Right of Boom: Day 2, Live Blog

Welcome to Day 2 of our Right of Boom coverage at MSSP Alert. Check out our coverage of Day 1 here.

While the first day of the conference is focused on Left of Boom topics such as Secure Onboarding, Day 2 is where the conference topics focus on the Right of Boom — the response after an event occurs. We’ll be updating this blog as the day goes on, so please check back for more.

Before addressing the Day 2 topics, attendees heard from an industry luminary, Arnie Bellini, founder of ConnectWise and a pioneer in the industry that is managed services. Bellini delivered the Day 2 keynote at Right of Boom.

Bellini sold his company to private equity five years ago and since then has taken on a quieter role as the leader of Bellini Capital, an investment firm. The firm has several missions, including environmental ones such as saving the Florida panther, and educational ones like training a new generation of technology workers to address the industry’s coming challenges. One of those challenges, of course, is cybersecurity.

Keynote: Arnie Bellini — Defending Digital Borders in the Age of AI

ConnectWise founder and current CEO at Bellini Capital Arnie Bellini opened his keynote address at Right of Boom on March 8 saying, “Hello, I am back!”

Bellini’s non-compete expired last week, five years after he completed the sale of ConnectWise to a private equity firm. But his presentation reflected one of his new focuses: defending the digital borders in the age of AI.

He believes that MSPs can double their revenue by providing cybersecurity services to clients. There are six components that MSPs must provide to clients that will protect the attack surface by 80% to 90%, he said. Four of those are services they are already offering as part of their IT managed services stack. They are:

They need to add to this:

But MSPs have gotten push-back from clients when they try to sell cybersecurity services. These services don’t increase revenue or impact the bottom line. They aren’t a core part of the business function. It’s hard for customers to justify the expense.

Bellini suggests selling this stack including the two additional service categories as compliance. Of course, not all customers think they need compliance. They aren’t a financial services firm. They aren’t a healthcare firm. But they all do need cybersecurity insurance, and providing this stack of services is a way for these organizations to demonstrate they are a responsible organization and not high risk, which makes it easier to get cybersecurity insurance coverage. It can also lead to lower rates because they are a lower risk business if they have all these boxes checked.

Bellini’s address was a call to action for MSPs, because he not only talked about the potential revenue growth for MSPs by service expansion. He also called on their sense of duty to protect the U.S.’s digital borders against nation states that would attack the country’s infrastructure.

We’ll provide more on the Bellini plan for MSPs and how they can demonstrate the value of cybersecurity to end customers in a separate story coming soon.

Right of Boom: PWNED and OWNED

Mackenzie Brown is vice president of Security at Blackpoint Cyber and previously worked on the incident response team at Microsoft. She is the only woman presenter at Right of Boom, and her presentation was on International Women’s Day, March 8.

Brown covered topics including identity and zero trust and how owning the environment has shifted from predominantly from on-premises IT estates to a combination of on-premises and  the cloud. Her discussion also included information about Living of the Land (LotL), or how attackers use legitimate tools to evade detection.

LotL isn’t new:

Why do they live off the land?

Brown said that according to Blackpoint Cyber data 56% of all incident responses in the last three months did not involve EDR/antivirus alerts. That means these attacks evaded EDR and antivirus.

“We aren’t able to identify bad activity going on, and that is a smoke signal about to lead to a full on wildfire,” Brown said. “Old tech stacks are not effective at highlighting the risks of LotL and legitimate software being abused.”

Credentials are often used to enable LotL attacks. Adversaries commonly abuse valid credentials to laterally move through networks.

Identity Is the entry point, specifically privileged identity. We should be focusing on zero trust and zero trust implementation. Once bad actors own the identity they are going to own the intrusion. Brown shared some data from the Microsoft Digital Defense Report, 2023.

Identity is the entry point

RMM abuse is absolutely the thing we are concerned about.

Once the threat actor has a remote logon session they execute a Powershell in memory, it won’t necessarily be picked up. Many enterprises use RMM tools, too, and they don’t know anything about these vulnerabilities.

Context is king, but with LotL, your tools don’t give you the context they need to detect the intrusion. That’s where threat hunting comes in.

The amount of time between initial access and lateral movement of a threat actor is 83 minutes (source: Blackpoint Data).

Right of Boom: Extortion Tactics

John Strand, owner of BHIS Antisyphon and Wild West Hackin’ Fest, presented this session and sprinkled in many colorful, funny stories which this blogger cannot do justice to in print. But Strand is hilarious, and you should see him present in person sometime.

He told many stories of DDOS attacks and his response to them. Among them was the story of the largest DDOS attack in history, the DynDNS DDOS attack.

DynDNS provides DNS services to some of the U.S.’s largest companies and had paid for Strand’s firm to do some consulting the week before, and suddenly there was an outage.

DynDNS was on the hook for $100,000 per minute of downtime. There was a moment when things seemed under control, so someone taunted the attacker. The attacker came back even harder.

The botnet involved had spread through default passwords on IoT devices and it came through in three waves.