Transcription performed by LeahTranscribes
[START OF RECORDING]
JACK: Hello, hello! Today is a great day, isn’t it? In this episode I’m gonna gush about ThreatLocker. Why? Well, currently they’re my biggest sponsor, which makes them my favorite sponsor. But what I’m saying is that this whole episode is brought to you by ThreatLocker. But don’t worry, I found some pretty great stories from them that I think you’ll find interesting and educational. So, let’s go. (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: Do you want to mention your name or company name, or do you want to keep that out?
GUEST: No, I’ll keep that out. I’ll keep that out. Just — I guess that’s just to do with the fact that we don’t want people to know what we use.
JACK: Yeah, I feel the same way. Everyone’s asking me like, what do you — what’s your privacy stack? I’m like, if I tell you, now you know exactly how to target me.
GUEST: Yeah, exactly, exactly.
JACK: Okay, so, the first question was who are you and what do you do?
GUEST: Yeah, I can generalize. So, I’m the group head of IT operations for a manufacturing company, and I look after the operational running of the IT across the business. We’re a thousand-employee business operating across seventeen different sites in the UK and Europe. I look after the security, cloud, operations infrastructure, servers, client support, etc.
JACK: Okay, you get the picture. This guy manages a huge network with a thousand employees, which probably means there’s like, ten thousand computers that are all up and operating. Picture a factory. No; picture lots of factories spread all over Europe.
GUEST: Yeah, we have distribution centers, offices, and big manufacturing sites.
JACK: So, how’s the network holding up? Have you had any problems?
GUEST: I mean, right now we’re in a good place. [Music] If you rewind back five years ago, we were in a very bad place.
JACK: What happened?
GUEST: Well, unfortunately for me, I was actually on my way on holiday. So, I was in the process of driving the family down to the south coast of the UK, and I got a phone call. I remember the exact words one of my technicians said: I don’t mean to worry you, but something worrying is happening. I was like, okay, calm down and explain exactly what’s happening. He was like, I’ve just had a ticket in where somebody’s tried to go to some files, and all the files are all renamed. I was like, what do they say? He was like, they all end in the word .conti. I was like, oh no.
JACK: Yikes. Conti is a type of ransomware. Well, it’s kind of more than that, actually. It’s practically a full company that’s in the business of ransomware. They’re Russian-based, and they build the ransomware, but then they have sort of an affiliate program that someone could use their ransomware, go infect a company, and then that person would get a cut of the money if the company pays the ransom. It’s devastating and brutal to be hit with it, and this doesn’t sound good at all.
GUEST: So, I had to make phone calls. I continued to drive the rest of the three hours remaining of my six-hour drive because I had my whole family with me, drop them off, and then turn around and drive six hours back, making furious phone calls the whole way.
JACK: Really?
GUEST: Yeah.
JACK: Oh my gosh. Is there a protocol? Is there a go-to, a run-book or something that like — okay, if ransomware comes in, here’s the button we hit. We gotta turn the network off as fast as we can or something to keep it from spreading. Do you have a procedure in place?
GUEST: We do now.
JACK: [Laughs]
GUEST: We didn’t then. [Music] A number of the people in my team had experienced situations like this kind of, but not on the scale that we got hit on this. I know five years ago — it was a long time ago and a lot of things have changed, and a lot of things — people are more aware of what to do and to have those sort of playbooks in place. We had an element of ‘what do we do?’, and the first thing we reached to was let’s turn everything off. But too much turmoil was going on. We were making too many calls and trying to deal with everything. I just remember at one point my senior infrastructure engineer just told everybody to shut up and give him five minutes to think, because everybody was just asking too many questions and we were trying to work out how we respond to this.
JACK: Yeah, yeah, I imagine it’s a really hard time to focus. So, how bad did it spread, or how bad did it knock you out?
GUEST: [Music] Well, in the space of fifteen minutes it encrypted all 250 servers, and like I said, it hit about 350 endpoints as well.
JACK: So, the 250 servers, were those all Windows servers?
GUEST: Yes.
JACK: Okay, so, your whole infrastructure is down.
GUEST: Yep.
JACK: Geez. I mean, that sounds like business is gonna stop.
GUEST: Yeah, and it did. It stopped at that very moment in time, and we assembled a team. I had a very nervous six-hour drive back, making loads of calls to everybody, trying to work out what’s going on, work out which way to go. I had to get people to sites. This was on a Friday evening, afternoon, around about quarter past four that it happened, which is quite a common tactic used because people are just switching off on a Friday afternoon. We pretty much just had to just turn everything off and then work out where we go from there, give ourselves some head space to think, ‘cause it was just too quick. We just couldn’t react to a fifteen-minute window.
JACK: A lot of CISOs, CEOs, they reach out and they say, I would like to be a guest on your show. I always say, well, only if we’re gonna talk about the worst day of your life.
GUEST: [Laughs]
JACK: ‘Cause that’s the kind of stuff I’m interested in. Would you say that this was the worst day of your life as far as career-wise goes?
GUEST: I say that to everybody I talk to about it, which I don’t actually like talking about it, ‘cause taking myself back to that day, that sinking feeling in your stomach, it is absolutely the worst, stressful — the most stressful situation I’ve been through in my career, hands down. I think I did twenty-seven days straight after that.
JACK: Yeah, I mean, you’ve gotta even worry if your job is on the line here as well, ‘cause if you’re the one in charge of this sort of stuff and now this is what happened…
GUEST: Yeah.
JACK: There are people blaming you.
GUEST: Well, I mean, that’s the first thing that comes into your head. Well, after you’ve tried to work out how to deal with everything. You think, am I gonna get blamed for this? [Music] But then very quickly after that, you realize you’ve just gotta focus on actually doing what you are paid to do, because ultimately, hackers and people that are trying to attack you are trying to attack you all the time, and it’s a constant battle.
JACK: Okay, so, you drive back frantically. You arrive late night Friday. Do you go right to the office in the night?
GUEST: Yep.
JACK: Wow. Then — so, okay — so, there’s a lot of people out there, armchair experts that are just like, well, you just restore it from backup. What’s the big deal?
GUEST: I mean, the problem with that is you don’t know whether they’re in the backups. You don’t know whether they were already in the — in your environment and they were just waiting for the right time to push the button, which we already believe they were. So, what we focused on was stopping everything and then working out how. How did they get in? Where did they come from? What method did they use to actually spread and initiate the attack?
JACK: Ah, good point. It’s like trying to set up dominoes when your cat is on the table. You want to get rid of the threat in the network before beginning to restore it. If you restore and the thing just re-infects you, that’s a waste of effort, and maybe it’ll show them where your backups are kept and affect those, too.
GUEST: So, once we worked that out, we then established a process to be able to check our backups, check each VM as we brought them back online. We established a protocol for rebuilding machines. We printed signs off at the doors of every office and told people where to go with their machines so that we could rebuild them. We kind of employed the whole red, amber, green process.
JACK: What’s the red, amber, green process?
GUEST: So, every laptop, until it’s checked, is considered red, then it goes into amber as it’s being worked on, and green, it’s good to go back to the user. Pretty simple, but it keeps it easy to manage because you’ve got a small team — and I have a team of — there was ten of us at the time, and you were managing the throughput of upwards of six hundred laptop users at multiple sites. So, you need a process to check in, check out everything.
JACK: Yeah, I mean, their devices were toast, and you were just re-imaging them from a fresh image, right?
GUEST: Yeah, but we had lost our imaging service.
JACK: Oh, geez. Yeah.
GUEST: So, we had to rebuild them manually for a while until the process, the team that were dealing — my sort of sub-team that were dealing with the servers were to the point where they were bringing the imaging servers back up. Then you’ve got users wanting to know what’s going on, you’ve got middle management, senior management, board of directors. Everybody wants to know what’s going on, and that completely flusters the situation. So, you can’t understand — you can’t get a clear head to actually focus on the task at hand.
JACK: Yeah, I imagine there’s a bunch of emotions to manage in this, which is stuff I don’t think anyone talks about, right? You look at the CISSP manual and they don’t explain, okay, well, you’re in the middle of a breach situation. Here are the emotions you’re dealing with and how to detect them and what to do about them.
GUEST: Oh, there’s definitely moments where you kind of just sit there and you feel like maybe you can’t actually do this. Maybe you can’t get it back. There’s an element of shaky hand syndrome, and anybody can claim to be cool and calm until they’re actually in the trenches with this situation, and it can really — there was a lot of team fighting and arguments and falling out and people popping under the pressure. It was a hell of a ride.
JACK: When you say ‘popping’, what was some of the stuff you’re thinking?
GUEST: Well, I had a team member walk out because he didn’t agree with a certain methodology to fix one thing, and another team member fall out with another team member, and arguments happening on meetings while we were trying to work out what’s the best methodology to bring something back online or to grant somebody some slight access. ‘Cause we — I turned around to the business and said, look, I can get us back from backups in this — in about five days. But if you really want the best solution, give me three weeks, and we will build it back how it should have been done in the first place.
JACK: Phew, what a proposal for leadership to decide on, huh? Business is down. There is no manufacturing happening, no shipping, no revenue coming in, and the question is do we get business back up as fast as we can, or, because those old systems are end-of-life and need to be replaced badly, take advantage of this outage and upgrade everything properly and build for the future? Of course, this incident is all that the business leadership can focus on. All other meetings and projects are canceled until business can come back up. [To Guest] Okay, so, what path — what did they choose, five days, three weeks, or something…?
GUEST: Three weeks.
JACK: Really? They wanted the whole thing…? I mean, that’s an ambitious thing to say I’ll redo the entire infrastructure properly this time. Three weeks, they didn’t mind being down for three weeks?
GUEST: Well, sort of what I did was make sure that certain services came up as reasonably quickly as possible. So, e-mail communications, and then focused on a major system here or a major system there, and slowly brought everything back on. But, you know, by getting those — some of those primary services back up and running, I was able to then get the head space to concentrate on the other eighty percent of the business. The business accepted that there would be some interruption in that process and they wouldn’t necessarily get everything back.
So, a good example was we didn’t turn Wi-Fi back on until the very end of the three weeks. So, nobody had Wi-Fi. That was to stop rogue devices turning up and undoing all our hard work. What if there was still something running on a laptop that we hadn’t got to or identified? Internet was shut down at every single site, and then we only — we kinda had a board where you had every site and all the services and sort of, again, the red, amber, green of when we were ready to start bringing stuff back on.
JACK: Oh yeah, that’s gotta be the moment of truth, you know? When you flip the switch on and bring the network back up, are you sure every device got cleaned up? Because Conti is notorious for spreading quick, so if you bring the Wi-Fi up and there’s just one device that’s still infected, it will try to spread all over again. They really need a solution that could give them visibility and, crucially, be able to stop this from spreading again.
GUEST: [Music] We bought Malwarebytes, the enterprise platform version of Malwarebytes, and paid quite a lot of money for it, and — but quite quickly found that it wasn’t really doing the job that we’d hoped. It was good as a helper, as an assistant to keep — to check machines for being clean, servers and whatnot, but it didn’t really do every — it was more of in the traditional sense of a signature-based scanning tool more than it was anything else, and it found some registry entries and things. So, then we started looking — well, what do we actually need to put in place?
We need an endpoint solution, an actual proper EDR, but we don’t feel like that’s good enough or gonna protect us 100%. So, we probably need something that’s gonna do application control, as in application white-listing. So, I reached out to a bunch of suppliers whilst the sort of end — tail end of that three weeks, and was like, can you find me something that does this? One supplier actually said, oh, we use ThreatLocker in our environment ourselves. So, I jumped on a call and had a demo, looked at the software, and was like, that’s amazing. I need that right now. That’s where we discovered ThreatLocker.
JACK: So, what was amazing about it to you?
GUEST: It stopped everything from running if you didn’t allow it to run. It’s as black and white as that.
JACK: Hm, it stops everything from running? Okay, let’s think about that. You know the difference between a router and a firewall? They’re both network devices. They look at the packet coming in or the data going in, and then decide where it needs to go, and then send that along. At their core they’re very similar, but there’s a big difference. A router really, really, really wants to get all the packets to pass through it and on their way. But a firewall really, really, wants to stop every packet from going through it. See, by default, a router permits everything while a firewall will deny everything, which means the firewall acts as a security guard, stopping everything it doesn’t like. But the router acts like a public park. Just, anyone can come and go. So, you have to poke holes in the firewall if you want anything to get through it.
So, the question is, when you go to run an app or a game or anything on your computer, should it act like a router and just permit anything you try to open, or should it act like a firewall and say, hold on, buddy, you need a permission slip to open that? Traditionally, all our computers just do what we tell them to do, which makes sense. Open app. Okay, done. Because when you need to use an app, you obviously need to use it. But the thing is, malware is tricky. It’s sneaky. It’s hiding. It’s being quiet. But it’s also opening and running and doing stuff without us seeing all secretly in the background. So, what ThreatLocker does is it says, okay, let’s start by blocking every app from opening and running, but if you the user wants to open something, just ask and we’ll let you open it. We just want to block apps that you didn’t try to open or apps that you don’t actually need.
GUEST: We figured in the world where we had just been absolutely burnt to high hell, we need to stop everything running unless, of course, we allow it; every single device, server, client. We needed to know that it was not gonna run anything that we did not want it to run, and our supplier was using it in their own environment, which is always a very good sign if the person trying to sell you it is also the person that is using it. We were like, yep, how quickly can you get me the installers?
JACK: So, when you get ThreatLocker, it goes through a learning period where it just listens and allows everything, and from there you get a sense of what apps everyone in the business is using. So, you add those apps to the allow list so business can continue, and then switch it over to secure mode, where if your app isn’t on the allowed list, now it’s going to be stopped from running.
GUEST: It just says no, and it comes up and says it’s been blocked by ThreatLocker. You can request it, and then when you request it, we have a portal where we can just say yes or no. Then you — there’s a lot of tinkering with the — how you set up the policy, but we pretty much just say no to everything.
JACK: So, how annoying is this to the users? You imagine some people are just like, ugh, you can’t run anything on this laptop; this is stupid. Do people complain a lot about it or are they okay with it?
GUEST: Maybe they did originally.
JACK: I think even if they did complain, you’ve got such an easy card to pull out. You could just be like, okay, back in 2020, let me tell you what happened. We cannot afford to have three weeks of outage again, because this is very serious stuff.
GUEST: I’ve used that so many times. I turn around to the users and go, you can’t have this piece of software. They’ll be like, why? I was like, because it’s open source. It allows plugins. We don’t know whether it will be safe, and it could be exploited. I’d say, do you want to be the reason that this company gets hit again? And just put it on them. Where if they escalate it to their director, okay, then I’ll say to the director, do you want to be the person who authorized this software that takes the business down? People back off really quick when you say that.
JACK: Yeah. Okay, so, since getting ThreatLocker, any big security incidents?
GUEST: No, but I don’t like saying that ‘cause I don’t like tempting fate.
JACK: Yeah, exactly, right?
GUEST: But no, we haven’t had anything.
JACK: I hear you sighing like…
GUEST: Yeah, I know, I don’t like saying it.
JACK: [Music] Ransomware is the most successful business model cyber criminals have ever invented. The people infecting us with ransomware are making tens if not hundreds of millions of dollars by hacking into a company, locking up their data, and holding it for ransom. It’s on the rise, even. Just last month I heard it’s more ugly than ever. It’s also one of the most disruptive types of cyber-attacks. When a company gets hit with it, it becomes a huge deal. Companies have gone out of business from ransomware. So, I wanted to talk with someone who defends companies from this type of attack.
HUNTER: My name is Hunter Clark. I’m one of the cybersecurity engineers at Ark Technology Consultants. My main focus is around endpoint security and how we can help organizations implement some of those zero-trust principles in their organization.
JACK: Ark is an MSSP, which is a managed security service provider, which means they take care of a bunch of people’s networks. A lot of businesses don’t have a cybersecurity team to keep their network safe, so they hire an MSSP who can keep an eye on everything and help keep it secure. One of the networks he was put in charge of securing was a hospital.
HUNTER: Yeah, there’s a lot of servers in the environment that run applications that are critical that — like imaging software, solutions that the doctors leverage to diagnose patients. A lot of it runs on servers. So, those are typically what we try to secure.
JACK: So, he took a look at this hospital’s network, and it didn’t have very sophisticated security tools. So, him and his team brought in ThreatLocker, installed it on all the servers and computers, and went through the learning process of what apps are normal in the network, and then locked it down so no new apps could run. Along with that, they installed an EDR, an endpoint detection and response tool, to monitor for suspicious activity. Then they suggested adding multi-factor authentication or MFA on all the internet-facing portals and computers, but the hospital said no.
HUNTER: They didn’t have the budget for implementing MFA. They didn’t want to have to train users on how to use it and doctors complaining about having to use MFA, so they did not have MFA.
JACK: Okay, well, if they don’t have the budget, they don’t have the budget. You do what you do to protect them with what you’ve got. But late one night, something happened.
HUNTER: [Music] The incident originated obviously in the middle of the night, as all incidents do. But we got a call from the EDR/MDR solution that we were using that there was someone in the environment. This was something that people should consider, is that not all MDR solutions are created equal. Some of them will pull the fire alarm but not help you put out the fire, right? So, they’ll let you know something’s going on but not necessarily step in to stop it until they’re able to get ahold of you.
In this case, it happened at 3:00 a.m. and they’re — we receive the detections that something’s going on and were able to then, early the next day, 5:00 a.m., 6:00 a.m., whenever we got up, start investigating what had actually happened. That was whenever — as part of that investigation we started looking into ThreatLocker logs to see, okay, what actually — what did the threat actor try to do? What user account was likely compromised? Seeing the threat actor bounce around the different servers. That’s whenever we saw that ThreatLocker had blocked the solutions that the threat actor had planned on leveraging, such as AnyDesk and rclone.
JACK: Someone got into the network, gained access to a Windows server, tried to infect it with ransomware, but ThreatLocker denied it. Nice. Okay, but how did they get in?
HUNTER: The threat actor had bought credentials off the dark web for a domain administrator account for the environment and was able to just remote in through the VPN, and had full domain admin rights across the environment.
JACK: Ah, that darn VPN! I mean, VPNs are great. It allows you to connect securely into a company from home or on the go. They are essential, even. But they also are exposed to the internet. They’re a portal into a company’s network. But that’s something that should be super secure since it is out on the internet. But in this case, all that was needed to get into this hospital’s VPN was a username and password, which happened to be for sale on the dark web. How wild is that? A username and password is not good enough to keep people out anymore.
HUNTER: One of the questions that came up was would MFA have prevented this event from happening? It was a pretty clear yes that if MFA would have been implemented, then at least that initial access, they would — the threat actor would have had to find a different way in than through the VPN.
JACK: Anyway, this is why there’s defense in depth. You want layered security so that there are multiple places that should have stopped this attacker, and they were lucky that they had ThreatLocker to stop this. But this attacker was clever and motivated, and even though they were stopped, they weren’t done yet.
HUNTER: [Music] This hospital system used to be made up of multiple different hospital locations. A few of them had been sold off, but they still needed to maintain VPN tunnels between the sites because of certain application dependencies that the hospitals hadn’t had time to build in their own environment. So, because of those VPN connections, to the threat actor it looked like it was just one network, right? It probably looked to them like it was just one big connected network. But really, they ended up bouncing to a different hospital system that was not a customer of ours that obviously did not have ThreatLocker in the environment, then was able to deploy what they needed on those devices.
JACK: Oh no, they bounced from this hospital to another hospital that was connected internally and were able to do damage there.
HUNTER: The threat actor ultimately reached out later that week saying, hey, we compromised your environment. We have terabytes of data.
JACK: They wanted the hospital to pay hundreds of thousands of dollars in ransom to get it back.
HUNTER: Whenever this happens, right, the company, if they have cyber insurance, they should read their cyber insurance ‘cause it probably says in there that in the event of an incident, you need to call us because we have incident response companies that we trust, that we want to have involved in this. So, that’s what happened. As part of that cyber insurance, there’s also usually some sort of ‘we’ll negotiate on your behalf with the threat actor to try to get that ransom call to drop as much as possible’. So, with the knowledge that we had, that ThreatLocker was able to see, we — they were able, I know, to drop it by quite a bit. I can’t say — I don’t know exactly the number it dropped, but I heard that it was — they were able to negotiate pretty effectively because they knew what the threat actor actually had been able to get to.
JACK: Okay, so they lowered the ransom and then they paid the ransom?
HUNTER: [Music] Yeah, they — this hospital system did end up paying the ransom. The hospital was able to ask the threat actor, hey, how can we improve? How can we get better? What should we be doing? The threat actor responded saying that they quickly realized that ThreatLocker was on the Windows devices, so they knew that they wouldn’t be able to use those for the purposes that they intended, and they began to pivot to other locations in the environment that did not have ThreatLocker.
JACK: Tell us who you are and what do you do.
DANNY: So, I’m Danny Jenkins. I’m CEO and co-founder of ThreatLocker, but what I do is really build solutions and educate the world on how denying by default is the best way to address security, and it doesn’t have to be difficult.
JACK: So, you started ThreatLocker. How did all this get started for you?
DANNY: The first thing is I was — I wanted to do something fun, and I started doing some ethical hacking. I ended up doing more ransomware recoveries than ethical hacking, to be honest, ‘cause people were calling me, and I wanted to make money. So, they’d say, hey, I’ve been hit by ransomware. Can you help with this recovery? We paid a ransom. There was this particular case in Australia, which was the first one I dealt with. It was an insurance broker, so about fifty employees — an insurance company. I got called in by the MSP-managed IT company to help with the recovery. I came in, and they paid the $22,000 ransom, and they hadn’t got their data back. So, they had got some keys, but the keys didn’t work. They weren’t decrypting the files. Their exchange database was encrypted.
Their SQL database was encrypted. Everything was encrypted and broken. They had asked me to come in. So, we start trying to reverse-engineer the code, see if the decryption keys are in the code. We tried to use low-level data recovery tools to get things from the disks that had been deleted or written over from encryption. We’re recovering from — OST files for e-mail databases. We’re trying everything we can to get this company back up and running. During the recovery, the owner of the company called me, and he got quite — first he got quite mad. He was like, when is this gonna be done? I’ve been waiting two weeks and I still don’t have my servers up and running. He’s getting quite mad. I was like, look, you need to be realistic here. I am trying to recover your files, but you have everything encrypted. You have no backups.
You’ve paid a ransom and you didn’t get your data back, and this — I don’t know if it’s gonna be back. We’re doing everything we can to make sure we can get your data back. It then turned into quite an emotional call, and his voice started crackling. He started almost crying down the phone, and I got really awkward at that point because I really didn’t know what to say. To me this was different because every other cyber — I’ll call it a cyber-attack — I’ve dealt with, every other malware attack I’ve dealt with — ‘cause prior to 2014, most malware attacks were really just IT issues. It was, you know, you’re getting adverts. Someone’s sending e-mail out from your server. It had been an IT problem.
IT needs to fix the server ‘cause we’re sending spam e-mails. IT needs to fix the computer ‘cause it’s getting pop-ups. The worst I had seen before that was someone crying ‘cause they saw an inappropriate picture. What I did was — it suddenly hit home that this is a real problem and this guy’s gonna lose his entire business — and he’s close to retirement age — because somebody decided to download a piece of software. I didn’t at that point think, oh, I’m gonna go start a company to solve this. What I said to the IT team and what I said to him after we — and we managed to recover enough — was you need to use application control. You need to block software by default. He said to me, okay, well, I’m gonna go and do that. Then the IT team told him that Danny’s stupid.
Don’t listen to him. That’s not viable. We can’t do that. I went out to prove him wrong, and I couldn’t prove him wrong, the IT team. That was really when — the first time we said, well, let’s try and build something to prove him wrong. I kinda went back and forth on this idea quite a bit because it wasn’t an easy lift to build a solution for this, but we had to — it was really — in 2017 we had a product — we had a concept product, and I still wasn’t sure this was the right thing to do, because we knew in order to make zero-trust viable — and today we got 70,000 companies that use our product, from small businesses right up to some of the biggest companies in the world; federal government, airports, banks, everything.
But back then, I was like, if I need — I need to make this so it’s viable for everyone. I need to make it so we can deploy application control. We can block software by default. We can ring-fence applications and make it so you can deploy in hours and days, not months and years. I wasn’t sure that it was gonna be viable without me hiring — well, I ended up hiring hundreds and hundreds of people. But I think in 2017 my mindset shifted, because before 2017 I was thinking about building a business that one percent of the world would sign up to. After 2017 I made the decision; we don’t want one percent of the world. We want to change the market so that ninety percent of the world are using a zero-trust approach.
JACK: Okay, so, you coded it at the beginning? You built it.
DANNY: Yep. Yeah, so, I coded the first of it. So, I coded the first version, and there’s four parts, if you like; there’s a service, there’s a driver, there’s a portal, and there’s an API. That’s the four original components of ThreatLocker. I wrote an entire version of it, and I wasn’t so good at the driver stuff. I caused a lot of blue screens. So, we ended up bringing — at the very beginning I wrote the whole thing, and then I got somebody else to come and rewrite my driver code because, frankly, it just wasn’t very good. Since then, that’s probably been one of the best decisions we made. Today, of course, we’ve got 250 people in our R&D department, but back then it was just me writing code and Sammy and John testing and deploying.
JACK: Can you tell me about the first network you installed it on?
DANNY: Well, so, I guess the — we obviously installed it on our own machines. I think the first network outside of our own that we installed ThreatLocker on was actually my kids’ school. They had a problem as well. We were looking after our kids’ school IT. It was — we were getting very actively involved ‘cause we couldn’t afford private school for our kids at the time, and we were getting essentially help with scholarships ‘cause we were helping them with the IT systems and everything else.
They were getting malware every single day. It was like, a complete nightmare. We pushed it out to them. That was very difficult and somewhat unstable in many areas because it was things we didn’t even think about, and we were seeing a lot of noise. But they went from malware every day to never since, and that — and still today they’re using the product. My kids aren’t in the school anymore, but our chief product officer’s kids are actually in the school now, and their IT management went down from full time to a couple of hours a month because they just — these systems became very stable, very easy.
JACK: Deny all apps by default seems like a radical idea. To block everything seems like it’s gonna halt productivity.
DANNY: Radical depends on where you start, and if you start in a situation where my network is running smoothly and I’m very happy, you would never approach with that idea. You would approach with the idea; we’re going to learn what we have. We’re going to review the list and remove the things from the list we don’t want. Whereas if you start with the situation that I’ve been hit by ransomware, attackers are in my network, the alternative is you shut down the entire network, or the plus side is you allow the network to run, but you only allow these trusted apps. Then every time someone wants something, they request it for the first time, we add it to the list. It doesn’t seem so extreme now because the alternative is the whole network’s shut down until we’ve reformatted every single computer and guaranteed that nothing’s bad on it. So, it really depends where you start.
For ninety percent of customers, they’re starting from a clean slate. So, they’ll learn and they’ll remove the things from the list they didn’t know about. For the other side of the customers who are starting from, hey, we’ve already been hacked, it’s not extreme to say, hey, everything’s blocked until we’ve approved it. It’s also not that difficult, because most people think, oh, well, what about the software we don’t know about? But the average user uses ten, twenty, thirty apps on their machine. It’s Chrome, Zoom, Office, Firefox, and then they have an SAP system or whatever that may be. So, it really doesn’t take long, even when you’re dealing with a response, and you never want to be doing it from a response. But even when you’re not in learning mode, you can say, if you need something, hit request. We’ll review it and we’ll approve or deny it. It’s still not the end of the world, because that’s a lot better than where you were where, oh, ransomware is actively running in our environment.
JACK: The traditional way we would secure networks was kind of like a castle-and-moat type of system. Everyone inside the castle wall was trusted. They could go anywhere, do anything. Then you put up this giant gate and moat around the whole thing, keeping everyone out that you don’t want in. But the problem with this is that if someone does sneak in, well, now they’ve got access to everything. There’s nothing to stop them once they’re in. If an employee turns rogue or clicks on a phishing link and gets infected, that employee’s computer can go anywhere and do anything. So, the new way people are securing networks today is called zero-trust, and that simply means to verify everything. No longer is everyone on the inside trusted by default. They’re now given the least amount of privileges to do what they need to do, and tools like ThreatLocker are great for implementing zero-trust since you can see and lock down any and all activity in the network very easily and quickly.
DANNY: So, in the world of zero-trust, you essentially grant access where access is required. Everyone thinks it means no. It doesn’t mean no. It means if you’re the finance director and you need access to all of the financials, we’re going to give you access to the financials because that’s your job. If you need to be able to upload those financials to the internet, we’re going to allow you to upload those financials to the internet because that’s part of your job and requirement.
So, in the world of zero-trust, it’s not about no. It’s about, if you need it for your job, we will grant that permission. In the world of detection and response, you’re saying, if I detect an anomaly or something suspicious, I’m going to block and respond to that anomaly or something suspicious. But if we don’t detect something suspicious, we’re just going to allow it. So, in the world of detection and response, everyone can access the financials. In the world of zero-trust, only the people that need to.
JACK: What is your mission, or what’s ThreatLocker’s mission, or what are you trying to change in the world?
DANNY: So, it’s very simple. I want to change the way the world thinks about security from default allow to default deny. So, rather than going into a computer and saying, I’m allowed access to everything until someone decided it’s bad for me to access this, which is how most security works right now on endpoints, I want to change it so I go in and I need to access everything I need to do my job, and everything else is denied until somebody’s decided and granted me that permission. That’s our mission as a company. It’s been our mission since the beginning.
We attend over a thousand trade shows — well, ThreatLocker’s attended over a thousand trade shows this year. We host Zero-Trust World. The reason we do this is education. I think I did 120 trips this year. I will do local events, we’ll do Zero-Trust World, I’ll go to Black Hat, to RSA, to Gartner events, and it’s about educating people why this is so important, but also how it’s not difficult, ‘cause people think it’s going to take them months and years. I’ve onboarded people in hours. Ideally, we want to do it over a week so we can do a nice learning baseline, but it’s very easy to do. It’s very effective to do. So, my mission is to make sure people understand why this is so important and then also educate them how it can be done.
JACK: Yeah, so, educate me. Educate us. So, you say deny by default. You could explain why that’s so important or even pick another topic and say this is what else is important to me.
DANNY: Okay, so, deny by default is so important because think about this; if we go back — and we’ve never — as a world, we’ve never been very good at stopping viruses. Let’s face it, we go back to 2000, 2001. We have the Love Bug virus. It infected a third of the world’s business computers. Now, that virus said ‘I love you’ and e-mailed your friends and said ‘I love you’, so it wasn’t the end of the world. We had the Blaster virus after that. All of these times we had antivirus. We were denying by exception. We were allowing by default and denying by exception, and we weren’t very good at doing that. In 2007, 2008, we started seeing botnet e-mails being sent out. Again, people were getting malware all the time. They were sending the spam e-mails. They were getting pop-ups. But it was a problem, and it was an IT problem. Switch to 2014; we start seeing malware that actually encrypts files and takes down businesses. Malware and software are the same thing.
Whether it’s — they’re literally written in the same languages, work the same way. The only difference is the intent with which it was created. So, every piece of software you run on your computer, whether it’s Angry Birds or a large e-tech support app or Microsoft Office or Google Chrome or — a piece of ransomware can see all of the files that the user who runs it can see. So, you don’t have to be an admin. If you’re a finance director, if you’re in sales, it can see all of your files. So, if you were to say I want to deny software by default and only allow software that’s been approved by the company, what you end up with is a situation where you’re no longer just relying on is — am I going to detect the latest threat? But you’re now saying I’m gonna block everything. It doesn’t matter if I detect it, because if the software isn’t approved by the business, it’s not allowed to run. That is so efficient at stopping ransomware, malware, but also things like TeamViewer and access tools, which are often used by scammers to gain initial access to your network.
JACK: This is great. Keep going. Tell us more about how to secure a network.
DANNY: Every secure — or mostly, most security attacks can be stopped with one of three methods. The people, detection, and controls. The first one is through people. But the first example I’ll give you is phishing. In the event that someone wants to phish you or someone in your company, they’re going to send an e-mail to you or a text message, whatever it may be. As a user, you have the power to stop that attack immediately in its tracks by not clicking on the link, not putting your credentials in. The attack is gone if you don’t do that. So, that’s method one. The people don’t make the mistakes, don’t click on the phishing links, don’t give somebody access to their machine. The second method is to detect a threat, and this is where — we look at phishing; this is where we’ll say, is this a known bad website?
Does it exhibit signs that it’s a phishing attack? Again, detection is not a guarantee because the website might have just been spun up. Attackers will switch the website out, use techniques. It’s brand-new. You don’t know it’s a bad website. But it’s a method. If you manage to detect it and you can block that phishing link from being used, the threat is neutralized. The third way is the idea of controls. Controls are where zero-trust really fits in, and this is the most simple way, and this is where you say, well, I’m gonna turn on things like dual-factor authentication, I’m gonna turn on things like IP restriction so it can only be accessed from one of our known IP addresses.
When you do this, it’s — you basically say that I accept my user might click on the link and give the person, the attacker, my password or their password. I accept that my e-mail to security may not detect the phishing e-mail, but I won’t accept that they can still get into my machine. So, what I’m gonna do in addition to this is I’m gonna restrict which IP addresses can log into my Microsoft Office tenant to only the IP addresses of my devices. I know I’m also gonna enforce dual-factor authentication so the password by itself isn’t allowed. They’re gonna have to have the user’s physical device. As an IT or security professional, this is the — the control is the only thing that you can actually control. You can’t control — you can train your users, but users are gonna make mistakes. People are gonna make mistakes all the time.
You can buy detection, but detection can’t tell the intent, if it’s new or if it’s unknown, but you can control whether — if it’s — if someone puts their passwords in, will somebody be able to get into your system? So, that’s the first example of where that’s really important. The second example is when we think about malware. I can put an antivirus on a machine and say, if you download known malware, block this known malware from running. Windows Defender comes shipped with every machine, and sometimes it blocks the malware. Sometimes it doesn’t. I can tell my users to never download attachments. Don’t open things that you don’t know where their source is. If the user doesn’t do it, the threat is foiled. But I cannot guarantee either of those two are gonna apply. If I block untrusted software by default, if one and two fail, three is always going to be successful.
This is where security has to be. If we think — go back to the — even the eighties and the nineties. We didn’t used to have firewalls on our network. We didn’t used to have firewalls on our computers. Windows didn’t have a firewall built in until Windows XP. We’d get constant malware, and then Microsoft would patch it, and then we’d get malware again, and Microsoft would patch it. Microsoft released the firewall on the computer, and suddenly malware from the user dialing up to the internet or connecting to a broadband connection vanished, and it became people downloading malware because they implemented a we-deny-network-traffic-by-default policy. That’s how all security should operate.
JACK: Do you have any statistics that you can tell me that makes — that tells me that ThreatLocker is effective? When I go to the doctor and they give me medicine to prevent an ailment — an illness, I don’t know if it actually prevented the illness, ‘cause I can’t tell if I got ill and the medicine fixed it, right? So, if ThreatLocker is here to prevent ransomware, how do I know it worked?
DANNY: So, I will tell you. So, I’ve got 70,000 roughly companies that use ThreatLocker, and I think…
JACK: Did you say 70,000?
DANNY: 70,000 companies that use ThreatLocker, from small businesses through MSPs right up to large — some of the biggest software companies, banks, financial companies, hospitals, airports in the world. So, it really is at mass scale. Not a lot of them go through MSPs, so, you take an MSP; they have a hundred small businesses. They’ll manage it. I have never had a customer with a ransomware case that wasn’t ignoring obvious signs. So, we’ll send a report out saying, you have your machines in monitor-only mode. The bottom line is — and there’s no such thing as unhackable, but the only way somebody — if you go out and you install a network control and you close ports and you stop untrusted software and you stop PowerShell accessing things, it’s — nothing’s impossible, but it’s almost impossible to get through that.
If I look at those 70,000 businesses, I’m tracking about 125 ransomware cases on them, and every single one of them has been pure — their machines were not secured or they — the other one we see is where they didn’t — they had open ports on their hypervisor and someone got in. They shut down the VMs and put them in safe mode or something like that. But if they followed the policies, if they followed — we’re gonna stop untrusted software, we’re gonna close ports and only allow them to trust the devices, I have never seen a case where somebody gained access to a machine.
JACK: ThreatLocker is hiring, but beware; they’ll tell you in the interview that it’s the hardest job you’ll ever have.
DANNY: Yeah. I mean, every person that we hire, we make sure that they’re aware this is gonna be one of the hardest jobs they’ve ever had. Because I try and always say to our — I make sure everyone in the company knows we are not supporting a software product. We are supporting a hospital, an airport, a government agency, a local business, and when someone calls in and they’re having a problem — and the thing is about what we’re doing is we often — I would say seventy to eighty percent of our support tickets have nothing to do with us. The reason people call us first is because if you say, well, I’ve got a EDR and I’ve got a zero-trust endpoint security product, and suddenly one piece of my — my dental software is not working, it’s very, very easy for you to say, well, I assume it’s to do with the zero-trust, always.
I’ve been literally four hours proving and diagnosing and working with a competitor of ours on EDR space to say, look, you have a problem here with your software. We’ll uninstall ThreatLocker. We’ll show them the issues still happening, and then we’ll actually go in with a vendor and say, you’ve got a problem with your software here. Because I think it’s easy to assume that zero-trust is the problem, but most of the time it isn’t. But you’ve got this culture change which we’re trying to change. So, people have to know it’s hard, but I think it’s also incredibly rewarding. I think what we do is — there’s nothing better than a feeling that we just stopped a major ransomware attack. My door never gets closed.
My phone is never turned off, but — and I always say to anyone, if you can’t fix the customer issue and you can’t get someone else to help you, go over to the development part and go over to your peers. But also when you — at the end of the day, if it’s 2:00 a.m. in the morning and it’s not working, come and call me. Call me, call Sammy, who’s our other co-founder, and call and say, hey, I’ve got a customer on the phone and they’re saying that something’s wrong and something’s getting blocked and it shouldn’t be, and they don’t understand and I don’t understand why, and I can’t find anyone else. It’s like, well, let’s see what’s wrong, because I think it’s important for everyone to know that we’re willing to take a phone call at 2:00 a.m. in the morning if it solves a customer issue.
JACK: How many phone calls do you get a month during your sleep?
DANNY: Probably six or seven.
JACK: Geez. I hope you get paid overtime for that.
DANNY: Yeah, no. But I think it’s — we have a twenty-four-hour — I mean, we have customers in Australia. Well, we have offices in Australia, in Dubai, in Dublin, we have staff in eleven different countries. We have customers all over the world. I just — I think it’s more important that we solve the issue for the customer, and that’s the bottom line.
(Outro): [Outro music] Thank you so much to our guests, and especially Danny Jenkins from ThreatLocker. To learn more about them or to get a free trial, visit threatlocker.com. This show was made by me, the real SQL Shady, Jack Rhysider, mixing by Proximity Sound, and our theme music is by the mysterious Breakmaster Cylinder. I got tired of forgetting my password, so I just changed it to the word ‘incorrect’. Whenever I go and I type in the wrong one, the website always says, your password is incorrect. I’m like, oh yeah, thanks for the reminder. This is Darknet Diaries.
[END OF RECORDING]