How to disrupt ransomware and cybercrime groups

[00:00:01] CS: Infosec Skills is releasing a new free challenge every month with three hands on labs to put your cyber skills to the test. It's November, and with the colder weather and shorter days coming, we're burrowing deep into insecure networks to practice with the tools and techniques used by expert penetration testers worldwide.

Challenge one, you'll get authentic hands on experience using a variety of vulnerability scanning tools, the same type of tools that pen testers use to expedite processes so they can focus on target specific tasks. Challenge two, you'll leverage a client-side code injection attack to take over a victim's browser. And for your top-level challenge, you'll enter our purple team Cyber Range to exploit local files and perform remote code execution. Complete all three challenges, download your certificate of completion, upload it in LinkedIn and tag Infosec for your chance to win a $100 amazon gift card and Infosec hoodie and a one year subscription to Infosec Skills so you can keep on learning. Just go to infosecinstitute.com/challenge and kickstart your cybersecurity skills today.

After 14 years with the NSA and working in global intelligence, Adam joins us to delineate the process of disrupting ransomware and cybercrime groups by dismantling organizations, putting on pressure, and making the crime of ransomware more trouble than it's worth. Sound impossible? Adam says otherwise. That's all coming up today on Cyber Work.

[00:01:31] CS: Welcome to this week's episode of the Cyber Work with Infosec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of Infosec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry.

Adam Flatley has over 18 years of cybersecurity and intelligence operation experience. He is the Director of Threat Intelligence for Redacted, Inc. and in his role, he drives the analysis and production of actionable intelligence for client, partners, and the general public. Before joining Redacted, he served as the VP of Tailored Intelligence at a small cyber cybersecurity startup. Prior to that, he served as the manager of Global Intelligence Operations for Cisco Telos’ threat intelligence and interdiction team. Prior to his time at Cisco, he served for 14 years at the National Security Agency in various operational capacities, most recently serving as the Director of Operations of a cybersecurity operations organizations team, which was responsible for incident response, red teaming, vulnerability assessments, and threat hunting on critical networks.

Earlier in his career at the NSA, he founded several new organizations within the agency in order to meet cutting edge challenges posed by emerging threats or changes in technology to support counterterrorism, counter proliferation, and cybersecurity missions. So, Adam joins us today to talk about taking the fight to the cyber criminals, specifically ransomware agents. Apart from not paying the ransom, Adam wants us to understand that ransomware only ends when the people propagating it are neutralized and brought to justice. The time to engage in counter hacking, let's find out.

Adam, thanks for joining us. Welcome to Cyber Work.

[00:03:11] AF: Thank you for the invitation.

[00:03:13] CS: So, I always like to start out and find out our guest’s journey, cybersecurity journey. Where did you first get interested in computers and tech and what got you excited about cybersecurity originally? What was the initial attraction?

[00:03:27] AF: So originally, I was mostly self-taught and I think it started in early high school. I started building computers and playing around with coding before any type of formal training that I had. And actually, I only really had a couple of coding classes and various things, but so as mostly as a hobbyist when I started out. I went through various early career choices that were not in the technical field. But that led me to realizing that I needed to be able to eat. And so, I ended up getting a job as a computer tech. I just went and just like took the A+ certification, got certified and started doing that. That's really what started to lead me down the more professional side of things.

[00:04:25] CS: Gotcha. So, it looks like is you you move pretty much straight from college into the Department of Defense doing analytics and cyber threat research over 13 years. What drew you to the DOD and what sorts of things did you learn to do while you were there?

[00:04:40] AF: So, I guess first of all, my journey through college was quite circuitous. So, I didn't just like go from high school to college and then straight to the DOD. There was a lot of time doing various jobs in between there, until I really figured out what I want to do. But then, I actually chose what I wanted to do for a living before I finished college. I wanted to go and work counterterrorism issues for either – I either wanted to work for the CIA or the NSA. And so, I went back to school and I knocked out my degree, and actually is a political science degree, specializing in counterterrorism policy. It just so happened that I graduated like one month, or probably half a semester after 9/11 happened. So, you can you can imagine that with my background in hands on computer work, plus a degree in counterterrorism, it didn't take too long for me to get into the government after 9/11.

[00:05:47] CS: Okay. So, you were already interested in in counterterrorism even before 9/11? Because I think a lot of people seems like they, obviously, they kind of joined up after that, or it became more personal or what have you. But what was the initial attraction? I mean, what kind of things were you thinking about at the time in terms of like terrorism, counterterrorism?

[00:06:07] AF: Yeah, the thing that really drew me to that was the fact that, that terrorists are people who try and drive their political agenda by harming the innocent. They don't necessarily go after soldiers or government officials, they'll go after regular people and then cause them harm, kill them, in order to drive their message home. That was just so repulsive, to me, the targeting of the innocent, that that's really what drove me into that field.

[00:06:37] CS: Okay, so our topic today, really, so we want to talk about threat intelligence, and some of the counterterrorism, hackers and so forth. But also, talk about careers, and a lot of listeners who are trying to find their feet in the field and get started, whatever. So, I was wondering if you could tell me about your average workday as director of threat intelligence for Redacted. How's your workday start? How regimented are your activities? And do you have to sort of split time between like working with clients? Or do you actually get to get your hands dirty with like the work on most days?

[00:07:16] AF: Yeah, I think the the best way to describe it is that there is no such thing as an average workday in threat intelligence world. Sometimes you're chasing a new and emerging threat. Sometimes, me as a, as a director, I'm also managing a team. So, I'm choosing what priorities the team is going to be focusing on and working on, driving the mission. I also am working with our engineering team to have them build or redesign capabilities that help enable our threat intelligence work. I do work with clients to either share actionable intelligence with them that they can use to help secure their networks. So, it's really a huge amalgam of different tasks that I have to essentially prioritize each day, decide what is the most important thing to focus on, and then drive on that for a while until I have to start spinning some other plates over here.

[00:08:16] CS: Yep. Oh, yeah. It's all it's all plate spinning. So, what are your sort of your favorite aspects of the job?

[00:08:23] AF: So, I think the things that I like the most about threat intelligence in general, but working for Redacted in particular, is our ability to have real-world impact. Because I've seen a lot of people use threat intelligence that just like informs people of interesting things. But to me, that's not good enough. It has to be actionable. It has to be something that someone can do something with. So, they can either take that information and get themselves out of a bad situation. So, if they're in the middle of a crisis, you can help them get out of that. You can help people avoid a bad situation by giving them forewarning for a campaign that's targeting a particular vulnerability that they are exposed to. I think the most satisfying thing is when we can work with law enforcement or other government organizations to help bring cyber criminals to justice so that they are now off the playing field and no longer out there bothering people.

[00:09:26] CS: Yeah. Now, to that end, what are some of the main security threats and threat actors that you're currently researching and dealing with? Are there particular trends or malware types or threat actors that keep you awake at night, so to speak?

[00:09:37] AF: Well, yeah, I mean, all of them do one way or another. But I would say that at some of the biggest things that we're concerned about and tracking, obviously ransomware is one of them. Because of the huge impact that it's having, not just on the security of companies, but also, it's like impacting people in their daily lives. The hacking of the Colonial Pipeline, that caused the shutdown and at least a temporary gas shortage on the Eastern Seaboard, people were panicking, even though it was a very short amount of time. I mean, we saw people filling gas bags or trash bags full of gasoline and putting them in their cars. I mean, it was quite a panic. There was the JBS meats. Then there was a couple of farming cooperatives that were hit that started to impact the food supply.

So, ransomware is a huge concern for us. And so, we're doing a lot of tracking of ransomware actors. But beyond that, one of the other things that's, that's kind of exacerbating it are these access brokers. There are these criminal organizations that are doing essentially nothing but exploiting particular vulnerabilities just across the internet, they're not targeting a specific company, but they're just trying to gain initial access to any company that has a particular vulnerability. And then what they're doing is they're selling that access to other people who want to do more malicious things, and so you can go to these dark web marketplaces, and just sort of look through a menu of here are people or companies in a specific vertical that you're interested in, and causing havoc in and you can just by your access, they ship it to you and then bam, you drop your ransomware in the network.

So, that is making it so much easier by eliminating a lot of the reconnaissance phase and the initial access phase, where the ransomware actors that it's making them go from like 0 to 60 way faster. So, that's something that really concerns us.

[00:11:53] CS: That sounds like the security equivalent of like you'll see someone on our street walking, just walking past every car and testing the doors to see if any of them are unlocked.

[00:12:01] AF: Exactly, exactly.

[00:12:02] CS: And then they report back and say to a car jacker like, “Okay, go get this one.”

[00:12:07] AF: Exactly. That's a great analogy.

[00:12:10] CS: That's wild. So, from a threat researcher’s perspective, what are some things, in your opinion that the cybersecurity industry isn't addressing or isn't taking seriously enough, at the moment, that makes you want to sort of shake everybody and say, “Why are you letting this slide?”

[00:12:24] AF: I don't have a lot of huge criticism against the cybersecurity community, because it's really hard. This is a very hard job and getting businesses to make all the right security decisions is a very complex task, because they have so many things to think about in their day beyond security. They have all of these people who work for them that they're responsible for, they need to make sure that they all get paid, they need to make sure that they have health care, they need to make sure that their businesses running.

So, they have to make these risk decisions based on what will affect their business operations versus what will protect them from a cyber incident. There's no like real easy answer for that. I see a lot of security professionals just like slamming businesses for not doing the smart thing. But like, if you really analyze the decisions that they have to make, it's way more complex than then most people think. And I think it's important that we have empathy with these businesses, and we help them make calculated risk decisions instead of you have to always do the smartest security thing.

[00:13:46] CS: Or are you aware that you're not doing this? How dare you and stuff like that?

[00:13:50] AF: Right. So, I think I think that's probably my biggest criticism is the lack of empathy for victims, and I've seen people laughing at victims for leaving themselves open in such a stupid way. That's not productive, that doesn't help anyone. These people aren't security professionals. They’re great at producing whatever their business produces, right? And so, like going to them with empathy, going with them to help them make calculated risk decisions where they know, okay, maybe we're not going to close this loop, but we're going to do these mitigations to help protect against consequences of this, of someone who could take advantage of this vulnerability. Those are the kind of decisions that need to be made.

[00:14:37] CS: Yeah, I totally agree. I mean, we've really gone away from saying things like, the weakest part of the chain is the human because it just makes it – it really does sort of put it as like you're thinking of them as the sort of ticking time bombs or something like that. It's like another human being is going to make a mistake. Don't put that much on them, it's not going to help.

[00:14:59] AF: Yeah, and you know, people are going to click on malicious links. It's going to happen. And it's not that they weren't trained properly, or they don't know what they're doing. I've seen some really excellent, really excellent phishing emails that would trigger pretty much anyone because it was tailored and focused and timely about some particular topic that was –

[00:15:20] CS: Caught them in a moment when their guard was down, or they're tired.

[00:15:23] AF: Exactly. Or sometimes you're on your phone at the airport, and you're just scrolling through your work email real quick before you get on a flight and you click something and not even realized it because your thumb hit your screen. It’s really not about like blaming the user so much as it is, being able to detect when something like that happens quickly. Removing the fear from people for reporting that they accidentally clicked something, because you want them to report it right away. You don't want them to try to hide it, right? And then having your system instrumented enough to detect follow on actor activity so that you can find them, you can evict them, and then you can kind of shortly backtrack to where it came in, and then shore that up.

[00:16:11] CS: Alright, so let's move on from that the topic of conversation for today. I wanted to have you on the show because your introductory statement was pretty bold, and different from what I normally hear from guests. You said in your intro, “The only way to truly disrupt the ransomware problem is to target the actors themselves, dismantle their organizations, degrade their capabilities and shatter their sense of invulnerability. They need to know that they are touchable and will face consequences for their actions.”

So, tell me more about this. This sounds very much like we've moved from playing defense to going on the offense and taking the fight to the cyber criminals. And I feel like even a couple of years ago, I was not hearing many people say, “Oh, yes, let's hack back.” So, can you explain what's changed and what this means in terms of the way the industry operates right now?

[00:16:56] AF: Okay, so first of all, I definitely don't want to use the term hack back. That is a very charged term, and it means different things to different people. I'm certainly –

[00:17:08] CS: I think that’s why I was so surprised. Okay.

[00:17:10] AF: I'm certainly not advocating like, hack back and what most people consider hack back. But what I would say is that most of the cyber criminals that are out there today, that are causing the biggest problems and the most damage, are operating from countries where the national government is sheltering them, either by actively working with them, or by just ignoring what they're doing, because they're happy about the havoc that it's causing in the West, right?

So, that's where we need to really turn the tables on these actors who are operating from sanctuary, essentially, where there, there is no way for them to feel consequences for what they're doing and they can just continue to operate and operate and operate. So, what really needs to happen here and this has already started, is that we need to treat this like a national security problem. I was actually a member of the ISP Ransomware Taskforce. We got together with a bunch of groups from industry, from government, and we walked through how we could build a framework to actually turn the tables on these actors. We came out with a report in the spring of this year, which was actually passed on to the Biden administration and they have already adopted many of the recommendations that we put together in that framework. And that included really treating it like a national security problem.

Once an issue gets that designation, it's a formal designation that the government can do, that then brings many, many resources to bear against the problem. So, all of the groups that were already working ransomware hard, like FBI and CISO and, and other other State Department, other parts of the government that were already trying to work the issue, they get more esources to help enable them to do more, that not operating with their hands cuffed quite as much. But then it also brings other resources to bear because it's no longer just a criminal matter. It's a national security matter.

So, you can imagine, the intelligence agencies, military intelligence and other capabilities are getting spun up, to be able to look at these bad actors and go after them with techniques that would normally not be used against criminal actors. So, that's where you start to turn this into a carefully driven active campaign. where the government and the private industry are working together to not just protect victims, but also identify the cyber criminals where they are. But that information all together, feed that information to the governments of the world, and then that would do a couple of interesting effects.

Number one, let's say the FBI reaches out to their counterparts in Russia, and they say, “Hey, we have information that these cyber criminals are operating from your soil.” And if they produce, you know, an incredibly detailed docket of information about these people, it's much harder to deny, right? So, you can really see whether or not that that country is being a good partner, or whether they're not being a good partner. And it becomes very evident very, very quickly. If that becomes evident, that would allow the governments of the world to start adding political pressure and financial pressure and other types of vehicles, to put pressure on these governments to comply, if they're not willing to do it just as being good citizens of the world.

So, you're adding this knowledge to this train that will then drive either compliance, or prove that they're not going to be willing to comply, no matter how accurate the information is, right? That’s when you start to drive other types of operations out there in the world that can start disrupting these actors, even if the local government is not going to be helpful. I'm sure you can imagine, there are lots of things that our intelligence agencies can do that will make life really, really hard for these folks, so that they will not be able to conduct as many ransomware operations per year, because they're going to be busy trying to hot find a rock to hide under so that they don't end up having problems.

[00:22:14] CS: So, what needs to happen globally, to sort of set this intention and act on it? How would the tools and tactics have to change for us to go on the offensive in this way?

[00:22:22] AF: So, I think this is definitely an international problem, this is not just a US issue. There are many countries around the world that have a lot of very powerful capabilities, that if they are all used in concert, in a coordinated campaign that's intel driven, that working together, they're going to be able to bring a lot of pressure on the cybercriminals directly, and also on any governments that are trying to shelter them.

[00:22:58] CS: Okay. Can you give me sort of a tactical plan, going from personal company, person or company gets hit with ransomware, and then sort of follow the chain all the way to ransomware where criminals are breached and taken down?

[00:23:15] AF: So, honestly, I don't think it'll go that way. Because we already know who the major ransomware groups are. They have been tearing apart companies in the US in particular, for the past 18 months and a little bit longer. It's been just getting worse and worse and worse in this huge building campaign. So, a lot of the the bad actors out there are already known. So, we don't need to wait for them to hit somebody and then trace them back. So, there's already sort of a list of really bad ones.

From there, the security community has really in-depth knowledge of this problem, because we have been fighting this, in the trenches trying to defend our clients and customers for like, almost two years now against this massive broad. So, there's a really good opportunity here for the government to take advantage of all of this private industry knowledge, and be able to ramp up the activity that they're starting to put together with all of this expertise that we have learned over the past few years, they'll be able to go from receiving a new mission that they've never had to deal with before, to all of a sudden, having all this expertise that they can then drive operations with very quickly.

So, the opportunity that exists here is really for the government to take advantage of all of this expertise that exists in the private industry, and just like get their operations going as fast as possible, effective as possible, and start to really have a tangible impact as quickly as they can.

[00:25:07] CS: All right. So, let's talk about that in regards to, as you say, the talent pool and the people who are available for this sort of work. For listeners who are currently on their cybersecurity journey or building their skills for a future career, can you talk about what kinds of activities accomplishments or education or anything that they need to do this type of work of working against ransomware, and sort of taking the fight to the cyber criminals?

[00:25:33] AF: Yep. So, I would say that in my experience, that it's not about what particular training someone has, what particular certifications they get, what their particular degree program was in. What I look for in people that I hire for this kind of work, is I look for a person that is hungry for knowledge, someone who has this constant curiosity about them where they are learning things in a self-driven way. They're the kind of people who will tear something apart until they figure out how it works. These are the traits that really make a good analyst, that really make a good engineer.

I find that the specific tasks can be taught to anyone who has these traits, right? If they have a strong work ethic, and they are pushing themselves and not having to have someone else push them, they have a positive attitude, and are good at collaborating with others. They learn from other people, they're not embarrassed about making mistakes, they can make a mistake and learn from it and then grow and evolve. People with that kind of an attitude is what I look for. And then we can teach them, any of the specialized skills that they need to learn, because you can't really teach that other stuff. That's just kind of inborn. That's just who they are. That's the kind of person we look for.

[00:27:15] CS: So, when you're looking for that sort of person, you're going through your pile of resumes or whatever, what are some things you absolutely need to see in the person's background? Or what how do they sort of convey this sort of self-learning? What are some things where like a bell goes off? Oh, this looks promising.

[00:27:34] AF: So, when looking through resumes, I don't want to see like a list of technologies that they're familiar with. I mean, that's useful, it's good to have, but like, I want them to show me a little bit about how they think. So, a little bit of pros in there goes a long way, to talk a little bit about like, what they care about, what they're interested in, what they want to do with their life, having that in the resume starts to give me a sense of I want to talk to this person. They're not just a list of skills, right? I started to see kind of who they are, and that will make me put that resume on the top of the pile instead of just straight up list of tools and technology.

[00:28:21] CS: The alphabet soup of certs. So, turning to the ransomware, it seems like both you and FBI Director, Christopher Wray, are of the opinion that you shouldn't ever pay the ransom for ransomware. And public opinion on this does appear to be moving in the direction, this direction for a number of reasons, at least of which is that money goes to fund criminal activities. I think that some companies are eager to throw money at the problem, just make it go away quickly and not disrupt operations. So, to that end, can you talk about some security recommendations that you have, so that when your company does get hit with ransomware, you're in a better position and able to resume operations without paying a ransom?

[00:28:58] AF: Yeah, absolutely. So, I'll start with the caveat of sometimes paying the ransom is the only thing a company can do. So, I won't say never pay the ransom.

[00:29:10] CS: Yes. My previous guests would say, yeah, when lives are at stake and hospital or things like that.

[00:29:17] AF: Sometimes, you know, a company just wasn't ready for it and they got hammered and they really have no other way to get out than to pay. That’s fine. What, what, what I recommend and what Redacted recommends is that people try to pay the ransom as an absolute last resort. They do everything else first. So, that includes having really good backups that are kept offline. There's no way for the actors to get to those to corrupt those backups, so that you'll be able to restore business operations, as quickly as possible without having to pay the ransom.

One of the things that that makes that more complicated now, is that they are – is that almost every one of the ransomware actors are doing what's called a double extortion scheme, where they are exfiltrating a bunch of valuable data first, and then they threaten to leak that data on the internet, or they threaten to sell it to your competitors unless you pay. No amount of backups is going to save you from that. The security recommendations that we have to go along with this threat is really about protecting the crown jewels of your company, as securely as you can in such a way that even if they do steal a bunch of valuable information, it's not going to be the stuff that's going to cripple you. It's not going to be the stuff that destroys your company. It’s not going to be the stuff that is going to make your competitor suddenly have an edge over you.

So, whenever we do a security assessment, one of the very first things we do is we help a company identify what are your real crown jewels? And how can we secure those in such a way that even if an actor does get into your network, getting to those crown jewels is going to be so hard and so time consuming, that they may never get to them, right? And then that reduces the value of what is stolen and it reduces the impact of what is leaked. If a company does this the right way, the ransomware actor can threaten to leak the information that they stole and the company, you can just make an educated risk decision to say, “Fine, leak it. We don't care, we're not going to pay you.”

[00:31:37] CS: Yeah, you've got nothing. You don’t have enough cards in your hand. So, can you sort of talk about – I mean, I think those are great policy recommendations. Can you talk about, like the logistics or the financial cost of sort of changing your security around that? Because I mean, that sounds so sort of lucid and logical that obviously, if it were easy to do, like everyone would have done it by now. So, what are the steps to get your company towards that? I mean, I imagine the first part is letting your board know, the sort of severity of the possibilities and get them to take action. But how do you move towards something like that?

[00:32:18] AF: Yeah, going from whatever your current state is, to being like, as secure as humanly possible is, is a journey. It's not something that will happen overnight and it's not something that will happen without cost, right? What really the best way to go about that is to do it in pieces, and be constantly improving things, doing it in such a way that the members of the board or the members of the C suite, are giving their security team enough funds, so that they can be constantly making these improvements. I've seen where most companies go wrong is where they don't fulfill their CISO’s budget. When they they keep cutting and cutting the CISO’s budget, then all of a sudden, some security incident happens, and then they blame the CISO because of the security incident happened.

[00:33:22] CS: So, I understand, you're saying that, like they give a sort of larger than average budget to the CISO, and then the security team doesn't use the whole thing. And they say, “Well, obviously, you don’t need that much money”, and so they cut the funds back or no?

[00:33:33] AF: No. What I’m saying is, like, often the C suite will cut the CISO’s budget. He’ll submit a budget request, and they’ll say, “No, you can have half of this.” Then the security side of the house doesn't have the resources that they need in order to secure it properly. But then they still get blamed for it anyway, when something goes wrong. So, it's really, really important for that that carefully thought out budgeting happens where yes, you have to fund business operations. it's absolutely essential. But you also have to to fund security and you got to figure out where is that level of risk you're willing to take. Because at some point, you're going to have to say, we don't have infinite resources, so we're not going to fix every security problem. We're going to make an educated decision as to leaving these risks out there. But we're going to mitigate these more serious risks, right? If you're doing that on a constant basis, every year, continually improving, you're getting your company into a better and better place.

[00:34:40] CS: Gotcha. So, looking to the future, with this new paradigm for ransomware and cyber-criminal activity that you're hoping for in terms of stopping it at the source, can you speculate on what these types of cybercrime will look like in 5 or 10 years?

[00:34:56] AF: Well, I think that if we, as a nation international community are able to really bring consequences to the doorstep of these cyber criminals, that they are going to have to change what they're doing in order to stop having this pressure, constantly coming down upon them. So, they're going to basically have to switch from what they're doing now, which is, these ransomware operations are relatively easy right now. They can get in, they can conduct the operation and get a huge payout in a very short amount of time. So, it's tempting.

This is what's drawing all of the big cyber criminals from doing these harder, harder operations, like against banks, and they’re just doing and doing ransomware. But because these ransomware operations have tripped the national security alarm, now the heat is coming. So, what they're going to have to do in the future to get this heat off of them is to figure out where is that line of what trips the national security alarm and make sure they stay under it, so that they are conducting certain types of criminal activity that are not threatening a country's national security, and then that will help them slip back under the radar to continue doing what they're doing.

Because let's be honest, these are no kidding criminal enterprises. These are business. Think of it like the mafia. They're not going to stop committing crimes. But we want them to stop committing crimes that are causing havoc and damage. So, if we can drive them into doing other types of cybercrime that are not as damaging, that is a victory.

[00:36:57] CS: We had a guest on talking about you coauthored the Muhammad report, and just the depth of the materials that they were using to fish people and stuff was just staggering to me, like they created this entire world. I mean, that's a big jump from malware as a service or, you know, just buying something for $250 and crossing your fingers.

[00:37:22] AF: Absolutely.

[00:37:25] CS: So, thank you for speaking to me. This has been a great chat. As we wrap up today, tell me about your company Redacted and what services you offer to your customers.

[00:37:34] AF: So, we are, what I describe as an end to end security company. We will help a company, like I said earlier, look at their network, identify where their crown jewels are, and then help them redesign their network so that it is built with security in mind. We also provide MSSP services, so we will monitor a client's network looking for alerts. If we see anything that looks out of the ordinary, we conduct investigations. If it does turn into an incident, we have an incident response team as well.

But prior to any incidents happening, we also have a very talented penetration testing team that will use to go and test client networks and then help them build or put patches on the holes that we find. So, we really kind of do end to end security service for these companies. We even have a virtual CISO program. For companies that can't afford to have a CISO of their own, we will essentially farm one out to them part time that will help them get all their security policies up to date, at a much lower cost than having to hire your own CISO. So, we really focus on small to medium businesses, is sort of the main market that we go after, people who don't have huge security budgets or a lot of baked in security team knowledge. But we do have some rather large clients as well, because you can imagine the kind of custom work that we do is very desirable for certain really large companies.

[00:39:18] CS: Sure. Especially, if you're starting a new department or whatever. I mean, that's really interesting to hear, because I'm assuming, you're offering this sort of CISO services with the idea that they're eventually going to sort of hire of their own and you're not just – it’s like training wheels basically, right?

[00:39:33] AF: Exactly.

[00:39:36] CS: All right. Well, finally, last question for all the beams, if our listeners want to learn more about Adam Flatley or Redacted, where can they go online?

[00:39:43] AF: I'm on LinkedIn, I'm on Twitter, or they can check out our company website.

[00:39:50] CS: Okay. And that is?

[00:39:51] AF: That is redacted.com.

[00:39:53] CS: Redacted.com. Okay. Adam, thank you so much for joining me today. It's been great.

[00:39:56] AF: All right. Thank you for having me. I really appreciate it.

[00:39:59] CS: As always, I'd like to thank you everyone who is listening and watching today. New episodes of the Cyber Work podcast are available every Monday at 1 PM Central both on video at our YouTube page, and on audio wherever find podcasts are downloaded.

I'm also excited to announce that our Infosec skills platform will be releasing a new challenge every month with three hands on labs to put your cyber skills to the test. Each month you'll build new skill ranging from secure coding, to penetration testing, to advanced persistent threats and everything in between. Plus, we're giving away more than $1,000 worth of prizes each month. Go to infosecinstitute.com/challenge and get started right now.

Thank you once again to Adam Flatley and thank you all so much for watching and listening. We'll speak to you next week.