Darknet Diaries - 167: Threatlocker
Episode Date: December 23, 2025
A manufacturer gets hit with ransomware. A hospital too. Learn how Threatlocker stops these types of attacks. This episode is brought to you by Threatlocker.
Sponsors
This episode is sponsored by ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.
Transcript
Hello, hello! Today's a great day, isn't it?
In this episode, I'm going to gush about Threat Locker.
Why? Well, currently they're my biggest sponsor, which makes them my favorite sponsor.
But what I'm saying is that this whole episode is brought to you by Threat Locker.
But don't worry, I found some pretty great stories from them,
which I think you'll find interesting and educational.
So, let's go.
These are true stories from the dark side of the Internet.
I'm Jack Rhysider.
This is Darknet Diaries.
Do you want to mention your name or company name, or do you want to keep that out?
No, I'll keep that out. I'll keep that out.
I guess that's just to do with the fact that we don't want
people to know what we use.
Yeah, I feel the same way.
Everyone's asking me, like, what do you, what's your privacy stack?
And I'm like, if I tell you, now you know exactly how to target me.
Yeah, it's happened.
Exactly.
Okay, so the first question was, who are you, what do you do?
Yeah, I can generalize.
So I'm the group head of IT operations for a manufacturing company.
And I look after the operational running of the IT across the business.
We're a thousand employee business
operating across 17 different sites
in the UK and Europe.
I look after the security, cloud, operations, infrastructure,
servers, client, support, etc.
Okay, you get the picture.
This guy manages a huge network with 1,000 employees,
which probably means there's like 10,000 computers
that are all up and operating.
Picture a factory.
No, picture lots of factories.
Spread all over Europe.
Yeah, we have.
distribution centers, offices, and big manufacturing sites.
So, how's the network holding up? Have you had any problems?
I mean, right now we're in a good place. If you rewind back five years ago, we were in a very bad place.
What happened?
Well, unfortunately for me, I was actually on my way on holiday.
So I was in the process of driving the family down to the south coast of the UK.
And I got a phone call.
I remember the exact words.
One of my technicians said,
I don't mean to worry you,
but something worrying is happening.
And I was like, okay, calm down and explain exactly what's happening.
He was like, I've just had a ticket in where somebody's
tried to go to some files and all the files are all renamed.
And I was like, what do they say?
He was like, they all end in the word dot conti.
I was like, oh no.
Yikes.
Conti is a type of ransomware.
It's kind of more than that, actually.
It's practically a full company
that's in the business of ransomware.
They're Russian based, and they build the ransomware,
but then they have sort of an affiliate program
that someone could use their ransomware
and go infect a company,
and then that person will get a cut of the money
if the company pays a ransom.
It's devastating and brutal to be hit with it,
and this doesn't sound good at all.
So I had to make phone calls.
I continued to drive the rest of the three hours
remaining of my six-hour drive
because I had my whole family with me
drop them off
and then turn around and drive six hours back
making furious phone calls the whole way.
Yeah.
Oh my gosh.
Is there a protocol?
Is there a go-to run book or something
that like, okay, if ransomware comes in,
here's the button we hit.
We've got to turn the network off as fast as we can
or something to keep it from spreading.
Do you have a procedure in place?
We do now.
We didn't then.
A number of the people in my team had experienced situations like this, kind of,
but not on the scale that we got here on this.
And I know five years ago, it was a long time ago,
and a lot of things have changed,
and a lot of things that people are more aware of what to do
and to have those sort of playbooks in place.
And we had an element of what do we do,
And the first thing we reached to was, let's turn everything off.
But too much turmoil was going on, making too many calls and trying to deal with everything.
And I just remember at one point, my senior infrastructure engineer just told everybody to shut up and give him five minutes to think because everybody was just asking too many questions.
And we were trying to work out how we respond to this.
Yeah, yeah.
I imagine it's a really hard time to focus.
So how bad did it spread, or how bad did it knock you out?
Well, in the space of 15 minutes it encrypted all 250 servers, and like I said, it hit about 350 endpoints as well.
So the 250 servers, were those all Windows servers?
Yes.
Okay, so your whole infrastructure is down.
Yep.
Jeez. I mean, that sounds like business is going to stop.
Yeah, and it did. It stopped at that very moment in time.
And we assembled a team. I had a very nervous six-hour drive back, making loads of calls to everybody, trying to work out what's going on, work out which way to go, had to get people to sites.
This was on a Friday evening, afternoon, around about quarter past four, that it happened, which is quite a common tactic used, because people are just switching off on a Friday afternoon.
And we pretty much just had to turn everything off and then work out where we go from there.
Give ourselves some headspace to think, because it was just too quick.
We just couldn't react to a 15-minute window.
A lot of CISOs and CEOs reach out and they say,
I would like to be a guest on your show.
And I always say, well, only if we're going to talk about the worst day of your life.
That's the kind of stuff I'm interested in.
Would you say that this was the worst day of your life as far as career-wise goes?
I say that to everybody I talk to about it, which I don't actually like talking about.
It has taken me back to that day, that, you know, sinking feeling in your stomach.
it is absolutely the worst, stressful situation I've been through in my career, hands down.
I think I did 27 days straight after that.
Yeah, I mean, you've got to even worry if your job is on the line here as well,
because if you're the one in charge of this sort of stuff, and now this is what happened.
There are people blaming you.
Well, I mean, that's the first thing that comes into your head.
Well, after you've tried to work out how to deal with everything, you think, am I going to get blamed for this?
But then very quickly after that, you realize you've just got to focus on actually doing what you are paid to do.
Because ultimately, you know, hackers and people that are trying to attack you are trying to attack you all the time.
And it's a constant battle.
Okay, so you drive back frantically, you arrive late night, Friday.
Do you go right to the office in the night?
Yep.
Wow.
And then, so, okay, so, I mean, there's a lot of people out there, you know, armchair experts that are just like, well, you just restore it from backup.
Like, what's the big deal?
I mean, the problem of that is you don't know whether they're in the backups.
You don't know whether they were already in your environment and they were just waiting for the right time to push the button, which we thoroughly believe they were.
So what we focused on was stopping everything
and then working out how, how did they get in,
where did they come from,
what method did they use to actually spread and initiate the attack?
Good point.
It's like trying to set up dominoes when your cat is on the table.
You want to get rid of the threat and the network
before beginning to restore it.
If you restore and the thing just reinfects you,
that's a waste of effort.
And maybe it'll show them where your backups are kept
and affect those too.
So once we'd worked that out,
we then established a process to be able to check our backups,
check each VM as we brought them back online.
We established a protocol for rebuilding machines.
We printed signs off at the doors of every office
and told people where to go with their machines so that we could rebuild them.
We kind of employed the whole red, amber, green process.
What's the red, amber, green process?
So every laptop until it's checked is considered red.
Then it goes into amber as it's being worked on.
and green, it's good to go back to the user. Pretty simple, but it keeps it easy to manage, because
you've got a small team, and I have a team of, there was 10 of us at the time, and you're managing
the throughput of upwards of 600 laptop users at multiple sites. So you need a process to check in,
check out everything.
Yeah, I mean, their devices were toast and you were just reimaging them from a fresh image, right?
Yeah, but we'd lost our imaging service.
Oh, jeez.
Yeah, so we had to rebuild them manually for a while until the process, the team that
were dealing, my sort of sub-team that were dealing with the servers, were to the point where they
were bringing the imaging servers back up. And then you've got users wanting to know
what's going on. You've got middle management, senior management, board of directors, everybody
wants to know what's going on, and that completely flusters the situation, so you can't
understand, you can't get a clear head to actually focus on the task at hand.
Yeah, I imagine there's a bunch of emotions to manage in this, which is stuff I don't think anyone talks about, right?
You look at the CISSP manual and they don't explain, okay, well, you're in the middle
of a breach situation, here are the emotions you're dealing with and how to detect them and what
to do about them.
Oh, there's definitely, you know, moments where you kind of just sit there
and you feel like
You feel like maybe you can't actually do this.
Maybe you can't get it back.
There's an element of shaky hand syndrome,
and anybody can claim to be cool and calm
until they're actually in the trenches with this situation.
There was a lot of team fighting and arguments
and falling out and people popping under the pressure.
It was a hell of a ride.
When you say popping, what was some of the stuff you were thinking?
Well, I had like a team member
walk out because he didn't agree with a certain methodology to fix one thing, and another team
member fall out with another team member, and arguments happening on meetings while we're trying
to work out what's the best methodology to bring something back online or to grant somebody
some slight access. Because I turned around to the business and said, look, I can get us back
from backups in about five days, but if you really want the best solution, give me three
weeks and we will build it back how it should have been done in the first place.
What a proposal for leadership to decide on, huh? Business is down. There is no manufacturing happening, no shipping, no
revenue coming in. And the question is, do we get business back up as fast as we can, or, because
those old systems are end of life and need to be replaced badly, take advantage of this outage
and upgrade everything properly and build for the future? And of course, this incident is all that
the business leadership can focus on.
All other meetings and projects are canceled until business can come back up.
Okay.
So what path did they choose?
Five days, three weeks or somewhere in the middle?
Really?
They wanted the whole thing.
I mean, that's an ambitious thing to say, I'll redo the entire infrastructure properly
this time.
Three weeks, they didn't mind being down for three weeks.
Well, sort of what I did was make sure that certain services came up as reasonably
quickly as possible. So, you know, email communications and then focused on a major system of here
or a major system there and slowly brought everything back on. But, you know, by getting some of those
primary services back up and running, I was able to then get the headspace to concentrate on the other
80% of the business. And the business accepted that there would be some interruption in that
process and they wouldn't necessarily get everything back. So a good example was we didn't turn
Wi-Fi back on until the very end of the three weeks, so nobody had Wi-Fi.
That was to stop rogue devices turning up and undoing all our hard work.
What if there was still something running on a laptop that we hadn't got to or identified?
Internet was shut down at every single site, and then we only, we kind of had like a board
where you had every site and all the services and sort of, again, the red, amber green of
when we are ready to start bringing stuff back on.
Ah, yeah, that's got to be the moment of truth, you know.
When you flip the switch on and bring the network back up,
are you sure every device got cleaned up?
Because Conti is notorious for spreading quick.
So if you bring the Wi-Fi up and there's just one device that's still infected,
it will try to spread all over again.
They really need a solution that could give them visibility
and, crucially, be able to stop this from spreading again.
We bought Malwarebytes, the enterprise platform version of Malwarebytes,
and paid quite a lot of money for it, but quite quickly found that it wasn't really doing the job that we'd hoped. It was good as a helper, as an assistant, to check machines for being clean, servers and whatnot, but it didn't really do everything. It was more, in the traditional sense, a signature-based scanning tool more than it was anything else, and it found some registry entries and things. So then we started looking, well, what do we actually need to put in place? We need an
endpoint solution, an actual proper EDR, but we don't feel like that's good enough or
going to protect us 100%. So we probably need something that's going to do application control,
as in application whitelisting. So I reached out to a bunch of suppliers whilst the sort of
end, tail end of that three weeks, and was like, can you find me something that does this?
And one supplier actually said, oh, we use Threat Locker in our environment ourselves. And so I
jumped on a call and had a demo, looked at the software, and I was like, that's amazing.
I need that right now.
And that's where we discovered Threat Locker.
So what was amazing about it, do you?
It stopped everything from running if you didn't allow it to run.
It's as black and white as that.
Hmm.
Stops everything from running?
Okay, let's think about that.
You know the difference between a router and a firewall?
They're both network devices.
They look at the packet coming in or the data going in and then to decide,
where it needs to go and then send that along.
At their core, they're very similar.
But there's a big difference.
A router really, really, really wants to get all the packets to pass through it and on their way.
But a firewall really, really wants to stop every packet from going through it.
See, by default, a router permits everything, while a firewall will deny everything,
which means the firewall acts as a security guard, stopping everything it doesn't like.
But the router acts like a public park.
Just anyone could come and go.
And so you have to poke holes in the firewall if you want anything to get through it.
So the question is, when you go to run an app or a game or anything on your computer,
should it act like a router and just permit anything you try to open?
Or should it act like a firewall and say, hold on, buddy, you need a permission slip to open that.
Traditionally, all our computers just do what we tell them to do, which makes sense.
Open app.
Okay, done.
Because when you need to use an app, you obviously need to use it.
But the thing is, malware is tricky, it's sneaky, it's hiding, it's being quiet.
But it's also opening and running and doing stuff without us seeing all secretly in the background.
So what Threat Locker does is it says, okay, let's start by blocking every app from opening and running.
But if you, the user, wants to open something, just ask and we'll let you open it.
We just want to block apps that you didn't try to open or apps that you don't actually need.
And we figured in a world where we've just been absolutely burnt to high hell,
we need to stop everything running unless, of course, we allow it, every single device,
server client.
We needed to know that it was not going to run anything that we did not want it to run.
And a supplier was using it in their own environment, which is always a very good sign,
that if the person trying to sell you it, is also the person that is using it.
And we were like, yep, how quickly can you get me the installers?
So when you get Threat Locker, it goes through a learning period where it just listens and allows everything.
And from there, you get a sense of what apps everyone in the business is using.
And so you add those apps to the Allow List so business can continue and then switch it over to Secure Mode,
where if your app isn't on the allowed list, now it's going to be stopped from running.
It just says no, and it comes up and says, it's been blocked by Threat Locker.
You can request it.
And then when you request it, we have a portal where we can just say yes or no.
And then there's a lot of tinkering with how you set up the policy,
but we pretty much just say no to everything.
And so how annoying is this to the users? Like, you know, you imagine
some people are just like, you can't run anything on this laptop, why?
This is stupid. Like, do people complain a lot about it, or are they okay with it?
maybe they did originally and I think even if they did complain
you've got such an easy card to pull out you could just be
like, okay, back in 2020, let me tell you what happened.
And we cannot afford to have three weeks of outage again because this is very serious stuff.
I've used that so many times.
And I turn around to the users and go, you can't have this piece of software and they'll
be like why.
And I was like, because it's open source, it allows plugins, we don't know whether it will
be safe and it could be exploited.
And I'd say, do you want to be the reason that this company gets hit?
it again, and just put it on them. Or if they escalated to their director, okay, then I'll say to the
director, do you want to be the person that authorized this software that takes the business down?
And people back off really quick when you say that.
Yeah. Okay, so since getting Threat Locker,
any big security incidents?
No, but I don't like saying that, because I don't like tempting fate.
Yeah, exactly, right.
But no, we haven't had anything.
I hear you sighing like that.
Yeah, I don't like saying it.
Ransomware is the most successful business model
cybercriminals have ever invented.
The people infecting us with ransomware
are making tens, if not hundreds of millions of dollars
by hacking into a company,
locking up their data, and holding it for ransom.
It's on the rise even. Just last month, I heard it's more ugly than ever. It's also one of the most disruptive types of cyber attacks. When a company gets hit with it, it becomes a huge deal. Companies have gone out of business from ransomware. So I wanted to talk with someone who defends companies from this type of attack.
My name is Hunter Clark. I'm one of the cybersecurity engineers at ARC technology consultants. My main focus is around endpoint security and how we can help organizations implement some of those zero trust principles in their organization.
ARC is an MSSP, which is a managed security service provider,
which means they take care of a bunch of people's networks.
A lot of businesses don't have a cybersecurity team to keep their network safe,
so they hire an MSSP who can keep an eye on everything and help keep it secure.
And one of the networks he was put in charge of securing was a hospital.
Yeah, there's a lot of servers in the environment that run, you know,
applications that are critical, like imaging software,
solutions that the doctors leverage to diagnose patients.
A lot of it runs on servers.
So those are typically what we try to secure.
So he took a look at this hospital's network,
and it didn't have very sophisticated security tools.
So he and his team brought in Threat Locker,
installed it on all the servers and computers,
and went through the learning process of what apps are normal in the network,
and then locked it down so no new apps could run.
Along with that, they installed an EDR, an endpoint detection and response tool, to monitor for suspicious activity.
And then they suggested adding multi-factor authentication or MFA on all the internet-facing
portals and computers, but the hospital said no.
They didn't have the budget for implementing MFA.
They didn't want to have to train users on how to use it, doctors complaining about having
to use MFA.
So they did not have MFA.
Okay, well, if they don't have the budget, they don't have the budget.
You do what you do to protect them with what you've got.
But late one night, something happened.
The incident originated, obviously, in the middle of the night, as all incidents do.
But we got a call from the EDR-MDR solution that we were using, that there was someone in the environment.
And this is something that people should consider is that not all MDR solutions are created equal.
Some of them will pull the fire alarm, but not help you put out the fire, right?
So they'll let you know something's going on, but not necessarily step in to stop it until they're able to get a hold of you.
And in this case, you know, it happened at, you know, 3 a.m. and they're, you know, we received the detections that something was going on.
And we're able to then, you know, early the next day, 5 a.m., 6 a.m., whenever we got up, start investigating what had actually happened.
And that was whenever, as part of that investigation, we started looking into Threat Locker logs to see, okay,
what actually, what did the threat actor try to do,
what user account was likely compromised,
seeing the threat actor bounce around to different servers.
And that's whenever we saw that Threat Locker had blocked
the solutions that the Threat Actor had planned on leveraging,
such as AnyDesk and Rclone.
Someone got into the network, gained access to a Windows server,
tried to infect it with ransomware, but Threat Locker denied it.
Nice.
Okay, but how did they get in?
The Threat Actor had bought credentials off the dark web for a domain administrator account for the environment
and was able to just remote in through the VPN and had full domain admin rights across the environment.
Ah, that darn VPN.
I mean, VPNs are great.
It allows you to connect securely into a company from home or on the go.
They are essential even.
But they also are exposed to the internet.
They're a portal into a company's network.
But that's something that should be super secure.
since it is out on the internet.
But in this case, all that was needed
to get into this hospital's VPN
was a username and password,
which happened to be for sale on the dark web.
How wild is that?
A username and password is not good enough
to keep people out anymore.
One of the questions that came up
was would MFA have prevented this event from happening?
And it was a pretty clear yes,
if MFA would have been implemented,
then at least that initial access,
the threat actor would have had to find a different way in
than through the VPN.
Anyway, this is why there's defense in depth.
You want layered securities so that there are multiple places that should have stopped this attacker.
And they were lucky that they had Threat Locker to stop this.
But this attacker was clever and motivated.
And even though they were stopped, they weren't done yet.
This hospital system used to be made up of multiple different hospital locations.
A few of them had been sold off, but they still needed to maintain VPN tunnels between the sites
because of certain application dependencies that the hospitals hadn't
had time to build in their own environment.
So because of those VPN connections to the threat actor, it looked like it was just one
network, right?
It probably looked to them like it was just one big connected network, but really they ended
up bouncing to a different hospital system that was not a customer of ours that actually
did not have Threat Locker in the environment, and was able to deploy what they needed on those devices.
Oh no, they bounced from this hospital to another hospital that was connected internally
and were able to do damage there.
The threat actor ultimately reached out later that week saying, hey, you know, we compromised
your environment, we have terabytes of data.
And they wanted the hospital to pay hundreds of thousands of dollars in ransom to get it back.
Whenever this happens, right, the company, if they have cyber insurance, they should read their
cyber insurance, because it probably says in there that in the event of an incident you need to call
us, because we have incident response companies that we trust that we want to have involved in this.
So that's what happened, and as part of that cyber insurance there's also usually some sort of, they
will negotiate on your behalf with the threat actor to try to get that ransom cost dropped as much as
possible. So with the knowledge that we had from Threat Locker being able to see, they were able,
I know, to drop it by quite a bit.
I can't take, I don't know exactly the number it dropped,
but I'd heard that it was,
they were able to negotiate pretty effectively
because they knew what the threat actor actually had been able to get to.
Okay, so they lowered the ransom and then they paid the ransom?
Yeah, this hospital system did end up paying the ransom.
The hospital was able to ask the threat actor,
hey, how can we improve, how can we get better?
What should we be doing?
And the threat actor responded, saying that they quickly realized that Threat Locker was on the Windows devices,
so they knew that they wouldn't be able to use those for the purposes that they intended,
and they began to pivot to other locations in the environment.
They did not have Threat Locker.
Tell us who you are and what do you do?
So I'm Danny Jenkins, I'm CEO and co-founder of Threat Locker,
but what I do is really build solutions and educate the world
and how denying by default is the best way to address security
and it doesn't have to be difficult.
So you started Threat Locker.
How did all this get started for you?
The first thing is I wanted to do something fun
and I started doing some ethical hacking.
I ended up doing more ransomware recoveries in ethical hacking
because people were calling me and I wanted to make money
so they say, hey, I've been hit by ransomware.
can you help with this recovery?
We paid a ransom.
And there was this particular case in Australia,
which was the first one I dealt with.
It was an insurance broker,
so about 50 employees insurance company.
And I got called in by the MSP, managed IT company,
to help with the recovery.
And I came in, and they paid this $22,000 ransom,
and they hadn't got their data back.
So they got some keys, but the keys didn't work.
They weren't decrypting the files.
Their exchange database was encrypted.
Their SQL databases were encrypted.
Everything was encrypted.
and broken.
And they'd asked me to come in.
So we start trying to reverse engineer the code,
see if the decryption keys are in the code,
try to use low-level data recovery tools
to get things from the disks that had been deleted
or written over for encryption.
We're recovering from OST files through email databases.
We're trying everything we can
to get this company back up and running.
And during the recovery,
the owner of the company called me
and he got quite, first he got quite mad
and he was like,
well, when's this going to be done?
I've been waiting two weeks
and I still have my servers off and running
and he's getting quite mad
and I was like, look, you need to be realistic here.
I'm trying to recover your files,
but you have everything encrypted,
you have no backups,
you've paid a ransom,
you didn't get your data back,
and I don't know if it's going to be back,
and we're doing everything we can
to make sure you can get your data back.
and it then turned into quite an emotional call
and his voice started crackling
he started almost crying down the phone
and I got really awkward at that point
because I really didn't know what to say
and to me this was different
because every other cyber,
I call it cyber attack I dealt with,
every other malware attack I dealt with
because prior to 2014,
most malware attacks were really just IT issues.
It was, you know, you're getting adverts,
someone sending email out from your server.
It'd been an IT problem.
IT needs to fix the server
because we're sending spam emails.
IT needs to fix the computer because it's getting pop-ups.
The worst I'd seen before that was someone crying
because I saw an inappropriate picture.
And what I did was it suddenly hit home
that this is a real problem
and this guy's going to lose his entire business
and he's close to retirement age
because somebody decided to download a piece of software.
And I didn't at that think, go,
I'm going to go and start companies to solve this.
What I said to the IT team
and what I said to him
and we managed to recover
enough was you need to use application control. You need to block software by default. And he said to
me, okay, well, I'm going to go and do that. And then the IT team told him that Danny's stupid. Don't
listen to him. It's not viable. We can't do that. And I went out to prove him wrong. And I couldn't
prove him wrong, the IT team. And that was really when the first time we said, well, let's try and build
something to prove him wrong. And I kind of went back and forth on this idea quite a bit because it
wasn't an easy lift to build a solution for this. But we had to, it was really, in 2017,
we had a product, we had a concept product, and I still wasn't sure this was the right thing
to do because we knew in order to make zero trust viable. And today, we've got 70,000
companies that use our product from small businesses, right up to some of the biggest companies
in the world, federal government, airports, banks, everything. But back then, I was like,
if I need, I need to make this so it's viable for everyone.
I need to make it so we can deploy application control.
We can block software by default.
We can ring fence applications and make it so you can deploy it in hours and days,
not months and years.
And I wasn't sure that it was going to be viable without me hiring 100.
I ended up hiring hundreds and hundreds of people.
But I think in 2017, my mindset shifted because before 2017,
I was thinking about building a business that 1% of the world would sign up.
to. After 2017, I made the decision we don't want 1% of the world. We want to change the markets
and 90% of the world are using a zero-trust approach. Okay. So you coded it at the beginning.
You built it. Yeah. Yeah. So I coded the first version and there's, you know,
there's four parts of Threat Locker, if you like. There's a service, there's a driver, there's a portal
and there's an API. That's the four original components of Threat Locker.
And I wrote an entire version of it.
And I wasn't so good at the driver stuff.
I caused a lot of blue screens.
So we ended up bringing at the very beginning the whole thing.
And then I got somebody else to come and rewrite my driver code
because frankly, it just wasn't very good.
And since then, that's probably been one of the best decisions we made.
And today, of course, we've got 250 people in our R&D department.
Back then, it was just me writing code and Sammy and John testing and deploying.
Can you tell me about the first network you installed it on?
Well, so I guess we obviously installed it on our own machines.
I think the first network outside of our own that we installed ThreatLocker on was actually my kids' school.
And they had a problem as well.
We were looking after our kids' school IT.
We were getting very actively involved because we couldn't afford private school for our kids at the time.
And we were getting essentially help with scholarships because we were helping them with the IT systems and everything else.
And they were getting malware every single day.
It was like a complete nightmare.
And we pushed it out to them.
Now, it was very difficult and somewhat unstable in many areas
because there was things we didn't even think about.
And we were seeing a lot of noise.
But they went from malware every day to never since.
And still today, they're using the product.
And my kids aren't in the school anymore,
but our chief product officer's kids are actually in the school now,
and their IT management went down from full-time to a couple of hours a month
because these systems became very stable, very easy.
Deny all apps by default seems like a radical idea.
Like to block everything, it seems like it's going to halt productivity.
Radical depends on where you start.
And if you start in a situation where my network is running smoothly
and I'm very happy, you would never approach with that idea.
you'd approach with the idea, we're going to learn what we have,
we're going to review the list and remove the things from the list we don't want.
Whereas if you start with the situation that I've been hit by ransomware,
attackers are in my network.
The alternative is you shut down the entire network,
or the flip side is you allow the network to run,
but you only allow these trusted apps,
and then every time someone wants something,
they request it for the first time, we add it to the list.
And it doesn't seem so extreme now,
the alternative is the whole network shut down
until we've reformatted every single computer
and guaranteed that nothing's bad on it.
So it really depends where you start.
For 90% of customers,
they're starting from a clean slate,
so they'll learn and they'll remove the things from the list
they didn't know about.
For the other side of the customers who are starting from,
hey, we've already been hacked,
it's not extreme to say,
hey, everything's blocked until we've approved it.
And it's also not that difficult
because most people think,
well, what about all the software we don't know about?
But the average user uses, you know, 10, 20, 30 apps on their machine.
And it's Chrome, Zoom, Office, Firefox, and then they have an SAP system or whatever
that may be. So it really doesn't take long. Even when you're dealing with a response,
I mean, you never want to be doing it from a response. But even when you're not in learning
mode and you just say, if you need something, hit request, we'll review it and then we'll approve or
deny it. It's still not the end of the world, because that's a lot better than where you were,
where ransomware is actively running in your environment.
The traditional way we would secure networks was kind of like a castle and moat type of system.
Everyone inside the castle wall was trusted.
They could go anywhere, do anything.
And then you put up this giant gate and moat around the whole thing,
keeping everyone out that you don't want in.
But the problem with this is that if someone does sneak in,
well, now they've got access to everything.
There's nothing to stop them once they're in.
If an employee turns rogue or clicks on a phishing link and gets infected,
that employee's computer can go anywhere and do anything.
So the new way people are securing networks today is called zero trust.
And that simply means to verify everything. No longer is everyone on the inside trusted by default.
They're now given the least amount of privileges to do what they need to do. And tools like
ThreatLocker are great for implementing zero trust, since you can see and lock down any and all
activity in the network very easily and quickly. So in the world of zero trust, you essentially grant
access where access is required. Everyone thinks it means no. It doesn't mean no. It means if you're the
finance director and you need access to all of the financials, we're going to give you access to
the financials because that's your job. If you need to be able to upload those financials to the
internet, we're going to allow you to upload those financials to the internet because that's
part of your job and requirement. So in the world of zero trust, it's not about no. It's about if you need
it for your job, we will grant that permission. In the world of detection and response, you're saying
if I detect an anomaly or something suspicious, I'm going to block and respond to that anomaly or
something suspicious. But if we don't detect something suspicious, we're just going to allow
So in the world of detection and response, everyone can access the financials. In the world of zero trust, only the people that need to.
What is your mission, or what's ThreatLocker's mission, or what are you trying to change in the world?
So it's very simple.
I want to change the way the world thinks about security, from default allow to default deny.
So rather than going into a computer and saying, I'm allowed access to everything until someone's decided it's bad for me to access this, which is how most security works right now on endpoints.
I want to change it.
So I go in and I need to access everything I need to do to my job
and everything else is denied until somebody's decided and granted me that permission.
That's our mission.
As a company, it's been our mission since the beginning.
We attend over a thousand trade shows.
Well, ThreatLocker has attended over a thousand trade shows this year.
We host Zero Trust World.
And the reason we do this is education.
I think I did 120 trips this year and I will do local events.
We'll do Zero Trust World.
I'll go to Black Hat, to RSA, to Gartner events.
And it's about educating people why this is so important.
but also how it's not difficult because people think it's going to take them months and years.
And I've onboarded people in hours.
I mean, ideally we want to do it over a week so we can do a nice learning baseline.
But it's very easy to do.
It's very effective to do.
And so my mission is to make sure people understand why this is so important and then also educating them how it can be done.
Yeah, so educate me, educate us.
So you say deny by default. Could you explain why that's so important, or even pick
another topic and say this is what else is important to me? Okay, so deny by default is so important
because think about this. If we go back, and we've never, as a world, we've never been very good at
stopping viruses. Let's face it, we go back to 2000, 2001, we had the Love Bug virus. It infected
a third of the world's business computers. Now, that virus said, I love you, and emailed your friends
and said, I love you. So it wasn't the end of the world. We had the Blaster virus after that.
All of these times we had antivirus. We were denying by exception. We were allowing by default and
denying by exception. And we weren't very good at doing that. In 2007, 2008, we started seeing
botnets, emails being sent out. Again, people were getting malware all the time. They were sending
these spam emails. They were getting pop-ups. But it was a problem, and it was an IT problem.
Switch to 2014, we start seeing malware that actually encrypts files and takes down businesses.
Malware and software are the same thing. Whether it's, they're literally written in the same
languages work the same way. The only difference is the intent it was created. So every piece
of software you run on your computer, whether it's Angry Birds or Logitech support app or Microsoft
Office or Google Chrome, or a piece of ransomware can see all of the files that the user who runs
it can see. So you don't have to be an admin. If you're a finance director, if you're in sales,
it can see all of your files. So if you were to say, I want to deny software by default and only allow
software that's been approved by the company, what you end up with is a situation where you're
no longer just relying on, is, am I going to detect the latest threat, but you're now saying
I'm going to block everything. It doesn't matter if I detect it, because if the software isn't
approved by the business, it's not allowed to run. And that is so efficient to stop in ransomware,
malware, but also things like TeamViewer remote access tools, which are often used by scammers
to gain initial access to your network. This is great. Keep going. Tell us more about
how to secure a network.
Every, or mostly, most security attacks can be stopped with one of three methods:
the people, detection, and controls.
And the first one is through people.
But the first example I'll give you is phishing.
In the event that someone wants to phish you or someone in your company, they're going to send
an email to you or a text message, whatever it may be.
As a user, you have the power to stop that attack immediately in its tracks by not clicking
on the link, not putting your credentials in.
The attack has gone if you don't do that.
So that's method one.
The people don't make the mistakes.
Don't click on the phishing links.
Don't give somebody access to their machine.
The second method is to detect a threat.
And this is where we look at phishing.
This is where we'll say, is this a known bad website?
Does it exhibit signs that it's a phishing attack?
And again, detection is not a guarantee because the website might just be
spun up. Attackers will switch the website out, use techniques. It's brand new. You don't know
it's a bad website. But it's a method. If you manage to detect it and you can block that
phishing link from being used, the threat is neutralized. The third way is the idea of controls.
And controls are where zero trust really fits in. And this is the most simple way. And this is
where you say, well, I'm going to turn on things like dual-factor authentication. I'm going to turn
on things like IP restrictions so it can only be accessed from one of our known IP addresses.
And when you do this, you basically say that I accept my user might click on the link
and give the attacker my password or their password.
I accept that my email security may not detect the phishing email.
But I won't accept that they can still get into my machine.
So what I'm going to do in addition to this,
and I'm going to restrict which IP addresses can log into my Microsoft Office tenant
to only the IP addresses of my devices.
I'm also going to enforce dual-factor authentication.
So the password by itself isn't allowed.
They're going to have to have the user's physical device.
As an IT or security professional,
controls are the only thing that you actually can control.
You can't control users.
You can train your users, but users are going to make mistakes.
People are going to make mistakes all the time.
You can buy detection, but detection can't tell the intent if it's new or if it's unknown.
But you can control whether if someone puts their passwords in,
will somebody be able to get into your system?
So that's the first example of where that's really important.
The second example is when we think about malware.
I can put an antivirus on a machine and say,
if you download known malware, block this known malware from running.
And Windows Defender comes shipped with every machine,
and sometimes it blocks the malware, sometimes it doesn't.
I can tell my users to never download attachments,
don't open things that you don't know where their source is,
and if the user doesn't do it, the threat is foiled.
But I cannot guarantee either of those two are going to apply.
If I block untrusted software by default,
if one and two fail, three is always going to be successful.
And this is where security has to be.
And if we think, go back to the, even the '80s and the '90s,
we didn't used to have firewalls on our network.
We didn't used to have firewalls on our computers.
Windows didn't have a firewall built in until Windows XP.
And we'd get constant malware and then Microsoft would patch it.
And then we'd get malware again and Microsoft would patch it.
Microsoft released a firewall on the computer.
And suddenly malware from the user dialing up to the internet
or connecting to a broadband connection
vanished, and it became people downloading malware
because they implemented a,
we deny network traffic by default policy.
That's how all security should operate.
Do you have any statistics that you can tell me
that tell me that ThreatLocker is effective?
I mean, when I go to the doctor
and they give me medicine to prevent an illness,
I don't know if it actually prevented the illness
because I can't tell if I got ill
and the medicine fixed it, right?
So if ThreatLocker is here
to prevent ransomware,
how do I know it worked?
So I will tell you.
So I've got 70,000, roughly, companies
that use ThreatLocker,
and I think the best one is my kids' school.
70,000 companies that use ThreatLocker,
from small businesses through MSPs right up to
some of the biggest software companies,
banks, financial companies, hospitals, airports
in the world.
So it really is a mass scale.
Now, a lot of them go through MSPs, so you take an MSP, they have 100 small businesses, they'll manage it.
I have never had a customer with a ransomware case that wasn't ignoring obvious signs.
So, like, we will send a report out saying you have your machines in monitor-only mode.
And the bottom line is, there's no such thing as unhackable.
But if you go out and you install network control and you close ports
and you stop untrusted software
and you stop power shell accessing things.
Nothing's impossible, but it's almost impossible
to get through that.
And if I look at those 70,000 businesses,
I'm tracking about 125 ransomware cases on them,
and every single one of them has been purely because
their machines were not secured.
Or the other one we see is where
they had open ports on their hypervisor,
and so someone got in, they shut down the VMs
and put them in safe mode or something like that.
But if they had followed the policies,
we're going to stop untrusted software,
we're going to close ports and only allow them to trusted devices.
I have never seen a case where somebody gained access to a machine.
ThreatLocker is hiring, but beware.
They'll tell you in the interview that it's the hardest job you'll ever have.
Yeah, I mean, every person that we hire,
we make sure that they're aware this is going to be one of the hardest jobs they've ever had.
Because, look, I try and always say to our, you know,
I make sure everyone in the company knows,
we are not supporting a software product.
We are supporting a hospital, an airport, a government agency, a local business, when someone
calls in and they're having a problem.
And the thing is about what we're doing is we often, I would say 70 to 80 percent of
our support tickets have nothing to do with us.
And the reason people call us first is because if you say, well, I've got an EDR and I've got a zero
trust endpoint security product and suddenly one piece of my, say, dental software is not working,
it's very, very easy for you to say,
well, assume it's to do with zero trust.
Always.
Like, I've spent literally four hours
proving and diagnosing and working with competitive rivals
in the EDR space to say,
look, you have a problem here with your software.
We'll uninstall ThreatLocker,
we'll show them the issue is still happening,
and then we'll actually go in with the vendor
and say, you've got a problem with your software here.
And because I think it's easy to assume
that zero trust is the problem, but most of the time it isn't,
but you've got this culture change which you're trying to change.
So people have to know it's hard.
But I think it's also incredibly rewarding.
I think what we do is there's nothing better than a feeling
that we just stop the major ransomware attack.
My door never gets closed.
My phone is never turned off.
And I always say to anyone, if you can't fix the customer issue
and you can't get someone else to help you,
go over to the development department, go over to your peers.
But also at the end of the day,
if it's 2 a.m. in the morning and it's not working,
come and call me.
Call me, call Sammy, who's our other co-founder
and call and say, hey, I've got a customer on the phone
and they're saying that something's wrong
and something's getting blocked and it shouldn't be
and they don't understand it.
I don't understand why and I can't find anyone else.
It's like, well, let's see what's wrong.
Because I think it's important for everyone to know
that we're willing to take a phone call at 2am in the morning
if it solves the customer issue.
And how many phone calls do you get a month?
during your sleep?
Probably six or seven.
Jeez.
I hope you get paid overtime for that.
Yeah, no.
But I think it's, you know, we have a 24-hour,
I mean, we have customers in Australia,
where we have offices in Australia in Dubai, in Dublin.
We have staff in 11 different countries.
We have customers all over the world.
And I just, I think it's more important.
that we solve the issue for the customer.
And that that's the bottom line.
Thank you so much to our guests, and especially Danny Jenkins from ThreatLocker.
To learn more about them or to get a free trial, visit Threatlocker.com.
This show is made by me, the real Slim Shady, Jack Rhysider,
mixing by Proximity Sound, and our theme music is by the mysterious Breakmaster Cylinder. I got tired of forgetting my
password, so I just changed it to the word "incorrect," and whenever I go and I type in the wrong one,
the website always says "your password is incorrect," and I'm like, oh yeah, thanks for the reminder.
This is Darknet Diaries.
