Ready.Set.Midmarket! Podcast: Trust Your Gut During Cyberattacks
Branko Mitkovski is a 27-year veteran of the midmarket as a vice president of IT. Mitkovski talks firsthand about navigating his organization through a potentially devastating cyber incident and how no matter how sophisticated your security defenses may be, don’t be afraid to “trust your gut” when making security-related decisions.
In this episode of Ready.Set.Midmarket! co-hosts Adam Dennison and Samara Lynn speak with Mitkovski on the importance of trusting your instincts when it comes to security alerts, the negotiation process with threat actors and the need for midmarket companies to bolster their cybersecurity measures.
The full episode can be watched on YouTube and heard on Spotify and Apple Podcasts.
Previous RSM! episodes are here.
https://player.simplecast.com/935031a8-2f3a-430d-b803-35d0121bd219
Transcript:
Adam Dennison
Hello and welcome everyone to another episode of Ready. Set. Midmarket! the podcast for all things midmarket business and IT. I'm joined as usual by my co-host, Samara Lynn. She's the senior editor of MES Computing.
Samara Lynn
Hello
Adam Dennison
Hello, and we also have a very important guest today, Branko Mitkovski. He's the owner of Bit Networking and he's also a 27-year veteran of the midmarket, in the midmarket, as a VP of IT. Welcome, Branko.
Branko Mitkovski
Thank you.
Adam Dennison
So let's get this started, folks. It's not very often that we get to speak with a former VP of IT that was involved in a cyber incident. And Branko is willing to talk to us about that. This happened recently in the spring of March of 25. And Branko, I'm just going to go ahead and turn it over to you. And if you can kind of walk us through.
Give us a picture of the organization you're in, what the size and scope of that organization looked like, what the preparedness looked like heading into it, and then kind of walk us through what happened. And Samara and I will ask you a few questions in terms of how you were able to respond to it, how your executive teams reacted, how your vendors responded to it, and things of that nature.
Branko Mitkovski
Sure. I came from an organization that was about 350 users across 10 offices. And I would guess about 30 to 40% were just fully remote. And it was a great organization, still is. For the preparedness, we had gotten hit about eight or nine years ago. We were able to get out of that one very easily. So we were prepared for that because then we were using things like Malwarebytes. There wasn't a lot of budget. And after that, you know, I would assume typically in most organizations our size, once you get hit, the checkbook's wide open for whatever it takes not to get hit. We were using CrowdStrike and two other tools, which I won't disclose just for their, you know, for their security purposes.
One was monitoring the network ... the whole, our whole Azure infrastructure. So we'd been ready for years to hopefully not get hit. And what happened was in March, we got an alert that an end user machine was running some commands. I sent it over to my SOC and I was like, 'Hey, is this okay? Can you check it, this, that, and the other?' The SOC checked it; they said that they had cleared the machine, said it was fine. The issue was they were running Linux commands on a Windows machine and it was just an end user, not an IT person. Later, after the dust had settled, my senior analyst said, 'Yeah, we think that that was actually the beginning of the hack.' And what happened was they used those commands to get into a server that was on the network, but under a workstation, not on the domain. It had not been built out yet.
And they crawled the network for about two weeks. And about two weeks later, I got an alert about a Kerberos ticket being copied. And I sent it to my SOC and the SOC had told me that it was a false positive, not a big deal, but that was them replicating AD. For me, the biggest thing is, we see these alerts, because we all get alert fatigue.
Branko Mitkovski
And we get these alerts and when those come out, it's not alert fatigue. It's, hey, this looks like something to me. So I would tell anyone that's in the shoes I was in, whatever you do, gut instinct, trust it. Because it doesn't take anything to lock a user's machine, brick it, change your password, replace it, whatever. That is pennies to the dollar what it takes.
But we got hacked by one of the bigger groups. Luckily, the first time it happened a number of years ago, we got cyber insurance. And our carrier was really good. We called them. We told them what happened. They set us up with two different teams. One team was going to negotiate with the hackers, or the threat actors, as they call them. And the other team was a remediation team. I could not speak more highly of my remediation team.
Branko Mitkovski
The other team that was negotiating, they have a lot of interaction ... [the] remediation team were on it right away. That same day, we found that we had crawled the network with some of their tools. We found this machine. I was like, 'That's a new file server. It's not on the domain yet.' As soon as I jumped on it, we ran a few commands and he's like, they have an RDP session open and are probably watching what you're doing. At the firewall level, we were able to block traffic in and out there. And then we started full remediation, which was changing the Kerberos ticket every single day for two weeks straight. You'll need to do three of them, but we did it every day just as a precaution. We also had people change passwords. Within two weeks, I think everyone had to change their password five or six times. And we went from a nine-character minimum password length to 12.
Adam Dennison
Yep.
Branko Mitkovski
And it had always been a complex password. And you can't reuse the last dozen, I believe.
Adam Dennison
How did that go over with the employee base?
Branko Mitkovski
Most of them were fairly annoyed, now, understandably so. Mine, I had changed twice a day for two weeks, and it was bad because I was at home and I ended up writing a ... I had a post-it note on my desk. You know, the thing you shouldn't do, but when you're changing it twice a day, you're like, which iteration of which password am I trying to use today? And I can't lock myself out of the network. So, you know, they're fairly annoyed. I just did it last week.
Adam Dennison
Yeah.
Branko Mitkovski
I understand we're trying to protect the network. At the end of the day, they were fairly understanding what we're trying to do. Eventually, what ended up happening was they had gotten, when they were on that machine, they had gotten my credentials and they were using my credentials and actually RDP'd into my machine. And I made one mistake that I never thought about as being a mistake. I named my laptop 'Branko' with some of the specs of the machine.
Alright, so I would tell people in the future, I'll never do that again. Don't name your machine anything close to your name. Use generic names like everybody else. But they were on my machine running Linux commands, trying to. We had two sets of backups and one set was encrypted. The other set was just backing up virtual machines. They had actually deleted my Azure blob storage of the backups of all my virtual machines right before they started encrypting the hosts. They were able to encrypt two of the three hosts, but they weren't able to encrypt most of the VMs. They encrypted about half, which is about 30. Luckily, of the 30, I would guess 15 were old historical data or things that were coming to a close. They were being sunset. So it wasn't life or death that we got them. A few were. So.
We ended up paying because it was within our budget. We ended up doing what we had to do to get those machines back up and running. I won't disclose their number, but we ended up paying a small amount. But it was all covered by the insurance. So today, everything's back up and running. It's all in hindsight. I was fortunate I had three new hosts for my virtual environment. So we were able to just spin those up, get them up to the latest and greatest and patched.
And the rest is really history for us. It was the longest two months of my life, I think.
Adam Dennison
Yeah. Can you bring us back to the cyber insurance team? And I'm not an IT leader, right? I know enough to be dangerous. But can you bring us back to the cyber insurance team? How quickly did the remediation team get going for you? And then the second question I have is on the negotiation team, you said you weren't that involved in that piece of it. Was that held pretty much with legal and the CFO and the CEO? What did that look like?
Branko Mitkovski
It was all with legal mostly. I worked with legal and I was on the email string, but it was really up to him talking to the board and deciding on, you know, numbers. And it was an orchestrated attack. I know someone that worked in our office, and her husband, the company he works for works with another company in the same field we're in. They got hit the same day we did.
Adam Dennison
Yeah. Okay.
Branko Mitkovski
So, we knew of two companies that had gotten hit at the exact same time. So, it was an orchestrated attack. But the remediation team was within hours. I was told this is my contact. Here's his email. We started up a chat string. We just created Google accounts so that nothing was on the domain. That way we, in case there were still remnants of something, couldn't track it or read it or anything. So, everything was done via text or Google account.
And we just did a Google chat and we just went from there. It was a great experience as far as the remediation team. They were on it. They had people. I had one contact, and he had specialty people in the background. He was very knowledgeable. It wasn't until like five or six days in that he's like, 'I've exhausted my resources on what I know how to do here. Let me ask so-and-so.'
And even then, when he did that, most people were on the line and in the chat within a few hours. You know, we had some replication issues.
Adam Dennison
And is this the first team that you had? Is this the first cyber insurance company that you'd worked with? Okay.
Branko Mitkovski
Yeah, the first time we didn't have it. We ended up finding a decrypter the first time, a number of years ago. And then it was just that we would decrypt it, and it would re-encrypt. So at that point it was decrypted, and then Cylance was king of the castle. So, we went with Cylance, and as soon as we decrypted and saw Cylance it killed the ransomware attacker, and we were just able to clean up. I put that on everything, and we just sailed forward without thinking twice about it for another almost 10 years.
Adam Dennison
So, when you said, the first thing that really tipped you was not the alerts, because you got alert fatigue ... When there's Linux running on Microsoft, is that what really tipped you? And what would you have done differently today? Just keep pressing that button?
Branko Mitkovski
It was Linux running on Microsoft, because I know the user, being there over two dozen years. I just know the user and I couldn't ... I was like, he doesn't know how to do that.
Samara Lynn
Yeah, Branko, just really quick. So the SOC that initially flagged the alert as a false positive, now is that the same group that helped you with ... the negotiation?
Branko Mitkovski
It is not, but it is the same group that got us through the first ransomware attack.
Samara Lynn
Okay, so you employed a SOC and another entity to help you with this attack.
Branko Mitkovski
Yeah, well, our SOC was after the first ransomware. We found out that the cost of a SOC was less than me finding a senior analyst, a cyber expert. And I had a team that was 24/7, right? I had a senior analyst. I had, you know, junior analysts at night when there's a lot less traffic and all that, but they cost me less than six figures. And, you know, when you hire someone,
And I'm not deterring people from hiring. We were of the size that we couldn't afford someone that would be there 24-7. At some point, the person needs a vacation, is sick, time off, sleeps. When you have a SOC, there's someone that's always on. They had two analysts running all night.
Samara Lynn
So the analysts were part of the SOC?
Branko Mitkovski
Yeah, the analysts are all part of the SOC. And then when we called our insurance company, they gave us a remediation company that worked with it. And we worked with the SOC because they had our CrowdStrike and everything. So they were able to give the remediation company full access to that. And they were able to work hand in hand to figure out where it started and how.
Samara Lynn
So there were really three components that really helped you get out of this attack. And that was having internal alerts, the SOC, and the cyber to help you with the negotiations. Yeah.
Branko Mitkovski
Yep. Yep.
Branko Mitkovski
Correct.
Yeah, like I said, I mean, if you're in our ... the reality is nowadays, it's not if I get hit, it's when, right? You know, when you have companies, the, you know, Fortune 10 and 50 companies getting hit, you don't necessarily hear about it. I mean, Equifax got hit earlier this year or last year, right? You have companies like that that get hit. Midmarket companies don't really stand much of a chance. You don't have the pockets deep enough and it's just part of the life now, unfortunately.
Samara Lynn
What was the timeframe, would you say, from the first alert to when you were fully operational again?
Branko Mitkovski
The first alert about the Linux command came, and two weeks after, that's when we got hit. From the day we got hit till we were 100% operational with everything back online, about five to six weeks.
Samara Lynn
Wow, okay.
Branko Mitkovski
Now that being said, we had a lot that was already functional. Our file servers were not hit. Our ERP was not hit. Our Azure infrastructure wasn't hit. And one of the reasons was we had a one-way replication from on-prem Active Directory to Entra. They kept trying to change passwords at the Entra level, but it wouldn't replicate back, so it wouldn't let them do it. So it was about five weeks, and that was just minimal. It was our historic SharePoint site that a few people use and a few other servers. We had a homegrown app that we were kind of delving away from, but we needed some historical data from that. It wasn't life or death, it just makes life easier. So it was, I would say, about 15% of our working environment that we would have loved to have up and running was down during that time.
Samara Lynn
Wow, you know, and I just got one more question, Adam. I'll shift back to you. And Adam, I'd like to know your thoughts on this too. You know, I always think to myself, when I hear about these types of attacks, you know, you do your negotiation and they offer to decrypt, you, you pay them. What happens if you pay an attacker? They'll say, okay, once you pay us this amount, we're gonna decrypt. And they don't, they just don't do it. Like, how do you get a guarantee that they were gonna decrypt after they were paid? Like, what's the...
Branko Mitkovski
That was actually a concern we had. But we were told by the negotiating company that the threat actor was using, it was a well-known threat actor, their name escapes me today. But they're a well-known threat actor and actually, the way they make a lot of money is they do it as software as a service. They're not necessarily doing it. They're saying Adam calls out and he's like, 'Hey, I want to hack,' and they say, 'You can use the tools, we get X percentage.'
Samara Lynn
Right.
Adam Dennison
Wow.
Branko Mitkovski
So, we were told that they do it software as a service and if Adam doesn't keep his word when he gets paid to leave us alone, then they will go after anything Adam ever does.
Samara Lynn
It's like a ... well-oiled business. Wow.
Branko Mitkovski
100%. They said a lot of the threat actors are not the main people that have written it and done it initially. They're just farming out their software now.
Adam Dennison
They're the intermediary, they're like the bully in the school that says you can kick on this person but only for this long. That's crazy.
Branko Mitkovski
Yeah, they're like, if you get paid, you're going to honor your work and you will leave them alone.
Adam Dennison
My gosh.
Branko Mitkovski
One of the concerns we had was A, if we pay, will they leave us alone? And B, if we pay, will that put a target on our back by other threat actors on, well, this company is going to pay, so let's go hit them. And they said most of the time, as much as they're deceitful because they're doing what they're doing, they told us most of the time, once they get paid, they leave you alone, forget about it, and it's put to bed.
Adam Dennison
Yeah.
Adam Dennison
There's plenty of companies out there for them to target I assume.
Branko Mitkovski
Yeah, I mean, the billions, right?
Adam Dennison
Yeah, absolutely. Wow. Yeah, I've learned a lot in just the short 15 minutes here. So Branko, what would you say, you know, trust your instincts is one thing, but we're serving midmarket, we're serving your peers, right? So what are some pieces of advice you'd have, maybe even in further preparedness, or what if somebody doesn't have cyber insurance right now? What is your statement to that? I mean, that was a big topic at MES events just two, three, two, maybe three years ago. And a lot of folks in the room didn't have it, didn't think they needed it or it wasn't in the budget, couldn't afford it.
So what's your, and you were a pretty good size mid-market organization, so what is your recommendation around that? Or someone's saying, I'm just gonna keep waiting and then they don't have that safety net there.
Branko Mitkovski
If you have the right tools in place, we had tools that were monitoring the network, we had tools that were monitoring each machine, we had three cyber tools in place at all times on every machine. If you have those tools in place and you have your alerts set up properly, I think that while people say that it's expensive, it's less than the cost of a mid-level employee annually.
It's worth its weight in gold. You know, I mean, when I was working with the remediation team, the first thing they did was create six jump boxes in my new virtual environment. So six people could be on there at one time, just chugging along. And I was like, man, that's the size of my whole team. And I just doubled my team for however long this interaction is. So I would say that it's an invaluable tool to have.
And especially if you do things right, right? If you have conditional access set up for logging in through anything, we happen to be an Azure shop. But if you do conditional access to log in, if you have the tools in place, the cost of the cyber insurance is not as much as people would think. You just have to find the right carrier and get the right scope for it. They target you based on how much you make and how much they think you can afford. They asked for initially 3% of what our gross revenue was.
Branko Mitkovski
Which isn't, I mean, it's not like they were asking for whatever our gross revenue was. I'm sure if they hit a Fortune 50 company that number skyrockets compared to mine, right? But they asked for 3% and they ended up settling for about half a percent.
Adam Dennison
Sure.
Samara Lynn
How do you even know that? I mean, a lot of midmarket companies are private organizations. Their financials aren't out like a public company. How do they even find this information out?
Branko Mitkovski
I was told that one of the ways they look at it is they will, when they're getting in your network, that's what they do. They will scour, let's look at the finance drive. And they'll see what numbers you have and they'll decide what they think you can afford. And they realize that no one's ever gonna pay the first number. So they inflate that number just so that you can talk them down to the number they're happy.
Samara Lynn
Got it.
Adam Dennison
Yeah, that's negotiation tactics. It's like buying a house. Yeah. I mean, you say, you know, you say 3%, it doesn't sound like a lot, but that could be an organization's raises for the next year. I mean, that's a significant amount of money. Yeah.
Branko Mitkovski
Yep, negotiation 101, right?
Branko Mitkovski
100% is right, you know, if it's a hundred-million-dollar company, three percent, three million. That's more than raises, probably. But it's not like, you know, in our case I said it was three percent, you know, it's not like it's a, 'Hey, you guys make a hundred million and we're asking for 50.' Because they know they'll never get any of it. They're trying to get paid. Yeah, they're trying to get paid, so they'll do it.
Adam Dennison
Yeah, absolutely.
Adam Dennison
Right, right.
You even do that, you'd be out of business. Absolutely. Yeah.
Branko Mitkovski
They'll give you a number that they think is legit and that'll work for them and that you can swallow and negotiate now.
Adam Dennison
And off they go and hit someone else a couple weeks later, I assume.
Branko Mitkovski
Weeks or days. The remediation company told me, he's like, it's funny because during summer vacation nothing happens, he's like, 'cause they want to take vacations too. He's like, they're gonna hit you on holidays. He's like, you're gonna get hit on Thanksgiving. You're gonna possibly get hit New Year's, Christmas, 4th of July in the United States, you know, any of the major holidays. He said that's when they hit.
Because most people are not paying attention because they're off with their families enjoying life.
Samara Lynn
Wow.
Adam Dennison
So my final question is, was the organization you were with able to take some positives out of this and make some changes going forward? Or you said there were some homegrown systems and things that weren't being used that much. Were they able to say, okay, let's take a whole look at what our environment looks like and shut all these things down because we don't need these anymore and kind of do even a mini reset moving forward?
Branko Mitkovski
We absolutely were able to shut down a lot of servers. Anything old and historic that was just not needed. I didn't delete them, I just shut them off so you can't touch them. Then we hardened our Azure infrastructure heavily. We had some conditional access, but we went very heavy on conditional access. We have some people who travel internationally. We did international travel policies that you'd have to put in effect the day they leave and you could take them off the day they came back. But those policies also didn't allow them, you know, if you were going to whatever, England. If you went to England during that time, you couldn't log into your machine in the United States. It was one or the other. So it was, there was a very fine line you had to dance with.
Travel and people being on planes trying to use the Wi-Fi because they could not get their Microsoft products. But yeah, we built some more firewall rules. We built some more, a lot of Azure hardening, put a better firewall in Azure instead of just the basic one. And everything was just, it was a lot more complex, but it was a lot better.
Adam Dennison
Did it end up costing a significant amount of investment that [you] might not have?
Branko Mitkovski
I would say it was still under 120,000.
And a lot of that was the consulting fees of paying someone to do it. 'Cause we were, I had a team of six total, including myself, and most of them were end user support, and I had a developer. So it was just me doing it, and one person can only do so much at a time. It was just, let's get this fixed ASAP and move forward.
Adam Dennison
That's the long two months you went through, I guess. Yeah. Understood. I can't thank you enough, Branko, for being open and discussing this story with us. Just so the audience knows, we ran into each other at an MES lunch a few weeks ago. And he said, hey, I'd like to tell this story here and go on the podcast. And I said, let's do it. Let's hear it directly from an IT leader.
Branko Mitkovski
Yeah.
Adam Dennison
Someone that's just been through it. So I really appreciate that. What's next for you, Branko, in terms of what you're looking to do from a career standpoint right now?
Branko Mitkovski
I enjoy IT leadership. I'm currently on the market. I'm looking for the right opportunity for myself. I've taken a few weeks off just so I can spend a little time. I have a five-year-old, so I spent a little time with the family, enjoyed the rest of the summer. But now he's back in school, so back on the market I go.
Adam Dennison
Now you're itching to get back in it.
Branko Mitkovski
Yeah, you start to miss it, and let's be real with IT. You know, the longer you're out of it, the more you miss, right? The more you miss it as far as learning and keeping up on things. Things just take a while.
Adam Dennison
I also think from a marketability standpoint, you can come in and say, I've been through it recently, and these are the steps we've taken. These are the lessons learned, and this is what I think needs to happen in here to further harden this organization before we move forward. I think that's a big positive.
Branko Mitkovski
I couldn't agree more. My old chairman was a, he's a wonderful man. And one of the things that I had asked him about was doing this podcast before I left, and he's like, yeah, he goes, you know, we talked about not revealing too much information about the organization, but he said, if we can help some, any other company avoid what we had to deal with, I'm all for it. You know, he's published a few magazines for the industry and he spoke of it in those, you know, not much. I was probably more in depth because I was in the trenches. But he spoke about what happened, some of the things we tried to do. We were always a company of, if someone can learn from our mistake, then that's great. Let's not let someone else struggle the way we did, especially when it's not a competitor, when it's a threat actor.
Adam Dennison
Yeah, absolutely. Absolutely. Well, I think that's true also. If you think about it, I've been with MES just over five years. There's a lot of companies in the midmarket, but they need to kind of stick together because they're all dealing with similar situations as far as resources and budget and things of that nature. And to your point, yeah, now it's definitely hitting midmarket firms. It's not just your Fortune ones that you're seeing making The Wall Street Journal headlines. So you guys kind of have to learn from each other and share information to stay ahead of things.
Branko Mitkovski
I mean, yes, April was my first one. And that's one of the things I loved about it is just, you know, everyone in companies of similar sizes just talking about the things they go through and deal with. And in the boardroom I was in, one other person had told me they had just gotten hit within the last year as well. Right. But it's not something most people want to talk about because it's a negative, it's a negative stain on your reputation.
Adam Dennison
It's a reality today. It's not, yeah, it's you're one if you haven't been hit.
Branko Mitkovski
It is.
Samara Lynn
Right. What I was going to say was the more companies are protected, the more of the supply chain stays intact because, you know, another midmarket company could be your partner. You could be sharing software, you know, and data. So, yeah.
Branko Mitkovski
Yeah, correct.
Branko Mitkovski
100%
Adam Dennison
Well, like I said, Branko, thank you so much for taking the time with Samara and I and Ready. Set. Midmarket! and to share your story. We certainly appreciate it. If there's anything we can do to help you moving forward, let us know, and we'd love to have you back at an MES event very, very soon.
Branko Mitkovski
Awesome, thank you guys for your time and letting me share my experience. All right.
Adam Dennison
Thanks a lot.