When it comes to cybersecurity, most people think about firewalls, passwords, and antivirus software. But what about the attackers themselves? Understanding how they operate is just as important as having the right defenses in place. That’s where Paul Reid comes in. As the Vice President of Adversary Research at AttackIQ, Paul and his team work to stay one step ahead of cybercriminals by thinking like them and identifying vulnerabilities before they can be exploited.
In this episode, we dive into the world of cyber threats, ransomware, and the business of hacking. Paul shares insights from his 25+ years in cybersecurity, including his experience tracking nation-state attackers, analyzing ransomware-as-a-service, and why cybercrime has become such a highly organized industry. We also talk about what businesses and individuals can do to protect themselves, from understanding threat intelligence to why testing your backups might save you from disaster. Whether you're in cybersecurity or just trying to keep your data safe, this conversation is packed with insights you won’t want to miss.
“Our team's motto is 'think bad, do good.' We want to think like a bad guy and help do good things for our customers.” - Paul Reid
Show Notes:
- [00:58] Paul is the VP of Adversary Research at AttackIQ.
- [01:30] His team wants to help their customers be more secure.
- [01:52] Paul has been in cybersecurity for 25 years. He began working in Novell Networks and then moved to directory services with Novell and Microsoft, Active Directory, LDAP, and more.
- [02:32] He also helped design classification systems and then worked for a startup. He also ran a worldwide threat hunting team. Paul has an extensive background in networks and cybersecurity.
- [03:49] Paul was drawn to AttackIQ because they do breach attack simulation.
- [04:22] His original goal was actually to be a banker. Then he went back to his original passion, computer science.
- [06:05] We learn Paul's story of being a victim of ransomware or a scam. A company he was working for almost fell for a money transfer scam.
- [09:12] If something seems off, definitely question it.
- [10:17] Ransomware is an economically driven cybercrime. Attackers try to get in through social engineering, brute force attack, password spraying, or whatever means possible.
- [11:13] Once they get in, they find whatever is of value and encrypt it or do something else to extort money from you.
- [12:14] Ransomware as a service (RaaS) has brought ransomware to the masses.
- [13:49] We discuss some ethics in these criminal organizations. Honest thieves?
- [16:24] Threats look a lot more real when you see that they have your information.
- [17:12] Paul shares a phishing scam story with just enough information to make the potential victim click on it.
- [18:01] There was a takedown of LockBit in 2020, but they had a resurgence. It's a decentralized ransomware as a service model that allows affiliates to keep on earning, even if the main ones go down.
- [20:14] Many of the affiliates are smash and grab, the nation states are a little more patient.
- [21:11] Attackers are branching out into other areas and increasing their attack surface, targeting Linux and macOS.
- [22:17] The resiliency of the ransomware as a service setup and how they've distributed the risk across multiple affiliates.
- [23:42] There's an ever-growing attack surface and things are getting bigger.
- [25:06] AttackIQ is able to run emulations in a production environment.
- [26:20] Having the ability to continuously test and find new areas really makes networks more cyber resilient.
- [29:55] We talk about whether to pay ransoms and how to navigate these situations.
- [31:05] The best solution is to do due diligence, updates, patches, and separate backups from the system.
- [35:19] Dealing with ransomware is a no win situation. Everyone is different.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Paul Reid – Vice President, Adversary Research AttackIQ
- Paul Reid on LinkedIn
- AttackIQ Academy
- Understanding Ransomware Threat Actors: LockBit
Transcript:
Paul, thank you so much for coming on the podcast today.
Thanks, Chris. Great to be here.
I’m glad to have you here. Can you give myself and the audience a little bit of background about who you are and what you do?
The name is Paul Reid. I’m the VP of Adversary Research at AttackIQ. I get the pleasure of working with our adversary research team, looking at the ongoing emerging cyber threats taking place in our countries and in our nations. I work directly with our clients and with our researchers to identify the ongoing emerging cyber threats that people care about.
We really want to help our customers, and in general, the marketplace, be more secure. We all know it’s only a matter of time before you’re attacked or breached, but what you do when it takes place, that’s really important. We can help customers understand how well their compensating controls work, when a breach may be taking place or is taking place, and know that if something does happen, they’re protected. That’s really, really important to them and also to us as well.
My background in cybersecurity really spans the past 25 years. I started out early on working in Novell networks, setting up Novell Directory Services, and moved into general directory services with Novell, Microsoft, Active Directory, LDAP directories. I spent a lot of time there in the authentication and authorization world.
I moved into smart cards. I got a really cool opportunity to write some PKCS #11 libraries early on, which was a lot of fun. I got to grow up during the PKI growth days, the whole move from symmetrical to asymmetrical and public key encryption. Those were exciting times.
From there, I moved into a little bit stronger aspects of cybersecurity, really looking at strong ways to authenticate, the something-you-are, something-you-know, or something-you-have world. That was a lot of fun. I spent some time there.
I actually moved into a job where I was helping to design classification systems and classifying information, classifying documents, to understand the value of what you have because you can’t protect what you don’t know. You have good value there and understand what you have.
From there, I was very fortunate to move into a startup that was focused on user and entity behavior analytics. I learned a lot about data science, big data, and did some programming in R.
From there, I actually got the opportunity to run a worldwide threat-hunting team where we actively hunted and tracked nation state actors across the world for several years and got to do daily hand-to-hand combat with some of those guys. That was really interesting. If you really want to learn what’s happening in the world, become a threat hunter. You’ll really see another side of cybersecurity.
What really brought me to AttackIQ was my time doing threat hunting. There are so many times we would be threat hunting and my team and I would stop and go, “If they only had…if they’d only done this. If they’d only done that.” The opportunity at AttackIQ to do that breach attack simulation and being able to answer questions, “Have you had and will you do the things you need to do to be secure?” That’s really what drew me to AttackIQ.
At the end of the day, our team’s motto is, “Think bad, do good.” We want to think like a bad guy and help do good things for our customers.
I like that. In going into this career, was this always where you wanted to be, has this been the normal evolution, or did you go kicking and screaming into this?
Going into university and leaving university, my goal is to be a banker. My degree is in economics. It was only through an economic downturn where the bank I was going to work for got rid of my position, that I really went back to my first passion, which was computers and computer science. I got hired into a number of companies early on, working with them, and really my degree in economics combined with business acumen has taken me really far in my career.
I think that’s something very unique that more of us need that understanding of business because as we’re going to talk about today with ransomware, that’s a business-driven decision. If you understand businesses, especially in today’s world, cybersecurity is really important.
So it really happened organically. It led from one thing to another. I’ve been very fortunate to have a lot of great world experiences, being able to grow up in our industry, and see it mature and evolve to what it is today.
I love that. I totally agree that whatever your skill set is, you also need to have some understanding of how business works, because that drives the decisions that your team needs to make or that your team needs to respond to, whether you’re in the cyber security department, you’re in the legal department. Even if you’re in customer service, knowing why the company is doing what it does really helps you do your job better.
We see a lot of the cyber threats today are driven economically. It’s about ransomware. It’s about generating revenue. It’s not necessarily about standing up for a particular thing or the hacktivism stuff that started out to be. Really, now it’s a big business. You look at ransomware as a service and things like that, and hundreds of millions and potentially billions of dollars in losses being generated from it. This truly is a business activity.
Before we go and do a deep dive on ransomware, because you’re in cybersecurity, I want to ask you the question that I ask such guests: Have you ever been a victim of a cybersecurity incident, fraud, or a scam?
I got a couple of interesting stories there. One company I was at—it was back in the early days where people were just figuring out a lot of the attacks using email, faking emails, fraudulent emails and things like that—our director of finance received an email supposedly from our CEO saying to transfer a large sum of money, like $20,000, to a particular supplier.
At the time, our company was growing. We were doing a lot of trade shows. There are a lot of weird names coming through the payouts of all the different places we’re going to. It only happened to be from a hallway conversation that we bumped into each other. Other people were there that they mentioned, “Hey, I’ve got to transfer this money for our CEO. He needs it done quickly because we’re trying to get our booth space or whatever it was.” We all just said, “Well, that seems really strange. I haven’t heard about that. Have you heard about that?” “No, I haven’t heard about that.”
We went back and looked at the email. We come to find out that one of the letters had been replaced with a Cyrillic character. It’s one of those, so easy. It could happen to anybody. You’ve probably seen those ones online where someone pushes something on and goes, “Tell me what’s wrong with this message,” or, “Tell me what’s wrong with this email.” A lot of time it comes down to that O, that I, or that E isn’t quite right. It’s just so easy just in human nature just to read past it. That one was really interesting.
I think one of my favorite stories is actually an application of cybersecurity in the real world. About five years ago, my daughter was on a study abroad program in London. She called us one night and said, there is a pop-up for Fall Out Boy being stood up and Pete Wentz was going to be there. She was going early in the morning, like 1:00 AM, to go stand in line to make sure she got in there, one of the first 100 people who were getting in.
When she got there, there were four or five people already in line and struck up a conversation with them. I come to find out some of the people who were there ahead of her and said, last time they had one of these, there’s a huge lineup, and then just a huge crush of people at the end pushed their way to the front, and all the people have been there all night didn’t get a chance to get in.
My daughter, God bless her, she’s so smart, she thought of the idea of blockchain, actually. What she did was they each signed each other’s hand with a number. They created a chain of custody of people in line.
What happened, just like they said, when the doors opened, this crush of people showed up and they went up to the people in front and went, “Look at our hands. We signed each other’s hands to know what order we arrived in.” Sure enough, they honored that. They all got in in the way they were supposed to. That was a great one.
I like the story about the CEO’s email in that the people, the company felt comfortable enough to talk about something just seems just the slightest bit off, that there was that environment where people were allowed to question. There are companies out there who are like, “You don’t question anything. You don’t ask questions because that’s bad. We’re the bosses; we tell you what to do.”
I think being in a small cybersecurity startup, we all had that cybersecurity mindset because everyone was involved in the day-to-day operations of the company. Even the people in finance, they knew what we were doing from a cybersecurity standpoint. They were aware of the type of threats we were facing. I think one of the things we need to talk more about is that it’s OK to ask for help. It’s okay to admit you don’t know.
I’ve been in this industry now for 25-plus years. I’ll often turn to my team and I’ll send them stuff and go, “Does this make sense? Am I talking crazy?” And you know what? We’ve got to do more of that because that’s how we’re going to learn and grow. If we’re afraid to make mistakes, then we won’t get the innovation we need. I think it’s really important to be open and honest when it comes to cybersecurity and ask for help.
Fear will definitely stunt a company’s growth.
Sure will.
Let’s do a deep dive into ransomware. Everybody has probably heard about ransomware, but let’s do a little bit of primer. What is ransomware?
Ransomware is an economically driven cybercrime, basically. Somebody wants to take something from you and hold it for ransom. In the old days, it was, “I’ll steal your painting. I’ll take your children. I’ll steal money from a bank or a unique piece of information that you need.” With the advent of the connected world, it becomes so much easier now to do those types of attacks.
A ransomware attack, the attackers want to get in through whatever method they can, whether that be social engineering, brute force attack, password spraying or whatever it is. Once they’re in, they want to identify the things of highest value to you. Once they identify those items of highest value, they’re going to take control of them and potentially encrypt them in place, exfiltrate them, and so on, possibly do extortion-based ransomware as well.
It’s a growing trend. We’re seeing it more and more. The reason why is because it pays. If you think about the old adage of mass marketing. If you have a thousand things you mail out and you get a 1% response rate, you’re highly successful. They launch thousands of attacks and 5% or 10% payout, that adds up really quick.
What is the difference between the concept of ransomware and Ransomware as a Service?
What we saw as an evolution from the standalone use ransomware thing, where these larger organizations like LockBit and others have realized that by building out an affiliate network, they can get more done. We’re human. We only do so much in a day. It’s really interesting. When you do some of the analysis on the ransomware attacks, the activity, a lot of them appear just to be a 9-5 job. They show up to work, they clock in, they do their thing, they go home.
I think by creating Ransomware as a Service and building out that affiliate network really brought ransomware to the masses. It’s so easy now to pay some money, point and click, deploy, and you’re now a Ransomware as a Service affiliate and going after different organizations.
If I’m a group like Lockbit and I can go after X number of companies a year, but if I’m an affiliate, we can go after 20 or 30 times that. If I’m taking a small percentage of those, I’m still making more money than I did before. Again, as we talked about before, economics is a business all onto itself.
Is it a little bit of that they’re trying to, in a sense, keep their hands clean? “We weren’t the ones who did the infiltration; they just used our software. That’s not our fault”?
That’s really interesting. We actually saw in the past couple of days with the release of the Black Basta chat logs and some of the conversations they have about, “Hey, if someone pays us a ransom, we actually got to do what we say we do. We have to deliver value for money or people are not going to pay us.”
We also saw in those logs conversations about, “We shouldn’t be targeting children’s hospitals, emergency services or things like that.” Does that mean the bad guys actually have a heart after all? We don’t know. They really seem to be more of a be-bad-for-business. It’d be bad for business if you’re targeting these vulnerable sectors and these vulnerable people. It’s certainly an ever-evolving threat.
In a sense, because it’s a criminal organization, it’s this weird balance of, “We have to be ethical about our lack of ethics. We have to be honest thieves because if we don’t unlock when people have paid to get their stuff unlocked, then people aren’t going to pay to have it unlocked.”
Exactly right. What’s really interesting about that is we also see a lot of these—I’m sure you receive them and the listeners receive them too—emails saying, “Hey, I’ve got compromising information on you. Just send me a quarter of a bitcoin. I won’t let everyone know this compromising information I have about you.” Some of that comes out of the fact that we have the news articles about these ransomware gangs and the others actually delivering what they said they would.
Now these other scammers, they’re like, “Hey, I’m going to play off of that and live off of that by saying, ‘If you pay me, then you’re fine,’” even though us in the industry know there’s very little chance what they’re saying is actually true. For the average person, you have no way to do it.
Another personal story: A relative of mine who runs a small business got one of those emails. He’s like, “What do I do? What should I do?” It was really interesting as we went through the actual request from the so-called attacker. It looks like they just took a whole lot of ransomware stories and ransomware letters, threw it into a generative AI and said, “Generate me an attack focusing on this type of business.”
As you read through, there are certain inconsistencies in it, like they were talking about using Pegasus software, which we know is mobile-focused on that industry, that they’re going to attack their router with it and things like that. I think that’s one of the things we’ll see.
It’s funny because people are just playing on people’s own fears. I’ve tried to remember, I get those probably once a month, once a week, or something like that. There was one time I got one that actually they had done some merge with the data breach or something else. They actually had additional information about me.
It was like, “Well, this stuff is clearly from a breach.” I’ve thought that the person who doesn’t know isn’t paying attention to data breaches, all of a sudden they see, “Oh, hey, I used that password at some point in a past life. Oh, that is my address, that is my zip code. Oh, that is my phone number.” All of a sudden, that threat looks a lot more real than just, “Well, you just take my email address off this so that it could be anybody.”
Right. We talked about that in the industry, about being able to create data that in and of itself may not be risky, but when you combine it with other data sets, it gives a much higher degree of risk. That’s exactly what you’re talking about, where you take multiple pieces of information.
Maybe they just scrape the white pages of your local phone book, got some information from it, and got an address and a name. They went to one of those dump sites and found something that matched. You got an email address from there, did some basic OSINT and found out you had a Facebook account. Maybe you had some public posts on Facebook.
One of the ones we investigated as a threat hunt team was a person who was targeted. He got a phishing email saying, “Hey, I was Joe in your fifth-grade class. Here’s a picture I found at my mom’s after she died. It’s a really great picture of us.” There’s just enough believability in it. They have just enough information. Sure enough, you click on it and you’re compromised.
That’s the scary thing. With AI, you can now start merging all of these disparate data sources and start producing stuff that potentially looks more legitimate, and then scale it up to ridiculous levels.
Yes.
We’re talking a little bit about LockBit. What’s the history of the LockBit organization?
They’ve been around for a while. They had some takedowns, they had some resurgences. They’re almost like a really good Rocky movie—they’re down and out and then they come back again. I think it was around 2020 when they really started outdoing their things, and then we had the takedown of them, but they clearly rose back up.
Part of it was because of the distributed nature and the resilient nature of Ransomware as a Service. They came back really fast. It’s that decentralized Ransomware as a Service model that allows the affiliates to keep on earning, even if the main ones go down. It allows them to persist beyond that.
One of the things we saw that really potentially helped with that is if you think about the ability to not be detected in your attacks, one of the things we saw was that the certain parts of the ransomware attack lifecycle had a really good chance of persisting beyond initial detection. That’s a big problem. If you can’t get rid of it and it sticks around, it’s going to have a chance to grow back.
Again, the exfiltration detection rate last year in some of our testing was as low as 25%, which is pretty low. If you have the ability to remain active, even while the system is being taken down, and you can wait for it to come back or find other ways, you still have the ability to generate revenue, generate income, and people will continue to do it.
Is that a more common thing that you’re seeing? Someone will gain access to a system and infrastructure and just sit silently enough in there for a long enough period of time that even if someone restores from a backup, they’re still in there from the backup?
There are actually two interesting points about that. It really depends upon the level of sophistication of the ransomware group. We’ve seen over the past several months, if not the past year, the closer working of nation states with ransomware gangs and other criminal cyber gangs, they tend to be a little bit more patient in the work they do because they have a longer term play.
A lot of the Ransomware as a Service affiliates are more smash-and-grab. We just saw not that long ago, I think it was even this week, there was a DFIR report about a breach that took place. From the time the initial breach took place until they left, it was two hours.
A lot of them want to get in and get out quickly, get what they need, start the ransomware process, and move on to the next victim. They don’t want to necessarily give you a chance to detect them. The time to detect is even becoming more and more important. Of course, the time to remediate and fix the attack is even more important.
It’s almost as if we just want to get our money as quickly as we can. If we can’t get in, we’re just going to move on to something else. They’re not really looking for, “What other exploits can I do? It’s just, let me just do this one thing and get my money.”
Exactly right. We actually see them branching out into other areas and increasing their attack surface, targeting Linux and macOS. VMware ESXi services are another one that they’re really going after. They’re expanding their evasion techniques. If we look at things like LockBit 4 Green, I believe is how it’s referred to, they employed advanced evasion techniques like API hash and DLL proxy sideloading.
Again, in the command and control of that, being able to command and control a large ransomware team, group, and inside the organization itself. If you look at the MITRE technique 1701, the application layer protocol, detection rates were as low as 20% in some cases. Again, the ability to avoid detection is something that these gangs rely upon. We need to get better at detecting and preventing, but really detection is paramount.
What do you expect them to be doing going forward? Just getting better at what they do, or waiting longer, going faster?
I think despite our best efforts, ransomware is going to continue to thrive. Again, it’s that resiliency of the Ransomware as a Service setup and how they’ve distributed the risk across multiple affiliates. If one affiliate gets taken down, they can continue on doing ransomware in a different part of their affiliate network.
We’re seeing an evolution of these that they’re really focused on the look and feel of the ransomware infrastructure now, the usability, point, click, fire type of things. You don’t need to be an advanced level hacker now to do this stuff. We are really going to see it. We think of an expansion from ransomware service to Malware as a Service. It’s just a natural thing to add onto it.
Of course, as much as we try, the increase of the ability to exploit other things like VPNs, routers, and edge devices for access, our attack surface is not getting smaller. It’s only getting bigger. You have to think that our best attempts are always going to be the best thing we do. No one goes to work thinking, “I’m going to be breached today,” or, “I want to be breached today.” It’s just the nature of the business we deal with. We have an ever-growing attack surface.
It’s hard for us. We don’t have unlimited budgets. We don’t have unlimited people and unlimited resources. We have to really focus on the things that matter. It’s really important for us to start providing visibility to our customers of where the real threats are and where they’re really coming from. We’re doing a lot of work inside of our team to incorporate a lot more of what we’re calling proactive cyber threat intelligence into our ability to lead our customers to where the biggest risks are right now for them.
Based upon the results we have about where they’re lacking in their coverage, their resiliency, their mitigating controls, we can say, “We think the following threat actors might be of interest to you. If they are, they’re going to use these types of tools and techniques, these types of CVEs. By the way, we know that you have these failing parts of your infrastructure, these failing machines that might be susceptible to it. You may want to start there.” We’ve got to be better at identifying the possible threats and then finding ways to address them as quickly as we can.
When you’re doing threat emulation, in general, how successful are you and your team?
As I said at the outset, our motto is “Think bad, do good.” The other one is “Do no harm.” One of the things we pride ourselves on is being able to run our emulations in a production environment. You don’t have to take them to a lab or a test environment, because everyone knows your lab and test environment, it’s nothing like production. It’s real world, it’s dirty, it’s not clean, and people do silly things. Being able to actually do the testing and production is really important for us.
What does that mean? It means that when we go to emulate certain attacks, we can’t do everything because we would do harm. We certainly do enough emulations in such a way that the mitigating controls should be able to detect and respond, detect and protect the customer from our attack. They know if something did take place, they’d actually be protected.
An awful lot of times, it’s not necessarily the damaging attack that is most detectable. It’s oftentimes reconnaissance, the installation of the attack tools, or the lateral movement that is a really great opportunity to interdict these types of attacks before they become too bad.
We really focus our things on providing good overall coverage of the threats and then being able to give our customers a chance to make sure their compensating controls will actually protect them.
Got you. What are some of the biggest mistakes that they’re making, or noticeable, or repeatable?
I think one of the things we’re hearing from a lot of our customers on the use of our continuous threat emulation and our adversarial exploitation validation tools is they’ll deploy mitigating controls and they’ll set them up to figure them, but they are organic. They change over time. People add new things to them, or the supplier will change a setting or how something works. They may not necessarily know that’s taking place.
We don’t have time to RTFM on every release, but being able to know that having continuous testing and validation, they can find out if something has changed in their environment, that’s really important.
The other thing that happens, too, is business happens. A lot of the time, you will find out that I didn’t know my company was doing that. Then some guy will go, “Oh, yeah, we had a business need, so we did the following.” They go, “Well, you broke our cybersecurity.” By having the ability to continuously test and find those areas, that really makes them more cyber-resilient. It actually helps people sleep at night knowing that, “Hey, today we tested these things and our controls worked.”
I can see the situation where it makes sense that you, “Oh, we had to poke a hole for this,” or, “We had to make this exception to do these things.” I wonder how often when those original use cases disappear that people go back in and say, “We don’t need that hole anymore; let’s close it. We don’t have that use case anymore. Let’s undo what we did to support that use case.”
I know in my own life, it’s very, “Oh, let me poke a hole for this, poke a hole for that.” Years later, I’m like, “Why did I do that? I did that? I left that open for that long? I just needed that for 15 minutes. How could I have forgotten that?”
Two quick examples of that. Working with one company, we did the testing for them and they’re like, “What’s this jump server? Why do we still have this jump server?” They finally go to it and it’s like, “It’s a Windows 7 jump server; why do we still have this?” It’s just like you said: they needed it for something, it was used, and then it was totally forgotten about.
On a personal note, going a little bit back in the time machine, when Heartbleed came out, my parents were actually in Florida, and they wanted to connect back to Canada to watch some web shows and things like that. I set up a VPN server in my house. Just an extra machine, threw it up, stood up in the corner, put it on a segmented network, totally forgot about it. Heartbleed happens.
About six weeks after Heartbleed happens, I go, “What’s that thing in my corner over there? What’s that machine running?” I go over and I hop on it. I’m like, “Oh, my God. It’s fully compromised.”
Here's a perfect example. Somebody who’s in the industry stands something up because they had a need, because my parents wanted to watch their web episodes and totally forgot about it, and then it gets compromised. We wonder how these things happen. It happens to everybody. It’s the best intent.
I’m sure there is a machine in the closet of almost every single business that’s been open for 10 years that nobody knows what it does. There’s a sticker on it that says, “Don’t turn this off.”
That’s right. That’s very true.
I won’t say ransomware is inevitable, but for those that get ransomed, there’s this discussion of, “Do you pay? Do you not pay?” I know there was discussion. The US government was thinking about making ransomware payments to particular organizations criminal. How do we navigate that aspect? How do you help your customers navigate what to do?
That’s really hard. You’re in that moment and bad things are happening to you. There’s somebody saying, “Hey, we’ve done these bad things to you, and I’ll make this pain go away if you do this.” Then you get that whole moral and ethical conversation. Paying ransomware fuels the RaaS ecosystem. That’s what they’re counting on.
When you think of a LockBit, there are reports of over $120 million extorted from victims over the past several years of it. It’s a really hard thing. I think one of the best things we can do is do our best to avoid it but recognize this thing happened, and do the basic things. I call it eating your vegetables. It’s patch. It’s having separation of duty. It’s having dual custodians. It’s two-factor authentications. It’s having reliable backups.
I think one of the best pieces of advice I heard from my team this week when we were talking about this was that your backup servers should not necessarily be part of your domain system or your centralized authentication system. They should stand on their own with their own authentication with very strong authentication controls and strong passwords. No password reuse and limited access. So if something bad does go and they get your credentials, they get Active Directory, they get admin, or they get a golden token or something, you still have the ability to protect that backup from there.
I guess the other thing, too, is encryption at rest, encryption in motion, all the things we’ve talked about for years are important. If someone steals your data, and you are a company that does consumer-facing stuff, and you’re RSA 4096-encrypted, people will go, “Hey, that’s really great, but we know 30 years from now, maybe they’ll break that encryption. They’ll steal your data.”
At that point, is the data even useful anymore? It’s going to be addresses, it’s going to be credit card numbers, and things like that. Again, the basics really help and then being prepared for when it happens. Testing your response to what takes place. “What am I going to do when this happens?” This is not if, but when.
Almost every company at some point is going to face this dilemma. It’s not something I’d want anyone to go through, but it’s like why do we do fire drills in schools? We don’t expect schools to burn down. We don’t expect something bad to happen. But if it does, are we prepared and are we going to respond to it appropriately?
Whenever I hear people talk about backup, please test your backup processes. I don’t know of anybody who’s had a significant issue where they’ve had to go to backups that didn’t have problems and weren’t able to recover everything because the backups weren’t working in the way they thought they were working.
Absolutely. If you’re not practicing disaster recovery and switching over to secondary sites, secondary lines, and things like that when the pressure is not on, what’s going to happen when the pressure is on?
I remember doing simple things back when I was a single admin for a small company and go, “What happens when all my servers go away? I’ve got these tapes. I’ve got a tower of Hanoi rotation, and I have a full backup and partials on these. How do I restore it?” My gosh, it was quite stressful.
I can imagine trying to do it when the world’s on fire and everyone’s screaming to be back up and running, and customers want access to their data. Your advice is well-placed—test your backups.
There was someone that I knew that their full master reset backup was once a year, and that they had tape backups for the differential for every week. I thought, “Well, how long does it take to do that weekly differential restore from that?” “It takes three hours.” I’m like, “Do you realize that if it’s week 51 and you have to restore, you’re talking about 150 hours, or you’re talking about five or six days of downtime just to run your restore process?” He’s like, “Oh, I didn’t think about that.”
Right. It sounds great doing incrementals and things like that. Even today with some of the nearby cold storage and cloud storage. Even personally at home, backing up to the cloud because I’m upgrading our home computers, restoring everything from there and just even for our home can take hours, if not days, to pull down all the data again. You’re right. We need to take that into account.
I’ll put you in a spot here. I noticed you avoided the do you pay or do you not pay ransomware. What are the thought processes that you would give a customer on not what decision to make, but what things to consider in that decision?
I think that it’s going to be individual by the industry, by the type of business that you have, the type of things you can do. It’s not an easy conversation. It’s not an easy decision for anyone to make.
I know that some of the government agencies and different industry bodies are starting to bring some regulation to it to help you make decisions on. Of course, you’re either way the bad guy in this situation. People say, “Well, if you don’t pay the ransomware, I wouldn’t have got my data back.” You pay the ransomware, they go, “Well, you’re the bad guy. You’re enabling the attackers to keep doing what they’re doing. You’re the problem.” It’s a no-win situation. I think that there are a lot of really good companies out there to turn to to get help.
We recently did a webcast with myself and a legal expert talking to some of the legal implications of cybersecurity, and there’s a really good conversation he had on there about paying ransomware and things like that. It’s situational. I would never be one to judge anyone for what they did or how they did what they did. From my standpoint, it’s really not my story to tell. It belongs to each individual as they experience it and how they react to it.
My biggest advice is to listen to the experts, listen to the people around you, and come to a conclusion that everyone can support. Not necessarily in line with, but at least support your path forward.
As we saw over the weekend with that crypto heist, how did that company respond? Open, transparently, constant communication, working with partners. It’s really a shining example of how you respond to an incident like that. Really, I think that companies being honest up front as quickly as they can when things like this happen just puts them in a much better light. I think transparency and the bright light of transparency just makes things so much better.
The cover up is almost always worse than the crime.
Yeah.
Not always, but often.
It’s so hard.
Is there anything that you’re seeing the government doing in a positive way or some challenges that’s like, “Sure, you’re working to protect an individual client, but you’re not a law enforcement agency. You can’t shut down these organizations.” Do you see that the government is going to be able to take them out in any serious way, or is it just a hydra where you lop off one head and it’s going to be back again a week later?
That’s the hard part of Ransomware as a Service, because of the nature of it, it’s so hard. We see a lot of intergovernmental, interdepartmental support, investigations taking place. There are large players in the industry that are actively working with government and law enforcement to take down these gangs and to address those threats.
I think that as we mature continuously in our cybersecurity world, we’re going to find better ways to work together. I think that private-public partnership is a really important aspect to it.
Our governments don’t have unlimited funds as well. A lot of times, they’re not necessarily experts in the systems being attacked or systems held for ransom. We in the industry have a responsibility to work where we can with the government and other agencies to support them when the time comes.
Try to build regulations that support proactive disclosure and not necessarily punishing the company that’s attacked. Although there are times when there’s a lack of due diligence and due care, and that needs to be investigated. But in general, I think we need to be in a world right now where we encourage people to be open and honest about what’s taking place, bring out the shadows, bring to the forefront, and let us address it in a hopeful way.
Do you have any resources online that talk about the latest threats in the industry?
On our website, we have an area there for the adversary research team. We have some really great content and blogs up there about some of the latest adversaries that are developing and coming. That’s a really great resource. I think the other thing that AttackIQ has is we have our AttackIQ Academy, where tens of thousands of people have gone through all kinds of different learnings in the cybersecurity world.
I’ve taken a number of courses from there. They’ve been very excellent. They cover everything from simple incident response and OSINT to more detailed things about how do I measure my risk? How much is my exposure? I think those things that AttackIQ offers really help us and help our customers become more cyber-secure and cyber-resilient.
Awesome. We’ll make sure to link to those in the show notes as well. If people want to get a hold of you or AttackIQ, where can they find you guys online?
Obviously, the website is attackiq.com. You can find me on LinkedIn. That seems to be the primary method we’ve been using lately to share information. The LinkedIn community has been very, very active and very supportive. That’s a really great place to find us. Of course, we have our website and our own channel on LinkedIn as well for AttackIQ.
Awesome. Paul, thank you so much for coming on the podcast today.
Thank you for your time. I really enjoyed it.