Truth in IT

Rubrik: Ransomware as Terrorism: Policy, AI & Defense Strategies

Rubrik
06/19/2026

Transcript


multi-factor authentication, using codes, using apps, some hard tokens, some way so that there can't be anyone that gets in between you and the multi-factor authentication code that you're receiving is really the best way to protect identity-based attacks, which is still the primary way we see adversaries doing it. Hello, and welcome to Data Security Decoded, where we deliver actionable insights to reduce data security risks and improve cyber resilience outcomes. I'm your host, Caleb Tolan. And in this episode, I sat down with Cynthia Kaiser, SVP of Halcyon's Ransomware Research Center. We spoke about how ransomware attacks have evolved over the past several years, how emerging technologies are manifesting in cybercrime groups, and what defenders can do to best prepare for modern ransomware attacks. Let's get into it. Cynthia, welcome to the show. I'm so excited to have you on Data Security Decoded, and I would love to start the conversation around your recent testimony in front of the House Homeland Security Committee, where you advocated that ransomware groups that target large hospitals be designated as terrorist organizations. Now, some could say that this would make it illegal for victims to pay, effectively sentencing those hospitals to permanent downtime if they don't have the perfect backups. What would this shift in designation mean for healthcare organizations? And would they get more resources to maintain continuity? What would that designation shift really look like in practice? Well, so let me back it up a little bit for what I was advocating for on the Hill. So really, one of the things I'm passionate about is figuring out how to stop the worst of the worst of cybercrime from happening. Even since my time I was at the FBI, now I'm at Halcyon, looking at when ransomware actors choose to target hospitals, and it's something they used to have some kind of unwritten code that they didn't do this. 
Now they are actively choosing to target these hospitals because they believe that the threat against human lives is going to get them a bigger payout in the end. They're not naive to the consequences, that if a hospital's down, if someone has to go for a longer ambulance ride to a hospital nearby, that patient outcomes deteriorate, that people die. They know that. They've just chosen to believe that it's somebody else's problem, and as long as they're getting their financial win, it's okay. So they're actively choosing to put people's lives on the line. I don't know what you call that other than murder, other than terrorism. And I think we need to come up with ways in which the actual consequences of these types of ultra heinous crimes actually match what the consequences are. So let's peel that back a little further. I think what I advocated for on the Hill is like, yes, if you ask Cynthia Kaiser, I think it's terrorism. I think there's downsides. I think there's upsides. Let's talk through it. Let's parse through all those details. But we need an honest legal review and analysis across departments to really make that determination. We haven't taken up this cause in this debate yet, and I think that's the real tragedy here. We need to have big ideas. We need to arbitrate them, and we need to be okay that sometimes there's downsides to big ideas. Because what we're doing now is important. How the federal government's been able to counter ransomware actors is, I think they've done it the best that they could do with the resources and authorities they have, but it's akin to keeping your grass mowed, right? It could be even worse if they hadn't done anything, but we need to stop this activity. And I feel like figuring out the policy process around how do we make ransomware not kill people, that feels worthy, right? It feels like something we can take on. We can do big things. We can do this. 
Now I'm going to actually answer your real question, which is, you know, does this create an effective ban for hospitals to pay? You know, in the end, no. It could, right, if you go much farther down the line where there are lots of actors designated as terrorists, and you're kind of going through these processes behind the scenes to figure out what you can do if you're a hospital under attack. But what I will say is we've convened groups and tables of major insurers in the space for cyber insurance to talk through this. Would it be an act of terrorism to pay, like act of terrorism when there's an attack, therefore rendering insurance unable to pay, right, or unwilling to pay, to trigger some kind of items within insurance policies? I think the answer is probably not, right, but we have to shape insurance a little bit differently if we want to move forward with that. But in terms of an effective pay ban, ultimately, you might get to this place where all of these actors are designated that a hospital can't necessarily pay, but it's not a punishment on that hospital. If an actor knows, if a ransomware gangster knows, I target this hospital, they can't pay, what other choices are they going to make? They're going to go to a different target. If an actor is kind of looking and saying, well, if I target this site, this network and it's got hospital in the site address, I'm going to be labeled a terrorist. What choices are they going to make? Maybe they'll choose a different target, right? It's about influencing the target selection and putting red lines down that says, no, you can't do this. And I guarantee you there's going to be massive amounts of federal support for any hospital that's under attack that needs to be able to wade through that. That already happens now. So I think kind of throwing up this one flag about, but what if this, well, like, let's talk about how we mitigate that then. 
Let's not throw out the ideas that enable us to really shape adversary behavior. Right. Absolutely. You have to propose the big ideas to make a really big difference. I totally, totally understand that. And I want to ask you a little bit, you've already talked a bit about extortion as it relates to hospitals and ransomware, but I want to ask you a little bit about some creative extortion tactics that you're kind of observing. So for example, I know we watched the North Korean IT worker scandal kind of shift a little bit away from, or not away from, but just in addition to, it originally started as laptop farms fueling the economy of a notorious nation state to an extortion machine. And we see that they're infiltrating Western companies as remote IT workers, and they then can exfiltrate data based off the permissions that they have as remote IT employees. And then they can hold that data for ransom for the businesses that ultimately discover them and then fire them. So that's just a very interesting model shift that we watched in that particular case study. What are some of the other unique stories or emerging trends in the worlds of cybercrime that you're keeping a really close eye on and that are, you know, particularly like unexpected techniques to extort organizations? So you bring up such a great point because what I like to tell people a lot of times when you're thinking about a cyber operation, it's a why choose adventure. So yeah, maybe you have these IT workers and they're doing the laptop farms, but I think for a while we were saying, but if you have access to the network, you can do other things. You can steal, you can attack, you can hold hostage. Same thing with espionage operations. We've seen multiple different nation state espionage operations turn around and become cyber attack operations. 
Great example is when Iran targeted Albania a few years ago, they'd had espionage access for 14 months to government networks when they were angry at Albania for something that we would consider like a perceived political slight. Then they turned that to an attacker and said, here, right, go attack. They used ransomware, they did wiper activities, took the emails that had been stolen, used them for information operations. And so we can never look at these operations in a silo and expect them to stay within that lane. Adversaries are going to use the access they have to the benefit of what they need at the time. And so when thinking about like then what's creative, like what are we seeing now? A few elements. One is, I'm just going to talk about how fast ransomware is. It used to be we worked out, we saw like, you know, weeks of dwell time. But when we reviewed last year's data at Halcyon, we identified one of the main groups, Akira. They had conducted attacks at about an average of four hours from the time they got onto a network to the time they encrypted a network. Some of them were in under one hour. That's crazy, right? Like that's the time in which it takes to have dinner with your family. To that point, what's the most common time for a ransomware actor to actually conduct their attack? It's Wednesday evenings. So like you are looking at groups that like in one weekday night can enter and encrypt your entire system. That's very different, but like that's a one-hour attack. I think another creative item I've seen is, I'm going to call it a 31-day attack, which is we've seen ransomware actors get onto a network, access to whatever account they needed to unsubscribe from backup services, waited 30 days, day 31, when those backup services were no longer in place, but no one knew it at the company, that's when they attacked to try to maximize, right, how they're actually gaining access here. 
So it's almost a creativeness, less so in the technical and more so in the application, how do they create the most pain, how do they do the most damage in the shortest amount of time possible? Right, right. Those are both very interesting case studies in particular, and especially on that piece about like the dwell time and the time it takes from entrance to executing an attack being so short. I'm sure AI, especially with technologies like Methos, that's just going to get accelerated even more. But I don't want to get ahead of myself because I want to ask you about that in a little bit. But I want to shift gears a little bit and talk specifically about ransomware attacks that are focused in the cloud. Now we know that threat actors are targeting cloud environments, and it's becoming increasingly more common as more organizations adopt multi and hybrid cloud environments. And it's easier, I get it. Once in, they can kind of hop around cloud apps and escalate their privileges much easier than an on-prem environment. But what I want to talk about is that recovery piece of a cyber attack. So why is it that cyber recovery from ransomware targeting cloud environments is so different than recovering from an on-prem environment, especially, like I said, knowing that organizations are operating in hybrid and multi-cloud environments? Well, I think focusing on just the interconnectedness in general of our networks, that's actually what's fueling some of these like the shorter timeframes of attacks. So being like the ransomware actors, getting on, be able to target hypervisors, which is like allowing a lot of the virtualization across all of our connected devices and the like enables them to then rapidly grow across and do rapid encryption. But in particular, with cloud-based infrastructure, when you're doing recovery, what's the most difficult part of a recovery operation is making sure the actors are actually kicked off, right? 
Making sure that they aren't hiding in certain places, that they're not able through like the general increased connectivity across the network to be able to really like find a place, find a user account, find a way in which they're privileged accesses across the board and use those to their advantage to be able to reinfect again and again and again. And I think where this really shows is there's a much higher rate of re-attack of victims. So if you're a victim once, you're much more likely to become a victim again. If you pay, you're even more likely to become a victim again. But when I was at the FBI, we would see that in, you know, 10 to under 10 days, being victims twice, under 48 hours becoming victims twice. And really it's, you know, these actors, they're lying in wait, they're finding different places across the network to hide. And so then they are re-pivoting, becoming an affiliate, right, a subcontractor for a different ransomware group, and then going again, doing the same activity all over again. We've seen where we've kicked off certain threat groups from networks, then try to come back, you know, in a different way, and then try to come back and pivot using a different vector and come back again and again, like trying their different ways. And so being able to really identify and eradicate and evict the actors in the network just becomes harder and harder with all of this kind of connectivity, privileged access across the board. Right. The industrialization of cybercrime and how it's actually become like these strategic jobs is truly, truly mind boggling to watch. And I know I mentioned it a little bit earlier, I promised I would come back to the, to the mythos and the AI conversation. But recently you spoke about ransomware wannabes is kind of what you labeled them. Groups like the Sakari group using AI to ugly chain attacks together. Those are some of the terms you used. I just love that. 
Which is just increasing the volume of messy and destructive attacks rather than improving the quality of their code. And the industry's, you know, terrified of mythos and its ability to autonomously outpace PDR. So I kind of want to shift through the noise or sift through the noise rather on AI. So what are your biggest concerns that are on the horizon when it comes to cybercriminals leveraging AI? Is it prompt injection for agents? Is it threat actors identifying zero days for mythos? Is it groups like Sakari haphazardly using AI for their ransomware? All of these, something else entirely. What's kind of on your mind? So I would put it in one of my short-term concerns versus long-term concerns, right? I think in that short-term area, I am really worried about the wannabes, the amateurs who couldn't do an attack today if they wanted to, right, but now have the most powerful tools humans ever had in their hands and can get to 5% effectiveness, 7% effectiveness. That's really good for them. But I think what that's going to manifest, and we're already seeing this across networks, is the number of incidents and attacks are going up, even if they're known, right? Even if you're able to identify them, security teams are finding them, they're doing the right incident response, they're kicking them off. That's a lot of time, right? And we're going to fatigue all these internal teams if we don't have more automated ways in which to stop these attacks before they start because while you're looking at the most noisy types of operations, the quiet ones have an easier time slipping through. So I think, you know, yeah, there's more destructiveness in groups like Sakari, but really this idea that you could have a lot of bad actors doing bad, noisy things, it's a distraction, but it's a distraction that can cause a lot of harm. So I think that's the biggest short-term problem. 
Like, let's go 12 months, looking at the next year, especially as Methos has come out and we've been having a lot of these conversations with industry. What is most concerning about new tools like Methos, as well as the existing AI capabilities we now know, is that it is so much easier to get onto a network. The operations still look relatively the same once that initial access is established, but getting on is just much easier than it was even a year ago. Think about it. It's easier to lie with AI, right? So you have better spear phishing, you can do spear phishing at scale, you have better deep fakes. We've seen actors use deep fakes to conduct operations against help desks where they pretend they're the employee and doing the help desk reset. We see deep fakes deployed in that way. There's a much shorter just patch to exploit window, like when a patch is announced versus when adversaries can exploit, and that's aided by AI, and now with Methos, really being able to identify unknown vulnerabilities, especially, I would say, at the edge of networks, like the way in. That's another data point where you just have to almost assume breach at this point. So if you assume breach, we've been talking about this a little bit, right, with zero trust and how do you segment your networks? This isn't new, but I think it's a re-emphasis on, you can't just look at preventing. You can't just put up an electric fence but leave all the doors unlocked inside. You have to create a lot of defense in depth, you have to create alerts, ways to identify actors if they get on, inevitably, probably get on some way to your network, be able to contain them, quickly remove their access from your network. All of that's going to be critical moving forward to be able to mitigate the attacks of the future because there just isn't a way, I think, to stem the human threat vector of just being able to be tricked or finding zero days and being able to utilize those at scale. 
It's going to be really an issue for the next few years, ultimately. I think we're going to be able to get to that self-healing software, self-healing hardware, right? The actual software and hardware itself identifies vulnerabilities and fixes it. It's going to be an amazing future a decade from now, but we have a while to go and we know what it looks like to try to replace technology. It's a long process and that's a long decade plus of vulnerability along the way. Right. Well, speaking of kind of technology ahead of us, so as somebody who's kind of a newly obsessed ransomware fanatic, I know you spent a lot of your career focusing on espionage. How concerned are you about quantum technology making its way into cybercrime circles and how concerned are you about the concept of Harvest Now, Decrypt Later? I think those are two separate items. Ransomware actors typically understand that the information collected today is disposable. Disposable is the wrong word. The ransomware actors, what they collect today, it has an expiration date, right? It's most useful when you first collect it. It's probably not like for the ransomware actors, you know, making a reputational problem with a company, with their clients being upset that their, you know, latest information is out there. There's a lot more utility in that being fresh and current than down the road. Espionage is totally different. Learning secrets today to be able to use them later down the road is something that's really scary, especially if you think about, like, who they might be collecting on, what type of information operations could be conducted, et cetera. So I kind of view it in these two different tracks. But quantum overall, it's interesting because, you know, we want to look towards this, you know, next big technological advancement, but the ransomware actors are really good with the technology they have now. 
Like, even among the sophisticated groups, we see them using AI, but like in the same way you and I are using AI, like, oh, hey, I want to check my code, right? Hey, this might save me a few minutes in writing this if it already knows me and I give it some really good prompts and some really good sources. It's not, they're not using it wholesale for doing their operations because it has a much lower success rate than their actual operations do. I think it's the same thing when you're approaching quantum. We've seen, even, I think, recently, there was an article that came out about a ransomware group that claimed to be using, like, certain types of quantum technology. It was more or less a marketing ploy, like when we peeled it back and looked into it, where they really weren't enabling and using that type of technology in the way in which they said they were. And so you're going to see a lot of these false claims out there about, like, look it, we're able to do so much, right? They're trying to build themselves up, make themselves the boogeyman. But, like, even with, you know, I think we're still waiting on wider adoption of AI across the actor sets, given that they're just so good and have had so much repetition and really have refined their operations using just using native tools, like across a network, hiding among the noise. They're still very successful. Ransomware attacks are still up 20% from 2023. Right. So I want to kind of pose a difficult question towards you. So manufacturing, healthcare, financial services, any critical infrastructure kind of sector, they're all some of the biggest targets for ransomware. And I know it extends to pretty much all industries, too. And so I know we don't want to, you know, it's hard to paint in broad strokes and make generalizations, especially when every industry has its own unique use case, if you will. 
But what would you say are three actionable steps that you would like to see defenders take across the board to best prepare for ransomware and be able to respond when they eventually are targeted? Yeah, that's a great question. I mean, the three ways that I would really advise any defender to best protect their network include phishing-resistant multi-factor authentication, ensuring that like any check is better than no check. Right. You know, text-message multi-factor authentication that I of course have, you know, on certain sites is better than nothing, but phishing resistant, right? Using codes, using apps, some, you know, hard tokens, some way so that there can't be anyone that gets in between you and the multi-factor authentication code that you're receiving is really the best way to protect identity-based attacks, which is still the primary way we see adversaries going in. So I would absolutely prioritize that as number one. Number two, I would ensure that I'm focusing, I mean, zero trust is a large thing, but just having defense in depth. And by that, I mean, if you can build a wall, that's great, but some people figure out how to scale a wall. You need barbed wire at the top, right? If you have across your street, there's three houses with walls with barbed wire and one without, which one's going to be, you know, broken into first? And so really ensuring you have the double checks because nothing's perfect. It can be, you can misconfigure, you know, certain areas. So making sure that you have some additional security in place is also critical. And finally, I'd make sure that all organizations and defenders understand that they are going to be targeted. They are going to be attacked. And to my like point on AI, they're going to get in somewhere probably onto your network. 
And I'd say this for an organization, but I'd say this for a grandparent that was just targeted with, you know, the elder care fraud calls that we see go rampant or the cryptocurrency, you know, fraud and other types of crimes related to that too, is the most important thing to know is you're not alone and to really, you're not alone. You're also, you're a target, no matter who you are, what organization you are, which means you need to practice incident response. You need an incident response plan, you need to take it off the shelf, make sure it's accessible, even if your networks go down and you need to incorporate all the right people into an incident response plan. Not just IT, but executive leadership, marketing PR, so you know how transparent you want to be, especially if an actor's lying about what they did to you, right, in public, figuring that out. So really, like, these aren't going to sound new to any defender, but they work and they're critical and important to being able to rebuff, but also be resilient from ransomware attacks. You know, anybody who's been listening to the show for a long time is probably going to note this, but I've said this anecdote a couple of times, but it goes back to the conversation of eat your vegetables, eat your fruits and vegetables, like all of the basics of security hygiene still matter for the vast majority of organizations. So I absolutely resonate with that sentiment that you shared. And then also, a couple of episodes ago, for anyone who hasn't already listened, we had a conversation with John Falker over at Trellix, and he shared this sentiment of like, organizations, especially those in healthcare, like you were talking about at the top of the show, some of them have this idea of that there's a cyber Red Cross that makes them kind of immune to cyber attacks just because they're a very mission-driven organization. 
And as much as I wish that were true, unfortunately, like we've been talking about here, that's just not necessarily the case. And everyone has a target on their back. And if you don't think you do, then that probably means you have an even larger target on your back than you even realize. So couldn't agree with you more. Yeah. These actors have no shame, right? These people doing these attacks have no shame, they don't have morals, like they just are looking to make money or make it painful for you. You spent many years of your career in the public sector, and now you're making a massive impact in the private sector. And I want to ask you two inconvenient truths. One that governments need to accept to address ransomware, and one that the private sector needs to face in order to become better prepared for when ransomware attacks happen. On the government side, and this is something that I used to really beat the drum for, so it's almost a confession at this point, but one item that government really needs to readjust its thinking on is the conversation on information sharing. It's important. I get it, right? More information, bringing it all together, it can't be siloed, but the private sector has so much data. And even coming from my vantage point of knowing what I want to tell FBI and like talk to them about it and provide over to them, I don't understand fully what would be most useful. And if I don't understand, I can't imagine anybody else understands exactly what would be useful over into government, because I can't just send all of my data over. They don't even have the tools to be able to parse through it, right? They're a little behind on AI and, you know, that kind of data analysis capabilities overall. And so, you know, what, like being more specific, what kind of information do you want? Why? How do we get it to you? 
But like kind of stopping having this more generalized conversation around it and getting into much more specifics with private industry really matters here. I'd say on the private sector side, it's interesting, Halcyon did a study of talking to CISOs, and we asked a lot of questions. One is, you know, how prepared do you think you are to be able to rebuff a ransomware attack? And, you know, I think it was about 70% said, yeah, I'm really prepared, right? I could rebuff a ransomware attack. And we asked a similar question. How many of you think that you would pass, like a red team target, how many of you would pass kind of that pen testing, that testing people do of your network, right? And about 70% said, oh, I don't think we'd pass. There's a conflict there, where like the ransomware actors act just like a red team. They act, you know, just like you're going to see companies that come in and are testing your network, and they're trying to use your native tools against you and go across surreptitiously and really find, you know, what's most valuable, all of those things, the same tools that we would see them use, we see the ransomware actors use. So I think there's this overestimation in the private sector about how prepared they are to rebuff an attack and stop it, and I think there needs to be more of like an honest accounting for how sophisticated cybercrime is. It's so much more sophisticated, different than it was just two years ago. Kind of understanding that and knowing you have to do things differently than two years ago as well is critical to being able to protect your network from these awful, malicious, heinous attacks. Right. Right. Absolutely. That's a very interesting juxtaposition there of those two responses. And I would have a couple of questions for that CISO who maybe gave those exact answers on that survey. But, Cynthia, it has been wonderful having this conversation with you. 
What is the most important message you want to leave with our listeners today? I'm going to leave two. One is ransomware is so different than it was two years ago, right? So make sure you're keeping up to date and relooking at how you're protecting. But the last one is that we should all be a lot more angry about ransomware than we are. We should be honest about what the impact it's causing, and we should be honest about getting together and needing to work together to do something about it. Absolutely. Absolutely. I think that is a very refreshing take to end on, and I think it's a very realistic take too. So again, Cynthia, thank you so much for joining us today. This is a really, really wonderful conversation. And until next time. That's a wrap on today's episode of Data Security Decoded. If you like what you heard today, please subscribe wherever you listen and leave us a review on either Apple Podcasts or Spotify. Your feedback helps me understand what you want to hear more about and is the best way to support the show. If you want to reach out to me about the show, email me directly at data-security-decoded at n2k.com. Thank you to Rubrik for sponsoring this podcast. The team at N2K includes producer Liz Stokes and executive producer Jennifer Iben, content strategy by Mayim Plaut, sound design by Elliot Peltzman, audio mixing by Elliot Peltzman and Trey Hester, video production support by Bridget Kirkywild and Sorel Joffe. Until next time, stay resilient.

TL;DR

  • Ransomware groups like Akira have reduced attack timelines from weeks to as little as one hour from initial access to full encryption, fundamentally changing incident response requirements and making traditional detection approaches inadequate.
  • Designating hospital-targeting ransomware groups as terrorist organizations could influence adversary target selection by creating legal consequences, not to punish victims but to establish red lines that make healthcare facilities less attractive targets.
  • AI is enabling amateur attackers to conduct messy, noisy attacks at 5-7% effectiveness when they previously couldn't attack at all, creating alert fatigue for security teams while sophisticated actors operate more quietly in the background.
  • A critical disconnect exists where 70% of CISOs believe they can rebuff ransomware attacks, yet the same percentage admit they wouldn't pass red team testing—despite ransomware actors using identical techniques to red teams.
  • Phishing-resistant multi-factor authentication, defense-in-depth architecture, and comprehensive incident response planning involving executive leadership and communications teams are the three most critical defensive priorities for modern organizations.

The Case for Terrorist Designation and Modern Ransomware Tactics

This episode examines the evolution of ransomware from financial crime to life-threatening attacks on critical infrastructure, particularly healthcare organizations. Cynthia Kaiser, SVP of Halcyon's Ransomware Research Center and former FBI cyber specialist, advocates for designating ransomware groups that target hospitals as terrorist organizations—not to punish victims, but to influence adversary target selection through legal consequences. The conversation explores how modern ransomware operations have industrialized, with groups like Akira reducing dwell time from weeks to as little as one hour from initial access to full encryption. Kaiser details sophisticated extortion tactics including the 31-day attack pattern where adversaries unsubscribe victims from backup services and wait for the retention period to expire before striking. The discussion emphasizes that ransomware actors now deliberately target hospitals knowing that threats to human lives increase ransom payments, representing a fundamental shift from earlier unwritten codes that avoided healthcare targets.

AI's Impact on Threat Landscape and Defense Strategies

The episode addresses how artificial intelligence is reshaping both offensive and defensive cybersecurity capabilities. Kaiser distinguishes between short-term and long-term AI concerns, noting that the immediate threat comes from amateur attackers, the ransomware wannabes, who can now achieve 5-7% effectiveness using AI tools when they previously couldn't execute attacks at all. This proliferation of noisy, messy attacks creates alert fatigue for security teams while more sophisticated actors operate quietly. The conversation covers how AI enables better spear phishing at scale, more convincing deepfakes for social engineering, and shorter patch-to-exploit windows. Tools like Methos represent a step change in identifying zero-day vulnerabilities, particularly at network edges. However, Kaiser notes that sophisticated ransomware groups still rely primarily on proven techniques using native tools rather than wholesale AI adoption, as their current methods remain highly effective. The discussion emphasizes that AI's primary impact is making initial access easier, reinforcing the need for an assume-breach mentality and defense-in-depth strategies rather than perimeter-focused security.

Practical Defense Recommendations and Industry Reality Checks

Kaiser provides three actionable priorities for defenders: implementing phishing-resistant multi-factor authentication using codes, apps, or hard tokens rather than SMS-based methods; building defense-in-depth with multiple security layers rather than relying on perimeter controls alone; and developing comprehensive incident response plans that include executive leadership, marketing, and PR, not just IT teams. The conversation reveals a concerning disconnect in the private sector, citing Halcyon research showing 70% of CISOs believe they can rebuff ransomware attacks, yet the same percentage admit they wouldn't pass red team penetration testing. This overconfidence gap is particularly dangerous given that ransomware actors use the same techniques as red teams. Kaiser challenges both the government and the private sector with inconvenient truths: government agencies need to move beyond generic information sharing requests and specify exactly what data they need and why, while private sector organizations must honestly acknowledge that ransomware sophistication has fundamentally changed in just the past two years. The episode concludes with Kaiser's call for greater collective anger about ransomware's impact and honest collaboration to address the threat, particularly as attacks increasingly put human lives at risk in healthcare and other critical infrastructure sectors.

Chapters

0:00 - Introduction and Terrorism Designation
4:20 - Modern Extortion and Dwell Time
8:30 - Cloud Ransomware Recovery Challenges
11:45 - AI Impact on Wannabe Attackers
14:22 - Short-term vs Long-term AI Concerns
17:45 - Three Actionable Defense Steps
21:30 - Inconvenient Truths for Both Sectors
26:30 - CISO Readiness Reality Check

Key Quotes

2:25 "They're actively choosing to put people's lives on the line. I don't know what you call that other than murder, other than terrorism."
5:26 "If an actor knows, if a ransomware gangster knows, I target this hospital, they can't pay, what other choices are they going to make? They're going to go to a different target."
8:56 "They had conducted attacks about an average of four hours from the time they got onto a network to the time they encrypted a network. Some of them were in under one hour."
9:54 "We've seen ransomware actors get onto a network, access to whatever account they needed to unsubscribe from backup services, waited 30 days, day 31, when those backup services were no longer in place, but no one knew it at the company, that's when they attacked."
16:54 "You can't just put up an electric fence but leave all the doors unlocked inside. You have to create a lot of defense in depth."
22:10 "I would really advise any defender to best protect their network, include phishing-resistant multi-factor authentication, using codes, using apps, some hard tokens, some way so that there can't be anyone that gets in between you and the multi-factor authentication code."

FAQ

Would designating ransomware groups as terrorists effectively ban hospitals from paying ransoms?

Not necessarily. While it could eventually limit payment options if many actors are designated, the primary goal is to influence adversary target selection by making hospitals less attractive targets. Insurance policies would need adjustment, but federal support would be available for affected hospitals. The designation aims to establish consequences that deter attacks rather than punish victims.

How are ransomware actors using AI differently than defenders might expect?

Sophisticated ransomware groups use AI similarly to how professionals use it—checking code, saving time on routine tasks with good prompts—rather than wholesale automation of attacks. The bigger concern is amateur attackers who couldn't execute attacks before now achieving 5-7% effectiveness with AI tools, creating volume and noise that distracts from more sophisticated threats.

Why is cloud ransomware recovery more difficult than on-premises recovery?

The interconnectedness of cloud and hybrid environments makes it harder to ensure attackers are completely evicted from the network. Adversaries can hide in privileged accounts, find multiple persistence mechanisms across connected systems, and re-attack victims within 10 days or even 48 hours. The increased connectivity that enables business agility also provides more places for attackers to maintain access and pivot to different ransomware groups as affiliates.
