About This Episode
Podcast Episode 9
December 3, 2024 - 52 mins
The news about cybercrime is overwhelming to those who fight to secure our organizations. Cybercrime organizations are sophisticated and constantly changing. But there’s a hidden truth in cybercrime attacks: cybercriminals exploit the same weaknesses they’ve been exploiting for years. This should give us some hope; we know where our organizations are weakest, which gives us a good place to start. But these weaknesses are often hard to address. They require not just technical solutions, but a lot of thought, coordination, planning, and continual re-evaluation. Though these weaknesses are most often thought of as technical problems, compliance frameworks provide a solid starting point for properly framing the thought, coordination, planning, and continual re-evaluation that is necessary.
Our guest, Terry McGraw, will walk us through these solutions and the support that compliance frameworks provide to ensure continued success. Terry is a retired Lieutenant Colonel from the United States Army and now serves as the CEO of Cape Endeavors, Inc., with over 20 years of providing expertise in cyber security threat analysis, security architectural design, network operations and incident response for both commercial and government sectors.
Episode Transcript
Cole French:
Terry, thanks for taking the time to join us today on the Cyber Compliance and Beyond podcast. I’m really looking forward to this conversation. I think this is a really interesting topic.
Terry McGraw:
No, thank you, Cole. I really appreciate the invite to speak on this. It’s a topic I’m pretty passionate about and I speak pretty frequently about it, and so I appreciate the forum.
Cole French:
Yeah, let’s kick it off with, I know we’re here to talk about cybercrime incidents, things like that. So I think obviously for an incident to become an incident something has to take place. So if you could just get us started. In your experience, and I know you have a lot of experience in the realm of incident response, where do most incidents originate? What takes place? What happens to bring about an incident within an organization?
Terry McGraw:
Yeah. So I think at first, let’s just clarify when we talk about threat actors and who’s participating in these kind of attacks that we see on networks, we tend to lump them into categories based on their motivation. So for example, in cybercrime, clearly the motivation is financial gain. It’s all about the Benjamins. It is opportunistic, meaning if you’re on the internet, you have the potential of being a victim of cybercrime. And the data is very, very clear that the vast majority of activity that we see falls into cybercrime and these opportunistic kind of threats.
And then as you move to the right, which is more targeted activity, nation-states, clearly is about governmental and industrial espionage. Then you have hacktivism, which are people ideologically driven. Those are people wanting to make a big splash, make a point online, web defacement, those kind of things. And then you have the insider threat. Generally speaking, insiders are disgruntled or they’re looking for a financial gain or some combination thereof. And so that makes up sort of the threat actors as a whole.
And then you move down. Well, how do they get in? How do they do what they do? And so because the vast majority of what we see in the wild is of course cybercrime, the data tends to skew towards that, but it is remote access. So even nation-state actors and those kinds of things use very, very similar mechanisms to get inside a network remotely.
And so the three top initial access vectors that we’ve seen... And it’s been this way for at least a decade, I’ve been speaking on this topic publicly since 2014, and sadly, the top three shift between what’s the most prevalent from quarter to quarter, but they remain unpatched servers that are publicly facing, unpatched systems let’s just call it that. Malware borne through email, all types of spear phishing, regular email phishing, all of it is just sort of malware being introduced in the environment through phishing. And the last of course is stolen credentials. And stolen credentials are enabled because organizations have not implemented multifactor authentication with conditional access or have not implemented it correctly or have only partially implemented it because if you don’t have it everywhere, you have it nowhere. And so those are the top three. And sadly, it happens time and time again.
And even when we talk about sophisticated upstream supply chain compromise, think of things like the SolarWinds compromise or some of the Microsoft compromises, or Kaseya, what we find after the fact and after all the investigation, all the dust settles, it’s still one of those three that led to the initial compromise. So it’s sad, but it is true that those three still remain the most prevalent. And of course, as you get further away from the top three, things like web compromise, watering hole attacks, those kinds of things tend to play out in the data as well. But they’re kind of variants of those top three anyway.
Cole French:
Yeah, I think it’s interesting that with the proliferation of the internet, of connected technology, all of that kind of stuff, I think we’re prone to talking about things as though they rapidly change and we can’t keep up and all this kind of stuff. And I think there’s certainly some truth to that. But I think conceptually, philosophically, things like that, and you’re saying exactly that really a lot of that stuff stays exactly the same. It’s have you configured access control properly within your network and within your system, that’s going to dictate a lot of what happens from an incident perspective or from a breach perspective.
Terry McGraw:
Yeah, I like to say the third string wins the Super Bowl every year, you never have to risk your first string. I can stop sophistication levels at whatever easily gets me inside. And so as long as those things are successful, we’ll continue to see them prevalent in the data. But initial access vectors, initial access, getting in is really limited in its problematics for the victim organization. Why do I say that? Because if I compromise a user who has no elevated privileges, no administrative privileges, or doesn’t land on a box that has a service account that’s been logged in and it’s not well architected, or the passwords haven’t been rotated since it was conceived, or you have service accounts that are bridging multiple tiers of your architecture. Look when they’re harvested, from a hacker’s perspective, from a threat actor’s perspective, elevated privileges is all about it.
So everything that we do should be geared on denying privilege to the threat actor. So even if they got in, there’s very limited things they can do if they’re just compromising a typical user. And we don’t talk enough about that. I think we do focus on how they got in, but if you can deny them the ability to escalate privilege in your environment where you have a well-architected identity and privilege access management scheme in your environment, well then you’re prohibiting the operational impacts and the very costly recovery and response costs that go along with that. And potential litigation costs, god forbid, should data be taken from your environment. So I think it’s important to look at that holistically. It’s not just how we prevent, but it’s how we limit the operational impact of an attack should it happen in our environment.
Cole French:
Yeah, it’s a good point. I think too, another, when you talk about privileges, it reminds me, and I know we’re going to get to some fun incident response stories and things like that, but a story that I remember from this is many years ago, but I think another aspect of privileges is how we train our users to use and not use privileges. And to think about when I’m using a privileged to or privileged access, really thinking about how am I using that? Is this the appropriate scenario, appropriate system? And it’s a story, a pen test was conducted for an organization I was working with many years ago, and they were good to go. They had everything set up properly, things were segmented, all that stuff.
But they had five or six Windows XP machines on their network to run some legacy systems, and they were properly segmented. The pen testers were not able to pivot and go anywhere, even though they were able to compromise those systems. However they were, or well, they tried and were successful at installing a keylogger on those compromised systems, and then they killed the antivirus. Thinking, hey, as soon as I do that, an administrator is probably going to get an alert and he’s probably going to come, and he might even put in administrative credentials to re-enable the antivirus. And sure enough, it’s exactly what happened and they got keys to the kingdom.
That story reminds me of why it’s important to think about not only privileges, but as an end user and someone who has privileged access, really thinking through, am I using my privileged access appropriately? Is there a risk I might be taking in using my privileged access in a particular way? Just I think something to think about out there.
Terry McGraw:
Well, no, you’re absolutely right. Putting a finer point on it. Active Directory, Microsoft has a ton of recommendations on how to appropriately set up tiered security in Active Directory using a three tier model. It’s been supplanted now with Entra ID, formerly known as Azure AD. And Entra even makes it easier to implement security controls with roles and group-based policies. But if you’re not tiering... I’ll give you an example.
So an incident engagement that was kicked off. A user had a phishing email. The tagline was, please update your W4 form ahead of tax season. And it gave a hyperlink to a drop. The user was prompted for username and password, even prompted to enter their MFA token. Of course, they captured the token in transit. So now they immediately log in an automated way as that user. Now the software that was dropped was QakBot, which of course now has been defunct by the FBI, but we still are seeing it re-emerge. But it was very capable software. To your point, it has a keystroke logger, it had worm-like properties. It had the ability to capture cookies, had the ability to capture and harvest credentials. And so that’s exactly what happened.
Now, again, this was an average user with no significant privilege, et cetera, and it would’ve stopped there with maybe looking at whatever the shared files that that person had access to, that would’ve been the end of it. But a network engineer at some point in the past had used their domain-level creds to do help desk tickets. And as such, now their domain-level creds were stored in the LSASS of that endpoint that was compromised. So if patient zero, the first patient gets tagged, they harvest domain-level creds, and of course they log right back in. And of course, what do they do? They kick out all the other domain admins, they add a few of their own, they turn off antivirus, as you said. This organization unfortunately also administered their backups through privileged credentials that were authorized through Active Directory. So what do they do? They just pivot over and then blow away all the backups.
So it becomes a crippling attack very, very quickly. And all of which could have been avoided if in fact they had a tiered model, for example, tier zero, anything that touches tier zero is isolated to that, to include a privileged access workstation. Those accounts are only used for top-level domain administration, et cetera, and nothing else touches that infrastructure. The next tier that you would have in the Microsoft model would be the server administration, the enterprise level, how am I doing my systems and servers, all of the administration across that server infrastructure. And then the last tier is the endpoint, the end user, what we’ll just call help desk for all intents and purposes.
And does that mean that a network administrator now has to worry about three different accounts and three different roles? Yes, they do. But we have them for a reason. Is it more of a pain in the butt for the administrator? Of course it is. Entra ID makes it easier with role-based access and controls applied and group policy, but you still have to have those accounts created and the administrator has to log into them to limit the damage that could be done. And so if that architecture is not in place and you’re just using one set of creds, that means any box that you’ve done any kind of administration on is now retaining your credentials that can be harvested and then used to log back in and do an incredible amount of damage.
So something as simple as that... It’s not simple, it’s simple in concept. It’s problematic to do if you haven’t done it already and it certainly takes re-engineering of your infrastructure. It may require you to have to break some things in order to fix it to create that tiered model and this includes service accounts again. And making sure that you don’t have cross tier connectivity or attack paths enumerated in Active Directory because you haven’t fully cleared your ACL and your trust. And we’ve seen that as well, where in a large enterprise, you’ll have inherited trusts that end up having a regular old account, can have global admin in a different domain just by the way those ACLs work. So you have to do attack path enumeration as well.
So again, it sounds simple, but it’s nontrivial. But once you do it, now you have a really, really resilient environment and you bring down your risk profile immensely.
Cole French:
Yeah, we talk a lot about compliance on this podcast and two controls, at least. I’m thinking from a CMMC perspective, but I know these are common controls that you see is around separation of duties and least privilege. And I mean this conversation is exactly why those two things are important. And I’ll just say that those two controls, I think they give people probably more headaches than most other controls just because exactly what you just described, it’s an extremely difficult problem to solve because it’s a web and a lot of organizations have this way, they’ve been doing things for a long time, and to fix it actually would require re-engineering it, breaking stuff like you mentioned.
So I think it is, it’s a very difficult problem. So the fact that it’s in that top three of where incidents originate makes perfect sense, and hopefully the technologies are getting better, and we can do this a little bit easier with some of the tools we have. But at the beginning it starts as it’s a thought problem. It’s how are we going to design this? How are we going to build this within our organization so that we’re as secure as possible and we don’t have privileges laying around anywhere and everywhere that can be compromised?
Terry McGraw:
And we’re following a design principle. And oftentimes it does. It’s a data transformation strategy. So data transformation, architectural strategy, your security strategy, they all have to be nested. They all have to be considered. None of those things are trivial when you go to undertake them, but they’re so critically important. I’m here to tell you that the amount of money that a breach and/or a successful ransomware attack on an organization costs will dwarf any amount of time or investment that you do to re-engineer your network correctly.
And most folks don’t even consider the litigation cost. So in most attacks we see, particularly in the realm of ransomware, there is an almost ubiquitous data theft component. Meaning, they steal data as another way to extort you into paying. And it is in the data exposure threat, and if the data does get exposed or even the threat thereof, you had data leave your environment and that is now known because they publicly disclose it on their leak sites, even if it’s proof of life data, you now have the potential of litigation because you exposed someone else’s data. And those costs will dwarf the ransomware, will dwarf the incident response costs. When you start talking protracted litigation to defend yourself against the potential of data theft, now you’re talking serious money.
Interestingly enough, small and mid-sized companies, 60% of small and mid-sized enterprises that get hit with ransomware, go out of business in six months. It’s that costly and it’s that impactful in their operations. So again, these are existential threats to the business. They are business risks. And I always implore my CISOs when I’m trying to coach CIOs and CISOs and the rogue CFO is we need to talk about it in terms of business risk and business risk mitigation. As soon as you start talking cybersecurity, folks’ eyes glaze over and you lose them. But what we are talking about is an existential business threat, and we need to frame it in those terms so that the board and those that fund it understand it.
Cole French:
So you mentioned ransomware, so I know that’s a type of attack. Would you say that’s the most successful type of attack or breach that we’re seeing out there today or are there other more successful types?
Terry McGraw:
Yeah, well, in terms of impact financially, ransomware of course is still the 900 pound gorilla and it’s still unfortunately prevalent in the thousands of victims, tens of thousands of victims globally, and it’s in the hundreds of billions of dollars globally that’s lost because of that. But even if the malicious binary that encrypts your environment is not successful, you still have a data breach problem. Even if all they did was come into your environment and get unauthorized access and hunt around for the keys to the kingdom, you managed to get them and kick them out, they’ve still harvested credentials from patient zero. So you’ve had some level of data leaking out of your environment even if it’s just them harvesting credentials off a box. And so that does constitute a breach.
So yes, we see ransomware is the most prevalent followed by business email compromise. Ransomware of course is holding you hostage and then either for the threat of data release and/or encrypting your environments, you can’t actually operate. Those two do get very costly and people tend to pay to avoid the impact. Business email compromise, it is a direct path to monetization for the threat actor. They get in, they monitor email, they’ll compromise an email box or create an email box, they’ll harvest an invoice, they’ll change the account, and then you pay them directly when they submit it to finance. And these can be in the tens of millions. I think the FBI reported last year that the global total for business email compromise had reached $64 billion I think, or no, it was $46 billion. I had it inverted. It’s $46 billion globally just in business email compromise.
So yes, those are still the two most prevalent. And I think until we have legislation that addresses this, the SEC is trying to impose some of this. CMMC is trying to impose this kind of thing. Yes, it’s ransomware. Yes, it’s business email compromise. Yes, it’s being done by cyber criminals. But these are the same initial access vectors and the same attack paths that the nation states use when exfiltrating data from environments. And so as a consequence, the government had no choice but to implement things like CMMC and the SEC imposing fines and taking people to trial based on negligence because this has just gone on way too long. This is just Terry McGraw, I do think this is a clear and present danger to the United States and our citizenry just by the financial impacts it’s having. And if you lose your job because of this, it’s real to you, it’s very impactful to you. And I think we need to do more governmentally as well as just as communities in spreading these kind of words and making our architectures more defensible, more resilient.
Cole French:
And when you say legislation, I assume you mean accountability is essentially what I’m hearing you say. So you feel like we need more legislation that brings down the hammer, so to speak, on these organizations and individuals that allow insecure environments essentially to perpetuate and these attacks to succeed and all the consequences that come from that?
Terry McGraw:
Yeah. It’s funny, I have a really dear friend of mine, Kevin Haynes, and he said, a thought piece isn’t a thought piece if 40% of the audience doesn’t disagree with you viscerally. And so when I say this, I expect at least 40% of the audience will react viscerally. I am not a fan of big government and regulation just as a person. But look what happened when we saw Sarbanes... Sarbanes-Oxley was a deliberate response to the Enron and Arthur Andersen travesty that happened and affected billions of dollars towards innocent people, and it destabilized the market, people lost faith in the market, et cetera.
And Sarbanes-Oxley, although it was highly contentious when it was rolled out, looking back historically, I think most folks would say it had a net benefit of helping renew trust in the environment, trust in the markets, and restored faith for investors. And I honestly think we need something like that for cyber where the C-suite has to have accountability for where they are in reducing these threats because they’re financially impactful, they’re operationally impactful, they impact people, they impact the data loss. And I think that there needs to be a level of accountability that we bring in through legislature.
Like I said, the SEC’s trying to do it for publicly traded companies, but I think we do need something very similar to Sarbanes-Oxley in the cyber arena. Again, that’s just an opinion, but we haven’t been able to do it ourselves. CMMC is... That is why it’s so disruptive in the defense industrial base, but it’s long overdue, folks. The things that CMMC is imposing are things we should be doing anyway. This is the stuff that’s keeping us whole as organizations. And it shouldn’t be as painful as it is, but it just says how far off the mark we really are. And so I do think we need mechanisms like CMMC and other legislation that will help shore this up so that the impact on our citizenry is much less. And that’s globally too, by the way.
Cole French:
And to your point about accountability, CMMC’s a great example. CMMC, I know the way it’s been received out there is very much like this is a new set of requirements, oh my goodness, we got to do all this, it’s going to cost so much money, et cetera. But the reality is the requirements have actually been there for a long time, now CMMC is just introducing a means by which, to your point, we can actually start to begin holding some folks accountable, certification, a third party assessment resulting in a certification that’s designed to bring in some level of accountability to, hey, you say your system is secure, you’re attesting to it, but is it actually? So I think that’s an important step.
And when it comes to accountability, and maybe tell me what you think about this, but I think with cyber, is it difficult to identify where the accountability should lie? I mean, obviously the C-suite... It’s sort of like sports. If you constantly field the losing team, well, I mean the coaches, general managers, things like that are the ones that are going to bear the brunt of accountability there. But it feels a little bit like sometimes with cyber it’s a little difficult. Certainly it doesn’t translate to the layman, if you will, exactly how something occurred or why it occurred. And do you think that plays into some of the resistance to accountability or the difficulties we’ve had in bringing accountability into the cyber arena?
Terry McGraw:
Yeah, well, it does. I think it is hard to hold individuals accountable because some of it is like victim blaming or victim shaming. So I left my window open, does that mean the burglar has the right to come in my house? No, absolutely not. You’re still a victim of crime. But if you live in a really, really bad neighborhood and you don’t put doors or windows on, you’re somewhat culpable in creating the situation that allowed you to become a victim. And I think that’s where the SEC is starting to fall is I don’t think there’s a desire to go after every organization that has this because clearly these are victims of crime.
But for example, if you’ve got thousands of servers or virtual instances in your environment and you’re operating systems and services off 2008 non-supported systems or VMs that have been aged off after 10 years, I think you can make the argument of negligence at that point. And I think we are seeing where boards are now being held accountable, they have a fiduciary responsibility to ensure that these things are getting done. So I do, I spend a lot of time educating boards and doing board presentations of what questions should they ask. These are not necessarily cyber savvy folks, but they have a responsibility to ensure that these things are being done to reduce business risk. And so helping them ask the right questions and CMMC helps do that at a more operational and tactical level.
But I think at the board and the C-suite, we certainly need folks to ask better questions and a way to validate that. Is it more difficult in cyber than it is in financial? Well, I think that’s only because the body of evidence and the standards and the ability to inspect that data is way more static than the cyber environment. And I think we have a lot of history in asking the right questions in the financial arena where only the techies know the right questions to ask on the cyber side. So I do think that we need to help.
And Kratos is a great example of this, by the way. I’ve had the pleasure of watching you all in action doing an assessment. The level of professionalism, the level of accuracy, the level of demonstrating that there needs to be a level of proof provided, et cetera, all of that was done extraordinarily professionally, not antagonistically, it was not a gotcha game, but just the epitome of professionalism. I know I’m singing your praises, but it was true. And I think when you have that level of help for both assessment and folks like we here at Cape Endeavors, where we’re helping educate and prepare and getting that ready to withstand that level of assessment, I think those kind of mechanisms go hand in hand.
But we need that more broadly. It can’t be just in the CMMC arena. We need that level of expert help. We need to educate our C-suites and boards and we need to help provide... I mean, this is amazing, it provides a lot of great frameworks, but again, there’s a level of esoteric knowledge that’s required to implement that. And so guys like you and I and gals need to be able to help those less technical folks understand how to translate cyber risk into business risk.
Cole French:
Well, first of all, thank you, Terry. I appreciate the kind words on that and to exactly what you’re saying, it’s interesting. So when I’m looking for assessors or folks working in the compliance arena, I think one of the most difficult things is finding people... So I get a lot of people with highly technical resumes. They have a lot of technical experience. What I’m reading is they’ve been hands on keyboard, that’s what they want to do, stuff like that. But in the compliance space into what you’re talking about, kind of translating what happens on endpoint systems and things like that to how that can impact an organization, there’s something in the middle there where you need to be able to talk to these things in a way that resonates with people, that people understand.
Because like you said, financial, I mean, to some degree, I mean, there’s definitely complicated things within the financial sector, but in general, we can all understand numbers and stuff like that. To your point about our team and what we do, that’s exactly what we look for. We look for people who can come in and have those conversations and ask the right questions so we get the right answers about how things are actually done. And what those things that are done, how they impact the business and how they impact security within the organization.
Terry McGraw:
It’s interesting, I had a gentleman who was a customer of mine, and he was a CISO of a very, very large chemical producer abroad. We don’t discuss our clients obviously, nor do you, right? But broadly, so a few decades ago, actually, we had a roundtable discussion. We’re like, how do you communicate to your board? How do you communicate to your C-suite? And it was amongst very technical CISOs, and he gave an example that really resonated with me. That company had had a chemical spill, if you will, that affected a broad swath of the local population and resulted in deaths and impacts. And it was incredibly painful for both the community and the company. And after that, the language of the board became one of personal security, people security, how do we ensure public safety, et cetera. And everything that they did, even as a chemical company, when translated back to how they communicated to the stakeholders and to those that had oversight, was in terms of safety and security of the population. And it wasn’t about chemicals anymore. It was like, what’s the impact that that has?
And so he translated everything about his cybersecurity needs in the same language, in the language that they’d already adopted of how do we ensure security of the people in our communities, et cetera, and how do we lessen our impact on the environment, et cetera. It became the same types of language that he used to describe the needs of the cyber arena towards a business. And he said it was very, very successful. And so I started to use that. When I talk to boards or C-suites preparing to speak to their boards, we try to solicit what’s the language that your board really understands? What’s the population of your board? What do they do? What’s their background? What’s our company background? What’s the ethos of our company? And then we translate cybersecurity into those terms and it becomes much more successful.
We also have technology, which is also playing a role in why this gets really difficult, the market texture. I walk around RSA and Gartner and the AUSA Conference, and you see all of the tech vendors out there. And much like the medical field, you’re sort of monetized by the failure of your customer base. You’re successful when everybody else. But we’ve also sold everyone on the idea of panacea, silver bullets, and we have the latest and greatest tool. And as we discussed earlier, technology has muddied the water rather than clarified it. And they’ve made decision making and they create gaps in seams because things don’t work well together and we don’t spend a lot of time talking about the architectures and how this all plays together. And again, I’m not touting CMMC exclusively. But frameworks like that and the NIST 800-171 or 53 if you’re in the government, are really designed around how do we not let individual technological solutions create seams where they don’t exist or lack of full implementation, et cetera, et cetera.
And I really do think that changing the way we speak to the boards and the non-technical folks and then adopting architectures that support end-to-end resiliency and defensive posture, I don’t think you can actually prevent cyber incidents. I think you can defend against them really well. And so by using these frameworks, look, if you don’t know where you’re going any road would take you there. Compliance does not equal security, but it’s a hell of a lot better path to get there than trying to do it ad hoc.
Cole French:
It’s interesting you say all that because I’m actually reading a book right now on leadership, and one of the things that they’re talking about in the part of the book that I’m on is actually one of the biggest things leaders are responsible for is building a culture. And I’ll be honest, I never thought of that in light of cybersecurity. I think we think of that in terms of how people get along and all that stuff. And I mean that’s all true and that’s all good. And you definitely want to have people who want to show up to work every day who love what they’re doing, et cetera. But I am kind of taking from what you’re saying a little bit and applying it to that, that really cybersecurity is also is a cultural component of your organization.
So I really like that example of instead of talking about cyber in terms of maybe our products or whatever it might be, talking about cyber in terms of the people in our organization and the culture we’re trying to create in our organization, maybe that’ll change some things that’ll make it more real for folks.
And then I think too to what you’re saying about compliance is true I think, or compliance versus technology, I think there’s a push-pull between those two things sometimes. But compliance, a lot of people are like, check the box. But I think people look at technology the same way where it’s, like you said, a panacea or silver bullet. I just throw this thing into my environment, now I’m good to go. But I really think that the benefit of compliance, or the positive of compliance if it’s done well, is that compliance is really aimed at getting you to think about these things like we talked about with separation of duties, least privilege. It isn’t just, hey, I threw up Active Directory and I set up some groups and I’m good to go. It’s, now that I take a step back and look and see, okay, I have these three roles, but I have six different people with those roles, but they also have these roles and where do they overlap and how does that introduce additional risk, things like that.
So I think that’s an important thing to keep in mind when it comes to compliance is maybe trying to look at it more like how does this help me think in a better way about my organization in addition to obviously putting things in place that do make me more secure.
Terry McGraw:
And again, compliance and security go hand in hand. Can you be really secure without having a compliance and regulatory body? Yes. But what we find is that industries that have more regulatory and compulsory compliance around their frameworks have a much lower prevalence in the data when it comes to cyber criminal activity particularly. The financial industry is a perfect example. Yes, we went through the periods of banking Trojans and stuff, but the evolution, we see much less in the banking and financial sectors as far as cyber crime overall, particularly with ransomware, than we do in, let’s say, manufacturing, which has almost no regulatory bodies in that segment. And so we do tend to see that regulated markets tend to do better because they’ve had a framework to work with for so long. And then you actually have to show demonstrable evidence you’re doing these things, hence CMMC again.
But back to a point that you mentioned about culture, and I get into this a lot, particularly in mid-enterprise companies where the sales team doesn’t want to be inconvenienced because they’re on the road and they don’t want to have to mess with MFA and they don’t want to mess with the VPN to get in, or I don’t want to use the virtual infrastructure, et cetera, et cetera. And I kind of laugh about that too because we allow those conversations to happen. No one thinks twice about locking their house when they leave. No one thinks twice about locking their car or their vehicle. No one thinks about making sure their kids are secure. I mean, we care about the things that we understand why we should care. I mean, no one complains about, man, you mean I got to lock my car every night when I come in? I mean, you don’t hear those conversations. And it’s because it is, it’s a cultural component.
We just have to educate folks that, look, I know it might be a three-second inconvenience to add conditional access to your login, but your job’s at stake. You know what I mean? I’m sorry, it’s a three-second inconvenience. But some of that is we just haven’t educated them enough of why it’s important to do these things. And so again, I think it’s about how we communicate.
Cole French:
So jumping back to ransomware, just to, I guess maybe close the loop on that before we chat a little bit about incident response stuff. So in your experience with ransomware, do organizations usually pay? And for organizations that haven’t paid but have successfully either thwarted the attack or recovered from the attack, what are you seeing in terms of how organizations handle ransomware?
Terry McGraw:
Yeah, it’s interesting. I’ll reference a data study that was done by Secureworks, a company that I’d formerly been a part of. They do an annual data pool of what’s in the wild. They’re a fantastic organization, they’re counter-threats concerned. But what they did is interesting: no one actually openly reports this, or very few do, so you have to infer the data. And the way they went about doing it is they looked at all the leak sites that they were tracking, and with the 214 or whatever threat groups that they are aware of, and they track religiously, now all of them have some level of leak site. So if I’m going to steal your data, I’m going to threaten to expose it, I have to expose it somewhere. So there’s a TOR site where they will expose that and say, hey, I have your data here, here’s all the files I stole, proof that I’ve actually stolen it. Now pay me.
And what they did is they looked at 33,000 of these... Excuse me, that’s not great. It was several thousand, I guess, maybe it was in the hundreds. I’m getting my data wrong. The point was they looked at all the leak sites they are monitoring, and this was the data point. They saw that 33,000 victims globally had proof of life data exposed by the collection of all of these leak sites. You can relatively assert that that means that there’s at least 33,000 victims globally last year of ransomware. How do we know they paid? Well, threat actors follow through with the threat. If you don’t pay them, they will dump the data that they stole. That’s the extortion part. And if they didn’t do it, who would ever pay them again? Conversely, why do we not see a lot of threat actors publishing data after they got paid? Well, because that would be a disincentive for the next victim not to pay. I mean, so they’re not doing it because they’re compassionate, they’re doing it because it’s a business model.
But what we found is that the follow-up data dumps are actually only about anywhere between 15 and 20% of organizations have their full data dumped. And so the implication there is I have 33,000 victims that have had some level of their data published, but only 10 to 15% get a full document dump. That implies that the vast majority of folks are still paying the ransom. Why? Because operationally, it can be very, very, very expensive. As I said before, it’s high exposure to litigation, et cetera, et cetera. And these are all very costly, very impactful things to business. And so we do see that, it just appears from that kind of study that most folks are still paying the ransom.
Cole French:
So if an organization, or have you seen an instance where an organization was able to kick out the ransomware actor, restore access or prevent the attack to some degree or another? Do the attackers in that case still dump all the data that they stole?
Terry McGraw:
Yeah. So the answer is yes. I’ve been a part of many incident response engagements where they did have viable tested backups. Quick word about backups. Backups won’t help you with data exfiltration, but they will help you not have to pay ransom for a malicious binary, if I can reconstitute my environment. And to do that correctly, you need to have the management of your backups out of band. Meaning, they can’t be accessible through the same Active Directory infrastructure that the threat actor compromises. So a separate set of creds, a third party cloud... Some mechanism that keeps it out of your day-to-day network makes it very successful. And there’s lots of companies out there that have very good backup capabilities now. So you can reconstitute your environment very quickly now, and there’s products out there that help you reconstitute your Active Directory infrastructure as well.
But that does not help you if they stole your data. And what we see is that most of the threat actors will steal data as a way to keep the extortion pressure, even if you can reconstitute your environment. But the answer is, I have been part of the organizations where the decision was made by the leadership to not pay the ransom, reconstitute their environment and bear the risk of litigation going forward. And so they just said, yep, we’re going to have our data dumped. And they do their best to get in front of that by contacting those who they think the data would be representative of, and they just try to get ahead of it with good messaging, public engagement, and just overall good transparent leadership and management is how they overcame that.
Cole French:
I can see how that puts organizations in a really tough spot, though. I mean, you’re kind of stuck in the middle. Either option is obviously much less than desirable.
Terry McGraw:
Well, and if you’re dealing with the defense industrial base, that data disclosure, well, I mean it has very real consequences. And it’s not just the individuals, maybe my financial or my social was dumped, but now I might have sensitive DoD data. I might have sensitive fed data. I might have data that will A, shakes the government’s credibility in me. B, could be sensitive data, which now we have to really worry about who is looking at that outside of where it’s supposed to be. Again, going back to CMMC, this is why that’s so important. But the data component, the data loss component of that almost always is worse than the ransomware payment. So a lot of organizations still choose to pay.
Cole French:
I can completely understand why. Yeah. So as we kind of round things out here, and I know we’ve talked a lot about cyber crime and culture, getting ready or preparing your organization having everything you need in place. So just want to, if we can leave our listeners with one sort of practical thing they can take away, obviously I think there’s plenty of stuff we’ve talked about that you can take away practically, but just from an incident response perspective, I mean, I know working in compliance, we work with a lot of organizations in building out incident response plans, testing them, stuff like that. So as somebody who works in this space, more on the response side of things, which I think there’s a lot of lessons to be learned as we’ve talked about today. What kind of recommendations do you have for organizations that want to test their incident response capabilities? A lot of times we see tabletop exercises where we just kind of talk through how we would respond to an incident. I know that there’s also technical exercises you can go through, but from your experience and any recommendations you have, feel free to share.
Terry McGraw:
Yeah. Well, as far as the sort of the tabletop exercise, if we’re focusing on that, I recommend you bring in somebody. This is not a sales pitch, but literally when I run a tabletop exercise, I am running it as if this was an actual real event. And we’re taking real-world data. It’s like, you know, snatched from the headlines Law and Order. We’re taking real-world scenarios that happen to similar organizations. A tabletop exercise should drive you to make decisions like, A, identify weaknesses and, B, you don’t have to wait and have the conversation, do I pay a ransom, on the day you are asked to pay the ransom. These are things that you should have already thought about. You should not only care about asset criticality and system criticality, but you should look at data criticality. Where does that data reside?
So here’s an example. If I get slacked with an encryption binary and it locks up all of my files, do I know based on my server what data was housed on that, because I can’t inspect it anymore? Forensically, I can’t tell you what was on there because it’s now encrypted. So do you have an asset and data schema that you know of where your data was logically and physically, and who it was critical to, and what the severity and risk of litigation to exposure that you would have? And those are all things in the rubrics that you can add. What is the operational cost if X, Y, or Z system was down hourly, daily, and sometimes to the minute? I’ve seen financial transaction companies that do financial transactions for retirement funds where they’re doing daily puts all day long that, you talk minutes, can add up to millions of dollars of liability anyway.
So I say all that to say the tabletop exercise should be to drive decisions before you have to make them in a crisis. They should identify weaknesses in your plan and you should actually do some things like, hey, part of this tabletop should be bringing part of our critical infrastructure up from a backup. If you’ve never done it, A, you should be doing it all the time. But B, we’re going to do that here. I also think that the tabletop needs to be three levels. You should have a technical and tactical one. You should have one for your operational management. And then you should have one for your very senior leader, your C-suite and your board. And they should be tailored to ask different questions.
On the technology side and system side, I implore the listeners to do an attack path enumeration of your Active Directory or your identity and privilege asset management. Do not wait to be surprised and find out that your entire environment could be crosswalked based on a Qakbot infection, for example. So that takes a level of investment, and I think it’s well worth it. It’s probably the single best recommendation I can make to someone: ensure that your privileged access management is well in hand, well under control and well secured.
And the last part I think is one thing I would suggest to everyone. I did a white paper on the Kübler-Ross grief cycle when it came to ransomware. I had noticed after doing dozens of these ransomware engagements, that the folks that came out on top the fastest were the ones that went through that Kübler-Ross grief cycle fastest. And so you’ve all heard it, it’s you have denial, then you have anger, then you do bargaining, and then eventually the grief cycle gets you to acceptance. And I did a little analogy of I’ve seen leaders who get stuck in the anger and denial phase, then the bargaining part is just like, hey, work through the weekend. Let’s go to press. And three and four days later, people are dropping like flies and they’re no further along than they were when they started, et cetera.
But the leaders that can manage to get through all of that avoid the blame storming. They understand that this is going to be a marathon, not a sprint, et cetera. And they really put in the controls to handle it in a programmatic and an emotionless way. They end up recovering way faster. And so my advice to the leaders is think through the emotional reaction you’re going to have to this, understand the phases you’re going to go through, and the more you can understand, the faster you get to acceptance and just treat it as, hey, we got to get through this. Let’s build a program and a project around it. Let’s just get it done in a dispassionate way. Those organizations recover way, way, way faster and more completely than those whose leadership falls into that emotional morass.
Cole French:
So again, it comes down to prepare, prepare, prepare. I think that’s the biggest takeaway. And I appreciate you going into details there with examples of how organizations can prepare for incidents. Sort of like insurance, I have it and hope to never use it. An incident response plan is the same thing. Obviously I don’t want to have to use it, but I better be well versed in using it and carrying it out so that if I do have to, things will go well for me.
Terry, I really appreciate you taking the time to chat with us today about incident response and sharing all the wealth of knowledge and experience you have in this area. I really do think listeners will find this episode extremely valuable. I know I really enjoyed the conversation, so thanks again. I really appreciate it.
Terry McGraw:
No, thank you, Cole. I appreciate you inviting me on and I appreciate all the things that Kratos is doing out there for the defense industrial base and our citizenry writ large. You guys are great. Thanks.
Cole French:
Thank you.