Ransomware Trends and Emerging Threats with Dan Lohrmann

Joseph Carson:

Hello, everyone. Welcome back to another episode of the 401 Access Denied Podcast. I'm the host of the show, Joe Carson, Chief Security Scientist and Advisory CISO at Delinea. It's a pleasure to be here with you. We've had so many amazing shows over the years, and it's always great to bring back fantastic, great leaderships, and those who have a very interesting perspective on the world. So, we have a returning guest on the show. I think this is probably the third episode, maybe, that you've been on, so welcome back to the show, Dan.

Dan, do you want to give the guests just a recap into who you are, what you do, and some of the backgrounds that you've shown in the industry?

Dan Lohrmann:

Absolutely. Thank you so much, Joe. Thanks for having me. It's great to be back on your show, and thank you for being on our show. It's been great to work with you over the years.

My name's Dan Lohrmann, I'm a field CISO with Presidio and I work mainly with public sector clients now, but I have more than 30 years in the security industry. I started my career at the National Security Agency, was in England with Lockheed and ManTech in the '90s, and then 17 years in Michigan government. So, in Michigan government, a lot of different roles. I was an agency CIO, I was a chief technology officer for the state, enterprise-wide CISO, first CISO for all 50 state governments.

And then, after I was CTO for three years, I went back and we brought physical and cybersecurity together. So, I was the CSO, chief security officer for Michigan, did about six years plus at Security Mentor. We did a bit of security awareness training, and now I've been with Presidio. We're a global digital solutions' provider. We work with clients all over the world, and I'm really excited to talk about... Mainly my focus is with SLED, state, local government education, but I certainly do work with some corporate clients as well. So, it's great to be with you today.

Joseph Carson:

Fantastic and awesome. Also, you have your book and your own webcasts and stuff. Do you want to tell the audience a bit about your book first as well and also your webcast-

Dan Lohrmann:

Yeah. I should hold it up. I don't have it with me right now. Sorry about that. I should have brought-

Joseph Carson:

I-

Dan Lohrmann:

But it's all good.

Joseph Carson:

It's a fantastic book. All I have is the audio copy, so...

Dan Lohrmann:

Yeah. One up. Cyber Mayday and the Day After is the name of the book, and I'm actually doing a blog coming up on this. But I finally got to meet my co-author in person in Sydney, Australia over the Christmas because I was there for two weeks. So, Shamane Tan is my co-author, she's amazing. Got to meet her and her husband. My family finally got there after four attempts to get to Australia because of COVID. And just the whole story is an amazing story, but I was going to be going there and going to a wedding in 2020, and long story short, then obviously everything got wiped away.

I was speaking at a conference in Sydney. That got moved online. It ended up being three times bigger by being a global audience online. And Shamane and I worked well together, like I work well with you. Maybe you and I need to write a book, Joe. But did really-

Joseph Carson:

Let's keep that in mind.

Dan Lohrmann:

We might do that. And Shamane is amazing. She, done TED Talks, Cyber Woman of the Year in Australia several times. And so, anyway, we thought what was missing, at the time, when the book first came out in the end of '21, so it came out at the end of, basically, December '21, it's called Cyber Mayday and the Day After: A Leader's Guide to Preparing, Managing, and Recovering from Inevitable Business Disruption, which I know is a mouthful, but it's really true ransomware stories. We didn't want to just say ransomware, but data breaches as well. But mainly, through the eyes of the C-suite, what happened? What happened, negotiating ransom demands, negotiating and its extortion, really. But the good, the bad, the ugly, best practices.

And very proud that at the beginning of '22, not anymore, but it was the bestseller on Amazon, and did really well, and still doing really well. I just was at a conference in Florida where they gave every attendee a copy of the book, about 300+ copies of the book because it's really practical resources that people can use.

Joseph Carson:

No, fantastic. And also, you also have your webcast as well that you do as well with Earl.

Dan Lohrmann:

Yeah, thank you so much for highlighting that. And we do BrightTALK. Me and Earl Duby do a CISO insights BrightTALK session we do, and I blog for Government Technology magazine. So go to govtech.com every Sunday morning, Monday, it's the lead story, but I do a weekly blog for them. It's called, Lohrmann on Cybersecurity. Been blogging, actually, it's hard to believe... I started blogging in '06, so it's been I'm coming up to my 20-year anniversary.

Joseph Carson:

Oh goodness, looking at 20 years soon.

Dan Lohrmann:

18 years. But it started with e.Republic and govtech.com in '08. But I've been blogging for them for a long time, and just really enjoy it. A lot of stories, and just did a book review on teaching cybersecurity, but just really different topics.

And had you on our show, talking about predictions. Our annual prediction report, gets a lot of attention, looking at not my predictions, but the top industry predictions from all the top vendors, and then ranking them and giving awards, and what are the trends that we're seeing as the top trends?

Joseph Carson:

Yep, absolutely. I really enjoy being part of the show and the webcast, and it was fantastic. And it's really great to hear the insights. And that's really what we'll definitely make sure for the audience is that, we'll make sure there's a link to the book and also to the webcast as well so that in the show notes the audience can go and take a look at those afterwards.

But it's great having you on. And one of the things that we want to talk about today is the evolution of ransomware and what types of trends did we see in the past year. So, what did you see significantly that was evolving in ransomware? What changes happened? Is it still a big issue for organizations? So, what's a bit of your insights in the past year with ransomware? What direction has it been taking?

Dan Lohrmann:

Yeah. I'd love to dive into some of that at a high level. We will dive into the details, I'm sure. Joe, you always are great at details. But I will say, we take you just for 30 seconds back just over the next last four years, because 2019, I mentioned in my blog, the top story of the year that I had was how state and local governments in the U.S. were getting ravaged by ransomware. And then, it doubled in 2020, during COVID, doubled again in '21, doubled again in '20... Well, actually, I'm sorry. Stop. So then, '21, everything's like double, double, double. The number of attacks, the amount of money, all the different numbers were crazy.

'22, it actually dropped back, and there's a lot of different theories on that, a number of different reports. And I know it's literally... And I'll mention a couple of them here in a moment. But there's a lot of different numbers from... you got a Verizon's report, you've got a lot of different companies that have their own research that talk about different numbers around ransomware attacks and et cetera.

But most reports, and most insurance companies will tell you the numbers dropped in '22, but then in '23 they surged again. So, headlines, and I'm looking at a couple of headlines here. But 95%, it basically doubled from '22 to '23. So, the overall numbers last year were up big.

It's interesting, a little side note here, but it's related to this, Joe, talk about insurance premiums. Everyone's saying, "People stopped buying cyber insurance." I know we've done a whole session just on cyber insurance, and we can talk about that and the trends that have happened with that. But rates kept going up, up, up, and even got to the point where many organizations said, "I can't even afford insurance anymore." But then, after '22 and then in '23 people said, "Yeah, but, Dan, the insurance rates started dropping again."

Guess what? They did, because there weren't a lot of incidents in '22. So, the rates and the policies, and also some of them may have excluded ransomware payments, you're not-

Joseph Carson:

Correct-

Dan Lohrmann:

Going to pay the ransom, different-

Joseph Carson:

A lot of limitations. They put limitations on the payouts as well.

Dan Lohrmann:

Correct.

Joseph Carson:

And also, very specific wording around what a data recovery was.

So, I did quite a few number of research around the cyber insurance as well, and one of the things that with talking with insurers, what I found was, they said that in between 2021, 2022, what they did was that pricing increase in the premiums in 2022 was an overcorrection. They went way too up, and therefore it was recorrecting itself during 2023, so the premiums were starting to come down. But it was also because of that stagnant year 2022 was... It was either ransomware had stagnated, didn't increase, didn't decrease, or in some reports we showed a decline in certain areas.

In 2022, I think it was probably an impact of the Russia war against Ukraine, the sanctions that was applied, organizations got a bit better at securing themselves against ransomware. And also, the targets changed. I saw ransomware groups targeting Latin and South America and African countries. So there was a lot of... The change in landscape happened quite significant in 2022. But yeah, the cyber insurance industry did say that they overcorrected in their pricing, and a lot of policies came down last year.

Dan Lohrmann:

I agree. And my prediction, or a lot of other people predicting, not just me, it's going to go up again in '24 because there were a lot more ransomware attacks last year. And so, we saw more and more... I've got just a whole list of headlines here from all across United States. I mainly focus on the U.S., I do some international, but I know you're global in your reach and audiences. But number one area in ranking from last year, from the Verizon report by sector or industry, education, construction: first, construction and property, second, central and federal government, third, media, entertainment, leisure, the MGM, the hacks in the gaming industry. I'm going to be out in Las Vegas here in a few weeks. There'd be a conference out there, the Game Protection Conference. Local and state government at number five. So, those top five, education, federal government, local and state government, media, construction and property.

Healthcare, a little bit surprising on this list, down at 11, because I saw a lot of attacks against hospitals, but the number of organizations hit, the impact, last year, just a couple of the headlines, we can talk about specifically what types of attacks they faced, but opening day, and first day of school at University of Michigan, they literally shut down the network with a ransomware attack, and they got to cancel classes. I mean, that's pretty embarrassing. The first day of classes for a major university like the University of Michigan being hit. A week later, Michigan State gets hit right here in the State of Michigan where I live. But universities being hit across the country, K through 12 schools, lots of examples across the United States in that area, federal government, lots and lots of local and state government impacts, through the big ones were in Dallas. Dallas County were hit, were big, huge ransomware attacks that struck them.

But we saw it across Florida, because as I mentioned, I was just in Florida. The numbers are pretty... They continue to go up.

According to the Verizon... I'll just mention one other big trend and then we can dive into the details here, Joe. But according to a number of these reports, they were saying, we're still seeing triple extortion, we're still seeing people exfiltrating data and asking for ransoms, and reselling the data and other things like that.

But one person I spoke to, who I trust, I'm not going to name the company, but trusted person who has their own research, he's saying, "Dan, they're seeing 90+% right now are not even encrypting the data, they're just exfiltrating it."

Joseph Carson:

That's exactly-

Dan Lohrmann:

So, I'd love to hear your thoughts on that, Joe, and get your feedback, but that shocked me a little bit. I would not have thought that 90+... We think ransomware, we think we're going to encrypt the data, right? We're going to encrypt the data and we're going to write me a check or send me some Bitcoin or whatever it is and whatever they might do, and then we'll give you that data back. But is that something you're seeing?

Joseph Carson:

Absolutely. One of the things is we just recently conducted and finalized research last year on last year's trends in ransomware. And one of the things we found was that data extortion has actually overtaken encryption with data extortion tax.

And one of the reasons for that is that when you do a data encryption type of attack, it's very noisy. The public know immediately, the employees know, everybody knows. So it becomes very public knowledge and it puts a lot of pressure on the organization in regards to how they respond.

When you get a data exfiltration attacks that are just exfiltration only, what happens is very few people hear about those types of attacks. So the organizations then, because of course the attackers didn't bring the business to their knees, and they're basically threatening now to disclose that data, it's a lot more stealthier and it's more easier for the organization to make the payment without having the public, let's say, visibility or awareness of it.

So that's something that it means that the attackers are a lot more easier to stay stealthy. They don't get the media attention that they typically would get with a data encryption type of attack. They may get lower payments, so the ransom may be much, much lower. But what they're doing is they're trying to stay out of that headline visibility. So this is where we've seen that attackers, they want to stay hidden and when they do a type of attack that is extortion only, it means the business are more willing because the business can continue to operate.

So that's one of the things that's been interesting, and I think it's going to be continuing that trend that data extortion will con... and you might have different types of guys decide on different types of motivations. They might want to do that much more quick grab. And the quick grab is at the data encryption side where the other attackers may want to do a little more stealthier, longer and slower, and it's the data filtration, but it really comes down to what type of data they're getting. Is it data that's heavily sensitive? Is it something that could potentially harm the organizations?

And one of the things that was really interesting is is we started seeing, even with the new SEC rule that came out about the material impact that we saw, so with material impacts, what happens is an organization now has to report it to the SEC if they're listed. And that means one of the things is we started seeing even the attackers actually going to filing the report with the SEC that-

Dan Lohrmann:

Wow-

Joseph Carson:

This organization who's been a victim has not reported it to you. So it puts a lot of pressure on basically there's different rulings as well. But absolutely data extortion seems to be the method that's going to top and continue this year.

Dan Lohrmann:

That's amazing. I had never heard, that's a really... that the hackers are turning you into the SEC.

Joseph Carson:

Exactly. So-

Dan Lohrmann:

It's like the guy robbing the bank turning you into the police or something. That's crazy.

But yeah, I mean, and some of the other trends I just would mention briefly, I found some of these numbers from the Verizon report to be interesting. I don't know if this rings true for you, but 93% of ransomware incidents did not result in any loss of... Basically they didn't pay the ransom 93% of the time. Now it doesn't mean they didn't have downtime and it doesn't mean they didn't have other obviously incident response costs and other kinds of costs, but that seems a different number than what maybe in previous years it seemed like more people were paying, I don't know, it was 50/50 or a third or 40, there's different numbers I've seen over the years, but the medium ransomware demand being $650,000 and then cyber insurance claims 19% were ransomware related. Interesting that number and the average ransom payment, $365,000. So those are just some of the Verizon numbers.

I've seen different reports say different things, but I certainly would love to hear your thoughts on those numbers.

Joseph Carson:

No, absolutely. I think one of the things is that the Verizon Data Breach Investigation Report, it's always retrospective. So one of the things, it's always on the year previous. So-

Dan Lohrmann:

Sure-

Joseph Carson:

The one that we're looking at is the one that's based on 2022, which basically gets released in May 2023. So it'll be really interesting to see how that basically compares this year's, which basically will take the 2023 data.

And one of the things I've seen as well is organizations that they didn't pay the ransom because somebody else paid it for them. So what they're doing is they're paying a cost of those services rather than saying paying the ransom. So what happens typically is you might get an instant response company who will do the negotiation and the payment. You might get somebody who's brokering on behalf of the insurance company who's doing the negotiations. So what you're going to get is you're going to get the bill for the entire, basically, ransom response services, but you may not actually... The way it was paid was through a third party.

So that might be some of the things that we might be seeing for some of those, how they're phrasing it or wording it that they didn't pay the ransom because they didn't pay it directly. It would've been indirectly. So that's sometimes some of the things you end up seeing. But there's been a lot of ongoing negotiations happening.

I have seen organizations where one organization I saw sharing their experience on last year's ransomware case, and it was a company here in Estonia and they went through, the point was they had a backup off into their systems and then they had the secret backup that basically was meant to be the catch all and the attackers found all of them and encrypted all of the backups. So they basically got in the situation where they did a negotiation, I think it was out of the price that the ransomware gang was asking for, they got down to about 50% of the ransom demand, so they got 50% off what was being originally requested.

So a lot of negotiations happening, and that's one way organizations... But I think that we probably will see the research that we conducted for 2023 shows that there was an increase in ransom payments for last year. So-

Dan Lohrmann:

Wow-

Joseph Carson:

I expected probably to see something similar in the Verizon Data Breach when it comes out later this year. But that's my expectation is that there will be an increase in ransom payments. And we saw-

Dan Lohrmann:

So those numbers are deceiving you're saying? Those numbers-

Joseph Carson:

Yeah, the numbers are deceiving because it's been a retrospective from the year before. Even though it gets released in May 2023, it is typically based on the year, January to November data timeframe. And we saw two different types of perspectives. We saw the MGM response to the ransomware incidents' back in September, and also we saw Caesar's response, two very different approaches. One, the hard stance about not negotiating and the other one negotiating and paying. And that's what you typically see how those both organizations were financially impacted as well was very, very different how they both responded.

And it's always interesting to see, I'd love to see a full case study of both of those incidents side by side because they were targeting the casinos in Vegas at exactly the same time, but how they responded were both very different.

Dan Lohrmann:

And I think the other, I was mentioning Verizon, but looking at it, and we talk about predictions here in a moment, but what the companies are saying about ransomware for the coming year, which I find fascinating, we talk about that in a second, but just looking at some of these, like the Corvus Insurance Report, I don't know if you've seen that, that came out from Dark Reading, there's been a number of other reports that have come out talking about Q3, Q4 of '23 and some of their trends, and they're saying 95% increase over 2022 for 2023. There's talking about the top factors that drove numbers, the Clop mass exploits peaked, threat actors cut summer, about summer breaks.

Key industry trends upward. Basically the numbers are up and really talking about a quarter of all victims in the 70%, a lot of accounted for nearly uptick, excuse me, in numbers. They're saying a lot of it is in governments. So they talked a lot about LockBit, but they're talking a lot about cities and municipalities are up 95%, manufacturing up 60%, oil and gas up 142%, transportation, logistics and storage up 50%. So it's big numbers.

I guess the clear thing is, and we talk about this, because this is backward looking obviously-

Joseph Carson:

Correct.

Dan Lohrmann:

But '23, but they're saying the numbers were up big in '23 really pretty much across the board.

Joseph Carson:

I completely agree, and I think one of the things is, I always look back in 2022 where it was the year of transition for the variance is where attackers were looking at improving them. They were refactoring their code base. So during that timeframe they were also getting into more ransomware as a service and actually providing more of an affiliate type of an approach. But in that time we also saw the code bases changing into things like with Rust or into with GOLINE. And ultimately what that resulted in is making it much more transportable and also more platforms can be impacted as well.

So this is where we started seeing, and also the techniques transitioned as well. We started seeing them be able to use social engineering a lot more. Using social engineering in order to get past the multifactor and two-factor authentication that many organizations really put as their defenses against ransomware was MFA and 2FA, but we saw the social engineering being able to get into where it was 2FA and MFA fatigue, and that resulted in basically social engineering to bypass those.

And once they were getting bypass it, they were able to deploy the ransomware quite quickly. So this is one of the things that it was that year of advancing their techniques, making it much more streamlined, much more repeatable, and then also using even generative AI with things like ChatGPT to be able to improve.

Because one of the things we always say that Estonia was protected for many years from these types of campaigns because the translations were horrible. When you get into translating these phishing campaigns or ransomware campaigns into basically the local languages, they were not very good. But what's happened is is that generative AI has removed that limitation, meaning that now in real time they're able to do real time campaign translations and the translations are perfect. So now, Estonia having that protection of the language barrier is gone, that language is no longer protecting them from those types of campaigns, and that means that the attackers are using those to do real time translations.

So I do think that basically over time what we will see is those campaigns becoming much more real time and really impacting organizations and being successful with social engineerings' aspect and also getting to the point where it'll multi-platform also where it'll be able to impact not just traditional Windows and Mac devices, but also impacting things like IoT devices or even getting into terminals and other types. So I do see that this is a stage where we will see a very aggressive campaign going forward.

Dan Lohrmann:

And looking at the reports. I agree 100%. I think looking at some of the big predictions for '24 from all the top companies, everyone, I mean, some people say it's just more of the same every year. I mean, I think the big theme is around AI, it's around gen AI, different types of attacks, and we talked about that in our BrightTALK show, "Bring your own AI." That's my favorite prediction. Everyone's going to be bringing their own AI because their companies won't, not yet, they're going to get to a point where we're going to have the right types of protections and governance and security around LLMs, but right now it's a lot of individual employees out there are bringing their own AI to work, whether that's on their smartphones or their own accounts, their own Bard or ChatGPT or whatever it might be. And then that's leading to compromises.

One interesting thing I want to throw out, and so a lot of that is in that report, the top 24 security predictions of 2024, and we lay that out. Joe's in there in part two. Your predictions I think were outstanding. You did a great job-

Joseph Carson:

Thank you-

Dan Lohrmann:

With that and your company predictions are outstanding.

I think one thing that shocked me a little bit recently, I'm actually an ambassador for Gartner on their platform and I put a poll question out and talked about, what's your top security priority for 2024? This gets back to ransomware in a second, but I'll explain why this is related. I was expecting governance around gen AI, shadow AI, bring your own AI or protecting LLMs, all the things. There's a lot of podcasts, a lot of presentations out there on that really important stuff. I'm not downplaying that. And then I said, "Okay, identity management projects both for internal staff and external clients and customers," and then a couple of other options.

I was shocked, like 65% said their top priority is around identity management. And that surprised me. I was expecting it to all to be like gen AI, attacks on gen AI, LLMs, and I think it's both. I don't think it's either/or, but I do think that, you mentioned it a moment ago how people bottom line, whether they buy the credentials on the dark web, whether they do more sophisticated phishing using gen AI to get into your systems, I mean the big thing is once they're in, they've got this whole plethora or this whole series of options of what they can do once they're in, like you say, staying stealthy. If they can log in, they'll log in. I hack in, if I can log in, if I can buy the credentials and log in, great. That's how they did it with actually several different breaches have examples of that.

But the Colonial Pipeline, literally they stole credentials and they logged in. But bottom line is, I think the identity management piece around ransomware is huge because once you get that access, whether it is triple extortion, whether it is encryption, whether it is just data exfiltration, whatever, or all of the above, whatever is... the bottom line is it gets back to that identity management piece. And I think so much, we've talked about that in previous shows, but I guess I just didn't expect that to be the top thing and not even close. I mean it was two to one, identity management is the biggest concern and how do we get our arms around credentials, multifactor authentication, passwordless-

Joseph Carson:

Making it ransomware resistant MFA and phishing and cyber MFA fatigue as well. How to make sure you're getting it to a point where even you can't get accidental by clicking on the wrong place on the phone.

There's one really great talk that I always loved was Jason Haddix did a talk at the Microsoft blue team event last year and he talked about his experience. He was the CISO at Ubisoft when they got attacked and he went through the point is that it was all coming down. When attackers can go and buy credentials in the dark web for $10 or whatever, $20 and that's their entry point into the organizations, what is that $10 worth? What is that worth to you? Do you want to find where your credentials are being sold? Get out there and start looking and making sure when they're being advertised because you want to be at the ability to make sure you can actually eliminate that before they are actually used and abused. Because ultimately those attackers are going to sell them multiple times. You want to make sure you know what credentials are out there and which ones are being sold so you can actually make sure you can actually mitigate and do something about it.

So it's really important. That's ultimately the entry point, is those stolen credentials for many of the attackers. They very rarely... Only when we see new vulnerabilities coming out and there's zero days and there's that time in between, sometimes it's basically related to what they're looking to elevate privileges, and that's one of the things they're using those vulnerabilities for, but we have to get to a point that we want to make sure that we're actually getting that entry point. And that's I think why identity and access management is a top priority. And one of the things that Gartner's stating is something that many organizations are prioritizing going forward, especially also within a hybrid workforce as well, where it used to be you're able to manage it much more within your own infrastructure, but now we're in a hybrid workforce working remotely, that identity becomes much more the perimeter of what you need to protect.

Dan Lohrmann:

Yeah, I just want to say one other thing. I know you got to wrap up, but I didn't mention this a moment ago. One of the other options I did have on there again, what are you... this is directed to CISOs, hundreds of respondents, I put in there incident response, preparing resilience. I think data breach, incident response, preparing being a resilient enterprise, I put about seven items in there, right? Just a whole list, anything about getting ready for that bad day where you wake up and you get that phone call or whatever, and that got like 7%. I'm like, "You got to be kidding me." Now, this was not scientific, I know this wasn't, but still, I mean, wow. I mean I was shocked. I mean, gen AI clearly was up there in the 30s and identity was up there in the 60s and then the other couple of items that I put in, it didn't get any points, but that bad day, that incident response priority was in the single digits.

And so it's always interesting to me, that you think you know this stuff and then you get some of these results and maybe it was all just, I don't know, maybe they're all working on identity management projects right now. So that's what they-

Joseph Carson:

From your experience as well, is what's some of the best practices? Because one of the thing I do think that organizations have done in the past couple of years is they've had a ransomware resiliency program or some type of strategy and they started prioritizing doing ransomware resilient backup strategy. They have improved their incident response plans and done simulations in readiness.

What types of things have you seen organizations, what's their... also and improving their data access management side as well for the employees because they're being targeted from phishing and social engineering attacks. What's some of the best practices that you've seen organizations prioritize and put in place?

Dan Lohrmann:

Yeah, no, good point. And we talked about some of these, I think in the last time we talked about ransomware last year or maybe... I don't know exactly when the last time I came--

Joseph Carson:

It was early last year, so it was-

Dan Lohrmann:

Last May maybe. But I think everyone talks about tabletop exercises, everybody talks about having a good incident response plan, having good playbooks. But I think what I saw a lot of last year and seeing now is people saying, "Okay," not just doing these virtually, not relying... more and more people admitting, "Well, we haven't done it in person since before because of COVID or something." That's a long time, right? That's four years-

Joseph Carson:

It is a long time-

Dan Lohrmann:

Three, four years. So saying, "No, we're going to do these in person. We're going to go a little bit more..." the scenarios are going to be a little bit tougher, and I think you and I talked about this, how many people have had a scenario where, what would that mean to a organization if Russia would go into Ukraine or now again, I don't want to be the doom and gloom guy, I hope and pray it never happens, but what if China went into Taiwan? What if... I mean, those are really, maybe for a lot of people, stretch things that why... but that might dramatically impact your business or your government or your organization if something like that were to happen, supply chain, what the issues would be.

My point is not any one of those scenarios, but having more stretch scenarios that aren't like everybody gets an A every time they pass and the donuts are good or cold and the coffee's hot and everybody's happy and it's sunny on a Tuesday morning, but in reality, that's not how a lot of these things happen. A lot of them happen on the Friday before a four-day weekend or right before the holidays. The bad actors know they want to come at you when you're not ready for it. And so preparing for different scenarios I think is a big thing right now.

I think one tip I've given, I don't think I've given on this show in the past, but one thing I learned going back 20 years when we had the blackout, and I mentioned this in the book, and I talk about the whole story, the blackout in the Northeast and we lost power. And you say, what does that have to do with cybersecurity? Well, a lot because we can learn from all hazards. What happens in fires, floods, tornadoes, natural disasters, emergency response, especially in government? The lights go out, the lights go out. How is your business prepared to be resilient?

One of the things we learned when it first happened, two thirds of the people didn't show up to the emergency coordination center, and over the next two days, it ended up being about a third never showed up for a whole variety of reasons. Some of it because of the fact that they were on vacation, it was legitimate. They were in Mexico at the time. The guy who is supposed to run the whole incident wasn't there.

Well, so how does that impact us today? Well, I tell people, "If you're doing a cyber exercise, go around, tap a third of the people on the shoulder and say, 'You're now an observer. You can either go back to your desk, you can watch, no phone calls, you don't talk to anybody in the room, you are on vacation in Europe, you're not available, now what are you going to do?'"

It's funny to watch the team, how they respond to something like that. When you throw them a curveball to prepare for something like that, immediately, one of the things I see happen again and again and again is they huddle, they talk and then they try and do swaps. They try and bring in, don't take Frank, take Sarah, the intern, right? I mean, it's like you pick the wrong people, we need... It's just funny to watch the behaviors in those kind of incidents, which I think all of those kinds of things can help to learn from real incidents, what happened to others in your industry, what happened from other people who were hit by ransomware? And throw some of those curves into your strategies, into your response plans to really help your team really prepare.

Joseph Carson:

Yeah, make sure you get into the unexpected because they always happen. You're always going to have something. To your point, I think that scenario is brilliant is that all of a sudden, well, they think they've got everything in order and they've done a plan and they got it ready and they simulated it, but they've simulated assuming that everyone's available.

Because to your point, I think most ransomware cases' incident response that I've actually been called on has always been the weekend. It's always been the late Friday night. It's been an early Sunday morning. It's never your Monday morning at 9:00 AM. It's never-

Dan Lohrmann:

Or Tuesday morning at 10:00 AM. It's like, no, no, no, no.

Joseph Carson:

Everything happens especially, and then people's unavailable.

And one of the things I find as well is that when you get into the scenarios, the attackers have done so much preparation, they know everything. They know your ransom response plan because they have access to it, so they can go through it in detail and it might even be encrypted as well as part of-

Dan Lohrmann:

Got you-

Joseph Carson:

The ransom demand. So you have to prepare for all of the unexpected scenarios and really think about, "Well, what if this part of the exercise isn't available? What if we can't do it? What's our alternative?" So I think those are really important, so it's great.

One of the things, what else do you think about? What's some of the future... What are you predicting in the future? What's going to happen with ransomware? Are we going to still see it evolve? Is it going to change? Are we going to see any new sophistication or new regions getting involved?

We started seeing, let's say in the area around what we're seeing, the supply chain and the ships being attacked. Do you think that that's going to escalate into... Because I always find that the shipping industry and the piracy were the first actually types of ransom demands, but it was for container ships and that always seems to introduce new ideas. Where do you think ransomware is going to go in the future?

Dan Lohrmann:

I always find it interesting. I try and listen to the top, the generals in the Military, the people out there, the CISA, Secretary of Homeland Security, and people who are talking about this who have access. I did have a TSS. I had top secret clearance and everything. I don't have that today, so I don't have access to that behind, which frees me up to talk to you, right, I probably couldn't talk to you if I knew some of that?

Joseph Carson:

Exactly.

Dan Lohrmann:

But when you listen to those keynotes at these different conferences and they talk about critical infrastructure being hit, water supplies being hit, I think again, preparing for... We haven't seen... Like you said, it's been more data exfiltration and keeping it quiet and not bringing down the grid or not bringing down the water supply, although those get a lot of attention, they scare people a lot, I do think those will happen.

I mean, I don't know. I think we have to be prepared and the thing is you don't know when, and that's the thing about these whole prediction reports and trends and looking at the future, it may not be '24, it may be '25, right? It may be people predicted all kinds of things.

Right now, as we speak about the whole situation in the Middle East and what's going on, I say, again, I'm looking at this from a U.S. perspective, I know there's a global audience that watches your show, but what's happening with the U.S. and Iran and all of that, could that escalate? Could some of those actors then, if that were to escalate into a full-fledged war or more, could that then turn around and hit governments, hit more U.S. targets? I mean, I think clearly we have to be ready for that because it's not Dan Lohrmann saying this. This is what the top generals, the top directors of these top intelligence agencies are saying each and every day.

The FBI just came out and talked about the attacks the U.S. is facing from China, the attacks we're facing from these other countries. And so just some of that is like, "Yeah, Dan, I heard that speech 17 times." And it can be a little bit like you feel, "I've heard this before, it never happens." It's like the U.S. debt. It's always just going to keep growing and we're never going to have an economy problem, but I think we have to prepare for those scenarios and there are enough of them that have happened in the last year that serve as a model, whether or not that's going to be widespread and we're going to have big critical infrastructure attacks in the coming 12 months.

Obviously we're seeing election attacks already. We're seeing people using gen AI to impersonate Biden in New Hampshire and other types of things. Certainly social media attacks. A lot of these reports not just around ransomware, but just in all of these areas of data breaches.

And I think the other piece of it, one prediction in there that it's wider than just ransomware, but I thought was very interesting, they're all predicting the role of the CISO, the role of the cybersecurity team, the role of the security team is becoming even more important. It's not diminishing because it is encompassing the gen AI and protecting your LLM and how you put those guardrails around gen AI in your organization and how you protect that and thinking about those attacks and then the defense, I think the role of the security team, the role of the CISO, almost all of the reports was saying it's going to grow in '24, it's going to grow for the next several years.

Joseph Carson:

Absolutely. It's almost, we're no longer just protecting computer systems, we're protecting society, and CISO's role is protecting the business ultimately, and that's where the criticality... and for many organizations who digitalization is the business, then the CISO role becomes vital.

I also do think, who would've predicted that the attackers are going to be notifying the SEC on breaches. That was something that was unforeseen. But something when you think about it, make sense that it puts pressure on organizations.

And I also think that even in incident response we're going to start seeing that evolve much more this year where it's going to be where you're going to have financial analysts becoming part of the incident response team who then start predicting and start looking at what is the material impact financially to the breach, to the incident, to the attack, to the ransom, what is the financial side of things? And that will then help organizations determine whether they're financially impacted, did the insurance cover completely or not? So I think that's an area where we're going to see incident response evolve quite a lot this year.

So what resources do you recommend for the audience to go to? Where should the audience go to to get more help on this topic?

Dan Lohrmann:

Well, certainly they can go to you and to your podcast. It's great, but there's a number of... No More Ransom has a great website, you can go there. You can Google that. And I believe it's nomoreransom.org.

Joseph Carson:

It is nomoreransom.org. Yeah, it's a fantastic set of resources, great-

Dan Lohrmann:

It is-

Joseph Carson:

Best practices and great information. It's definitely one of the resources I would point people to for definitely more knowledge on ransomware.

Dan Lohrmann:

Another one would be NIST, which is the CRSC, Computer Security Resource Center, crsc.nist.gov. Tons of great material there. Obviously the cybersecurity framework is there. That's their 2.0 now and we've got, you can look through, but a wide variety of resources around building an incident response plan, playbooks.

And I would be negligent if I didn't mention my book again, Cyber Mayday and the Day After. We got a whole list, a whole chapter of resources in there is still relevant.

There are some really great resources that are free around state government, local government by ISAC. So you can talk about information sharing analysis centers in the different... You got the MS ISAC, which is state and local governments, but you got election ISAC, you've got transportation ISAC and financial services ISAC, FS-ISAC. So all of those ISACs, many organizations that are listening to this are a part of an ISAC and they have resources within that are specific to their particular industry that have best practices that are at their ISAC website.

Joseph Carson:

Fantastic. We'll definitely make sure we're going to put all of those into the show notes, so make sure everyone can easily have access to it.

Any final words of wisdom or any final thoughts that you would like to leave the audience with? Or one way, what's the best way to reach out and contact you if they have questions?

Dan Lohrmann:

Absolutely. Well, thanks. No, connect with me on LinkedIn, Dan Lohrmann on LinkedIn. Happy to connect.

And I just would say it could be pretty overwhelming. I mentioned this at closing to my talk I just gave in Florida, "But we're in a marathon, not a sprint." So take care of your team members. At a fundamental level, it is about relationships. We always talk about people, process, technology, Joe, but it's relationships with people like you, people like industry experts, but people you know, people you work with on your team, both from people just coming out of school or people that are more mid-career or people who're more seasoned, but we need to really take care of each other.

I've seen a lot of burnout right now, even crazy that people would want to get out of the industry, because there's so much need. But I would just close with that, we have to remain optimistic. I still am an optimist. I don't think I'd be in this field if I wasn't an optimist, but take care of your people. Think people, process, and technology. Technology is really important, we're in the technology industry, but it's also about that repeatable processes, not just doing it once but over and over and over again, and then really taking care of your people and having great relationships. Because we need to partner, we need to work with others. You will fail as an island. You need to work with others.

Joseph Carson:

I think that's probably wise words. And I think that is definitely for the audience. I think that's a really vital recommendation and wise words from Dan is that people is one of the most important things is that we need to make sure... And that's one thing I found in responding to a lot of incidents is that people's mental health and burnout is real. And when you're going through those very stressful situations, make sure you're taking care of the people during the situations and beyond as well.

Dan, it's been fantastic having you on the show again and always looking forward to catching up with you, hopefully in person in the near future at some point. But-

Dan Lohrmann:

Maybe in RSA.

Joseph Carson:

Definitely RSA. I'll be there. So it's great having you on.

For the audience, Dan Lohrmann, valuable insights, great recommendations, great leaderships and contribution to the industry. So many thanks for having you on.

For everyone, this is the 401 Access Denied Podcast. Tune in every two weeks for recommendations, thought leaderships, best practices, and really everything that's hot in the industry at the moment. We're here to provide you the insights and knowledge.

Dan, you've been a fantastic guest as always. For the audience, thank you. And take care and see you next time.

Dan Lohrmann:

Thank you.