Joseph Carson:
Hello everyone, welcome back to another episode of 401 Access Denied, your biweekly podcast that brings you all the latest news and information. I'm your host for the episode, I'm Joe Carson, chief security scientist and advisory CISO for Delinea. Delinea's a new company that's basically bringing together both Thycotic and Centrify and really helping around privileged access security. I'm really pleased to welcome an amazing guest back on the show today, Dan Lohrmann, welcome back again. It's always fun talking to you. So I want to give the audience a brief introduction of who you are, and also I'd like you to kind of also give us some information about your latest book that you've released.
Dan Lohrmann:
Hey Joe, it's great to be back with you again. So thanks so much for having me, really excited to be on the show today. And my background is over 30 years in the security industry. I was with NSA in the late '80s in England, in the '90s, and then 17 years in Michigan government. And now I'm with Presidio and we are a global digital solutions provider. I am the field CISO with Presidio and just really excited to be with you today. My book, which came out in November, is called Cyber Mayday and the Day After: A Leader's Guide to Preparing, Managing, and Recovering from Inevitable Business Disruptions, and it really covers true stories of ransomware, true stories of what happened when different organizations were hit by cyber attacks. And we really, my co-author is Shamane Tan from Sydney, Australia. She's just a marvelous cyber leader, woman of the year in cyber several times in Australia, just a great, great leader in the industry.
Dan Lohrmann:
And we really talk about three parts to the topic, before, during, and after emergencies: what can organizations do? How can they prepare? Everything from playbooks and tabletop exercises, and then what happens during an incident, and then how you can learn from that, kind of cyber lemons to organizational lemonade, if you will, which is chapter 11 at the end of the book. Lots of references and links to good best practices, but most of all, what we thought was missing in the market is really just great stories through the eyes, not just of security leaders, but also through the eyes of business leaders, technology leaders, and really just small, medium, large government and private sector. So public and private sector, and then what happened, so a lot of intriguing stories. No way I could go into those today, but I encourage people to go out; it's available on amazon.com and wherever books are sold around the world.
Joseph Carson:
Well, that's fantastic. And I couldn't agree more. For me, one of the most valuable lessons I always learn, when I go to conferences and I listen to talks and I talk to other victims of cyber crimes and other types of security incidents, for me, it's always the lessons learned. It's about what happened before, what was going on during those attacks and what were the lessons learned after, and for people to hear the stories and hear what happens and the stress and the changes, because it's always very fast. Everything happens so quickly in a matter of hours and days, and I think the lessons learned you can get from that is the best thing that we can do. And I've listened to, I think one of the best talks at every conference has always been someone sharing their story.
Joseph Carson:
It's always been somebody telling you about the things that they did right and the things that didn't go so well and the things that they've learned from it. And I think for organizations, you want to do this beforehand, you don't want to be the person that's actually learning this in the middle of an incident and calling for help. And then going and looking at the lessons learned, you want to be prepared. And I will say that what your book for me is very much about is the difference between not just having a response plan, but actually being response ready. It's about being able to prepare and simulate and know what things you should actually have ready beforehand. So that's such critical information, definitely for the audience, I definitely do recommend it. We'll make sure that we actually have a copy and links in the show notes so that people can easily find the book and make sure they're able to get a copy.
Joseph Carson:
So today's theme I want to really get into is around really the state of current cybersecurity. A lot has been happening in the last couple of months. A lot from an industry regulation perspective, we've seen a lot around increases in cyber insurance prices. I mean, even the unfortunate, disastrous, catastrophic invasion in Ukraine, that's really seeing... I've seen a lot of people talking about cyber war, but when we get into reality, there are elements of cyber being used, but I think really if you look at it from a more global scale, we're really talking about an information war. That's what I'm seeing. We've also seen ransomware gangs taking affiliation to nation states, which is also interesting, which does mean that there are consequences there for reporting, consequences in even ransomware payments. So we have to understand what some of those implications are. So Dan, do you want to give me some kind of, what's the current state that you're seeing today? What's top of mind? What's the top priority that you're seeing organizations should be aware of?
Dan Lohrmann:
Yeah, I mean, it is such an incredible, scary time, but really an amazing time right now in the cyber space, as we cover in the book, but also just what we're seeing. The explosion of ransomware over the last three years, we kind of ended 2021, everyone was just, the reports coming out that there were more ransomware attacks in 2021 than the last 10 years combined, just ratcheting up '19, '20, '21. So the attacks are continuing. And then of course now we have the alerts coming out from CISA around preparing for possible nation state attacks from Russia or elsewhere, really being ready. And I think everyone is on high alert right now. Organizations are really getting regular intelligence, whether that be from the ISACs, Information Sharing and Analysis Centers. Certainly, I work a lot with state and local governments and they're constantly trying to get updates on the latest situation, but banks as well, utilities, just everyone really, really on high alert. The attacks are accelerating as never before.
Dan Lohrmann:
I think there's a couple of different things that people are saying: what can we do to prepare? Those questions we've covered on this show many, many times, so about ransomware, previous shows I've been on, we talked about ransomware and other things, a lot of the same basic blocking and tackling things. We can walk through those, but I won't go through that list now. The cyber hygiene list, if we want to go there, Joe, we can go there. People can go back and listen to our episodes on ransomware and things. And certainly making sure multifactor authentication is enabled. And we go through the list, awareness training, people, process, technology, so that's huge, I think, but also there's a lot more happening in the sense that organizations are down staffed.
Dan Lohrmann:
I'm hearing everywhere I talk right now, one of the biggest issues, the stress level is just through the roof now in security teams around the US and really around the world, because a lot of people are down 50%, 30%, open positions, they just can't find the people. And a lot of times they have money for projects, a lot of times I'm hearing people that aren't really struggling with having the dollars to do things, it's more the team and also people leaving. They call it the great resignation, we've got another whole show we could do. But that's really hitting security teams hard. And so that's a huge challenge. And a couple of other quick headlines. I mean, CNBC published an article Monday, we're doing this the week of the 16th of March, it's called, "For the first time in history, anyone can join a war. Volunteers joined Russia-Ukraine cyber fight." So I mean, literally people all around the world, activists jumping into this, I've seen a lot of DDoS attacks of course against Ukrainian websites, attacks against Russia. A lot of spillover in that region, a lot of people are wondering, will this hit US banks? Will this hit government sites in the USA? We haven't seen that big, massive attack that some people have kind of worried about yet. Hopefully, that doesn't happen in this round, but those are just a few of the things that are top of mind right now.
Joseph Carson:
Yeah, absolutely. I think one of the things, you're absolutely right, when we're looking at the war that's happening in Ukraine, and we think about the disaster that's happening there, for me, it's really sad and it's heartbreaking seeing the news that's coming out. And you look at it from the cybersecurity side of things, you do see Russia is a big supplier of a lot of software. Ukraine is a big service provider for a lot of organizations, and we've also seen it, we can go back to WannaCry, we can go back to NotPetya. And we see when you have cyber attacks against a country that is very heavily in the supply chain, then it does spill over. I think the wiper attacks that we saw at the beginning of the war did spill over into Latvia and Lithuania, which are NATO countries, but when you look at Article 5 and you think about, well, why doesn't it trigger Article 5, it's because of the severity of the attacks, and they do them on a case-by-case basis.
Joseph Carson:
You look at each case, they'll determine if this was something, but there will be spillover. And we do have the expected spillover that will happen through the supply chains and through the connectivity. We can even look back further, to Stuxnet. Stuxnet wasn't just isolated in Iran. It spilled over into many organizations. Ultimately though, the trigger and target was very specific, but cyber weapons can actually go into other nations and organizations. And we have to be prepared for if that does happen. So I agree that this is something that we have to be prepared for, and I think with CISA launching and making the alert about Shields Up, I think now is a good time for organizations to really go and check their security, just as a kind of reminder to go and make sure you're up to date on patches, a reminder to go and, for example, check your backups, make sure you've got fresh backups, make sure they're valid. It might even be a good time to take an offline backup just to have a good state where you can go back to. So today the world is a very cautious, very kind of worrying outlook, but my hope is that things will start to deescalate and we'll start to put things behind us, but at the moment, it's not looking like it any time soon.
Dan Lohrmann:
Yeah. And I think it's clear that even a topic like the reporting legislation that was just signed into law by President Biden is an indication of the level of concern that you're seeing even from the three letter agencies in Washington, I'm going to say three letter agencies, that's FBI, CIA, DHS, NSA, and because there's been hesitancy, and I understand why, from the private sector and others who feel like it is a little bit of Big Brother. There's been legislation, we can talk about really going back a year since Colonial Pipeline, around reporting of incidents, and that's been ratcheting up. There's been some legislation that was really mandating the rules for banks to report a ransomware attack or major cyber incidents starting here in May of 2022.
Dan Lohrmann:
But now this new law really, and the detailed rules haven't come out yet, but the law has passed. CISA's got two years to put together the specific details around this. I don't think it's going to take them two years, Joe. I think it's going to be more like, I mean, they could rush it in a matter of weeks, I'm expecting six months. I mean, I don't know, we'll see. I mean, I think it depends on the situation, but the message is this: there's a lot of people that think that what we're doing now just isn't working well enough, and clearly different people have different views about how we go about fixing that. I'll just say, needless to say, that a lot of the criminal justice organizations in the US feel like if we don't even know about it, we can't help.
Dan Lohrmann:
And so the questions have been out there and I've seen different reports, I'm sure you have as well: what percentage of incidents aren't even being reported, that we don't even know about, how bad is the ransomware really? And it was really, really bad in '21. But my point is just this, that that law passing so fast, with bipartisan support, Republicans and Democrats, which is not easy to do on these topics, shows clearly that, I'm not saying we're heading towards more centralization, but certainly more ability to have basically insights or vision of what is actually happening out there, and awareness of all the different incidents that are going on. And I think organizations should be preparing now for that and that reporting. If you don't have those relationships, what are you going to do in incidents? If you were hit, what is that game plan, what is that playbook, tabletop exercises, all of that. We covered a lot of that in the book, but really, the whole issue of preparing for a cyber incident and how you respond and how that's reported is changing.
Joseph Carson:
Absolutely. And just to kind of make a point, one of the things that you brought to mind was, if you look at the recent revelations from the Conti ransomware group, and this gets into your point about under reporting, it was actually quite shocking for me. The data that we assumed was roughly right was way under reported. We suspected that the Conti group had done somewhere around half a billion in ransomware payments, and the revelations come out closer to $2.7 billion, which means that we are way under reporting. And really the cyber crime in ransomware itself is so much bigger than what we actually assumed it was, and it even reminds me, going back to a number of incidents, I remember when I was doing incident response for a specific ransomware, which was CryLock.
Joseph Carson:
And during that incident response, in the evidence gathering, I did find another victim in the logs I was looking at. Basically, it meant that the attackers were simply just copy-pasting their attack tools, and in the logs I did find other information about a victim. So I thought, well, it's on me as a security researcher to go and inform that victim that I did find information. I saw your, basically, credentials, server names, information, user names, and so forth. So I reached out and contacted them and said, "Hey, I found that you've also become a victim of the same group I'm dealing with. Do you want to collaborate, or is there anything I can help with, indicators of compromise? Or were you worried that you were a victim?" And they came back and actually denied it, saying, "Nope, we were not a victim."
Joseph Carson:
I was going okay, okay, fine, and then I said, "Yeah, I'll give you another opportunity to work with me, or just, I've got your data, I'm looking at it, are you sure?" And they came back and said, "No, we are definitely not a victim of ransomware." And it wasn't until, so I ended up having to go to the country CERT, and I had to say the organization who I was dealing with was a victim. We started sharing the information with the government CERT. And then I decided I had to contact this other victim and let them know that I need to pass over my evidence that I have collected so far to a government entity. I just wanted to inform them that I have to do that.
Joseph Carson:
And that moment in time was when they admitted they had become a victim of ransomware, because they realized that I had to go and share that data with a government entity. So I seriously do think the reporting side is significantly, probably even, I thought it was by 50%, but looking at some of those numbers, I think it's even, we're probably around 70 or 80% of what's not been reported. And it gets into, so the regulation that was signed through, my concern though, when I looked at the data and the filings of that, was the four day reporting period. I thought that was, when we did GDPR a long time ago, 14 days was the kind of... Well, 14 days was the ballpark, it actually changed the wording to "without undue delay."
Joseph Carson:
And it was really about, depending on the severity of the incident, undue delay was kind of, they give you that indicator about whether you need to do it sooner or later, how much time you had. But four days, for many organizations they're still in the middle of evidence gathering and understanding the impact and even trying to determine what data's lost. So four days, I think, is really not taking account of the type of incident or the scale of the incident. I think there needs to be a risk based approach in there, or some impact piece that should be a little bit more on the timeframe you need to notify, or that when you do notify, you have to be clear that this is ongoing, you're still determining impact. So I was surprised at the four day piece...
Dan Lohrmann:
They will say it's got 72 hours: new reporting requirements require covered entities to report certain cyber incidents within 72 hours and report a ransomware payment within 24 hours, so, yeah. And so, yeah, and the exact rules have to be made now. So now the law's passed, they've got the authority, we'll have to wait and see what exactly comes down. I mean, you're going to be hearing a lot about this in the coming months, but the other thing, Joe, it will be important to talk about what's going on right now with cyber insurance. I mean, I think that whole topic, and by the way, I'll send you the link, you can post it with this video. I just did a blog on this, really referencing some of the experts that I'm listening to and talking to in the market.
Dan Lohrmann:
But I just did a blog on what's going on with cyber insurance in the market right now, and there's a lot of people talking about Ukraine, what about the war exclusion, what clauses are in there, what are not in there. A lot of talk about that, and Billy had a video with some experts that just do underwriting for cyber insurance, basically for a living, and it's another whole hour presentation, I won't walk through all of it, but the gist of it was really: make sure you understand, A, some of the trends, but also the fine print in your policies. I mean, generally speaking, we're seeing a huge trend right now where a lot of people that I'm talking to are just not even renewing their policies, because the price is doubling and the amount of coverage is being cut in half. So I'm hearing that all over the place, I've seen numbers anywhere from 30, 40% increases at the low, low end all the way up to 300, 400% increases. But I commonly hear we're paying double the price for half the coverage, but the other thing is-
Joseph Carson:
And one shot only. You're only going to get one coverage.
Dan Lohrmann:
Well, exactly. And to that point, and then what's excluded? People say, well, there's this big case, and I won't go through all of it, that's really another whole topic and I'm not an expert on cyber insurance, but I will send the link. I encourage people to go out and, if you've got policies, look at them, look at the exclusions, look at the war exclusions. And just because we had that case that was recently settled, where there was a payment that had to be made from a few years back, and when they claimed it was war the courts ruled that they had to pay the premiums, that's no guarantee that will happen in this case, but we really do have physical cyber war, not cyber war and a physical war, in Ukraine. So my point is, every situation is unique. This is a unique situation, different from previous cases where maybe cyber insurance companies had to pay out. So it's a hot topic right now. It's certainly one where Ukraine will certainly test your cybersecurity exclusions and your policy.
Joseph Carson:
Yeah. I remember, when I was getting into this early, maybe 10 years ago, a little bit longer, I was seeing cyber insurance kind of come into reality and being kind of tested. And it really started, at the time, basically in the shipping industry and logistics and financials and transportation. That was really where it kind of kicked off. And I saw that some of the cyber coverage in the shipping industry actually fell under terrorism. So that meant if you did have a cyber attack, you were actually not covered because it was classified as a terrorist attack. And I think that's what we're starting to see now. A lot of those clauses that have actually basically gotten into those cyber insurance policies are likely looking at this from terrorism, that's probably attributing it into a war category as well.
Joseph Carson:
So yeah, organizations really need to be aware of what they're covered for and what they're not covered for. And absolutely, as you mentioned, I've seen cyber insurance premiums double in price in the past year. The yearly claims have significantly reduced. And also you don't get repeats, you can only maybe get one claim a year if you're even lucky. So insurance companies are starting to realize that they went into this a little bit, probably over optimistic and blind, without having historical data. And then along came cryptocurrency and ransomware, the perfect storm together that really targeted a lot of organizations. And I think insurance companies got really harmed because a lot of these attacks happened, and repeatedly, and for large amounts. When you look at it, some of the ransomware payments were in the tens of millions.
Joseph Carson:
And if you hit a supplier or service provider, then you're not hitting one company, you're hitting all of those companies. If you look at some of the MSPs such as Kaseya getting hit, you're not dealing with one company's cyber insurance, it's all of those customers that might have cyber insurance as well, just from one cyber attack. And it was interesting, there was a discussion recently with some peers of mine where we got into even looking at, well, the other thing that we have to be aware of right now, of course, with the sanctions in place, this really gets into even, do you consider paying a ransom? Is it even an option for an insurance organization to consider? Because one of the things we have to understand is that, well, if you consider paying the ransom, okay, these are organized criminals.
Joseph Carson:
They're not software criminals, they're organized criminals. And that means that they're not into just software crimes, such as ransomware and malicious malware, they're into other crimes, such as weapons and drugs and human trafficking and other really serious crimes as well. So you have to look at it: if you're paying an organized criminal group, you're funding other types of criminal activities as well. So that's another thing that you get into, moral and ethical decisions as an organization. Is that something you might consider? Well, paying ransom, I'm only paying software criminals, but in fact, you might be actually paying for human trafficking, and do you want to be associated with that? So that's one area. The next part of paying ransom is you get into a situation about, well, where's the money going? Where is this criminal located? Is it part of a sanctioned country?
Joseph Carson:
So you end up paying a ransom that could go into a group that could be in North Korea, Iran, Russia, for example today, that could be under sanctions. And that's another area that organizations need to be aware of, where's that money going to, and I think then the transparency about organizations, getting that visibility about paying the ransom, then you're likely to be the target even more. So there's a big question into the ethics and morals about paying ransoms today. And I think organizations really need to think about more resiliency: how do you avoid having to be in that position in the first place? What can you do to make sure that, yes, it might impact your business operations and services for a bit of time, but you want to make sure that you're in the situation where you do have a backup, you do have alternative business resiliency in place.
Joseph Carson:
So you don't have to go down that path, because I think ultimately paying ransom, for me, it's a business decision. I recommend against it, but I defer it to the business, to those who are responsible for the business, because in some cases it's life and death scenarios. I've seen cancer research companies being hit, hospitals being hit, critical services, ambulance services, telecommunications, phone lines, help lines, all being targeted. And when you think about that, well, if you think about a help line for people who are looking for mental health, or it could be for getting ambulances, if that's hit and down, people's lives are in danger. And so I always defer, I always have to say that my recommendation is not to, but I always defer, it's a business decision, but here's your understanding about some of the consequences if you do go down the path of paying: this is what you might be dealing with at a later date, if it does go public. So I think paying ransom today is definitely more triggering now than it's ever been in the past. I think a year ago, you could have gotten away with it. I think there's a lot of challenges today for organizations who might consider paying.
Dan Lohrmann:
Yeah. And I think in the Ukraine situation that we're in right now, people are thinking... I love an analogy I recently heard that said the Russia attacks are more like a hurricane, China cyber attacks are more like global warming. It's interesting, maybe more long term impact of stealing intellectual property and other types of things. But I think organizations, if you're thinking about this as a government entity or business around the world, and you're, okay, to your point, how do you prepare? I've seen organizations that did feel like they thought they had backups, and they thought that they were immutable, that they were not changed, but it was going to take them seven, eight weeks to restore. And so they had never really worked through the whole process.
Dan Lohrmann:
And they're like, I can't be down for seven weeks. I can't be down for eight weeks. And then they ended up paying. And yet the numbers, just another topic about ransomware today, but it's astounding that some recent reports I heard, more than a third of the organizations that get hit by ransomware aren't prepared, that more than a third end up going out of business and going bankrupt within a year. And it's even higher in the UK and UAE. So it is a very, very, very dramatic thing, and I think preparing yourself and some of those CISA alerts, making sure you've got that basic blocking and tackling. You mentioned earlier, multifactor authentication, patching your systems. You're working really well with threat intelligence. And you work with your sector to know about different types of attacks that are coming in, making sure that you're ready with your backups and your incident response plans, they're must-have things.
Dan Lohrmann:
I just want to mention one other thing on insurance, the case I was trying to get to mind a few minutes ago was the 2017 NotPetya malware attack. And that insurance case, where large insurers have taken pricing and underwriting actions in response to the rising claims in recent years, a lot of people saying, well, in that case there was a lawsuit and the insurer had to pay, but they ruled that it wasn't really a physical cyber war. So yes, it was not war, that clause didn't apply and they had to pay. But as a result of that, a lot of people are making adjustments now. But the other thing real quick I want to mention, Joe, that I find fascinating is, and yet there's a report that came out about a month and a half ago that I read, and I can send you the link to this if we can include this in the notes, that the expected increase in cyber insurance is tremendous over the next five years, that more people will be doing it.
Dan Lohrmann:
That's not really what I'm seeing on the ground right now. I see people canceling policies or not renewing them or getting less coverage, and yet if they get this sorted out, I don't think cyber insurance is dead. I do think that you're going to see more, I don't know, changes in that industry. And we could be back on this show a year from now talking about some new model, but the bottom line is that it's not going away. And a lot of organizations are relying on that. It's just that the cyber insurance companies are requiring much better, even in many cases, better risk assessments, even pen tests, looking for vulnerabilities, doing that analysis up front before they take on that risk.
Joseph Carson:
Yeah, absolutely. I think for me, my prediction in the insurance society here, I think we'll start seeing more microservices from an insurance perspective, meaning that they're more specific to the type of tech, rather than these broad, massive cyber policies that try to cover everything. I think we'll start seeing it a lot more segmented, microservices that are very specific to different types of threats and impacts. I think that's what we'll typically see. So organizations might decide to get cyber insurance, but maybe there's a ransomware exclusion as part of that so it becomes more affordable, because they might decide that they have a solid backup plan in place that is resilient to ransomware. So we might see more micro segmentation or microservices from an insurance perspective that are more specialized. And I also think that we'll start seeing the shared economy starting to take off, especially for small, medium types of businesses where cyber services might be a little bit further away from their capability.
Joseph Carson:
So you might see more of the shared economy, where groups of organizations will get together to try and get collective cyber insurance. But again, you get into that scenario about how do you make sure that they're doing the best practices? How do you make sure they're putting the right things in place? And that really comes into what you mentioned, risk assessments, that you have a certain level of basics that is actually implemented, and that very well might be driven through compliance regulations; just getting that certification might show you a level of maturity as well. But I think definitely the insurance industry is going to grow from a cyber perspective, for sure. How it's going to grow, or how they're going to evolve to be able to deal with the losses today, I think that's still the big question that they're going to have to look at.
Joseph Carson:
The more data they get though, the better analytical information they can get, because the insurance industry's driven on data, and it's all about trends of the past and predictability of the future, and the more information they get, the better models they can make. So they can actually get a better understanding about where cyber insurance really fits in the industry as it is today and where it's going to go in the next couple of years, but for sure, it's a rocky boat right now. And some are doing well and some not so well. It really comes down to some of the policies, the way the policies are written, I guess, is really what's going to define the success of this in the near future.
Dan Lohrmann:
Yeah. It's going to be interesting to see how that evolves. And I think the environment is... A good friend, Richard Stiennon, wrote a book called There Will Be Cyberwar. Well, we're seeing it now. And I think, what's happened so far, we haven't had a major, for example, the grid has not been hit hard. Some people made some predictions that there could be massive attacks against businesses in the US at a level that would bring down critical infrastructure and literally, well, say, turn out the lights, but maybe hit water supplies, hit other critical infrastructures like Colonial Pipeline. So far we haven't seen that yet, and we're hoping that it doesn't happen, but a lot of people think it will at some point. So making sure that, if anything, the pressure, the importance, the priority has only gone up as a result of the current situation.
Joseph Carson:
Absolutely. And in war, cyber is an element. I mean, we look back in history and you can go back to Estonia in 2007, the political situation between Estonia and Russia at the time, and there were cyber attacks during that. And also there was violence in the streets as well during the unrest at the time. So there was a cyber element to that. And of course that was the establishment of the NATO Cyber Defence Centre of Excellence, and it was also the foundation of cyber being introduced into Article 5 as well. And then we can look back at Georgia, same thing happened, 2014 in Ukraine, in the annexation of Crimea, same thing, cyber attacks. They are not the only weapon used, but they are a tool in a real physical war scenario.
Dan Lohrmann:
We've seen that now, we've seen that now in Russia, in Ukraine. I mean, massive DDoS attacks, massive website impacts, I'm not saying... It's huge right now, it just hasn't hit the homeland of the United States yet. I know it's a global audience. It hasn't hit Western Europe, like some people thought to this point, but yeah.
Joseph Carson:
Yeah, I think it's always the pre-staging side, it's the preparation. So one of the things, as a penetration tester or an ethical hacker, one of the things that we look at in attacks is you don't show your cards until the last minute, until you need to. So one of the goals that you tend to have is you want to stay stealthy. You want to stay hidden until the time is right that you execute it. So it's always that 90% of any type of attack is reconnaissance, is preparation, it's preparing this, it's getting into the right locations and staying as stealthy as you possibly can. So when you do need the trigger, that's what happens. But I think hopefully many organizations have really gone through and started doing threat hunting and started looking.
Joseph Carson:
And I always say that as a security professional, my job is always about how do I force the attackers to take more risk? The thing I always say is that there's no 100% protection. What you're really doing is you're forcing the attackers to take more risk. And the more risks that they take, the more noise they're going to make and visibility in your network. And it gives you a chance to detect them early. And it gives you a chance of removing them and stopping them from moving and from elevating privileges and getting to more sensitive areas of the network. So the goal here is really to force attackers to create noise, to create visibility and give us a chance at actually stopping them from getting further. So what we really need to be doing right now is getting into the threat hunting, is assume breach.
Joseph Carson:
We all should be practicing this assume breach right now, is assume they're on your network and go through and make subtle changes to try and get those ripples to happen, to get that visibility. Maybe practice a password reset in certain parts of the network or certain groups of users. Maybe go through and do an audit log correlation to check to see if there's any suspicious activity. Look for potential uses of things like ... exec on the network. Look for registry changes that will actually allow things like Mimikatz to extract passwords in clear text. So we should be going through these practices right now. You don't want to be doing this after the attack has already happened because it's not going to help the organization. It's more about the lessons learned; you want to do this pre-attack.
Joseph Carson:
So now is the time to go and do that. And I think this Shields Up is a great indicator that we should be practicing that, we should be going through and doing these proactive things right now. At the same time, also readying your response team, making sure your contact lists are up to date, to your point. And one of the things is, when we think about it, ransomware has also been used as a disguise for other types of attacks as well. It's been used to somewhat distance these state-sponsored groups from the use of ransomware. They can always say, well, it wasn't the government, it was a mercenary, cyber mercenaries were carrying this out. So it was distance, it was political activism. So they can always do that separation of government accountability and responsibility as well by using ransomware as a weapon under disguise in order to disable systems.
Joseph Carson:
But we have to really get into also looking into, well, what can we do? When we think about ransomware itself, I mean, it is a cyber weapon of mass destruction. It does critical damage, it does bring organizations down to a complete standstill, and we really need to make sure that organizations have the best practices in place. They have guidelines. They go through these checklists and make sure that they've actually done as much as they can to make organizations resilient. And this is important. One of the things you mentioned earlier, I think I'm really excited about and looking forward to reading in your book. One of the things that comes to mind is that we also have to step away from these security incidents and ransomware happening, we sometimes make them IT issues or security issues.
Joseph Carson:
They're not security issues. They're not IT issues. These are business issues, business risks. And we need to start looking at this, yeah, one system going down or an application failing, that might be an IT issue, or it might be a security issue. But when you're targeted with ransomware or you're targeted with DDoS attacks, or you're targeted with data theft, these are business issues and business risks. And therefore it means that it needs a business response. So it means that you might have security incident response plans that are tailored just for IT response, but your incident response plan needs to be a business response. We need to elevate it. We need to change the viewpoint, because sometimes executive boards think it's the security team's responsibility to put this in place, but actually, it's human resources and talent.
Joseph Carson:
It's sales, it's financial, it's legal, it's third parties that you need to contact, law enforcement, maybe external pen test teams, incident response teams, digital forensics. You need to have basically your network of resources, and organizations also should never be afraid to ask for help in the middle of an incident as well. They should never think that they can cover this up themselves and put all of their people on it to make this go away. They should think about, who can I call for help? Who's been a victim before? And one of the things is other victims are the best people sometimes in the short term to help you, because they can tell you about how they recovered and the lessons they learned. Any thoughts?
Dan Lohrmann:
You mentioned many of those points, Joe, that are really the kind of things we cover in detail. And I'll just close, since we're wrapping this up in a moment, but one of the stories we talk about is some lessons that I learned back in the power outage of '03, and really thinking, obviously there's a lot of unique things about cyber attacks, but really, you need to think all hazards: fire, flood, tornado, and natural disaster, and in your organization, how would you respond if you're in Florida and a hurricane hits, or how do you respond in different situations for fire, flood, tornado, those kinds of things. And I know during the Northeast blackout, we talked about that situation in detail, how much I learned about emergency management and what that meant when all of New York and Michigan and Ohio lost power, but just having everyone involved, clearly it was from the governor on down in Michigan, the president was on the big screen, the George W. Bush administration.
Dan Lohrmann:
But I mean, one of the things we learned out of the gate when we showed up was a third of the people we thought were going to be there were not there. The person who was supposed to run emergency management was on vacation in Mexico at the time. So one of the things, a little tip you can use, if you're doing tabletop exercises, and we're already doing that, or we're already doing exercises, walk around the room, tap about a third of the people, or six people, half a dozen, whatever it might be, 20% of the people, and say, "Okay, you're now observers, go stand in the corner and watch. Who's your backup?" Because you're not here, so now what are you going to do? And does your backup know what to do?
Dan Lohrmann:
So often we think about these very practical sides of things, but the people side does come into play during cyber attacks, and making sure your leadership is involved, who you're going to call, what if the phones are all down? What if you don't have power? Do you have generator backups? We learned this a long time ago. It was 18 years ago. One of our three data centers had backup power generators, but two out of three didn't, and we ended up having to get new generators for them. So we learned a lot through that that applies to cyber today. And so really think about it, as in many ways it is an all hazards challenge and it affects the company; how does the business respond?
Joseph Carson:
Absolutely. And it is a business response because it is the business that is impacted. It's not just IT systems. It's the services; the IT systems are the dependency that the business needs to provide those business services, so absolutely. And one of the things as well is just, I think from what I'm seeing right now, definitely it's an information war. I've never seen absolutely anything like... I've been doing this a long time, and seeing the information, the propaganda, the fake news, the disinformation, to people trying to get the truth out there, that's definitely where we're in the midst of right now, a global information war. And one of the things is just watching and seeing how the information's flowing and how to detect fake information and propaganda versus reality and truth and how to fact check everything. It's really, I think, showing a lot of the social platforms how they need to change and improve how they share information. So it's definitely something for us to watch and learn about what's happening, but it's something that's going to, it's escalating further and further, and more groups and people and individuals are getting involved. So it'll be interesting to see what the information wars lead to.
Dan Lohrmann:
Yeah. I really appreciate being on your show today. I know we'll probably have to wrap it up, but I do think that this is an ongoing, this is a taste of what, sadly, the future of cyberspace looks like, and it's not going away. Hopefully this situation we have in Ukraine winds down, but we're going to be seeing these same challenges and lessons learned in the years ahead. And so absolutely having organizations working with your communication teams and working with your government and public information officers, and really knowing how to communicate in an emergency, how you're going to communicate during a cyber attack, how you are going to communicate, is all really, really important.
Joseph Carson:
Absolutely. So Dan, it's been a pleasure having you on. I always really enjoy talking with you and definitely look forward to having you on again in the future, and I'm really excited, and soon I'll have the opportunity to read your book and to go through it and learn some insights as well, because I'm really excited. I always love learning. And for me, definitely your insights and knowledge are something I'm excited to get an insight into.
Dan Lohrmann:
Likewise, love learning from you, Joe. You're the global expert. I travel around the world and Joe's always there so it's great.
Joseph Carson:
It's the people around me, it's people like you that I talk with and I learn from, and I mean, that's one of the great things about the podcast is I get so many great people on that I get to chat with and learn from. So for me, what makes my knowledge and my insights is the people, it's my network of people that really provide value to me. So I really do appreciate you, and it's great to have you on the show. So for the audience, it's been a pleasure. And one thing I do want to say is for those who are impacted by the humanitarian crisis that's happening in Ukraine and the war, our thoughts and prayers are with all the people. Hopefully this unnecessary destruction finds a peaceful end.
Joseph Carson:
I mean, for anyone listening out there, we just hope that it stops and that people can learn from these things. And hopefully we can look for ways to prevent it in the future. So our thoughts and prayers are with everyone who's impacted by this war. So for the audience, again, stay safe. Hopefully this has been educational. It's been a pleasure having Dan on. Again, tune in every two weeks to 401 Access Denied, it's your biweekly podcast to really give you essential information, new details, trends, that all help to make the world a safer place. So again, thank you, stay safe. And I look forward to being on another episode with Dan again in the future. So thank you.
Dan Lohrmann:
Thanks.
Episode 50