Defending Our Infrastructure
Ann Johnson: Welcome to "Afternoon Cyber Tea with Ann Johnson," where we speak with some of the biggest security influencers in the industry about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security executives. I'm Ann Johnson. And today, I'm joined by Wendy Nather.
Ann Johnson: Wendy is the head of advisory CISOs at Cisco. She was previously the research director at the Retail ISAC and the research director of the information security practice at 451 Research. Wendy led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation, now UBS, and served as CISO of the Texas Education Agency. Wendy was inducted into the Infosecurity Europe Hall of Fame in 2021, and she serves on the advisory board for Sightline Security. Wendy is a senior cybersecurity fellow at the Robert Strauss Center for International Security and Law at the University of Texas at Austin. Wendy, welcome to the show. I am so excited you are here.
Wendy Nather: Thank you. I am thrilled to be here.
Ann Johnson: So, Wendy, we have quite a bit to talk about today. Let's start with ransomware. Not a new topic, but there's this recent rise in attacks that's alarming to our customers and a lot of stuff in the news that's maybe misunderstood. I recently read a report analyzing the threats from the past year, and it says that ransomware attacks were up 148% in March of 2020 from the baseline in February, largely due to the rise of remote work. It also highlighted the spike of ransomware attacks that are closely tied to the COVID-19 news cycle, showing that these threats definitely are opportunistic.
Ann Johnson: If you think about these disruptions, they are affecting all industries, from financial institutions to education. And Cybersecurity Ventures is predicting that the global ransomware damage will exceed $235 billion by the year 2031. So as soon as we find a new defense, another attack seems to appear. I'd love to get your thoughts about how we kill this Hydra. And do you think that's even possible?
Wendy Nather: Oh, really good question. I think one of the misconceptions that some people still have about ransomware is that they think of it as a certain type of malware that's different from a virus or a worm or something, you know, that has one purpose in it. And what people don't understand is that any sort of opportunity that any malware has to take advantage of a vulnerability in a system and get entrance can then be used afterwards to plant ransomware. In other words, you can't stop ransomware by just shutting one kind of door because if an attacker can get in anywhere, there's always the possibility that no matter what they've planted beforehand, whether it's a keylogger or, you know, anything like that, they can say, you know, on my way out, I think I'll just sprinkle some ransomware in here. So the ways that ransomware can get deployed are various. And so it's an overarching problem. It's an existential threat to every kind of system.
Ann Johnson: You know, I think you're right. And the question becomes - and I do have another specific question for you. But before we go there, the question becomes, you know, are these actors opportunistic? We have seen, like, the overlap between nation-states and cybercriminal gangs, where a cybercriminal gang will in essence be the outsourcer, right? They'll be opening up access or stealing credentials for a nation-state. But then they'll launch a ransomware attack 'cause why wouldn't they want to monetize it twice, right? They're getting paid by the nation-state. They're getting paid by the ransom, potentially. Do you think that that's a trend that's going to continue?
Wendy Nather: I think so. And in fact, our intelligence group at Cisco, Talos Intelligence, recently talked about defining a new kind of threat actor that they call a privateer. And they may not be working directly for the government, but they're certainly not being chased by them, either. So they're kind of enjoying the protection of the government without being directly associated with them. So they're financially motivated, but they act like state-sponsored groups because they get a level of protection from the government, even if it's not intentional. So that's a new dynamic that we're seeing recently. And I don't see why it won't continue unless we take steps to do something about it.
Ann Johnson: That actually makes perfect sense. And then, you know, in the thinking about those steps - right? - largely due to this rise of ransomware, the U.S. government has created a ransomware and a digital extortion task force that's specializing to combat these things...
Wendy Nather: Right.
Ann Johnson: ...Right? They've outlined 48 recommendations. Given your expertise in state government, what you know about threat intelligence, what are your thoughts on the task force? And what should we be focusing on?
Wendy Nather: Oh, I am a big fan of that ransomware task force. There are so many smart people on it. Cisco also took part in producing that report. I love some of the chairs, like Jen Ellis. You know, I'm a Jen Ellis fan girl. And so I think they had the right people working on it. I loved the recommendations that they made, especially since the top five of them really had more to do with trying to go after the threat actors themselves and trying to defend against the attacks - not in, you know, punishing the victims. The first thing we tend to go to when we hear somebody suffering a cyberattack is well, you should have patched, or you should have done this or that or the other thing. We blame the victim without realizing how difficult it is to really do everything right. But I really like that they had an even-keeled approach to say, you know, let's go after the bad guys, too. Let's not spend our time just hitting the victims over the head.
Ann Johnson: You know, I agree with you, and I think it's one of the biggest problems about why companies don't report or don't go public, either, is we shame them. We spend so much time shaming these organizations as opposed to empathizing with them and then helping them but actually allowing them to be really transparent about their attack, which will help the rest of the industry. We need to kind of get out of that mental set of just, you know, shaming a company any time they go public about an event that happened in their organization.
Wendy Nather: Yeah. Yeah. Absolutely. One of the best examples that I've found of transparency was from the Colorado Department of Transportation that suffered a - I believe it was a SamSam attack in 2018. And they really opened up about all the details of what happened. I have heard their CISO giving a talk, and they actually published a white paper describing in detail what happened to them. There's a great article by StateScoop about what they learned in responding to the ransomware. So everything that people would love to know about how it happened, how they should think about protecting themselves, was up front and center, and I respect them a lot for doing that.
Ann Johnson: As long as organizations will do that - like Maersk did, right? - Maersk was so transparent about the event that they had in their environment. As long as organizations are really transparent, we can learn and become better. And that's what we should be encouraging and rewarding and incenting is that type of behavior.
Wendy Nather: Yes. Yeah. Yeah.
Ann Johnson: So, you know, ransomware is not new, right? We've seen attacks from, you know, all the way from floppy disks to attacks that ended in $40 million payouts and from one person behind a screen to these really organized and sophisticated groups of criminals. The threat landscape is certainly broad, and it's constantly changing. I'd love to - for you to elaborate. You've been around this for quite a while, and I'd love to understand how you see the attack evolution and also the threat actors behind it.
Wendy Nather: There's quite a lot that has changed. You know, we've been seeing this stuff since I don't know. The first ransomware attack was something like 1989. But, certainly, the rise of cryptocurrencies just, you know, poured gasoline on the fire. It just made it so much easier to go out and ask for this where everybody felt like they could get in on the action. And that's difficult for victims. So that's kind of a societal trend that contributed to it. The other thing is that just as we evolve our services and technologies and tech, so do, you know, the threat actors. And we see a lot more cloud-based services for the bad guys to use: ransomware-as-a-service, managed ransomware platforms. You know, for every vendor that builds its own platform, the threat actors are building platforms, too. So they are evolving their business models just as we evolve ours. And I don't know if we can confidently predict where they're going to go just as we do, but we can certainly assume that anything we can think of, they can think of and weaponize.
Ann Johnson: You made a point about just the governments harboring them, right? And that we - the pressure that we can put on them has to also be on those governments that may just be turning, you know, away from them and pretending not to see them, right? But - or, you know, worst case, they're enabling them. And we have to share that intelligence across the private and public sector so we can use them against these groups. Is that fair?
Wendy Nather: Yeah, absolutely. We need to do more sharing. And that's easier said than done, but we can also analyze how they are planning their attacks. I just saw a great presentation at BSidesTLV by the researchers at Imperva about the KashmirBlack botnet. And one of the things that I thought was fascinating was they talked about how the threat actors were trying to protect their botnet against having their IPs blocked. When they had their own infrastructure, with their own IP ranges, it was easier for defenders to block those. So they took the next logical step, and they moved their infrastructure to shared third-party services like Dropbox or, you know, the same sort of infrastructure that we use to make it harder for us to block. So you can't block the infrastructure that you're using, even if the bad guys are sharing it. So in return, the defenders found a way to notify these third-party infrastructure providers and get them to shut down the activity. And so if you take that key infrastructure away from them, you can disable things like these platforms that the adversaries are using. So it's a cat-and-mouse game. It's like, you know, they jump to the same platforms that we're using. But we can weaponize actually talking to those providers and getting them to shut these things down. It's a huge battlefield. And it's getting more complex all the time.
Ann Johnson: Yeah. And even recently, we saw with Colonial Pipeline - right? - that, you know, as these ransomware gangs and attacks are making the headlines, the threat actors are actually playing the long game. They're incredibly organized. They're recruiting actively. They are emboldened as these payouts have grown in size and in frequency. And, you know, the longer the hunt for them, the larger the payout. So why do you think they've become so successful?
Wendy Nather: Well, again, cryptocurrency made it really, really easy because it's unregulated at this point, although the ransomware task force did recommend looking at that as a topic. And they're very successful because, again, they can find any opening to opportunistically attack anybody. You know, if you're scanning the internet, an open door just looks like an open door. They don't really care who's behind it. We see hospitals falling prey to this. We see nonprofits falling prey to this. There was a nonprofit organization that supplies school lunches for kids and breakfasts. And they were hit by ransomware and could not operate for 30 days. And so that meant that the kids didn't get fed. They didn't get access to food that they were relying on. So there is more critical infrastructure out there that can be endangered by this than maybe we realize.
Ann Johnson: Do you think that cyber insurance has played a role? Basically, it guarantees that organizations will pay, or there will be a payout of some sort?
Wendy Nather: I think that's what people believe. I think that's the conventional wisdom. I don't really think it's true, given what I've heard from cyber insurers. I mean, certainly, they don't want to pay out any more than we want to pay out. And for that reason, I liked one of the ransomware task force's recommendations to tip the scales in that economic calculation that victims have to make. Well, it's going to cost us X amount of dollars to recreate our infrastructure from scratch. It's going to cost only Y to, you know, get the decryption key. Let's just pay Y. So the task force recommended a fund for victims to help offset the cost of recreating their infrastructure so that they wouldn't be as tempted to pay the ransom. And so I think playing on the economic levers and incentives is a very good idea.
Ann Johnson: Yeah. I think that makes sense. And I think the trends - you know, you talked about innovation, right? The ransomware actors are continuing to innovate. Microsoft Research tells us that we're seeing more human-operated ransomware. It's a large and continually growing attack trend that will represent even more threat to any organization. I would love to get your thoughts about that. You know, what do you think about the hands-on-keyboard type attacks? Is it scalable? Is it something we're going to see more of?
Wendy Nather: Oh, I would hate to try to look in a crystal ball and figure out what's going to happen there. But certainly, where there are humans involved in an attack, you can go after a human. And that is certainly one of the things that the ransomware task force suggests. And I think we should be targeting any part of the ransomware operation that we can. So can we make it more dangerous, more difficult, more costly for the adversary to run these things with hands on keyboards? Possibly. We really should be looking into this.
Ann Johnson: Excellent. So we keep talking about trends. I want to shift gears for a second. I want to talk about defenses. And, you know, as the increase in ransomware trends - and they innovate, and they think about new ways to attack us, I'd love to think about how we defend ourselves. One of the things we've talked about a lot in the industry is network segmentation. It certainly helps to detect and stop lateral movement, respond to these attacks. You want to monitor your ingress and egress that can aid in preventing them. What else should organizations focus on to defend themselves against ransomware?
Wendy Nather: Well, you're going to love this, too. And being with Microsoft, I think the answer is zero trust. Well, maybe not the term itself 'cause a lot of people don't like that term but not taking anything for granted in our defenses, not saying, well, you're coming in on the inside, so it's OK. We're not going to check you again. But that's a very broad concept, and there are a lot of ways to implement it. Network segmentation is a great idea. And if it were easy, we'd be doing it already. So it is really, really difficult for lots of organizations. I think there are a lot of good ideas that we can implement from the concept of zero trust, from network segmentation, from least privilege. But most of all, I think we need to get more active about helping organizations that don't have the money and expertise and influence to be able to set up their security the way, you know, that you in Microsoft and I in Cisco can. It's a lot more difficult for those companies and organizations that I call below the security poverty line. And I think we need to be doing more to help them instead of saying, well, this - you know, these tools are great for everybody. Everybody should be using them - because the answer is almost always, yeah, not quite here.
Ann Johnson: Yeah. I'm wondering - so when you think about those, you know, below the top - you know, X,000 - and it's not a large group of companies globally that probably have the resources to build some defenses to protect themselves and the people. You know, it's not just tooling. It's also humans. I think that - you know, managed service providers - I think that from us as vendors, there's a role we can play from simplicity - simplifying the - not only the purchase of our solutions but simplifying the deployment of our solutions, making - you know, creating an easy button. Those are the things that are top of mind for me, and then the tools themselves - just improving the efficacy of them. And also, you know, you think about a Microsoft or a Cisco, right? We might need, you know, 60 or 70 or 90% of the capability of a tool we buy. A small business may not need all that capability, and we need to actually get the toolset in a place that they can consume as much of the tools as possible at the right price point. And, again, I'm really leaning in on the managed service providers because I think there's a real opportunity - because these small- and medium-sized enterprises aren't going to be able to hire the humans, either. Those are my thoughts. Any reaction to that?
Wendy Nather: Oh, I agree with you because a lot of times, the managed service providers are hiring the people that the smaller orgs really wanted to hire but couldn't afford. So yes, managed service providers definitely have a role to play, and I absolutely agree with you that we need to make security easier to use, not just for technical people - because a lot of small organizations don't have the tech - the dedicated people to be able to do this. I like to say that security ideally should be designed to be as easy to use as a spoon. If you think about a spoon, it's really hard to use it the wrong way, to grab it the wrong way. You know, you pick it up by the handle. I mean, you have to learn it when you're a kid. But after that, you can go anywhere and see a spoon, and you know how to work it. So we should be making security harder to use wrong and easier for anybody who picks it up to be able to use it.
Ann Johnson: I love that analogy, and there's a reason that, when you have your toddlers, the first thing you give them is a spoon, actually. A, they're not going to stab themselves.
Wendy Nather: Yes.
Ann Johnson: But B (laughter)...
Wendy Nather: Yes (laughter).
Ann Johnson: But B - it's an easy thing to learn to use. You just have to learn to use the right end of it. And then you're off and running, right? You can feed yourself that applesauce or whatever. And that's - you know, when you think about security, it really is the hygiene, right? It's the applesauce of the industry to me of things like - yeah...
(Laughter).
Ann Johnson: Charlynn, my comms director, is going to love that one. But the applesauce of the industry is things like using multifactor authentication for 100% of your users 100% of the time. I can't get through a podcast without saying that at least once, Wendy.
Wendy Nather: Agreed. Agreed. And I was just thinking of, you know, an incident responder coming into an org and going, man, they have got applesauce everywhere. It's in their hair. It's under the desks. Oh, good Lord, it's in the disk drives. I'd love to run with that analogy and think that, you know, if you just had the right spoon and just a very small amount of training, anybody could have kept the applesauce going where it was supposed to go.
Ann Johnson: Exactly. Well, this has been a great conversation. I do appreciate you joining, and your depth of knowledge is always - I put on social media that I am a fangirl. And I am because I love listening to you because I learn. And on "Afternoon Cyber Tea," we'd like to send our listeners off with one to two pragmatic, practical takeaways of what they can do today to actually help secure their cyber future, so I would love to hear your response to that.
Wendy Nather: Oh, boy. OK. First of all, I would say protect your backups as if they were the only copy of the data that you have. We used to think of a backup as just something, you know, you made, and you forgot about. But it is an avenue of attack for ransomware now. You cannot leave it online after you've made it. You've got to get it away from the scene so that you can protect it. So make your backups. Talk with your service provider about what backups they're making on your behalf. Get them offline. Protect them with your life. The second one is don't despair because we just talked about a lot of scary things on this podcast. And especially if you've been in the field around the five-year mark, you start to think, what's the point? Oh, God, we'll never win - and that's absolutely not true. We're making a lot of progress. You have to be able to look at it the right way, and you just have to join forces with, you know, the people you know and trust. So those are the thoughts I have right now.
Ann Johnson: Excellent. Well, thank you so much for joining us. And I want to thank our audience again for listening and join us next time on "Afternoon Cyber Tea."
Ann Johnson: So I invited Wendy Nather onto "Afternoon Cyber Tea" because we were so excited to have her breadth and depth of experience. I've actually just been with Wendy at events over the years. I've listened to her speak at events over the years. And I know she has this deep but yet very pragmatic view of cybersecurity and how cyberdefenders can help keep organizations globally more secure. Her base of knowledge but how she presents that knowledge in terms that anyone can understand really made her a compelling guest for our show.