CISO Spotlight, the State of Ransomware, & Intel Briefing
Luke Vander Linden: [Music] Good morning. Good afternoon. Good local time, wherever you may be. I'm Luke Vander Linden, Vice President of Membership at the Retail and Hospitality Information Sharing and Analysis Center, and you're listening to the RH-ISAC podcast. Well, things are slowly returning to normal, at least for our HR SEC staff, as most of us have returned to our regular workspaces, and are finally rested up from the IHI SEC Cyber Intelligence Summit earlier this month in Plano, Texas. I said most of us because several of our staff members hit the road right away again, to share intelligence and expertise at other organizations, events, and conferences. Here's a quick rundown. Kristen Dalton, who leads our research and analytics team was at the Authenticate Conference in California, moderating a panel on the retail perspective of passwordless authentication. Her teammate, Jackie Delaplane [assumed spelling], was in Delaware moderating a panel on ATO with the Loyalty Security Alliance fall conference. And our own Ms. Maven, JJ Josing [assumed spelling] was at the Hack Lu conference in the Grand Duchy of Luxembourg, discussing how we spun up and use our own MISP instance to enable the sharing of cyber threat intelligence. And someone recorded his presentation and put it on YouTube. It's worth a watch. If you have half an hour or so. This is all what the RH-ISAC does in an effort to protect the retail sector and to promote sharing and collaboration amongst our industry partners. If any of these topics interests you, please shoot us an email at email@example.com, and I'll put you in touch with the people in our team so you can have a discussion. Coming up later this week. The IHI SEC has collaborated with Cisco's commercial facilities sector on a webinar on cyber threats facing retailers this holiday season, and tips for how companies can prepare. That's this Friday, so don't delay. Head on over to our events calendar at rhisac.org/events to see what's coming up. Speaking of coming up, we have a lot coming up on today's episode, I got to sit down in Plano with Marnie Wilking. She's the CISO at Booking.com and came to the summit all the way from her home in the Netherlands. She's had a career that spanned a number of industries, now travel, of course, but retail and financial services as well. And importantly for me, she's also on our board, and heads up our European Advisory Committee. We're also welcoming to the podcast Chip Witt, Vice President of Product Management at SpyCloud. SpyCloud is of course one of our associate members, so we thank them for their support and expertise. We're going to talk about a lot of the different work they do, but importantly also about how cybercriminals are circumventing authentication and techniques we can use to help retailers protect themselves. And last, but definitely not least, it's time for the briefing. Our own intel analyst and writer and all around great guy Lee Clark will join us. We just published our Tri Messerli Intelligence Trends Summary Report, which uses the intel sharing Request for Information surveys[music] and a wide variety of other engagements within our own sharing community provide insights into the major security concerns and challenges facing our sector as a whole. We'll go over that report and other breaking news with Lee. So without further delay, let's get to it. [ Music ] And now we're joined on the RHS Tech Podcast by Marnie Wilking. You're one of our board members. So thank you very much for coming on the podcast.
Marnie Wilking: Of course. I enjoy being on the RHS Tech Board, and I'm so happy to be here on the podcast.
Luke Vander Linden: Excellent. Thank you. And, of course, I know you're originally from -- you were the CISO of Wayfair. And now you're a CISO at Booking Holdings. Tell me a little bit more about your background and how you ended up to where you are today.
Marnie Wilking: Sure. So I've spent pretty much my entire career in IT and cyber. I started out with consulting doing, you know, programming, like most people who were recruited by consulting firms. Eventually, literally stumbled into a cybersecurity job at Wells Fargo in a brand new department called cryptography services.
Luke Vander Linden: Oh, wow.
Marnie Wilking: And it was my undergrad is in math. And it was just the right amount of math and paranoia. And it was really fun. And I got to my first project was implementing encryption on the mainframe, and then we moved to building out internal [inaudible 00:04:42] system and certificate authority internally. It was very fun. From there I moved around a lot within Wells. Wells was big.
Luke Vander Linden: Yeah.
Marnie Wilking: And so a lot of the functions are relatively siloed. So if you move around within the company, you get to go very deep. So I think I've done everything except pen testing and sock analysts so.
Luke Vander Linden: Wow. Interesting.
Marnie Wilking: Yeah. I had a lot of fun. And then the last five years, there was the group information security officer for the mortgage division, which meant that I had responsibilities for everything that mortgage owned and created itself. So mortgage actually had several data centers, well over 1,000 custom built applications.
Luke Vander Linden: Wow.
Marnie Wilking: Hundreds and hundreds of vendors that we were responsible for. But I didn't have to deal with things, like, endpoint security, because that was all done centrally. So it was a really a great introduction to the world of being a cybersecurity leader. And from there, I spent some time at Early Warning, which is now the owner of Zell, as most people would know it. I have a lot of fun actually helping coordinate and do risk management around the acquisitions that then were used to create Cell. So it was a really great experience there. And then move to Orion health, which is a healthcare information technology company, headquartered in Auckland, New Zealand, but with offices in Scottsdale and Boston and London. So I got to do lots and lots of traveling with that. And it was a really great experience with cloud and building things and securing things in the cloud. And it wound up being a really interesting, and it really did a case study around DevOps. I had a very small team and we worked really, really closely with the DevOps director and his team, built a really great relationship, and were able to get the product launched and get hydrous compliant in a much shorter timeframe than we expected. So it was a really, really great experience.
Luke Vander Linden: Wow.
Marnie Wilking: Yeah. And then moved to Wayfair for a few years. And we had global operations there too, so Wayfair has the headquarters in Boston, but has engineering office in Berlin. So I got to spend quite a bit of time in Berlin, which is awesome. And now I'm on Booking.com. And obviously, as you can tell, I really liked to travel. So this was such an amazing opportunity to both work in an industry that I'm very passionate about, because I really think that when people are given the opportunity to travel the world that they become better global citizens in general.
Luke Vander Linden: Right.
Marnie Wilking: And it gives you a very different perspective on other people's cultures. And, you know, how people do and think things differently. But I also got to move to Amsterdam.
Luke Vander Linden: Yes, that's incredible. So, well, first of all, you know, we run across a lot of our members who have been in financial services and healthcare. So you exemplify that before they get to retail, but you were elected to our board when you were at Wayfair, and you stayed in our sector, so you could continue on the board. So we really love that. We love that when people stay, but we do have some board members we've lost over the years, because they've gone to different sectors. So I love that. But you got to move to Amsterdam. And as folks can hear, probably you do not have a Dutch accent, you're an American citizen. But that's exciting that you're able to relocate there. So tell me a little bit about that. And what that is like living in a different place.
Marnie Wilking: It's been really fun. The culture is welcoming there. It's most people speak English, almost everybody speaks English. And so that really helps. And frankly, as an American, I really, really appreciate that everyone puts the effort into speaking English because a lot of it --
Luke Vander Linden: Helps?
Marnie Wilking: -- don't. Yeah.
Luke Vander Linden: I will say people who know my last name, I'm of Dutch extraction. But I'm very proud of the fact that the Dutch actually have the highest percentage of English language proficiency of any non English speaking country in the world.
Marnie Wilking: I am trying to learn Dutch. There's one customs agent every time I come back into the country who will if he's still in there will ask me if I'm learning Dutch, and so I try to learn one new phrase every time I come back into the country. So now I can ask for a glass of white wine in Dutch.
Luke Vander Linden: That's very important.
Marnie Wilking: You got to get your priorities straight.
Luke Vander Linden: So booking Holdings is one of these companies that has a lot of different brands, like, a lot of public, or consumer facing brands do. And they have a lot of different offices all over the world that you brought them in as a member, which is great. So you're in Amsterdam, and you're there's several CISOs. You're one CISO in charge of what?
Marnie Wilking: Well, so Booking.com I am the CISO for Booking.com.
Luke Vander Linden: Okay.
Marnie Wilking: There's one CISO for Booking.com. So Booking holdings has five brands, Booking.com, Priceline, Agoda, Kayak and Open Table. So each brand has its own CISO. Each brand is a separate company, a separate entity, except we're all owned by the same parent company. So we all became members of RH-ISAC at the exact same time as part of the parent company. We collaborate a lot, actually, which I'm very, very proud of and I'm very happy about. Because we're all in the travel industry, but all in different areas. So Priceline is headquartered in the US east coast.
Luke Vander Linden: Connecticut.
Marnie Wilking: In Connecticut, yeah.
Luke Vander Linden: Is part of why I go there.
Marnie Wilking: Yeah. Agoda is headquartered in Bangkok. And Kayak is also US east coast and Open Table is US west coast. So we're spread out all over the place. We have offices in a lot of places as well. Bucharest, Bangalore, several places in the US, all over Europe. So, you know, not only do we encourage and facilitate global travel, but we are as booking holdings as an entity. Entity is really truly a global company.
Luke Vander Linden: Right? It's one of the -- it's very impressively global. And we dealt with that during the onboarding process, as we scheduled calls from Bangkok to the West Coast to the East Coast to Europe as well. So really kind of practices what it preaches. So from a cultural standpoint, is it difficult to keep everybody on the same page? Is it difficult to communicate? What are some of the challenges that you saw and the ways they deal with it?
Marnie Wilking: Yeah. So I think, for booking.com, specifically, it's like a lot of tech companies that have grown really, really fast, because at its heart, it's a travel company, but, you know, comments all about e commerce and all of these companies are. And so when you grow that fast, sometimes you don't have a chance to get all of the communication processes in place. And so everybody, the culture is that everybody wants to share, and everybody wants to make sure everybody knows all the right things. Sometimes it's hard to find the right people to make sure. So the culturally, no. I mean like you said everybody, it's a tech company at heart. Everybody wants to share, everybody wants to do the right thing. And it's a really -- I have a great team that I work with. It's been great.
Luke Vander Linden: Yeah. As we continue to grow globally, as an organization, the RH-ISAC, which started in the US, we have mostly North American based members. But a lot of their teams are Middle East, India, Asia, and then increasingly Eastern Europe, Western Europe. So we're seeing that as well, which is interesting. And a lot of times we get the question about whether, particularly if we're talking with a company that may be based outside of North America, if there's a difference between or a validity to are threats going to be more regional, so European focus threats, or are they going to be more sector specific, in our case, consumer facing companies, retail, hospitality?
Marnie Wilking: Yeah. So in the experience, I've had in the multiple companies that I've been doing this, what I've seen is while the attackers might start in a given region, very rarely does the attack stay within that region. It's very often targeted at sector, and so maybe it will start in, you know, Asia, and then move to Europe, and then, you know, start moving around the globe. Or maybe they decide where they think, you know, the high value targets are, and start where those are, and continue to move through those high value targets, which are probably spread out regionally. So mostly, what I've seen is that it's not the threats, and the attacks themselves are not regional, but more sector based.
Luke Vander Linden: Right.
Marnie Wilking: But may start in a specific region. But I would caution everybody to not assume if you see something happening in a specific region, don't assume it's going to stay there. I think we have to assume that it's going to spread. And so by having organizations, like, RH-ISAC to share that information with, RH-ISAC is going to be able to take that information and extrapolate a little bit more and make sure it gets to the right members so that they can actually act on it or prepare for it before it actually starts to spread.
Luke Vander Linden: Right. Because it's just a matter of timing. Not if, but when on a lot of these things.
Marnie Wilking: Yeah.
Luke Vander Linden: So as we think about some of those threats that you just mentioned about how they start off in one place, but move around the globe. And you mentioned how some of them are more sector specific than just broadly. What is the importance where you would think for the RH-ISAC fits in that?
Marnie Wilking: Yeah. I think I'm very excited. We've been talking within the board about expanding more into AMEA. And I've actually started doing outreach and bringing more companies in. I really think that that will improve the richness of the information that we have. And I think just give exposure to what the ISACs are all about, making sure that we are sharing because, again, It's a very global economy now and the travel sector and the retail hospitality sector is very global. People are traveling more than ever at this point and buying things worldwide. So I'm very, very excited to continue our RH-ISACs mission and, like, expand into Europe, Middle East, and Asia and Africa, and start really, you know, building those communities of CISOs and security professionals throughout the world.
Luke Vander Linden: Now, we I think we'd benefit greatly from that support from you. We did in 2023, our first workshop in Barcelona, and then another one, pretty a couple of weeks later in London. And we're still putting together our plans for 2024. But I would say at least a couple of events in the region are definitely in the cards.
Marnie Wilking: Yeah. My team loved the event in Barcelona. And so we're looking forward to doing more of those with you too.
Luke Vander Linden: Excellent. We look forward to that as well. So at our summit this year, our Cyber Intelligence Summit this year, you were on a panel that focused on digital fraud, emerging technology, AI, some of these hot topics, emerging topics. As we look forward to 2024 and beyond, how do you see topics like these or other things affecting the threat landscape?
Marnie Wilking: Well, I mean, I think cybersecurity is, like, our whole jobs are risk management, right?
Luke Vander Linden: Right.
Marnie Wilking: It happens to be a specific piece of risk management. And we know from experience, the threats change on a regular basis, the threat landscape, the risk landscape. And so doing the regular analysis, and again, checking in with your peers, and your ice axe can really help with that, to say, you know, I'm seeing this thing is it just hitting me or is it hitting everybody? So understanding how that threat landscape is changing. Also getting information from other organizations on what are they doing for things, like, Gen AI? And I think most of what I've seen is, you know, Gen AI is a new technology and a new tool. Those happen every now and then.
Luke Vander Linden: Right.
Marnie Wilking: And so, putting various specific prescriptive requirements around how to protect yourself against emerging technology is sort of a losing battle, because you can't predict what's coming next. There's always going to be the next thing.
Luke Vander Linden: Right.
Marnie Wilking: And so I think as security professionals, as security leaders, our job in the emerging technologies space is to make sure that we're helping, where the business sees that they need to embrace it, you're going to need to embrace it. But figure out how do we actually help them embrace it in a way that addresses the risk, managers the risks to an acceptable level to your company. Different companies are going to have different risk tolerance.
Luke Vander Linden: Right.
Marnie Wilking: But, you know, understanding your business and how your business wants to use those technologies can be really helpful. We actually have had the opportunity internally within Booking holdings, because we have five different companies. And each of the five companies is experimenting a little bit differently with AI. We've been able to share those learnings with one another.
Luke Vander Linden: Wow.
Marnie Wilking: And actually speed up the process in, you know, in other areas, because we have those learnings. So that's actually a really fun thing to be able to do.
Luke Vander Linden: Yeah. So, well, I mean, we talk about AI often in this industry in a negative light, because of the threats that it has. And we, you know, we can't stop people from using it. You can't pro, you know, prohibition never works, but putting a positive spin on it and putting some guardrails around it. But you've as a board member, you've been very, a big champion of emerging technologies that are here to help us in a positive way. So can you talk a little bit about the importance of that in this industry as well?
Marnie Wilking: Yeah. I think that having -- a lot of us are involved in different groups, or we get calls or have colleagues that are, you know, that have a cybersecurity startup. Sometimes it's just a matter of getting those in front of other people and doing that one person at a time is hard. Some of those new technologies that are coming on the landscape to help us from a cybersecurity standpoint are really innovative and really interesting, and very helpful. And if you're moving into cloud, a lot of them are cloud native, which we didn't have, you know, five, 10 years ago. And so I think it's a really interesting space. And the thing I like about the RH-ISAC emerging technology forum is that it provides a way for all of us as members to bring, to the RH-ISAC. Hey, you know, I know this new company. I've seen this new technology, I think it's great. And I would love for everybody to see it. Because the more we share that and encourage and support the ones that have really great ideas, the better we will all get.
Luke Vander Linden: Right. And largely based on your instigation, we have created a couple of opportunities for these emerging tech companies to come in and present. And as you say, the challenge of doing it one on one, you know, at least to a larger group of our members who are interested. And that not only gets the word out about this technology, but gives them an opportunity to hear from CISOs and other cybersecurity professionals about whether this is valuable or not, or ways to tweak the product to make it and make it a little better.
Marnie Wilking: Yeah. I think having a forum like this for those companies to come to and get that feedback is really valuable to them as well. And all it can do is help improve the products as we move along.
Luke Vander Linden: So without necessarily naming any specific products, what kind of emerging technologies are you most excited about?
Marnie Wilking: So I do think talking about AI, I know that there are a lot of companies that have, you know, suddenly slapped AI on their product, it's really --
Luke Vander Linden: On everything.
Marnie Wilking: Yeah. A lot of it's still really, you know, machine learning. But at the same time, there are companies that are doing some really innovative things with AI to help in the cybersecurity landscape, so I am excited. I've talked with some colleagues about you know, how do we make sure we know the difference between somebody that's just saying they have AI and what's actually --
Luke Vander Linden: Sure.
Marnie Wilking: -- AI, and, you know, sort of separating those things out. And really what it comes down to is making sure you understand your use case, your team understands the use case. And you make sure that you understand where the data, where the model, data model is coming from. And whether it does in fact actually meet your use case. Because otherwise, it's a little bit hard to tell. But I do think there's some really interesting things coming out. I'm also aware that, you know, there's a macro economic climate right now that's putting some downward pressure on some of those companies, so I think we will probably see some mergers and acquisitions --
Luke Vander Linden: Sure.
Marnie Wilking: -- speed up over the, you know, hopefully, we don't lose many companies. But I think we will start to see some acquisitions [music] happening somewhere.
Luke Vander Linden: Marnie Wilking as firstname.lastname@example.org, thank you very much for joining us on the >> RH-ISAC Podcast. [ Music ] All right. I'm now happy to be joined on the RH-ISAC Podcast by Chip Witt, Vice President of Product Management at SpyCloud. Chip, thanks very much for joining us.
Chip Witt: Hey, thanks for having me.
Luke Vander Linden: So SpyCloud is an associate member of the RH-ISAC. We thank you very much for your support, especially in sharing your expertise and thought leadership, some of which I assume we'll hear today. But before we get into it, tell me a little bit about what you do, Chip. And for our listeners who don't know, what SpyCloud does.
Chip Witt: SpyCloud is leader in recapturing data that's been stolen by criminals, by many different avenues, whether that's breaches of organizations and the stealing of credentials and other PII, or, more increasingly, info stealing malware, taking people's information directly off their machines, and using that for all sorts of different types of fraud. And so we provide that to our customers to help them prevent fraud, and to prevent account takeover and other sorts of criminal activity on their networks. I personally, I'm responsible for the product management team. So I actually drive the product with my team to deliver the value to the customers that we serve.
Luke Vander Linden: That's great. And obviously much more needed as every day goes by. So what are the types of fraud? I suppose is ransomware. It's one of those things that always be in the top three, two, one of things that our members are thinking about and planning for. But every once in a while you hear someone say that threat actors are moving on to something else that's more valuable, but and then it'll of course, we'll come back and say it's the biggest threat again. So what is the state of ransomware right now as we sit here in 2023?
Chip Witt: It's kind of interesting you asked that question. Last year, we actually saw a little bit of a reprieve. We actually saw that ransomware had gone down in terms of criminal activity. However, it's come back with a wild rage here in 2023. It's on pace now to become the second costliest year ever for ransomware. That's just crazy. We just recently reported released a ransomware defense report and we have a lot of really interesting statistics and in depth coverage of what we're seeing in the market, but overall ransomware attacks remain very high. At least 81% of organizations surveyed for the report were affected by ransomware at least once in the past 12 months, so it's not going away.
Luke Vander Linden: Right? It's still here and we have our CISO, our Fifth Annual CISO Benchmark Report out right now and ransomware is always near the top for our members as well. So what does that mean for industries like ours, retail, hospitality, consumer facing businesses?
Chip Witt: Well, people often talk about the two truths in life that, you know, death and taxes. There are actually three underwritten truths that also exist around cybercrime. Cybersecurity is an ever shifting landscape. That's number one. Number two, criminals are ever vigilant. And number three, humans are going to human. It's impossible to solve 100 percent of problems around human behavior. Phishing, social engineering attacks, they're always going to work to some degree. So security teams need to adjust their approach and layer on additional technology driven measures beyond awareness and training to mitigate the inevitable risks of human driven behavior.
Luke Vander Linden: Right. And obviously, without mentioning any specific incidences recently, a lot of social engineering is at the foot of all this. So turning to, SpyClouds work in, like, ATO and identity protection, passwordless access or passkey seem like a really cool buzzword or a solution to the cybersecurity space right now. I've only personally experienced it with a couple of the accounts that I have. What's your view? Should retailers be going passwordless, since passwords are apparently such a big problem when it comes to access and compromised accounts?
Chip Witt: Well, passwordless is just a different type of authentication security. It's really a solution that solving for convenience for users, making it easier to manage logging in, logging out, that sort of thing. And solves for an actually big problem around cybersecurity, which is password reuse. This is something that has cost a lot of money to organizations and data breaches where people are using a single password across multiple sites. However, at its base, it's still a form of access and authentication. And as technology evolves, and allows for things such as passkey authentication, criminals evolve along with that, right, and they figure out new ways to do something with that data. If nothing else, criminals are very, very innovative. And they're already finding ways to bypass authentication methods altogether to gain access, which means it's not necessarily more secure. Passkeys come with their own challenges. They're recovery issues that can lead to vulnerabilities, as well as new malware that targets where passkeys are stored on the individual users devices.
Luke Vander Linden: Right. So what are these new ways to bypass authentication?
Chip Witt: Well, one of these new cyber threat methods includes using stolen active session cookies to commit what's called session hijacking. And this essentially negates the effectiveness of these traditionally used username passwords or new passkey protections. So cyber criminals use info stealing malware to exfiltrate cookies, among a plethora of other data types and PII from infected devices and insert them into anti detect browsers, which is a new term. It's basically a tooling kit that allows criminals to take that data and plug it in and look like the user. And you can't distinguish them from legitimate users at that point, because it's legitimate users data. Interesting stuff. Posing as legitimate users criminals can move through network uninhibited, perpetrate all sorts of fraud, facilitated ransomware attacks, steal critical company data, all sorts of crazy stuff. Because session cookies are used to authenticate a user's identity, doesn't matter if the user logged in via username or password, passkey or completed a multi factor authentication requirement to log in, a session cookie bypasses all of that. Last year alone, SpyCloud researchers recaptured 22 billion stolen cookie records, which indicates criminals are shifting tactics to steal, buy, and trade this highly accurate and highly valuable data minimizing their need for larger breach data sets that may be clouded with old outdated, and for their purposes, somewhat useless data.
Luke Vander Linden: Wow. So I mean, it's it sounds a little bit of doom and gloom here. You know, as you said, cybercriminals always innovating, always finding new ways to get around security solutions. What can we do to not feel completely defeated about this situation?
Chip Witt: Well, I mean, there's a bigger picture that needs to be looked at when it comes to securing your organization. To strengthen network defenses and protect customers, companies and security leaders have to have a clearer understanding of how criminals use stolen data for gaining access to their organization, and to protect themselves against these threats. Training and education is still crucial, as is implementing usage of password managers, multi factor authentication. Other actions you can take, disabling remember me options on platform login pages, and frequently deleting cookies stored in browsers reduce the risk of session hijacking. These things combined will create a multi layer security strategy. But admittedly, it's still not enough anymore. Implementing a comprehensive post infection remediation strategy or PIR to proactively address the risk of stolen, but still active data being used for follow on cyber attacks. The post infection remediation approach involves a series of steps that augment existing incident response protocols to effectively remediate info stealing impacted devices, applications, and users. This approach mitigates damage to organizations by addressing the threat of stolen data before it spirals into a full on security incident. Using a PIR strategy, leaders and executives can create a successful cyber incident response plan that allows security teams to proactively reduce the threat posed by stolen session cookies and other exposed authentication data.
Luke Vander Linden: Wow. Great, great, great advice. Just, you know, looking forward, I often ask my guests to get out their crystal ball. What can you tell us is coming up for you guys and for the world of cybersecurity and ransomware?
Chip Witt: Well, as we already said, cyber criminals continue to innovate, continue to evolve. We solve one problem, they come up with a solution to attack us in different ways. So you have to stay ever vigilant. I used to like to say in all my speaking engagements that, you know, a criminal only has to be right once. As security defenders, we got to be right every single time. So staying on top of things, making sure that you're doing the right things to not just respond to threat, but to be more proactive and increase your scope of visibility will be increasingly important as we move forward into the future because that's what the criminals are doing. They're trying to outthink us.
Luke Vander Linden: Excellent. Great advice. Chip Witt, Vice President of Product Management at SpyCloud. By the way, as an associate member, you do have an offer to our RH-ISAC members to do a two month look back at those stolen web session cookies you were talking about, complimentary for our RH-ISAC members. To find out how to access that, go to our website, our rhisac.org and click on membership in the navigation and then associate membership. Or if that's too much, just email us at support@ rhisac.org, and we'll point you in the right direction. Chip, thanks so much for joining us on the RH-ISAC Podcast. [ Music ] All right. We are now joined as we are every other episode by the RH-ISAC's own Lee Clark for The Briefing. Thanks for joining us, Lee.
Lee Clark: Pleasure, as always.
Luke Vander Linden: Now, you usually give us a rundown on the trends you're seeing in our sector, but three times a year you do a really deep dive on the trends from our sharing platforms. And we just published that report.
Lee Clark: Yeah. That report is called the intelligence trend summary. We've talked about it here on the show before. Once upon a time it was called the Clear Report. And essentially what we do is we get our research and data analytics and education team to put together a really detailed look at what topics members are sharing on over the course of the previous four month period. And we look at how those trends measure up against the previous period, right? So it's a really good way to track trends for our membership to see what the overall threat landscape looks like as reported by members.
Luke Vander Linden: So what are we seeing as far as maybe techniques or threat vectors that actors are using?
Lee Clark: Sure. So the most interesting thing in the report this year for me was that generalized credential harvesting disappeared off the main threat report, right? Typically, credential harvesting and fishing trade places for first place, the most reported trend by members. Now, this year, we lost credential harvesting completely. And that's interesting because it's almost always number one or number two. And instead what we have is phishing in first place with Microsoft related threats being in second place. Now this is interesting because these Microsoft threats they're being reported by members are almost certainly credential harvesters. But what this shows us is that members are, one, reporting a more diverse threat landscape, first of all. And second of all, members are doing a deeper investigation into what credential harvesters are looking for when they are targeted, and they're discovering that they're looking for Microsoft credentials. So this second place Microsoft is almost certainly members seeing emails impersonating Microsoft services, like, OneDrive or even office logins, right, for O365 login pages that are attempting to steal people's Microsoft logins. Right? So those qualify as credential harvesters, but we're seeing it reported at a more specific level. So that's the most interesting thing. The second most interesting thing that I would bring up is that ransomware comes in both second and fourth place this year. Generalized ransomware, just the topic of ransomware, is third place with 13% of total reporting, but right behind it is Clops, specifically Clop at 11%. Now, of course, the membership, and our listeners will remember that Clop went on quite a spree over the course of summer exploiting the MOVEit zero day. And we've reported that here on the podcast as well. In addition to that, I'd like to note as a little taste of what's to come a little forecast, that in the Holiday Threat Trends Report that we're going to release here in the coming month, that will include a significant retrospective look at the ransomware threat landscape for 2023 as compared to the ransomware threat landscape of 2022. All of this data is member sourced as well. So it's specifically what the RH-ISAC communities ransomware threat landscape looks like comparing this year so far to last year. And a lot of this will be based on data collected from my talk at the summit last week. Right?
Luke Vander Linden: Right. You have a lot going on. So a lot of the same tried and true threats that we're seeing some of the basics, right?
Lee Clark: Sure. So if we look at malware that members see, specific attributed malware that members report to us, there are no surprises or significant changes whatsoever, right? Cobalt strike comes in first, overwhelmingly reported by members. Then we see Cuba in second place, Agent Tesla in third place, Ice ID in fourth place, all of those are I could have predicted those off the top of my head, right? So these tried and true tools that threat actors are using to target our community remain just static. Oldies, but goldies, right?
Luke Vander Linden: Sure. But I liked that members are kind of digging deeper and doing a little bit more analysis and then sharing it to the community as well, as you said with the Microsoft stuff.
Lee Clark: Yeah. It's a testament to how increasing capabilities of our membership actually trickles down, to use a loaded phrase and to our entire membership. So one member significantly improving their technical analysis capability actually ends up strengthening our entire community with our ability to correlate data and determine trends for the community. We're not -- we're getting more and more specific and focused all the time as our members develop their own programs, and we develop ours to keep in touch with them.
Luke Vander Linden: Excellent. So what else do we learn from the top sharing trends?
Lee Clark: Sure. One thing that I would point out on the podcast in the past, we've talked about the threat actor Galaxy project that the intel team here at the ISAC is working on, right? We have a number of active threat actor profiles that we've put together, those include public incidents, closed source intelligence, TTPs, technical indicators, right? And what we've seen so far is that Fin6, scattered spider TA 505, APT 38 are topping the list of threat actors that our membership reports is attacking them. And all of those threat actors are organizations that we profiled immediately because we knew a little bit about this data in advance, right, when we had previous periods data, and we were able to determine that those are the groups we need to focus on. So at the same time, our membership is reporting that these organizations are the ones that are most prevalently targeting them with advanced techniques. We are also profiling them to try to help members with a little bit of active defense for those groups.
Luke Vander Linden: I love that, that whenever we brought up a threat actor, chances are we've already profiled them, which is terrific. Moving from CTI to more general request for information, what kind of trends did we see over the last three months in that area?
Lee Clark: Sure. So overwhelmingly, at the ISAC, we have seen a number of topics come through as key areas of interest for our membership, right? One of the key ways that members engage with us through requests for information, right? And we get those primarily through our analysts community and through our CISO community, and we see a lot of overlap with what these two communities requests information for, right? Overwhelmingly, they're asking questions about identity and access management, right? IAM processes, tools, procedures. They're also talking overwhelmingly about vulnerability management and fraud, right? We've kind of joked here at the RH-ISAC, that fraud is the buzzword for this year. 2023 is the year of fraud for the intel team in a number of ways. And it makes sense that it's one of the most important topics, as reported by members asking us questions about mitigating those types of threats, right? So that's at the CISO level, for the most part. If we come to analysts RFIs for this same period, it's interesting. Overwhelmingly, what we see questions from analysts are, are in security architecture, how to manage data within security architectures, how to make tools work together within your architecture. And then the second one is on risk management, how to make those enterprise operations as safe as possible and to make them conform to regulations. Right? We see those questions a lot this year.
Luke Vander Linden: Right? Well, I mean, it is a great report. Just it's hot off the press. And I said three months. It really covers a four month period. So I encourage everybody to give it a deep read. And but though, because it uses data from our sharing channels, the full version of the report is TLP Amber Plus and members only. You have created a TLP clear version that's been sanitized though. So if you're not a member of the RH-ISAC and would like a copy of that version, you should reach out to Claire Green on our membership team at email@example.com to request it, and she'll send it your way. Now, Lee, before you go, unfortunately there's that terrible situation over in Israel right now. And with any conflict like that, there's always reports of cyber warfare being part of the activity. What do we know about any cyber tactics involved?
Lee Clark: Sure. So there are overwhelming reports of a number of different cyber activities related to the conflict, including state sponsored as well as cyber criminals and what are commonly referred to as hacktivists. Right? Or what we would describe as politically motivated threat actors. The primary risk, in my view for the RH-ISAC community and for our listeners who work in the retail and hospitality space, is on politically motivated attacks against organizations that make public statements related to the conflict, right? Publicly announcing support for one organization or another, or in the form of, for instance, say hosting a conference of a group that is affiliated with one side or the other. One thing that we see historically is that, especially website defacement and DDoS attacks, as well as doxing and occasional data leaks end up becoming pretty prominent cyber attacks that we see against organizations. And I mention this specifically, because it's not uncommon for a large retail or hospitality or travel organization with an international presence to voice support for a group after some type of tragedy. It makes sense, right? And when organizations do that, their security team should be aware of the risks related to that. And those primarily come from politically motivated actors. But I'd be remiss if I didn't point out that a number of cyber criminal organizations including Russian and Middle Eastern organizations, have made public announcements on our telegram channel that they will conduct cyber operations in support of one side or the other. Right.
Luke Vander Linden: Right. Of course. So, well, thanks for that. And by the way, it was absolutely terrific to see you in person earlier this month in Texas. You mentioned the summit. Most of the RH-ISAC staff only gets to see each other once, maybe twice a year. So great, great opportunity for us, and a great summit.
Lee Clark: So I know I'm biased, right? But it is my favorite cyber event we have of the year. And I think it's a testament to Alex and Joe and Sam, our events team. They put together a show with a disparate group of attendees with a huge diversity of interests. And then they put together a content specials that cater to these, right? So at the summit we had, we had dark web programming, right? We had ransomware programming. We had active deep dives into threat intelligence investigations. We had IAM presentations. So if you were an incident response engineer, there was for active content at the summit related to your job and how to do it better. If you were a threat intelligence analyst focused on fraud, there was content for that. If you are a hotel security analyst, we had a panel for that. And overwhelmingly, the feedback that I tend to get from membership is that our events tend to be so focused on making their jobs easier, and how to build skill sets for those jobs, that our event becomes a must attend, right? That's a little bit of bragging. But it's also an opportunity for us to build camaraderie and rapport, both between the ISAC staff, which ultimately helps our members and for our membership. Our members are so warm and welcoming, and just shockingly intelligent, and capable and solid at their jobs. And when you get these people all together in a conference space, you can actually feel the brainpower in discussions about how the community is running cyber operations. It's a unique atmosphere among professional cyber focused events. And I think the focus on hard skill sets and hard issues facing the community really makes it a unique event for our membership. Right?
Luke Vander Linden: Yeah. [Music] And, you know, we have, you know, we exist to have our members interact with each other, but it's so important for them to be in person to build that rapport, as you said. Well, hopefully the events team and by the way, this summit organizing team, which is part of our membership, all the speakers, presenters that we had, I hope they're listening to those great words that you had to say about the summit. As always, Lee, thanks for joining us on the podcast. [ Music ] And, of course, thank you to all of my guests. Marnie Wilking, CISO with Booking.com. Chip Witt, Vice President of Product Management at SpyCloud. And, of course, Lee Clark, whose insights are always, always terrific. By the way, if you want more information about anything we've discussed today, how to use our [inaudible 00:47:05], the Intel Trend Summary Report, our Associate Member Program, or just want someone to bounce some ideas off of, keep it cybersecurity related, please, shoot us an email at firstname.lastname@example.org. Or if you're a member, find us on Slack or member exchange. And if your company is not yet a member of the RH-ISAC, what are you waiting for? Go to rhisac.org/join to learn more and to start the process. As always, thank you to the production team who do their best to make the sound good. For the RH-ISAC, that's Andy Chambliss and Marisa Trishanekki [assumed spelling]. And from N2K Networks, formerly known as the CyberWire, that's Jennifer Eiben, Tree Hester, and Elliot Peltzman. And thanks to you for tuning in. Stay safe out there [ Music ]