Threat Vector 3.21.24
Ep 18 | 3.21.24

Public Meets Private: Forging the Future of Cyber Defense Unpacking Congressional Testimony from Sam Rubin


Sam Rubin: There was a hospital actually from my home state of Vermont there coincidentally. And there was a school district from Texas. And they both spoke about their experience as victims of ransomware attacks. And the administrator from the Vermont hospital, what he said was pretty remarkable in that they ended up spending more in the ransomware response and recovery at the hospital than they did through all of COVID and sort of adjusting their protocols to providing patient care during that pandemic. So just incredibly painful and impactful experience for them to go through. [ Music ]

David Moulton: Welcome to Unit 42's "Threat Vector" where we share unique threat intelligence insights, new threat actor TTPs, and real world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host David Moulton, director of thought leadership for Unit 42. [ Music ] Today I'm talking with Sam Rubin, VP and global head of operations at Unit 42, about his testimony to Congress. Sam shared insights about the evolving sophistication and speed of ransomware attacks, the changing tactics of threat actors, and the impact on sectors like education, healthcare, and government. He also talked about the importance of AI and automation in cybersecurity defenses, and the importance of public-private partnerships in combating cyber threats. Let's get right into this conversation. Sam, you traveled to Washington, D.C, sat before Congress. What prompted you to go out to D.C and talk to our legislators?

Sam Rubin: As a company, Palo Alto Networks is very engaged with the federal government as well as state and local governments. And we got this opportunity just because of the relationships that we have with various law makers. They had scheduled a hearing in September on the threat of ransomware and how it's impacting organizations. And so just as part of Palo Alto Network's relationships, we had this opportunity. And it was offered to me. And, you know, I jumped on it.

David Moulton: So your testimony placed a significant emphasis on the evolving sophistication of ransomware attacks. What have you seen in this regard and how should this evolution change the approach to cybersecurity?

Sam Rubin: I've been in this space doing instant response for 20 years, and really helping organizations respond to ransomware ever since it's been sort of a threat out there that organizations have faced at least 10 years. And there's been quite an evolution over that time. Back when we started, I would characterize the attacks as sort of spray and pray, indiscriminate, targeting based on phishing. And then what would happen from a demand standpoint, you're looking at, you know, $500, $1,000, to decrypt. Contrast that with where we are today where many of the targets are large enterprises, large state or federal government entities. The demands are in the, you know, hundreds of thousands to millions of dollars. I think our median demand is around $650,000 that we see. And the tactics that are being used are much more sophisticated in terms of how they're getting in and also what they do after the threat actors break in. Just a constant evolution of sophistication and speed really.

David Moulton: Talk to me about that sophistication and speed a bit more.

Sam Rubin: First of all let's talk about how they break in. If you're thinking of it from a minor attack standpoint, it's the intrusion vector. How are they getting into the organization? And one of the things that we see in terms of sophistication is rapid weaponization of disclosed vulnerabilities. So things that are essentially like a zero day kind of, you know, day one after notification or, you know, within hours of notification we star to see weaponization of those vulnerabilities and you know our instant response team starts to get the call for attacks that have followed from those very newly disclosed vulnerabilities. I think, you know, for example, right now the past week or two we've seen the Ivanti VPN being an example of that. But it's -- it's constant. It's sort of what's disclosed leads to very quickly rapid weaponization. And that's -- that's a newer trend. Then when we talk about after they break in, sort of post exploitation, the sophistication is coming in how quickly they're moving from intrusion to exfiltration. And we're seeing that drop. This is something that we've measured for some time. And between, I think, you know, where we were in 2021 where that dwell time was about 30 days or so, we're seeing it now, you know, 1 to 2 days. So just they're getting in. They're going much more quickly in terms of when they're taking data, locking files up. And that's making it very, very hard to defend against.

David Moulton: Sam, how should this evolution change the approach to cybersecurity?

Sam Rubin: In many ways, David, some of it is what we already know. Some of it is the same message that you've heard practitioners and security leaders saying for years which is, you know, that the hygiene having a robust vulnerability and threat management program, having readiness baked into your infosec program in terms of your response plan, having redundancy, those are all things that we've been hearing for a long time. But I think beyond that, you know, what's new or what's different is because of the rapid exploitation of vulnerabilities and the sophistication of the post exploitation activity you need to think about your defense strategy a little bit differently. If you are going to be defending against a vulnerability that, you know, comes on the scene within hours, there's not much you can do. Yes. You should have that threat management and vulnerability management program. But you need to think about it from a defense in depth standpoint. You need to assume breach, that there will be a foothold in the environment, and it's about what you can do after that to make sure that there isn't that break out from that patient zero to infect the rest of your organization. So can you contain and detect and stop on patient zero? That -- that's a big part the strategies that we advocate

David Moulton: In your testimony you specifically mentioned ransomware threats to sectors like education, healthcare, and government. What is it about these sectors that make them targeted so much more often?

Sam Rubin: Education, healthcare, and government. I think collectively if you look at them they represent what I would say are resource poor, but target rich environments. Target rich in that they often have large digital footprint, a large attack surface, a very diverse set of IT infrastructure which oftentimes isn't as tightly controlled or managed as you might get in a corporate environment. Right? Like if you think about a university, for example, there's a lot of autonomy sort of allowed within different schools, divisions, and as a result of that you can think about students as well. You've got a very sort of lax state of security controls. And then you combine that with a common sort of lack of funding from a security standpoint. Right? A lot of these organizations, state and local governments specifically and municipalities, they don't have the resources or the budget that they might want otherwise to spend on cybersecurity. So you put all that together. It just creates a very sort of opportunistic environment for the threat actors.

David Moulton: And you mentioned this just a moment ago, that the attacks are changing. And you certainly dedicated part of your testimony to discussing the rise of harassment and multi extortion in ransomware. Why do you believe it's important for organizations and policy makers to understand these particular tactics?

Sam Rubin: Yeah. First of all, some context on that. Again if you go back a couple of years when we would respond to ransomware attacks really it was just that it was just the encryption of systems. And you know we would do the forensic investigation to determine how they got in and what they accessed, and almost all the time we would see that they just sort of beelined to encrypting files. And they weren't, you know, doing a lot of other reconnaissance. They weren't taking information. Contrast that with today and over 70% of the IR matters we do we're seeing another factor of extortion. So most commonly being data theft. The threat actors are spending time to go seek out sensitive information assets whether it's, you know, patient information for a healthcare organization, intellectual property and source code. All these types of things that when they take really ups the ante and changes the leverage of, you know, what they can demand from an extortion standpoint. And you asked why it's important. Really comes down to the additional risks introduced by data theft. It's one thing to have your systems locked up and that be disruptive to your operations. It's another where you actually are losing control of information that you're charged with safeguarding. Another consideration. What if you're, you know, in technology, and your source code which is your -- essentially your intellectual property is going out the door. That can really raise the ante in terms of harm not only to the victim organization, but also to, you know, customers or patients or investors. So it just broadens the -- broadens the impact.

David Moulton: AI and automation were key topics in your testimony. What led you to emphasize those technologies and how do you foresee them shaping the future of cybersecurity defenses against threats like ransomware?

Sam Rubin: Congress was really interested in hearing from Palo Alto Networks about both AI as a threat as well as AI in cyber defense. And from a lawmaker's perspective they're really looking at, you know, what do we need to do to be thinking about how we protect our citizens from the risks of AI whether that's sort of discriminatory lending practices, whether it's the bad guys using AI? But they also acknowledge that AI can be used as a force for good. And really that's a lot of what I focused on in my testimony is how as defenders we can be using AI to do a better job in protecting our organizations.

David Moulton: Now that you've testified in front of Congress on ransomware attacks and the sophistication and speed that we're seeing, what impact do you hope your testimony will have on lawmakers and their approach to cybersecurity policy?

Sam Rubin: I think there's really two things. The first is just simply awareness. Right? So I think a lot of -- a lot of good can come from there being greater awareness sort of outside the circles of infosec, outside the circles of the SOC, for people to know what the threat is, what the risks are, and what needs to be done about it. I think just awareness helps in everything from, you know, that user not clicking on that phishing link to leaders in organizations allocating more budget so that, you know, us as defenders have the tools and the resources and the colleagues that we need to better protect ourselves. So I think a lot of good comes from that awareness. And then the second one is, you know, Congress holds these hearings because they're looking to see how they can help and what they should be doing. And so that's part of what they asked. Like, "What can we do as lawmakers to fight against this threat?" And, you know, this is the law making branch, the legislature. So they're not -- they're not law enforcement, but certainly, you know, from a budgeting standpoint, you know, they hold the keys to the bank, so to speak. And so understanding that federal law enforcement could do more from an enforcement standpoint in going after some of these groups. That international collaboration with some of the other nation states where some of these threat actors may reside and international diplomacy can go a long way. And then being aware that some of the grant programs that they've been responsible for passing in different laws, that those also go really a long way to helping a lot of state and local government entities get the budgets that they need to defend themselves, to adopt better cybersecurity practices and tools and have those resources.

David Moulton: Do you anticipate that the insights on ransomware attacks that you testified about will influence future cybersecurity legislation or amendments to existing laws?

Sam Rubin: I don't have any direct or specific examples of that, but I certainly hope so. I certainly hope that when certain funding initiatives come up that the lawmakers have that awareness and that they say, "Yeah. This is something that my constituents need." Right? This is something that people in my home state, you know wherever it may be, you know Texas, Vermont, that they will benefit from. And, you know, one of the things I didn't mention, David, is that on the panel with me in Congress, you know, I represented the perspective of the cybersecurity industry and what companies like Palo Alto Networks are doing. But there were also victims on the panel. There was a hospital actually from my home state of Vermont there coincidentally, and there was a school district from Texas, and they both spoke about their experience as victims of ransomware attacks. And the administrator from the Vermont hospital, what he said was pretty remarkable in that they ended up spending more in the ransomware response and recovery at the hospital than they did through all of COVID and sort of adjusting their protocols to providing patient care during the -- during that pandemic. So just incredibly painful and impactful experience for them to go through.

David Moulton: Absolutely. And it siphons away resources for a school or for a hospital or any organization to meet their mission to deal with this, this scourge that's a part of our daily lives right now.

Sam Rubin: Yep.

David Moulton: In your testimony you emphasized the importance of public-private partnerships in combating cyber threats. And you were alluding to that a little bit about how can we bring grants together and how can we take the experiences of a hospital or a school district and make them the kind of thing that move legislation, move lawmakers, in a direction to, you know, fund and bring about change through laws? What impact do you think your testimony will have on strengthening these collaborations?

Sam Rubin: Yeah. I hope that the stories that we told, that I told, about you know what we do when we're helping an organization respond to a ransomware attack, I hope that the stories that were told by the hospital and by that school district help the lawmakers understand, you know, the pain points, number one. And two, the benefits of the programs that they fund. And so from a private-public partnership standpoint there's also this aspect of information sharing. You know, of which the Congressional testimony was one example. But just on an ongoing basis programs like the JCDC as well as some partnerships with CISA and other federal entities really go a long way to helping the government understand more about the tactics and techniques of the threat actors, and then help the private sector sort of understand what the government is seeing in their investigations and analysis of, you know, what these threat actors are doing. So that threat -- that information sharing just sort of makes us all better at protecting ourselves.

David Moulton: You discussed the importance of preparing the cyber workforce for tomorrow. How should educational institutions or training programs approach cybersecurity education?

Sam Rubin: I think we've seen tremendous progress in it being even part of the curriculum. You know, certainly when I went to college while there was sort of CS as a discipline, there certainly wasn't really cybersecurity. Now a lot of universities and colleges have cybersecurity specific programs. You know, we partner with a number of universities to, you know, talk to their students, to recruit, and so I think just first of all recognizing that there's a need and, you know, there is a tremendous shortage in the workforce for having trained cybersecurity experts and having people who are, you know, ready to enter the workforce in this area is a huge step in the right direction.

David Moulton: Sam, this has been helpful for me to learn a bit more, a bit deeper, about what your impact is when you go in front of Congress. I'd wonder what you think the most important thing our listeners should remember from this conversation is.

Sam Rubin: No organization or entity is in this by themselves. And that, you know, we're all stronger when we share information from a threat intel perspective. We're better off when, you know, maybe as a state or local government entity we can avail of programs supported by the federal government where if you're a commercial entity or running a cybersecurity program having great partners to bring in, you know, when you need to break glass and get some help. And so hopefully you can do that proactively to secure your organization, but then hopefully you've got a team there on speed dial should you need additional help in the context of an incident.

David Moulton: Absolutely. Sam, thanks for joining me today on "Threat Vector."

Sam Rubin: Yeah. My pleasure. Thanks for having me on, David. [ Music ]

David Moulton: In reflecting on this conversation and the testimony that Sam gave, I think it's important for us to revisit the significant shift from the spray and pay to the highly targeted schemes that Sam talked about. He mentioned that the median demand was 650,000, and I had to go back and look in our ransomware and extortion report to see the details around this. While demand was 650, median payout was only 350. And I say only, but on the high end we observed some demands as high as $50 million and payouts reaching $7 million. That's a significant payout. And if you're concerned about ransomware and extortion, you should check out our webinar Unabashed, Unashamed, and Unpredictable, the Changing Face of Ransomware. Sam along with Unit 42's managing partner Chris Scott and consulting directors David Faraone and LeeAnne Pelzer share what it takes to keep your organization protected. I'll include a link to that webinar in the show notes. That's it for "Threat Vector" this week. I want to thank our executive producer Michael Heller, our content production teams which includes Sheida Azimi, Shelia Droski, Tanya Wilkins, and Danny Milrad. I edit the show and Elliott Peltzman is our audio engineer. We'll be back in two weeks. Until then, stay secure, stay vigilant. Goodbye for now.