How Cybercriminals Leverage Disruption for Maximum Impact
Wendi Whitmore: These attackers know that if they cause true business disruption, an organization's ability to operate with their partner ecosystem, with the vendors that are so critical to doing their job, and then to provide services to their clients, it's like on the healthcare front, we're seeing an impact in billions of dollars, in some cases really impacting GDP of particular countries throughout the world, because of the downtime that's being caused by just the level of these attacks. [ Music ]
David Moulton: Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience, and uncover insights into the latest industry trends. I'm your host, David Moulton, director of thought leadership. [ Music ] Today I'm speaking with Wendi Whitmore, the senior vice president at Palo Alto Networks, who leads the Unit 42 team. With an impressive background spanning government, academia, and industry, Wendi is a recognized leader in national security and cybersecurity. She's contributed her expertise to the U.S. Department of Homeland Security's Safety Review Board, served on advisory boards for Duke University and the University of San Diego, and actively engages with organizations like the World Economic Forum. Throughout her career, from serving as a special agent with the U.S. Air Force, to leading global cybersecurity teams at Mandiant, CrowdStrike, and IBM, Wendi has demonstrated an unwavering commitment to safeguarding organizations and individuals from cyberthreats. Today we're discussing the increasing speed and sophistication of cyberattacks. As cyberthreats continue to evolve, how can organizations keep pace with attackers and adapt their strategies? This is critical for organizations' operational resilience and for the national and global security landscape. Here's our conversation. Wendi, welcome back to Threat Vector. It's always a pleasure to have you on the podcast.
Wendi Whitmore: First, David, great to be here. Excited to be on Threat Vector. Love this show, love listening to it, so happy to talk to you again today.
David Moulton: In your last appearance, we talked about the evolving speed and sophistication of cyberattacks, and how AI is becoming a gamechanger for attackers. I remember you specifically pointed out how AI is enabling attackers to move faster, reducing language barriers, and increasing the effectiveness of social engineering tactics. That conversation really opened a lot of eyes in our audience. Before we dive into today's discussion, I'd love to revisit your work shaping the next generation of cybersecurity professionals. You're involved with academic institutions like Duke University and the University of San Diego, helping guide future leaders in this field. Could you share a bit more about your passion for mentoring these students and what skills you think are most critical for their success in cybersecurity?
Wendi Whitmore: Well, I think it's no surprise that there's a massive shortage of jobs that are filled today, right? So we don't have enough skills in cybersecurity to fill the jobs we have today, and those jobs are likely only to continue to grow. So the more great students we can get involved at an early age, the better. One of the areas we want to continue to focus on is just awareness, so making sure that students, not just starting at the high school level, but certainly before that, are aware that cybersecurity is a great field, that there's some really cool jobs out here that are challenging, and that going - that those students are then going into the college programs at the undergraduate level, and then continuing that, right, at the graduate level, to really hone those skills, and then have great opportunities for really fulfilling work moving forward. So the more that all of us can do to get great students in the pipeline, the better.
David Moulton: My daughter came into my office about a year ago and told me, dad, I want to go into the FBI. And she goes, I like helping people, and I like solving puzzles, and had an opportunity to visit the San Antonio FBI office and - and visited with the CART team there.
Wendi Whitmore: Oh.
David Moulton: And that ended up being that awareness that this career exists, and that this is a really valuable place to spend your - your time and your - your talent, and you know, go crack some tough problems, and I love it that you're an advisor to students. Those students are really, really fortunate to have such a great mentor in you. And so today we're going to get into adapting to some new attack vectors, and we've got a lot to cover, so let's jump into our conversation. Wendi, we've seen a huge surge in high-profile attacks targeting a lot of different sectors. Could you share some insights into the most impactful cybersecurity attacks in recent years, and what made them so damaging?
Wendi Whitmore: So over the last year to let's say year and a half, what we've seen is just a huge increase in the scale of the attacks, and the sophistication of attackers, and certainly the speed with which they're operating. When I'm mentioning sophistication of attackers, I'm going to focus particularly right now on cybercriminals, and just our ability to really understand how businesses operate, and how they work together, what that organizational landscape looks like in terms of when contracts are awarded, how an organization onboards a vendor, how they offboard a vendor. And then what results in that are times where there may be more vulnerabilities based on access to credentials, access to certain providers. But that said, I want to really specifically talk about the last six months. And what we have seen now, more than ever, is disruption of business and very specific, intentional disruption to the end customer and the end consumer. And it really seems to be that if you can bring pain to the end consumer, the attackers can leverage the end consume to put pressure on businesses to make decisions faster, and what the attackers are hoping is that that ultimately commands a higher payout in terms, and in the form of a ransom. We have seen the payments of ransoms I think become an even hotter topic. At this point, just in 2023 alone, Chain Analysis provided a record $1 billion in ransomware payments that were made in that year alone. And if you think about that, that's only really what's recorded and what's known. That number is actually likely to be a good amount higher, and the reality is that these attackers are taking that money, not only paying themselves, and their teams, and all of the delegate systems they have set up, but they're also leveraging that to invest in future R&D, and making sure that their capabilities continue to grow and become even more advanced, and I think that's pretty concerning.
David Moulton: Amazing to hear you talk about a billion dollars in ransom paid. You also mentioned how some of the attacks seem like they are focused on disruption and chaos. What have you seen in regards to that destructive or disruptive modern threat?
Wendi Whitmore: Yeah, David, I think these attackers know that if they can cause true business disruption in abilities - an organization's ability to operate with their partner ecosystem, with the vendors that are so critical to doing their job, and then to provide services to their clients, certainly then there's going to be a lot of dialogue at the business level around, hey, how do we make this problem resolved as quickly as possible? In some of these cases, like on the healthcare front, we're seeing an impact in billions of dollars, in some cases really impacting GDP of particular countries throughout the world, because of the downtime that's being caused by just the - the level of these attacks.
David Moulton: And so it sounds to me like the shift has gone from a targeted business to upstream or downstream to grab that leverage. Is that a new tactic or are we kind of coming back on a cycle here?
Wendi Whitmore: No, that's a good question. I think when we look at disruption kind of over the years, there's certainly a number of attacks that we could use as an example, but when we look at ransomware, I think the one that's most widely known was Colonial Pipeline. And in that case, there was a lot of business disruption caused, but the thought process around it was that wasn't intentional by the attackers, right? That was a byproduct of actions that the organization decided to take to decrease our operational impact. Ultimately, you know, resulted in these crazy long lines along the eastern seaboard to try to get gas. Well, what we're seeing now is very much intentional, and an attacker who wants to disrupt an organization's ability to deliver those end services. Whether it's healthcare, whether it's, you know, checking into a hotel, whether it's the ability to buy a car, there's so many examples over the course of just the last six months alone, and the attackers are really leveraging that to their advantage at this point.
David Moulton: So it seems like there was a - an accidental learning, and now that's been applied and scaled, and they are finding new tactics or new sophisticated ways of getting leverage over businesses. In Unit 42's research, we've seen that increase in the speed and sophistication, as you mentioned earlier, in cyberattacks. What are the factors that you think are contributing most to this trend, and could you give a couple of examples?
Wendi Whitmore: Definitely. So one is just the scale of data that's available out there. So you look at all of these massive breaches that have occurred, that have resulted in the loss of credentials, right, for their organizations, and ultimately then those credentials get - tend to be bought and sold on the dark web, placed on a variety of forums, and attackers have access to these. So they're using that volume of information to break into environments in a much more rapid manner. They're also leveraging vulnerabilities at scale. So no longer really looking at just, hey, you know, I want to get into this one organization, how - what kind of information can I find out about how to do it. It's really about, hey, I want to leverage pieces of software that are widely used in order to be able to break into multiple organizations at the same time, and then be able to move as rapidly on the inside, once I'm inside the environment, to get access to more information. Whether that's to steal it and then extort it later, whether that's to cause disruption, there's - it's really kind of off to the races from that point.
David Moulton: Yeah, it seems like the model of software to be as distributed and used as often and as many places as possible, touching as much data, having as many integrations as possible, ends up being kind of the other side of the coin, giving the attackers an advantage if they're able to find a way to grab leverage, because they have access to such a massive trove of data. What are some of the recommendations that you give to organizations who are facing this seeming huge problem?
Wendi Whitmore: Well, I think what you're really highlighting, David, is the reality that the attackers have a lot less rules to play by than the defense teams do, right? And they use that to their advantage, whether that's with technology, or access to it, or maybe lack of processes, lack of worrying about some sort of jurisdiction or compliance requirements on the back end. All of that, unfortunately, tends to work in their favor. So what I would say is, the good news, though, when we look at recommendations to organizations is we're really still, and I feel like a broken record because I've said this now for over 20 years, we're really still able to focus on best practices. Right, it's the ability to detect activity quickly, create kind of as many tripwires in an organization as possible, so that you can identify that activity quickly, right? The more times that your organization has the ability to detect something malicious, the shorter timeframe you're going to be able to detect it, which is key, and the more challenging you're going to make that same task for an attack. So cause them to actually be right at every single step of the attack, or you'll detect them. Being able to detect and decrease that mean time to detect means you'll also decrease that mean time to respond. So you're giving your organization and the defenders more opportunities to see what's going on, and to respond quickly and make an - take an action that's going to protect an environment, and you're making it more difficult for the attacker every step of the way. [ Music ]
David Moulton: At some point there has to be a limit to how fast these cyberattacks can occur. I'm wondering, as you look into the future, how do you think these trends are going to play out?
Wendi Whitmore: Well, I think there's some good news here, right? So I think the speeds across the board will increase, but that means the speeds of the defenders will also increase. And so, with the advent of generative AI in particular, we have a really unique opportunity, I think, to integrate testing into every phase of the software development lifecycle, so that we're building better, more resilient software in the first place. We're then also using those same kind of technologies to do things, like, in a SOCK. Reduce the mean time to detect, the mean time to respond. Make sure that we can prevent these actions from growing from a singular bad action, if you will, to an organizational-wide compromise. I think that's really what AI, in particular, is going to help us leverage, and be able to provide as a - a positive benefit.
David Moulton: Wendi, you've led numerous incident response efforts. Do you see some common patterns in the major cyber incidents over the last six months, maybe the last year?
Wendi Whitmore: Yes, and I would say we could probably take some of those commonalities to even a broader timeframe, right? More than the last six months, but the reality is, and I think I'll focus this answer just on what happens once a - an attacker is inside an organization. They're going to move as quickly as possible to get to systems of interest. Depending on the technology that's in the environment, some of those systems could change, but they're still going to be systems that house critical data, for the most part, right? By and large, so whether that's Windows domain controllers, or whether that's a virtual machine that's the primary authentication point for a lot of the admins within the environment, that end goal is still there. They want to get to systems which house critical data that they can download more credentials, and ideally those credentials being related to administrative, super user service - services, applications, that type of credential, so that they can then take further action.
David Moulton: Right.
Wendi Whitmore: So the sooner they can do that, the better. They are continually going to take advantage of systems within an environment that don't have multifactor authentication installed, and so those are always going to continue to be critical. But certainly with the onset of a wide variety of cloud computing environment, as well as virtual machines, we see cybercriminals in particular really moving into that environment pretty quickly, and then wanting to change credentials, and then lock the valid administrators out of those, so that they can change the passwords and then go about their business. Whether that's deleting information, exfiltrating it en masse, whatever it is, it's to get to some sort of end goal to be able to take data and take actions that can be monetized down the road.
David Moulton: Wendi, with that in mind, what do you see as the next major cyber threat on the horizon?
Wendi Whitmore: Well, David, I think I'd answer that, is instead of talking about one particular threat, because I think people can tend to over-rotate on, okay, am I prepared for this one thing, right? I think the reality is, the trend is going to continue to lean towards disruption and operational impact. And so the more businesses can identify quickly and test those systems in advance, right? What happens if critical systems are taken offline? How do we rebuild a new environment that's clean, quickly, and do that so that your entire ecosystem of businesses, whether that's vendors, suppliers, consumers, can connect back into your environment with clarity that they are going to be safe? How do we move applications over into a new environment? These are all the kind of discussions that we're getting into with our clients about how do we rapidly solve this problem. So the more that you can have those discussions on the front end, practice the response, practice how we would actually make these changes, the better prepared an organization's going to be.
David Moulton: So as you're talking about that, it strikes me that that might be a technical solve that we can get to, but how do you get to the point where your partners, your upstream and downstream, trust you after you've had an incident, you've recovered, to connect back into their systems? Is that part of that practice that you're talking about, to include third party, fourth party vendors in that - in that situation?
Wendi Whitmore: It absolutely is, and I think that's one of the biggest parts of this challenge, right, of this operational disruption, is that organizations need to feel confident that they can reconnect to your environment with certainty that it's not still exposed, and not still compromised, and they're not then, by virtue of connecting to you, exposing their own environment. So the more that you can test in advance, and practice scenarios involving that whole ecosystem, the better off you're going to be, making sure you have points of contact for those organizations, that you can rapidly connect to them, and that you've got playbooks - joint playbooks that you can work through.
David Moulton: So Wendi, I want to change directions a little bit here. Some of the defensive strategies that we try to put out are - are to protect us from exploits of human behavior, things like reusing a password and - and social engineering in general. I think those have always been hard to implement, especially in a - in a place where attack techniques that we're observing continue to evolve. How do you see that cat and mouse game playing out?
Wendi Whitmore: Well, cat and mouse game is a great way to put it, David, because it's always going to continue to evolve, right? There's going to be new technology that's introduced, maybe initially that's going to favor the offense, but over time tends to favor the defense, who's able to build much better tools and detection capabilities. It certainly will continue to evolve with the advent of AI, and in particular generative AI, as attackers really work that into their workflows more, right? It's going to increase their speed with which they're able to do business. It's potentially going to create some new attack vectors, and on the human side, when you talk about human behaviors, right? It allows them to communicate more effectively, whether that's more effective native language written word, or whether that's verbal communications that AI can - is leveraging. And then certainly deep fake technology kind of remains to be seen, the full extent to with which that's going to be used, but no doubt that's going to be another angle we need to all be concerned about.
David Moulton: How has the rise of automated and AI attacks changed the nature of the threat landscape, and is a defender, can we keep up?
Wendi Whitmore: I think there's good news. The defense can keep up. As you mentioned in, you know, the earlier common term of cat and mouse game. It's going to continue to be that - that sick scenario that we live in, and I think the reality of doing business, if you have business connected to any kind of online environment. But I think as we think about how do we really combat this threat as it continues to evolve, there's more focus than there ever has been on real-time visibility. So creating the opportunity for your organization to detect at every step of an attack, to make sure you've got logging and monitoring at each of those steps, so you can go back and quickly identify what action occurred, who was responsible for it. And then really being able to leverage AI at every step of the way, right? So integration into your ability to defend at the network level, at the cloud level, at the endpoint, and to coalesce all that information as quickly and rapidly as possible, is absolutely going to be key. The faster, then, that we can create kind of that embedded sequence all together is going to mean your SOCK's able to detect threats in real time. They're going to then be able to reduce that volume of attacks and focus on those with which are going to cause the most destruction or disruption, and be able to prevent those singular events from becoming a widespread, organizational-wide compromise.
David Moulton: What's the most important thing that somebody should take away from this conversation?
Wendi Whitmore: I think that it's the focus on fundamentals. So fundamentals of practicing response in advance, ensuring that you've got strong visibility throughout the environment, you've got as many layers of defense as possible, and that you're working with your entire organization. So if you're in a CSO role, you're on a SOCK team, for example, it's not just your teams that need to be able to defend, right? You've got to have all your peers within an organization also have really clear understanding of what their role and responsibility is, and then to have as many points of contact, to broaden that out to your providers, to your supply chain, to your vendors and your end consumers. The more you can practice all that in advance, the better off the organization's going to be. [ Music ]
David Moulton: Wendi, thanks for the great conversation today. I really appreciate you sharing all of your insights on adapting to some of the new attack vectors in cybersecurity.
Wendi Whitmore: You're so welcome, David. Really enjoyed talking with you today. [ Music ]
David Moulton: That's it for today. If you like what you've heard, please subscribe wherever you listen, and leave us a review on Apple Podcast or Spotify. Those reviews and feedback really do help us understand what you want to hear about. If you want to reach out to me directly about the show, email me at threatvector @paloaltonetworks.com. I want to thank our executive producer, Michael Heller, and our content and production teams which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]