Our own Matt Hartley was a guest recently on the Fuse Founders Guiding Founders show. Below is a partial transcript of what he and host David Tran discussed. To hear everything they talked about, listen to the full conversation below.
On the evolution of cyber security and privacy and the types of risk they encompass
I would say cyber security has evolved from being technically oriented, as in protecting data and computers, to encompass protecting the organization and the way it operates. It’s evolved to take much more of a risk slant, as in the risk to the organization and how to reduce it.
In terms of risk, it’s sort of “all of the above.” I would say that while an organization is trying to protect its employees, it’s probably not personal risk per se. Most other types of risk that you can think of that a business usually thinks about, like physical risk, there’s an overlap. For example, for physical risk, building controls now are automated and networked. You have financial risk, like you said. The recent Colonial Pipeline attack is a good example of paying out ransomware; it’s a financial risk for every business. Business risk, operational risk. For each of us as individuals, there is that idea that your personal data and your personal assets, that you want to “buy down” your personal risk. Cybersecurity and privacy are ways to do that.
On the recent Colonial Pipeline attack and ransomware
Ultimately, it started off with an adversary group that’s known as DarkSide, a group of “bad guys.” They actually run a ransomware as a service platform. As you can imagine, that’s something that’s evolved over the last 10 or so years along with “as a service” in the computing world and software world in general. Bad guys sell their software as a service, their malware basically. What happened in this particular incident, based on what’s in the news, Colonial Pipeline was compromised, and ransomware was installed throughout their corporate network. It sounds like they didn’t really have their arms around how fast this ransomware was spreading in their network, so they shut their industrial control systems off as well, shutting their pipelines down.
If you’re not familiar with ransomware, basically it’s malware that’s installed on computing infrastructure and it will encrypt some or all of the data on the computer, and then demand a ransom to decrypt it. Adversaries have been increasingly using this type of attack. It’s actually pretty insane right now, the number of ransomware incidents a week happening.
Ultimately you have a decision to make if you have one of these events: you can either hire someone to try to crack the malware so that you can decrypt the data, pay out the ransomware to get your data back, or bite the bullet and reload your entire organization, potentially using those backups that you hopefully have and that were hopefully current and safely protected from the malware.
From what I’ve read in this case, they shut their pipelines down in part because they didn’t have access to their billing systems anymore and so they couldn’t actually see who was getting oil and whatever else they were delivering, and therefore they felt like they needed to shut their pipeline down. They again also seemed unsure where the malware was and if it could potentially compromise their industrial control networks.
On how these attackers may have launched their attack
What’s really common in a lot of these incidents is someone gets phished inside the organization. There’s a myriad number of ways that boil down to the threat actor managing to get a foothold in the network of the organization they’re trying to compromise. Phishing is the most common, where they send an email hoping to get someone to click a malicious link, for example. I think many people nowadays have been exposed to some training on phishing and don’t click everything that they get in email, hopefully at this point. So that’s a really common attack vector.
What’s fascinating about the underground and the different types of cyber criminals that are out there, they look more and more like businesses. Early on in the early 2010s for example there were a lot of what were called bulletproof hosting providers, so literally they were like ISPs for bad guys.
And they were like a real ISP, so they had support people, they had tier one and tier two support, they had marketing, they had sales. It was like a full business and that was the early 2010s, and things have just evolved from there. So as I mentioned, the DarkSide group in this Colonial Pipeline attack was selling ransomware as a service.
20 years ago, a bad actor had to build their full stack to attack someone. Now they can pick off pieces, buy pieces, rent pieces and use “as a service” offerings to launch attacks. In this particular case, it’s a little unclear based solely on what’s out in the public so far, but it doesn’t seem that it was the DarkSide ransomware as a service group themselves that attacked the pipeline; it was actually one of their customers.
This was interesting because you saw the DarkSide group basically announce they were going to change their ransomware so that their customers couldn’t attack certain industries anymore. They didn’t like the negative publicity obviously, because it hurts their bottom line, just like a real business, and that’s how a lot of these criminals operate now.
On malware available in the underground
Yes, there are forums where you can buy it. They advertise, you can get samples, etc. What’s really interesting is it’s much like the traditional organized criminal underground. These groups are organized – you’ll see a group build a set of capabilities, and then they’re doing research and development. They build a version 2.0 of their capability and then they’ll go sell 1.0 out in the open underground because they have 2.0. As they continue to evolve, they basically push their older code out to a broader market.
This is a huge problem. I mean the proliferation of these types of capabilities, and especially when you start to look at some of the nation-state attacks and how they overlap here, we start to see military-grade tactics being exposed to these criminals, who then adopt some of those same techniques. This just ups the ante for all the defenders in the world trying to keep up with the increasingly complex attackers.
On these adversaries, their sizes, and structure as a lone hacker or a group
It varies. If you include nation states then there are probably thousands, because you’ve got militaries in the mix. I would say most of the criminal groups are in the tens to low hundreds maybe, but it widely varies. It’s very, very unusual nowadays to see the one lone hacker. It’s the same way a lot of people incorrectly believe that in science you had the genius inventor who does all the work. It’s not really the case, right? There’s a team behind the inventor. Similarly here.
Largely nowadays, it’s a group of people that are doing things, and as they’re more successful, they hire more people. We’ve seen criminals over the past decade advertise on places like Monster to try to hire help. I mean, it’s truly insane in some ways. I like to go back to the TV show Alias, where you think you’re working for a legitimate organization, but you’re actually working for the bad guys. There are actual instances of that over the last decade or so, people who were hired legitimately and thought they were doing legitimate business but were basically conducting money laundering.
On how BreachRx helps its customers
At BreachRx, our goal is to help customers be ready for these types of attacks and then to recover from them if they occur. And what we’ve seen is even the largest organizations that are out there aren’t very well organized for an event like this that happens. If you look at the very top of the market like the most sophisticated largest enterprise, they’re going to have a lot of folks focused on this problem because they’re going to have a lot of incidents that go on all the time that are small. But when you get outside of that roughly Fortune 50-ish range, then what we’ve heard repeatedly from law firms and consulting firms we’ve talked to is that no one’s prepared, no one is really organized and no one’s really ready.
Our particular focus is on privacy and so you’re probably familiar with the privacy laws that have come up in the past few years and their requirements from what’s been in the news, like the big data breaches that happen. From that viewpoint, everybody gets their notification, they used to get like free credit monitoring when their data was compromised, which happens a bit less now. There’s a lot for a breached organization to figure out. Our goal is really to help companies through that process because a lot of time they’re using paper or they’re using spreadsheets or Word docs and they’re relying on conference calls.
We’re building automation software for them to be able to manage it all. We’re automating the workflows that the privacy teams have to go through in order to prepare to pull together all the obligations that their organization has when they have an incident. We also help them work through other workflows to respond to those obligations during an incident. Each obligation, like for example a privacy regulation, has a set of requirements that you have to accomplish if you have an incident that makes that regulation applicable.
So for example in Europe, they have the General Data Protection Regulation, GDPR. Our goal is basically to help customers who’ve had an incident or had an event or even a big data breach understand how GDPR applies, because maybe some of their data was from European citizens. There’s a set of obligations that they have under GDPR and they’ve got to take care of those and make sure by the way that they accomplish parts of it in 72 hours. The law actually requires organizations notify the regulators in Europe within that timeframe.
That’s what we’re helping customers do: pull together all those obligations. If they have an incident, they can really easily hit the ground running knowing exactly what they need to do with a built-out, actionable incident response plan. And then they can just execute and make this a more routine process than what it is right now, which is more of a crisis response.
We’re focused on helping privacy teams and chief privacy officers (CPOs) in particular, or if they don’t have a CPO then an associate general counsel for privacy or the general counsel themselves. Our goal is to focus on them given they have to do a lot of work manually right now still. There are a lot of organizations that don’t have much awareness about the problems here in the space. You have technology companies, for example, with huge amounts of data, that haven’t really thought through the implications of what would happen if they had an incident. If they have a gigantic amount of information about their customers, then they’re at a pretty high risk if they have an incident, and will have a lot of work to do and a lot of legal fees and consulting fees if they’re not on top of all this.
On the percentages of businesses with breaches in the last year
That’s a good question actually. I’m not sure I have a percent off the top of my head for that. You know there’s a crazy statistic that we heard recently—there were two different law firms talking about their work with insurance companies on a panel at a conference and they both said they were doing more than 70 incidents a week. Because they’re different law firms, these are different incidents, there’s basically zero overlap, so when you think about that, it’s nuts there’s that number of incidents.
There is some degree here you have to think about the size of the incident also. I think generally people think about mega breaches that we read about, like the Equifax breach a few years ago. Capital One also had a really bad breach a few years ago, so there’s these giant ones that make the news, but there’s a lot of companies that have little breaches all the time.
A good example to think about is a pharmacy. It has a ton of personal information, personal health information, and it’s not uncommon for a pharmacy to accidentally mix up prescriptions – they give you somebody else’s prescription and they give them your prescription, so that’s a privacy incident, because they’ve exposed the data, that personal information to each other. So those don’t really make the news. The larger size companies I mentioned earlier can easily have 50 incidents in a month.
On human error and other causes for data breaches
It’s a wide gamut of different things. There’s definitely human error, there’s a lot of the same implications from cyber security failures. It’s malware, it’s a bad actor, it’s an insider threat, someone on the inside could be helping launch the attack. There’s machine error, an error in automation. It can also be your partners, for example your cloud providers, they may have an incident of their own and that exposes your organization’s information, so there’s the second order effect to consider. And misconfiguration is another one.
So, yes, it’s pretty wide ranging. I should say a lot of organizations are actually fairly well prepared for security incidents nowadays and IT incidents as well. For example, if somebody lost their laptop and it has customer data on it, that typically in a lot of places is either thought about as an IT incident or security incident or maybe both, but there are still far too many organizations that aren’t thinking about that as a privacy incident yet. So that’s another tier in the process that organizations need to be thinking of.
On the need for data security requiring a holistic solution
You really need to understand the full gamut of your organization and what it’s trying to do and how it’s doing it. I think one of the key aspects when it comes to data is really understanding what data you have and where it’s at, and that is a great starting point for the privacy aspects of incidents. Most organizations have a business continuity plan, they have a disaster recovery plan, and something that I like to recommend is to take a look at it. For example, if you’re coming into an organization as a new CISO or a new CSO, actually take a look at that.
If you think about that recommendation in the context of Colonial Pipeline and what we’ve read about in the news, with their billing system being down, and the second-order effect that they had to shut the pipeline down, you would hope that if someone had looked at their disaster recovery plan, they probably had that billing system in there. And so if the processes had some plan for an earthquake or some other type of physical event, they could have tried to apply those same approaches from those types of scenarios from a cybersecurity and a data privacy standpoint as well.