The Voice of Cyber®

KBKAST
Episode 147: Sean Duca
First Aired: November 29, 2022

Sean is the Regional Chief Security Officer for Asia Pacific and Japan at Palo Alto Networks. In this role, Sean spearheads the development of thought leadership, threat intelligence and security best practices for the cybersecurity community and business executives.
With more than 20 years of experience in the IT and security industry, he acts as a trusted advisor to organisations across the region, helping them improve their security postures and align security strategically with business initiatives.

Prior to joining Palo Alto Networks, he spent 15 years in a variety of roles at Intel Security (McAfee), with his last position as the Chief Technology Officer for Asia Pacific. Before this, Sean was involved in software development, technical support and consulting services for a range of Internet security solutions.
Sean actively discusses security issues in mainstream media, including television, radio, print and security related broadcasts. He regularly participates in forums, conferences and panels, and provides intelligence on cybersecurity matters to the public and private sector.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Introduction: You're listening to KBKast, the cyber security podcast for all executives. Cutting through the jargon and hype to understand the landscape where risk and technology meet. Now here's your host, Karissa Breen.

KB: Joining me today is Sean Duca, Regional Chief Security Officer APJ from Palo Alto Networks, and today we are discussing to pay or not to pay a ransom. So Sean, thank you so much for coming back. I thought I'd get you on the show because I know I'm always gonna get honesty from you. So thanks very much for joining.

Sean: Thanks for having me.

KB: Okay, I wanna start with, now there's a lot of articles recently actually floating around in the space, on social media or wherever you read your local news, around to pay or not to pay. Now I wanna get into this, and I know if we zoom out the answer's gonna be "it depends, KB", but I really wanna explore both sides. So maybe let's start with your high level thoughts around paying. What does that look like?

Sean: So I think that there's a number of things to consider. There's always the key part that we always say, which is you're effectively funding a criminal organization, potentially even a terrorist organization as well. So I think putting that aside, because I think we all are aware of that one, the key part is also thinking about what does it actually mean to your own organization? First and foremost, today there are no laws that prohibit you from actually paying. The only law and potential gotcha is the fact that if the organization or the criminal group that you're actually paying is sitting in a country, or is a group, that is actually listed as a banned entity. So anything that's currently in Russia right now is obviously under sanctions. So if you're actually paying that organization and they're sitting in Russia, that is the illegal part. So that's the part to probably be aware of right now. But in terms of should you pay, should you not pay?
The honest answer that I could give? It depends. And I think it really comes down to the organization. Every organization needs to understand their own risk appetite, and that's one of those point-in-time moments, and it's a moment that you're probably gonna go through many times as a business leader, where you have to sit down, look at each other around a boardroom table, the executive leadership team, the board of directors, and actually work out what is your level of tolerance. What would you be willing to accept if something was to actually go wrong, to what level and threshold, or would you look to mitigate it, see if there's another way that you could try and deal with it as well? A ransom that is typically gonna come from, let's say, a ransomware group is gonna be a starting price. And let's just say hypothetically it's 10 million. The key part, from what we've actually seen from our own investigations, and obviously working with clients that have experienced this as well, is it's a case of actually working and having an open dialogue with the group. One, you're gonna try and assess how serious is the group? What are their actual demands? Keeping the communication lines open is always gonna be probably more of a prudent thing to do, because one, you'll be able to work out who the actors are. Are they capable? Are they sophisticated? Is this a fly-by-night type of a group? Or is it someone like, let's just say hypothetically, Conti, that we know are serious. They target organizations that have revenues in excess of a hundred million dollars. They are a sophisticated organization, and I'll say organization because they do see this as a profession. It's a business to them. So I think it's a key part to understand what are you actually doing when you are paying. Should you pay? It really comes down to the organization.
KB: Do you think people feel pressured because they've got this criminal on the other end that they're dealing with or negotiating with? They feel more pressured into paying. So for example, if you go and rob a bank, not that I do this, but people are more willing to hand over the money because they just wanna get out of that scenario. So do you think criminals know this, which sort of forces people's hands into paying, because no one wants someone in that sort of environment breathing down your neck to be like, pay the ransom? So do you think there's a bit of that in there when people maybe succumb to the fact of just paying the ransom?

Sean: I think the key part is to think about what is at stake. So let's take the example of, we've seen recent examples where it all pertains to the data, but what about if it's not data? What about if your systems are actually locked up, ransomware has actually been deployed across every single system, and it's an availability issue? You're a hospital, you're critical infrastructure. Do you openly just turn around and say, I'm not paying? Because when you start to think about it from a critical infrastructure standpoint, a severity one issue is life threatening. Severity one in the corporate IT world is the server is down. So when you start to think about a life threatening issue versus I can't get access to my data, they're two fundamentally different things. And I think that's the key part to probably be aware of. So it's a little bit hard to just say, don't pay. Because I think it really comes down to what's the scenario and the circumstances that are there. If you think about the other aspect, it is if you pay, you may not get a decryption key, or you could be paying it and effectively you get nothing in return. It's in the ransomware group's best interest to provide that to you. Otherwise, the business model collapses.
Think about it, if you don't pay, if everyone stops paying, then effectively they're eventually gonna get to a point where they say, all right, let's... You're now starting to burn a lot of data, systems, access to systems and all of that. Because if you do pay, it's in their interest to follow what they basically said, which is, I've got your data. If you don't give me my money, I've got to extort, I extort the people that are actually in those records, or I'm just gonna simply start releasing the information. If you can stop that from happening, I think it's something you need to consider.

KB: Yeah, I get it. And yes, of course every answer's gonna be, it depends. But I just wanna walk you through how I think about it, but then also how you think about it, because it's just looking at all sides of the coin, which maybe some people don't consider. So what about not paying? Obviously there's some obvious answers to that. You don't have to forgo 10 million bucks. Your records may not be, your clients may not be extorted on the internet, on the dark web, et cetera. But what about some of the other benefits of not paying?

Sean: The other benefits of not paying would be you don't wanna succumb to the demands of a criminal organization. But I think first, let's actually go back for a second to the paying aspects. There are practical considerations for victims of ransomware. A lot of the work that we've actually done from an incident response piece is to provide mitigation recommendations to customers based on the circumstances of the types of attacks that they're actually experiencing. But ultimately the decision's always gonna come down to the organization. I actually think first and foremost, you need to probably go through a cost-benefit assessment prior to paying anything, because is it a case of, is it worth it, based on what they've actually got and what they've prevented you from getting access to, or having your data?
In addition to considering the payment alternatives, I think the organization needs to start thinking about what's the cost of paying the ransom, and then also what's the cost of not paying the ransom? Because if you think about it from the standpoint of, you have been entrusted with someone else's data. You are definitely the victim, granted. But what about the actual customer data that you're holding? Because someone actually having access to that data and using it five years from now, that's a long term sort of effect that's gonna add a multiple; it's a force multiplier on your actual customers, not on you specifically.

KB: I get it. Okay. You make a great point. Cost-benefit assessment. I get that. But when you're in a very stressful environment, like I said, you've got these criminal actors in your net, you've got the government arcing up at you, you've got people online going ballistic. Don't you think it's then harder to make a very clear judgment on doing the cost-benefit assessment? It's not like it's a Monday morning, "hey guys, what's your sales pipeline doing?", a very controlled, normal environment. This is when you've got 10x the pressure, you feel stressed as an individual, you've got other people stressing you out externally, everyone's losing their minds. Don't you think that then you're potentially, perhaps, making the wrong decision, because you're not in the best frame of mind?

Sean: But I think that's where you should probably always prepare for that day today. Prepare for the unforeseeable event, because the reality is it's a question of when it will happen, not if. I think that's the reality that everyone probably needs to accept first and foremost. When you start to go through and understand what is the value of the data that you hold, the systems that you have, you know, it's really understanding what your crown jewels are.
That's an exercise that should take place today, not the day that you're actually being compromised, not the day that someone's actually got access to your crown jewels. You need to actually work out what that is today, and when you start to work that one out, you need to then work out, what's the value to you? What's the value to your adversary? Start to think about what's the actual value of that bit of information. If someone stopped you from getting access to that, if someone took that, what is it worth? And I think you'd be very surprised. One, people probably haven't done that. Two, if they do that today, all of a sudden you don't really have to go through the pressure cooker scenario when the time comes to sit down and work out, okay, is it worth us paying that much? Because one, everything's a negotiation first and foremost, so you can go through that process. We've seen instances where something started at 10 million and went down to a couple hundred thousand. Now, ultimately, as a company, as part of the work that we've done as part of the Ransomware Task Force that we did with the US government, we're consistent in the approach where we always recommend that an organization should always look at what the alternatives are before paying any ransom. The IR services that we provide to customers, it's always around mitigation recommendations and what they need to think about. But ultimately it always has to come down to the customer, or the organization themselves that have been impacted: what are the circumstances? What's being asked? What have they got access to? And the other thing is, if someone has actually gone into your environment once, okay, have you now shored up your defenses to prevent them from coming back? Because there's no immunity that you basically get after paying anyway. Someone could easily come in, and mind you, another group could also come in and ask for the same.

KB: Yeah, that's a great point.
So going back to the practicing side of things, do you think that this is where the adversaries are relying on knowing that companies probably aren't prepared? They're not armed with all their armor and their swords and their horses, and they're not ready to have this fight. Maybe that's where that gotcha moment is, because they're like, maybe eight out of 10 companies aren't ready, so we can just hustle on in and it's easy money for us. Do you think there's a bit of that in there? They know that people aren't prepared, aren't practicing, aren't in the right headspace. It makes the companies an easy target. The guys get what they want, they walk away with their money, it's done, they're onto the next.

Sean: Absolutely. I think a large part of that would be spot on. I think the other element to probably also consider is many of these groups, they know exactly how much revenue you're bringing into the organization, what your profit is. They're looking at the balance sheet, they're doing all these different things. Take the example of Conti. They only target organizations that have revenue in excess of a hundred million dollars. So they know how much money you're making. So their ransom demand is not gonna be some ludicrous amount. It will be something that they know the organization could possibly pay. They also may actually know that you've got an insurance policy, and the insurance policy goes to X amount of dollars. We've seen instances where someone has broken into an organization and they're looking for the policies to understand what the actual cap is.

KB: Gotcha. So the same way companies should be doing their cost-benefit assessments, some of the adversaries are going, okay, this company makes X amount of dollars, we might have to do this approach in order to potentially get this amount of money. So they're equally very calculative in their approach. Like they're not necessarily just going for...
Sean: These people are gonna be very targeted as to who they're gonna go for. Sure, you can turn around and say cybercrime is indiscriminate by nature: cast the net as far and wide as you possibly can, and maybe someone's gonna land in there. But when it comes to ransom, any type of extortion, there's gonna be an element where someone will say to you, okay, how much is that worth to that organization? Could they pay? What's the point of breaking into an organization and deploying ransomware if they know that you don't have 10 cents to your name? What's the point? Why would you actually go through all that work to get to that place? Small businesses do get targeted, but the ransom that's being asked is a lot less than what a large organization would be.

KB: Yeah, I get it. Makes sense. Again, they're not just taking a stab in the dark. It's quite calculated. They're calculating, this is exactly what we need to do to get that type of money, depending on the size of the organization. So you mentioned a point before, Sean, where people, as in companies, think, okay, we are the victim, but you are saying, yeah, you are to some part, but that's actually potentially your customers' data that's been out there. So do you think companies perhaps don't consider the impacts if they don't pay?

Sean: It's hard to say if companies do or don't, but I think that's the very key part that everyone needs to factor in, because take the example of if it's sensitive information that relates to an individual. Sure, you've been entrusted with that bit of information, but are you prepared to actually deal with the backlash? If you start to think about it, there's gonna be some potential lawsuit that could come out of it. The cost of not paying may end up actually coming back to bite you tenfold what that actual asking price was, from legal expenses and dealing with the actual fallout of the breach if a class action was to take place. Yeah.
Let's just say it's $10,000 that's gonna be paid to every single individual. What happens if you've got a million records? What happens if it's 10 million records, 20 million? All of a sudden that number becomes very high, and you start to weigh that up: the asking price was 10 million versus this could cost us a couple hundred million. Should you not? And I appreciate the fact that you potentially could be funding a criminal organization, but it's something that people need to factor in every single time, because that's a key part. It's gonna be the case of, what do you actually need to restore order in your organization? And if it is an organization that requires availability of their systems, not just simply data that has been taken, that's a very big question. The answer is definitely a different one compared to someone just taking the data.

KB: Yeah, I totally get what you're saying. Okay, what's coming to my mind is the backlash. Don't you think it's a bit of a catch-22? You pay the ransom, someone's gonna arc up. You don't pay the ransom, someone's gonna arc up. So how do you win? Because it just seems hard. There's always gonna be someone out there that disagrees, and I get that, that's life. But I think it's a hard place to be in, because no matter what you do as an organization, you're always gonna be wrong in some person's eyes, whether they're the right eyes or not. So how do you navigate that? How do you justify why people did what they did? With recent cases in the press at the moment, some people say they should have just paid. Some people say they shouldn't have paid. So it's just so hard to navigate, and there's so many different details that we are not privy to. So I'm just curious, for you, with your experience, how does one handle this?

Sean: Look, this is my own personal opinion, so we don't have recommendations around paying or anything like that. We're keen to understand how big or small the problem is.
A lot of the recommendations that we've put forward, especially being part of the Ransomware Task Force, was that we should probably definitely ensure that there is some form of reporting, because the only way that you can start to make some sort of policy around should you ban this, should you make it illegal, really comes from an understanding of how big or small the problem is. Yes, we know there is a problem, but how big is it, before you actually start to make something illegal? I think we should always be thinking about that first and foremost. My own personal opinion, the way that I think about it, would be someone has entrusted me with their information. I'm holding the keys to systems that people need to get access to, whatever the actual sort of scenario is, whatever the type of organization I am. I always think about the customer. At all costs, protect the customer, and that may come across as pay the ransom. I don't recommend that everyone should be paying, but I would always be thinking about how could I protect my customer? Because for me, sure, I could be the CEO of the company, I could lose my job tomorrow, but what does that actually mean for the members, the customers that we've actually got? That's the thing that I think people should always factor in.

KB: So do you think people do factor that in?

Sean: Not sure. It's hard to say. I'm sure a lot of the times we've seen where it hasn't been reported if people have or have not paid. I'm sure a lot of the times people have actually factored that in: what are the actual implications to the customers at the end of the day? Because this may be a case of, okay, just change your driver's license, change your passport. Cool, that's something that you can replace. How do you change health conditions? How do you change any potential sort of reputation damage that could come out of it?
If someone finds out that you've got mental health challenges, does that mean that potentially there could be a bias towards you getting a job in the future? One, you probably may not ever find that one out, but it could go against you. I think that's the key part to always think about: what does this mean for the individual? We saw from some recent examples where they were very, very targeted about what type of information was actually gonna be leaked. Very sensitive information for the individuals of concern. So I think you've always gotta factor that part in, and to say that it does or it doesn't happen is too hard to say.

KB: Yeah, I get that. And even if someone literally thought about the customers that are being impacted by this, again, there's always gonna be someone that said, oh, they didn't think about it enough. So it's like you're damned if you do, you're damned if you don't. But again, it's about having these discussions about how you would logically think this through. You mentioned it before, Sean, around cost-benefit assessment. Is there anything you'd like to add to that? Like how people can assess whether they should or shouldn't pay. And I understand it's not so binary, but maybe what are some of the other driving factors? Is it gonna be around the backlash and what people on social media say? Are there other things as well that should go into the decision of paying or not paying?

Sean: I think making sure that you've got a process and plan in place. Many times, and you can always tell based on the way that someone responds to an incident, have they actually prepared for this day? Other times you've actually seen where people are tight-lipped, they're not sharing any information, they don't really know what to share, they don't really know what to do as well. They're clearly organizations that have never really prepared for this particular day.
When the person that is answering the questions, if you see that they are being led in a certain direction and they are answering questions, you control the narrative. The narrative doesn't have to be controlled by the media cycles. Too often, how many times have you actually seen where someone will come out and say there's been a breach, and you go, oh wow, okay, that's concerning for the organization. But then all of a sudden you start to hear, we believe that it was a particular country, nation state, attack actor. How would you know that within the first 24 hours, the first 48 hours, the first week of an incident? Correct. So you start to think about it, that you can only share the information based on the data that you have. Sure, it's gonna be frustrating, but I think it's making sure that people are comfortable with ambiguity, because I think that's the key part. You will never know the information, but let the data tell the story, I think, is the key aspect there. Going through and working out what the crown jewels are to an organization is something that you should be doing today. It does not make a difference if you have an IR plan in place today. You should know what you should be protecting, because no bit of information, no system is created equally. So start to work out where do you actually protect it? I always use the example of my mobile phone. If I lost it, it doesn't really have a material impact to Palo Alto Networks, but to myself, sure it does. Would I spend a million dollars to protect it? No, it's not even worth that. So you start to work out what your actual risk equation is on that. That's your cost-benefit analysis. And then start to work it out from there: how much are we willing to pay to restore order to our systems, to get that bit of information back, or get it out of someone else's hands?
I think you should always be factoring that in and thinking about that, because that's the key part that will be your driving factor as to whether or not you should or should not pay. Talk to your insurance provider. Is this something that we should be thinking about and factoring in?

KB: So now's the time to start preparing. So would you say, with the conversations you are having in the market, Sean, that people are preparing? People are potentially worried, like we should be taking this more seriously, it could happen to anyone.

Sean: I think with the recent examples, every single organization should be going through a process right now and simulating, or at least having a discussion: could that happen to us? If so, what's the impact? How could it happen? And start to plan and put some sort of transformation project in place to mitigate that. When I hear stories where people turn around and say, oh, we've been breached, and all of a sudden they'll come out and say, we've patched the systems. That's not transformative. All you've simply done is a band-aid fix. Change the way that you've actually gone about doing security before the breach, and then start to think about what the world should look like after. Because in the end, clearly whatever you were doing before didn't really work out. And sure, adversaries have always got the time, the inclination, to go through and spend a lot of hours trying to get inside an organization, and they have to be right once. But once they're in, all you have to do is just watch them trip up once, and that's when you can start to catch them as they're actually going through your own organization. But you have to prepare and plan for that.

KB: So I guess the other view that I often see online is there's a lot of people in the industry that are very headstrong on not paying. And I get that, I understand that. And I guess I look at things from a level of neutrality and looking at both sides.
But then I also interview people saying that they should just pay the ransom to reduce the downtime for the organization. Now that goes back to what you said before, it depends on what's at stake. So if all your systems are locked up and you can't operate, you can't get revenue, that's one thing. If it's potentially the fidelity of the data that's being taken, if it's your passport and all that, like yes, that's bad, but then if it's medical records, that's a different kettle of fish again. What do you think about if people are like, our systems are all locked up, we can't operate, let's just pay the ransom, let's just move on? Do you hear a lot of that sort of going around in our industry, even if it goes against the not paying philosophy a lot of people lead with?

Sean: I think it's usually the conversation that's probably talked about behind closed doors. People don't often advertise that they've paid. Yeah, that's a key thing. Can you tell if someone has paid? If they're able to restore their systems pretty quickly, you could sit there and question: they must have had a very good business continuity plan, they must have had a very robust incident response plan. Sure. But sometimes the easy way out is, okay, they got us, how do we actually get ourselves out of a jam now? And people pay, and we've seen people have paid. But the key thing that we've learned from all of this is having a very open communication line to the adversary, working out: are they a sophisticated organization, or are they just someone that's opportunistic, they've just come in? Work out, are you actually interacting with the individual or are you actually interacting with the boss of the organization? We've actually seen from transcripts where they understand your environment very well. They may lie in wait for a very long time to understand when's the right time to strike. So they've got a very good understanding of how you operate.
They could probably work out and understand what your processes actually are. So a lot of the times they've got a very good indication and idea of how you operate. They could even be looking at emails. Half the time, we've even seen organizations where they're trying to change passwords and all of a sudden they're still on the network. They're still sitting there, they're watching. So every part of communication internally in your own organization as to whether or not you should or should not pay should be happening out of band. Definitely you would not wanna be using your internal mail server as an example, because that could be compromised.

KB: So in terms of final comments or closing thoughts, Sean, is there anything that you wanna leave our audience with today? I wanted to bring you on here to explore different views of paying or not paying, and there's no right or wrong answer. It's just to have that discussion, and to have that honest discussion, to look at it from multiple sides of the coin, to give people a little bit of insight into how this looks and how they should be going about conducting their business moving forward. But is there anything else that you'd like to leave our audience with that maybe they'd like to take away from today's episode?

Sean: I think a key piece is plan for the day, because it's a foreseeable event. Being instantly connected the way that we actually are, we're transacting online, we've got customers all over the place, we've got a very remote and active workforce, we're connected to all these different applications and systems. Something is bound to come into your organization. First and foremost, identify what your crown jewels are. Sit down and simulate. Look at the last year's worth of breaches, how people have responded, their reports, what they've actually come out with as press releases, and actually go through a scenario and work out what would we do if this happened to us. And workshop that, but don't just sit there.
You can use an external organization, you can use some of those simulation platforms that are out there. But the aim is not to sit down and wait for a report to come out in a couple of weeks. You'll work out pretty quickly how well or not you are at dealing with these types of responses, these types of breaches or incidents taking place. And start to practice, build some sort of muscle memory, because when the day does come, you wanna make sure that you understand what your roles and responsibilities are in an organization. Whatever the decision is, to pay or not pay, I think is up to the organization. It's very hard for an external third party to tell an organization what their risk appetite should be, because everyone's got a different level of risk tolerance. And I think it's key to try and understand what does that mean if you were to pay. Start to understand what are the legalities around all of that? Are you liable if you do pay? Would someone potentially go to jail for paying? You may be doing the right thing for your customers, but you may also find out that you're doing the wrong thing by the law. Having those open dialogues and understanding what is actually at stake, and then also what would you go through to have that process? Many times you probably don't know how to do the negotiation. Great. Make sure that you've actually got a third party provider that you can actually work with, to ensure that if the day does come, you could leverage that provider to come in and say, great, start acting on our behalf to communicate to this criminal organization.

KB: I think those are easy, simple, key takeaways. Again, start practicing if you're not; now's a good time to start doing that, and to look at it from all angles. So Sean, thank you so much again for your time, for your insight. I wanted to have a very frank conversation, and who better to get a frank conversation from than you, Sean. So thank you so much for your time, and thanks for coming on the show today.
Sean: Thanks a lot. Thanks for having me.

Outro: Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by Mercsec, the specialists in security search and recruitment solutions. Visit mercsec.com to connect today. If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI Digital. This podcast was brought to you by KBI Media, the Voice of Cyber.