You are listening to KBKast, the cyber security podcast for all executives. Cutting through the jargon and hype to understand the landscape where risk and technology meet. Now, here's your host, Karissa Breen.
Joining me today is Dr Torsten George, security evangelist from Absolute Software. And today we're discussing why ransomware response matters more than protection. So, Torsten, thank you so much for joining. I think this is a relevant interview. You've probably obviously been following everything that's been happening here in Australia, so I want to start there with why ransomware response matters more than protection. Talk me through it.
Torsten George (01:04)
Sure. Thanks for having me. So I wanted to start with saying I don't envy any security practitioners right now. I wake up every morning at 04:30 a.m., no matter where I am in the world, and the first thing I do is really studying the news. Unfortunately, every day you can read new headlines about cyber attacks, and we have seen a tremendous uptick in attacks since the start of the health pandemic, as really cybercriminals took advantage of the unique environment, targeting the weakest link in the attack chain, which is unfortunately the remote worker. And with the current aggressions playing out in the centre of Europe, we also have seen an increase in state sponsored activities. And so it's no longer a matter of if, but when an organisation will face a cyber attack. And this is especially true for ransomware attacks, which have really become one of the preferred tactics of threat actors. Those attacks alone have increased by 150% year over year, and a ransomware attack can really cripple an organisation in a matter of minutes, leaving it incapable of accessing critical data and unable to do business. But that's no longer everything that happens.
Torsten George (02:20)
More recently, threat actors have shifted from just infecting systems with ransomware to multifaceted extortion, where they also publicly name and shame victims. We have just seen this in the most recent headlines in Australia: they steal data and really threaten to release it to the public or sell it. So it really appears logical that organisations need to look beyond preventive measures when it comes to dealing with today's ransomware threats and invest in ransomware response, which is really about improving their ability to prepare for and quickly recover from these attacks.
Yeah, I'm in agreement with you. I don't envy security people right now. I think in a normal sort of environment it's tough, but then in a heightened, stressful environment, it's even harder. So I'm with you on that front. So I'm curious now to know, there are people out there online saying certain companies in Australia didn't handle it well. And what I'm curious to know is, just hypothetically, an organisation did everything right by the book, they didn't put a foot wrong. There's always going to be people out there, though, that say, oh, they didn't handle it right. Are you seeing that as well? And then I guess my second follow up question to that would be, well, what do people want to see? What do they want to see specifically?
Torsten George (03:46)
Sure. When it comes to the recent Australian breaches, obviously we have the high profile attacks on Optus and Medibank that really illustrated that ransomware is one of the most significant threats to businesses today. It cannot just cause damage for the company, but really goes beyond just paying the ransom. It's about downtime, it's about lost opportunities, it's about cost and expenses associated with removal and recovery of the ransomware itself. And so it's really tough. I'm out of the US, and so all I can do is read the media, which takes a lot of time. You don't have all the information at your fingertips to really make an assessment. However, there are a few takeaways as it relates to the response for both the Optus and Medibank breaches that I can bring up here. So one of the things, there was initially a lot of criticism of Optus's response to the cyber attack that they made public on September 22. However, I believe their CEO deserves some credit for responding quickly and being really the face of the response from day one and putting customers first. For example, they offered immediately to cover the cost of identity protection.
Torsten George (05:11)
That's very rare. So they did a good thing there. And if you contrast that to Medibank's response, it seemed to be quite chaotic. There were three separate statements, three separate trading halts, and there's still no sign of any of the executive leadership putting a face to a public campaign to really reassure customers. And so, based on the information available in the media, you might even wonder about the state of Medibank's overall cyber hygiene. I give them a lot of credit for refusing to pay the ransom, that's very honourable. Nonetheless, you question why the sensitive data was not encrypted, and really the response itself: they went out very early and tried to downplay the severity of the impact on the organisation and the customers without having the necessary information. And that's something that people should avoid. You should really gather all the information before making statements, because otherwise you erode your customers' trust. That's why Cyber Security Minister Clare O'Neil was quite adamant about, hey, you guys need to get better. You need to really get your act together and make proper statements, and intervened in that scenario. And so the takeaway for people is that, listen, today your strategy really needs to revolve around trust rather than, hey, my brand comes first.
Okay? So there's a couple of things in there that I really want to get into. So you mentioned before how Optus and the CEO responded. Well, there are people here that said they shouldn't have gone via the media. And Kelly Bayer Rosmarin came forward and said, well, we did that so we could disseminate the message quicker. Other people are saying Optus should have contacted people first. What are your thoughts on that?
Torsten George (07:12)
Well, I think definitely most don't want to necessarily learn about the data breach from the media. So at minimum, you want to time it in sync with your media outreach. But here again, they gathered information before they made a public announcement, so they were not guessing. They had quite significant information at their fingertips when they went to the media. And again, they immediately offered really compensation for the customers, offered them to cover the cost of identity protection, which is very important in those cases. So they cared about the customer. And you might now argue, should they have sent out an email first? Again, in the best case scenario, you do that, yes. But here, as a leading telco company where there's a lot of public interest in the outcome and how this is being handled, they definitely wanted to go ahead and inform the media about it too.
So would you say, Torsten, in a perfect world, if they could, if they were given the opportunity again, it should be, okay, deploy the email, then go to the media? Like the timing, okay, shouldn't have been so broad, because people were getting emails like a week after. And I get that they have to do their due diligence and I understand all of that. Okay, so the next question then is now, with, for example, Optus again, they were saying it was a sophisticated attack, but when they looked a little bit more closely after the weeks that have unfolded, it wasn't so sophisticated. And I understand the reason people want to know stuff, but sometimes you're damned if you do, you're damned if you don't. If you speak too early, you may say the wrong thing, which is sort of what happened in Optus's case. If you speak too late, people get angry. So how do you win?
Torsten George (09:02)
Well, I think there is no winner in this situation anyway. What you have to really decide is who should be protected? Who are you caring most about? Again, customers should come first, obviously, because they're making up your business. You want to earn their trust, you want to have continued trust. And if you do it the wrong way, then they cancel their services, they go somewhere else. It's not about brand protection, it's not about your own media profile. It's really customers should come first, and people need to keep this in mind. But we also have to understand, again, I don't envy security professionals. These are very stressful situations. Those guys sit in a battle room, they work 20, 22 hours around the clock. They have to deal with government agencies, where they have to keep them abreast of any updates. They're dealing with third party companies that help them with the assessment. So there are a lot of things going on in the background that not a lot of people know about. But one thing I would agree with in your statement: there's always, especially also in the media, this vision of what a hacker looks like.
Torsten George (10:20)
Correct. There are thousands of hackers in the room that are attacking organisations. That's rarely the case. State sponsored attacks still do not make up the majority of attacks. And so the majority of attacks are not very sophisticated, to be frank. They are leveraging the weakest link, which is the human, meaning these are phishing attacks where somebody tries to get a hold of your credentials, and then these credentials are being used to basically enter initially, potentially on your endpoint, on your laptop, and then from there they move laterally and at one point end up at the server that holds the crown jewels. And I can even spend a couple of hundred dollars on the dark web and I get thousands of end users' passwords and names, and I can try them out and most likely they work, not just for their private accounts, but also for their work accounts. So your notion that the attacks are not necessarily sophisticated, I would completely agree with it. Still, the human element is the biggest shortcoming, and it's often the root cause of the attacks.
So, going back to the messaging just for a moment now, is it fair to say that if you said the right thing early enough, or you said it late enough, is it fair to say that in any situation, you're just going to get backlash because it's like, oh, well, you said it early, but you didn't say the correct thing? Or you said it too late. So do you think people have to succumb to the fact that even if you did everything right, you said it on time, you said the right thing, there's always going to be someone out there that's unhappy with what you said, how you said it, when you said it, where you said it, always?
Torsten George (12:10)
You can never please everyone. Correct. So all you can be driven by is, really, who do you care most about? That should be your customers, because they're paying your bills, and so you should be honest with them. So if you get out and you make a statement that you have been attacked, you can make that statement. If you don't have enough information yet, don't speculate, don't put anything out where it's not confirmed yet, but just simply say, we have been attacked, we're investigating and we will keep you updated as soon as we have new information available. That's the better approach than having to correct your storylines, like it was the case with Medibank, where three times they changed their story and it looked very bad on them.
Yeah, you're absolutely right. Trying to correct the story is a lot harder, and I think by having that caveat, by saying look, this is what we think for now, but of course subject to change, like there needs to be that caveat there. That to me does seem an obvious thing to do. However, if I'm playing devil's advocate, I'm looking at both sides, and that's my job, to look at both sides, is it's stressful? So for all of us sitting on our comfy couches and we're not dealing with the problem, it seems obvious that they should have potentially caveated that, and without changing their story three times, as you've alluded to. But again, it's stressful in that moment. Would you say that's the case? Maybe that's why there was a bit of oversight with the messaging?
Torsten George (13:37)
Most definitely. Again, as I said, these are situations people prepare for primarily on paper. And that's one of the shortcomings that we're facing, that we're not doing exercises, that we're not investing more on recovery. But really, it's more we're mandated by many regulations and industry standards to have a business continuity plan, and so we know who to contact if something happens. We might know the different phases. So initially focus on recovering your critical infrastructure, which contains things like your Active Directory. The second phase would include your business applications. And then the last phase might include finally getting to the laptop devices of your employees, even though they are the ones that are supposed to provide continued services to the organisation's clients. And everybody is under extreme pressure, they hear the clock ticking. And so it's not easy to deal with that. You see after these attacks there's a lot of turnover in these organisations, a lot of people get burned out by that. It's not just taking responsibility for what happened, but really they don't sleep. As a security professional you have a lot of passion for what you're doing, and so they feel not just obligated to quickly recover from an attack, but they sometimes take it very personally that they got victimised, and it's a really tough situation, and it plays with your mind, and it's not a healthy situation either.
No, I'm with you, I 100% understand what you're saying. So would you say then Torsten, are people paying more attention to the protection rather than the response? And then if so, why is that?
Torsten George (15:36)
The reality is that organisations are very concerned about the time to recover from a ransomware attack. They often solely focus on prevention tools without really planning for the worst case scenario, meaning falling victim to an attack. And the numbers really speak for themselves. In 2021, 54% of all ransomware attacks were successful despite preventive measures in place, and so relying on preventive measures has been the approach that the majority of organisations have pursued for decades. It's part of this approach, it's adding new technologies. That's where we go to the trade shows, we see if there's anything new out there that we can add to our arsenal of tools. And so it's not surprising, according to Gartner, our industry will spend this year alone $173 billion on IT security and risk management solutions alone. So you would think that with so much money invested (I wish I had 1% of that, I could retire) we would really stand up better to all of these cyber attacks. But unfortunately, that's not the reality. And that's really where leading analyst firms like Gartner are nowadays advising their clients to shift their cyber security priorities from these protective measures to more of a management of disruption through cyber resilience.
Torsten George (17:12)
And so now you might say, what is cyber resilience? Well, according to MITRE, which really studies threats and how you need to respond to threats, they define cyber resilience as the ability to really not just anticipate, but really withstand, recover from and adapt to adverse conditions, stresses and attacks or compromises on cyber resources. And so I just travelled over the last six weeks across the world. I was in Melbourne for the AISA conference. I was in Germany, I was in Europe. I was on the East Coast in the US. And wherever I went, it became apparent that more and more companies are really realising that there is no 100% protection and that they have to adapt their strategy. And so cyber resilience becomes more and more top of mind, and it's really leveraging these measures to enhance not just their resilience, but if you invest in recovery and response, in reality, it also helps with your overall security posture.
So how can people sort of invest more in their response? Do you have any sort of insights?
Torsten George (18:35)
I would kind of create three buckets to balance your funding in cyber security. So you should spread things between strategic readiness, so these are things like backup of your systems and endpoints, consistently reviewing what your existing security controls are, but not just knowing what they are, but really identifying those, be it antimalware or be it a device management tool, that are really required to minimise your cyber exposure. And there are also tools that you would need to expedite recovery efforts. That's important. A lot of people are not even aware what the tools are, what the security controls are that are really needed. And it backfires later on, because a lot of the cyber adversaries that we're dealing with, when they enter into our environments, they're not immediately dropping ransomware. They do reconnaissance first, they look at what the security controls are, what the tools are that an organisation is using for recovery purposes. And then they turn all of these tools off. So it has the biggest impact when they finally drop their ransomware in the environment, because suddenly their victims will try to leverage these tools, but they're no longer working.
Torsten George (20:03)
And so they're in a very dramatic situation then. And it allows the attacker to even raise their ransom. And so the second area where companies have to really focus on is to enable or establish cyber hygiene baselines and consistently monitor this. And so here, for instance, when you determine what the particular security controls are, what the tools are that I need to use for recovery purposes, making sure that these are always working. And that's a tough undertaking in itself. A lot of companies have no insight. They install software, let's say on their laptops for their employees, but they don't know if they are functioning as intended. And so there are new emerging technologies that deal with self healing. They monitor these applications, and when the integrity is getting impeded, they're healing those applications and ensure that those stay resilient to any external factors. And so that is very important, to establish that baseline and then on an ongoing basis monitor that. And last but not least, again, there's no 100% protection, it's about being prepared to respond and recover. That starts with simple things like how would I communicate to my employees. A few weeks ago I was on a call with the CISO of a big healthcare company and talked about ransomware, and the CISO was relatively new and he started establishing new best practices.
Torsten George (21:42)
And so he was very confident that they're very well prepared for a ransomware attack. So I kind of challenged him, I said, what are you doing, for instance, to communicate with your employees in case of a ransomware attack? Well, we developed different sets of email templates so we could send out something to provide instructions for those that have not been infected yet, and others that have been infected. We would give them precise steps, what they have to do. And I said, wait a moment. So you're talking about email templates, but in case of a ransomware attack, email doesn't work any longer, that's part of the system that's being attacked. And he turned pale and started stuttering and said, oh my God, you have a point, that's a logical mistake that we made. And he's not alone with that. Again, a lot of times we just do paper exercises when it comes to our response and recovery plans. Here you have to find technology that would allow you, even if the device is compromised, to still send secure messages to that device to give your end users proper instructions. Or you need to have technology in place that allows you to freeze devices so that they don't spread infections further, or you would freeze them for litigation purposes.
Torsten George (23:10)
And then obviously you want to be prepared and have already a set, a library of commands, scripts, playbooks, however you call it, available, that allows you to quarantine devices, to shut down particular ports, to reimage devices. So all of this should be there. You shouldn't have to start building those scripts when you encounter an attack. You have to have those available already. And then obviously a lot of times you can't handle everything yourself. So you should align yourself with third party services. There are players out there that really assist in the recovery efforts, and you should look at the different, as I said, phases. The first phase, critical infrastructure, that's probably best handled by yourself, but then business applications as well as your endpoints, that might be where you bring in your third party services.
So would you say now, with everything that's going on in the world that there will be a focus on further investment on the response side of things?
Torsten George (24:21)
I believe so. If analysts from the likes of Gartner are propagating that, they're very influential, but they're not just propagating it because they want to be a thought leader, but they're propagating it because they're hearing it from their own client base. And again, the conversations I had just over the last few weeks indicate that more and more organisations come to the realisation that they have to better balance their funds between protective measures and responsive measures.
So I now want to sort of talk through maybe if you have some examples of when an organisation has responded well and sort of what was the outcome of that?
Torsten George (25:02)
Well, unfortunately, beyond the business continuity or incident response plan that really defines on paper the people and processes to react to cyberattacks, I don't know many examples that I can publicly reference that have done an outstanding job. It's a sad story. As discussed, most businesses really lack what really matters for a complete response and recovery, which is really that proactive resilience, or the ability to bounce back up when you get struck down and come back as strong as ever. But I really encourage our listeners today, similar to people who live in an earthquake zone, businesses need to have a cyber security go bag that they can grab as soon as disaster strikes. And so it's really important to increase an organisation's ransomware preparedness and ensure that the tools needed for remediation and recovery are not just in place but really functioning as expected. And as I mentioned as an example, this holds especially true for endpoints. I couldn't talk with you right now if I weren't using my laptop, and so it's an essential tool for remote workers to really conduct their assigned business tasks, and so recovering them quickly is very important in today's work from anywhere environment.
Torsten George (26:28)
And so we see that more and more organisations really turn to ransomware response offerings that exist in the market, and it really enables them to assess their ransomware preparedness. It allows them to monitor their cyber hygiene, as outlined earlier, and really expedite the recovery efforts, leveraging always on connectivity to their devices, automated restoration capabilities for their key security and management tools and then, as I outlined, also leveraging automated script commands to really be prepared in case disaster strikes.
So when you said there's not many publicly that you can sort of talk through, why is that the case? Because there are many of these breaches and incidents going on, and if we can't name many of them, it doesn't seem like a very hopeful, bright future then. Is that sort of the case? Because they're happening every day.
Torsten George (27:28)
I think when we look at the past, things often take some time to shift in an organisation. We saw that with compliance, correct. 15 years ago, compliance was the centre point, and we all understood that this checkbox mentality doesn't really help much, that you rather should move towards a risk based approach. And it took about a decade for organisations to do that. And nowadays most organisations take a risk based approach over the checkbox mentality, and I think we see the same in cyber security. We started out with having this picture of, oh, we can create a defence perimeter. Well, with the advent of cloud and now with work from anywhere, that perimeter completely diminished, and people realise that, but we're still stuck with spending our money on protective measures. I think the health crisis was a big triggering point for many organisations to step back and revisit their computing strategy. And so what we see right now is a shift. It will not happen overnight, but it will take a couple of years. You will have more sophisticated companies that are able to transition faster, others will take longer, but I think over the next three years we will see that shift towards cyber resilience and balancing out with preventive measures.
Do you think there are too many opinions, though, so you can't cater to everyone? There are too many cooks out there in the industry. This is the golden rule that we should follow when we're, for example, responding to a breach publicly. Yes, people have got theories, there are companies out there who've done it, but there's no one who really has the standard, so to speak, and it varies. So there's always going to be people saying, oh, they didn't handle it right, because again, everyone's got an opinion, which they're entitled to, but they're always going to say that. I just don't know if, like, I think the problem will get slightly better, but I think because there are so many people coaching from the sideline or from the couch, and so many people who are probably not in a position to make an informed opinion. So, like, customers who are not focused on security as much, they're going to have an opinion as well. Right, and they may not have the most informed opinion, because it's not what they do every day. So I'm just curious to sort of unpack this side of things.
Torsten George (30:01)
No, I think you have a good point. There are a lot of influencers, correct, including the vendors. I mean, the vendors have a motivation to push for their particular technology compared to other technologies, and it's very tough for security professionals to choose. There are thousands of security tools that they can choose from. Which one should I focus on? And another thing to remember is every company is different. Correct. There's a different risk appetite, the infrastructure is different. So you can't compare apples against apples when you look at two different companies alone. And I think for me, always my advice that I give to security practitioners when we sit down is really, let's take a step back and start thinking like a hacker. What are they focusing on? Correct. Let's say if I have a limited amount of money available, how would I spend that? And I would spend it early on the areas where the attackers are most successful, and that's identity. So 80% of today's data breaches are based on weak or compromised credentials. That's a huge number. So if I would invest, I would invest in identity and access management tools. And then the next step is, once the attacker has these credentials in their hands, they're not snapping their fingers and showing up on the server.
Torsten George (31:35)
No, in 68% of the cases they use the employees' endpoints as their beachhead into a network environment. So if I know that too, if that is the common practice of an attacker, I would invest in this area. So I am basically focusing on the front end of the attack chain. And so my investment here yields the biggest return on investment. And then I would now spend the rest of my money, in reality, more on, okay, if I can't stop that front end, focusing on the middle doesn't make sense anyway. So let's shift my funds to really the recovery and response efforts and be prepared for the worst case scenario. And so again, thinking like a hacker often really opens somebody's eyes to what they should focus on.
So in the eyes of a consumer, so not a tech or cyber person, just a consumer, what is it that they're seeking from an organisation once they've been breached? What is it? Is it language? Is it the free services? Is it what, specifically? Because, going back to, and I mean, look, if I look at Australia, for example, I know multiple people that are not security related or tech related individuals that are saying, oh, like, I just wanted to see more, want more accountability. But then it's like, well, what is it? What do you want to see specifically? Do they want them to apologise profusely for another twelve months? I'm just curious to know from a consumer perspective, what are people seeking?
Torsten George (33:08)
I think they seek transparency. And I can give you an example of what I experienced earlier this year. Out of nowhere, my bank approached me and requested me to exchange my ATM card, which is very unusual. Typically there must have been something that happened where you encounter this yourself. You see on your bank account suddenly something suspicious, you get an alert. Here there was nothing. And so I went to the branch office and handed them my old card, got the new card. I specifically asked, obviously I work in security, so I was very curious what happened. They were not telling me anything, which even triggered more curiosity. And it took them seven months before I now received a letter just two weeks ago where they finally admitted that at three of their branch offices there were skimming machines installed in their own ATM machines. And that's why they asked most of their customers to come in and switch out the ATM cards. So for me that was disappointing. Obviously as a security professional more than as a consumer, but as a consumer you feel kind of, why didn't they answer me honestly the first time? So I think consumers look for transparency, be open with me.
Torsten George (34:40)
Consumers understand the landscape nowadays. It's not easy to protect their accounts, and so they appreciate if somebody comes forward and says, this is what happened, here are the actions we have taken and here's what we will do to help you. Which often is really the monitoring for your identity protection, and that's what consumers are looking for: the transparency paired with some coverage, making sure that for the next twelve months we cover your cost for identity protection.
So now I want to sort of understand from you, Torsten, maybe some strategies, like how people can start going about ensuring that they're focusing on their response to ransomware, like maybe just some practical sort of tips and insights that people can sort of take away from today's interview.
Torsten George (35:35)
I mean, again, obviously a lot of organisations as well as consumers are aware of phishing attacks. Correct? That's how attacks often start, and that's no longer the myth that still exists, that ransomware is attached to these phishing attacks. That's no longer how hackers operate. They're really trying to gain access to your credentials and then use the credentials to gain access to a corporation's network environment, do reconnaissance and drop the ransomware at a later point in time. But really, still raising the awareness. Correct? And especially when it comes to credentials, unfortunately we still have the annual password day because people are still using password123 and all of these things that are easily guessable. So this is the first thing, both as a consumer as well as from an enterprise perspective: step up your efforts around password management. There are a lot of technologies out there today that really help manage passwords, because we're all guilty, we can't easily remember everything. So having a password manager that stores away those passwords encrypted is a very good thing. The second thing for organisations is really multifactor authentication. That has helped in many cases.
Torsten George (37:07)
It's often a deterrent. We have to understand hackers. They don't want to spend a lot of time to victimise an organisation, they want to get quickly in and quickly out and make money. If it takes a little bit longer, which often happens when you put multifactor authentication into play, they move on to their next potential victim. And so that's another good preventive measure. Obviously, backing up your data is important too. And then, as I pointed out earlier, it's really establishing your cyber hygiene baseline, consistently monitoring that. Are things working, not just being installed, but are they working as intended? That's very important. And again, there are emerging technologies out there that help with assessing the security posture and fixing it automatically without human intervention. And then again, being prepared for the worst case scenario, having that library of scripts available, being able to still obtain control of your laptops in your organisation, even if they're compromised, using technology that exists for that which is embedded in the firmware of these devices so it cannot ever be removed. And then really being prepared also to potentially bring in third party services that help to recover your environment.
Torsten George (38:33)
These are kind of just fundamentals that people can apply.
Well, thanks very much for sharing your thoughts and your insights. And again, there are no easy answers to some of these questions around how a company should respond. You mentioned before that there's no real company that's done it well. And I think it's having discussions like these to give people and equip people with better answers, better insights, and sharing those. So I really appreciate you, Torsten, for coming on the show today to share your thoughts and your insights. So thanks very much for taking the time out to do so.
Torsten George (39:05)
Well, thanks for having me, really appreciate it.
Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by Mercsec, the specialists in security search and recruitment solutions. Visit mercksec.com to connect today. If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI Digital. This podcast was brought to you by KBI.Media, the voice of cyber.