Phone Number +1-202-802-9399 (US)

Thycotic PAM, IT and Cyber Security Podcast
Listen on-demand

401 Access Denied Podcast

Welcome to the 401 Access Denied Podcast, where we dissect what’s really going on in today’s world of cyber security. Topics range from finding a job in cyber security, to dealing with insider threats, to going inside the mind of a hacker, and more.

Bi-weekly, Thycotic’s ethical hacker Joseph Carson and the cyber security training experts from Cybrary will share their insights along with our special guests.

Want to give input on our next cyber security podcast? Give us your topics

Subscribe or listen now on your favorite podcast app:
Apple | Spotify | iHeartRadio

Voted "Best Cybersecurity Podcast" in the 2021 Cybersecurity Excellence Awards
Cyber Security Excellence Awards 2021

Thycotic produces this podcast in partnership with Cybrary, the cyber security and IT career development platform.

401 Access Denied

Episode 31

Ransomware and Critical Infrastructure Q&A with Dan Lohrmann

EPISODE SUMMARY

We discuss NATO’s new Cyber Defence Pledge and the Biden-Harris White House list of critical infrastructure that are “off-limits” to Russian cyberattacks. Will these new rules of engagement result in significant a meaningful change to protect against ransomware attacks? How does the U.S. Government and its allies hold cyber criminals – and the nation-states that provide them safe harbor – accountable? We’re joined by Dan Lohrmann, CSO of Security Mentor, for this fast-paced discussion.

powered by Sounder

Free Tools

Take the first step to protecting your privileged accounts with Thycotic educational resources and free PAM software products.

→ See All Privilege Management Tools

Secret Server Icon

Secret Server Free

The perfect password management starter tool. 10 Users, 250 Secrets.

Icon - Audit

Password Security Policy Template

Icon - Project

Privileged Account Discovery for Windows

Icon - Test

Customizable Incident Response Template

Icon - Virus

Weak Password Finder for Active Directory

Joseph Carson

  • Chief Security Scientist at Thycotic
  • Over 25 years' experience in enterprise security
  • Author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies"
  • Cyber security advisor to several governments, critical infrastructure, financial and transportation industries
  • Speaker at conferences globally
mm

Mike Gruen

  • Cybrary VP of Engineering / CISO
  • Manages Cybrary’s engineering and data science teams, information technology infrastructure, and overall security posture
  • 20+ years of experience developing and overseeing the implementation of complex, secure, and scalable software solutions and products
  • Previously served as VP of Engineering and VP of Product & Platform at RedOwl
  • B.S. in Computer Science from the University of Maryland at College Park

Joseph Carson:
Hello everyone, welcome back to another episode of 401 Access Denied. I'm your cohost, Joe Carson from Thycotic. I'm the Chief Security Scientist based in Tallinn, Estonia. I'm again joined with my awesome cohost, Mike. Mike, do you want to give us the introduction and also what we have in store for us for the discussion today?

Mike Gruen:
Yeah. I'm Mike Gruen, VP of Engineering and CISO here at Cybrary based out of D.C. Once again, we're joined by the esteemed, Dan Lohrmann. I don't know where the conversation's going to go today. So much has been happening. I think we were talking. Originally, we're going to talk Colonial Pipeline, and then there was the convention in Geneva. So why don't I just start to Dan and let's just see where the conversation takes us.

Joseph Carson:
Absolutely.

Mike Gruen:
Yeah.

Dan Lohrmann:
Well, thanks guys. It's great to be here.

Mike Gruen:
Dan, do you want to give a quick intro?

Dan Lohrmann:
Sure. I'm Dan Lohrmann. I'm a Chief Security Officer and Chief Strategists with Security Mentor in an undisclosed location. No, just kidding. I'm actually in Michigan. I'm in Michigan, United States and it's great to be back with you guys. It's so much fun to always talk to you guys, but also, the last time we talked about ransomware, some of the predictions, we were like two for two I think.

Dan Lohrmann:
The election one we did, almost everything happened where we said at the end, "Is it going to get worse?" I said, "Yeah, I think it's going to get worse." And it got a lot worse. Now we're back talking about ransomware again and critical infrastructure, and then also what happened at the summit with Biden and Putin and all the cyber implications of that.

Joseph Carson:
Yeah, absolutely. I think we can't... Without a doubt, ransomware is the biggest threat to all companies globally all over the world. I definitely agree, Dan. Our predictions and discussions were probably right on point and very timely as well, especially when we looked at things like supply chain with the critical infrastructure. And literally within weeks, all of them basically had either some major attack or some incident ultimately throwing it in the headlines. So I really think it's organizations really need to look at this.

Joseph Carson:
From the summit itself, what really surprised me was that, one was a couple of major topics that came from the summit. One was of course Putin stating that actually the biggest cyber attackers is the US, and that was one thing that I find surprising, that the US is one of the biggest attackers from cyber attacks globally. And then the second point was as well where Biden had made the statement around what he mentioned around these 16 entities that should be off limits to cybersecurity.

Joseph Carson:
I think when you sit back and you look at that, that pretty much covers everything. It was like a very vague coverage that if it's a tech company, that literally can mean almost all companies ... technology, you can literally be a tech company. So I think it's really interesting to see where the next couple of weeks and months go especially when you think about, when's the next cyber attack? Who's the next victim? And what will be the implications of that? So any thoughts or any kind of... What did you take away from the summit itself?

Dan Lohrmann:
Those are great points. I was just telling Mike earlier, I really think the first thing that really surprised me was the announcement from NATO right before the summit. NATO came out and they made a new policy announcement saying that on a case by case basis, in this new comprehensive cyber defense policy, that they will invoke Article 5 on a case by case basis if a cyber attack happens against any nation. We've always talked about the differences.

Dan Lohrmann:
I think in circles around technology, we've always seen the cyber attack very well could be, especially like a Pearl Harbor or a cyber 9/11, could be the same as a physical attack, but this has never really been stated formerly. Now, they raised the stakes saying, "We're all in this together." And NATO coming out with that right before the summit was huge, I thought. I totally agree with you. This line of Biden coming out, as president Biden coming out and saying, "Critical infrastructure is off limits."

Dan Lohrmann:
Well, and Mike and I was just talking about that. Where is that line? So, okay, you can't touch our gas lines. You can't touch our meat or maybe nuclear. We know what the critical infrastructure sectors are, but is the inverse implied there or it's okay touch the local bakery or? Obviously there's a difference in ransomware here. I think bringing it back to the Colonial Pipeline, I just find it fascinating what happened. We haven't talked about this, the three of us. I know we probably discussed this in podcasts and stuff.

Dan Lohrmann:
But when they came out and apologized and said, "We're sorry. We just wanted the money. We didn't mean to cause no gas in the Southeast United States and the gas lines." I actually believe that. That's probably really true, that they didn't intend. They didn't maybe. Who knows whether they intended that or not. But going forward, there was going to be this line and they've announced now.

Dan Lohrmann:
A couple things; They're going to have a call it what you want to call it, committee, commission, joint task force, whatever, to figure out rules of engagement in this new cyber world. If you want to call it the red phone, you got to call. You cross the line with this one. It's almost like, what is that line? How do you define it? Certain ransomware's okay, but others is not. I know the president didn't say that, but there's going to be a lot of jockeying for position and what does that mean?

Dan Lohrmann:
And plausible deniability. Of course, Russia came out and said that we don't know anything about this. We didn't do anything about it. My sense was, and I came out with a blog about this, we can get it to you guys and we can post it later, but almost two sets of negotiations. Publicly they're going to say one set of things, and then behind the scenes, you got the intelligence. You got stuff at the top secret level.

Dan Lohrmann:
We can prove stuff. The people know what's going on really. And what is that line? How do you define it to make sure that steps are taken? Those are just some of my thoughts.

Mike Gruen:
Dan and I were talking before, and I think this is what's interesting to me on the Article 5 stuff, which is, in the old days, war was war. When a military launched a military operation, you knew that it was backed by the government and so on and so forth. In this new cyber world, a lot of the actors aren't as directly tied to the state, and so it's going to be interesting to see how those rules of engagement also.

Mike Gruen:
What happens if it's just a set of bad actors within our borders? And what does that imply? And how's this all going to unwind? It's just a really messy and interesting. And just trying to wrap your head around all of that is going to be... We'll see how it unfolds.

Joseph Carson:
Yeah. I think one of the things is that, it goes back to a lot of what I've mentioned before on ransomware. Some countries have been giving safe harbor. They've been giving safe havens to criminals as long as they operate against basically not against their own country, as long as they attack other nations that may not be as friendly to their nation. So that's always been the case. Now of the situation... The problem we get dawned to is that there's no accountability for those criminal operators within those countries.

Joseph Carson:
There's no basic extradition. They're not being brought to a criminal court, and that's really where I think the cooperation needs to be focused around that, is that if you do have criminals operating within the country that are attacking other countries and other infrastructure, they need to be held accountable, and it's the government that should be held responsible for bringing them basically to justice.

Joseph Carson:
This was really what we need to get to, and that's where all countries need to come together to provide that corporation transparency and hold those countries who do provide safe havens for criminals accountable for the actions. This is really where we need to get a corporative stance. I hope this is some of the discussions that did happen at the convention and that summit, and I really do want to see some accountability coming out of this. It can't be just words. It needs to be actionable, and that's what we really need to see.

Mike Gruen:
It does make me think of other similar situations. I don't want to get into a whole political discussion, but other situations where it's similar to, let's say I'm just a group that's launching rockets out of my area. I'm not really necessarily part of that government. It's the same sorts. It's, how does the government respond to those people? How does that government? I don't think we have a great track record around the world of dealing with these things. So I agree with you, Joe, but I'm also somewhat I think more skeptical that we can get there. Dan?

Dan Lohrmann:
I think the challenge we've got, for those who don't know me, I come... My background is National Security Agency. I'm not going to talk about those years working with NSA and GCHQ. The reality is you read the books from the Cold War. There's always two sets of things going on. You have these nuclear summits. You have these different things. But behind the scenes, the Russians are hacking the US Embassy in Moscow and all these other things are going on. They're fascinating reads. I love it. It's kind of James Bond kind of stuff, but a lot of it is... Most of it is true.

Dan Lohrmann:
A lot of it is really fascinating. My point is, in this new cyber world, I believe that at one level, there are things that Russia does not want to have happen. They want to be on the world stage. They want to be in the G8 or G7. They want to be a player. The very fact, many commentators were saying before the summit, Putin already won by just having this event. We're watching the cars as they're driving through Geneva, and the president is getting out of the car. And what color is his suit?

Dan Lohrmann:
Putin, he comes walking up and he shakes hands with... All of this, all that pageantry, if you will, is what Putin wanted. He wants to be in the world's stage. He wants to be a player. I don't see Russia giving up. I don't think they can. They think they can compete with the US Navy and the US Space Program and all of that and economically, etc., but they can. I think I believe they think they can compete in cyber, but they don't want to cross that line. They don't want to go into, what is that line? Where is that line?

Dan Lohrmann:
That line is fuzzy of being called a terrorist state. I'm not a North Korea. I'm not an Iran or Hamas just blowing things up or whatever it might be. Maybe they're supporters of Hamas, I'm sorry, but I'm just saying that they don't want to be labeled as a terrorist organization. And so, there's going to be two sets of things going on here. There's going to be, I agree with you, Joe, we need those international laws. We need to hold criminals to account.

Dan Lohrmann:
I'm 100% with you, and yet when you bring nation states in, you've got the decades old espionage hacking what's allowed because I don't believe the US to your initial point is hacking nearly as much as the other countries are, but I have no doubt that the US is doing some hacking from our side. We'll go into that, but I'm sure there's a hack back thing going on to get some of these Bitcoin back and everything else. My point is it's going to be very interesting to see what the new rules of engagement are, like you mentioned, what happens next, how that works.

Dan Lohrmann:
And then maybe a little bit later in the show, we could go through this new practical taskforce recommendations. One of these is about nation states, but there's really a whole list of recommendations that really need to be taken seriously by companies around the world, certainly in the United States to make sure they're doing what they can to defend themselves. One of the recommendations is around nation states, Joe. We can walk through what some of those top recommendations are.

Joseph Carson:
Yeah, absolutely. One of the things I do want to cover as well is that recently, with the ransomware attacks, a lot of it has been impacting critical infrastructure and supply chain, which we've seen that being fragile alone and causing basically panic at petrol stations. We've got gas stations. People are just rushing and filling up their backs of their pickup truck with gas and you're just shocked to see some of those things happening and the price fluctuations as well.

Joseph Carson:
And then looking at, what was it? One third of the global meat supply being impacted? You look at those and really this fragile of just-in-time was it delivery, just in time production, all of those things, the supply chain and how fragile it can be. Who knew that meat could drive a lot of people to panic and increase the prices of certain things significantly? How fragile is it right now? And is this just a tip of the iceberg of what we're going to see coming?

Joseph Carson:
What do you think around the critical infrastructure? And even the amount of money being paid to the criminal on the ground for me was shocking. In a couple of... Let's look at the Colonial Pipeline one. What was shocking for me was it wasn't actually the SCADA controls. It wasn't the pipeline that was impacted, but the billing software. The management decided to shut down the... There's basically the control was in the SCADA and the movement of the gas because they couldn't calculate the billing side of things.

Joseph Carson:
It shows how IT and OT have a very, very strong connection, even if they might be let's say air gapped in some elements, but there is a connection between basically measuring the billing side versus the OT side of things. And then we get into for JBS, that for me around what was specifically interesting there was that they did mention they were restoring from backups. And then all of a sudden, you find out later that they did actually pay a ransom of almost $11 million. For me, those figures are shocking.

Joseph Carson:
What's driving these major companies? What's driving them to having to pay the ransom? I don't think the solution is going to get the FBI to try and siphon some of the money back. I don't think that's the long-term solution either. Any thoughts around, what could these companies do better? And what should other companies learn from it as well?

Dan Lohrmann:
Yeah, there's so much to unpack. It why we have the show. Those are great points. Those are really, really good points. Starting high level, I think we really should at some point walk through these five recommendations, the top five priority recommendations, and several of them do address individual companies. I would say we are very vulnerable. We are very... The very fact that we're having the summit, I'm not...

Dan Lohrmann:
There's a lot of other issues with Russia and the United States right now obviously around dissidence and just a whole range of issues we had to deal with, but I think there's a real sense with some of the other things that were announced in the last few weeks with China hacking different other vulnerabilities and nuclear facilities, other types of announcements, what happened. These are just the two big ones, but the same the week after we resolved the Colonial Pipeline, all of the NHS going down in Ireland and being down for almost a week. The vulnerabilities are widespread.

Dan Lohrmann:
It's a little bit... It's almost like America woke up. I think the Colonial Pipeline, there have been bigger incidents, bigger breaches, bigger problems in America. I don't know that there's ever been anything more impactful than what happened that five-year-old kids are now asking, "Dad, what's ransomware?" Because they're seeing the lines at the gas station. That just has not happened. Even though there's been much bigger ransom payments, there have been bigger incidents than this: The OPM breach, others.

Dan Lohrmann:
The answer to vulnerability is we're very vulnerable. I think it's going to take a sustained.... I do think... Well, no one wants to use the word Cold War. In the release after the summit, they've said, "We're not... We don't want to have another Cold War. We don't want to..." I think we're in a cyber Cold War. I think it is exactly what's going on. Nobody wants to use those words, but I really do believe that it's that line.

Dan Lohrmann:
Crossing that line, there's going to be two sets of things going on. We're going to cooperate at some level, because again, people want to play on the world stage. We're going to have so much with China, so much with Russia, but behind the scenes, there's going to be a lot of espionage going on with both sides. I don't know if you guys are going to read through some of these arguments of some of these...

Joseph Carson:
Oh, absolutely. Yes, please read.

Mike Gruen:
Yeah.

Joseph Carson:
Yeah, let's go through this.

Dan Lohrmann:
First of all, it's just for people to know, go to securityandtechnology.org, securityandtechnology.org, and then hash of /ransomwaretaskforce/report. That's really where this is at. You could just type in ransomware taskforce, it pops right up in Google. The first recommendation is we need a coordinated international diplomatic law enforcement effort proactively prioritize ransomware through a comprehensive resource strategy, including a carrot and stick approach to direct nation states away from providing safe havens to ransomware criminals. That's exactly what Joe was just talking about.

Dan Lohrmann:
That was the first recommendation and the first thing we have to have right out of the gate. The second one is United States should lead by example and execute a sustained, aggressive whole of government intelligence driven anti-ransomware campaign. The whole of government anti-ransomware campaign coordinated by the White House must include inter-agency working group led by national security council and the coordination with the nascent National Cyber Director, internal US government joint ransomware task force, and a collaborative private industry led informal ransomware threat focused hub.

Dan Lohrmann:
That was two. We just need to five. Number three was, government should establish cyber response and recovery funds to support ransomware response and other cybersecurity activities. Mandate that organizations report ransomware payments. We'll talk about this. I think there's a lot of controversy around this. Do you have to mandate? Is it shaming a lot of pushback on this one? But we'll talk about that. Require organizations to consider alternatives before making payments.

Dan Lohrmann:
Talk to a number of different people on the task force personally, and that was a big debate. Do you outlaw ransomware payments? Do you not? Is that helpful? Is that not helpful? We can talk about that. Number four, internationally coordinated efforts should develop a clear, accessible and a broadly adopted framework to help organizations prepare for and respond to ransomware attacks. In some under-resourced and more critical sectors, incentives such as find relief and funding or regulations may be required to drive adoption.

Dan Lohrmann:
And then last but not least, this top five. It is like over 50 recommendations, but these are the top five. The cryptocurrency sector that enables ransomware crimes should be more closely regulated. Governments should require cryptocurrency exchanges, crypto kiosks, and over-the-counter trading desks to comply with existing laws including know your customer, KYC, anti-money laundering, AML, and combating financial financing of terrorism laws.

Dan Lohrmann:
Again, there's a sense that cryptocurrencies maybe not be the cause of the problem, but they're certainly enabling the problem or basically causing a growth. Stop there.

Joseph Carson:
Absolutely. I think definitely for me, it's a good starting point. I think there's a lot more that needs to be done definitely around that transparency. One thing, you definitely honed in on the making payments side of things and mandating reporting. It doesn't need to be public reporting. It should be to at least law enforcement, so at least they're keeping track and records off the victims and providing at least...

Joseph Carson:
The good thing is that once you know a lot about who the victims are and you find out more about the techniques that was used, you can typically associate that to a specific criminal group, which is important. It's important to know who's the biggest act. A lot of these ransomware guys, probably a large portion of them, are probably making up about 80%. That's a handful of the criminal groups. They're probably just in a few groups specifically that's causing a large, especially the ones that's turned into affiliate programs like we've seen in recent times with the Dark Side. They were an affiliate program.

Joseph Carson:
They were not distributing the ransomware themselves. They were making it available to other criminals who would actually use it and they would receive payments in regards. They're loyalty payments, almost like a partner program, and that's what's really accelerated a lot of this ransomware as a service scenario. So absolutely. I think they had some type of ethics saying we don't want to target hospitals or critical infrastructure. But when you're doing an affiliate program and you're not controlling significant who becomes the victims, that's going to get out of control.

Joseph Carson:
That's where you have some type of loyalty between criminals sometimes, a code of conduct between criminals of who you attack and who you don't attack. For me, I think getting into the transparency, getting into the reporting, I think it's really important and making sure, should ransomware payments be permitted? Because I think when you think about it, it is funding a terrorist group, that is, these are terrorist groups. They're cyber terrorism.

Joseph Carson:
They're using ransomware as a cyber weapon, which is a significant impact for organizations, and therefore this should be really classified in terrorism. I think that's what NATO had mentioned, that this is terrorism, and that's why they were looking at it to hold those countries accountable and trigger Article 5. What this really brings a big question into, quickly of course the Dark Side quickly disappeared. Of course, the latest one with JBS or REvil depending on how you want to call it. They didn't disappear.

Joseph Carson:
They're continuing to. REvil is what they do call themselves, but it really gets into, what happens in the next one? Are actions going to be really taken? Because it is only a matter of time. I think almost in a... Every day, there's a ransomware victim. It just comes into someone, the next victim being, let's say a supply chain or a critical infrastructure. What actions? What do you think the government's going to take in the next one? Do you think they're really going to take a significant action when it does happen again?

Dan Lohrmann:
There's a lot of debate about that, and there's a whole chain, Mike and I were talking earlier, related to what can the government.

Joseph Carson:
What can they do?

Dan Lohrmann:
And on the one extreme, people actually saying, "Let's have a cruise missile," almost like in Libya and the bombing of Pan Am. Just go back in history again, learning from history when the Pan Am 103 went down or Reagan bombing Libya, that's an extreme, but some people say the physical worlds and cyber worlds are coming together. At some point, will there be a physical? We know where they live and we know the apartment they're in. Will there be a cruise missile going into somebody's apartment complex?

Dan Lohrmann:
Somewhere in the future, that probably is going to happen on the extreme. Now, if that's in downtown Moscow, I don't think so because that's now an act of war now the US is launching missiles into Russia. I don't see that happening in the future. Now, the hacking back question, again, you've got a lot of issues around attribution. Joe, you probably know way more about this than I do, but attribution is hard, and there's still a lot of people pointing at, was it China? Was it Russia or different events?

Dan Lohrmann:
Or was it somebody else? Or was it launched right here in the United States by somebody in some other part of the world? And so, there's all these different themes around that, what people say. I think hacking back for sure is happening now. Will that become legalized? Will that become some kind of self-defense law in the United States where you have the ability to... Again, there's different levels of this.

Dan Lohrmann:
I think we talked about this in a previous show. What level of... Is it defense? Is it, you can go after the IP address that attacked you but no further? There's all kinds of different implications to that, but I do think that when this happens and when there's a perceived crossing of the line, there's going to be at some point, probably in the next six months or a year, I don't know, and it's hard to put timelines on this.

Dan Lohrmann:
But soon enough, there's going to have to be a show that, hey, we're not going tolerate this and we're going to do something in response. I think there's a range of options all the way from military, all the way to Stuxnet. We know what happened with that. Could you bring down the capabilities of the terrorist organization of the cyber criminals? I think all of that is on the table, and I think those kind of scenarios and contingency plans are being put in place right now.

Joseph Carson:
Yeah, absolutely. I think for me, going back to your point, attribution is the most difficult thing in our industry. Cyber attacks can be launched from any where at any time automated. A lot of the cyber criminals out there, they use what's called a misdirection. They will basically, you've got attackers basically repurposing other nation states code and repurposing it, making it look like it came from another country, and therefore misdirection and attribution is one of the most difficult things. Well, the last thing you want to be doing in a cyber scenario is attacking the wrong victim, is attacking another victim.

Mike Gruen:
The other thing is they hopscotch. Where they're attacking from isn't necessarily-

Joseph Carson:
The country...

Mike Gruen:
...attacking you. They may themselves have been compromised by-

Joseph Carson:
Correct.

Mike Gruen:
... an attacker, and so now you're just attacking another victim as opposed to the actual group. And so, I think that's another part of attribution. It makes it very, very difficult.

Joseph Carson:
Absolutely. And then-

Dan Lohrmann:
So Joe, what do you think? What do you think would be-

Joseph Carson:
... I think this really comes down to... Say it again.

Dan Lohrmann:
I'm sorry, go ahead. What do you think would be the action if-

Joseph Carson:
What did you ask, Dan?

Dan Lohrmann:
If they had a major infrastructure utility, what do you think the action would be that the US would respond with?

Joseph Carson:
I think right now, if a critical infrastructure is hit, I think one, the most important thing is confirmation of attribution, at leastto the origin as most as you possibly can. Before you do any action, you want to make sure you take all political types of actions. Before you get into taking let's say a kinetic type of attack back, you want to make sure that basically you have verified and with high confidence that you've got the origin. If you know what's in a certain country, then you have to hold that country responsible.

Joseph Carson:
You have to basically politically get in touch with the government. If there's multiple countries or let's say this company or the victim is a multinational, then you want to make sure that all of those countries that have been impacted by this corporate together to hold that country responsible and accountable to make sure that they actually provide basically some type of let's say Europol or Interpol type of cooperation to bring the criminals to justice.

Joseph Carson:
Ultimately, if it's difficult. If that cyber attack does cause death or does cause human impact, then of course that really will come up to the determination whether there is a kinetic response to that. But I think the first things we should all be doing is one is definitely silently. You might be doing offensive capabilities back in order to verify, to determine attribution, to get the logs yourselves, to get confirmation who was buying the keyboard.

Joseph Carson:
A lot of that's been happening in the background that we don't see, but I think the first and foremost is always a political response versus a military one. I think that's... The last thing we want to be doing is making things escalate, and it can quickly get out of control if we do take military responses.

Mike Gruen:
I'm curious what you guys think we might be doing rather than in a reactionary way, but more in a preemptive way. What do you think the government could be doing to help defend and protect our own companies and infrastructure and the rest of it from these types of attacks? I'm sure there's actions that they're already taking. I don't know if I can think of some, and I'm curious what you guys think are some things we could be doing or the government could be doing preemptively.

Dan Lohrmann:
I can start.

Joseph Carson:
I think that's definitely-

Dan Lohrmann:
I would say...

Joseph Carson:
Yeah, go ahead. Go ahead, Dan.

Dan Lohrmann:
Okay. I think that there are sector specific plans already that we've been talking about for more than a decade. I remember being in a meeting in '05, so 16 years ago in Michigan where we the original critical infrastructure protection sectors, every sector needs a plan. What do you do if you attack? Obviously one of the first ones was the electric grid, but oil and gas, they have plans. I think the supply chain angle has made it infinitely more complex. A lot of times, you have... In Michigan, we have Consumers Energy, Detroit Edison, and the big, I'll call them wealthy, but the larger utilities maybe had a really good plan.

Dan Lohrmann:
But the scenarios only went so far and it's like, if certain things happen, who are you going to call? And then of course, we had the Target attack a few years back and it was a supplier. In many cases, we had SolarWinds was obviously a supplier to all of these companies that were then hacked via SolarWinds. And so, the issue is covering all the doors and all the exits and all the entrances and all the employees is very, very hard. And so, I think most of these critical sectors, number one, they already had the plants.

Dan Lohrmann:
Many of them thought they were ready five years ago. I've been involved in some of those tours. I've seen the complexes in the auto. Here's all the things we've done since the last time we met, and it was an impressive list. Problem is they didn't generally want to go maybe tier one, tier two, tier three. They didn't want to necessarily get all the different exits. Nobody wanted to go there like, okay, SolarWinds is going to get hacked and it's going to impact thousands of companies around the world because that was off the table, if you will.

Dan Lohrmann:
Nobody formally said that, but no one really... It wasn't in the plan before like all of our key suppliers are going to get hacked, and then what are we going to do about that? I think the challenge we've got is the horses are already out of the barn and we're building a better barn. I mean, it's going to take some time, so I think in every single sector right now, they're meeting with them. They're saying, okay, you used to go this far, wherever that line is. Now you need to go this far.

Dan Lohrmann:
You need to go further, and it's going to take time to say, well, what does that mean? I'm talking about secure code, everything from awareness training and cyber hygiene, making sure patches are applied. And people said, "Oh yeah, we're going to apply critical patches within," I'm making this up, "two weeks." Well, two weeks may not be enough. Maybe it's got to be two hours and going from-

Mike Gruen:
But two hours might leave you vulnerable too because maybe that patch was actually the patch that...

Joseph Carson:
Right.

Dan Lohrmann:
The other thing is to that same point, we had this issue and it's like a question of some people would say this. I'm not going to say in public, but I mean I'm actually sympathetic to this thought. If they really want to get... The Russian government really wants to get your company, will they get them? If they decide they're going to apply enough resources, they're going to fly in university students who are going to get jobs as interns and they're going to be inside and they're going to physically have people on the ground and they're going to...

Dan Lohrmann:
There's all kinds of ways governments and companies can be compromised, is again learning from history. We have the case at NSA. We've got all these espionage cases and we know some of those stories. You can read about them. It's really hard. But I'd say for companies, it's not hopeless because if you're going to be basically do 90, 95% of the cyber hygiene things, you can stop the vast majority of these attacks. The vast majority of attacks are not coming from the Russian military government.

Dan Lohrmann:
I don't believe that. I agree with Joe. It's criminal organizations and they're a cliche of, if you have protections on your house, you just have to be more secure than the house next to you. Because the robber's going to say, "I'm not going to that house. They've got all these alarms and systems and everything else. I'll just go next door." There's some truth to that. And so, if you've got certain protections in place, you're going to be better than the guy next to you. Does that solve all of the problems?

Dan Lohrmann:
We've got years of work, and the bad guys are getting better all the time. So I think this is going to be an ongoing Cold War for the next few years at least.

Joseph Carson:
Yeah.

Mike Gruen:
I'm kind of hoping that there's some government organization that's on the more law enforcement side that's using law enforcement type techniques to infiltrate these criminal. The nice thing is these are organized crime organizations in a way. They're affiliates. There's got to... There's clearly ways to infiltrate and potentially help identify companies that are vulnerable just by being part of that, by having your normal investigation-

Joseph Carson:
Absolutely.

Mike Gruen:
... techniques.

Joseph Carson:
For me, Mike, I completely agree, that's the path that we need to go down because I don't think there's anything we can do defensively to be honest to protect everybody. Some infrastructure, some critical infrastructure or some agencies, some companies can put the best and the brightest security solutions in place, but I think that's... Not everyone's going to be covered by that, and you're going to have many victims. I think the two things we really need to go after. One, when you want to stop these types of crimes, you go back.

Joseph Carson:
Dan, you mentioned you're looking back in history. You can go back into the mafia, the mobsters, the criminal guys that operated 20, 30 years ago, that basically you infiltrate the gangs and you go the money. That's the two methods. I think, Mike, you're alluding that you really need to make sure that you understand who's behind these criminal organizations, that there is a face and a name. That's what you want. You want to make sure who... And if it is a decentralized group working together, you want to bring that visibility.

Joseph Carson:
You want to bring the awareness and knowledge of who's basically behind these organized crime from a criminal perspective? The second point is going after the money, making it impossible for them to get paid. These are the ways that you can actually make sure that it becomes less lucrative, less attractive to become a ransomware criminal. I definitely think what NATO had mentioned and what the US government's alluding to is that this is a national security issue, because I think there's a big difference between... One is, there's the likes of traditional espionage, types of information gathering and finding out about your diversity.

Joseph Carson:
That's one thing. But when you're attacking them on ransomware, ransomware is not information gathering. It's a destructive weapon, and they are two very different approaches. I think that this should be really treated as terrorism. It should be basically going after as much as possible by as many companies, countries as possible to make sure that one is that the money's not going to get paid, and two is that they infiltrate and actually bring those members of the organization, the leaders of those organized crime to the surface, so they can be held accountable.

Joseph Carson:
If they have... They can't stay anonymous. I think the recent sting operation that they did with the ... I think that was very intelligent. It was very targeted. You had to have that phone. Of course it'll lose the privacy and a lot of privacy out there will raise a lot of questions over the methods. But for me, it basically, you had to be given the phone. You had to be an access. It was a very targeted approach, but it did bring a lot of criminals to the surface.

Joseph Carson:
It did actually bring them out of behind those anonymous basically curtains. I think that's techniques. That's where, Mike, I think traditional law enforcement practices, I think they can go to better use in that direction than trying to work on the defensive side. I think that's a much more difficult approach. Yeah.

Mike Gruen:
I'm also curious, Dan, we talked... Joe and I talked a couple episodes ago about the FBI. I'm trying to remember where they went in and they were actually notified people of, "Hey, your server is really-

Joseph Carson:
That's a non-group.

Dan Lohrmann:
Yeah.

Joseph Carson:
The exchange servers, patching the exchange servers was the-

Mike Gruen:
Patching exchange server for you. I'm curious, Dan, what maybe your thoughts are. Should the FBI be going around? Should we have people, law enforcement coming to our doors and shaking them and making sure they're locked and letting us know if they're unlocked? And if they are unlocked on the inside, then locking them for us.

Dan Lohrmann:
That's happening. It's happening now. Joe's got probably more experience with this than me, but I have done some speeches back, even going back 10 years ago in Eastern Europe and the FBI agent stationed right there where the criminal gangs were. We just had a bus I think yesterday within Ukraine about a ransomware gang which was a really good one. I do certainly... To me, I agree with a large part of what Joe said. I think it's going to be all of the above. I think it's like, there's not any one simple answer.

Dan Lohrmann:
Taking the incentives, the cryptocurrency, the payment method, tracing the money. It was interesting this morning talking about some of the other topics from the summit with Putin, president Putin and Biden, president Biden what they thought would be successful, what Russia fears. this gentleman said it was foreign bank accounts, freezing foreign bank accounts of high level Russian officials. They know who they are and they know where the money is. I think it's an all of the above approach.

Dan Lohrmann:
I think if you look at the ransomware task force, there's like 50 recommendations in there, and they've got the top five that we read, but you go read those. The challenge is, it's like so many things in life. Define a good athlete in basketball? Is it, do I need to run? Do I need to run? Do I need to shoot? Do I need to throw? Do I need to catch? Yes, yes, yes, yes, yes. You need to do all of the above. Well, what if I'm a really good hitter, but I can't catch or I'm not very fast and I'm not... And we start getting into, okay, how good of a player is this player?

Dan Lohrmann:
Whatever the sport is, man, or woman, whatever it is. I think the same thing is true in this. I think there's a lot of pieces to this. I think defense is a big piece of it. I think we've got to get better at protecting ourselves in the same way. Again, learning from history, it's making it. The government's got to help with this. It's got to be a public private thing. I do think to your question, Mike, the FBI is doing that now.

Dan Lohrmann:
We used to always say when I was a CSO for Michigan government, and we would see the FBI would knock on doors, thank God not in our situation. We had a very open line with them with InfraGard, so a lot of public private working together, but a lot of times, it was the FBI that would notify companies that they had been hacked. And again, with ransomware, it's more the other way around.

Dan Lohrmann:
They're getting encrypted and then they're calling the FBI. But certainly with data breaches in many cases I know of, it is somebody in law enforcement, Secret Service, FBI, state police, somebody notifying people that their name is on a list, or their credentials have been compromised, or their information is available in the dark web. You need to do this right now because this is coming. I think better intelligence about what's coming next, all of that needs to ratchet up the game so that people, there's a deterrence and then we also need the offensive piece of it as well.

Dan Lohrmann:
I think it's, all of this has got to get better, because now be honest today, we are very vulnerable and we're behind. The cyber criminals are winning, and I think Russia is going to probably take a step back and some other countries that may be hosting these criminal gangs. They want to at least show for a time that they're participating in some kind of international cooperation, but I think quietly, there's going to be other stuff still going on.

Dan Lohrmann:
I don't see this. If guys, I come back in three years, I think we're still going to be talking about cyber criminals in Russia, and I don't think it's just going to end any more than we can say we're going to end crime in American cities.

Joseph Carson:
I completely agree. We're seeing a lot of the gangs being let's say arrested and convicted within Ukraine. Do you think Ukraine is a major hotspot for this? Because a lot of the major arrests around ransomware gangs and criminal gangs have come from Ukraine recently. What role do you think Ukraine has? Or is it just more of a place to operate for Russian criminal gangs?

Dan Lohrmann:
I think it's a cooperation that we have with Ukraine that we don't have with Russia. I think that Ukraine, it's working together. It's like, okay, we're partners. We're going to... And Korea was involved in this latest one and other international. Again, I think I know of FBI agents that, again, it's things I can't share publicly, but that work together. They work together with Russian agents to actually stop certain types of cyber crime.

Dan Lohrmann:
I think there's a level of cooperation we have with different countries where we will cooperate in certain situations when it's in those country's national interests. I don't think it's the same across the board, and I think our level of cooperation with Russia is way, way, way and China, much lower than it is with the Ukraine.

Joseph Carson:
Yes. Do you also mean... One of the things, also my concern is that a lot of these cyber criminal gangs have mercenaries. I tend to call them mercenaries in many cases, is that my concern is, is that, one of the reasons why certain nation states are giving them a blind eye is that on occasion, they do work for the government. This is the challenge, is that they don't want to have that connection or have that let's say attribution tied to the government when they're having these mercenary groups carrying out sometimes government initiatives.

Joseph Carson:
Do you think that this is something that might be a challenge especially for the Russian government to cooperate in those regards, that if we do have mercenaries who have in the past done certain work in order to get that blind eye from the government and to get the ability to continue their criminal operations, what do you think? This might cause some challenges.

Dan Lohrmann:
I totally agree with you, Joe. I think I heard... I forget his name now. I wish I did. I should have. I didn't prepare for this. But a few years back, I heard a journalist from... I think he was either from the BBC or the London Times who gave a fascinating talk. It was like an hour long talk. I sat in on at a major conference and a cyber conference, and he walked through one case. He traveled the world to find that name and find that face.

Dan Lohrmann:
He got cooperation and literally was working with the Russians and chasing these people all around Russia. He was like a flight behind these guys and it got down to... I won't go into the whole spiel, but it's a great presentation. But going back at the history ... wrote a book about it and it was saying exactly what you just said. It's like, they finally are chasing that one city in Russia and it was... Again, this is probably paraphrased. I'm going to get some of these facts wrong.

Dan Lohrmann:
But by and large, the guy's uncle was a general. His cousin was working with the government. He himself wasn't, but he had been in the past and it was like, the bottom line is these guys have different hats and wear them different. Sometimes they're government officials, sometimes they're not. Sometimes they're related to government officials, their brother, their cousin, their friend, the guy across the street, the guy that runs the bar at the corner.

Dan Lohrmann:
They all know each other there. It's all in the family. And bottom line is they got all the way to the end, and it's really fascinating. They finally got the warrant for his arrest. They worked with the Russian government. They got all the way to the point where they were going to do the arrest and they said it was delayed. It was delayed. They're waiting for the warrant or whatever to go in, and they had the delay one day. And then they went in and he was gone. They said he left two hours earlier. And so, somebody tipped him off.

Dan Lohrmann:
Somebody tipped him off, and it's exactly what you just said. It may be the same individual doing multiple jobs or you're in, you're out, you're in, you're out. You're part of the community. You're not part of the community. My brother's in the community. My friend is, my uncle. I'm not saying it's all of it. I do not think it's totally corrupt because I don't believe it is, but I think there's a lot of it.

Dan Lohrmann:
That's when people say, "Putin knows about everything going on in Russia." He may not know about everything, but he allows certain things to happen. Did he know that Dark Side was going to hit the Colonial Pipeline or not? Maybe it's plausible deniability. Maybe he didn't, but he sets the framework in place, their team to allow certain things and not allow certain things. Yeah.

Joseph Carson:
I'm pretty sure that he knows who's behind the group. I don't necessarily believe that he knows who all the targets of those groups are ... is they're probably all somewhat trained in certain areas as well, so it allows them to wear as many hats. Completely, for me, it's, you may not be aware of what all the activities are exactly doing, but you definitely is guaranteed in Russia they know who they are and they're letting them get away.

Mike Gruen:
And I think to Dan's point, they set the framework. If you put the boundaries on who's off limits and who's not, then those groups can operate within that framework not having to say, oh. You're right, there's those guidelines in place essentially.

Joseph Carson:
And there's probably money exchange.

Dan Lohrmann:
And I think the other...

Mike Gruen:
Yeah.

Joseph Carson:
Yeah.

Mike Gruen:
Yeah, a liability, absolutely.

Dan Lohrmann:
The organization can. It works to their interests. Cyber's an area where they feel like they have an advantage. Strategically, we may say, no, you don't. We've got Harvard, Yale, MIT. We've got the best cyber people in the world. Believe me, I don't know all of them, but I know a lot of them in NSA. They are very, very good. So we have a lot of good people on our side fighting for us, but the rest of the world feels like, you don't need to build a $2 billion aircraft carrier.

Dan Lohrmann:
You can just get a PC and you get a laptop and internet connection and hack away. And so, everybody feels like the internet is the big playing field that enables somebody in deep dark Africa to do what they need to do, and so it's a challenge.

Joseph Carson:
Absolutely. I'm really hoping that this ransomware task force does take off. I would definitely want to see this as something as a definitely multiple country, multiple states working group. I don't think it needs to be a US only initiative. I think all countries need to sign up. I think this needs to be-

Mike Gruen:
I don't think it can be US only. It'll fail if it's a US only initiative.

Joseph Carson:
It has to be, potentially even within NATO would be... This probably should be more of a NATO or at least a multiple country initiative. I think it needs to be centralized in regards to the working. We do have the NATO Cyber Defence Centre of Excellence. It's more of a research location I think we really need to have into more of an actionable cyber center that is more about not just the research and the academical side of things, but more focused about basically offensive capabilities or reaction or political.

Joseph Carson:
They need to have some actionable side of things, so I definitely hope that this becomes much more of a centralized global cooperative group that would really make sure that all of these actions that they set up, whether it'd being to do with the transparency and holding countries accountable, to tracking and tracing the money to make it more difficult for criminals to be successful, all of those things that was set up. The five that you mentioned earlier, Dan, I really do hope that they come to really something that does become a concrete working let's say strategy. But definitely, my concern is that ransomware is going to be here to stay and it will evolve.

Mike Gruen:
Yeah, I think it is. I think there's... But hopefully we can minimize it's impact, it's attractiveness, and so on and so forth.

Joseph Carson:
Absolutely.

Dan Lohrmann:
Well, it's evolving too guys. You know that. It's not just, it was about encrypting data. A year ago or two years ago, we were talking about, do data breach laws apply to ransomware? Because they're not actually stealing the data. They're just encrypting it. Those days are long gone. Now they're exfiltrating the data and they're encrypting it and they're holding the exfiltrated data... You know what happened in Ireland with National Health Service.

Dan Lohrmann:
You know what I'm saying? "Well, we're sorry we didn't mean patients to be impacted. Cancel all your appointments and everything. So we'll go ahead and we'll give you the data back, but we still need you to pay the ransomware or we're going to release all that sensitive private data on your health records to the public." And so, it is-

Mike Gruen:
Or the D.C., police, the same thing that happened to the D.C., police, right?

Dan Lohrmann:
Correct.

Mike Gruen:
Sorry, Dan.

Dan Lohrmann:
There's a long list. It's weekly if you follow with stuff. Not everything's making the front page of the Washington Post anymore, but I heard one person say there's a ransomware every three minutes. That seems a little bit too much to me, but I don't know. It's crazy, the numbers. It's happening all the time. And then the other question is, we don't even know how much of it is happening if it's not reported.

Dan Lohrmann:
That there's stuff, that payments are being made and the police never even know about it, so it's not even being reported. I do think it's evolving what we call ransomware today because it was encrypting data and holding you for ransom to pay and then we'll give you the key. That's obviously not even... It's almost like a 2.0 or 3.0 or 4.0. And so, at some point, we may have a different name for it. We'll rename it to something like extortionware or something else.

Mike Gruen:
Extortionware, right.

Dan Lohrmann:
The one that you came up with, Mike.

Joseph Carson:
...But absolutely. I think we're in version two of ransomware evolution where it really is about... It does... When you think about last year, Verizon data breach investigation report did not classify it as a data breach, where previously it was a security incident before that in previous years, but now it's classified as a data breach because it is about data exfiltration. Really when you think about the CIA out of confidentiality, integrity and availability, so all of that has not being impacted. Ransomware impacts all three of those now where it used to be just two.

Joseph Carson:
It used to be about the availability of the systems and the confidentiality. Now it's about the integrity as well. All of those are now being physically impacted by ransomware. I think what I'd like to see with the money that's going into it right now, I'm worried that 3.0 is going to be much more sophisticated and our defenses are probably not going to hold up. And so, we have to be ready and we had to be very diligent about watching how the ransomware is evolving itself in regards to its coding.

Joseph Carson:
We have to stay on top of that so we know what to expect in the future. Otherwise we'll get into another situation where maybe there is no kill a chain in it. We have to be really diligent about when those stories do happen, that how it spreads and how it impacts. We have to be prepared. We can't just be sitting by and waiting for it. We have to be basically ... And that means intelligence gathering.

Joseph Carson:
That means the agencies really do have to be infiltrating these organizations so we can prepare and hopefully prevent it from happening in the first place, preventing from be able to create it and distribute it, we can actually get it at the source and stop it from actually getting out

Dan Lohrmann:
One friend of mine, a CSO from a large state, was saying we've been very fortunate in these incidents, which essentially a war that most people aren't using right now, because you pay 11 million or you pay 5 million in Bitcoin. In the grand scheme of things, it's not a lot of money, but what if ransomware... Again, we get back to this question that we talked about last time, the motives and intentions.

Dan Lohrmann:
If it's just about money and criminals and that, that's one thing. What if it fell in the hands of terrorists who didn't really... It wasn't about money. It's about bringing down the grid or causing harm, or I'm not going to give you the key. You're not going to recover. The intention is not just about, I don't care if you offer me 100 million dollars, I'm not going to do this. My goal is to bring down the banking system. My goal is-

Joseph Carson:
To harm.

Dan Lohrmann:
... to bring down the electric grid. The intention in North Korea, or I don't know who, somebody, a terrorist organization, it's not a money motive. I think that's I think the fear that no one's really talking about publicly right now because most of these people, it's like there's been a dollar figure. We negotiate the price. We offer 50. We could settle for 11, yada, yada yada.

Dan Lohrmann:
It's, I want my child back. Here's the money, and you get your child back, but that's not where it may go. It's hard to know where it's going in the future. I think people will realize that it could be even worse and it's probably going to get worse before it gets better. Although I personally believe one thing optimistically; I think in the short term, we're going to have a little bit of a detente with the big players to see how this plays with Russia.

Dan Lohrmann:
Whether it holds me in the long-term, I'm less optimistic about, but I think that maybe they take a step back from the line and send the boys off to the beach for a little while. I don't know. We'll see. We'll see. We'll see what happens, but I do think that it's a growing issue. We'll probably be talking about this again in a future show.

Mike Gruen:
Yeah. My final thought was actually pretty similar to Dan's but maybe much, much darker, which is, if I'm Iran or North Korea or any of these other countries, why am I putting money into a nuclear program at this point? I should be putting my money into a hacking program. That's the...

Joseph Carson:
And that's what China's doing.

Mike Gruen:
I'm sure they are. I'm not naive to think that they're not trying to do both, but it's scary when you start thinking about it from an ideology perspective and not just a criminal perspective.

Joseph Carson:
Absolutely. If you look at some of the countries that is investing in cyber and China is definitely one of the biggest ones that probably out of investment in security and cyber, China is probably up there in the top, at least top three. When you see where countries are investing, that's where you have to be worried and looking at, is what's the implications of that in the future? So I agree. Hopefully that this is a starting point for the turning of ransomware, and it'll be able to find a good global cooperation.

Joseph Carson:
Because my view is that no country can win this alone. This is not something that you'll win alone as a single country, and therefore it means that we have that strong cooperation. I think the recent summit is a starting point. I think having discussions and having open communication with Russia is a starting point. I think that's things that do have the happen. Hopefully it's a positive direction in the future. It's not to say that we will not see ransomware victims in the near future. It will happen.

Joseph Carson:
These criminal gangs want to make money, and I think, Dan, you're also right, motivation, money. That's why we'll see, continue to see them in the near future. But hopefully we will get to a place where there's actually fewer places that countries will give them safe havens to operate from, and it will actually then become much more difficult from the money perspective and also that they will be convicted and brought to justice and that there will be less places, free places in the world for them to enjoy their luxury from their reward.

Joseph Carson:
Hopefully everyone ... Hopefully it's been educational and enjoyable. Definitely, Dan, it's awesome having you back on the show again. I'm pretty sure I'm hoping this isn't the third prediction come true, that it does become much more of a terrorism weapon. I hope that's... Let's say I'm hoping our intelligence and agencies ...

Dan Lohrmann:
That was from a wise ...who said that. I'm not going to name him. We'll throw him under the bus, but yeah.

Joseph Carson:
Let's hope that the agencies are let's say advanced enough to stop those from actually turning into reality. And so, definitely for our defensive capabilities and offensive. I hope that that's something that we haven't topped off and we have great people to defend and to protect countries around the world. Again, awesome having you on the show. For the audience, definitely hopefully if you do basically have a security program, make sure that ransomware is one of your top basically threat priorities to reduce the risk and become as resilient as possible.

Joseph Carson:
I look forward to having you. Come listen to the show every two weeks. This is 401 Access Denied. It's a bi-weekly podcast, and we're always bringing the latest news, top information, educational awareness to you, so hopefully you enjoy listening. See you as soon and stay safe. Thank you.

Speaker 5:
Learn how your team can get a free trial of Cybrary for Business by going to www.cybrary.it/business. This podcast is also brought to you by Thycotic, the leader in Privileged Access Management. To learn more, visit www.thycotic.com.