Season 3 / Episode 145
Last month, in November of 2021, Cybereason - our show’s sponsor - released a special report titled: “Organizations at Risk: Ransomware Attackers Don’t Take Holidays”, focusing on the threat of ransomware attacks during weekends and holidays. Nate Nelson, our Sr. producer, talked with Ken Westin, Cybereason’s Director of Security Strategy, about why attackers love holidays and weekends, and why ransomware attacks during these times are so effective and dangerous.
The report's URL:
https://www.cybereason.com/blog/cybereason-research-finds-organizations-unprepared-for-ransomware-attacks-on-weekends-and-holidays
Hosted By
Ran Levi
Exec. Editor at PI Media
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, which has over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Special Guest
Ken Westin
Director of Security Strategy @ Cybereason
Ken has won awards and honors from MIT, Oregon Tech Awards, CTIA, SXSW and was named in Entrepreneur Magazine's "100 Brilliant Companies" and the Business Journal's "Forty Under 40". His work has been featured in Wired, Forbes, New York Times, The Economist, Good Morning America and Dateline NBC and many others. He is regularly consulted as a subject matter expert in security, privacy, and surveillance technologies.
Episode Transcript:
Transcription edited by Craig Zorn
[Ran] Hi, and welcome to Cybereason’s Malicious Life B-Sides, I’m Ran Levi. Imagine this: it’s Christmas and your family is celebrating the holiday. Maybe it’s snowing outside, but the house is warm and cozy. The kids are joyfully opening their presents, while you and your spouse are sitting on the sofa, maybe enjoying some hot spicy wine. And then your phone rings.
[Cellphone Rings]
[Ran] Hello? It’s the CEO. Damn, a phone call from the CEO on Christmas? That can’t be good. And it isn’t. Five minutes later, you kiss the kids goodbye as you leave the house, rushing back to the office to handle a ransomware attack. There goes the holiday.
The scenario I’ve described is much more common than we usually think it is. Last month, in November of 2021, Cybereason, our show’s sponsor, released a special report titled “Organizations at Risk: Ransomware Attackers Don’t Take Holidays”, a report focusing on the threat of ransomware attacks during weekends and holidays. According to that research, 86% of responders said they missed a holiday or a weekend activity because of a ransomware attack.
Here’s a real-world example from just a few months back. Kaseya is an IT solutions company catering mainly to managed service providers, MSPs for short, that is, its customers are themselves companies that provide IT management services to other smaller businesses. On July 2, 2021, just two days before Independence Day, Kaseya’s network was breached, probably via a vulnerable web interface. The attackers, the notorious REvil group, used the breach to push an automated, fake and malicious software update to Kaseya’s customers.
Kaseya’s incident response team shut down the company’s servers and pulled its data centers offline, but they were too late. An estimated 800 to 1,500 small to medium-sized businesses downstream were hit by the ransomware. For example, a supermarket chain in Sweden was forced to close 800 of its stores since the cash registers were disabled. Kaseya’s CEO said in an interview quote, “We have about 150 people that have slept probably a grand total of four hours in the last two days, literally, and that will continue until everything is as perfect as can be”. Not a great way to spend the 4th of July holiday, I guess. So with the holidays just around the corner, we’re dedicating this B-side episode to Cyber Reason’s report.
Nate Nelson, our senior producer, talked with Ken Westin, Cybereason’s Director of Security Strategy, about why attackers love holidays and weekends, and why ransomware attacks during these times are so effective and dangerous. The report itself is available on Cybereason’s blog, and we’ll add a link to it in this episode’s post on our website, malicious.life. Enjoy the interview.
—
[Ken] My name is Ken Westin. I am a Director of Security Strategy here at Cybereason.
[Nate] First question, why do hackers like holidays?
[Ken] Well, hackers are always trying to go after the easy targets, right? So they realize that on the holidays, that’s when a lot of the companies they’re trying to target have skeleton crews. It’s also when they’re most likely to actually evade detections. There is an actual issue, too: it’s going to take these organizations a lot longer to respond. Particularly around the Christmas holidays, it’s a great time to target folks because a lot of times they’re not paying attention. They’re really distracted with the holidays, you know, gift buying. That just makes folks an easier target.
[Nate] And what major cyber attacks that we know of occurred over some kind of holiday break?
[Ken] A really good example would be with Kaseya, for example, which happened over the Fourth of July weekend. There’s been a number of these types of cases where the organizations that are targeting the criminal organizations that are targeting these companies, they’ve actually gained their foothold well before the holiday. So they actually get their foothold in, they establish persistence, they do some of the reconnaissance that they’re going to need to do. They’ll start to build some of the tools that they’re going to want to do for their attack, and then they’re going to wait. And they’ll wait for these holidays when they know there’s going to be a skeleton crew. Sometimes they may even have access to what the staffing might look like, they may have access to emails, so they’ll have an idea of who’s going to be working, who’s not going to be working in some cases. But this is where they really understand, especially if we look at like Kaseya and things like that, when we look at supply chain, where they’re actually looking at when code gets compiled, they know when to actually initiate some of these particular attacks.
[Nate] All right, so tell me now about the research that you just completed.
[Ken] So we conducted a research study where we asked organizations that have been hit with ransomware. So in order for you to actually participate in the survey, you would have to have actually been hit with ransomware, particularly around the holidays. So we actually found that 49% said that they really didn’t have any sort of security solution in place to actually block the ransomware. Whereas 67% indicated that they didn’t have sort of next level or next-gen antivirus that actually looks at behaviors. Only 46% said they had traditional signature-based detections, like your sort of commoditized antivirus, and 36% said they had EDR, which is really troubling because that means that they’re not going to be able to actually respond. I see this all the time where the SIEM will get lit up telling them that they have ransomware that’s hitting their endpoints. But what I usually say is if it’s the SIEM that’s telling you that and not the endpoint, it’s usually going to be way too late. That attack has already been detonated, a number of systems have already been encrypted, and if you’re not able to actually respond, you’re not going to be able to actually stop that particular outbreak within the organization.
One thing that was really surprising too was that a lot of times when folks have responded to incidents over the holidays, particularly around Christmas, folks admitted that they have actually had something to drink. That was really surprising. It was over 70% of respondents who had said that. So I think that’s important to realize, particularly as we head into this holiday season where staffing is already an issue, we already have staffing shortages. So we’re going to have a lot of folks that are going to be off, but they might be on call and there might be an incident. And that can actually have an impact with regards to their decision-making capabilities when they’re going to respond to some of these incidents. So this is something organizations really need to be conscious of.
[Nate] I keep thinking that the obvious thing to do to solve these problems is to have employees on the job over the holidays. But of course you can’t force people to be at work during Christmas nor would we want to. So what can companies and people reasonably do to protect themselves if not that?
[Ken] The best time to prepare for this holiday season would be last year. I think that’s one of the challenges here is that it takes a lot of time to get the tooling up. Many organizations are taking advantage of automation. I think that’s really key, whether it’s through a SOAR platform or sometimes it’s just the IT admin, the security analyst actually writing scripts and things like that to automate a lot of the tasks. But you haven’t been able to prepare over the year. You haven’t been able to start to automate some of these tasks. A lot of times some organizations will be leveraging an MDR, so a managed detection and response firm. For example, with our MDR team, we’re actually ramping up our staffing for the holidays to kind of help offset some of the staffing shortage we may see with some of our customers. So leveraging an MDR is not something you’re going to be able to do within the next few weeks. However, identifying vulnerabilities within the environment, that is something that can be done. Ensuring the systems are patched. Sometimes there are some challenges too, because a lot of times organizations are heading into sort of a code freeze where no additional configurations or anything can be done just before the holidays to try to help mitigate some of the downtime and things like that.
So what organizations can do though is start to actually maybe tabletop exercise, you know, if there is going to be an issue, who’s going to be on deck for this, sort of establishing sort of a game plan. So kind of tabletop this out to see if we are hit, you know, who’s the kind of the first person that we need to contact? Who is the contact going to be for legal if that needs to happen? Like if there’s a ransomware outbreak or something like that. And also, you know, not just in the security team, but also ensure that the IT teams are aware and that there’s a plan there, and as well as communication in case there is an incident.
[Nate] Okay, but how effective are those tabletop exercises? Because you never really know what kinds of hackers you’re dealing with, what their capabilities are until you have to face them, right?
[Ken] Right. Well, one of the challenges, I think even in the, you know, as a vendor, we tend to focus a lot on the technology and we talk a lot about the advantage of the technology. But what we do forget is that there’s two other legs of the stool, and that’s process and people. And so I think those are two really critical aspects and those are things that can be implemented now, right? So on the people side of it, in the communications, those are where a lot of times when there is an incident, that’s where things kind of get caught up in the axle. Things get slowed down because there’s an incident, they don’t know who to contact, they don’t know who’s responsible for this particular business asset, they can’t get a hold of someone, all these sorts of things that those issues really kind of slow down the response process. So establishing those sort of clear lines of communication, sort of a game plan, if you will, with regards to what’s going to happen if there is an incident.
[Nate] So we understand now that hackers like to target holidays for all the reasons we’ve been discussing. Has it always been like this throughout cyber history or do you think as hackers, you know, learn how to better attack people with ransomware and advance their capabilities, this is just one of those more recent things that we’ve just started to discover?
[Ken] I think that there was always a little bit of this, but I think it’s really become much more strategic on the attacker side. We’re starting to see these attackers become much more well resourced. I think ransomware is sort of to blame there, it’s become a bit of a gold rush where, you know, you even see REvil who said that they’ve netted over $100 million in revenue. That’s as much as a startup, right? And they’re actually running these like a startup or a good software company.
And with that, they understand their audience. They know what their schedules are going to look like. A lot of times they may even have a better understanding of your infrastructure than you do. They may have a better understanding of your business and your business processes than even the CEO. And that is something that should scare organizations. And that’s where I think a lot of this is coming from is that it’s not like these organizations are going to initiate their attacks now. They’re not going to be doing it during the holidays. A lot of times they’ve already established the foothold within these organizations. They’ve already done the reconnaissance, they already know what tools they have to circumvent. Many times they’ve already escalated their privileges and they’ve expanded within the organization. They’ve also established persistence so that if, you know, they do get blocked by the like the firewall or the connection gets disconnected, they still are able to operate within the environment. Or even seeing some of the malware be sort of self-aware, if it does get disconnected, it still knows to go and crawl through the organization and try to make additional connections out to establish that persistence. So we’re getting into a situation where it’s much more sophisticated, not just on the technology side, but also on the people and process side when it comes to your adversaries. And so we need to plan accordingly.
[Nate] I imagine that when some people out there hear what you just said, their first thought is going to be, oh crap, maybe this has happened to me and I just don’t know it yet. So what can, say, a business owner do if they are worried of or suspect that someone may have already intruded on their network and may strike during the break? Is there anything that could be done between now and when that event would occur?
[Ken] I think it’s about changing mindset. A lot of times people are focused on the prevention side. They’re focused on the signatures and the firewalls and the boundary defenses, but they don’t take the assumption of what if the evil’s already inside the environment? What if the phone call’s coming from inside the house? That’s where I’m a huge advocate for threat hunting. I’ve worked with a number of organizations, huge financial institutions, building out threat hunting programs. The whole tenet of threat hunting is assuming breach, assume that you’ve already been compromised.
How would you go about finding evil within your environment? That’s very different than your traditional detection rules and relying on sensors and things like that on the endpoint. It’s actually looking across multiple data sources to identify a particular anomaly or something that’s not right within the environment. Some of that can also be done leveraging machine learning. Artificial intelligence was sort of, I think they were a little overzealous in some of the marketing. A lot of the security vendors were like, AI is going to solve all your problems. But I feel like the machine learning aspect, which is actually what’s being utilized in the security space, which is a tool within the artificial intelligence arsenal, is incredibly useful for these types of use cases where you’re looking across huge, massive data sets.
You’re trying to identify what’s normal within the environment. Machine learning allows you to establish those baselines of behavior, but it also can look at correlation. You can actually correlate and look across different sources, and you can actually do peer analysis to where, hey, these groups of assets, they look like they’re all folks that are in HR. They usually access these types of applications, and all of a sudden we have an anomaly where this person tried to access a portal that they didn’t have access to. To me, that would be an anomaly, and that would help me to maybe start to develop a hypothesis that maybe that particular account is compromised, and then I may do a pivot to look at what other behavior is within that account, what other systems does that particular user account access. Then I might be able to build out that, hey, this particular account is compromised. I may reset the password or do a further investigation.
The biggest thing is that threat hunting is also looking across your different assets and things like that. One thing I’ve seen a lot more, particularly at Cybereason, I see it with how we approach our ML. We’re not just looking at individual endpoints, but we’re looking across endpoints. That’s like looking for an earthquake, looking for a tremor to predict something before it actually happens. If you can catch some of these types of incidents before they become a huge problem for the organization, and you can actually mitigate that threat, a lot of times you can avoid a breach. You maybe have a few files that get encrypted, but you can roll those back, you can actually maybe stop some of these attacks before you become front page news of the Wall Street Journal.
[Nate] I’m just curious, how many people do you think would suffice for, say, a large company to have a skeleton crew that can keep up if such an event occurs? Do you need a few people? Do you need a few dozen people? Or are those more passive systems that operate on their own, the machine-driven, sufficient?
[Ken] That’s a tricky question because it really depends on the organization, it really depends on the industry, the vertical, the size of the organization, what they’re trying to protect. But one thing I have seen is actually a lot of SOCs, like the financial institutions, they’re not actually going to a skeleton crew. In some cases, they’re actually ramping up their folks that are going to be working. So what that means with the staffing shortages and things like that is that oftentimes they’re going to be overworked, which is a whole other side of the coin, right? You have folks that maybe they’re upset, they have to work on Christmas, and they’ve already been working long hours. And if there is an incident, they’re going to have to work even longer hours. So they’re not going to be basically operating at their full capacity.
But smaller businesses, or even some industries like in maybe healthcare, or I think like transportation, which we’ve actually seen some of these ransomware groups kind of ramping up to target some of these, they’re going to have folks that are going to be off. They’re not going to have the crews that are going to be there in the SOC, or they may be working part time, they may be working from home and things like that. But usually I would say that they’re probably operating within probably a 45% capacity across the board.
[Nate] Okay, so let’s assume that the worst occurs and something very bad happens over the holiday break. What can companies do? What do you recommend for mediating the situation, as Sam Curry, one of our past interview guests, likes to say, right of bang, after the attack occurs, to mitigate the amount of damage that could be caused from it?
[Ken] You know, one of the challenges we do see with this is if there is an incident in the survey, 50% of the folks said that, you know, it’s going to take them a lot longer to respond or even stop that attack. So that’s a bit of a challenge. So you know, prevention is going to be critically important. You know, if you have various policies trying to escalate some of that, maybe even make things a little bit more paranoid than normal. But for the most part, I think the most important thing is just be vigilant and observe what’s happening within your environment. You may already have your sensors set up, your tooling, but really have that set up and pay attention.
[Nate] So Ken, do you have any parting thought that you could leave with listeners?
[Ken] One thing is, you know, if you are in a company and you do have your defenders within the organization, you know, I think that’s one thing is that a lot of folks don’t realize how many hours that they’re putting in. In a lot of cases, we’ve actually seen that like 86% of the respondents in our survey, actually, they saw that, you know, they actually missed a holiday or a weekend because of a ransomware attack, for example. I think just being able to have a little bit of empathy for the folks that are working in the security space, because particularly over like the Thanksgiving holiday, right, a lot of these folks were working hard. While, you know, everyone else is having a nice dinner with their families and things like that, you have your cyber defenders who are sort of on the front lines and, you know, they’re not getting that break. So I think having a little bit of empathy for the folks that are working in the security field is good. So if you have someone that’s a security analyst, you know, give them a big hug.
[Nate] Actually one last thing. Is there maybe one action item you could give to folks out there who may not have been fully prepared for this holiday season, like one thing that they could do to be slightly better off than they might otherwise be?
[Ken] Yeah, I mean, it might be a little too late for, you know, any sort of silver bullet of what you’re going to do to prevent any of this stuff. But I think with that, maybe the best time to start planning for next year is now. So actually looking at how you can improve your security posture for next year, identify any sort of security incidents or challenges that you do have this year. Make sure that after the holidays that you do conduct a postmortem. Identify what failed in the technology side. How can we improve our processes? What can we do to maybe help on the people side as well? Are there more things that we can automate? Maybe we need to ramp up our hiring for next year. Are we anticipating additional traffic next year? All these sorts of things should go into a sort of a postmortem. So then you can feed this back into the system so that you’re much more secure next year.