Cyber Crime Junkies

How Ransomware Can Kill. Ways To Build Security Resilience.

Cyber Crime Junkies. Host David Mauro. Season 5 Episode 33

We discuss How ransomware can kill and ways to build security resilience with Chris Loehr, SVP of Solis Security. 

Send us a text

Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-446

Get peace of mind. Get Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com  
 
Imagine setting yourself apart from the competition because your organization is always secure, always available, and always ahead of the curve. That’s NetGain Technologies – your total one source for cybersecurity, IT support, and technology planning.

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!

How Ransomware Can Kill. Ways To Build Security Resilience.

 We discuss How ransomware can kill and ways to build security resilience with Chris Loehr, SVP of Solis Security. 


Topics: how ransomware can kill, how to respond to ransomware attacks, ways to build security resilience, RANSOMWARE, INCIDIENT RESPONSE, CYBERSECURITY, how to build security resilience, how ransomware can kill, behind scenes cyber criminals, best cybersecurity practices for business, how ransomware kills in real life, how to limit cyber liability, importance of visibility into operational risk, Chris Loehr, Solis security, new ways to limit cyber liability, newest ransomware alerts, supply chain changes in cyber security today


Chapters

00:00    Introduction and Overview

01:51     Chris Lair's Role at Solace and Curie

03:05    The Evolving Threat Landscape of Ransomware Attacks

08:51    The Importance of Practicing and Testing Response Plans

22:14    The Relationship Between Compliance and Security

26:20    Duration of Criminal Adversaries Inside a Network

28:02    Types of Attacks and Dwell Times

28:55    Importance of Data Security

31:13     Challenges of Incident Response

39:59    Cybersecurity Insurance Industry

43:28    Top Recommendations for Best Practices

 

Dino Mauro (00:10.818)
Hey, welcome everybody. I am David Mauro host of CYBER CRIME JUNKIES PODCAST Welcome to the show. We're I'm excited about today's topic in today's discussion. We're to be talking about how to prepare for a data breach incident response from one of the leaders in the industry. We're joined by executive vice president CTO at SOLIS SECURITY Chris Loehr Chris is a brilliant human and a solid guy who also currently serves as

in the role at at Sallison Curie, CFC response, which is a division of CFC underwriting. We'll get into that. He oversees a team of cybersecurity professionals where they handle the firm's incident response and as a whole host of mentoring collaboration with small mid -sized businesses and enterprise organizations across the country. Chris, welcome, sir.

I appreciate being here. It's fantastic opportunity to talk to you guys and your audience. Yeah, we're really excited. a fee, can follow you around and do that same introduction every time you walk in a room. Yeah, I can walk into every meeting. You could just have me on Zoom. I'll just pop in, do that and go, and now Chris Loehr I just need some theme music to go with that. Right. I know. We've got it. It's on a button right here. So that's fine.

So our audience is mixed, right? We've got business owners, we've got people in cybersecurity field, IT, we've got people that are a lot of entrepreneurs, lot of brand experts, marketing. So our audience is all over the place. So what I like to do is kind of explain your role. And when you need to use acronyms and things like that, I'm just going to ask you to just explain it in English for us, right? Is that fair? No, that's the way I do it anyway. yeah, I figured.

I figured. So tell us about your current role. What do you do? And then let's back into kind of how you got there. Yeah. So my current role is I wear a number of hats with Salah. So just to come in. Yeah. So Salah's, you know, half our security, half our business is incident response and half our business is cyber security. So we started doing cyber security for banks 20 years ago and that's all we did. You know, back then it was information security and

Dino Mauro (02:30.497)
a lot of the terms that we use today, fancy terms we didn't have back then. But back then the banks were kind of forced to do security, right? They actually had regulations. Yeah, in terms of all the verticals, right? We see healthcare catching up. Legal is still way behind in a lot of spots. But the banks have been leading the way.

And I've always told people, even if you're not a bank, if you want to reference an industry that's had to do it and do it for a long time, reference the banks. Their regulations and guidance is really good. So anyway, so our instant response business, you know, it's about four to five years we did that. We just kind of stepped into it. had a, I was at a peer group meeting. There was a friend of mine. They had a particular case, ransomware case. just called him out of the blue and he said, Hey, we don't do this. you? And we said, sure.

And we worked that case and it just happened that that particular case had an insurance policy. And behind that insurance policy was a company called CFC and they let us do the work and they like the relationship grew. yeah. Yeah, exactly. Very quickly. So they were like, Hey, you want to take on everything? And we said, sure. And so we quickly did that. And so since then, I have,

had a lot of focus on the incident response side. And I had the team that reports to me out of that group is the business resumption team. And in layman's terms, it's kind of the first responders when somebody gets hit and usually it's a ransomware attack. So, that's what we do. And that's so around the clock, seven days a week. It's crazy. Yeah. And so in a typical scenario now, an organization gets struck live by ransomware. You know, we recently,

spoke with Robert Siaffi who was telling us about his mass. He was part of the massive ransomware. He owns an MSP as you know, you know him and yeah, exactly. And he was telling us how literally he was trying to communicate with some clients during the attack and saw his files be encrypted and go white like live. so when, when that happens, you saw a security as somebody that they can call now.

Dino Mauro (04:50.113)
generally when they call their insurer, they will have somebody that either has cell security or somebody like you guys, right? That is, that is usually correct. Yeah. So most care, there's two ways it kind of works. the carriers themselves, they usually have some method of contacting them, you know, it could be through a website, could be through a web app or a phone number. Sometimes your first call may be a law firm. And then that law firm will engage an incident response firm that they have a relationship with that the insurance carrier is approved.

Or like in our case, in other carriers, the incident response firm calls you first, determines whether or not, you know, what's going on, you know, what the, what the impact is, what kind of degree, and then we bring the law firm in. So that's, that's pretty much the two use cases that can happen. And if you have cyber insurance, it's a good idea to find out how that works at a high level because you don't want to find it out in the middle of a fire. Yeah, that's exactly right. We were talking to,

Lester Chang, was in head of security over at BMO Bank, and he was saying how like to build operational resilience, there's like, practice that, right? Go through least annually, go through, and because if you have policies, that's great, but until it hits the fan, you're not going to be able, you're not going to know, it's almost like a living racy document, right? You're not going to know who needs to.

be aware of something you're going to make errors, right? And it could really cost you. And so doing that. It is as important. And when I talk about this or when I conduct or facilitate tests as well, what we try to do is instead of just running through like a, you know, a monotone script of a scenario and getting it done in 15 minutes, you know, we try to add as many elements into that to determine whether or not the people that are filling those roles,

are the right people during that time. mean, you could have a person that's perfectly cool, calm, you know, during the normal work day, but when they're put in a pressure situation, you may have never seen how that person reacts. And the last thing you want to do is put somebody like that in a critical role in a disaster or incident response situation, and they just flake out or get upset or, you know, teamwork is super key at that point. So really going through the rehearsal is more than just not knowing the stats, but just knowing the people and knowing, hey, do I have the right people in the right seats?

Dino Mauro (07:11.521)
during an incident situation. That's a great point because I think a lot of times organizations overlook that aspect. Like the person can be completely qualified, have the right skill set.

but you don't know how they're going to execute giving the scenario that they're in until you put them in that scenario. So that's a really great piece. I'm glad you shared that. Yeah. And especially not to, I mean, pick on them is if you have, you saw, especially in the small business world, you have, you know, usually single owners and those people, their business life and their life flashes before their eyes when these things happen. mean, they immediately see the bad that could happen out of this. Their business could close down. They may have to lay off.

I mean, there's a number of different things that could be the outcome of one of these attacks. And they usually are the ones that freak out the most. It's amazing. And what I usually say is the first 24 hours after one of these events, it's pretty calm. People are pretty cool. But it's after that first day, of these things set in. And that's where you start to really see those emotions boil up. a lot of times, they take it out on the lawyers or ourselves, which

you know, we didn't put them in that situation. We're trying to help them get out of the situation. So it gets really, really difficult in certain times. mean, I'm not going to say it's every time, but in certain times you really have to deal more with emotions than you ever thought you would have to in these types of situations. Yeah. And it's a tricky scenario if you want to test how somebody does under the time of crisis and severe pressure, right? If you don't practice that,

ahead of time, right? You're really not going to know. Are you finding when you go and you get in that scenario, are you finding organizations that are well equipped and prepared or is it what most people assume? That's what most people assume. Right. So it's interesting because they've of ransomware, they've never really practiced what do we actually do? I have a lawyer, I have an insurance policy.

Dino Mauro (09:19.627)
I'll find that in my file drawer on my PC and call them whoever I'm supposed to call. If that ever happens, they won't hit me. I work in Kansas. Don't worry about it. I'm too small. Right? It's absolutely not true. No, it's absolutely not true. Or, you know, I would say a couple of years ago, the attitude overall was it'll never happen to me. I would say these days that more people now know of someone that has been hit. So at least it's a little better.

But they, you know, so they are somewhat prepared. It's interesting because, you know, we talked about knowing if you have one of these situations who to call and how that kind of process works. We do have policyholders that will call us ahead of time and go, Hey, you know, we really kind of want to understand this. Do you mind getting on the phone and talking us through this, you know, so we can update our plan? Definitely. You know, we'll spend 15 to 30 minutes.

to do that and guess what those people never call clean because they're incredibly prepared and it's the sign of their maturity. So that but most of the time it's not the case. This is their their first, you know, sent a cyber incident and usually it's a bad one. Typically, they're not a minor. It's full blown. You're down dead in the water. What are you going to do type situation and they they're not prepared at all. And if we do find somebody with a plan.

That plan is not reflective of anything that you would do in reality. My personal experience, Chris, has been that ransomware has gotten, and I'm basing this based on conversations with organizations that have gone through ransomware attacks, that the extent and harm that it causes in the last year or two is exponentially worse than it was five years ago.

Is that, is that because of the evolution of the ransomware gangs? There was lock bit 1 .0 now there's lock at 3 .0. Like it's getting more harmful or are you not seeing that it's always been bad? No, it is definitely worse in my opinion in, in different degrees, right? You're seeing more. So when we first started this, there wasn't necessarily a particular type of victim. mean, back even back then small, medium sized large didn't matter.

Dino Mauro (11:36.085)
nonprofit profit, they could care less what business or whatever you're in. If you were a charity and just basically doing everything you can to stay afloat, to do the things that you're supposed to do from a charity perspective, they didn't care. So we've always seen that kind of attitude. think what we have seen is more organization around these groups kind of behind this, more sophistication just with their processes and tools. I mean, these groups recruit people.

They buy tools, they do a number of different things, but I think the marketplace, if you want to call it that, that's this criminal marketplace behind all these things where people are going out stealing credentials and then trying to figure out if they can access a particular network and then turning around, packaging that up and selling it to these groups and they're buying it and going and doing their thing with it, whether it's just going in and stealing data or stealing data and encrypting or whatever attack they're doing, there's just a ton of money.

You know, the phrase I always use, it's the highest reward, lowest risk business you can be in from a criminal perspective because the chances of them actually figuring out who you are and then finding you and then extraditing you and then indicting you and you serve in any kind of meaningful time with the way the laws are written. I mean, why not? If you can make six, seven figures in an attack and not get caught, hey, keep it up. It's easier and better than robbing a convenience store.

Right. Yeah. And, and speaking with people that are affiliates in those ransomware gangs on the dark web, like we've done, or speaking with people that are regular contact with them, it's, there are rules of engagement, right? If they live in a country that doesn't really have extradition in the United States, so long as they don't go after organizations that are tied to that country, they're left alone, right? And it's just about making money. And when we talk money, we're not talking a new car or a new house even.

Right. We're talking buy an island type. I mean, it's people behind those groups are amassing a lot of money. And I've always said it even before the Russian Ukraine conflict and people ask questions. It's like, if you're Russia, let's just, you know, not all these people emanate out of Russia, but let's just say for the, for the argument, say they do for the majority of them do. I mean, if you're Russia,

Dino Mauro (13:52.203)
You have this massive amount of money being transferred out of the United States and other Western countries into Russia. I mean, why are you going to upset that? Right? You're going to. That's great. mean, that's revenue coming in my country that's turning into tax revenue, usually somehow, some way. And so there's really no motivation with law enforcement over there to do much about it. They'll do it. In my opinion, in the past, prior to the conflict, I believe that there were some busts that were, I would call it

primarily symbolic. Like the R evil, like the R evil takedown. Yeah. camera, the lights, had a, you know, the microphone and the guy's space. a 60 minute episode. It's like they called 60 minutes ahead of time. Exactly right. And who knows that that person was low level, medium level. mean, that you never hear anything from that perspective. yeah, but you're right. do. Yeah. But I'll say that's a change. I will say that in the past,

The rules of engagement were better. they were like you, you know, don't know if that's in today's segment, but there was a, there was that children's, I think it was children's hospital, up in, up in Canada and lose lock bit 3 .0. Yeah. So that's an example where they're like, Hey, our bad, here's the decrypter. And they, you know, supposedly fired that affiliate that was in for most, what was an affiliate? Think of affiliate as like a, a contract.

Yeah, it's like an independent contractor salesperson. You go, you go, you eat what you kill. We'll give you a generous portion and they can make millions of dollars. Right. And we don't know you. You don't know us. We, so even if you get taken down, you don't even know who we are. And it's, it's, it's a phenomenal organized crime model. Right. mean, in terms of efficiency. it's, yeah. Some people

kind of chills at their back when I kind of talk about this because they think that I'm actually kind of giving these guys props. I'm not really giving them props. When we use the term organized, they are incredibly organized. mean, they have structure, organizational structure. They have a hierarchy. Like I mentioned earlier, they recruit people. They have campaigns to recruit people. Very similar. I tried to participate. Right. Lock the But 3 .0 has got

Dino Mauro (16:11.895)
tattoo contest. had to hold Mark back from participating. You got a thousand dollars and you got to become an affiliate. Yeah. Like he was like, think of the cool hat I can get, man. There would be like in the story I could tell. I'm like, don't, don't even get off the dark web and let's go to, let's go back to work. Close laptop and back away. So let's back up a little bit, Chris. Where, how did you get to where you are? Like when you were a kid, there, there wasn't cybersecurity. Like at least when I was a kid, there wasn't.

There was, know what There wasn't an internet. did you, how did you first get the taste for it? Like, well, when I was a kid, was so I, you know, back then you had modems and you could dial into places and mess with things. So you might be able to dial into back then sophistication was if their environmental controls were be able to be remote access from a modem. So you could dial in and turn the air conditioner way down and turn the heat up and do that type of stuff. Right. And you can only do so much with a modem. And that was the thing.

I mean, there were people doing other things like getting free long distance and all that kind of cool stuff. yeah. The, the freakers we've, we've spoken with a lot of people that got started doing that black box, blue bar. mean all those kinds of, right. Exactly. So I actually did, I had a BBS and all that kind of stuff and we're getting software, know, and that was, you know, zero day wears was the term, man, if you got that, you know, right. It take you at seven hours and download it, but you got it. And then, you know, really I kind of,

in high school, didn't do anything from a computer perspective that much. Right. I had a job and girlfriend and all that kind of crazy stuff. Right. And so when I got to college, though, as a business major and there was a attorney brother of mine that was two years older. That was in a degree called management of information systems in the business school. He told me about that because I didn't want to program. And I said, all right, I'll do that. That looks pretty cool. So I did that. And then when I got out of college, I went to work for a private company that's big at the time.

the largest privately held collections company, debt collections company started doing real estate collections and got into credit cards. Massive growth, but the he is now passed away, but the founder and CEO of that company, he was incredibly paranoid about security. And I mean, to the point where there were bug sweeps.

Dino Mauro (18:29.013)
our head of security. wow. Yeah. head of security was a guy who was retired for Physical security, paranoia. That's interesting. was incredibly paranoid. He didn't trust anybody, literally. I mean, you learn that in onboarding. you know, he didn't trust It's experience for going into the banking industry. That's exactly right. That thing shut down. That was a whole history lesson, probably. But anyway, then I got into the banking world. He wasn't the guy down in Kansas City, was he? No, he was in Tulsa. Tulsa. Okay.

Yeah. So he was told so, and so it's kind of weird cause that company was CFS. so were three CF acronyms are killing me, but yeah. So then I got into banking and that's where I got my taste of regular regulations. Right. But when I went to that bank, that bank had recently been acquired by a group that took it public. And at the same time, this group, the small group was going to then flip it. And, it was kind of their retirement.

They'd been in banking a long time, a number of them, and they said, we're going to get together. We're going to take this bank is a hundred year old bank. We're going to flip it. And it took a little bit longer, but during that process, we changed out everything in that bank, every application, pretty much everything infrastructure wise. did some acquisitions ourselves and everything, but then we got acquired by a larger regional bank. But, but anyway, that whole point set me up for security. So when I was at that bank, I met a gentleman by the name of Terry O 'Ring.

who worked for a company at the time called S one and S one is an online banking software company and IVR, a phone response, right? And they had started a managed security service practice in MSSP for bank. And, but then the .com bus kind of hit, they sold that book of business off to what is today secure works. And, Terry decided, Hey, I'm going to form my own company. And he came to me and, and, help actually helped him come up with this name.

And, from there we became a client and I was a client of his, from that bank prior to being acquired. And then after acquisition, we were a client and then I worked at that bank for a while, went over and worked over at us. So people that know of us, a, if you've been a member or even seen the commercials, those commercials, I'm not going to comment. They're terrible. anyway, but from a USA perspective, it's based in San Antonio where I'm at. That is.

Dino Mauro (20:53.875)
one of the most secure culture companies that you're ever going to be a part of. it's amazing. But it, but you walk in there. So everything like even getting on campus, you gotta show your driver's license. There's a sticker getting in the door. mean, they have, I mean, you can't tailgate anybody the way the systems work there. mean, it's incredibly secure, but when, but it's incredibly open once you get in there, meaning like it's a very positive culture, but from a security perspective, you know what you're supposed to do and you're not supposed to do.

And so what was interesting about the bank is the bank was very audit focused, regulatory just all the time. You know, by the time I was done at the bank, I think 70 to 80 % of my time I was reviewing reports and signing off on stuff instead of actually doing what I'd signed up to do, which was it. Right. But then when I got to usAA, I kind of saw the other side of it, how you can still get work done. And then in a very secure culture and it was, it was an amazing place.

I'm not going to underscore how amazing and I learned a lot there, but then as a good time to come over at solace and we were going through a period where banking was flat, the economy and changes shifts in the administration kind of put the end to people starting up banks and merging and acquisitions, all that kind of stuff. And so then I went to work for solace and that told you the rest of how we got an IR. So it's, it's a, it's a cool ride. It wasn't one of these things where I decided one day I was going to go get a

both assert and it and switch careers. It's always kind of been part of what I did. And now it's more, cause we don't do any type of IT work. We used to have an MSP, but when we were acquired by CFC a few years ago, we spun that off and then they got acquired and rolled up into a larger MSP. So, yes, we don't do any of that work anymore. So it's just security all the time. So it's fun. Excellent. Excellent. That's a phenomenal background. So

In the banking industry, compliance obviously is key, right? And the federal regulations, et cetera. So how does, there's always a discussion around how does compliance relate to security? Cause they're not the same whatsoever. They're interrelated, but what's your take on that? Like how do you explain the difference? Yeah. So you can be secure. And when I, when I always tell people,

Dino Mauro (23:18.633)
I was speaking to a number of agricultural consultants earlier this week about this. said, okay, one rule about security is if you put something in place, you need to make sure you have evidence and an audit trail behind it to prove that you have it. So if you kind of think of it that way from secure, you're making sure the place is secure, your assets are secure, your data is secure, whatever. And then kind of the compliance part is the evidence that you have it in place. Now it gets a little bit different.

depending on the industry you're in is from a compliance perspective, you may have to to articulate the way you do things in very specific terms. So if you're in healthcare, you're going to want to make sure that your policies and the things that you're doing and the things that you're writing fall in line and use the verbiage and vernacular that are in regulations around healthcare. Same thing goes with banks. You're going to use banking terminology and that stuff. And often you may get into companies that

fall in different industries. So you may have to have one report that looks is the same data, but it's presented two or three different ways to appease whatever you need from a compliance perspective. So that's the big deal. But the other thing, the thing about compliance is, is that you security may security may have its own compliance. At the same time, you may have other areas of the business that have compliance requirements that security is a part of. Right? So you may have, right.

HR, has a security component of it, right? So the bigger you get and the more complex your business gets, you, you know, obviously if you have one focus, that's easy, but when you start to have multiple focus focal areas, then you need to, then you may need to kind of change up your policies and stuff. But the real rule is, just be able to prove, do what you say you're going to do and be able to prove that you're doing it. And I mean, that's an incredibly important lesson. I learned that when I was at the bank.

We got into, you know, just when you get to a certain size, you start to have patent trolls come after you. And one of the things that really helped us was with policies. And when you would have the other parties' attorneys question you about policies, and you could show those policies, you could show a history of those policies being reviewed, and you could show the evidence that you were doing what you said you were doing with the policies, it was very hard for them. And believe me, they're going to try to find out.

Dino Mauro (25:41.759)
a crease, a crack or whatever they can. So that's the real rule. You can do all the right stuff in the world, but if you just don't have the paper trail behind it, when it comes time to prove it, you're going to face a losing battle. Absolutely. So compliance is the proof that you are implementing security policies and systems and tools, right? And you may do a lot more than what compliance requires.

So you rarely, because you can be, is it fair to say you can be sick? You can be compliant, but still not be securing your organization's exactly right. Yeah. Yeah, that's exactly right. I mean, you can take, I'll give you an example when NIST 853 came out for, and yes, the NIST for, for the people that, DOD contractors had handled, controlled unclassified information. That was a compliance deal.

There was, was, it was written from a security perspective, but if you, if you, you, I knew people, that were in that space and they could do things to check those boxes. And then from a security perspective, go, and that's not really, you know, but from a compliance perspective, they could check it. get, they could check the boxes. Right. Yeah. So it's rare that you could say, Hey, I'm this compliant.

And I am secure with a, with a industry regulation or something like that. mean, so yeah. And, then really in, in the course that you're seeing it over there with CMMC now is you want to be audited because you want to be proven. You want to be able to pass an audit time and time again. And if you have a good auditor, they're usually going to bring some benefits to the table and say, Hey, maybe you should do this, do that. You know, maybe next time you do this test, you should bring this other person in that type of stuff.

And so that's really where you're at when it comes to 3D compliance is doing the right thing. Is being able to continue to improve that going forward and continue to be honest. Yeah, so when you guys are doing IR and that's incident response coming in right of boom, right? Meaning after the incident has happened. What are you finding in terms of how long the criminal adversary? What a lot of people just.

Dino Mauro (28:04.205)
and they call hackers, right? But not all hackers are criminal adversaries. How long are they inside? Yeah, threat actors. How long are they usually inside a network undetected before people start noticing or detecting? And it's going to vary, I'm sure, based on what systems they have place.

The groups that are going after the big dollars usually are in there longer amounts of time. So it could be two weeks, it could be a month, you you could see it going longer. And sometimes you even see indications of maybe a prior smaller attack that was kind of what, knowledge was gained there was then turned over and sold to whomever that's doing the larger attack. Right. Selling the access to precipitate.

Another attack, a bigger attack. like IABs, like initial access brokers, people that go in, they don't intend or know how or want or have interest in executing the attack. They just wanted to crack in and they have that, they'll go and sell that on the dark web. We have access to ABC corporations. And for those out there, they actually have money back guarantees in a way. So if that access doesn't work, right. And they then have to return whatever funds were transferred to them.

You know, by the person that bought them. So again, kind of back to this kind of marketplace and the objective, the, the, the, the, the thing about time though, is we do see some groups that get in there very quickly. Right. And we see those types of attacks are like, we've seen these attacks where they just go in and encrypt hard drives. might use BitLocker. did in the past, there was a toolie and they never developed their own tool. They would use some off the shelf.

disk encryption through ransomware as a service, right? Right. they would just go in and encrypt your, encrypt your hard drives. So you can't get into Jack squat. They, you then have to buy whatever the BitLocker keys they set for you. Those guys, that's all they're after. They're just after the lock you up, get paid and get out. But these other guys, the lock bits and these, you know, play and all these other ransomware groups that are out there today, they're, they're,

Dino Mauro (30:22.477)
the amount of data they're taking, right? So it used to be they might take, you know, you know, some hundred, 200 megs, then it got to a couple of gigs, but you're starting to see in the, you know, a terabyte plus, I mean, they even cases have to pin plus terabytes of data. So that's going to take some time. So they're going after not only just, yeah. So they're going after not only the intellectual property, but as much customer information, employee data, everything so that they could blackmail.

The that's exactly what it is. The more and what's interesting about lock bit and this, this was this main news probably a month or two months ago, maybe it's so. when you're dealing with these threat actors, one of the things that you try to do is you say, okay, hey, they go, we took your data. You're like, prove it proof of life. And they would provide you samples of what they took or maybe a snapshot of a directory structure or something of that nature. But they came out and said, Hey, we're not going to do that anymore because they ran the statistics.

They probably had their numbers guy in the back and they were crunching numbers and they found out that the people who ask for the file listings and the proof are the ones that are least likely to pay. So they've taken a stance that we're no longer going to get proof of life. you so now you're not used to be a big, big deal for people to say, well, you know, I'm in this situation. What data did they get? that's meaningless data or my God, that's embarrassing data or whatever. Cause a lot of people miss out on

Hey, it's not just about credit card numbers and social security numbers. It's about data that can potentially embarrass you, embarrass you as a company, maybe as an individual. It could create a strife between customers or vendors or whatever you have contracts with. there's a lot of levers these guys use. And so having that proof of life helped make those decisions. But without it now, people are like, they have to kind of do their best to guess.

because you know back to the early like what do you see how well people are prepared? Right. We rarely get into an organization that's been hacked where they have like good logging in place because if you have good logging in place we can. You're able to spot anomalies right? You're able to see weird stuff people moving around the network that are unauthorized. Exactly we can say man somebody was in your network last Friday and they were in there for the last week and they were doing this stuff and this is exactly what server they were on so we know.

Dino Mauro (32:42.935)
Well, most of the time that doesn't exist. we have to use, we have to go with a more of a, a more difficult and arduous journey through forensics. And that takes time. There's no magic button. There's, you know, there's not something you just cut and paste in Google and gives you an answer. It just doesn't work that way. So that's the point is, is it takes some time. So if you're in these situations, you're not going to get a quick answer anymore. especially depending on what group that's hacked you.

you're not going to get a quick answer of what they took and then you just have to do it. So my point to people is one thing that people seem to still not focus on enough is data security. People just keep too much stuff. they keep ad hoc locations, right? They store it in a bunch of different places all over the place and we don't know all the vulnerabilities, there's shadow IT where people are bringing in.

devices connecting them to the network that the IT team doesn't even know about. Yeah. And it's, Or they, you know, somebody exports a list. mean, this one comes up a lot where like, you know, you know, our HR system, it's hosted. use, you know, role service or whatever, but then you just ask a simple question. what about 401k stuff? And they're like, and you're like, do you guys have like a spreadsheet that has everybody's information for 401k enrollment purposes? yeah, we do have that. Boom. Done.

And then a lot of times, and then they're like, well, we only have 35 employees. Well, how many employees have you had over the last 10 years where that data is in there? that's, that's hundreds. And that's in a small company. get into other situations and they find out they might have a spreadsheet. There are thousands of records, tens of thousands of records in one spreadsheet. And so back to your point with, with either it's, you know, we can argue shadow IT or we can argue just

capabilities in these platforms. You've made it real easy for people to export data and the crunch data and pull in Excel and do all that kind of stuff. Well, there's no management around that data. That data is going to come to bite you if those guys get ahold of it. Yeah. And what are you finding in smaller organizations? Are you finding, is there an issue that you see after the fact, after you guys get involved on, how they were off boarding former employees?

Dino Mauro (35:01.655)
Because when we are engaging with clients, especially in the SMB space, we find that there are hundreds of clients or former employees, we find that there are hundreds of former employees that their access still hasn't been turned off even after they've been terminated or left voluntarily. Are you guys seeing that too? Yeah, we definitely see. That's one of the first things when you get in there and if you just do like a quick just

glance at Active Director as an example. mean, just the, usually the number of accounts that haven't logged in in the last 90 days is greater than the number of accounts that have logged in. that's just employee stuff. And then you have just a bunch of other system or service accounts that have been there forever. And no one knows why that is. Right. I mean, we've, you know, it's no different whether you're just a ordinary Joe business or a technology business. I mean, we've seen it with technology providers too, where

There's accounts set up and they know it was set up for some particular reason. Five, six plus years ago, they just never did anything about it. They just left it alone. You know, maybe somebody glanced across it. It kind of comes back to that compliance piece, right? If you have pieces in place that you have normal reviews and you ensure that those reviews are done, you should be able to catch those things and deal with them. But no, I mean, it's interesting though, those number of those stale accounts, we don't see those stale account. I don't want to say they're not a risk. They're a huge risk. Don't get me wrong.

But we but obviously the bad guys find a an account of an active person through Fishing or whatever and they grab those credentials then once they get in Then they take advantage of maybe some of those other credentials are in there that have admin access and the same thing goes with You know platforms like Microsoft Office or Office 365 Microsoft 365 whatever you want call it Small organizations have the tendency to give everybody or a majority of people global access

It's incredible. And for whatever reason, yeah, we want to make sure they can reset a password or do whatever. And my gosh, that's, that's brutal because all it takes is one mailbox to get popped. And then the whole tenant is popped. And so yeah, it's, it's yeah, small business and account control, whether it's active directory. Yeah. And they're all interrelated, aren't they? Because we see, you know, poor security awareness training happen across the board. And then users have terrible password policies.

Dino Mauro (37:28.105)
So when they become a former employee, right, being able to compromise and they're in a couple other data breaches because of some app that they logged into or whatever and they use the same password, right, then those former employees, those passwords, those usernames, et cetera, could be used to get right into your organization. Yeah, and then once they have that, I mean, it's just too easy for them to move around the network. mean, that's the other thing we see is, and I mean, look, small companies,

you can get too small where this doesn't make any sense. But there's a point where, you know, the access is one thing, just cleaning up your data, getting rid of old data that you don't need. But the other part of it is you need to look at your network and understand if there's areas where you can segment things off, right? I mean, it's amazing how many networks, even larger ones, I mean, in the thousands where it's just one big giant, what we call a flat network. So once an attacker gets in there, it's easy for to go everywhere.

They just run a discovery tool that everybody, you know, it's just an open source download type discovery tool. They're not using anything fancy. They look around the network. They see, they see exactly a server that's called file server or files or FS or whatever. They know that's where they're to focus. And it makes it easy when you segment things, it makes that much and you just segment things correctly. It makes things a lot more difficult for them to do discovery and look around and poke around and that type of stuff. mean, virtualization is a great example.

we see where people have what, you know, the hypervisors, which is kind of the, the command or the management for all of your servers. that's just sits on the same network as everything else. So the attackers find that they get into those, they locked all the people that need access out of those hypervisors. So you can't even get into that to shut down a server, restart a server, whatever you need to do. And so, yeah, it's just people.

You know, I think when phone systems came out, people segmented for phone systems. They just left it alone. And 20 years later, no one's in the small side of things. Enterprise, they're taking it to the micro segmentation. Right. But so yes. And segmentation incredibly important today as well. People would just do that. be in a lot, make it a lot more difficult for these bad guys. Yeah, absolutely. And so outside of ransomware, are you seeing that when the attack doesn't involve ransomware that

Dino Mauro (39:53.453)
threat actors are inside a network for longer or for less time.

so if you take, just curious if you see any difference. Well, not. So there are some, there are some groups that just go in and take data. so would say, just sell it. Right. They just sell it. So they might be in there a little bit shorter of time because they're not worrying about the encryption part of the deal, but it's negligible. It's not that big of a difference. You know, I would say the majority of stuff, ransomware and email compromise cases. And obviously email compromise cases, those guys are just.

lean and mean. get in there and they make their connection and they pull down email and they're off to the races. So they're usually not in there that long. But we also see a number of website breaches where they either take over a website or they access a website to get into the back end. We've seen it where they're accessing a website and they pull everything down to then go create a fictitious form of that website to try to redirect people there.

And so it's on those particular situations, it's, it's, it's a little bit more difficult to ascertain what we call that dwell time, which is the time that they were in there for. but, but, answered it done fast about being in the longest, especially when you focus on data exfiltration, because all that they're trying to stay under the radar. And so the long there, the more data you can kind of slowly leak out and see no one's going to be on

computer, man the internet's slow right now. goes, my god somebody's actually trading data. Those guys are much better trained than that and so that's why they're in there for longer periods of time so they can sit under the radar do what they need to do and then when they're flip the switch and you're dead in the water. That's great. Hey as we wrap up Chris and I really appreciate this, give us some insight on the cybersecurity insurance industry right now.

Dino Mauro (41:51.839)
Is it, you know, we've, we've spoken to people that have said, that unlike several years ago, it is really hardened. It has gotten very difficult for small and mid -sized businesses to even obtain cybersecurity insurance. What are you seeing? Yeah, I would say that, you know, there was a period of time, depending on a particular industry you're in, it really, you size wasn't as important. I mean, size is important, but that's a certain, and I'm not a insurance.

underwriter or anything of that. I know enough of it to kind of speak to it to a certain extent. You know, a lot of it was really kind of came down to the industry that you're in, you know, the size, right? So if you're a certain, you know, because there was sometimes where you might be bigger than they want to write, right? Your revenue size might be to a certain degree where you're too big to write, you're too small to write. So you fit the sweet spot in the middle. Yeah. And the insurance side for, you know, before all this stuff,

Really start popping. mean, they were selling policies and things were going good. Claims were there, but the premiums keep being paid. You know that it's a it's a business, right? And everybody was happy when you start seeing these larger scale attacks in the damages. And then you also have seen laws kick in that require even more legal work and notifications. And there's a lot of expense with notifying people that have been compromised. Yeah, you start to see the insurance carriers say, hey, look, we're going to we're going to

dig deeper now and we're going to look at things a little bit more closely and we are going to not just be so lax when we're writing policies and then hey we're going to have certain requirements and you know I've seen them all over the board I mean I've seen carriers out there that have four or five pages worth of questions that you have to answer some of those questions I'm like I don't even understand why that what that question means but you put it on there okay whatever

probably found some security guy in the corner that wanted to throw a bunch of acronyms. Yeah. Some of those even apply to somebody that's got 10 employees. But anyway, and then you have other carriers that don't have as many questions that are still trying to ascertain. But I think the other key is, is that, Hey, there, can still get it right. I think what I've heard is cyber insurance. Yes. The pricing has gone up, but other forms of insurance have gone up as well. it

Dino Mauro (44:10.263)
bill overall and affordable thing to get. And so you just, you're not getting anywhere with a particular broker, you may talk to another broker to see if they have an another carrier out there that's willing to write you. there's different ways of doing it, but usually when I hear somebody that can't get policy, it's just cause they're either in some kind of super high critical industry or they don't have the things in place that they need to have it.

place. So they just, you know, multi -factor authentication on 365 and admin accounts. just aren't willing to do that. So I don't blame the carrier for saying no. given your experience at Solace and we'll have for the listeners, we'll have the link to Solace security in the show notes and where you can reach out. We'll have your LinkedIn profile as well, Chris, so that people can reach out to you, connect with you.

because the insight you've got is just phenomenal. What advice, what are some of the top five, three, whatever things based on your engagement after the fact, after a massive data breach occurs for a small and mid -sized business, what are the things you're finding that they should have done? Like what would be your top recommendations for best practices?

Yeah, the number one would be just what we talked about with passwords and multi factor authentication. I mean, that's not the silver bullet, but that is so, so important. it's a baseline, right? It's such a baseline. And Microsoft has come up with different ways to implement MFA from a policy perspective. So I would say if you're going to do, you need to do MFA, but you, when you do it, look into it some more. And if you have a technology provider involved, then let them

give you some guidance around that right say hey this is better like you know for example with Microsoft you can do multi -factor just possible on your screen says approve or decline right well the problem is is it's really easy for somebody to say approve and they then they go off and do whatever they do at nine o 'clock at night on the Saturday hit approve I didn't think anything about it next thing you know you come in Monday morning your account was compromised because you weren't paying attention so there are things to that so I'd say that's that's number one number two is remote access is incredibly important

Dino Mauro (46:28.885)
And so when I'm talking about remote access, I'm talking about for employees, I'm talking third parties and that type of thing. We've seen, you know, a number of situations where a business has a piece of software and that vendor supports that, that software is installed on the server there. It's the vendor security, right? Yeah, they're just not paying attention to it. Or they just have a bunch of tools that just have sat around forever. When we get into cases, one of the things we get in there, we're like, Hey, we see this. Do you know what this is for? No.

We have to figure out was it installed there for a legitimate purpose and deleted or should have been deleted or did the bad guys get in there and install that? Cause that's what they do. They just installed a normal remote access that everybody else does. And so that's another big thing to be on top. So that would be number two on the remote access. Number three is really, you need to be very active about being on top of your data, where it goes, where it sits, why it's there, why it needs to be there.

A lot of people goes, well, we need that for research purposes. Well, it doesn't need to be there for everybody to access all the time. Exactly. Who needs access to it? We have stored away somewhere archiving, get it, get it away, you know, if you have to have it, but really you should be convincing yourself to delete it. and that's, that's really key. I would say fourth would be, just, you know, we talked about that remote access. I said, just more around vendor management, right? even if you have, you know, there's great,

great IT providers out there, but you should just not, you should question them. You shouldn't find out what they're doing. You should find out that if they're all the things that they're telling you to do from a security perspective, they're doing themselves. Well, I've seen some of the largest breaches. And when you look at the target breach, they weren't breached directly. They were breached through their HVAC vendor. That's exactly right. And they were doing a lot of things great, but the problem was they didn't have any evidence. they got actually gagged.

hammered even worse because they couldn't prove it back to that earlier point. That gets back to the compliance piece, Exactly right. Like showing the evidence, documenting that you have those things done. Right. And the fifth one would be instant response readiness is what we're calling this now. And so it's a very important term versus just... Like operational resilience, right? Like it's the practice annually of if this happens, who knows what, who says what to whom.

Dino Mauro (48:46.679)
Who is on first? Who's on second? What do we do next? Right? You're right. And don't just think of it as a technical exercise. If you just have IT doing it, you're missing the boat. It needs to involve HR, right? It's got to involve HR. It's got to involve legal. It's got to involve anybody handling social media PR like who's going to communicate. Who's going to do this? a board, you know, we see a lot of times, yeah, especially with nonprofits.

the way things are written, they can't get approval to do Jack squat unless they have a board meeting. And so those are the things you have to take into account because you get an instant response situation. You gotta make decisions quickly. But you're like, man, we legally cannot make that decision. We have to have an emergency board meeting and we got to call board members and they got to have 72 hours. Notice all that stuff. That's the kind of stuff you need to feed in and take into account when you're doing your incident response. So yes, plan instant response, operational resiliency.

Great term there as well as just being able to test it and not only just test it annually. That's good but if you have some material changes in your environment you Acquire somebody you change out some infrastructure you move to the cloud that should trigger you to Revise your incident response plan and test it again So you may find yourself testing it multiple times a year just because of the rate of change in your your organization requires it absolutely, so I'm gonna

As my last question to you, I'm I want to ask you this because I think there should be a number six. I'm just going to throw it in there. How many? Here's my question for you. How many of the organizations when you get brought in after a massive breach and you guys get engaged at Solace Security, how many of those do you find had adequate security awareness integrated into their culture ahead of time? What percentage just roughly? Well, so I think the term adequate is there. We see a lot of people, they

have some, their employees go through some form of training, but I don't think it's enough, if that makes sense. It's not focused on what they should do. It's very generalized. that, mean, there's some great general security awareness training, but that should be more of just kind of a reinforcement, in my opinion. You really need to look at having something that's specific to your policies, specific to your industry, and specific to your culture.

Dino Mauro (51:05.759)
And ongoing, right? Like so many organizations, especially in the small mid -sized space. Well, when we onboard, they have a video that they watch and they sign this form. I would say a lot of them don't have that though. ago. They've been here for three years. What are you, and they get an email on Tech Tuesday on how to spot a fish. I'm like, how do we know if they read it? How do we know that they have absorbed it, understood it, and then modified their behavior? We don't, right? So send in that email. While it's important, it's not.

we don't know that it's again, the compliance versus security, right? We don't have the evidence that it actually sunk in. So having it ongoing test fishing them, testing them, like it gets it, it's the security awareness aspect of operational resilience. You should have, I completely agree. And I also agree when you interview people, you should probably ask them some cybersecurity stuff in there to see, no, who you're getting higher on, right? Yeah, you know, you're right.

I think you're assuming that a lot of people do training on when they onboard employees. First of all, you got to assume that small companies are actually have some kind of onboarding process and they understand, go sit with Nancy over there and see what she does. But even if they do, I don't think they're doing the cybersecurity awareness training on during an onboarding thing. So, you're right for those that do that, they never see it again or they see the same thing year after year. That's not going to be appealing. not going to for that. I, when I do training, I try to relate.

personal stuff as well. I say, absolutely. It's you in the business world, but it's also going to help you in your personal life as well when you're online. And I think that helps. Absolutely. And when we do it, we always focus on what's new and what's relatable to that specific organization. Right. And we do it in a bunch of different ways. We do it interactively. We show video and then we speak with them.

engaged because people learn different ways. We kind of look at it like it's a professional development, right? Well, as such, these employees are students and students learn in different ways. Some are auditory, some are visual, some need to write stuff down. So we do it all those ways and we do it regularly, right? So that it becomes kind of part, part of the culture. Yeah. got to interact. It was a big deal. I think COVID kind of destroyed a lot of that, but you got to give it.

Dino Mauro (53:27.531)
the ability for people to ask questions and say, I saw this or I heard this or I read this. That's important in an educational situation as well. That's phenomenal. Hey, Chris Laird. Thank you so much, man. Great discussion. everybody, Chris is going to be at Right of Boom over in Texas in the coming weeks and we'll have a link to that. And then we'll have a link to solid security. Check them out. These guys are the

best around. So we're really excited. Thank you so much, man. Really appreciate it. was awesome. Good content. Won't be the last time we talk. And yeah, we're just getting started. So, all right. Thanks everybody. Well, that wraps this up. Thank you for joining us. We hope you enjoyed our episode. The next one is coming right up. We appreciate you making this an award winning podcast and downloading on Apple and Spotify.

and subscribing to our YouTube channel. This is Cybercrime Junkies, and we thank you for watching.


People on this episode