Ransom-where? The U.S. Cities Fighting Back Against Hackers

Moving on, we're now going to be switching gears to ransomware: U.S. cities are attempting to fight back against hackers. Local governments are under siege by ransomware. More than 200 local governments, schools and hospitals were targeted by ransomware in 2022, causing the U.S. public sector millions and millions of dollars in downtime and damages. It's a real, ongoing problem. So, to join us to discuss this real problem is Allan Liska, intelligence analyst with Recorded Future, and MK Palmore, director of the Office of the CISO at Google Cloud, and they're going to be discussing how governments and local governments can fight back. And joining us is our very own TechCrunch's Carly Page. Ladies and gentlemen, welcome them.

[Music]

Thank you. Good morning, good morning. Thank you so much for joining us, guys. I think Allan has just put some stickers on the front tables if anyone wants those, but let's get together to come to the talk, so hand out.

So I'm super excited to get stuck into this discussion about ransomware, but I think before we get started, we kind of need to define what we're talking about. Over the past couple of years we have seen the ransomware

industry change so drastically, the tactics employed by hackers change so drastically. So, Allan, could you kind of summarize what we are talking about when we say ransomware?

Yeah, it's funny that you use the term industry, because that's really what we're talking about. Ransomware is a global business, unfortunately, that is a complex marketplace. But really we're talking about two different types of attacks that we now broadly call ransomware. There is what we're used to, which is encrypt and extort: so you encrypt files and you extort the company or organization to get a key to get their files back. And then there's also data theft, and that can be combined with extortion, but it can also be a separate attack on its own. So you look at ransomware groups like BianLian, who focus entirely on data theft: "We're going to steal your data and we're going to publish that data unless you pay us. Then we will tell you we'll delete it, even though we won't, because we're a bunch of liars."

And MK, how has this shift in tactics changed how we deal with the ransomware problem?

So it's interesting. I've had both the benefit and displeasure of sort of observing how the ransomware challenge has evolved over the years. I spent a career in the U.S. government. I'm

a retired FBI special agent, and I still recall back in 2014 the first notification of a ransomware incident, where we had at the time an enterprise reach out to the Bureau and ask for help in terms of how to respond to this particular vector of attack. And I am quite frankly amazed that, nearly a decade in, we are still talking about this ability that adversaries have to gain access to environments, encrypt information, and then, as indicated, either ransom for the information or threaten to release the information. And I think what we've seen is frankly a workable business model by the adversary that they will continue to take advantage of for as long as enterprises fail to sort of meet the blocking and tackling and guidelines that they need to implement in order to buttress or prepare for the types of attacks that are happening within the ransomware realm.

Right, and it's not just the ransomware actors themselves; it's the whole ecosystem that's built up around that. So you have initial access brokers who make money, you have the people that handle the money laundering, you have the people that build and develop the code. There are all of these different groups that have kind of sprung up in support of the ransomware, so it's this huge marketplace. That's

actually an excellent point, I think, that we don't talk enough about in the industry, because the adversaries have figured out how to monetize every aspect of the cyber kill chain. There's the access, there's the availability of information, there's actually selling exploits. So for every aspect of the cyber kill chain they figured out a way, essentially, to put money and value to it, and for as long as that value exists I think we'll continue to experience this kind of challenge.

And MK, you just said it's amazing that a decade on we're still talking about ransomware. I think to me what is amazing is that this year looks set to be another record-breaking year. These hackers are not slowing down, and in particular it looks like it's going to be a record-breaking year for attacks targeting the public sector, targeting hospitals, targeting schools. For these attackers, what is the value in targeting these entities?

Yeah, I mean, initially it's about information, gaining access, right? We talked about the monetization piece. We do know that each year public sector entities remain in the top three targeted verticals for adversarial attack, and part of the reason is that there's such a challenge for public sector entities to

essentially keep pace with the changes in technology and the capabilities that most enterprises have available to them in terms of protecting their digital assets. And the adversary knows this. They know that the public sector essentially can't keep pace, and so they tend to be a heavily targeted vertical because there's a high degree of success associated with targeting them.

And Allan, did you have anything you wanted to add on that?

You know, it's funny you talk about 2023 being kind of the year of ransomware. If you go back to January 2017 you'll see headlines that 2016 was the year of ransomware, and then the same thing in 2017, in 2018, and so on, just because it keeps getting worse and it keeps building on it. But I think, to add to what MK said, the data that is available in public sector entities is incredibly valuable, whether you're talking about patient records or student records or information about houses, like who owns what houses, etc., Social Security numbers, etc. All of the data that's held in these public sector entities is incredibly valuable even if they don't pay a ransom. And you add to that the lack of funding that they have for security, and they make an easy target.

Absolutely, and I think, just to paint a picture for the audience here

of how bad this problem is, I think it's important we talk about the consequences of these attacks, what we've seen over the past year. Allan, can you talk us through a bit of the knock-on effects we're seeing of these attacks?

Well, sure. I mean, I think a great example of this is what's been going on with Minneapolis Public Schools. Minneapolis Public Schools got hit with ransomware; they stole student data, teacher data, parent data, all of that data, and Minneapolis rightfully didn't pay the ransom. But now all of that data is fully exposed, and what can Minneapolis do, the Minneapolis school system? They can offer credit monitoring, but that doesn't really help. You know, same thing when we look at the city of Dallas, the city of Oakland: both have had sensitive personal data stolen of the people that live there, and there's nothing that they can do. That data is now out there forever on various underground forums and markets, being sold and resold, etc.

And MK, does that track with what you're saying?

Yeah, absolutely. I mean, what we're sort of skirting around here, though, is the issue of technology adoption without appropriate security measures and protections, and I think it's important, certainly in the public

sector, quite frankly for any industry, to understand that as you lean into and move forward in terms of technology, trying to at least glean the insights, avail yourself of the opportunities for expanding business operations, and certainly in the public sector the ability to then deliver additional stakeholder services, you have to be thinking about what role security is going to play in that technology before it's put to use. And I think what we're seeing across the board is that second part essentially not being executed appropriately. So we're expanding the digital footprint, we're having organizations essentially identify technological resources that they would like to use, creating a huge amount of complexity in the environments that the small number of security practitioners are then responsible for protecting. And it turns out that that challenge can be relatively insurmountable the more you grow the digital assets without thinking about security.

Right, and the rush, especially in the case of municipalities, to build the smart city, right? I mean, that's been kind of the mantra for the last decade or so: how are we going to build smarter cities, make things more accessible online, right? But, to your point, without thinking about the

security consequences. I've been, and I don't know about you, but I've been in a number of incident response cases to cities in particular that have completely flat networks. So the ransomware actor gets in, say, the accounting department, and they can also encrypt everything in the court system, and there's no reason for those two networks...

Right, exactly.

...you know, so even some of the basics are not being carried out there.

Yeah, I mean, the basics still rule the day, the fundamentals. And I think organizations that are certainly in a position to reevaluate where they are in terms of how their networks are architected would do well to go back to the zero trust principles, principles like those that companies like Google have espoused over time. Adhering to those zero trust principles will enable organizations to limit the blast radius of any one potential event within the enterprise. And to your point about flat networks, I mean, what we're seeing is what we have historically seen, and unfortunately seen probably for the better part of two decades: once an adversary has access, ultimately, if they have super admin privileges, they unfortunately have the ability to roam the environment and do all kinds of

damage based upon their access.

And I think, as well as these systems themselves not being that secure, governments are also at risk of supply chain security risks. They rely heavily on contractors, on third parties. What can they be doing differently to lessen that risk? Can I come to you first?

Yeah, so supply chain is a... you know, Log4j came to everybody's front doorstep a couple of years ago, and we all have, I'm sure, war stories about how our organization sort of leaned into that in terms of responsiveness. But what it highlighted was this need for an understanding of the downstream effects of adopting tools and capabilities that aren't checked, aren't based upon security principles, aren't monitored in an effective way to ensure that they don't all of a sudden create some kind of open access to your environment so that the adversary has been able to travel upstream and do damage to your network. And it's an ongoing challenge, and so there are security frameworks, software development life cycle frameworks, all kinds of things available to enterprises now in order to enable and help them do better at monitoring supply chain challenges. But we get back to the point, you know, that the increasing responsibility for the security apparatus now means

that this is an added area where they have to do due diligence, where they have to engage, and it gets to be pretty challenging due to issues like limited workforce and inability to do these things via things like automation, or the unwillingness of organizations to adopt tools that do have an automated component that would allow them to expand those capabilities.

Yeah, and I'll add that on top of the supply chain the way we think about it, you also have to think about your data supply chain, and we saw that in particular with MOVEit. The MOVEit breach: how many organizations that didn't even run MOVEit, but some of their partners or vendors did, had data exposed because of that breach? So you have to think not just about the technological supply chain but where is your data, how is your data being stored, are they following best practices. I mean, you know, MOVEit is supposed to be a platform that is a temporary platform to transfer data, and how many of those organizations had data that was sitting in there for years and years and not actually moved off the platform? So understanding where and how your data is being stored, who has your data, and so on is an additional challenge that organizations have to deal with. And again, when you're having trouble even

managing your supply chain, how are you going to then manage your data supply chain as well on top of that?

Yeah, I mean, huge challenge. We're talking about the complexity of managing a security apparatus. I think that, you know, if we go back to the issue of public sector entities having a challenge with this, no organization can hire the number of people they need to hire. There's no organization that just gets to adopt every tool that they would like to, for budgetary reasons, for risk reasons, for other reasons. And I think that what it ultimately leads to is a desire to consolidate the security apparatus of the enterprise, because the complexity that is involved with managing the number of tools that organizations now have access to creates natural gaps in terms of their ability to protect their environments. And I think what we're going to start seeing is organizations start to get away from this idea of so many tools in the environment and really start looking for vendors that are able to answer the vast majority of their security use cases.

Yeah, and I do think that that's something that we as security vendors have failed our customers at. Our answer to every problem has been decreed to the tool, right?

Exactly.

And so you wind up with a hundred different

tools in your organization, 100 different devices with 100 different consoles, and you only catch the bad guy if you happen to be looking at the right console the right day at the right time. And that in and of itself is a problem: that complexity makes things worse, often.

Absolutely, and I think that complexity is a problem that probably a lot of startups here at Disrupt face as well. And similarly to governments, they probably have limited resources as well in which they can invest in cyber security. We've spoken about zero trust and supply chain monitoring. If they had to prioritize one thing tomorrow, what would you recommend? Allan?

I've never seen a mass ransomware attack in an all-Mac network. I'm not saying that Macs are more secure than Windows; I'm just saying the ransomware actors haven't figured it out. So throw out all your PCs, adopt Macs. Probably not practical for many organizations there. So I don't like to give a one answer, because it depends on your capability: what do you have the ability to do? You know, for me, because of the way a lot of attacks that I see work, I tend to recommend an EDR solution, and

possibly through a third-party monitoring like an Arctic Wolf or Red Canary or something like that, as, you know, building that baseline. But before anything: know your network, know what you have, know what your assets are, know who your partners are, know where your data is going. Understanding that allows you to better decide what one tool, if you can only get one tool, to use, because I can tell you what I'd recommend; your situation may be completely different. I don't know, what are your thoughts?

Yeah, so people are going to be disappointed; it's going to be similar but different. Chromebooks.

Yeah.

For large-scale enterprise, Chromebooks have still shown themselves to be a resilient, secure device, utilized for network-capable access to SaaS applications through the Chrome browser and such. There have been zero documented instances of ransomware being able to be proliferated against a Chromebook, and so, probably not a surprise to those of you in the room, the recommendation from Google is heavy use of the Google security stack: use of Pixel phones, Chromebooks with Chrome OS. These are things that organizations, certainly startups, should be thinking about, because they're

concentrating on getting their product to market, right?

Right.

So security is not necessarily the thing that's driving their day-to-day activity, and so if you wanted to reduce the risk to the enterprise, start eliminating natural vectors of attack so that you can concentrate on business operations and the ability to get business done. So if you go through the process of just sort of, hey, let's worry about getting our widget built, getting that to market, and take whatever tool that we can get, and you're not being intentional about that tool adoption, you essentially are opening yourself up to all kinds of possibilities in terms of security risk. And those will grow as the startup and enterprise grows in terms of size and complexity, and the more devices, the more hardware that gets added to the development of the business operations and the tools, products and services that you're trying to develop, the more complex your environment is getting. I bet you I could ask every startup or founder sitting in this room whether or not they have someone who's handling security, and the number of identified security professionals or practitioners that are part of the founders, I'd be willing to bet it's really pretty limited. It's one of the last

things that, unfortunately, is talked about. It's one of the last executive positions that is oftentimes brought on board in the startup environment, and from day one that security practitioner is playing catch-up, because the business has been running and operating with some type of functionality up to that point, and so that person then needs to backtrack and figure out what all has been done in the way of creating a security culture, a security environment that protects digital assets.

Yeah, I mean, it's funny, so many startups that I talk to, exactly what you said, they don't have a security program until they get their first contract with a company that requires them to have one of those dreaded questionnaires, and they're like, oh crap. And even in a startup you see that technical debt suddenly come to life, and it's like, can we take this contract? And you don't want to be stuck having to figure that out; you want to have that ahead of time.

This realization is coming to light top to bottom. I mean, I read an article this week; there's been so much news about the need for security professionals and practitioners at the top of the enterprise, boards of directors and elsewhere, in terms of

playing a key role in operations, in the C-suite and governance of the organization. And that need to include security professionals early on really has not been stated or emphasized as much as it should be. It will yield dividends in the long run and actually will allow the organization to move faster when the time comes.

Absolutely. I just want to change gears quickly and touch a bit on what the U.S. government is doing to help these public sector organizations fight this problem. So in the past couple of months we've seen them announce a few initiatives: there's the K-12 resiliency effort, which is looking to help schools overcome this problem, and it's also announced more funding for state governments as well, trying to fight back. Do you think the government is doing enough? Do you think these initiatives are going to have much of an impact in the long run?

So you know my stance on the matter, which is the one way we're going to stop ransomware attacks is drone strikes against ransomware actors. And I know that sounds like a terrible thing to do, but you get one of those guys with a drone, they all retire very quickly. But you need, right, you need to have that

both. You need to have both sides, right? And I do think that it's a good start that we're adding the funding to schools, adding more funding for states; all of that's really important. I also think we should think about, like, an AmeriCorps for cyber, where we're taking people out of college and paying for their cyber security degree or their cyber security certifications to go work in state and local governments and the public sector to get the experience for a couple of years. But I don't discount the importance of the ransomware task force that President Biden has set up. There are now 47 countries in there, and we've seen a number of excellent takedowns. Now, it's whack-a-mole, right? You take one down, they pop back up, or you take it down, they go on vacation for three months and then rebrand as something else. But it acts as a disrupter, at least temporarily, and continuing to do that kind of work across countries is going to be just as important. We need to be both going on the offensive against the ransomware groups as well as improving our defenses.

Do you agree?

So I'm going to disagree a tad, and I'm the Marine and former federal law enforcement officer sitting on the panel, but I'm not sure drone strikes are

going to get us exactly where we need to be in terms of responding to these attacks.

We won't know until we try.

I appreciate the vigor. Government plays a role, absolutely. It's important for government to engage, and in fact there are some problems that only government can help to solve. But it is not enough in terms of the participation from the private sector. Public-private partnerships have proven to historically help solve really intractable problems like the one that we're facing with ransomware, and so there needs to be a lot more cooperation from private sector entities participating with government in terms of running the ground on how it is that we can help organizations really prepare themselves for the kinds of attacks that they're experiencing. And a lot of it, I think, has to do with, again, helping small organizations do better at security. The attackers are experts at return on investment: they do what works, and what works is attacking unprepared entities. And who's unprepared? The smaller entities that can't really afford both the time, effort and resources to invest in security. And so if there's anywhere where I think

public-private partnerships can be more helpful in this regard, it is in bundling capabilities and services and sort of giving them, charged or otherwise, to smaller entities so that we sort of shore up the foundations of small business, medium-sized business, help them get to where they need to be, and I think we would see probably less of this in terms of proliferation. That same model, I think, extends to public sector entities. I've unfortunately seen over time public sector entities try and stretch themselves a bit too much. You know, when I was in government, 32 years' worth of time, we always felt like we could just hire to solve problems: hire more people, point them towards a problem, and we'll get it done. And we're in an environment where we can't count on just bringing additional personnel resources to the table. We've got to leverage technology, you know, new advances in, certainly, Google's posture in terms of AI and generative AI and its potential impact on the cyber security realm. So we've got to leverage technology; we have to understand that personnel resources essentially are not going to be there. We have annually in this country 650,000 open cyber security positions; we're better than a decade behind filling that

pipeline with viable folks that can step into the breach, and we have to look for both technological solutions and project solutions that are going to help close that gap. Technology is going to play a key role, government's going to play a key role, but it's an all-hands-on-deck effort.

Absolutely. And Allan, you mentioned briefly the takedowns we've seen the U.S. government announce lately, which are impressive, but we've also seen them announce sanctions, which are maybe not so impressive. A lot of these ransomware operators that they're sanctioning are based in Russia. Are these having any impact?

It does make it more difficult to pay a ransom. So, as much as it pains me whenever an organization pays a ransom, I'm against the idea of banning ransom payments. I think if you pay a ransom it should be reported, but that's a different story. But it does make it more difficult for those bad guys to get paid, and I think that's really important. You know, I talked to a number of incident response firms that are aware of who the threat actors are behind these campaigns, even when they try and disguise themselves, and they

will tell the victim, you can't pay; it's going to be a violation. If you absolutely have to pay, you've got to go report it and everything before you make any payment. And so I do think that there is a deterrent effect there. It doesn't necessarily stop the attack, of course; it doesn't stop the data from being sold or used for malicious purposes. But it does make it less profitable to be a ransomware actor, which is what we want to do.

Sure. MK, do you agree with Allan, companies shouldn't have paid these demands?

I do, because of something you were touching on, Allan, that I think needs to be teased out, which is the idea that the reason the attacks keep coming is because there's money on the end for the adversary in terms of proliferating these attacks and actually accomplishing what they're trying to accomplish. If you were to cut off the source or the reward for them at the end, I think we would likely see less in the way of attacks. And it's a little bit unfortunate, I think, that, again, a decade watching this evolve, we've gotten to the point where paying is such an automatic

component of the attack cycle. And I don't know the answer to this; I don't know if it's reporting, I don't know if it's some other kind of regulatory sense of approaching this. But I do know that organizations can do more to protect themselves, and that's the area where we feel like we can have the strongest impact and emphasis: around helping organizations prepare themselves, taking prescriptive advice in terms of tooling, how it is that they think about things like use of cloud, public cloud, which can be a game changer for organizations. We need to sort of get away from the... if you want to stay with the historical frameworks we've used and the historical approach to digital assets, expect to continue to see adversarial success on the landscape.

Yeah, and I think that that's right. We would much rather make it so they never have to even worry about paying the ransom, because they stopped the attack early on, right? However we're going to do that.

Absolutely. I'm determined to end this on a bit of a lighter note. So, to the founders in the room, what can these guys be doing to help these hospitals, to help these schools secure their data in a way that they can afford to do? Allan?

So I think you hit on it: it very much is a partnership, and

partnering with these public sector entities to help them, you know, in my case, because data theft's been so prominent, help them better manage and secure their data. If the ransomware actors can't get their hands on the data, then that takes away one avenue of attack. So how can you help them better manage and secure that, how can you help them better secure their environment, secure their networks, how can you help them better understand what a ransomware attack looks like and help them detect it earlier? You know, there are a lot of ways that we can help public sector entities better improve security. As you said, Google's doing a lot in that area to help out, but other companies and startups can fill some of the gaps that a company like Google can't fill and help these entities better improve their security.

Yeah, so I'm going to answer it with some broad-based answers. Help them reduce toil; they don't have enough people to address their security issues. Help them adopt automation, because automation is going to help close the gap on many of the complex issues that they have in terms of the challenge of protecting their environments. And then the last thing: help them increase visibility. Visibility

is like the number one challenge for any security practitioner, and when you have a tiny staff dedicated to protecting a large-scale enterprise, if you can help them increase visibility and then layer in automation, which gives them the ability to respond to the challenges that they're seeing in their environment, you can help them immensely close down potential attack vectors to the enterprise.

Brilliant. Well, I hope you... hope you did, and thank you. Thank you.

[Applause]

