Ep. 3 – Insights from a Ransomware Negotiator
Steve Rivera, CRO @ Logically
Kurtis Minder, CEO @ GroupSense
June 19, 2023 | 49 mins
In this episode, Steve speaks with Co-Founder of GroupSense, Kurtis Minder, to delve deep into the world of ransomware. Get exclusive insights from Kurtis as he shares his firsthand experiences as a ransomware negotiator and discover the impact of these trends on businesses like yours to learn how to stay protected.
Listen wherever you podcast and share with your networks.
Key Takeaways from the Episode
- The role of cyber hygiene in mitigating ransomware risks
- How ransomware affects brand perception and employee morale
- AI applications for both attack and defense in the cyber realm
- Preparing for the impact of quantum computing on cybersecurity
- Insights into the evolving landscape of cyber warfare
Ransomware Trends You Need to Know from a Ransomware Negotiator – Episode Transcript
Welcome to Logically Speaking, where we discuss the latest trends and challenges in cybersecurity with top experts in the field. Today, you’re going to learn how to keep your data safe, your operations sound, and your business ready for whatever comes next.
This is Logically Speaking.
STEVE RIVERA
Today’s guest, we have Kurtis Minder, the founder and CEO of GroupSense. It’s a cyber reconnaissance company. They deliver customer-specific intelligence. They use a combination of automated and human reconnaissance to create what I’ll call finished intelligence. It’s tailored to each of their customers’ digital risk footprint. Kurtis has also successfully raised this company from the ground up. He’s got over 20 years of information security experience that span operations, design, and business development. And Kurt’s become one of the industry’s leading ransomware negotiators, which we’ll talk a little bit about, and which he had an interesting foray into. But this is going to be an exciting podcast. We’re going to jam a lot in a little bit of time. Kurt, thank you so much for joining us today. You and I can probably do a podcast on food and wine pairings, but we’re here to talk about cybersecurity.
Why don’t you start off by sharing with our listeners what your experience in cybersecurity is and maybe we can start there.
KURTIS MINDER
Sure. Sure. And I actually don’t understand why we can’t do both, like the food and wine and cybersecurity. This is a new podcast format. I like this. I like this. Yeah. No, thanks, Steven. Thanks for having me. I’m honored to be a guest. So my background, you mentioned I’ve been doing this for over 20 years. Most of that was hands-on sort of technical stuff. I did various operational roles, anything from, you know, administration to pen testing, and later moved into sort of architecture and design from a security perspective. And I did that at small internet companies, and I did it at the biggest internet companies like SBC, which is now called AT&T. And then I started doing sort of high-tech startups, did a couple of those. And then the last company I worked at was Fortinet, where I was responsible for their service provider team. I think you and I got connected because of that role. And then I made the questionable life decision to start a company. So I’ve been doing this for a little over eight years from when I started GroupSense. And just to get to that real quick, we started very humbly in a coffee shop. And one customer at a time, one use case at a time, we did not do the Silicon Valley sort of get big or go home route. We did the sort of pragmatic growth approach, which is the hard way, but it also allows you to do pretty creative things that sometimes in a venture environment you wouldn’t be allowed to do, or it’d be harder for you to do. And most of those things are focused on, you know, sort of customer outcomes and desires, which I’m pretty proud of.
STEVE RIVERA
So a lot of our listeners are in that mid-market, SMB kind of market space. And in your opinion, how does that mid-market handle cybersecurity and that ever-shifting threat landscape that we have? I mean, I know you and I have worked in so many enterprise spaces, but I know that the SMB is kind of dear to your heart.
KURTIS MINDER
Yeah. Yeah, no, that’s a great question. I mean, well, first of all, the middle market and the SMB space is the backbone of the US economy, right? And this is why it’s near and dear to my heart: the software companies don’t tend to focus on that market. It’s a hard market to reach. The venture money that funds a lot of the high-tech startups really funds those startups to sell into the early adopter markets, which are the large enterprise and financials, etc. As a result, a lot of the tools that are available to the market are not really consumable easily by the broader market, the mid-market and SMB. And, you know, so I’m very sympathetic to these folks because they have the same challenges as everyone else. They have less resources to address those challenges. As you know, there’s a sort of a talent gap in the cybersecurity industry; supply and demand is driving that talent gap up market. Those salaries are just too much for most folks. So it presents a pretty strong challenge for those organizations to do all the necessary things to protect themselves and thus the rest of us, right? Because they are the backbone of the economy.
STEVE RIVERA
Yeah, so let’s talk industry, right? So what industries are you seeing that have the least amount of investment in cybersecurity? Like what industry is really lagging in investment?
KURTIS MINDER
Yeah, it’s always dangerous to generalize these things, but, you know, my sample size is what it is, right? But there are certain industries that kind of stand out. I would say there’s a long list. But if you look at some of the more sort of operationally driven industries, things like logistics, for example, or manufacturing and things like that, they seem to be a little bit behind in these areas.
Those industries have sort of unique challenges as well, which I’m also sympathetic to, which is, you know, where maybe a professional services organization, let’s say an accounting firm or something similar, the systems they use are basically commoditized systems. They’re using, you know, Windows and Mac and HP printers and the basic systems that everybody is familiar with. When you start getting into these industries like manufacturing and logistics, you start getting into systems that are not the normal systems, and you’re talking about things like product lifecycle controllers and things like that, that have embedded software. But the security of those systems is also critical and difficult to manage.
STEVE RIVERA
Yeah, I mean, you bring up a couple of really good points. I mean, when you think about the cyber threats and the threat actors that are out there, what are you seeing? What’s your team seeing that would be unique to the mid-market, maybe more so than anything else? Is there anything that kind of jumps out at you that says this is kind of a new threat vector, or this is kind of the same old routine kind of attack pattern?
KURTIS MINDER
Sure. Well, I think, you know, let’s just take nation state activity out of this for a moment and focus on cybercrime, or those types of attackers, for a second. Most of them, you know, for the most part, for the listeners, they’re running a business, right? And just like any other business, they’re trying to minimize costs while maximizing profit. (07:45) And to do that, many of them have recognized that, you know, spending a lot of time attacking blue chip companies who have spent ridiculous amounts of money on cybersecurity infrastructure and have a security operation center in house and all of these things is expensive for them, time-wise and resource-wise, when they can get access to a lot of the same digital assets, stolen data, et cetera, or similar in value, by attacking organizations that are not that well-resourced. So where I’m going with this is that, you know, many of the cybercrime syndicates have recognized that their time is better spent on a volume approach, attacking as many small to medium businesses as possible. And when I talk about the data, what we see, so ransomware is one of our specialties, right?
So, in ransomware, you know, one of the things that the threat actors do is they take a copy of as much data from the organization as they can before they execute the ransomware. Well, what we’ve seen in those sort of sample data sets is that, you know, these SMBs and or mid-market companies that are being attacked have some of the same data, or some of the same critical data, as the big organizations that they could have attacked, because they’re suppliers to those organizations, right? And so they’re actually getting access to the same stuff for cheaper. And they’ve recognized this. And I think that’s something. And then the last thing I’ll say about that is, yes, they occasionally are using some sophisticated tactics, but more often they’re not. They’re using very simple sort of cliche cyber-attacks that, frankly, with the right education, you know, most of these organizations could protect themselves from.
STEVE RIVERA
(09:35) It’s interesting because I just saw a buddy of mine post something on LinkedIn about RSA, and it was about hygiene, right? He saw someone leave the bathroom without washing their hands and he thought, you know, that reflects upon your company and their own security hygiene, right? Don’t wash your hands after using the bathroom. Right. And I thought that was pretty funny, because you’re right. Some of the basic blocking and tackling is oftentimes the attack vectors that are used most commonly, because hygiene is something that is required, you know, daily. The vigilance that’s required to validate that those things are being done on a continual fashion. People like to focus on the next new thing, the silver bullet when it comes to cybersecurity. So, hygiene becomes that much more important. And is there a percentage in your mind that would protect people against these attacks if they maintain that vigilant hygiene in their networks and make sure that patching and, you know, their systems were not out of warranty or out of support? Is there a percentage in your mind based on what you’ve seen?
KURTIS MINDER
Yeah, I mean, I hesitate to be quantitative about it, but, you know, in the attack sample sizes that we’ve seen, yeah, 95% or something. It’s so pervasive. And this term hygiene is a metaphor, right? For, you know, what you were talking about, like washing your hands, brushing your teeth. And when I do these public speaking engagements, occasionally I’ll get people who ask some version of this question where they say, well, you know, is it going to be necessary for everyone to become cybersecurity experts? And my answer is no. Just like, you don’t have to be a doctor to know how not to die. Right. That’s what hygiene is. It’s like basic things that keep you alive and approachable as a human being, I guess. But I think that, you know, adopting a few core things for a lot of these organizations and then maintaining that is, one, relatively inexpensive to do. It’s mostly an educational thing. And then two, it would reduce the risk for them, you know, by greater than 90%. And one last thing I’ll say is when you hear on the news about how the bad guys hacked into this company or hacked into that company, I like to remind people that in most cases, the bad guys did not hack it. They just logged in. They just logged in. And so if we can just prevent them from just logging in, that would be a good start, right? And that’s one of those hygiene things, right?
STEVE RIVERA
So, I want to shift gears, because one of the most, you know, interesting things that you and I have always talked about is your introduction into ransomware negotiating. And I know you can’t mention names, so I want to respect that. But could you walk us through a recent negotiation, you know, leave names out to protect the innocent, but, you know, maybe share with our listeners some of the kind of engagements that you’ve been involved in most recently that might help them to either become more aware or protect against. I shared one of your stories recently where, you know, a company was attacked with ransomware. They went to activate their incident response playbook, and it was on a device on the network that had been encrypted, right? So it’s one of those scenarios where they forgot to print out their incident response playbook so they would have it in the event of an incident. But could you walk us through one of those ransomware negotiations that you’ve done?
KURTIS MINDER
(13:50) Sure. And just to set a baseline, when we started doing this a few years ago, you know, the primary engagement was what I would call threat actor engagement, or the negotiation part. Over the years, though, it’s evolved to be a little bit more comprehensive than that. So, I’ll tell you what happened. You know, we’d go into these negotiations and the first question every victim would ask is, should we pay? And the answer is, I don’t know. That’s a business decision, right? Like, I don’t know the answer to that. Let me help you figure that out. And so, in the front end of these cases now, we’re helping the companies sort of fully digest what the ransomware impact is, and then helping, to the best of our ability, helping them come to a quantitative sort of decision on whether it makes sense to engage the bad guys at all. And then ideally that quantitative decision would also drive some kind of number, like roughly a range of what they would be willing to pay to get out of the situation, right? The other part of that is there’s a compliance part. So, we’ve got to work through that and make sure that, you know, it doesn’t make any sense to engage if it’s against the OFAC sanctions, right? And so, we have a process for that as well. Then, if we go through this process with a company and we decide, yes, this makes sense, we’ll engage. Then that’s the meat of it. That’s the negotiation part. That’s where I, or my team, engages with the threat actors on the company’s behalf and tries to drive that number down. And also ensure that we’re getting, you know, what we ask for for the money. There’s a parallel process that we run, which involves cryptocurrency. So, at the end of this, you’re going to, you know, likely make a payment via cryptocurrency to a threat actor.
Most companies don’t already have a digital wallet with a balance in it ready to do this. And while, you know, you and I, Steven, can open up a Coinbase account and just transfer money from our bank account, some commercial banks aren’t really cool about that, right? And they actually limit the amounts and or restrict the amounts. So we need to get in front of all of that, because at the end of the negotiation, the bad guys don’t care about my banking processes. They just want their money, and they get really impatient. So those are all the components. And remind me, because I want to come back to the beginning part with the business impact, because there’s this thing I call the ransomware blast radius. I want to talk about that, but I’ll come back to that.
(16:33) Just, you know, recent cases. Yeah. So, one of the things we picked up on in very recent cases, and it was particularly egregious, is that the threat actors have gotten quite good at their casing of the system. So they will break in. In this case that I’m about to reference, they broke in a year prior to actually executing the ransomware, and they sat in a medium-size, let’s call it a governmental organization. They broke in, they persisted for almost a year before they actually executed the ransomware. And during that period, they used that time to slowly case the systems, learn where every single network component was, learn how they did their backups, get access to the backup systems. But here’s the thing that I’ve noticed that they’ve been doing lately, and I think there’s been a few articles written about this. They also recognize that a lot of other systems are connected to the network. They got into the phone systems. They got into the HVAC systems. They were in the thermostats of the buildings, right? They had gained access to these systems. And I’m sure that most of the listeners understand this, but all of these systems are just computers and they run operating systems, right? And they’re connected to the networks. They’re totally candidates for being affected by ransomware. And when they did execute the ransomware, the impact was more than the typical impact, where you usually have the operational impact from a network systems and computer systems perspective. So, obviously, you can’t send email, you can’t make payroll, maybe you can’t ship product, perhaps things like that. But in this case, they couldn’t climate control their buildings. And those buildings included things like jails. So they’ve got prisoners in jails and they can’t climate control. You can see how good these guys have gotten at this process.
When we did the incident response component for this, we learned that the main vector for entry was a very old Exchange server vulnerability that could have been patched some time ago. And so, going back to our earlier conversation about sort of basic cyber hygiene and keeping these systems up to date, you know, they could have saved themselves a lot of headache by just following a good patch program and process. I’ll pause there and let you ask any questions.
STEVE RIVERA
No, no, that’s really interesting. I mean, I’m interested in the follow-up on the comment you made about blast radius, right? But then I have a follow-up question, which I’d like for you to give your opinion on: whether victims paying the ransom is feeding the problem, feeding the beast, or should there be like a stake in the ground that, whether it’s the government or someone, says that we need to stop paying these ransoms. I mean, so maybe we’ll talk about blast radius first and talk about the ransom payment second.
KURTIS MINDER
(19:54) So just a couple of seconds on the blast radius. I think we all understand the operational impact of a ransomware attack. And we probably understand now at this point, as much has been written about it, that sort of the next, you know, concentric circle around that is the sort of extortion, data exfiltration impact, which includes things like brand, trust in your brand, you know, customer confidence, maybe employee morale, because if they took PII and they’re dumping employee data, things like that. So I think we understand those. The more complicated things that sometimes, like, outlast the actual attack, and sometimes have a longer lasting and sometimes more expensive impact, are things like, well, what if you can’t make payroll for two weeks and 25% of your staff just quits? How much does it cost you to recruit, retrain and rehire for those roles? These are things that people aren’t thinking about. Intellectual property. So if you’re working in the manufacturing space, you have a product. I mean, I had a conversation with a victim at one point that really illuminated this for me. They were a manufacturer, they got hit, and just like we talked about, the bad guys took a copy of as much of their data as possible. And in that data set was, let’s call it a recipe, for their manufacturing product. And at the end, when we were kind of doing our post mortem and talking about, you know, the go-forward plan, the CISO told me that, while this was painful and expensive, the actual ransomware attack itself, his biggest concern was, if that intellectual property ends up in the hands of my competitor in China in five years, I have a bigger problem. And the smaller the company and the more critical that sort of trade secret is, the bigger impact it might have, right? On their business specifically.
So these are just things that we want people to think about when prioritizing protecting themselves from a ransomware attack. It’s more than just your stuff doesn’t work for a couple of days. It’s more than that. It’s a lot more than that. Right. Yeah. So I’ll stop there.
STEVE RIVERA
Oh, no, that’s really good. I think I was having a conversation with a client just the other day and they were not thinking about the cascading, like the ripple effect of, you know, some type of outage. And what we talked about was not just a ransomware attack or a cyber-attack, but anything catastrophic to them from an environmental standpoint. And this was a manufacturing plant around, you know, the food industry, and they had a major operation in, you know, making sure that the integrity of what they were mixing and the food that they were dealing with at various levels, right? So there’s a physical level, there’s a logical level, there’s a cyber level. So, yeah, I mean, you’re absolutely right. The cascading effects can sometimes be disastrous. In this case, they would have to shut down the entire plant if they had some challenges, and then eliminate all of their inventory, food-wise, and ensure that those things were to, you know, the regulatory levels. So, you’re right. There are so many layers. And I think that oftentimes most people are just thinking operations, making sure that things are continuing to go, but there’s brand protection and others. So that’s really good.
What about, like, you know, what’s your team seeing that could possibly give our listeners that look over the horizon? Is there anything that you could, I know you don’t have a crystal ball, but like, is there anything that you’re seeing that are new kind of attack patterns that might be uniquely different from what you’ve seen in the past?
KURTIS MINDER
You know, other than the threat actors continuing to innovate on the kinds of systems. Again, going back to my original comment, which was they’re running a business and they’re trying to figure out how to do this more quickly and more cheaply. You’ll find, you know, some articles written about some of the new attack vectors around things like virtualization, things like that. And so the threat actors recognize, hey, we can impact more systems by attacking the bare metal sort of virtual machine operating systems, which have virtually no protection on them to begin with. And yeah, so they’re getting smarter about that. I think, you know, if I was going to say something positive, I think, you know, awareness is up. You know, the White House just released the cybersecurity strategy document. I don’t know if you’ve got a chance to review that, but, you know, there’s some encouraging things in there, although, you know, government doesn’t exactly move at our pace, Steven, but I’m encouraged that it’s getting visibility at that level. And I think, you know, we’ve seen where, you know, federal law enforcement has been able to disrupt some of these folks. Unfortunately, you know, not very many bad guys are actually getting arrested. So, they just stand a new one up, but it makes it expensive for them. And as long as we can continue to raise the bar from a protection and prevention standpoint on our side and have the law enforcement doing their part, I think, you know, it makes it harder for the bad guys.
STEVE RIVERA
(25:40) I want to tap your, you know, kind of experience when it comes to artificial intelligence, because that’s been something that, you know, everyone’s talking about: AI, ChatGPT. I spoke to someone in the industry recently about phishing attacks that are becoming highly scripted and very, like, almost spear phishing, using things like ChatGPT, that are really hard to determine whether or not it’s a phishing attack or not. But I mean, how are you seeing AI on the threat actor side, but then also being used for good to combat those types of attacks?
KURTIS MINDER
Yeah, I mean, you had some of the use cases. I mean, the very first application, you know, that the threat actors jumped on with the AI was the phishing campaigns. We did some experiments early on too, with tools like ChatGPT, where we, you know, said, Hey, look, here’s my profile. I’m a 46-year-old male. I live in Colorado. I’m a CEO of this company. You know, anything that you could find out about me on LinkedIn, I guess. And then we just asked ChatGPT, how would you send me a phishing email, an effective phishing email? And it was good. It was real good. I would click on that. It was really good. And so what it does is it adds a level of scale and customization to those phishing attacks that is kind of scary.
Now, the second part of your question is, can we combat that? I think so. You know, that same AI technology can be used to learn about those attack tactics and automatically create protection mechanisms inside our mail appliances and things like that. I think those are useful tools. It also helps with, you know, just general knowledge transfer for folks. Our analyst team uses the AI technology for explaining mitigation techniques when we send an advisory, and to do that more quickly and at scale and with more detail is useful.
STEVE RIVERA
Yeah, I know, that’s interesting. And I think that the speed with which these things are being created, which used to be marked in, like, weeks and months, is now marked in hours or minutes, right? And that’s, to me, the most concerning, because our ability to react to them, you know, it’s always this cat and mouse, right? Our ability to react to that, we have to be that much faster.
Let me ask you kind of a forward-thinking one: how do you think the cybersecurity landscape is going to change over the next five to 10 years, right? You and I are, I hate to say it, but we’re some of the older guys in the industry. But I mean, how do you see it changing in the next five to 10 years? I mean, you and I have probably, you know, we were in this when all the rage was firewalls, and that was like, ooh, that’s so new. And then IDS came out, then IPS, and then, you know, so now we’re talking next-gen things and leveraging AI and machine learning. What do you think is kind of the next wave? If you had that time machine and went out 10 years, what do you think will be that next wave?
KURTIS MINDER
(29:15) Yeah, I think you could do a whole talk just on that. I mean, there’s so many things in play right now. And you’re right, you know, I remember the first firewall that I ever installed in the state of Illinois, and it was a Check Point. It was running on a Sun, no, it was running on an HP, I forget the name of that server. It was a cool bladed server that we installed. And I remember when they told me, you know, the purpose, and I was like, why do you want to block traffic? Why would you want to block traffic? It’s the internet. Why would you buy something that stops the traffic? I don’t understand. Yeah, we’ve come a long way from that, right?
I think, you know, on the positive side, technologies like AI are going to make our software smarter and make it more difficult for the threat actors to get creative, and hopefully, you know, when used in the development process itself, maybe prevent us from making some of the development mistakes that create these vulnerabilities to begin with, which the White House strategy document also talked a little bit about, you know, sort of the software manufacturers taking some ownership of that. And I think AI will help with that.
(30:33) Quantum throws a whole wrench in this thing, you know. When that becomes, and it will, when that becomes a thing, encryption is going to be a whole new, there’s going to be a weird flip from today’s encryption to quantum encryption, and it’s going to have to happen quick. And there’s already a bunch of companies working on this. And so that’s going to be fascinating.
I think just from a macro level sort of cybersecurity discipline standpoint, I do think that, you know, we’re an industry that sort of, you know, accidentally appeared with the quick adoption of technology, and for the longest time, you know, it has been an afterthought from both the people writing the software and the people consuming it and so on, which has made our job frustrating at times, as you might recall, you know, like people just not getting it. But I do think, you know, in the next, you know, five years, that shift is going to happen. Cybersecurity and information security is going to be, you know, part of the fundamental operations of a company.
People are going to recognize this is the new risk landscape. And I think ransomware in some ways has a pretty profound impact on this, because if you think about, you know, what’s a cyber-attack, we’ve almost forgotten about this, right? But a cyber-attack, I don’t know, seven years ago, a cyber-attack was somebody broke in, and they took something, and it was embarrassing. Right? That was it. They took something and you’re like, oh, man, I got to pay a fine. I got to notify somebody, you know, that’s embarrassing. And so you kind of designed your cyber strategy around not being embarrassed. You know, that’s not what this is. This is like complete operational interruption. This is like your stuff does not work, right? Like nothing works. And so I think that’s forcing an issue where companies are like, hey, you probably got to prioritize this from a budget and operation standpoint. I think in the next few years, that’s going to continue and grow and become part of our fundamental business process.
STEVE RIVERA
(32:41) Yeah, it’s interesting. I think that cyber insurers are starting to get wiser about how they insure against these types of attacks. In your space, how do you view that kind of playing out over the next few years? Like, I just spoke to a client that said their premiums were going up, you know, by two, three times unless they adhere to some base level countermeasures that they did not have. So do they invest or do they pay the insurer? Do they rely on cyber insurance as that net? I mean, do you have an opinion on how that’s going to evolve and whether or not the cyber insurers are going to remain in this market?
KURTIS MINDER
(33:30) Well, as long as there’s money, you know, I think they will. And I do think, I think I’ve seen the same thing you’re seeing, where, you know, when you signed up for cyber insurance, you used to get a questionnaire and you just filled it out. Yeah, yeah, yeah, yeah, yeah, yeah. And then it was underwritten based on your answers to the questions. Now they check. Now they’re starting to, like, oh, do you really have that? Let’s see it. Right. I think that’s good. I think that’s going to drive good cyber hygiene. And I think that the equation that you just spelled out, at least most reasonable folks are going to go, I probably should make this investment anyway. You know, I think the challenge is, and I could see why someone would be hesitant to, is that the operational sort of maintenance of those things can be cumbersome. But this is why you partner with service providers. And we probably should talk about that in the front end of this. And I fundamentally also believe that for the broader market, you know, the sort of security operations component is a utility. Companies are not going to be able to hire and retain the talent to run this stuff in house, and they shouldn’t. That’s not their core competency. You know, they should not do those things. There are companies like Logically that can help these companies with that. And, you know, that’s just going to have to be part of the go-forward future.
STEVE RIVERA
(34:50) Yeah, thanks for the plug. No, I, I absolutely agree. The customers that I’ve been meeting with are, are, are exactly struggling with that same kind of resource constraint. Do we find, do we hire, do we partner? And in the middle market, they’re competing with the larger companies who pay better, who are, you know, basically snapping up these resources as quickly as they can with, with minimal experience, one, two years experience and they’re paying premium for them.
KURTIS MINDER
That’s what I was going to say. And I’m sure you’ve, you’ve, you’ve probably cautioned some of your, your, your prospects about this is like, can you find somebody out of college who will, who will run your, you know, your security operations for you? Yep. And you’ll, you’ll, you’ll send them to classes and you’ll train them and 12 to 24 months, they’re going to get a job offer that’s 3x what you can afford and they will leave. And then you’re going to have to do it again and then you’re going to have to do it again and you’re going to have to do it again. And so, you know, that’s why I think the service provider model is the best way to go.
STEVE RIVERA
Yeah. You know, part of, part of our listenership is in the state, local educational marketplace. Do they have any unique in your experience unique challenges outside of like private companies in your opinion? Is there anything unique about that? Or should they view things the same way that private organizations are viewing it?
KURTIS MINDER
Um, so yeah, I think there are some unique challenges and I think they’re different for the different categories too. So, you know, state and local and municipal. Um, obviously one of the similar challenges they have is they have, um, few resources to deal with this. Um, and, you know, it’s sort of driven by, by politics sometimes rather than, those budgets are driven by politics rather than, than, you know, the more pragmatic approach to viewing risk. Um, so I think those are, those are unique challenges. They can’t, in a lot of cases, like we talked about ransomware, they cannot pay ransom or at least on the books, they can’t officially pay ransoms, right?
I’ve seen cases where they, there are workarounds for that that they’ve used, but that puts them in a bad spot and, you know, their constituents are different. Like, you know, your employees are different than, than your taxpayers. And so, you know, those, those things, it’s nuanced, but those things can be very, um, what’s the word, incendiary when, when there’s an event, right? When you start talking about taxpayers’ information, taxpayers’ dollars going toward, you know, sort of cyber event response and things like that. Um, and so they, it is unique for them. Education is even, you know, even more of a challenge because, you know, one of the things about education, one of the good things and bad things is that it’s a very open environment. They, they’re not, um, the, you know, information sharing is a big part of education and they don’t lock things down the way, uh, a normal institution would by design. Um, and, you know, striking that balance for, especially for the larger institutions is pretty hard.
STEVE RIVERA
Yeah. Yeah. That’s good. I want to shift a little bit and talk about your opinion on cyber warfare and, and how that will evolve over the next few years, right? With the conflict in the Ukraine, we saw that there was a, an aspect of, um, cyber warfare in that kind of initial attacks, any, anything, any thoughts on that on, on how that’s going to evolve? You know, we, we got the alerts from the government that said, be aware, we’re at a heightened state of possible cyber attacks from Russia and, and then it never really materialized…
… or did it, or did it?
KURTIS MINDER
That’s good. So that’s, that’s, you know, I mean, I could, again, I could talk, we could do an hour talk on this alone. Um, you know, there’s, and actually there’s been some pretty good books written recently on these topics. Actually, there’s one on the shelf behind me here, The Art of Cyberwarfare by Jon DiMaggio. You should read that book. It’s a good book. Um, so, uh, the, our adversaries, I won’t name the specific countries right now, but our adversaries have for years been successfully infiltrating our power grids and, um, our networks, you know, the nation state components of these countries, primarily Russia, North Korea and Iran are the, and China are kind of the ones we’re talking about. China’s been doing it primarily for industrial espionage, less cyber warfare, but they’re, they’re similar, um, in that some of the stuff that they’re stealing is military. Um, I, I do think, so again, I’m going to try to make a short version of this thing, but like we, we, we created an amazing cyber weapon when we did Stuxnet. Yeah, it’s amazing. Remarkable. For the listeners, this is where we went. We sent software to basically go mess up Iran’s nuclear enrichment program and it worked. And I just think like in the military, let’s say you create a new weapon that nobody else has, which is what we did. You created this new amazing weapon that nobody else has. And it can, let’s say, for example, this is just hypothetical, this weapon can shoot through any kind of, uh, surface. What’s the next thing you do? You make a surface that that thing can’t shoot through. Right. That’s the next thing you should do. We didn’t do that.
So, we created – we created industrial espionage slash, you know, malware that can destroy ICS control systems, you know, from a remote, whatever. And when that got loose, it was used against us and it was used against Ukraine and we weren’t ready for it. And so, I think, you know, going back to, to the cyber security document from the government, they’re now recognizing, hey, we’re, we probably should have done this before, but we need to shore this stuff up. I live in Western Colorado. Tomorrow, actually, I’m speaking, uh, at a, at a, um, a meeting where I’m, I’m trying to get grant dollars to help with this. Like it’s no secret to Russia that one quarter of the US population is fed by a single river that runs through my town. And what have we done to make sure that all of the industrial control systems that, that control that water are secure? Probably not enough, right? Probably not enough. I think we’re behind and I think that, um, I think that, that we’re finally getting, uh, you know, I think we’re finally getting wise to the fact that we’re at risk here, that if there were a larger kinetic impact, this could be used against us. Um, and the, the, the, the, I’ll tie it to, to the, the role that everyone plays, including our customers and our constituents. And that is that this basic cyber hygiene thing that we talked about is in my mind, and I’ve done talks on this, is in my mind a civic and national security issue. Um, and it’s a form of patriotism.
You, and so what the threat actors are doing, remember the threat actors are operating out of Russia, but let’s say 85% are operating out of Russia or a Russian friendly country like Belarus, Moldova, et cetera. They, the first, what is the first thing they do? They take a copy of as much of our data as they can. Those threat actors in that country are, are not nation state actors necessarily, but they’re afforded a sort of unofficial amnesty for that activity. They’re, nobody’s putting them in jail in Russia for doing this. There’s a quid pro quo for that amnesty, right? The government gets a copy of that data. Right. Now Russia has exabytes and exabytes and exabytes of our data that they can use against us in these cyber warfare attacks. And I don’t think that that’s getting talked about enough.
So, I keep saying it over and over.
STEVE RIVERA
You’re, you’re, you make a really, you make a frightening and great point there, which is that when these ransomware attacks are successful in encrypting the data, no one’s really thinking about that data exfiltration. No one’s, that, that copy of that data where, you know, there’s no guarantee that the threat actor is going to actually destroy the data like they say.
KURTIS MINDER
Yeah. Let’s assume they don’t. Okay. I mean, they say they do, but let’s assume they don’t. The storage is cheap. Yeah. And so I think that’s something that we need to consider and it will, it will be used against us and it probably already is being used against us.
STEVE RIVERA
Yeah. Yeah. So really quick, you know, I just wanted to touch on this topic of the insider threat and I know we’re running out of time, but yeah, and I appreciate, I appreciate your comment that we could probably have podcasts on each of these topics.
You know, there was the recent news of the Pentagon leak, right, of the classified documents, the National Guardsman, the 21 year old who had access to all these documents. Government’s still kind of uncovering the secrets that were shared in this, this chat room, right. And, and now it’s, they’re just widespread, right. It’s spreading like wildfire. Everyone’s got them now. Yeah. I mean, they were briefings. They were maps of the Ukrainian military positions, how, how and when Vladimir Putin would use nuclear weapons, under what scenarios, you know – how does someone protect from that insider trusted threat? I mean, that’s a, I mean, that’s something that every organization has to face. Yep. You know, trust your employees to make the right decision. What can be done about that? Or is that an acceptable risk?
KURTIS MINDER
Well, I mean, I don’t, I don’t know if it’s acceptable, but I think it’s inevitable. Like I don’t think you have a, you have a choice. You’re going to have to trust your employees at some level.
You know, having the thing is, the example you gave should, should have been protected by these systems that I’m about to mention that the government basically invented, which is, you know, compartmentalized information, least privileged access to that information, need to know basis, all of this stuff. And I, you know, the sort of the zero-trust technology stack kind of, right, is built around that concept. And so yeah, I think, and actually when you go back to some of the larger attacks, and I’m not going to, I don’t want to get sued. So, I’m not going to bring them up again, but some of the larger attacks that have made the news, right? That have been in the news were things like the employees’ credentials weren’t deprovisioned after they were, after they were let go, right? So, they could still log back in.
And so just some business process stuff, but it really is, to manage it, rooted around least privilege and compartmentalized information. But you still have to have the, well, how do I know if that’s not working, right? Because they’re not going to tell you that they did, right? Which is why companies like GroupSense exist to do digital risk protection monitoring for that data surfacing in places it shouldn’t be. The whole purpose behind that is, you know, most of the cyber-attacks, the successful cyber-attacks, if you read the, your, your, your, you know, former employer’s DBIR report, you know, it was the bad guys had access to data that they shouldn’t have had access to that predicated most of the successful attacks. So looking for that data showing up in places it shouldn’t be, and then cleaning that up and/or mitigating for that should be part of your process.
STEVE RIVERA
Yeah. So, you just gave one of them, but could you give two more things that you would advise our listeners that they should do, like, today? And you just talked about one of them. We talked about data hygiene, but maybe you have a couple of others that you would say, this is what I would do today to prevent becoming a victim.
KURTIS MINDER
(46:06) Yeah. So, I’ll do a policy one and a technology one. So, a policy one is what I, what I call credential policy. That would include things like password policy, right? So, you know, having a strong password, et cetera, changing it on some occasion. But as part of that credential policy, just making it very clear to your staff that they’re not to use their corporate email credentials or the corporate login credentials on anything unrelated to the business. And this, most of these attacks where I made the joke about where they logged in, were a result of that screw up where they, the person uses their corporate credentials on I love knitting.com and they use the same password or similar. And you know, the lovely lady that runs, runs I love knitting.com is not a security expert. She gets popped. All those credentials are pulled, and they use automated tools to try to find remote access entries like RDP or VPN and they just log in. And so that one right there is a very simple one. It doesn’t cost you anything other than creating a policy and making sure your employees adhere to that policy. Now you have to make sure that that policy is working. The way you do that is you couple it with something like digital risk protection services, which says, I then I would, my tools would be telling you, hey, look, your employee used their credentials on I love knitting.com and they showed up in this, in this breach, you need to tell them that they violated policy and reset their password.
Right. The, the, the other one is, and everybody’s going to roll their eyes, but multi factor authentication, everywhere possible. Just do those two things and you’re going to be a lot better off. Right.
STEVE RIVERA
No, that’s fantastic. You’re absolutely right. It’s, it’s the basic blocking and tackling that I think, you know, often times gets missed.
Yeah. Kurt, look, I appreciate your time. This has been a very provocative conversation. I’m sure that our listeners are thinking about ways that they can use some of the information you shared. I appreciate it very much for your time. As always, always a pleasure.
Well, that’s, that’s all for this episode. Make sure you tune in next time for Logically Speaking and stay cyber first and future ready.