Nations have to stop sheltering bad actors in order to stop them, expert says.
TechRepublic’s Karen Roby spoke with Adam Flatley, director of threat intelligence for Redacted, a cybersecurity company, about the future of cybersecurity. The following is an edited transcript of their conversation.
SEE: Security incident response policy (TechRepublic Premium)
Adam Flatley: I think what really needs to be done, and what has started to happen recently, is that we need to bring all of the components of the private industry and the government together to combat this threat in an organized, intel-driven campaign that is targeting the actors behind these ransomware operations and working to dismantle those organizations through using all the tools available to the private industry and governments around the world.
Karen Roby: Adam, it used to be, we would talk about the bad guys. It was a couple of guys, maybe hackers, that were committing these criminal acts. But now we’re talking about very sophisticated organizations with amazing technology at their fingertips, and some really smart people behind today’s criminal acts.
Adam Flatley: Absolutely. And the playing field is very broad. There are still some of those smaller actors out there who are doing this, but the vast majority of the high-impactful ransomware operations that we’ve seen have been conducted by large organized crime units.
They are incredibly sophisticated, very organized. They have development organizations that are building their tools. They have customer service groups that are helping people learn how to pay the ransom by using cryptocurrency. I mean, they’re very, very sophisticated criminal operations.
Karen Roby: Adam, I will say one time I was so shocked. I was interviewing a gentleman who, his company, he had a small company, and they fell victim to a ransomware attack. And he said that when it was over that they were offered a 1800 number from the criminals who said, “Here, here’s how you can exchange the money. Here’s how this all works.” It’s pretty amazing that that’s how organized these groups are.
Adam Flatley: Yeah, absolutely. I mean, they want to make it as easy as possible for people to pay them. And so you see that with a lot of the sophisticated groups. They will offer all kinds of assistance, they’ll teach you what cryptocurrency is and how to buy it and where to do it and how to do the transfer. It’s funny, I wish we had that kind of customer service in a lot of the other things that we buy.
Karen Roby: Adam, I know you have many, many years of cybersecurity experience there under your belt, and also part of a very specific Ransomware Task Force. Tell us more about that.
Adam Flatley: It was a really big honor to be part of the Ransomware Task Force that IST put together. They pulled together people from all across the industry, people from security companies, people from hosting providers, from telecom providers, law enforcement was involved, other parts of the government were involved.
They really took a good, holistic look at what is the nature of the problem, and then how do we build a no-kidding-strategy to combat this. That takes on making the defensive side of things better, dealing with the business model of this. How can we have an impact on cryptocurrency to be able to make that more trackable and harder for criminals to hide within and make it easier to seize payments that were illegitimate? All the way to the part that was really missing is really driving an aggressive operation, targeting the actors behind them and putting pressure on governments that are sheltering these actors, to be able to start bringing these organizations down. That was the piece that was really missing.
Karen Roby: And Adam, do you think that some of these high-profile cases that are making the headlines these days, is that what’s helping to further this discussion about cybersecurity, and to make more people aware and to move the ball down the line?
Adam Flatley: I think it was a combination of things. Definitely the public attention that was brought to the issue by Colonial Pipeline and the meat packing plant, etc. That definitely helped. But I will say that the governments of the world were already starting to move in the right direction before that happened. It was really dawning on everybody that what we were doing wasn’t working, things were compounding. And really what we think they needed was, they needed a framework that they could hang up on the wall and look at how we can build a campaign to deal with this problem.
That’s what IST provided, was a really comprehensive framework for how to tackle this. And I think that really helped kickstart, not only what the U.S. government was going to do in response, but also lots of allied governments around the world. Because this is a worldwide problem, this is not just a U.S. problem, and we can’t solve it ourselves. We need to work with partner nations, anybody who’s willing to work with us, to go after this issue.
Karen Roby: I’m going to backtrack just a little bit here. If a company is in a specific situation where they have found themselves to be held hostage because of a ransomware attack, what do you say to them? I mean, as far as giving them advice one way or the other to pay or not pay, I mean, what do you even say?
SEE: Top 5 ransomware operators by income (TechRepublic)
Adam Flatley: I think the best way to look at it is to view paying the ransom as a last resort. I’ve heard a lot of arguments that they should make ransomware payments illegal, force people to not pay. But I think that that’s really impractical, because there are going to be some victims that paying the ransom is literally their only way out of the trouble that they’re in.
They’re either not going to have been prepared, they’re maybe not a sophisticated technical company. Or it’s also possible that because of the double-extortion schemes that we’re seeing now, the threat actors are getting in the network, swimming around, stealing their intellectual property first. Maybe finding some embarrassing information in chats or emails. And then they’re threatening to publish that if the ransom isn’t paid. So, it’s getting a lot more complex and the decision to pay the ransom or not. So even if you’re able to completely reconstitute your network, they could still publish your precious intellectual property on the internet and completely devalue your company if you don’t pay them.
So, the decision is very complex, it’s very hard. And my advice is really to make that your last choice. Do everything else first, if you can. Restoring from backups is a really critical thing. Having good offline backups is really critical for making that restoration. And then, if you’re caught in a double extortion scheme, you really got to think about is it worth paying the ransom, or would it be better to just take the hit and not be funding these organizations?
There are some companies that can make that decision. They can be like, “Fine, publish whatever,” because they’re not going to give into blackmail and they may be in a position that even if it is released, their company will be fine. But then there are others that could really be ruined by it, and we shouldn’t prevent them from paying the ransom if that’s what they have you do.
Karen Roby: This year, last year to 18 months, has been especially difficult for IT teams as they’re stretched so thin and CISOs are spending so many more hours, just trying to keep things in check and in line here. But the supply and the demand we know is a real problem when it comes to all of these open positions for people who are really trained in cybersecurity, and there’s just not enough numbers to fill those jobs. What do we do about that?
SEE: Tech skills gaps continue: Bootcamps can help those looking for a new career (TechRepublic)
Adam Flatley: I think that solving the security problem in America specifically, where we are so incredibly vulnerable to cyber intrusions of many kinds, from just the most simple email schemes, all the way to sophisticated nation-state attacks. We are extremely vulnerable right now. And that problem is going to take years, maybe decades to really fix.
So, I think that what we need to do is, while we’re working on these programs for training people and for upping our security posture and helping companies get better, we also have to have this targeting campaign that’s going after the bad guys. Because you’ve got to keep them on the run so that they can conduct fewer operations per year, because they’re basically out there trying to stay out of jail. And if you keep them focused on trying to stay out of jail instead of conducting these operations, you buy time for these other things to happen that are going to take years and years to permeate our entire culture. So, I think that that is a really key piece is, you’ve got to have that offense being played while your defense is being strengthened.