S2 E24: Geopolitical Ransomware – The Growing Threat and Defense Strategies

Transcript

Jordan Eisner: So welcome to today’s podcast, everybody. Thank you for listening. I am Jordan Eisner, VP of Sales at CompliancePoint, and this is CompliancePointers, where we cover topics in information security, cybersecurity, data privacy, and anything in the vicinity of that arena.

So I’m very excited about the podcast today. We’re going to be talking about ransomware, specifically the emergence of geopolitical ransomware and the impact it’s having here in the United States.

We’re fortunate enough to have Steve Hahn on from BullWall. I’m going to talk more about Steve, but hey, Steve, good to have you on.

Steve Hahn: Thanks so much for having me.

Jordan Eisner: Absolutely. We’ve got another Steve, Steve Haley from CompliancePoint, and Steve has been on the podcast prior, but I’m really looking forward to a conversation with the two of them today. Steve Haley, thanks for joining.

Steve Haley: You’re welcome. Glad to be back.

Jordan Eisner: And congratulations on just closing on your home.

Steve Haley: Oh, yeah. Just really exciting stuff.

Jordan Eisner: Living the dream. There must be a lot of cybersecurity need out there.

Steve Haley: I certainly hope so after closing on the house today.

Jordan Eisner: Oh, hey, let’s be careful. We don’t necessarily want it to happen, but we’re here to help if it does.

Steve Haley: That’s right. We’re here to mitigate risk first.

Jordan Eisner: So for the sake of this podcast, since we do have two Steves on, I’m going to refer to Steve Hahn as BullWall Steve. I’ve gotten his blessing on that. And then I’m going to refer to Steve Haley as CompliancePoint Steve. And I’ve gotten his blessing on that.

And this is exciting for many reasons. CP Steve, CompliancePoint Steve, has, I don’t know how many years in IT and information security, but it’s been quite a bit. He’s worked with IBM. He’s worked with software organizations, basically running information security. He was a Marine. Still is a Marine, right?

Steve Haley: Always a Marine.

Jordan Eisner: Very tactical, very experienced and knowledgeable in all things IT and information security. So I think the resume speaks for itself.

And then Steve Hahn, Executive Vice President of Sales, another military man, right? Navy man.

Over a decade in cybersecurity and I think, you know, what, 20 to 30 years in IT services, right? So very well versed with niche companies all the way to a lot of time with Fortune 500 organizations. So very excited to have the two of them on and start this QA session today. So let’s get started.

First one, and you know, we’ll kind of roundtable this. I don’t know that I’ll necessarily cue BullWall Steve or CompliancePoint Steve. I think both of you are going to have context and color to add to each and probably maybe even question and collaborate with each other on it. But I’m just going to put them out there and you guys go, hey, I want to answer this or hey, let me take this one first and I’d be interested.

What you’re going to get as an audience today is I think more of a technology feel from BullWall Steve, but not only, right? He’s got the IT services background and then more of a professional services, policies, procedures, process from CompliancePoint Steve, but not always because he also has a big technology background, right? So we’re going to get a good mix here.

So let’s start with how has ransomware changed in the last couple of years, right? It’s still around, it doesn’t seem we’re getting much better at stopping it. Maybe you guys have different thoughts on that. But how has it changed in the last couple of years and maybe specifically since the Russian-Ukraine war started?

Steve Haley: BullWall Steve, if you’re okay, I’ll take this one first. I want to kind of lead into kind of the foundational components of how, you know, from a professional services perspective, you know, what we’re seeing out there as it relates to, you know, how ransomware has changed over time and then the impact of the Ukraine war and really lead into how your technology helps, you know, facilitate mitigating some of that risk.

And so, you know, what we’re seeing out there with our customer base is really more sophistication, you know, in the way the attacks are coming in, right? There are still multiple entry points. You know, the sophistication, though, is really where we hone in on.

You know, the attacks are more rapid and, you know, the threats are more severe or higher risk to an organization from our perspective.

When we look from our perspective, we’re really dealing with companies and setting up appropriate incident response and planning as we look at how to respond to a cyber event, which obviously everybody knows ransomware falls underneath that, right?

So dealing with policy first, the organizational policy, then we want to design, you know, the incident response plan and the critical incident response teams associated with the organization should an event happen.

And then, you know, building that layered approach within the organization and the culture in the organization, right? So, you know, security awareness training, being able to identify, you know, those entry points, i.e. malware, phishing attacks, those types of things.

And then, you know, running through those exercises like tabletops, which is a very cost-effective way for an organization, you know, to do dry runs, you know, it’s like anything, you know, the Olympics are going on, right? So kind of tie it to that where, you know, they’re training all the time. So when it becomes showtime, it’s muscle memory, right?

And we treat cyber incidents very much in the same way where, you know, you’re going to react the same way you train.

But nevertheless, you know, you can take all of those precautionary measures to reduce risk. But, you know, still, as we see in the news almost every day, you know, there’s significant ransomware attacks still happening. And you know, speed is extremely important, meaning that, you know, we’re still relying on the human element, right, to be able to react quick enough. And you know, unfortunately, cyber attacks don’t happen during the day, right? They happen at all hours of the day. And so being able to react to that, you know, is critical.

But, you know, BullWall, you know, offers a very unique solution in the marketplace. Could you kind of give us an overview of what that is and how we help mitigate some of the risks associated with that?

Steve Hahn: Yeah, and just if I could, just a quick point also on the changing element as well. We’ve seen in the last two years, the numbers are pretty evident that they’re growing. The number of successful attacks is growing tremendously. So Google it yourself. You don’t have to take my word for it. But we’ve seen about a 200% increase in the last couple of years of successful attacks.

Now, some of that’s going to be related just to new techniques that seem to outpace the prevention layers. And some of that is certainly because these are almost exclusively in the ransomware space, Russian-based threat actors, former KGB people that all disbanded and formed criminal enterprises after the fall of the Soviet Union. That’s kind of who’s behind this. Who was the head of the KGB? Well, that was Vladimir Putin back in the Soviet Union era.

So there’s kind of a quasi-nation state element and quasi-financial element to this where, yes, they’re after the money, but also they’re taking orders from Putin in a lot of ways. So we’ve seen their targets shift to things that will impact the U.S. and hurt us more there.

But we’ve also seen, frankly, right now, their success is incredibly high. It’s higher than it’s ever been. So their techniques have evolved. So what we really say is a lot along the lines of what you said there, Steve, is that it’s really a when-not-if world.

Most companies are going to be hit by ransomware. We’ve seen just last week the largest payment ever. It was double the previous largest payment of $75 million. That’s a huge amount of money that these threat actors can put into essentially research and development. It well surpassed $1 billion last year in total known payments. So these are incredibly well-funded organizations. As a matter of fact, they have more revenue than most cybersecurity companies, so they’re incredibly well-funded.

So if you treat this as a when-not-if world, you have to do more than just prevention. You can’t rely on your prevention being 100% effective, 100% of the time against every attack that will ever exist. You have to say, well, what do I do should my prevention fail? Should they get lucky just that one time?

And for us, it’s all about rapid containment. We look at an active ransomware attack, and we look at how the file shares are going to be encrypted. That is impossible to hide.

The payload can be delivered through a lot of obfuscation techniques into an environment, but you can’t obfuscate what ransomware does. What it does is it encrypts the file shares, and it encrypts really fast. So that’s what we’re monitoring. We’re monitoring the file shares for that non-human-type encryption.

Steve Haley: Yeah, sorry to interrupt you.

That goes to the point that the human element can’t respond as quickly as we would like them to. In the middle of the night, they’ve got to get called. They’ve got to engage, log on to the laptop. I mean, there’s a lot of things that can happen very quickly in that.

Steve Hahn: Absolutely. And the numbers speak for themselves there as well. They’re using scheduled task managers to deploy their attacks in off hours and holidays. Holidays in the middle of the night are the most common times for these ransomware attacks. About 80% of them are going to occur in off hours where you have less time to respond.

Steve Haley: What do you think is the biggest motivation?

Jordan Eisner: That’s what I was going to say. That’s what I was going to ask next. You said it’s not necessarily all about money. There’s a geopolitical side. You mentioned Vladimir Putin.

What would you categorize the motivation as?

Steve Hahn: Yeah, so I’ll start with the primary motivation is still money. They have double extortion techniques now as well. So they’ll extort you for the decryption of the data that they just encrypted. And they’ll also extort you one more time for the data they stole.

So they’re going to try to release very sensitive information about your company, emails that you don’t want leaked. And even a hospital in the Northeast was hit. It was a breast cancer hospital. And they threatened to release actual pictures of patients in undress. So it’s pretty horrifying what they’re willing to do to extort companies.

But the secondary element to that is because they’re Russian-based, we’ve seen the shift occur where they’re now attacking things that could exacerbate inflation. So supply chain, logistics, and manufacturing to a very high level.

They’re also going after hospitals to a higher degree to cause loss of life. Just today, a blood provider in the Northeast that feeds 300 hospitals, I believe they’re called Blood One, was taken down. And that’s going to affect vital blood supplies that they need to deliver to these hospitals. So they’re really trying to cause loss of life, which they’re doing, and exacerbate anything that could impact our material goods being either produced or gotten to consumers. So lower supply means prices go up. That hurts our inflation even more.

Steve Haley: Yeah, those are good points. From a boots-on-the-ground perspective that we see with our client base, obviously, we deal with government entities. We’re seeing ramp up in the government entities as well, any way to disrupt the government. And I think I wanted to tie in the Israeli war that’s going on too. We’re seeing any disruption that can occur to that, to the United States as that political kind of component to it.

Again, the healthcare, but we’re also seeing increased attacks to critical infrastructure. We do deal with some critical infrastructure companies as well, and we are definitely seeing an uptick on that. But my understanding is your metrics in the space that you’re in are a little bit broader than what we’re seeing and what we’re relied upon for basic threat hunting and things of that nature. So I’m glad that you tied it into the areas that you saw.

Steve Hahn: Yeah, if I could make a point on cities too, that’s a great observation. Yeah, cities without question, every week we’re seeing new cities hit. And when they get hit, they often have to declare a state of emergency because 911 services go down. They literally can’t deploy, help aid police to the scene because their 911 services are inoperable.

We’ve seen court cases with violent felons. All of that data has been locked up. It’s been encrypted and their infrastructure is down.

Steve Haley: Yeah, it was extremely impactful for Fulton County, Georgia. I think that event is still going on in some instances where not all agencies are up and running as they were prior to the attack. And it’s been a few months now.

Steve Hahn: Yeah, that one got a lot of press. But I’ll tell you, there is one just about every week. The city of Dallas was hit not too long ago. They’re one of our great customers now that we can reference. A lot of folks come to us kind of after the fact, unfortunately. But we would have contained that event most certainly.

We saw the city of Oakland had to declare a state of emergency after they were hit. They had systems down for almost six months. You literally had to call a switchboard; that is how they switched it over to get emergency services. But even aid to the needy people in those counties is impacted.

So again, loss of life is a good one. They know that they’ll get the payments if they hit certain sectors. And also the black eye that it gives the United States. If they can take down the government, they can take down them. Then they’re better than us.

Jordan Eisner: Yeah, I think that’s a good overview. There’s some current events in there, kind of current state of things, some of the why, when.

What about patterns, right? What are the similarities you’re seeing in the attacks or the organization behind them? BullWall Steve, that might be more so for you. This is about 100% of what you guys do. You probably have a lot of knowledge on this.

What do you see in there?

Steve Hahn: I absolutely do. We’re brought into hundreds and hundreds and hundreds of post-event companies. So they’ve been hit by ransomware and we come in.

And frankly, we’re in with thousands of customers already. And every year we contain hundreds and hundreds of ransomware events. We contain them within milliseconds. So only a few files were impacted, but we can see the techniques that the threat actor used.

So even if you’re not going to use our tools, just know that 95% of all attacks are using a command and control element. So they’re coming into your organization. They’re getting low level credentials. That could be a phishing email, could be some sort of social engineering, but they get Bob in Accounting’s credentials.

Once they have those, they use Mimikatz or Cobalt Strike, these red team tools, to extract admin credentials.

Now, this is all leading up to their attack. They don’t just throw ransomware at your endpoints. They come in and slowly circumvent your security controls. Again, that’s 95% of the attacks we’ve seen, and Sophos had a very similar statistic of about 95% that they’ve seen as well.

So they get the admin credentials. Once they have admin credentials, they RDP into servers. Most servers, believe it or not, do not have MFA to every session. They then shut down all your security products. Maybe they spin up their own VM, and they launch their ransomware payload from that fresh VM that has no security on it, or they whitelist their application.

Now, even if you say, OK, yeah, but I have MFA to every server every session, they have ways around it. There are lots of ways from SIM swapping where they can get your phone routed over to theirs, keyboard capture, keyboard logging. But also, they don’t even need to RDP in. Therefore, they won’t get an MFA challenge. If they have admin credentials, they will simply use scheduled task managers and hijack some of those tasks to then deploy their payload to shut down your security products, maybe take out your ESXi layer prior to their attack to really disable you and your ability to respond. And then they launch their attack.

And this is prescribed in a workflow by the ransomware as a service providers like BlackCat. So this is exactly, they say, OK, I’m going to use ransomware as a service for BlackCat. They give you the payload. They give you the workflow. And this is that workflow. This is precisely how they get in and do it. And this is why we’ve seen such an explosion in their success rate. You may think you can stop it, but if your tools aren’t up and running, you can’t stop anything. So that’s their goal is to shut down those products.

Steve Haley: What we’re seeing, Jordan, before you go to the next question, but what we’re seeing also is they’ll lay dormant once they’re in for a long time. You may get on their trail for just a little bit, and then they’ll just go dormant. They’ll stay there. They’ll wait for the coast to be clear. And they’re opportunistic. So they’ll strike when least expecting.

Steve Hahn: I’ll expand on that, too. Absolutely. I agree with that.

It’s not like they’re just emailing you a ransomware link and you’re hitting it. That’s not how they do it. They really are coming in and being very quiet, very dormant for a while as they slowly and methodically lay their traps.

And even they use scheduled task managers so much these days because they can hijack any process that you have that you have scheduled to your servers. They may include software that you push to those servers. Well, they just replace that software with their software. So you never even can detect that one of your scheduled tasks has been changed. You can’t see that one’s been added. They simply just changed one. And they’re also deleting their trail through those scheduled task managers every time they do something that deletes the previous incident of that. So it’s very hard to detect.

And one of the things that we’re seeing in the trends, I think everyone’s kind of sick of maybe hearing about AI, but you have to be ready for it. In the old days, there were two types of phishing attacks. There was spear phishing where somebody would sit and really plot their email to you. They would research your LinkedIn and craft a very careful message where they’re impersonating somebody you interact with.

And then there was commodity phishing or bulk phishing where it just goes out. It’s just spam. It’s the same Nigerian kind of letter that you see to 100 different people. It’s from known bad infrastructure, super easy to stop. Now the benefit of the commodity ones is I can send a million of them. The benefit of the spear phishing is it has a much higher success rate.

Well, AI can do the spear phishing for them at the scale of the commodity. So I can use my AI tools to gather all the information I need on a recipient, craft a human sounding email to them that is coming from not known bad infrastructure. So no two emails are even alike, which is another way we pick up on phishing campaigns. So now you get at-scale spear phishing attacks in the millions that can hit your company. We’re just at the tip of that iceberg and it’s going to explode ransomware to another level if we’re not careful.

Steve Haley: It’s a huge concern out there as far as the sheer volume that they can turn and overwhelm the defenses of an organization. It is very concerning the AI component when it comes to cyber security as well.

Jordan Eisner: Every time I hear this stuff, I just get more and more nervous.

Steve Haley: You’re going to unplug your internet now, Jordan?

Jordan Eisner: Sometimes I feel like it, Steve. Sometimes I feel like it. Go off the grid, right? But then of course I would starve because I don’t have any skills.

You talk about loss of life, right? I think a lot of times it’s going to be something indirectly or directly tied with the healthcare industry. A lot of times, not always. Government sector being targeted.

What are some other top targets that we’re seeing for ransomware attacks in the industry? Maybe it’s just anything and everything. Maybe there are some additions beyond that.

Steve Hahn: Other than the ones we talked about, another big one is schools. Their primary mission is educating students. That’s where most of the budget is supposed to go. They don’t have the people. A lot of them have just one or two IT people for thousands and thousands of devices that they’re trying to secure and manage.

The threat actors used to say sick people and kids are off limits. We’re not going to target those kinds of companies or organizations. Now since the Ukraine War, we’ve seen all bets are off. They’ll go after the hospitals to shut them down and go after schools.

The thing that’s really… I don’t want to use the word frightening. I guess I just find it disturbing is what they’re doing with schools. They’ll go in and, of course, encrypt all the data, but they’ll also exfiltrate all the data on the students. It could be everything from a kid’s school records to their grades to the medications they take to their sexual orientation or identity or whatever the school has. That could be incredibly harmful for that child’s psychology or just their wellbeing if it was leaked. They’ll start leaking that stuff unless the school pays up.

As a parent of two children myself, that is something that we actively want to prevent. As a matter of fact, we treat schools with our most preferential pricing because it is the softest and most sensitive of targets.

Steve Haley: I have some knowledge in this area as well as the husband of a special education teacher. I see it every day. They struggle with training. There’s a lot of staff that have to be trained. They’re focusing on trying to teach their students and not a lot of them are technologists. There’s something different and that’s what we want from them. However, I’m glad you brought up the school threat because we are seeing upticks on that as well.

Jordan Eisner: Good to know. Well, I guess diving further then into the government and healthcare awards, any further impacts? I think you’ve called out a lot of it even just in what we’ve talked about here, but anything additional you would add on those industries for our listeners, especially if they’re in those?

Steve Hahn: We’ve seen the other effects in the healthcare space. We saw the most consequential or most important, most financially devastating attack recently was on United Healthcare. Again, in the healthcare industry. Most folks don’t realize this, but it wasn’t on United Healthcare, the parent organization. If it was, it would have been far more devastating. It was actually on just one small little group, just a few hundred employees is how I understand it, but it’s the Change group. Even that impact cost them billions of dollars, literally billions.

They paid out billions to their downstream healthcare facilities because those healthcare facilities couldn’t bill for medication as they relied on Change Healthcare for that. The hospitals were literally at risk of going bankrupt overnight because of this. Some of them have actually filed for bankruptcy because of this. United Healthcare had to put out billions of dollars to these organizations as they tried to right the ship and get prescriptions flowing, but also prescriptions are life-saving.

We don’t know since the proxy war with Ukraine between essentially the West and Russia, we don’t know how many people have died as a result of their attacks, but it’s in the thousands for sure. People aren’t getting their medications, hospitals down, blood transfusions and the like. That’s a massively impactful one.

The difficulty of securing a healthcare organization is probably the biggest challenge in the world in terms of all the industries. They have thousands and thousands of internet-connected devices that are attack vectors. They have doctors that use their own personal devices to access patient records, which I’m married to a doctor, so I see her and how she works and it’s necessary for them to do their job, but it also again provides an attack vector that IT can’t control. They don’t have endpoint security on her device. That’s another attack vector.

On top of that, they have the most sensitive records. When healthcare records get leaked, everything happens. There’s impersonation where people start refilling narcotics that are prescribed to a different person by impersonating them once they see those prescriptions. Healthcare records also provide just a wealth of information about that person, everything from their social security number to their height and weight and even things that they can blackmail patients on if they’re embarrassing medications that maybe are for some psychiatric purpose or frankly, we’ve even seen people that have had abortions that have been threatened or blackmailed.

They hit the parent organization, but they also go after the patients after they get those records. We’re seeing that’s maybe the softest target with the biggest attack surface out there.

Again, there’s a lot we can do about it. I know I’m saying a lot of things that maybe are alarming if you’re not too into this industry, but the good guys are doing a lot here too.

Jordan Eisner: I think that’s a perfect segue there because the next thing I was going to say is, all right, I think we made it clear. It’s not if, it’s when. There’s probably no way to completely eliminate the possibility of being a victim of a ransomware attack, but this is probably a good platform to talk more about BullWall. That was part of what we wanted to do on the podcast today. Prevention strategies. What do you guys recommend?

I know that your tool is a little different, that it’s not necessarily preventing it, but it’s responding, containing, responding, containing.

I know CompliancePoint Steve, you’re going to have some ideas from preventing it, but let’s start with BullWall Steve.

What are you guys recommending right even before your technology?

Steve Hahn: Yeah, I know every security system can be beaten. It’s just the nature of the game. Our solution is remarkably effective. We have thousands of customers. Our customers are successfully hit with ransomware in the hundreds per year, and we’ve contained every single one of those events to no more than 50 files being encrypted before our solution jumps into place.

We’re not the only tool that they should be looking at, but we are an incredibly unique tool. They can call Gartner and get Gartner’s recommendation on us. They recommend us highly. They’ll also tell you there’s no one doing anything like what we’re doing.

We came at it from a different angle. We said rather than trying to prevent these things, which is very easy to trick, if I’m an EDR, I have to look at the processes on an endpoint and see if those processes, which in a binary code way look very benign, are bad. It’s very hard to spot what is bad and what is good.

Beyond that, they really rely on signatures and things like that, so they’re doing their best, but they have to have seen that piece of malware before. There are thousands of new zero-day ransomware attacks they haven’t seen that hit these environments very rapidly. They’re all doing really good stuff, but we need to do a lot more.

With our tool, what we say is forget the endpoint. That’s not what they’re after. They encrypt one of your endpoints. They’re not getting a ransom.

What are they really after? They’re after the file shares. They’re after your database servers, even taking down things like your domain controllers. We don’t live on the endpoint. We don’t have an agent on the endpoint. We have nothing on the endpoint whatsoever. We live on a server in the customer’s environment. That server can be physical or virtual, but they control it.

There’s not even a cloud services element. We don’t deliver our service from the cloud. It’s all contained within a server that they own in their environment. Doesn’t even need an internet connection out. What we do is we’re monitoring the file shares. When I say file shares, I mean every file share. O365, OneDrive, G Drive, SharePoint, your on-prem file shares as well.

But we’re monitoring those, and we’re monitoring specifically the SMB traffic on those. SMB traffic is essentially file event notifications. Anytime a file is added, changed, removed, deleted, encrypted, any type of event at those file shares kicks off a file event notification first before that activity even begins.

We have read-only access to those file shares, so we can see those SMB event notifications. When those events that are coming in are indicative of a ransomware attack, we spring into action with a PowerShell script that remotely force-shuts down the device that’s doing the encrypting, because the file event notification tells us what device, what user, what file share they’re accessing. We shut down that device.

We also send a command to the EDR product that’s on there, the endpoint agent, so CrowdStrike, SentinelOne, whatever. We send a command to isolate that system as well, and then we also disable that user in Active Directory. Their connection is severed. They can no longer log in.

Now, their machine that they began the encryption event from isn’t going to be encrypted and will need to be restored. But the file shares themselves, very few files, if any, will ever be encrypted before we spring into action. We can spot it quick.

If you think about it, it’s pretty easy to spot a ransomware event versus normal file activity. Humans don’t encrypt 50,000 files per minute.

Steve Haley: No, they do not.

Steve Hahn: Humans don’t start encrypting at the top of file structures and the bottom and work their way to the middle. That’s not human behavior. They don’t leave ransomware notes. We can detect a ransomware event just on the thousands of ransomware notes that they have to leave, so you know how to pay them. They have to leave you ransomware notes. They don’t change extensions to .lockbit thousands at a time.

There’s lots and lots of ways to tell when encryption is happening at your file shares. But historically, security always looked at that as, well, we’re prevention, we’re prevention, we’re prevention. We’ve got to stop it before it happens. We said, yeah, but you’re not. You’re not going to stop it before it happens. It’s still going to happen very small percentage of the time. So could we contain it rapidly? The answer is, yeah, you can.

Steve Haley: Yeah, I think, yeah, I’m going to chime in here for a minute or two. I think that BullWall is a great tool in the repertoire of tools that are required for a defense in-depth program that most organizations should be employing.

You’ve got your, and I know you’re not an endpoint type of component, but I want our audience to understand that to defense in depth, there are good best practices that still need to be adhered to.

Make sure you’re doing EDR, XDR, whatever your organization selects. Make sure you’re doing your due diligence on vetting those vendors. Third-party risk management, supplier risk management, very important in one facet of that defense. Continue with the testing of your incident response plans at minimum yearly. It is a cost-effective way to ensure that your team knows how to react when that happens.

Make sure that you have a good backup solution and encrypted backups. They’re stored in a different physical or logical location than AWS. If you’ve got AWS, put it in a different region. If you’ve got Azure, put it in a different region. If you’re physical, put it up there or copy off-site. Those are still good protective measures.

Steve Hahn: Even air gap them if you can, those backups, because if they get admin credentials, which is what they do before their attack, they’re going after your backups too.

Steve Haley: That’s right. Any way that they can disrupt you to make you have to pay that ransom.

Again, it’s a great complement to a lot of the best practices that organizations should look to instill in a defense in depth program.

But again, being able to have a product like yours to quickly stop the encryptions, a human just can’t get there that quickly. That is really the risk that remains out there.

Steve Hahn: Yeah, that’s such a good point. Defense in depth is absolutely crucial. One technique may help them circumnavigate your email gateway or down the line, there are all these ways, but they have to have a different technique for every layer of security that you have.

What we provide is an entirely new layer that looks a lot like how an EDR protects an endpoint. We’re doing that same type of thing. Instead of endpoint detection and response, we’re looking at the file shares and then detecting and responding within milliseconds. All of those other things are crucially important.

On top of what you mentioned there, Steve, I’d also say make sure you have MFA to every single server, every single session. It’s so critical. Don’t rely on single sign-on, don’t rely on jump servers in my opinion, but have it direct from the server to the machine being authenticated. Hugely important.

Make sure that those single sign-ons say, okay, you’re in, you’re trusted. You have to move to a zero-trust network architecture at some point as well. Again, that’s not a silver bullet, but those are a couple of really strong things you can do right out of the gate.

Also micro-segmentation. If you have these types of events, micro-segmentation is going to reduce your blast radius on anything and limit the amount of impact.

Steve, one thing you said that I love, and not enough companies do, is that you have to treat it as “what happens if.” You can’t just say, oh, we’re good, bury our head in the sand. We have to say what happens if. What happens if this fails, this fails, this fails?

Even let’s say you don’t have our solution or even if you do, you should plan on what happens if we’re hit with ransomware. Those tabletop exercises you mentioned are so important to know how legal is going to respond and marketing and engineering. Everyone has to know how they respond to message to customers and to the media and to legislative bodies and how you quickly react and recover as a business.

Steve Haley: Yeah, and I would go on to say that the business’s reputation is at stake when these events happen. Unfortunately, statistics prove that not only is it costly, but a lot of businesses do not recover from a very substantial ransomware attack.

Steve Hahn: That’s right. Even if you pay the ransom, let’s say, you often don’t get it all back; the average is about 78% of your data. Some of it’s just going to be corrupt and lost.

Steve Haley: That’s a good point. I don’t think people realize that you’re not getting it all back. You’re getting maybe snippets of it and some of the most critical data may not be retrievable.

Steve Hahn: Yeah, even with backups, right? You have to understand, well, I got backups, well, yeah, it’s going to take you a long time to recover from backups to get your business up and running. Don’t rely on that as a single strategy.

Steve Haley: When I was the director of infrastructure of technical operations for our parent company, every time somebody asked for a restore, I can tell you my stomach hurt.

We would test them quarterly, but when you really need it, do you trust it?

Steve Hahn: Yeah, and even recovering from backups, you’re going to lose a lot of data and you’re going to have downtime. It’s not ideal. Of course, you absolutely need it. I’m not discounting that, but you do want to try to contain it really fast too so you don’t have to go to backups.

I look at our solution as a sprinkler in your house. The second a fire starts, it shuts it down. Your backups are quick blueprints to rebuild the house, but you are rebuilding the house. You need all of those things.

Even when you’re air gapped, you’re missing lots of data in between when the data is created and then when you actually close the air gap and start backing up the files. You’re always going to miss a little bit of data. It’s not a solution you can rely on.

Jordan Eisner: Well, guys, I think you’ve given our listeners quite a bit. There’s a wealth of knowledge here on both sides, and I think this is a good opportunity actually to inform our listeners how they can get a hold of you. If they’re regularly listening to CompliancePointers, they know how to get a hold of most of us at CompliancePoint, but we’ll reiterate that issue. But BullWall Steve, you first.

How can somebody get in touch with you? How can somebody see more and learn more about BullWall?

Steve Hahn: Yeah, first, through CompliancePoint is going to be the best way to reach us. I have a team of people all across the country in just every region that are there to assist. But also, you can email me directly. My simple email is sh@BullWall.com. I’ll connect you to the right person on my team.

But I’ll just say, I’m really passionate about this. Ex-military guy, I kind of see this as nation state and kind of still part of a bigger war, maybe cyber warfare, but it’s still warfare. I’m really interested in helping companies increase their security posture on this outside of just our solution. So if there’s any kind of expertise that I can help bring, any questions they have, even outside of our products, I’m happy to help.

Jordan Eisner: And you’re on LinkedIn as well, I’m sure, right, if people want to reach out to you there.

Steve Hahn: I absolutely am. Yes, Steven M. Hahn is the name there.

Steve Haley: Wow, we have the exact same initials. I’m Steven M. Haley.

Jordan Eisner: And we’re just discovering this now.

Steve Haley: And we’re both veterans. So, you know, and we both take that, you know, what we do passionately, right?

You know, it’s that cloak and dagger game. You know, Steve takes it from a different perspective. You know, I’m trying to, you know, help organizations either implement, you know, secure security programs or mature their current security programs, you know, mitigate risk throughout the organization and allow and actually help them understand the why they do certain things.

I think, you know, not a lot of people, you know, always understand why they’re clicking a button or why they’re putting something in place.

So, you know, definitely enjoy our conversation today.

Jordan Eisner: You guys are cut from the same cloth. So both of your initials are S M H. Like shaking my head when somebody doesn’t have BullWall or someone doesn’t have proper cyber defense.

Steve Hahn: Good one.

Jordan Eisner: That’s a dad joke. I’m a dad of three now. So I’m getting ridiculed all the time by friends, family and coworkers about my stupid dad jokes. So I had to throw that out there.

Steve Haley: You could be a Geico commercial soon.

Jordan Eisner: Oh, geez. That’s getting bad.

Well, thank you guys so much for joining. We’ll probably have to do this again sometime in the future.

It’s been great having you on for our listeners.

You know how to get a hold of him, and for us at CompliancePoint, we are both on LinkedIn, CompliancePoint Steve and myself. You can email us directly at connect@CompliancePoint.com. Our website is a great resource for a lot of content, published blogs, articles, webinars, podcasts, you name it. Follow us on LinkedIn. Follow us anywhere.

And keep listening to these and subscribe and tell your friends. Until next time, everyone.
