A Healthy Respect for Ransomware

March 16, 2020 • Monica Todros

Despite the cybersecurity industry’s best efforts, ransomware continues to affect individuals and organizations of just about every shape and size — from mom-and-pop shops, to global organizations, and even municipalities. As the developers of ransomware continue to bring in their ill-gotten gains, they’ve invested in infrastructure and customer service to keep it easy to deploy their wares and collect their loot.

Lorne Hazlewood is a senior information security analyst at BKD LLP. He joins us to share his insights on ransomware, where he thinks it’s headed, and what we all can do to best protect ourselves against it.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 150 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Despite the cybersecurity industry’s best efforts, ransomware continues to affect individuals and organizations of just about every shape and size — from mom-and-pop shops, to global organizations, and even municipalities. As the developers of ransomware continue to bring in their ill-gotten gains, they’ve invested in infrastructure and customer service to keep it easy to deploy their wares and collect their loot.

Lorne Hazlewood is a senior information security analyst at BKD LLP. He joins us to share his insights on ransomware, where he thinks it’s headed, and what we all can do to best protect ourselves against it. Stay with us.

Lorne Hazlewood:

I started out as almost every IT guy does — in philosophy. From there, no, I started working for my college in their IT department and during our time the library was hit by a bad actor, who utilized our computers to attack Russian missile silos.

I’m pretty sure that we weren’t the favorite department on campus for a while, and that really catapulted me into looking at security and asking, “How does something like this happen?” So I started pursuing the more intellectual aspects of IT, how does data move, where does it move, and why is someone using my computer to attack Russia?

Dave Bittner:

Now, were you someone who had an interest in all things tech from a young age?

Lorne Hazlewood:

Probably from the time I was about 13, 14, when I took apart the family TV.

Dave Bittner:

Yeah. I did the same thing. I always just hoped that I wouldn’t end up with leftover screws or parts when I was done putting it back together and then it would still work.

Lorne Hazlewood:

Absolutely. I find a great motivator is when your father walks in and says, “My show’s on at 7:00.”

Dave Bittner:

Right, right, yeah. That’ll do it.

Lorne Hazlewood:

Absolutely.

Dave Bittner:

After school and that experience at the library, where did you go next?

Lorne Hazlewood:

Next, I bounced around quite a bit. I never really found my niche, as it were. I was a general IT technician doing everything from crawling under desks to crawling through ceilings, running cable, standing up servers for small businesses and just anything to fill the gaps. I even spent time as the technical manager at Chuck E. Cheese fixing their games, but-

Dave Bittner:

That’s interesting.

Lorne Hazlewood:

It wasn’t until I started working at a hospital back where I grew up that security became a driving goal.

Dave Bittner:

In what era would this have been? I mean, where were we in terms of the broader journey and engagement with security? Was it the early days, and how far along were we then?

Lorne Hazlewood:

This would have been back in 2010. I had dealt with great things, like the Melissa virus or Anna Kournikova virus, which is always a fun call when the CEO says, “I’ve got a problem.”

But about 2010, I really set my sights on becoming a security professional. Unfortunately, where I worked security was something that you only did if regulated by compliance, such as HIPAA, or you were forced to by other regulatory bodies or to get clients.

Dave Bittner:

Now, describe to me, I mean, your background in philosophy and your interest in security, what is the overlap there? I would imagine that the experience you have learning about philosophy, there must be some good useful crossover there.

Lorne Hazlewood:

Mostly, philosophy taught me how to look at things from different angles, to consider other people’s hypotheses or to wrap my mind around how someone else would come at an issue. So in philosophy, we are taught to build a logical argument and make it as bulletproof as possible, much like we think of security. Many of my peers in philosophy would present their ideas without considering the counterpoints, or how someone who disagreed with them might attack their argument.

What improved my philosophy scores is the same thing that improves my look at security, I take my hypothesis and then I pivot and say, “How would someone who disagrees with me attack my argument?” In the world of cybersecurity, I believe my business, my enterprise to be secure. How would I go about attacking my network? How would I go about phishing my employees? So it’s really those mental gymnastics that I think philosophy plays a critical role in my ability to do my job.

Dave Bittner:

Yeah. That’s a really interesting insight. I mean, I think particularly on the security side of things, when we’re dealing with so much technology and ones and zeros and so on and so forth, it’s easy to overlook or discount the human side of things. But from your point of view, that’s not a good path.

Lorne Hazlewood:

Absolutely. One of the things that I think the entire security realm is coming to understand is, no matter what the technical advantage of your adversary is, at the end of the day, there’s a human sitting behind every keyboard, every attack, every phishing email, and it’s their motivations and their thought processes that allow you to trip them up or to prevent them.

Dave Bittner:

What is your day-to-day like now, the work that you’re doing these days?

Lorne Hazlewood:

My primary duties revolve around incident response and threat intelligence, and really operationalizing those to improve our defenses or streamline where we look during an incident or how we respond.

Dave Bittner:

What is your take on threat intelligence from a broad point of view, what part do you think it plays in your defenses?

Lorne Hazlewood:

Broadly speaking, it’s hard to fit threat intelligence into the mindset of your average IT workspace until you see the payoff. I personally think that threat intelligence can inform everything from operations to planning and every facet within.

Dave Bittner:

How does that play out from a practical point of view, and drilling down to the specific, how do you implement it?

Lorne Hazlewood:

For me and my company, what we look at when we think of threat intelligence is, what can we take action on to improve our defensive stance? In our research and drawing out that intelligence, I’ll look at where we deploy our servers, how those servers communicate, how our known attackers from a historical standpoint have tried to pivot through our environment, and we’ll build in safeguards that allow us to detect our known attackers and make sure we have all of our hygiene questions answered. From there, we will set up specific monitoring around data types or actors that we know have moved in towards the goal.

While we’re planning out our deployment of a new server or our new solutions or systems, we like to take a look at all of our attackers’ previous history and make sure that whatever controls we have in place answer those tactics, techniques, and procedures before moving on to additional controls and making sure all of our hygiene steps have been taken, such as the low hanging fruit, like antivirus and access control that we tend to get busy and forget about. We try and make that specific to the system and our historical attackers.

Dave Bittner:

You mentioned incident response and I’m curious for your insights on preparing for incident response ahead of time. In other words, the work that an organization can do ahead of time for when the inevitable incident occurs and you’re in an incident response mode. What are the things you can do ahead of time so that when that time comes, you’re as prepared as you can possibly be?

Lorne Hazlewood:

Everyone will tell you that you need an incident response plan, and that is absolutely true, but to inform that incident response plan, you have to look historically at your environment. We get logs from our firewalls, from our email gateways, from our endpoints and servers, and that all sits on a shelf until we need it for an incident. But odds are you’ve had near incidents in your environment, attacks on your firewall that are more than just some script kiddie scanning you, email attacks that have come to your environment that you can start building a profile of your attacker. Once you have that profile, you can then begin planning an incident response for what you know is most likely to occur, rather than some abstract thought about your favorite nation-state breaking into your cloud environment and ruining your day.

Dave Bittner:

Yeah, that’s interesting. You can see how people are coming at you and build your responsive tool set based on that.

Lorne Hazlewood:

Absolutely. Once you have what you know is attacking you handled, or what you believe to be handled as best you can, you can start tackling those more edge cases.

Dave Bittner:

I want to switch gears a little bit and talk about ransomware. I know that’s an area of interest for you. I think for a lot of folks, they were surprised to see ransomware maintain its popularity. I think there was a notion that perhaps we were going to switch to cryptomining and that sort of thing. But it seems as though if anything, the pace of ransomware has increased.

Lorne Hazlewood:

I began my love of ransomware in 2016, which was a great time to love ransomware. It’s actually what got me my position at BKD, but ransomware to me has always been on the forefront of improvements. Their software development life cycle is amazing. If you look at the major actors, like GandCrab before they release the private keys, you had this thriving ecosystem around them, around their distribution and help centers to get your ransom paid. Ransomware, since it started paying off, has constantly been improving. If you look at the flip side to cryptomining, cryptomining had a hard limit.

The pace of your average user, who would click on your link and install cryptomining software, wasn’t the high-end user with a discrete GPU in their laptop. They were grandma, surfing around for cat pictures and pictures of their grandchildren. So you had a hard hardware limit on how effective you could be, and even if you got a million machines, you’re still not competing with the major cryptomining enterprises. Ransomware, on the other hand, if you get lucky and you get one computer in a, I don’t know, local government and can spread across and start impacting billing or the way the city works, they’re more likely to pay. The upper limit is, how much?

Dave Bittner:

Where do you suppose we’re going to see ransomware going? Where are the areas where you see the people who create that are going to make improvements to their own abilities, and then also, how are we going to fight it?

Lorne Hazlewood:

That’s a really great question and a tough one. Right now, ransomware as it exists is very profitable and there’s a low barrier to entry and, to be honest, probably not a high risk if you’re completely truthful with yourself. We don’t tend to catch most of these ransomware authors, so I think it’ll hit its stride in the space it’s in currently.

But as far as improvements, I can see ransomware branching out to mobile devices more. If you look at our day-to-day, we tend to rely more and more on our phones. I left my phone at home one day this week, had to turn around and get it because we use MFA almost everywhere, so I can’t log in, I can’t do anything without my phone. If someone encrypts that, I’m out of business. I can’t respond to incidents, I can’t do anything. More and more of us are going to soft cards on our phone for payment, so I really think that if you want a steady payout, you’ll move to the mobile area.

As far as fighting or responding to ransomware, patching is always going to be number one, because we can’t get our users trained to not click on anything or we shut down the internet. Beyond that, we’ve got to train them how to notice little clues or to just think through a few more seconds than, “I need to get this document from someone I’ve not spoken to in 18 years immediately.”

Beyond that, backups are nice, but more and more you’re seeing ransomwares that will go out to your network backup or you’ll not have checked your backup tapes and they’ll be worthless. I would also add in that personally, if there’s something I can’t lose, I’ll password-protect it because most ransomware will ignore a file it can’t access. So if I slap even a simple password on it, the ransomware skips that file and it’s saved a couple of friends from losing their taxes or the files they can’t reproduce.

Dave Bittner:

Now, what is your advice for folks who are considering a career in cybersecurity? I’m thinking of that student who’s coming up or maybe somebody considering a career change, what sort of tips would you have for them?

Lorne Hazlewood:

The biggest tip that I have is, set up a home lab. If you’re really interested in cybersecurity, the best way to get experience, since most companies aren’t going to hire you with little to no keyboard experience, is to set up a lab. VMs are cheap. You can throw it in AWS, Azure, Google, whatever cloud hosting provider you want to use and just play with it. See how the data moves, see what it’d take for you to attack that environment. But even more importantly, see what it’d take for you to defend that environment. Additionally, anytime you can get a mentor in the space that you want to be in, it is invaluable. A mentor can help shape where you want to be and help you sidestep those pitfalls that we all encounter along our journeys.

Dave Bittner:

Our thanks to Lorne Hazlewood for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.

