Ransomware Concept

Spotlight: When Ransomware Comes Calling

In this Spotlight Podcast, Pondurance Manager of Incident Response Max Henderson joins me to talk about the ongoing ransomware epidemic and some of the emerging trends in ransomware attacks. We also talk about and what companies get right- and wrong in their response. Max gives us some tips about how best to respond to ransomware threats and attacks.

Max Henderson is the Manager of Incident Response at Pondurance

As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and Spotify. Or, check us out on Google PodcastsStitcherRadio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted. 


Ransomware attacks have become a mainstay of the cyber threat landscape -and among the most dreaded forms of cyber crime. While exact numbers are hard to come by, large scale studies of companies found that more than a third had been hit by ransomware in the past year, with the retail, government and education sectors particularly hard hit.

With the attention given to the threats posed by ransomware, why do organizations still fall victim to these attacks? There are many contributing factors, but one of the most important is the shortage of cyber security talent in the trenches of modern organizations. Without properly trained personnel, organizations are missing the early signs of a compromise that might otherwise allow them to cut short a malicious campaign. And even when internal teams do get wind of a cyber attack in process, a lack of experience can hamper their response: tipping off attackers in ways that worsen the damage and disruption they cause or allow them to cover their tracks, denying victims a full understanding of the scope of the incident.

Getting Incident Response Right

So what should companies worried about ransomware do? In this episode of the podcast we’re joined by Max Henderson, the Manager of Incident Response at the endpoint detection and response firm Pondurance. Max is a seasoned cyber security and incident response professional who has led hundreds of investigations including complete network, cloud, and Active Directory compromises of entities with annual revenues in the multi-billion dollar range. Hiss investigations and presentations have been featured on CBS 60 Minutes, National Infragard, and International ISSA conferences.


Disclosure: This podcast and blog post were sponsored by Pondurance. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.


Episode Transcript

[START OF RECORDING]

PAUL: This episode of the Security Ledger podcast is sponsored by Pondurance. Pondurance delivers world class managed detection and response services to industries facing today’s most pressing and dynamic cybersecurity challenges, including ransomware, complex compliance requirements and digital transformation accelerated by a distributed workforce. Pondurance experts include seasoned security operations analysts, digital forensics, and incident response professionals, and compliance and security strategists who provide always on services to customers seeking broader visibility, faster response and containment, and more unified risk management for their organizations. To learn more, visit them at pondurance.com, that’s P-O-N-D-U-R-A-N-C-E dot com.

PAUL: Hello, and welcome to the Security Ledger Podcast. I’m your host, Paul Roberts, Editor in Chief at the Security Ledger. In this spotlight edition of the podcast sponsored by Pondurance…

MAX: And if you make the mistake of letting the threat actor know that you’re on to them, they’re going to start to have their knee jerk reactions, and they’re going to quickly escalate their attack. So if you think about their goal is to encrypt systems with ransomware or to exfiltrate data, you may speed them up in that process.

PAUL: Ransomware attacks have become a mainstay of the cyber threat landscape and among the most dreaded forms of cyber crime. While exact numbers are hard to come by, a recent large scale survey found that more than a third of companies had been hit by ransomware in the past year, with the retail, government, and education sectors particularly hard hit. But with all the attention that’s been given to the threat posed by ransomware, why do organizations still fall victim to these attacks? There are many contributing factors, but one of the most important is the shortage of cybersecurity talent in the trenches of modern organizations. Without properly trained personnel, organizations are missing the early signs of a compromise that might otherwise allow them to cut short a malicious campaign. And even when internal teams do get wind of a cyber attack, that’s in process, a lack of experience and good guidance can hamper their response, maybe tipping off attackers in ways that worsen the damage and disruption they cause or allow them to cover their tracks, denying victims a full understanding of the scope of the incident. What should companies worried about ransomware do? In this episode of the podcast were joined by Max Henderson, the manager of Incident Response, at the endpoint, detection and response firm Pondurance. Max is a seasoned cybersecurity and incident response professional who has led hundreds of investigations, including complete network cloud and active directory compromises of entities with annual revenues in the multibillion dollar range. In this conversation, Max and I talk about some of the root causes of the current ransomware pandemic and why it is the company so often miss the tell tale signs of growing compromises within their environment. Finally, we talk about what companies should and shouldn’t do once they detect cyber incident in their environment.

MAX: Max Henderson, manager of Incident Response Pondurance.

PAUL: Max, for folks who aren’t familiar with Pondurance, tell us a little bit about what Pondurance does.

MAX: Sure. Pondurance is a full service security firm. So everything from manage detection response to business continuity compliance to incident response to pen testing, you name it. So I myself then within the incident response team of Pondurance.

PAUL: And could you tell us a little bit about what your role is at Pondurance? What do you do?

MAX: So I manage the incident response team. And our day to day consists of various investigations, ranging from ransomware to email compromises to insider threats. And generally, our focus is everything from how they got into a network and email what they may have accessed within that and the responsibilities to actually eradicate a threat actor from that situation.

PAUL: What are you guys seeing? A lot of what is the kind of state of play right now with your customers in terms of the threats they’re dealing with. Obviously, we read a lot about ransomware. Is ransomware really a big part of what you’re seeing? Or there are other trends that are maybe a little bit more under the radar.

MAX: Yes. Ransomware.

PAUL: Nope, it’s that big.

MAX: Yeah. I think, though, what’s changing is kind of the techniques that we see within it. So you talk about ransomware and it all gets clumped into this one group. But if you start to look at the different teams and organizations, the evil organizations that are doing this, you see a lot of different capabilities between them. Some are extremely advanced. And some are…

PAUL: Are we talking literally about REvil the group? Or you’re just referring to them. Generally, their business model is evil, which I agree.

MAX: Yeah. Well…

PAUL: And there’s evil corp.

MAX: Exactly. And it’s tough to track them because that’s the name under the hood. But over and over again, just new attributions saying, oh, no. This is just them again in a different form.

PAUL: So we’ve seen a Pivot, maybe in the last few years from kind of single function ransomware we come in and encrypt all your stuff and ransom it to kind of double extortion. They’re talking about where we steal your data and threaten to leak it on a dock site and we encrypt your data and hold it for ransom. And now I’m hearing about kind of triple extortion where they’re actually kind of going to your customers and threatening them. Or sometimes it refers to combining denial of service attacks with ransomware. Is that the type of stuff you guys are encountering as well?

MAX: Yeah. I’m glad you sewed in the DDoS part with the denial service and that’s one that we started to see in Q1 of this year, it’s kind of falling off a little bit. But the contacting, the reporters that’s definitely been going on, at least back to October, November of last year, there was one group who was really, really active in that Department. So the trend is shifting that way. Not every group necessarily is exhibiting all of that.

PAUL: We reporters are lazy bunch. We’re happy to have that kind of news drop into our laps, so that’s still ongoing, in other words?

MAX: Oh, it’s ongoing. It is amplifying you name it. And it just it brings a lot of issues about we talk about sensitive data, hippo TCI, you name it. And really the whole component of did they access this data or did the ransomware open files that’s now just so far gone with this focus on actually taking the data and actually posting the data, and it’s just nightmares from a regulatory standpoint.

PAUL: Ransomware is such a well established phenomena, and yet so many companies continue to fall victim to it. Why is that? I think what message? Either what message is the private sector or organizations not getting about preparedness and prevention or is this really… We had Josh Corman on from CISA, he talks a lot about kind of the security poverty line, that many companies just don’t have the resources and the talent on staff to really be able to keep these types of pretty sophisticated cyber criminal groups at bay.

MAX: There are so many contributing factors. You talk about not having the actual products in place, to not having the people to monitor those products, to having the people, but not having the 24/7 coverage to monitor that it could be that you have the products, you’re not looking at it, or it could be that you just don’t have the proper configurations and hardening in place for the environment. There’s just so many different contributing factors.

PAUL: So you’ve got the technology, you got the staff, you just haven’t deployed it, right?

MAX: Or you may have even deployed it, right. You’re not monitoring it right with that staff, or it’s just such an advanced and fast moving attack. It’s really difficult and you could catch it and you just catch it too late and you don’t properly respond to it and contain it in the right way and that you escalate that attack and make it worse even though you caught it rather early.

PAUL: So we tend to read about the victims of ransomware attacks for obvious reasons. Their name is being thrown around up there. But obviously many ransomware attacks are spotted and thwarted, including by Pondurance. So for the attacks that you are able to detect and stop, what are some of the signals that are useful to you in preventing these outbreaks?

MAX: Yeah, I think you have to look at security in kind of two measures. Number one, on the automated front and kind of within that hardening the environment, so making it difficult to get in. I think that that’s pretty straightforward. Where it gets a little more difficult is on the detection side of things, and a lot of people can detect an attack, but at what stage can you detect it? And how can you apply context to that detection? One common mistake that I see people make is that you watch your antivirus, you watch your EDR solution, your endpoint detection and response, and you say, oh, great. This quarantine something. It prevented something fantastic. It did its job. Now I’m going to go back to my day. And what they don’t do is they don’t apply context to what that actually saw. You may only see the tip of the iceberg of that attack, and you are not properly containing it, scoping it and realizing how much bigger that scenario is and not much longer, you’re probably going to have ransomware and exfiltration and you name it present on the environment.

PAUL: You’re listening to a spotlight edition of the Security Ledger podcast sponsored by Pondurance.

PAUL: So you talk a lot about both full long term and short term changes that you see in the ransomware space, sort of like strategy and tactics and short term tactical changes. What are you seeing there in terms of how ransomware groups are behaving once they’ve got a foothold within organizations to kind of expand their reach, move laterally and stuff like that?

MAX: Traditionally, when we used to see them bring in these very blatant tools, Mimi Cats, for example, it was very easy for antiviruses, EDRs to get a quick win there. And just because it’s such a low false positive ratio for them, and as they’ve shifted into these new modern techniques, you start getting into the living off the land where these files that are already present within windows, they have legitimate functionality. They have to operate for Windows to run correctly. And when you start to abuse those tools, you start moving beyond that. Okay. This is 95% malicious. You start moving into that 50/50 range. And so for these EDR endpoint detection response systems, they have to alert on it, but not always prevent it. And so being able to rapidly spot that and apply that context is really critical. I think short term, though, especially when you respond to that type of scenario we’re talking about not the way that the actor has access into the environment. And if you make the mistake of letting the threat actor know that you’re on to them, if you tip off your hand that you’re responding to them, they’re going to start to have their knee jerk reactions, and they’re going to quickly escalate their attack. So that would be kind of a short term escalation rather. So if you think about their goal is to encrypt systems with ransomware or to exfiltrate data, you may speed them up in that process. They may say, okay, I fear that somebody’s on to me right now. Let’s just encrypt what I can now or let’s just take this data now. On the contrary, they could just lay low and they could just diversify how they’re present and just goes silent. And now you don’t know how to find them.

PAUL: And strategically longer term, what are some of the changes that you’re seeing?

MAX: Sure, so I think long term kind of the evolution. If we think about how these groups are made out, these ransomware groups. The person who’s moving throughout the network is probably not the person who had the mental capacity to create the ransomware itself. Right? The actual author of that code. We know that because we’re starting to see these playbooks released. Somebody, a very talented group of individuals has created this repeatable process and they’re passing it off the people who may not already know those techniques. So the evolution of that is we see originally network shifted from physical to virtual machines. Now we see these playbooks starting to update until these recruits rather how to get into these virtual machines, we see it tell them how to get into Microsoft 365. So as we update long term into new Windows operating systems into the cloud, we’re seeing this select group of individuals start to document these procedures and processes and be able to provide that out for repeatable processes for those to follow.

PAUL: Sure. And I mean, we’ve seen attacks recently like Cosmos DB. I mean, it seems like you’re starting to see a real focus on some of these common components of these cloud environments. Hack once steal many type model. I guess so. Obviously, there have been a bunch of big stories recently related to kind of third party attacks, Solar Winds, and then the Kaseya attack as well. Do you hear this from your customers as well? And what is your advice to them if they’re worried about that type of supply chain attack in Kaseya, a managed service provider? A managed security service provider, was themselves a provider to manage service providers. So that poses a real risk to their downstream customers because it’s technology that their supplier relies on. What can you really do about that type of risk? Given that, as you said, bad actors are going to start looking at some of the pillars of these cloud environments to target.

MAX: It’s not good. If you look at all the different ways that these ransomware actors are getting into an environment. If you look at email, for example, when you click on an email and you infect that one system, you usually have this process of escalating privileges and then learning the network and moving throughout it. When you do a supply chain where that software is deployed throughout the environment already and probably has system level privileges on every system that it’s on, you take away that whole need that whole process. So instead of weeks long of learning the environment and escalating privileges and remaining stealthy, you can just execute straight through it. If you take over EDR solution endpoint detection response, you are the antivirus. You can log into the cloud, some of those you can execute through, so there’s no need to bypass and disable when you already have those privileges and you can just pull it off right away.

PAUL: What would your advice be for organizations that say we want to get in front of these? You want to get out of the sort of reactive mode we want to start getting in front of these threats. What would your advice be? Obviously, as you’re saying, just simply move everything to the cloud is not, is too simplistic and doesn’t necessarily solve your security problems. But is there a way, what would you recommend?

MAX: We’ll move everything to the cloud may introduce new problems, and it often does, especially when it’s a quick change based on the vulnerability, especially back to the exchange vulnerabilities. Recently we saw a lot of migrations prematurely and new security vulnerabilities were introduced in the environment. But I think that you have to know security on the blue side, on the defensive side is reactive by nature. We create these signatures, we create these alerts because it’s already happened somewhere. And so there’s this ongoing battle where we’re seeing vulnerabilities found, or we’re seeing zero days introduced where you’re seeing this new supply chain attack, where you then have to develop those alerts and you have to learn how to detect them. You have to have people who know how to recognize it, how to apply that context, and then how to properly react to it. And so I don’t think that there will ever be a total prevention mechanism just because by nature, we are a reactive defense catering to the offense, the evil that is trying to generate these new styles of attacks.

PAUL: Going back to your example earlier about kind of the EDR and organizations that are sort of like oh yeah, we need to stop that attack and problem solve. What would your advice to organizations? Let’s say you’re an organization that has some hits from their EDR systems on particular clients. There’s kind of the early signs of an emerging attack. Obviously, as you said, the proper response is not to say a few. We Dodge Applet. So what should they do? How should they escalate it in a situation like that where they’ve got some red flags that are popping up, but they’re not exactly sure whether there is actually an attack going on or if so, how widespread it is. What would your advice be?

MAX: I think my advice is what not to do. If you ever have a scenario where you think an attack on going, do not restore that system, do not wipe that system. You want to isolate it. If you’re confident that it’s the sole cause, the sole infected system, you want to isolate that, but you want to be able to answer those questions definitively with forensics with incident response. If you walk into more than one system and you may have very privileged credentials on the loose, that’s a situation where more drastic measures need to be taken. We talked about you could speed up an attack if you let that threat actor know that you’re on to them. So if you start locking usernames, if you start taking workstations off, the threat actor is going to recognize that and they’re going to escalate their attack, they’re going to speed it up. So it does get to drastic areas where you do have to bring in an incident response firm. Some of those actions may be to take the entire network offline. It just depends how early can you detect that? How confident can you be that’s isolated to what you believe it’s isolated to.

PAUL: To the point, obviously, many organizations are not in the business of doing security. They’re in the business of doing other things, and security is just kind of necessary, necessary evil. When should companies look for third party help with some of these problems versus saying, you know what? We can handle this internally with our own staff. What would you say on that?

MAX: And it is kind of tough because there’s a lot of different attacks out there. There’s a lot of different ways that you can walk into these scenarios. I think that if you don’t have confidence and what it is and your ability to respond, then you do need outside help. If it’s not definitively answered on what you’re up against and that it’s contained, you probably need outside help. And the risk of waiting on that starts to grow exponentially as you allow more time.

PAUL: One of the things that’s really common these days is for companies or even employees to have data that’s involved in data breaches. Maybe a company or an organization is a victim of a third party breach. So their data was part of a big trove of data that a supplier to them let loose on the Internet either fail to protect or had hacked and stolen. I think we all understand that that increases your risk posture generally as an organization. But what should they do to say they have knowledge, affirmative knowledge that their data was part of some, let’s say, third party breach? Should that change anything in terms of their security? I’m thinking of actually, I’m in Massachusetts here, and we had a GIS software provider that left a Amazon S three storage bucket exposed, like something like a thousand local communities in New England area that use them had a whole bunch of really sensitive data that was left exposed. It was found by a white hat firm, but of course, you never know if they were the first person to find it. I wonder. Well, how does that change the risk posture for those communities? Should they be out there looking for signals or threats in a different way, given that a whole bunch of their sensitive information was basically exposed to the public Internet or not.

MAX: Yeah. And it really depends on what was leaked. I think one uptick that we’ve really seen lately is a lot of unemployment fraud. But I think that when you start talking about Social Security numbers and sensitive information, you get into classic credit fraud that’s been around kind of forever, right? It’s just the same type of information. But I think that it really signals the due diligence for those investigations on the organization side. So when you do have that type of data leak, you may be able to determine what is actually accessed, or do we have no logs for that? Which is a common thing that we see. Beyond just a exposed bucket, we see in these ransomware exfiltration cases where, you know, the ransom or actor may not have access some specific database, but because they don’t have logs, I can’t give them the confidence that that didn’t happen. So you may have a data breach from that when it was never accessed, all because you don’t have those auditing mechanisms in place to even make the determination.

PAUL: So is that your advice to companies when you start out getting them situated to be able to respond to these types of incidents? First of all, what are you logging? What are you tracking? What data do you have about your security posture?

MAX: Exactly. I think that a lot of firms can’t have their own in house forensics team can’t have their own in house incident response team. And so what you have to do, though, is you have to prepare yourself to bring in that outside team, and that outside team needs data to analyze. And so you talk about retention. You talk about procedures to not wipe systems or revert systems. A big issue is that when ransomware happens, people start restoring right away, they say, well, we have these great new backups. Let’s restore to that. But you just restore your sequel database. And within that, I can’t tell you if it was accessed potentially and how that may be part of a data breach because you just reverted it to a backup. We can’t give confidence to it.

PAUL: Really interesting. So I guess what I’m hearing you say is even if you don’t have the need or the funds to have an IR firm on retainer, basically, it’s worthwhile at least doing some consulting work or getting some consultative help to say, okay, if we’re going to have a firm parachute in an emergency situation, what do we need to have done up front so that they can kind of hit the ground running when they get here and have the information that they’re going to need and to at least be aware of that type of preparatory work that you need to do as an organization.

MAX: Exactly. And a lot of organizations just don’t know what that entails. And it’s easy to say, oh, audit the bucket access in the cloud. But one pain that some don’t know is that Microsoft 365, it requires a certain license to audit whether or not emails were opened. So if you don’t have that and you have an email breach of that user who has tons of sensitive information over email for whatever reason, you can’t answer those questions.

PAUL: And I’m going to go out on a whim and suggest that that license is more expensive than other licenses. Am I right?

MAX: I believe you’re in the right direction there.

PAUL: Okay. Final question, Max. When you’re looking out there, what is on your radar? What are you worried about these days? What has grabbed your attention in terms of risks and threats?

MAX: Yeah, and it goes back to the maintaining the data. So the worst thing for me is walking into an incident and trying to figure out how far the access went, but not having the data. And it really inhibits us both from a data access piece to figuring out how they got into the network. We’re really successful at figuring that out. But whenever we can’t, it’s because that data doesn’t exist anymore.

PAUL: Max, really great conversation. Is there anything I didn’t ask you that you wanted to say.

MAX: Yes, so again, just kind of circling back. Pondurance, of course, does have managed detection response. We have incident response. But I think that there’s a lot of great solutions out there. And I think the most important component is having eyes on screen to actually monitor that 24/7. And, of course, for Pondurance, if you’re interested in us, visit pondurance.com, we’d be happy to give a demo. But again, that 24/7 coverage getting into the hours. If those actors are actually active. Russia, what is it 12 hours away. Different time zone. It’s overnight. 24/7 coverage it’s on, very, very important.

PAUL: Max Henderson of Pondurance. Thank you so much for coming on and joining us on the Security Ledger podcast.

MAX: Thank you. It’s been a pleasure.

PAUL: Max Henderson is the manager of Incident Response at Pondurance, an Endpoint Detection and Response Firm. You’ve been listening to a Spotlight edition of the Security Ledger podcast. Sponsored by Pondurance. Pondurance delivers world-class managed detection and response services to industries facing today’s most pressing and dynamic cybersecurity challenges, including ransomware, complex compliance requirements and digital transformation accelerated by a distributed workforce. Pondurance experts include seasoned security operations analysts, digital forensics, and incident response professionals and compliance and security strategists who provide always on services to customers seeking broader visibility, faster response and containment, and more unified risk management for their organizations. To learn more, visit them at pondurance.com, that’s P-O-N-D-U-R-A-N-C-E dot com.

[END OF RECORDING]