Sept. 16, 2024

Detecting Ransomware Before It's Too Late

In this eye-opening episode of The Backup Wrap-up, we delve into the critical topic of detecting ransomware. Joined by cybersecurity expert Dr. Mike Sailor, we explore the subtle signs that could indicate a ransomware attack in progress. From slight performance degradation to unusual network behavior, we cover the early warning signs that every IT professional and digital asset owner should be aware of.

Our discussion goes beyond just identifying threats. We examine the role of advanced security tools like SIEM and XDR in early ransomware detection, and why integrating these with endpoint protection is crucial for an effective defense strategy. We also stress the importance of having a solid incident response plan and the benefits of virtualization in recovery efforts. Whether you're looking to bolster your organization's cybersecurity or simply protect your personal data, this episode provides invaluable insights into detecting ransomware before it's too late.

Transcript

Speaker:

You found The Backup Wrap-up, your go-to podcast for all things backup, recovery, and cyber recovery. In this episode, we talk about detecting ransomware. With cyber threats evolving at breakneck speed, understanding how to spot the early signs of a ransomware attack is more crucial than ever. We're once again joined by cybersecurity expert Dr. Mike Sailor, who shares invaluable insights on the subtle indicators of ransomware activity, from performance degradation to unusual network behavior. We'll explore the role of SIEM and XDR tools in early detection, and discuss why a rapid response is your best defense against these malicious attacks.

Speaker:

By the way, if you have no idea who I am, welcome to the podcast. I'm W. Curtis Preston, AKA Mr. Backup, and I've been specializing in backup and recovery all the way back to 30 years ago, when I could not restore a database because our backups were broken. I hated having to tell that to my boss, and I don't want you to have to tell that to your boss, so that's why I do this. On this podcast, we turn unappreciated backup admins into Cyber Recovery Heroes. This is The Backup Wrap-up.

Speaker:

Welcome to the show. If I could ask you to take a quick second to press that subscribe or follow button so that you can always get our content, that would be great. I am W. Curtis Preston, otherwise known as Mr. Backup, and have with me a guy who almost lost his head today, Prasanna Malaiyandi. Prasanna, we're glad that you're alive.

Speaker:

Yeah, I escaped without losing any fingers or my head, you know, so it's a good day. I'll take that anytime of the day.

Speaker:

So why don't you tell the listeners why we had to delay this recording? What happened to you?

Speaker:

So I was walking by and getting tea before the podcast, and I was like, oh. And I looked up at the ceiling. In our kitchen, we have a ceiling fan. And I was like, huh, that's weird. What's that blue piece, and why does it look a little tilted? So luckily I got a chair, a step stool, and I was like, huh, lemme take a closer look. And I literally touched it. And then the thing like fell down and was just dangling by the three wires, right? The ground, the hot, and, uh. I was like, uh, then I had to quickly call my wife, and it's very awkward. Like, these are like 30 pounds, right? And it's hanging above you. And I was on a short step stool, and I was like, how do I actually unclip these wires? And it was a whole fiasco with ladders and step stools and all sorts of things in order to be able to do it. But I have it down, which is good.

Speaker:

Yeah.

Speaker:

And an anxious wife hanging over to the side.

Speaker:

Do you think you're gonna be replacing the fan? Well, like with a new fan, or just...

Speaker:

It's gone. It's gone. It's...

Speaker:

Okay.

Speaker:

...going to just put a normal, like... 'cause honestly, we've lived here for 11 years now, 10 years, something like that. And I think we've only used that fan once.

Speaker:

Yeah. It's funny, you know, I recently replaced my ceiling fan in the kitchen with just a light. And what I remember was, when I wanted to take it off, I just could not figure out how to get it out, like what I was supposed to do to get it out of there properly. And I wish that it was just hanging by the three wires. I just remember that a Sawzall was involved at one point.

Speaker:

Yeah. Well, and the hard part with that is, it's bulky, and then I saw the fan blades attached, and like you can't see anything, right? Because they hide all the things, and it's like, okay, how do...

Speaker:

Yeah.

Speaker:

...off this trim piece, so then I can get to the screws to unscrew it? But like you said, luckily, because my outlet box had basically detached itself from its support, it was just kind of hanging there. And so it made work a little easier. 'Cause yeah...

Speaker:

Well, we're...

Speaker:

...attached, I don't think I could have figured that out.

Speaker:

I am glad that you survived, and I'm glad that for once it's one of the stories from your house rather than stories from my house that we're featuring on the episode.

Speaker:

Yeah.

Speaker:

So, speaking of stories, we once again have Dr. Mike Sailor with us. Our, at this point, resident cyber expert. How's it going, Mike?

Speaker:

That's going well, guys. How are y'all?

Speaker:

Well, we're alive.

Speaker:

But this week I wanted to jump right into this idea of ransomware detection, right? So we tell people that they should assume breach, right? That they should assume they're going to be attacked, because statistically speaking, they probably will be. And you've dealt with a lot of these attacks. So I wanna understand, you know, what does a ransomware attack look like? Right? Like, what are the things that people see that are going on that they don't like? Obviously, if you get a big thing on your screen that says, hey, give us a million dollars, we're gonna get your files back, that's one way to know you have a ransomware attack. But what other things happen before that that tell you that you have a ransomware attack? Is it a ceiling fan? If a ceiling fan starts to fall, is that...

Speaker:

I think...

Speaker:

...is that?

Speaker:

I think before Mike jumps into that, Curtis, maybe it might be a good idea, just 'cause I think listeners may not be listening to every episode in order, to say why Mike is on the podcast and why he's the expert in this area...

Speaker:

Right. Well...

Speaker:

...talking about ransomware detection. Or Mike, maybe you wanna cover that.

Speaker:

Yeah, go ahead, Mike.

Speaker:

Certainly, so happy to comment on all of those things. I think my experience over the last probably at least 20 years, responding to incidents both at the personal level, whether it's a family member or somebody referred someone to us to help with a problem, or a corporate level. And that's, you know, school districts, banks, normal business enterprise that have incurred some cyber incident. We've seen quite a bit of variety of incidents, especially around ransomware. There's hundreds of different variants of ransomware. There's the more popular ones that we've probably seen more often than the others, and there are some consistent themes and, you know, potholes and lessons learned. And when someone that's seen it before shows up to help put out the fire, we know where to put the water first, what not to put water on, when to ask for help, and who else to involve in that. So, happy...

Speaker:

So, so, you know... Go ahead. Finish.

Speaker:

Yeah, to share my experience and some stories.

Speaker:

Yeah. So unlike me, who's a YouTube person, you're actually, like, grounds on the boots. Someone who's actually lived and does this on a, like, day-to-day basis.

Speaker:

Absolutely. And you said grounds on the boots. And the first, the...

Speaker:

Yeah. I thought...

Speaker:

Boots on the ground.

Speaker:

Yeah.

Speaker:

Well, and the first thing I thought of is that needs to be a t-shirt at a coffee shop. I think that would be good, because I'm an avid coffee person, so that made sense to me, even though you said it that way. But absolutely. In addition to being hands-on, you know, years ago, in rebuilding machines and actually, you know, typing in commands and running tools, to today, I'm more of what they consider a breach coach. So you've had an incident, and I'm just there to try and herd the cats and give updates in a correct and less stressful manner. Be the one there that's already had my hair burned off while everybody else is running around on fire.

Speaker:

So, Mike, during the pre-call, you had mentioned how different ransomware is from other malware, and I think that's probably a good place to start before we talk about what an attack actually looks like.

Speaker:

Sure. Well, you know, malware in general is just bad software. It's intended to do nefarious things, or trick us, or steal from us. And there are elements of malware that are consistent across different types of malware. It's like info-stealer malware, harvesting malware that, you know, captures your keystrokes or looks for certain things. There's malware that just does reconnaissance. And so when you think of really bad malware, it has the worst of all these elements combined. And effective ransomware these days really does perform in different phases.

So the first phase is it wants to gain access to whatever it's infected. So that computer, your smartphone, that server, whatever it might be. And then it wants to figure out, well, what do I have access to? So was it a particular user account that allowed it to infect this device? What does this device, and that user profile, have access to across a network? What type of software or files are on this machine?

For example, there is a specific ransomware that only targets point of sale systems. And so if it infects my laptop, it's gonna determine whether my laptop is a point of sale system. And if it is not, it's gonna look for a way to spread to the next system, and once it does, it will clean itself off of my laptop, as if it were never there. And then it will continue doing so until it finds a point of sale system, and then it will deploy its ransomware, you know, whatever additional software and capabilities it has.

But there's those first few phases of, what do I have access to? And what value, aligned with my ransomware campaign, does that bring me? That then triggers a whole slew of other things. Like, okay, so I found a point of sale system. Do I still have internet access? And if I do, I'm gonna reach out and download the next piece of malware I need, specific to the point of sale system I found. And so a lot of times that initial malware, ransomware infection is a very, what we call, thin or light payload. It's not very large. It doesn't draw a lot of attention. It doesn't do a whole lot other than determine whether it has access to whatever this ransomware actor is interested in. And then it'll phone home and say, hey, I've got the goods. Send the next payload and we'll get started.

Speaker:

For that first phase, I know we're talking about ransomware detection. Is there anything you could really do to detect it? I know you said it's a very lightweight, thin shim, right, that gets installed, deployed. Are there things people can do to detect at that phase?

Speaker:

There are, and there are some symptoms. These first few phases are different from one ransomware variant to another, or even just malware in general, from one variant to another. But they do consume resources, and, you know, to do reconnaissance, to do a system inventory, there will be a change in resource utilization. CPU may go up, memory may go up, drive I/O may go up, network I/O may go up. And so if you have the ability to monitor those things, and it may not be much, but, you know, set some thresholds that say if my system resources go above whatever it is, let me know. That may be because you're watching a movie, but at least you know it's because you're watching a movie. I'm typing, you know, a new chapter to my book, and then all of a sudden my CPU spikes. Well, I'm not doing anything that would justify that. So let me go look at what processes are running, and so on.

Well, for the normal person, or even the normal technical person, you know, I could go look at Windows processes and not know what 95% of those are, but I could potentially kill that process. Maybe dig into, well, what spawned that process? Where's that file, and what folder is it in? What's the time and date stamp that that happened? And was that something I did? Those are some things you can do investigatively, and it's probably a learning process as you do it.

But then there are other tools. That's kind of what Black Swan Cybersecurity does. We monitor environments, and in our monitoring we create a behavioral baseline by user, by device, by network segment. And as weird stuff happens, it flags to us, because it's simply deviated from normal behavior, before it becomes a security problem. So then we can call the client or the tech support person or whoever it is and say, let's dig into this and figure out if this is legitimate activity, or what can we tie it to from a user. Maybe some user clicked on a link or downloaded a file, and that's what led up to this. And so there are tools out there, and it ranges from, you know, put your toolbox together and run script one and look at report B and tie all that stuff together, which is kind of time consuming but low cost, no cost, to more of the elaborate capabilities of hiring a managed service to watch over all that stuff.

Speaker:

Hang on. I'm not sure where I wanted to go from there. Never mind. Never mind. I'll, um...

Speaker:

Well, back...

Speaker:

Uh...

Speaker:

...back to the attack progression, and this lines up with the MITRE ATT&CK framework. You know, reconnaissance is always first, and then how do we maintain our access? 'Cause that's the second part. Once I've infected you, I wanna make sure that if you've determined I've infected you and you try to clean me off, I'm still infecting you. So once you reboot, I'm still there, and I'm gonna be there until you throw this computer out the window. And so persistence is next. And then, you know, some of the other phases. And as that attack progresses through the MITRE ATT&CK framework, it's all mapped out regardless of the attack, who's doing the attack. It falls into these categories, these phases, and as that phase progresses, resource and network and symptomatic identifiers will always increase. So the more activity, the further along that attack framework they get, the more identifiable it is. And so...

Speaker:

Hey Mike, you threw out the MITRE ATT&CK framework. Not everybody is gonna be familiar with that. You want to talk about that?

Speaker:

So MITRE, which is an organization, has a framework, and there's like seven phases, within which every attack sequence can be mapped. And so almost every attack starts with reconnaissance. What did they gain access to? All the way through, like, data exfiltration. So they've got access to your stuff and they're stealing it. And so the ATT&CK framework is simply a way of identifying not only where an attack is, but how far did it go, and based on those attributes, then how big of a problem did we just... you know, how big of an issue is this. But it also then allows you to align your response to those different phases of the framework.

So in reconnaissance, what's my response? Well, maybe just passive for now. What is doing this reconnaissance? Is it normal, like internet pings just to see if a website's alive? That could be reconnaissance. Or is it something a lot more active, where they're doing port scans and some active enumeration? You know what, I pinged this IP and I've determined these ports are open and they're responding a certain way, so now I know it's a Windows 7 or Windows 2018 server running, you know, whichever patch level. And so that's active reconnaissance, and that's a no-no. So what's doing that, and can we address it now, versus waiting until that attack progresses into one of the other phases, which could get a little more complicated as far as responding to it.

But then you would have kinda your playbook lined up with what phase of the framework, what phase of the attack are we in, and here are the tools and things we should be applying at this point. And some of those are management decisions, like cut the hard wire, you know, it's that bad. But you would want all that stuff kind of mapped out and planned out ahead of time. And that's kind of, you know, I think we touch on that in a different episode, being prepared for game day and having your team on the same page and knowing what to do when certain things happen.

Speaker:

Do you ever see, like... this is fascinating to me, by the way. I haven't delved a lot into the security side, so it's kind of cool, and it reminds me a lot of TV shows to some extent. The question I had, though, is I know that you could try to stop an attack early on, like you said, right? If you detect it early on, you could probably stop it before harm comes. But at the same time, if you don't know what they're after, isn't that also kind of a downside, because they might figure out a different attack vector to come back at you through, right? So is that some of the risk trade-offs that happens at like a business level, that the business sort of needs to make that decision?

Speaker:

Absolutely. And so there's value in exactly what you said. You know, if I had a thousand things to protect, and I only had a thousand dollars to protect them, then without knowing the value of all that stuff and what I really need to protect, I'm gonna give a dollar of protection to all thousand things. If business says, out of these thousand things, 10 of them are the most critical for us to maintain business operations and continue making money and make sure the lights are on tomorrow, then I'm gonna reallocate proportionately that thousand dollars of security funding to protect primarily these 10 things. And then some, maybe, diluted version of, you know, decent cyber hygiene to the other, you know, 990, because they are layers between bad guys in the outside world and these 10 things that we care about. So we need some tools and capabilities on those other 990 things. But I'm gonna focus most of my resources on the jewels, if you will.

Speaker:

Yeah.

Speaker:

And that's just part of what we would consider a business impact analysis. Where's the critical stuff? Well, the other part of that analysis would be, what is the financial impact? What is the business and operational impact if these things are infected or compromised or unavailable? Is that a thousand dollars an hour? Is it a million dollars a day? And then how fast do I have to get things back up and running? Because, you know, let's say we lose those 10 things to ransomware, and the bad guys want $7 million to help you recover that. Well, the business could go, all right, so they want 7 million. We've got 5 million in insurance. Insurance says they'll cover it. So we're out 2 million. If we don't recover this within a week, we're out 10 million, because that's how much money we're gonna lose. Then the IT guys and all of our subject matter experts are telling me that we can rebuild this whole thing for 10 million, or maybe 9 million. So do we do it on our own and invest in X, Y, Z? Do we pay the bad guys, who... no guarantee there either. Or do we just suffer through it for a week, and we're out X dollars while we try to rebuild it and recover on our own? So that's the business side of ransomware and some of these cyber breaches, that IT and subject matter experts like me, we're just giving business intelligence for them to then make the decision. Paying the ransom should never be an IT decision.

Speaker:

The IT guy, the...

Speaker:

Yeah.

Speaker:

...said, we're not the one going, "Yeah, pay the ransom."

Speaker:

We're giving the business, the executive team, the information they need to make that decision.

Speaker:

Yeah. Sorry...

Speaker:

Agreed.

Speaker:

...we went off on a tangent, but...

Speaker:

That's all right. That's all right. Um.

Speaker:

So, so, so let's, let me get a sort of what I, what I think would be an

 

 


Speaker:

interesting part of this episode.

 

 


Speaker:

Not saying this, this wasn't interesting, but a, a, a fascinating part is you,

 

 


Speaker:

you, you've seen a bunch of attacks.

 

 


Speaker:

What are some of the like, weird things that we're going on that ultimately, um.

 

 


Speaker:

You know, ended up being ransomware attacks, right?

 

 


Speaker:

It's like they see this weird thing going on, and then eventually what

 

 


Speaker:

they figured out was, oh, well, it's because we have ransomware.

 

 


Speaker:

because always what I hear, sorry Mike, before you continue, always what I hear

 

 


Speaker:

is like, oh, all of a sudden I couldn't access files because they were all

 

 


Speaker:

encrypted, or things like that, which is like way, I'm guessing further downstream.

 

 


Speaker:

Right?

 

 


Speaker:

And I'm sure you have a lot of interesting stories about, hey, this, this, or this.

 

 


Speaker:

Uh, you are right.

 

 


Speaker:

It, it, it's, it's usually never, uh, a phone call with someone saying, I was

 

 


Speaker:

in the middle of doing X, Y, and Z and all of a sudden I, I, things changed.

 

 


Speaker:

It's, it's rarely ever that.

 

 


Speaker:

And bad guys know this, so if bad guys tip their hand

Speaker:

when people are at the console,

Speaker:

the response to that is gonna be pretty immediate.

Speaker:

Right.

Speaker:

don't want that.

Speaker:

They want your response to be delayed to some degree, hours, days.

Speaker:

They also want to be conscious and even considerate in some cases.

Speaker:

sure that you can, to some degree, have the ability to recover with minimal

Speaker:

impact, because they want to be your friend.

Speaker:

They want, hey, I did this on a Friday.

Speaker:

So you've got the weekend to recover, and so if by Monday you decide to

Speaker:

pay the ransom, everything's fine.

Speaker:

Right?

Speaker:

So ransomware attacks usually trigger Thursday, Friday,

Speaker:

Yeah.

Speaker:

It's usually not in the middle of the day.

Speaker:

It's usually first thing in the morning or in the middle of the night.

Speaker:

It's when you come to work and you notice your computer's useless.

Speaker:

It's when, in the middle of the night, your batch

Speaker:

processes, your batch jobs fail.

Speaker:

And they know that a lot of organizations, well, I'll just check

Speaker:

on it in the morning when I get there.

Speaker:

Right.

Speaker:

So they've had hours to plan and deploy their ransomware

Speaker:

to do as much damage as they can.

Speaker:

So there's that part.

Speaker:

And then Curtis asked about some of the things that we've seen, and

Speaker:

we've seen quite a few different interesting things.

Speaker:

And one of the things I'll touch on too is, initially

Speaker:

you asked, well, how do we notice?

Speaker:

Notice these things?

Speaker:

How do we know if we have ransomware?

Speaker:

Well, you'll notice a small degradation in performance.

Speaker:

If you are watching a movie, as an example, if you're streaming

Speaker:

something, you might see some glitches.

Speaker:

And you're like, that's weird.

Speaker:

I've got fiber to my house.

Speaker:

Why?

Speaker:

Why is it glitching?

Speaker:

Well, it's not the internet.

Speaker:

It's the resources on your computer being consumed by other stuff.

Speaker:

So there's some symptomatic stuff that's observable.

Speaker:

Well, then on the

Speaker:

network behavior side, especially if you're a

Speaker:

public sector entity, like a school district.

Speaker:

There are information sharing and analysis centers called ISACs.

Speaker:

There's a multi-state one. The state of Texas has its own, called DIR.

Speaker:

If you're in a specific sector, like the financial sector, there's

Speaker:

a finance ISAC.

Speaker:

There's one for healthcare, credit unions,

Speaker:

auto dealerships, and they all monitor the organizations that belong to their ISAC.

Speaker:

And so in the state of Texas, as an example, they might call a school district

Speaker:

and say, hey, we are seeing ransomware traffic coming out of your network.

Speaker:

You need to

Speaker:

Hmm.

Speaker:

Just a heads up.

Speaker:

Well, and that's pretty common.

Speaker:

The majority of

Speaker:

The majority of notifications to the help desk about something weird going wrong,

Speaker:

going on, is usually made by a third party.

Speaker:

It's just the way it is. We're so focused on operations and

Speaker:

keeping the lights on and the fires out.

Speaker:

Very rarely do we see these weird things.

Speaker:

And so those third parties, whether it's law enforcement or an ISAC or a

Speaker:

customer or somebody working from home, it's usually somebody else notifying

Speaker:

us that weird things are happening.

Speaker:

And so as ransomware progresses, and there's different, and we

Speaker:

touched on this initially too, there's different types of ransomware attacks.

Speaker:

There's the type that attacks just you as a user.

Speaker:

Whether you're, you know, grandma at home, or you're just working from home and

Speaker:

you've got this hybrid workstation where it's business and some personal

Speaker:

stuff, or just business, but

Speaker:

we're working from home kind of as an individual, and so we get infected

Speaker:

outside of the normal organizational network, the corporate network.

Speaker:

We're working off of a Wi-Fi at the library or a coffee shop or

Speaker:

at home, and so we don't have the same network perimeter protections

Speaker:

that we might have at work.

Speaker:

Well, those attacks focus primarily just on this laptop, this endpoint.

Speaker:

And it's kind of a one-dimensional attack.

Speaker:

You're not connected to anything else.

Speaker:

It's just gonna do what it does here, and there's something valuable that

Speaker:

you're willing to pay a ransom for.

Speaker:

Well, then the attacks at work on the corporate network, the organizational

Speaker:

network, are a bit different in that the bad guys want to do enough

Speaker:

reconnaissance first to see what they have access to, and then make that,

Speaker:

that ransomware, that infection, as broad as possible, all at the same time.

Speaker:

So in most cases, they will compromise an account, try to elevate to an admin

Speaker:

or equivalent account, power user,

Speaker:

find your domain controllers, and then script a deployment package to put

Speaker:

malware on all your computers, all your endpoints, all at the same time,

Speaker:

with a trigger to start infecting and encrypting all at the same time.

Speaker:

And so we had one, it was a pretty large company,

Speaker:

headquartered in Dallas, that has projects all over the country.

Speaker:

dollar projects, multimillion-dollar projects.

Speaker:

And they infected 2,800 machines all at the same time, within four hours.

Speaker:

Hmm.

Speaker:

So Friday morning, I

Speaker:

Wow.

Speaker:

think it kicked off at 4:00 AM. And so by the time people

Speaker:

came to the corporate office.

Speaker:

machine, 80% of their environment was encrypted in four hours.

Speaker:

And they didn't notice anything before that; the 2,800 machines were encrypted.

Speaker:

And even though this is a pretty large environment, they only

Speaker:

had three or four full-time

Speaker:

IT staff, had an executive IT

Speaker:

I'm not sure if he was the CIO or director or what his title was.

Speaker:

But in this particular case, and then, you know, kind of working backwards,

Speaker:

you get the phone call, we need help, you show up, assess the current situation, and

Speaker:

you work backwards to how did this happen?

Speaker:

And so we're starting to piece together, you know,

Speaker:

that was the domain controller.

Speaker:

You know, there was a script, there was all this stuff.

Speaker:

Well, how did they get to the domain controller?

Speaker:

Well, they used this account.

Speaker:

Well, how'd they get that account?

Speaker:

And so you're working backwards to patient zero.

Speaker:

And it was actually the backup administrator.

Speaker:

Who,

Speaker:

Backup Bob.

Speaker:

who had worked at this company forever and never taken a vacation,

Speaker:

some three or four months ago, while he was looking for vacation

Speaker:

stuff, got infected, and they had

Speaker:

Hmm.

Speaker:

access to his account for months while also watching him plan his vacation, which

Speaker:

then they lined up their attack with, so he left for vacation Wednesday night.

Speaker:

They conducted this attack Friday morning, and so we actually

Speaker:

were considering him as a suspect as part of this ransomware.

Speaker:

Right.

Speaker:

We started seeing, several years ago, threat actors have been propositioning

Speaker:

internal privileged users to help them with their ransomware in exchange for

Speaker:

a percentage of the monies paid.

Speaker:

But in this

Speaker:

Yeah.

Speaker:

case, they had access through a network vulnerability,

Speaker:

several months prior.

Speaker:

And additional access through the backup administrator account.

Speaker:

And then in this case, the business decided to pay the ransom because

Speaker:

these large multimillion-dollar projects were at stake and they

Speaker:

wanted to make sure that they got their data back and could continue

Speaker:

working on these things.

Speaker:

So they paid the ransom on a Monday, and the very next day the threat

Speaker:

actors messaged them back and said, you know, for another $80,000,

Speaker:

we promise to leave you alone.

Speaker:

And it was because they had, you know, I talked about persistence.

Speaker:

Well, they knew that we were gonna clean all the ransomware off, but they

Speaker:

had also configured two dormant backdoors that would've allowed

Speaker:

them to regain access to the network.

Speaker:

At a future date.

Speaker:

Well, we had found those over the weekend and made sure everything

Speaker:

was clean and tight.

Speaker:

No ability to get back in.

Speaker:

So we told them, you know, not to pay the ransom

Speaker:

to begin with, but they did it anyway.

Speaker:

And then the next day when they said, you know, you pay some more money,

Speaker:

we will promise to leave you alone.

Speaker:

We told them that we took care of all that and they didn't need to do it.

Speaker:

So.

Speaker:

So a question that I have, Mike, is with all of these things,

Speaker:

especially during this reconnaissance phase, surely a good SIEM tool

Speaker:

Mm-hmm.

Speaker:

would see this stuff going on.

Speaker:

Right, and can detect it.

Speaker:

Surely that's the case.

Speaker:

Tell me, and I know that nobody installs them.

Speaker:

Right.

Speaker:

I understand that.

Speaker:

Like, it's an expense, that a lot

Speaker:

of companies don't install them, and it doesn't matter.

Speaker:

But my question is, what's that?

Speaker:

Or configure them properly.

Speaker:

Right?

Speaker:

Or they've configured 'em because they got too many false positives

Speaker:

and they've ified it, right.

Speaker:

You're right.

Speaker:

But I think there's a misconception there,

Speaker:

that these tools are too expensive.

Speaker:

They used to be very expensive.

Speaker:

And really it's the labor that's the most expensive part.

Speaker:

And that's why working with a managed security service provider

Speaker:

is a much better approach.

Speaker:

You're not paying one-for-one labor, you're paying a

Speaker:

disproportionate amount of labor, because their labor is

Speaker:

spread across all their clients.

Speaker:

And so, SIEM products back in the day for sure, and there were open, there are

Speaker:

still open source SIEM products, but

Speaker:

to you guys' point, you've gotta configure those. Well then,

Speaker:

if you're not in the SIEM, if you're not experienced in how

Speaker:

to configure a SIEM, then you could be missing the point there too.

Speaker:

You could be missing a lot.

Speaker:

So, back to the experience and expertise of an MSSP to do all that for you.

Speaker:

So I think there's a misconception about price.

Speaker:

It's very affordable

Speaker:

today, more affordable than it ever has been.

Speaker:

And whether the client wants to own the license or not,

Speaker:

that's a different conversation.

Speaker:

But to your point, yes.

Speaker:

New next-gen security incident and event management tools, SIEMs, are

Speaker:

capable of identifying weird stuff.

Speaker:

And so our SIEM, as an example, does use, it's UEBA, user

Speaker:

and event behavior analytics.

Speaker:

It uses machine learning to develop a behavioral baseline

Speaker:

by user, by asset, by network,

Speaker:

and so, for example, if Curtis does something 10 times a day, or his machine

Speaker:

does, and tomorrow it does 10 or a thousand, it gets flagged as the behavioral

Speaker:

anomaly before whatever that activity is evolves into a security incident.

Speaker:

So if you got ransomware,

Speaker:

that new file, or even a file that maybe looks like it's

Speaker:

something that's been on your machine forever, but it starts doing something

Speaker:

that your machine isn't normally doing.

Speaker:

We'll see a flag for that, and

Speaker:

in our experience, we'll also be able to determine, well, is that behavior

Speaker:

consistent with symptoms of ransomware or some other type of malware?

Speaker:

And then we can get on the phone and talk about, well, what did

Speaker:

you just do or what have you done?

Speaker:

On that note too, I mentioned how organizations are typically, how

Speaker:

they identify ransomware or malware.

Speaker:

One of them is,

Speaker:

you get a call at the help desk today that a user says, hey, about two weeks

Speaker:

ago, it just kind of occurred to me, it's really been bothering me, but

Speaker:

about two weeks ago I did this thing, and you know, it's really been bothering me.

Speaker:

So I just thought I'd tell you now.

Speaker:

That happens quite a bit too.

Speaker:

And so when you start looking at that user's machine and their

Speaker:

email, and yep, sure enough, you clicked on ransomware and it's

Speaker:

somewhere in this environment now.

Speaker:

So now we gotta go track it down.

Speaker:

Yeah, there's any number of things, and a SIEM tool too, you can populate

Speaker:

with, for example, if Mike got ransomware and we can determine the

Speaker:

type of ransomware it is, we can then go do research on

Speaker:

the characteristics of that ransomware.

Speaker:

I can now put that in the SIEM tool and it can look across your entire

Speaker:

environment for other occurrences of those things, to

Speaker:

try and get ahead of the next infection.

Speaker:

But really SIEM is just part of the solution.

Speaker:

You also have to have good protection, anti-malware,

Speaker:

and those two things need to play well together. The SIEM can identify the weird

Speaker:

stuff, but then it has to be capable of telling the anti-malware on

Speaker:

the computer what to quarantine and clean, and do all this automatically,

Speaker:

because I've been preaching this forever.

Speaker:

Response is the most important thing.

Speaker:

You're gonna get attacked, you're gonna get infected, it's gonna happen.

Speaker:

The only thing that's gonna save you, or at least mitigate the impact, is how fast

Speaker:

you can identify it and respond to it.

Speaker:

Is

Speaker:

So

Speaker:

Is it

Speaker:

making sure that your tech stack really plays well together so that your response

Speaker:

is as effective as it can be.

Speaker:

Is it too soon to bring up the C company, the company whose name starts with a C?

Speaker:

CrowdStrike.

Speaker:

Yeah.

Speaker:

It is not,

Speaker:

too soon.

Speaker:

It's not

Speaker:

Well, I will say, we don't have much

Speaker:

time left, but if we can cover them quickly, I suppose.

Speaker:

So CrowdStrike's a great endpoint protection tool, and it has some

Speaker:

really good capabilities as far as interacting with SIEMs, as an example,

Speaker:

where the SIEM says, weird stuff.

Speaker:

Hey, CrowdStrike, go do this thing, clean that machine.

Speaker:

But I think it's also an interesting time to add that those endpoint, that

Speaker:

anti-malware stuff, that system, that software that's running on

Speaker:

your system, it's collecting all this contextual data that's then feeding up to

Speaker:

a SIEM, and it's the ability of that

Speaker:

software on the endpoint, that CrowdStrike, as an example.

Speaker:

It's the ability of CrowdStrike to collect this good

Speaker:

contextual data that's then gonna allow the SIEM to build a good baseline

Speaker:

and really quickly determine where the deviations from normal are.

Speaker:

In a lot of cases, the SIEM

Speaker:

is gonna detect that behavioral anomaly before CrowdStrike will,

Speaker:

because CrowdStrike is still kind of, is very rules-based: when this

Speaker:

and this and this and this happened.

Speaker:

That's a security problem.

Speaker:

CrowdStrike does really well at addressing security problems.

Speaker:

CrowdStrike does not currently do really well at saying, hey, that's never

Speaker:

happened before, or that's happened a heck of a lot more often than it used to.

Speaker:

That's what the SIEM does.

Speaker:

But then the SIEM and CrowdStrike, as in this case,

Speaker:

have to play really well together.

Speaker:

So when the SIEM says, that's weird, hey, CrowdStrike,

Speaker:

put a pause on that, put a pin in that, put it in

Speaker:

quarantine, put it in timeout until we figure out what's going on.

Speaker:

And we see that a lot in organizations, especially IT,

Speaker:

where we're rolling out updates.

Speaker:

We're installing new software, or third-party things like your

Speaker:

financial system or your dealer management software needs to update

Speaker:

something, that the SIEM is gonna go,

Speaker:

No.

Speaker:

Oh, that's weird.

Speaker:

And you're gonna hear it from IT or the end user going, hey, my install

Speaker:

paused, or it didn't work, or whatever.

Speaker:

And, well, that's good.

Speaker:

It's working the way it should.

Speaker:

Yeah.

Speaker:

Yep.

Speaker:

Yeah, it would've been nice if a SIEM tool had

Speaker:

said, hey, that file you just pushed out is zero length.

Speaker:

You might wanna take a look at that.

Speaker:

Right.

Speaker:

And so, well, that's a whole other story and a whole other ball of wax.

Speaker:

But that's right.

Speaker:

Yeah.

Speaker:

In this case, it was an involuntary patch.

Speaker:

You didn't have a choice of not

Speaker:

Yeah.

Speaker:

installing

Speaker:

Yeah,

Speaker:

it messed things up.

Speaker:

But if you had a good incident response plan with a playbook that says when

Speaker:

these certain types of things happen, and they can be categoric things

Speaker:

like, my machine stopped working.

Speaker:

I've got this blue screen of death.

Speaker:

I don't know what to do with it.

Speaker:

Well, there's a playbook for that

Speaker:

Throwing

Speaker:

we

Speaker:

So if you're not

Speaker:

and,

Speaker:

So if you're,

Speaker:

to call, and here's where the extra machines are, or the images

Speaker:

that we need to re-image machines with, or whatever the case was.

Speaker:

We've thought through this and here's our playbook for it.

Speaker:

And that needs to be part of your incident response plan.

Speaker:

So basically not Delta Airlines, apparently.

Speaker:

Yep.

Speaker:

Oh.

Speaker:

But

Speaker:

anyway.

Speaker:

By the way, it's funny.

Speaker:

Yeah.

Speaker:

What was that?

Speaker:

credit, having a good virtual environment with your snapshots

Speaker:

and all those things that

Speaker:

Yeah,

Speaker:

that saved the other airlines,

Speaker:

Yeah,

Speaker:

Or in some cases, some of the airlines had different operating

Speaker:

system environments and all that too.

Speaker:

But the virtual

Speaker:

Yeah.

Speaker:

able to

Speaker:

It was just,

Speaker:

snapshots

Speaker:

It was funny, last week I flew to Atlanta for, you know, the company that

Speaker:

I worked for, and for the first time,

Speaker:

no one asked me, why didn't you fly Delta?

Speaker:

Well, at

Speaker:

Oh.

Speaker:

Anyway, well, listen, we gotta finish up here.

Speaker:

So what I'm hearing from you is it does sound like a good SIEM

Speaker:

tool is, SIEM tool versus XDR tool.

Speaker:

Just a quick thought there.

Speaker:

You know, 'cause I know there's both.

Speaker:

So, SIEM is a little limited in its traditional ability.

Speaker:

Its traditional ability to ingest data.

Speaker:

So, SIEM tools typically don't have that automated response.

Speaker:

They call it SOAR.

Speaker:

The orchestration of automated response.

Speaker:

So SIEM tools, that's usually a bolt-on, a third party or extra.

Speaker:

But SIEM also does just traditional syslog and

Speaker:

firewall log, you know, that kind of thing.

Speaker:

Open XDR or XDR, XDR is better because it's primarily,

Speaker:

it's more of an open source approach, but XDR is that extra.

Speaker:

Well, now I can ingest cloud and third-party tools and IoT devices and OT

Speaker:

devices, SCADA, you know, smart stuff.

Speaker:

So it's the evolution of SIEM, not just in its ability,

Speaker:

but also its scope.

Speaker:

So in cyber ingestion, we talk about north,

Speaker:

south, east, and west traffic.

Speaker:

So north and south is in and out of your environment, and east and

Speaker:

west is within your environment.

Speaker:

And as a lot of environments start to migrate, either totally

Speaker:

to the cloud or some hybrid on-premise cloud architecture, it's really

Speaker:

important to have a platform that's capable of expanding with

Speaker:

you, both in scope and capability.

Speaker:

And so our platform is actually an open XDR platform.

Speaker:

It connects to just about anything that has a data feed.

Speaker:

Cool.

Speaker:

All right.

Speaker:

Well, thank you again, Mike, for joining us.

Speaker:

As always, anytime, happy to be here.

Speaker:

Personally, I am still glad to see you alive and not decapitated or

Speaker:

or

Speaker:

any,

Speaker:

You were gonna make fun of me too.

Speaker:

I know that you were like, ah, excuses, excuses.

Speaker:

Because again, normally this is me, not you, that's doing the stupid stuff.

Speaker:

Why am I seeing the outlet box for my thing, at least?

Speaker:

Did you install this fan?

Speaker:

Nope.

Speaker:

Okay, well then, well, you guys, because that would be me.

Speaker:

Yeah.

Speaker:

The one who installed the fan improperly 20 years ago, and

Speaker:

then the fan is coming down.

Speaker:

And as I look at the air conditioner that I've installed up over there.

Speaker:

All right, well, thanks again to our listeners.

Speaker:

We would be nothing without you.

Speaker:

That is a wrap.

Speaker:

The Backup Wrap-up is written, recorded, and produced by me, W. Curtis Preston.

Speaker:

If you need backup or DR

Speaker:

consulting, content generation, or expert witness work,

Speaker:

check out backupcentral.com.

Speaker:

You can also find links to my O'Reilly books on the same website.

Speaker:

Remember, this is an independent podcast, and any opinions that

Speaker:

you hear are those of the speaker and not necessarily an employer.

Speaker:

Thanks for listening.