John Anthony Smith (11:39)

Foreign.

Dave Bittner (11:46)

Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with Threat Locker, the cybersecurity solution trusted by businesses worldwide. Threat Locker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant. Do you know the status of your compliance controls right now? Like right now, we know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off.

John Anthony Smith (13:29)

Foreign.

Dave Bittner (13:38)

Anthony Smith is founder and Chief security officer at Phoenix 24. In today's sponsored Industry Voices segment, we discuss why backups are your most important security control.

John Anthony Smith (13:51)

Well, what's top of mind for me is I believe that what we've seen in the past will actually continue into this current year, and it will only get worse. What we see threat actors commonly doing is having an increasing willingness to not only target backups, but also target production systems both for mass encryption and mass deletion. And so I believe that what's going to dominate 2025 is frankly more of the same, but in an amplified fashion. What we also see is threat actors are now commonly willing to even target what I would say more sensitive industries like nonprofits and healthcare organizations. Organizations providing very critical life Saving infrastructure. I believe that we will continue to see a heightened willingness of threat actor groups to even target these industries with destructive acts.

Dave Bittner (14:46)

Can we do a little level setting together here? I mean, when it comes to cyber resiliency and recovery strategies, what is the current state of things? What is considered sort of the, you know, the baseline standard that people should achieve?

John Anthony Smith (15:06)

Yeah, that's an interesting question. Actually, in working breaches, which is what Phoenix24 does, we help organizations recover from their worst day in their career. What we see is that most companies, while they commonly do believe that their backup and recovery mechanisms will hold in the event of threat act or destructive acts, they commonly do not. Matter of fact, depending on when we look at our recovery sample of clients, 80 to 92% of the time, the recovery capabilities that organizations believe will allow them to timely recover simply do not survive. And so what I believe will continue to dominate, what we'll continue to see bluntly is that organizations simply aren't orchestrating their backups in a survivable fashion, despite what they believe to be true. Not only that, not only are backups not commonly survivable, they're also, when they do survive, they commonly cannot provide a timely recovery. And this is for a variety of reasons. Obviously, recovery from a mass destruction or mass encryption event is complex, but things like Dr. Mechanisms, right? Business continuity, disaster recovery systems, things that organizations depend on from, for our act of God type recoveries. Commonly orgs believe that these things will work in the event of a mass destruction event, but this simply isn't true. Most of these systems, these secondary environments, these replicated systems, they too get destroyed by threat actor behaviors. And so survival and timely recoverability, I believe are essential. And what we see is most orgs simply aren't prepared.

Dave Bittner (16:58)

That gap that you describe really fascinates me. Can you help me understand that? I mean, to me, it's not like people are trying to fool themselves when it comes to their backup strategies. They believe that the things that they've done are going to be effective. And yet the data doesn't reflect that that's correct.

John Anthony Smith (17:22)

And the reason why really boils down to what we call breach context. The fact of the matter is, most of the technical details of breach largely get locked up. They do not get publicly disclosed. And so defenders, in essence, are making guesses about how to orchestrate bluntly their most important security control, which is their backups, in our opinion. Therefore, they don't commonly orchestrate these things Aligned to the realities of breach. Breach context to us are what are threat actors? Able and willing to do. And unfortunately this data is not commonly made public and therefore most defenders, most organizations are not orchestrating their backups in a survivable manner because bluntly they don't have the data to do so, nor do the manufacturers that actually make the underlying backup tooling that organizations have come to depend on. Actually you can follow some of the most prominent backup tooling providers direct guidance on how to orchestrate immutable backups and it will be wrong. From a breach context perspective, threat actors will still commonly be able to delete organizations ability to recover even when aligned to the best practices of the vendor.

Dave Bittner (18:42)

Are there any high profile incidents that folks would know about where there's some take home lessons that you can share from them, things that folks in your line of work had some good takeaways from?

John Anthony Smith (18:57)

Yeah, I mean so there are many high profile breaches, some of which have had some of their technical details disclosed. I would say key takeaways are, and obviously it's what we started the conversation on is that most orgs simply are not orchestrating their recovery capabilities. Well. And so what I would say is number one key takeaway is that you should be absolutely confident, assured if you will, that your recovery capabilities will hold in the event of modern threat actor behaviors. And so you cannot and should not be depending on upon your backup tooling manufacturer's guidance solely in this regard because they will steer you incorrectly. You need experts in recovery to advise on the survivability of your backup and recovery facility, period. So that's learning number one. Learning number two is that the organization should be ready for mass recovery and they should be rigorously testing it. So not only should you have a survivable capability facility that you're confident in, you should also have confidence in your rehydration time. Right. Essentially you should know how long it's going to take your org to get your tier 0 and tier 1 data rehydrated and you should have absolute confidence in that technical rehydration time through rigorous and regular testing. And I will say in practice literally no one is doing this. At least that's what we've seen in our assessment.

Dave Bittner (20:41)

That was going to be my next question. It seems to me like that is the easiest can in the world to kick down the road.

John Anthony Smith (20:47)

Yes. And essentially it's funny actually Dave, many orcs are very focused on their act of God protection, right? Fire, flood, earthquake. But in many cases, now again it probably depends on where you are on the planet, but in many cases that's your Lowest risk, it is highly more likely that a threat group will gain initial access into some point of entry into your org, attempt lateral movement, and therefore then attempt some form of destruction. That is a much more likely risk, yet largely no one is prepared for it.

Dave Bittner (21:30)

What's your advice in terms of kind of steering folks toward particular technologies or solutions when we're talking about best bang for their buck, you know, being most effective in achieving these optimal outcomes?

John Anthony Smith (21:45)

Yeah, that's a great question. And so this is not product decisioning. I commonly say that it's a three part orchestration problem and a one part product decision problem. Orchestration, in other words, how you orchestrate your tools, how you configure your tools, the processes you wrapped around them, the testing you do with rigor, those things are what is leading to destruction. And here's the fundamental problem, which is why our company has been so successful. If you're going to do this with absolute assurance that your backup facility, your recovery facility will hold, you need breach context. You need someone who can technically guide you on the orchestration of those controls such that they can and will survive and provide a timely recovery with confidence. So you need a partner. Most orgs simply do not have the data, have no path to the data, and therefore cannot ever achieve success in this regard without a partner. Right. So, and that's really where our organization has comes in for many, many companies in the world is, and which is why we've had so much success is because we work breach, we have breach context. Therefore we know how to orchestrate recovery in a survivable and timely, recoverable fashion.

Dave Bittner (23:20)

You mentioned earlier that the bad guys are broadening their scope of the folks that they go after here. I'm curious what you're tracking in terms of the threat landscape, cyber resiliency, when it comes to different industries, to what degree are there haves and have nots out there?

John Anthony Smith (23:41)

Generally speaking, from what we see, both from recovery and from assessment, because we do assess organizations against breach context, there seems to be consistently true across all industries that they are not prepared for mass recovery. I don't know that there's any delineation, if you will, between industries that are less prepared versus more prepared. It seems to be all industries, all scales, all, all revenue sizes. Largely, largely every industry is getting this wrong. I wish I could name one that's going to have positive outcomes from the recovery capability. I believe in my career I have only assessed one organization to date out of hundreds that I would argue will have a survivable backup or does have a survivable backup facility and therefore will likely have a survivable recovery. Only one, most organizations who have some form of a survivable backup, it's got some significant risks imposed upon it because the orchestration that surrounds the immutability algorithm being employed is in some way significantly flawed.

Dave Bittner (25:10)

Is there a risk though of the perfect being the enemy of the good? I mean, people have to, they have to dial in their appetite for risk, right?

John Anthony Smith (25:20)

They do. But here's what I would say, actually a breach counselor recently said this quote to us. He said, essentially every organization within the United States has leadership, responsibility or fiduciary responsibility of cyber resiliency. He said to us, cyber resiliency essentially can be summed up with two pillars, resistance to a breach or prevention, as many call it, and recovery. He said essentially all organizations are over investing in resistance and largely ignoring recovery. So to your point, your question is perfect the enemy of the good? What I would say to you is this is one security control you can't get wrong. We need to be investing more in recovery and less in resistance, essentially. Dave, you've probably heard many security professionals say you can't prevent all breaches. It's essentially a matter of when, not if, all organizations will have a breach. If we truly believed this statement, then we would be doubling down on our investments in recovery and spending maybe a little less time on resistance. I'm not saying all those things aren't important. I'm just saying we need to be investing in an assured recovery. And yes, I do believe it is possible to have confidence in your ability to recover. I do fervently believe, as a matter of fact, we have a model for this that works. We call it Secura Tsuma. Where recovery can be assured. It absolutely can be assured.

Dave Bittner (27:05)

That's John Anthony Smith, Founder and Chief security officer at Phoenix 24. And now a message from our sponsor. Zscaler, the leader in cloud security Enterprises have spent billions of dollars on firewalls and VPNs. Yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust AI stops attackers by hiding your attack surface. Making apps and IPs invisible. Eliminating lateral movement. Connecting users only to specific apps, not the entire network. Continuously verifying every request based on identity and context, simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at Zscaler.com Security exclusively on ESPN. UFC 312 Saturday Reigning middleweight champion Dricus Du Plessis defends his title in a rematch against Sean Strickland and Zhang Weili defends her strawweight title against undefeated tatiana Suarez. UFC 312 Saturday at 10pm Eastern. Buy it on espnplus.com ppb and finally, our London fog desk reports the UK just launched the Cyber Monitoring Centre, a first of its kind system that ranks cyber incidents like Hurricanes from Category 1 annoying drizzle to Category 5 cyber apocalypse. LED by former NCSC chief KIERAN MARTIN, the CMC's job is to determine whether a cyber attack is a systemic event or one so massive it ripples across industries like NotPetya or CrowdStrike's recent meltdown. The scale is based on financial losses and the number of affected organizations. Test runs well move it barely registered Synovus NHS fiasco hit category two and CrowdStrike's self inflicted chaos landed at category three. While initially designed for cyber insurers, the CMC hopes to inform policymakers, businesses and even the UK government. Skeptics question its long term impact, but as Martin put it, if this was easy, somebody would have done it already. And that's the Cyberwire. Be sure to check out this weekend's research Saturday and my conversation with Mark Manglikmot from Arctic Wolf. Their research is titled Cleopatra's Shadow, A mass exploitation campaign deploying a Java backdoor through zero day exploitation of Clio MFT software. That's research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback is ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Buettner. Thanks for listening. We'll see you back here next week. SA.