Dave Buettner (9:09)

Foreign I'm Ben Yellen, co host of the Caveat podcast. Each Thursday we sit down and talk about the biggest legal and policy developments affecting technology that are shaping our world. Whether it be sitting down with experts or government officials, or breaking down the latest political developments, we talk about the stories that will have tangible impacts on businesses and people around the world. If you are looking to stay informed on what is happening and how it.

Sean Dube (9:38)

Could impact you, make sure to listen.

Dave Buettner (9:41)

To the Caveat podcast.

Sean Dube (9:52)

Compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third party risk, and even customer trust so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty Impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC Just imagine how much easier trust can be. Visit vanta.com cyber to sign up today for a free demo. That's v a n-t a.com cyber Sean Dube is principal technologist at Sempras. In today's sponsored Industry Voices segment, I catch up with him for the latest insights on the global state of ransomware.

Dave Buettner (11:46)

Well, it's been a couple of years since we've done this and that was actually last year. And it's always good to see where the trends are going because this is something that never stays still. I think it's very important to see that. And specifically our report tends to focus on identity, which has been getting more and more attention but has been previously underserved. So it's always good to make sure that it gets the attention it deserves.

Sean Dube (12:21)

Well, let's dig in together. What were some of the most significant findings here from your point of view?

Dave Buettner (12:27)

Well, from my point of view, and different people in the organization have different takes on it, there is a little bit of talk about the modest decrease in ransomware success, but to my mind it's an almost statistically insignificant. And it's human nature to say, yay, we're winning and we're doing a good job. But the reality is that easing off the throttle based on a modest trend in the direction you want to see, it's a mistake. It's human nature, but it's a mistake. The underlying motivations for cybercrime and nation state espionage haven't gone away. And one of the things, of course, that this is no surprise is that the tools, for example, AI, they're making attacks both easier and they're making them more sophisticated. So this means, among many things, is that it lowers the bar to success for other for organizations or threat actors. So it's not as hard to do as it was to be successful.

Sean Dube (13:38)

Well, let's talk about that. I mean, what are you all seeing here in your research? When it comes to AI driven ransomware.

Dave Buettner (13:45)

Attacks, sometimes the details are hard to find. And our study doesn't dive deep into the details. But what we're hearing is reporting from these organizations is that they are rapidly increasing in sophistication.

Sean Dube (14:02)

Are there any particular escalation tactics that you all tracked in this year's report? Any anything new or innovative that you're seeing?

Dave Buettner (14:12)

What we tend to see is the ability to do tried and true attacks. So one of the principles that I always espouse here is if you're looking at in particular cybercrime, the goal for cybercriminals is to make as much money as possible as quickly as possible with as little interference as possible. And so pretty much not everything, but most of what happens you can trace back to those goals. So with those goals in mind, they don't necessarily have to go for novel attacks. What they'll do is they'll find though, because there's a, you know, essentially a universe of organizations out there that are vulnerable. And so what this does is this makes the ability to generate those attacks and to execute those attacks faster. So the dwell time decreases, but the attacks themselves may be. Again, I'm an identity person, so I tend to focus on the identity aspects of IT against identity systems such as Active Directory and Entra id. And many of the attacks are, when it comes right down to it, are using the same tactics. They're just executed in a more automated manner or more quickly.

Sean Dube (15:41)

Why is identity infrastructure a top focus for these attackers?

Dave Buettner (15:47)

Well, I've said for many years the, you know, the mathematics for this is pretty simple. If I, if we focus specifically on the Microsoft Identity system, that is that what has become recognized as, number one, that identity is the core of security. Nowadays the NIST zero Trust framework says that and many other frameworks say that number two, it is highly vulnerable and the threat actors know that. So they go after identity. Jen Easterly had a great statement a few months ago at a conference. She said, identity isn't a security problem. Identity is the security problem. And of course, Jenny Sterling is the former director of cisa. So we have, everybody has, everybody depends on identity. Security is centered around identity. The bad guys know this and they attack identity. And the identity systems that everybody uses, the Microsoft identity systems, the on prem is very, is old. It's a quarter of a century old. And it has lots of vulnerabilities for many, many reasons, but it's a, it's a highly vulnerable environment. So if you take that and you plug that into the goals of making as much money as possible as quickly as possible and the traction that it gives threat actors once they've compromised that identity environment, it's logical. And what we've seen and what Mandiant and Microsoft Incident Response has stated is that the vast majority, 90, 95% of organizations that have been attacked, the identity system is a core component of what is attacked and what is owned for the threat actors to then do whatever they have in mind, whether it's encrypting the environment or whether it's exfiltrating data or whatever method that they're using to get revenue out of the victims.

Sean Dube (17:54)

What sort of gaps did the study reveal? When we're talking about how organizations handle both identity resilience and recovery, One of.

Dave Buettner (18:04)

The statistics that really stood out for me was the gap between in industries of paying ransom, what industry vertical, who paid more ransom and who paid less ransom. So the highest percentage of paying ransom industry was the energy industry and the lowest was healthcare. So if you had to read between the lines, and this is my speculation, is this might be reflecting the speed at which these two industries, which are both critical infrastructure, the speed at which they're making progress in building resilience in their organizations. We are going through this evolution at an uncomfortably quick pace, I believe, but that's the reality of it, of what I say for both security and for IT professionals, of, let's start with, oh, people are being attacked by threat actors, by cybercrime. That hasn't happened before. Oh, that won't happen to us. And then you're seeing, as an organization, you see it happen all around you and you start to human nature go, oh, well, I think we're probably okay. And then you see that organizations that, you know, you know, people in the organizations that may be equal or better than you in cybersecurity being attacked. And so then you go, oh, gosh, I. Gosh, I guess we really have to face the fact that we may be attacked. And so you really, you know, you, you build out your crisis management for cyber that many organizations have never had before, and you're still just getting your feet wet on how to do that. And now we're talking about resilience, as in, guess what, you're going to be attacked. You're going to have to work on resilience. I feel that there is this great stress of organizations having to adapt to this philosophy culturally. And again, as we know, this is about people, process and technology. It's not just technology, it's how does a culture adapt to this. So going back to your question about the significant findings, so what this says to me when I hear about energy sector versus the healthcare sector, you could speculate that on one side, the energy sector, it doesn't just represent the big oil and gas companies, but also the small municipal agencies that are generally highly vulnerable to cybercrime. They don't have the capabilities, they don't have the big security teams, they have old infrastructure that was not designed for security on one side, and so they're having to pay more ransom because they're more thoroughly compromised. But on the other side and is healthcare, they know that service interruption could mean harm or even death to their patients. So they're very focused on resilience in the face of attack. And in my conversations with healthcare security professionals, that is absolutely the case. So the more resilient you are, the less likely you are to pay a ransom to get your service back.

Sean Dube (21:26)

So in light of everything in the report here, what are your recommendations? What should organizations be doing to better prepare themselves here?

Dave Buettner (21:36)

Well, as a former technology journalist, I recognize what makes the press is what gets clicks and it's always interesting and drives traffic to report about new and novel attacks. And so I often get the question how do I deal with the newest and the most novel attacks? And the reality is I call it, I summarize it down to eat your vegetables, which is go back and look at your security. Look at your basic security principles and how well are you executing those basic security principles. What does your attack surface look like? As I said, I'm an identity guy. And the attack surface for your hybrid identity systems, Active directory on premises and enter ID in the cloud or perhaps it's okta in the cloud or ping one in the cloud. Look at your attack surface and how do you, how do you minimize your attack surface as you can't, you can't be perfect on it and it's a, and it's very difficult to do that. But as Rachel Wilson, who is a risk manager now for a risk director for it's not JP Morgan Chase. I'm sorry, I'm spacing this out. It's the other big Morgan Stanley in New York, but she used to be the, the NSA's cyber offense director. And she had her, her way of stating it is don't be the slowest gazelle in the herd.

Sean Dube (23:19)

Right.

Dave Buettner (23:20)

So you may not be able to make your security perfect, but if you can make it, you can make it a sufficient bar to make it harder to, to increase the time to revenue for a cybercrime, then you have helped yourself because if it takes too long, then it's simple enough to buy another set of credentials and go to the next organization. So it so often goes back down to basics. There's all sorts of advanced things that you can do, but I'm always about preaching the basics. And for example, our free utilities like Purple Knight and Forest Druid are designed to help you minimize your attack surface and make you less of a target or make you a harder target.

Sean Dube (24:10)

That's Sean Dube, principal technologist at Cempress. And finally, at defcon, researchers Qao Lin Yu and Kai Xing Wang revealed that Taiwan's smart buses are perhaps a bit too smart for their own good. The trouble began innocently enough with free passenger WI fi, only to discover the same router also controlled the bus driver assistance and transport management systems. With no network segmentation and default passwords that might as well have been password123, the pair waltzed in, digitally uncovering command injections, MQTT backdoors and zero encryption. From there, a hacker could track buses, spy via onboard cameras, falsify GPS data, or even flash out of service signs mid route. Vendors contacted politely apparently preferred the ignore and hope patching strategy. The vulnerabilities Yu noted, may not be confined to Taiwan. Bad news for any smart bus with global ambitions. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to hear from you. We're conducting our annual audience survey. To learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show. Notes, please. Please do. Check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Dave Buettner (26:39)

Sam.