NEW ORLEANS — Ransomware isn't going to get better!
That bold statement kicked off the day-two keynote of Semperis' Hybrid Identity Protection (HIP) conference Thursday. Jeff Wichman, director of Incident Response at Semperis, made the remark based on statistics, experience and getting to know the ransomware thugs behind years of attacks.
Wichman, a veteran ransomware negotiator, said that when he first haggled with attackers, they would often begin by just throwing out a random figure for the ransom amount. But that changed.
(Note: Video above is Mickey Bresman, CEO and co-founder of Semperis, interviewed by SC Media's Paul Wagenseil at the Semperis 2024 Hybrid Identity Protection (HIP) conference.)
By the time he wrapped up his professional negotiating career years later, the attackers had become much better informed. They had read the targeted company's financial statements and knew exactly how much it could afford to pay.
"When you first learn you've been hit by ransomware, don't contact or threaten the attacker," said Wichman. "Let the professionals handle it. Typically, we can do about a 50% negotiation drop, but not if you reach out and piss off the attacker."
Marty Momdjian, general manager and executive vice president of Ready1 at Semperis, joined Wichman on stage to warn IT security professionals to watch their p's and q's in the heat of a ransomware attack.
"When you contact your legal team, you don't get confidential privilege just because they're in the room," Momdjian said. "It's all discoverable — especially evidence of gross negligence. Be very careful."
He also counseled against trying to improve your security posture during the recovery process.
"The incident-response team, the legal team and your IT staff all have one goal: Put things back the way they were," Momdjian said. "Don't try to change things."
"Do not do an assessment during recovery," piped in Wichman. "Insurance may then decide that it's no longer an IR case."
The assessment and improvements will come later, said Momdjian.
"Be prepared for extended downtime, even after the recovery is complete," he said. "That’s when you need to go back in and change things, so it doesn't happen again. The insurance company will require that anyway."
Wichman had several tips for organizations that have just discovered evidence of a ransomware attack.
"Protect what's still available," he said. "Remember that recovery and IR firms want to help, but they are paid for their time, so they may drag out the process. Contact your insurance company — and make sure that the insurance info has been kept someplace safe that ransomware can't reach."
"But get an IR or forensics firm engaged early," Momdjian added. "Don't try to recover too quickly, because you'll destroy evidence."
"And engage a professional negotiator," Wichman said. "But again, don't contact the attacker, please. It will make the negotiator's job a million times harder."
Bouncing back to business
The ransomware talk was followed on the main stage by a panel discussion about business resilience, what exactly it is and how much priority cybersecurity defenders should place on it.
"Should resilience be the goal?" asked the moderator, Allan Alford, president and CISO of Allan Alford Consulting.
"It should be a goal, but maybe not the goal," replied Johnny Brister, CISO of Alchemy Technology Group.
"I don't think resilience is about giving up anything," countered Heather Costa, director of Technology Resilience at the Mayo Clinic.
"We cannot begin to think that there is perfection in anything we do," she added. "It's not about stopping the things, because you can't stop them all. Our measure of success is that we minimized the impact to the business."
"Resilience is about making disasters anticlimactic," said Augusto Barros, vice president of product marketing at Securonix. That was a definition that all the panelists could agree on.
Costa pointed out that unlike cybersecurity resilience, business resilience should be steered by the business side of the company.
"This is not a cybersecurity or IT issue," she said. "This is a business issue. This has to be a business-led process. Decisions should be made by people who have the business' core mission in mind."
"The goal is not to be back to normal," Costa added. "The goal is to be better tomorrow than we are today."
Identity is everywhere, and budgets need to catch up
In a lunchtime address, Henrique Teixeira, senior vice president of strategy at Saviynt and a former vice president of research, identity and access management at Gartner, walked the audience through a history of identity security — and why it’s important for the future.
"Back in the '80s, we had one job in identity. Everything was centralized on the mainframe," he said. "Then, next, you had to provision accounts on thousands of machines. That's where user provisioning came from."
With the collapse of Enron in 2000 and the resulting Sarbanes-Oxley Act, Teixeira said, identity became "not just about business enablement, but compliance as well."
At the same time, he pointed out, the cloud began to permeate North American business in the form of Salesforce. Yet only in 2022, Teixeira said, did spending on cloud and SaaS surpass spending on on-premises assets.
"In 2022, ChatGPT arrived," he said. "My mom called me — she's a pediatrician — and her mind was blown. When you see doctors, factory workers, taxi drivers talking about AI, then it's mainstream. And it's also mainstream for attackers to be attacking Entra and Okta."
But, he said, AI will not be the last big wave of technology. And, Teixeira said, we also need to take care of identity as a security problem.
"Identity security is more than IAM, more than IGA, more than PAM," he said. "It's a new way of doing cybersecurity."
Citing figures that said 64% of attacks are identity-related while 47% of IAM teams are understaffed, Teixeira stressed that organizations needed to beef up their identity efforts.
"Give the checkbook to the IAM leaders," he said. "They want to hire people. And they need to have the budget to do that."