Security, Bookmarked: Manufacturing (Sponsored Content)

Sep 29, 2024, 20 min

Episode description

A chemical manufacturing company grinds to a halt when a cyberattack locks up their entire assembly line. Kurtis Minder, a renowned ransomware negotiator, answers their call for help and explains why manufacturing companies are uniquely vulnerable to these kinds of disruptive attacks. Then David Adrian from Chrome chats with Kate about how a web-focused strategy can help manufacturers transform what are commonly thought of as massive vulnerabilities into secured points of access and visibility.

This episode is sponsored by Chrome Enterprise.


Transcript

Speaker 1

The bad guys like to attack over holidays, so it's really not fun for me.

Speaker 2

That's Kurtis Minder, a renowned ransomware negotiator, telling me about a time when he picked up an emergency call on a major holiday.

Speaker 1

The initial call is always very emotional, as you can imagine. Even in the large companies, you know, you may have a boardroom of people, and it's very emotional.

Speaker 2

On the other end of the call was a chemical manufacturing company who'd been locked out of their own assembly line.

Speaker 1

They had a complete operational interruption, so they couldn't manufacture their product.

Speaker 2

Costs can add up quickly when a cyber attack delays a game studio's next release or leads to a data breach at a bank. But when attackers shut down a manufacturing line that's part of a global supply chain, you can almost see the money circling the drain.

Speaker 1

They were losing millions of dollars a day in revenue.

Speaker 2

And for this chemical manufacturer, like with any business shut down by ransomware, the losses went way beyond a few days of missing shipments.

Speaker 1

I call it the ransomware blast radius. It's like, we know the base impact. It's operational interruption, but what about these other things? And so that's cost of goods going bad, supplier confidence, that's, hey, wait, you didn't make payroll for two weeks, the attrition that just occurred, wouldn't that cost you? Those are all part of the fairly complex equation on total cost of impact. That formula, if you will, kind of helps us decide on whether to pay a bad guy or not, or to engage a bad guy or not.

Speaker 2

In this case, after finishing this exhausting analysis with Kurtis, the company decided to pay the ransom.

Speaker 1

And my job as a negotiator is to make sure we don't pay the price on the window.

Speaker 3

On the sticker.

Speaker 2

Before long, the systems were back online, products were going out the door again, and Kurtis was helping the company recover. But when he sat down with the company's CISO, he heard something that changed how he thought about the industry.

Speaker 1

He said, Kurtis, here's my biggest concern. We have been the manufacturer of this particular product for almost one hundred years, and the way that we manufacture this product and the materials we use to manufacture this product are our trade secret. I am concerned that that information has left the building, and I won't know about that risk for some time, until a competitor of mine makes the exact same product five years from now and puts me out of business.

Speaker 2

From Bloomberg Media Studios and Chrome Enterprise, this is Security, Bookmarked. I'm your host, Kate Fazzini. I've been a cybersecurity professional and journalist for over twenty years, and on this podcast, I'm talking with leaders in gaming, finance, and manufacturing about what security looks like in a workplace that's moved to the cloud. In twenty twenty three, ransomware attacks against manufacturers and other industrial companies increased by fifty percent, and since twenty nineteen, cybersecurity incidents targeting operational technology have risen exponentially. So today I'm speaking with Kurtis about why manufacturers are facing more ransomware attacks than ever and how AI is amplifying threats and offering new defenses for cybersecurity leaders.

Speaker 1

I'm the founder of GroupSense, which is a digital risk protection company. I'm also the lead ransomware negotiator at GroupSense, and I have about thirty years in what's now just called cyber.

Speaker 2

Then I'll chat with David Adrian, security product manager for Chrome, about how a web-focused strategy can help manufacturers secure the connection between their IT and their OT. The job title of ransomware negotiator is still fairly new, but Kurtis has been dealing with cyber attackers since the early nineties, when he worked on systems for an Internet service provider. He's seen pretty much every kind of ransomware scenario you could imagine.

Speaker 1

Incidents where the victim has started the negotiation before we showed up and has made some very, very novice mistakes. We've also had incidents where we're in the middle of the negotiation and the threat actors get back in and do more damage, where there's some confidence from the victim that, hey, we've got the doors locked, they can't get back in, and they were wrong about that, and that causes issues.

Speaker 2

Going back to his ransomware story, Kurtis couldn't reveal exactly how the attacker got in, but he told me they didn't have to be very creative.

Speaker 1

One of the things that is frustrating for us is that at the end of this we're taking stock on how the threat actors gained access, and it can be distilled down into like seven to eight sort of preventable things.

Speaker 2

Strong passwords, multi-factor authentication, staying on top of your updates and patches, securing remote access. These are just a few of the things Kurtis considers low-hanging fruit for any company.

Speaker 1

They're trying to gain access to your systems as cheaply and as efficiently as possible, and so they're not buying zero days on the dark web to break into your network, because they don't have to. They can use some very simple mistakes in cyber hygiene or processes to gain access, and often that is the case. It is something fairly simple to gain the initial access, and then once they're in, they're very good at expanding their access and pivoting.

Speaker 2

Later in the episode, I'll chat with David Adrian at Chrome about how a web-focused strategy can secure that point of access. But first, I'll hear more from Kurtis about his experiences helping manufacturers recover from ransomware attacks and what he sees in the near future for enterprise cybersecurity.

Speaker 1

You know, when you talk about partners or constituents who lose confidence in the manufacturing and supply chain space, a lot of these companies have a fairly robust supply chain resiliency strategy, right, and if one of your manufacturers in your supply chain stops producing, you've got a backup or two or three, and you might not ever go back to that manufacturer. When I'm talking to companies about how to prepare and respond to this in advance of an attack, I tell them that when the dust settles on an attack, you're going to need a tremendous amount of goodwill from your community, and the quickest way to make that go away is to lie to them or make them think you're lying to them or withholding information. And so their ability to address this quickly and also communicate transparently is so important.

Speaker 2

Yes, I'm so glad you're saying that. I've seen the communication piece go so wrong, both as a practitioner and then as a reporter, even though that doesn't have to be the case. So thank you for emphasizing that. Now, going back to the start of your ransomware story, I want to ask something more simple. Why are manufacturers, and in particular operational technology itself, a target to begin with?

Speaker 1

Yeah, I think increasingly, like everywhere else in the world, the devices in manufacturing are connected, and the reason why we're connecting them is data. We want to manage them, we want to optimize them, we want to look for errors and mistakes and things like that. And so as we've implemented technology to manage those manufacturing devices and connected those systems to the network, we've introduced a new attack vector for the bad guys.

Speaker 2

And it's not just one attack vector, right, there's this whole Internet of things now, lots of new devices attached to the network.

Speaker 3

They're all targets. Yeah.

Speaker 1

So in a manufacturing environment that is dealing with something that is sensitive to temperature control, the HVAC system is very important. So the threat actors obviously have gotten better at this. They know that impacting those devices and those systems makes a bigger impact operationally. And so HVAC systems and IP phone systems and product life cycle devices, you lock one of those up and manufacturing stops, things stop getting built.

Speaker 2

It's just devastating. And when you think about the kind of leverage that an attacker can get when they deploy ransomware on these operational devices, it's astonishing.

Speaker 1

Yeah, I mean, the threat actors have gotten better at learning how to disrupt our businesses, and OT or ICS devices, industrial control devices, they are computers, they are running an operating system. It is typically not a normal operating system, and so one of the challenges for organizations is how do you secure those. And on top of that, those devices are often not managed by the IT staff or even the organization itself. Sometimes whoever's making these devices has a maintenance contract to manage those devices inside the network. So you've got a third party who's responsible for keeping that device up to date and secure, et cetera. And then you've got an IT staff who's responsible for the overall organization. And it makes for an interesting dynamic that creates a sort of a paradox for the IT security folks in those organizations as far as protecting those devices, and they are connected, so that connectivity needs to be closely monitored and managed and also be minimalistic, so only the things that need to talk need to talk, and that is it, right, and keep it very, very tight.

Speaker 2

That's great advice. Thank you so much, Kurtis. Now, you're constantly reminding business leaders that they don't want to have low-hanging fruit, that attackers have plenty of old tricks that still work, and I know you also do reconnaissance on threat actors. So looking to the future, do you see a change happening in the way cyber attackers are approaching their attacks?

Speaker 1

You know, I think, having done quite a bit of analysis on this, and my core company does a lot of work around intelligence, I think right now our biggest concern is synthetic content. So the phishing campaigns are more effective, the landing pages that they send you to to harvest credentials are more real. I'll just give you a quick example of one of those. The threat actors will go to the management page of your company and they'll pick out all the names of your board members, and then they will have AI generate a fake email thread between those people on a particular topic, and it looks very, very real.

Speaker 2

Okay, that's a new one. That's new. I haven't heard that before.

Speaker 1

Yeah, you're a mid-level finance person and then suddenly you're looped in on this email thread by a board member and they say, hey, we need you to do this, and you scroll back and you look at it. Oh my gosh, it's the board, they need, you know, I feel important. I'm going to do this thing right away. I'm not going to ask any questions. We've seen evidence of that, and the AI makes that very easy for the bad guys to do, to create the sort of synthetic content that looks very, very real to the average person and create sort of a social pressure in the email chains and things like that. And I say that in lieu of, are the bad guys using AI to write custom malware? Not yet, we haven't seen any in the wild yet, but it is plausible that AI can write, you know, polymorphic malware for bad guys. But primarily they're not doing that because they don't have.

Speaker 2

To exactly, it's just totally unnecessary.

Speaker 1

Yeah, they're running a business, and this is it's just easier to trick you into giving your credentials or wiring money.

Speaker 3

That's easier and cheaper for them.

Speaker 1

Where I do think AI will play a risk, if it hasn't already, is the volumes and volumes and volumes of data that have been collected. You know, prior to generative AI, finding the needle in the proverbial haystack in that data was difficult and time consuming. So in some ways we were sort of protected by the fact that they have too much data, right. But now, with AI, they can train a model and say, this is the kind of information that I'm looking for in this haystack, and it will go find it for them in seconds. And that is dangerous. Now, on the flip side, you could say the same on the defense. One of the biggest challenges the security teams have is log data. It's just huge. They're finding a needle in a haystack too. AI can also help with that, right? AI can help them find the bad guys quicker.

Speaker 2

So I'm just thinking that, with what we know about technology and how it's always part of this race between attackers and their targets, what do you say to CISOs who maybe feel like they're losing this race, especially when it comes to AI? Or, maybe to put this another way, we often know the first steps an attacker will take to compromise your business. What's the first step a cybersecurity leader needs to take so their operation can stand up to that risk?

Speaker 1

Yeah. So cyber risk, and mitigating cyber risk, is a top-down thing for organizations. I think that it does start with culture and education for the greater staff. Step one is understanding that, you know, cybersecurity is not an overhead. It is a fundamental operational part of the business. When we start talking about how to mitigate these risks, there's this very well known set of cyber risk practices that all companies should use. That said, you should also assume that that's not always going to work. What organizations can do, and manufacturers specifically can do, is put in place a response and mitigation strategy that contains these things quickly.

Speaker 2

The AI-assisted phishing emails that Kurtis told me about, the warning that attackers will eventually breach your perimeter, these reminded me that the first step of so many cyber attacks is using your own accounts against you.

Speaker 4

Step one is like, if an employee doesn't have access to something, they can't leak it right, whether intentionally or because their account was taken over by an attacker or otherwise, so strong access control sort of limits the problem down.

Speaker 2

That's David Adrian, the security product manager for Chrome. When I brought up the equipment that attackers can target after they gain account access, David took a step back and looked at the overall posture. He explained how the network connections that make them vulnerable could be transformed into points of defense.

Speaker 4

I saw some research recently about, we'll call it industrial control systems or ICS systems, these sort of factory floor management systems, and it was saying that the core sort of ICS protocols, you weren't really seeing them online as much anymore, which is good because these protocols don't really have any security in them, but they do expose a web interface, HTTP configuration pages for this equipment for managing factories or other industrial control systems or other manufacturing processes. It's bad if these administration pages are accessible, but it's good because it kind of shapes the problem from, how do I secure this old protocol that wasn't built for security, that's confusing, that's used for somewhat niche applications for, like, managing centrifuges or whatever it is that you're using in your manufacturing process. And instead it just boils down to limiting access to websites on the front end and then sort of strong network segmentation on the back side. And then you can build access controls on top of a system that was never built for this in the first place, right, by just routing all of the traffic and all of that access through an enterprise browser.

Speaker 2

I think if we were talking ten years ago, you might say you wanted the OT and IT systems to be not connected at all, or that you would want an OT system never to connect to the Internet. Talk to me a little bit about why, with the way that we work today, that's not as realistic.

Speaker 4

Yeah, air gapping sounds nice in theory, but in reality, systems end up needing to be connected directly to the Internet or to some other network that is then connected to the Internet, and so it makes way more sense to adopt these sort of zero trust approaches where each device is behind its own sort of authentication proxy, and then you access the configuration pages through the web browser, through the enterprise browser, and you leverage everything that's built into the enterprise browser. And then you can do that without any of these devices actually needing to be updated to understand all of these sort of modern authentication and device authentication protocols.

Speaker 2

That's the point that I think is really important, because in many conversations about OT developments, you can't keep updating all of these different operating systems all of the time, and you know it's just never going to get better. But then another layer of security on top is what's helpful.

Speaker 4

Absolutely. Or alternatively, if you somehow made a mistake and there is a way to access sort of the configuration or the management of some OT device that doesn't go through the browser, then hopefully that's a lot more obvious and a sign of, like, immediate concern, because commands are getting sent or configuration is being pushed to some device on the manufacturing floor and it isn't corresponding with some sort of known employee login. Like, this is a red flag, and.

Speaker 2

It's an instantaneous red flag too.

Speaker 4

Absolutely. So one thing you get from Chrome Enterprise is sort of real-time reporting and analytics of what all of your users are doing. And if you have strong authentication of all of your users, you know they're your employees. Then if you have, you know, corresponding visibility on the, say, factory floor, manufacturing floor, that isn't aligned with what you're seeing out of the Chrome browser, then you know, well, something is wrong. Something is accessing something on the manufacturing floor and is not going through one of my managed browsers, and that's an immediate red flag.

Speaker 2

So David, just looking forward, as technology improves, we've seen a lot of new approaches by attackers using that technology and making it more sophisticated, so particularly attackers using AI to their advantage. One example, which I had never heard before, was an attacker using generative AI to create a very realistic email chain that included basically spoofs of the target's bosses and even board members, and then after that they looped the target into the email.

Speaker 4

In this type of situation, with this sort of AI phishing email, it sounds more like they're trying to trick the user to go to a legitimate site and do the wrong thing. And I think the best way to defend against that is to make sure that your organization has processes in place for doing things that are sensitive. And then once you have those sort of processes in place, these sort of steps in your workflow that get pushed to some sort of application in the browser are then another opportunity to have someone else verify that, yes, this is actually the business process we expected. And so as you start to route these business processes through web apps, through the browser, then every single step in the process where you do that is a step where you can secure it, in the sense that you can make sure that the people participating in it are actually your employees, and give more people an opportunity to identify when something is going wrong.

Speaker 2

This is a really cool way of looking at it too, I think, from a security person's point of view, where you have this visibility now that we didn't have before. You can see each step of a compromise or each step of an attempted breach. Now you can also see each step of the pre-breach, the pre-boom scenario, in a way that's really systematic. That's actually really exciting.

Speaker 4

Yeah, in the modern web-based workplace that we've all become accustomed to, there's a ton of opportunities to solve enterprise security problems that have plagued companies for years. Using a managed browser like Chrome Enterprise can be a critical component of these solutions. But I think we're really understanding that there's a leadership aspect to cybersecurity that's absolutely critical as well. So I hope that we've been able to help leaders understand the direction that cybersecurity is headed in and demonstrate how much companies can benefit from setting up their teams with protections that take into account the way that we all work on the web.

Speaker 2

To learn more about how the most trusted enterprise browser can help protect your organization, visit Chrome Enterprise dot Google.

Speaker 2

Security, Bookmarked is a podcast from Bloomberg Media Studios and Chrome Enterprise. Check out our other episodes about cybersecurity in finance and gaming in your podcast app. I'm Kate Fazzini. Thanks for listening.
