UnHack (the News): Cyber Organizations and Secure Software Advocacy with Russell Teague
Episode 161 • 21st August 2024 • This Week Health: Newsroom • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Thanks as always to our partner Fortified Health Security. No matter where you're at in your cybersecurity journey, Fortified can help you improve your cybersecurity posture through their 24 7 threat defense services or advisory services delivered through Central Command, a first of its kind platform that simplifies cybersecurity management and provides the visibility you need to mature your program.

Learn more at fortifiedhealthsecurity.com

Today on Unhack the News. (Intro)

It is an organized crime. It is a business, and in their eyes, they operate as such.


Hi, I'm Drex DeFord, a recovering healthcare CIO and longtime cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain English, mostly non-technical show covering the latest and most important security news stories.

And now, this episode of Unhack the News.

(Main)  Welcome to Unhack the News. This is always a good time because I have Russell Teague from Fortified Health Security here. We were just together recently in Florida at a 229 CISO Summit and had a great time there.

And so I'm always happy to talk to you on the news because you've always got a lot of insights that all the places that you go and all the things that you see. You have insights that most people just can only dream of, so I'm glad you're here.

I appreciate it, Drex. It's always a good time.

Really enjoyed the 229 event down in Southern Florida. Look forward to today's conversation.

Yeah. Thanks. A few stories on the docket today, and I think we can certainly knock through some of these and maybe even some of the associated topics, if you'd like. The first one that I want to talk about is the sad reality that the bad guys always come back for more, right?

The McLaren hospital attack. They are in the process now of recovering from a ransomware attack, and I would say another ransomware attack. This is the second time they've been attacked in the past year or so and that's a real challenge. Do you see that kind of stuff happening, not only in healthcare, but other critical infrastructure where the bad guys come back around for a second bite?

Yeah, absolutely. An indication that you've been attacked previously is definitely not an indication that you won't be attacked again or that they won't come back. We have seen instances of re-attacks or the attempt to try to come back and get additional information. They may not be able to get everything they want in the first pass, depending on how far they take the attack.

And then, obviously, the other thing that's important is it may not always be the same group. It may be the same brand, but you've got to understand there are parts of these threat organizations that will focus on gaining footholds and gaining access. And then they sell that access to a different part of the group that will focus on data exfil, data breach.

And then you'll get others that'll focus on the ransomware aspects of it. Typically, it's multiple parts of the same organization underneath the same brand. But separate entities, right? Operating independently of one another. And so sometimes the re-attack is by a different part of the same organization coming back in to get more money, coming back in to get more data to sell to a different data broker.

It really does reemphasize this idea that these folks are a lot more like giant technology companies than they are like a bunch of thugs working out of their mom's basement or something. They're very well organized. It may be the same company and subcomponents in that company that are doing this work, but just as often it seems like there's lots of independent consultants out there who do these individual pieces of work very well.

Somebody breaks in, somebody else comes in and finds the crown jewels and documents how to get to them. Somebody else comes in and documents all the vulnerabilities. They build that portfolio and then they sell it to somebody who's really good at data exfiltration and doing it really quietly, launching the ransomware.

And then they hand the rest of the deal off to the negotiators, right? Some world class negotiators who can actually pull the deal through to the end. And everybody gets paid by some percentage. It's really. That I didn't really think about that with McLaren, but it may have very well been, you never know, but it could be something like that where somebody went in to have their first pass at it, then sold whatever else they knew to somebody else and they're taking a shot at it now.

That's exactly right. Because the data is being sold and transacted multiple different ways. Just because you've worked with the ransom negotiator and you may have either paid your ransom and they committed to delete their data. They may delete the data that they have and that they purchased.

It doesn't mean that the data theft entity, or the one that actually owns the data now, that actually did the deed, doesn't mean they're not selling it to other entities, right? Yeah, there's no... different part of the organization.

There's no great chain of custody documentation necessarily, especially from a legal perspective.

There's no chain of custody to make sure things get deleted. So do you pay the bad guy? Should you pay the bad guy? That's always a question.

Yeah. I'm a believer that you don't pay them unless you find yourself in an extreme situation where you do not have backups and you have no other recourse.

And then obviously, engaging with an appropriate ransom negotiator, getting proof of data to confirm that they actually have your data, and proof of decryption. You send them something that is encrypted and they prove that they can decrypt it and send it back to you. In those situations where you don't have backups and you don't have ways to recover, then you're caught in a situation where your only path forward is to pay them and to buy the decryption keys.

And so in those situations, obviously for operational availability and recovery, that very often is the case where you have to go ahead and pay them. But as a general rule, to pay them to delete or pay them to not disclose doesn't earn you any value, doesn't earn you any data points, right?

You're just throwing money after bad, right? And yeah, there's no guarantee that they're going to stay truthful and honest to their agreement on their side. All right. They're criminals to begin with. Yeah. Oftentimes we still see the data leaks still occur. And to your previous point around these threat organizations being formal big corporations and operating as corporations.

I'll point back to APT1, which is China, right? APT1, which was reported on first by Mandiant, and I was at Mandiant at the time. We went through and discovered and we learned based upon the patterns that we can confirmly say that they're coming from this location, this building, which was a multi, multi story high rise building in China where it was a known government entity operating out of.

But when we follow the traffic patterns, you can actually see when they arrived at work their morning coffee breaks, their lunch breaks, their afternoon. Based on their activity. Yeah, and then when they went home, right? And so you could literally see the work day playing out in that time zone as if every other corporation, you and I go to work, we work our emails, we have our business meetings, we write things up on the pretty whiteboard behind us.

The difference in their whiteboard is targeted accounts that they're focusing on breaching and the data that they want to steal and their spreadsheets are focused on their goals and objectives on what they're trying to accomplish. It is an organized crime. It is a business, and in their eyes, they operate as such.

Yeah, I'm going to skip down to another story that you and I had talked about just briefly before we started and it's the story about a ransomware gang formerly known as Royal Ransomware, who's now rebranded as Black Suit. And, it's the same folks, it's the same thugs.

There's a CISA notice out on this, and it has a list of all the Tactics, Techniques, and Procedures, or TTPs as you hear people talk about them. So it's one of those things to go out and look at and read and make sure that you have yourself covered. But these guys are out there pulling down tens of millions of dollars in every one of their heists.

It's not uncommon to see threat actors rebrand and change not only their infrastructure, because they will go for a period of time and then as that infrastructure becomes known and discovered and obviously traffic is blocked, they will spin up another infrastructure.

It's not uncommon. You see those announcements from the FBI from time to time that we've had a major success and we've torn down the infrastructure for this crew, but they don't really... it doesn't really end the deal.

No, they don't go away, right? They just spin up more infrastructure, and sometimes they'll change brands.

We've also seen as the kind of leaders of these groups emerge as some of them get older. And made their money they want to get out of the game before they get caught before they find themselves in prison. And as one steps down, another one steps up, and they often want to change their name or rebrand themselves as another entity, indicating it's now under my control, right?

Okay. It will take over. We see a lot of that happening as well. Because, might, you and I are both prior military, right? And so you have to be careful. You take out a dictator of a country, you never know who's going to fill the slot. You have to be careful around who,

the evil that you know, versus

the, yeah, exactly.

That's exactly it. And similarly in the bad guys, we find very similar playing out where the previous leaders of some of these. Law enforcement and organizations like Mandiant and us and many others had known existing relationships. We understand the TTPs. We knew exactly what they were going to do, how they would negotiate, and whether they were truthful and honest, and whether they would actually help you out in bad situations.

Because a lot of times they run it as a business, and if they get a bad name, then people won't do business with them, or they won't pay them the ransom, right? And so I can tell you the new leaders that have taken over many of these groups, that's changed, right? They are much more aggressive and at times tend to be much more disruptive and destructive, right?

Disrupting the operations through ransomware and truly taking you down. And then destructive in a way that they destroy the data so that it can't be recovered. You have the encryption, the decryption keys to bring the data back, right? So those two things are starting to play out. And I think it has to do with a lot of the new leadership in the new groups that are always emerging.

One of the other things that I think I've read about, heard about in the past too, is that sometimes with these cyber thug gangs, there's some disruption or some disagreement inside the company, inside the gang, and they will split. I think I remember reading about something like this that happened right after Russia invaded Ukraine, and the leader of the company, the bad guys, said that he was all for the Russians and there were people inside the gang that said, Oh no, we're not.

And they basically split off and created their own gang. Now they also took all the TTPs and everything with them. All the tools, all the capabilities with them, because there's no intellectual property protection on the dark web. And these folks were off doing their own thing, and they look a lot alike.

That's part of the reason the attribution problem is difficult too, right?

Exactly right.

Yeah,

that's exactly right. They get disagreements just like business people here in the U.S. get disagreements and they split. But they're all generally, they still have developed the same tools, techniques, and procedures, and that's what they're comfortable using.

And you'll generally see them using the same techniques, but now you see it coming from a different infrastructure, from a different attack vector, right? And it does make attribution extremely difficult, right? And so usually you can associate the activity with the same known threat group, but it may be different factions of the same threat group.



Join us for dynamic sessions, interactive workshops, and keynotes from trailblazing women in the industry. This event offers actionable strategies and fosters genuine connections. Whether you're a health system employee or a vendor partner, SOAR provides unique networking and growth opportunities.

at bluebirdleaders.org slash:

I'm going to skip to the last story. I was at Black Hat last week, and Jen Easterly, the director of CISA, she talked about a lot of different things. One of those, of course, was Secure by Design, which is the pledge that she's asked software developers, who do any kind of business with the government or really any kind of business in the US or around the world, to sign, meaning that you're going to build more secure software.

She also put a lot of pressure into the conversation about secure by demand, right? That there's a supply side and a buying side and that we should take more responsibility as buyers to ask for more secure software. What did you think of those comments?

I think it's the next evolutionary step in terms of holding software manufacturers accountable, right?

Not only is it making sure the SBOM is there, but also are they willing to sign up to really design and build secure software, bring secure technology? If you look at some of the major breaches where it has all been exposed, it's been part of the tool. And the design of that tool.

And some of the testing around the efficacy of it, whether it be in the core feature functionality, whether it be in an update that you get. And so the testing of that is critical. The impacts to those that are using that tool when not tested properly are significant, as we've seen in recent weeks.

2024 has just been like... It's been one after another.

Yeah, it's been bad and a lot of third party focus. So this goes hand in hand with third party developers and third party manufacturers really signing up and being part of it. They're a critical part to healthcare ecosystem, right?

We can't do what we do without them. And them bringing secure technology and understanding that availability of operations, continuity of care, is the most critical aspect of the triad when you think about, yeah, confidentiality, integrity and availability. Availability. Being able to take care of our patients is the most important aspect of it, and we rely a lot on our third party vendors to bring that availability in their code.

but when things go wrong, they go wrong badly.

And they go wrong. Because I think we've also I've been harping a little bit on this lately and some of the podcasts that I've done, but the idea that the interest of better economics and being able to centralize and standardize, I'm a Toyota production guy, so I love this stuff and it makes great sense until there's a problem and then you find yourself really stuck.

So there's. It's ultimately figuring out that balance between how much money can we save by standardizing and using the software that everybody else is using and then we can exchange data more easily and all the good things that come with that versus also the, back to our military experience, what we would call a center of gravity from a war fighting experience that if you actually can nail that target, you can take down a big part of the economy, a big part of the country.

And that's. Even unintentionally, some of the things that have happened recently. I think the secure by demand thing is a big move. And I think we do have the responsibility to ask our partners to sign the pledge and do better and Yeah.

Yeah. And I think, to your point around kind of disruption of the core operations, right, which causes the whole thing to cave in on itself. Some of these attacks, recently the stuff that was caused through Change or even extension. The end result is not what I think the threat actor was going after.

I think the end result is something that, was created by the threat actor activity, obviously, right? By impacting the operational stability capability. But the downstream impacts and how broad it went, I don't think anybody predicted that.

I don't think, I definitely don't think we predicted it.

I think the users of the software, I don't think that we would have predicted something like that. 'Cause we've gone through this whole drill of what are the other things that are like that, that we should be paying more attention to? I wonder, it is interesting to think about, were the bad guys actually intentional in finding that one right domino to tip over, or did they just happen to tip over the right domino?

I find it difficult without insider knowledge that they would be able to anticipate the mass outage, which ended up being obviously a revenue recognition and processing issue for Change, but I don't think the threat actors really planned that far out.

I think they took advantage of an opportunity to gain access and didn't really realize the domino they were knocking over and the downstream impacts. But I can tell you boards do recognize it now, and more often than not I'm hearing as I meet with,

Yeah, you're briefing a lot of boards.

Yeah, senior leaders, if I'm meeting with them, number one thing I'm being asked right now is how do we get a handle on our third party risk and the business impact of those third parties in terms of critical business processes, where we've relied on, whether it be clinical, ambulatory, ED, we've relied on a third party, right?

And if that third party service goes down, what's the impact to the business? Do we have downtime procedures to offer, and how long can we operate in those downtime procedures, right? Many people had two camps, those that were single processing, and so they had no alternative processor, so they were hard down, and those that had dual processing, so they could just revert over and process the stuff through another clearinghouse.

Boards are asking more around where do we have those single points of failure, and how do we build workarounds? Protections to make sure that we don't have hard downs. We don't have single points of failure with them. So that's a big focus of I would imagine many people listening to this was going to be, the head's going to be nodding going, this is exactly the question I've been getting.

So a lot of questions about resilience, a lot of questions about business continuity and how that's supposed to work and who's responsible for it and all of that. Russell, we could go on for hours. We do sometimes, when it's just the two of us hanging out. I appreciate you being on the show today. It always brings a lot of insight, I think, for everybody who listens. And I know I learn something every time I'm with you. So thanks for being on.

Same here. I appreciate what you're doing, Drex, and keep everybody secure. Have a good one.

Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.

Sign up at thisweekhealth.com slash news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.
