Artwork for podcast Razorwire Cyber Security
The Real Impact of the Lockbit Ransomware Takedown
Episode 4220th March 2024 • Razorwire Cyber Security • Razorthorn Security
00:00:00 00:51:17

Share Episode

Shownotes

Welcome to Razorwire, the cutting-edge podcast for cybersecurity professionals, where we unravel the world of information security and peek into the future of technology. I'm your host, Jim, and in today's episode, we're joined by our esteemed guests, Richard Cassidy and Oliver Rochford. We’re taking a deep dive into the recent Lockbit takedown, dissecting the movements in the global cybercrime landscape, and analysing the ongoing conflicts within the commercial industry. 

Our guests, both veterans in the field, share their insight on the takedown of the notorious Lockbit ransomware group, raising critical questions about the efficacy of such law enforcement actions. We explore the pervasive issues of ransomware as a service, the evolving role of threat intelligence, and the significance of industry collaboration. 


Additionally, we take a look at the challenges of finding your niche within the hyper-competitive tech market, dissect the misconceptions surrounding threat intelligence and confront the stark realities of the cybersecurity industry's marketing frontlines. 


Whether you're well into your cybersecurity career or contemplating your next move in the field, this episode of Razorwire is tailored for you.


Key Talking Points:

1. Inside the Lockbit Takedown: What the headlines don't tell you about the resilience of ransomware groups and why we should remain cautious post-takedown efforts.

2. Navigating Cyber Misinformation: Our guests tear apart the misleading marketing tactics in cybersecurity and advocate for a truth-centric industry approach.

3. Collaborate to Fortify: Discover the vital importance of cross-organisation intelligence sharing in combating sophisticated cyber threats and promoting stronger defences across the board.


Don’t miss out on this candid and informative discussion. 


"There's a cultural problem when half the industry beats up on someone who discloses a breach. There's a disincentive to disclose breaches or intelligence. And so we need a cultural change there."

Oliver Rochford


Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


In this episode, we covered the following topics:


- Education and Skills Gap: outdated courses and underscores the necessity for ongoing training and adaptability in the information security domain.

- Misleading Marketing: the impact of hyperbolic marketing which often overstates the novelty and effectiveness of cybersecurity solutions.

- Threat Intelligence: the significance of deriving context from intelligence data and promoting its exchange within the sector.

- Cybersecurity Community Strength: the information-sharing culture and reciprocal support among information security professionals.

- Understanding Ransomware Complexities: a general lack of awareness around ransomware intricacies, including legal repercussions of ransom payment refusals

- Emphasis on Threat Modelling: the importance of businesses understanding their unique threat landscapes and preparing for worst-case scenarios.

- Cybersecurity Startups Proliferation: the sheer number of startups entering the cybersecurity space and the concerns about their effectiveness.


- Ransomware's Robust Ecosystem: the professional network that underpins ransomware operations, which includes a mix of criminals and nation-state involvement.


Resources Mentioned

- Lockbit Ransomware Group

- Cyber Volunteer Group (mentioned in relation to COVID-19)


Other episodes you'll enjoy


The Rise of Cyber Mercenaries: Governments’ Secret Weapons in Cyber Warfare

https://www.razorthorn.com/the-rise-of-cyber-mercenaries-governments-secret-weapons-in-cyber-warfare/


Cybersecurity in 2024: Expert Predictions You Need to Know

https://www.razorthorn.com/cybersecurity-in-2024-expert-predictions-you-need-to-know/


Connect with your host James Rees


Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cyber security professionals who dedicate their careers to making a hacker’s life that much more difficult.


Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.

With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and professionals providing insights, news and fresh ideas on protecting your organisation from hackers.

For more information about us or if you have any questions you would like us to discuss email podcast@razorthorn.com.

If you need consultation, visit www.razorthorn.com, We give our clients a personalised, integrated approach to information security, driven by our belief in quality and discretion.


Linkedin: Razorthorn Security

Youtube: Razorthorn Security

Twitter:   @RazorThornLTD

Website: www.razorthorn.com


Loved this episode? Leave us a review and rating here


All rights reserved. © Razorthorn Security LTD 2024



This podcast uses the following third-party services for analysis:

OP3 - https://op3.dev/privacy

Transcripts

Jim [:

Hello, and welcome to another edition of Razor Wire. And today we have what has commonly become our quarterly podcast, where I sit down with both Richard Cassidy and Oliver Rochford, and we discuss future tech, current situations, how that might change the future of technology within the information security space, and sometimes the technological space as well. So sit down, buckle up and listen, because it's certainly going to be lively conversation. Welcome to the Razor Wire podcast, where we discuss all things in the information security and cybersecurity world, from current events and trends through to commentary from experts in the field, providing vital advisory on what it is to work in the information security and cybersecurity space. So, as usual, for our quarterly look at what is going on in the security industry, the technology, sometimes we talk about AI, sometimes we talk about issues in the industry. Sometimes we talk about marketing, which we were just doing before we came on camera. We're going to be talking about predominantly this whole kind of lockbit take down, backup, what it means for the industry, what it means for technology moving forwards, and things like threat intelligence, that kind of thing. And as per usual, I have the two most fantastic co hosts for this particular piece, Richard Cassidy and Oliver Rochford.

Jim [:

Do you want to say hi, guys, and kind of do a little intro? Richard, do you want to take this one first? Sure.

Richard Cassidy [:

Good to be back, especially with Oliver. Thank you very much, as always. So, Richard Cassidy done a few of these now. I'm currently field CISO at a major cyber resilience and data security company. This is year 24 overall in the industry. Most of that's been spent in deep cybersecurity, threat intelligence, threat Persona mapping, things like this, advising businesses on how to do that stuff. Beth, no doubt we'll cover some of it in this podcast.

Jim [:

Absolutely. And Oliver.

Richard Cassidy [:

Yeah.

Oliver Rochford [:

Oliver Rochford. You know, I'm the chief futurist at the cyberfuturist. It's my own advisory company. I do technology advisory for technology buyers, sellers, investors around cybersecurity, mainly like security operations focus. Yeah.

Jim [:

Some of the biggest news recently is that the whole lock bit takedown, and we all saw the announcement and all the collaborative people who were involved, all proudly showing their flags and institution logos and what have you, and everybody was very proud that lockbit had finally been taken down. I mean, how did you feel when you first sort of saw mean?

Oliver Rochford [:

I was relieved that now we can talk about something other than AI. That was my first impulse.

Jim [:

Our last podcast on AI got some really good coverage, but.

Oliver Rochford [:

Okay, I'm sure it has. But overall, at some point, you've just flogged that horse too much. I thought it was quite intriguing, but to be honest with you, I saw a lot of people immediately on social media say, yay, we've done it, we've done it. But immediately there were also people saying, okay, unless there's arrests, it's not going to take long for them to come back up. And then the guesswork started coming at how long will it take for them to get back up. So I think it was like this feeling that it was a little win. A little win?

Jim [:

Yeah, a little win.

Richard Cassidy [:

As soon as the news broke for me, I had decided, yeah, this is not what the industry thinks it is. I mean, first of all, you have to call out the fact that the reason that they got breached themselves because of a PHP vulnerability, which just goes to show you, patch management is a problem on whatever side of the fence you're on. So I found that kind of funny. But my opinion is the way that I believe that law enforcement agencies handled it was incorrect because they decided to gamify back what they had discovered and found. And they created this website with countdowns for releasing the name of various individuals and then other details, including decryption keys. I don't know. It shows the Persona of some of the people that revolve in this. If you really have infiltrated to the depth that you said, you have a group of that propensity in the ransomware world, great threat intelligence tells you, keep your mouth shut, monitor them for as long as you possibly can, and see how deep the rabbit hole goes, because I can't imagine they exhausted every possible lead that they have found.

Richard Cassidy [:

And I don't know how much of it's bravado versus really having, taking down lockbit and the whole taking down lockbit thing. Well, to Oliver's point, it didn't happen. I was asked in interviews, I spoke to some analysts and so on and so forth. I said, look, this is not then finished. They will be back, and I predict in a magnitude of weeks at most. And lo and behold, they were within four to five days. And so good to see. And I think the goodness from this for me is I haven't seen such a concerted effort amongst so many agencies as I have for the lockbit takedown before.

Richard Cassidy [:

So it goes to show that as an international law enforcement collaboration, we've definitely found a way to make that work, because I do believe we've been far too siloed in the past, which is the anthesis of good cyber threat intelligence and capabilities so it's an interesting move. And then the badness from this is, okay, Php vulnerability was the initial entry point. The people behind this, the groups, will learn, and they will learn what they did wrong. They will look at how the data was used against them to be able to release decryption keys for various customers, and that will only help them to mature their operations even more in future campaigns. So I do think we've probably got some progress. But equally made, I say we. The way this was handled, I believe, probably wasn't the best way I would have handled it had I been leading an operation like this personally anyway, so that's my initial thought on it.

Jim [:

Yeah, I kind of fall in line with that one. When the news first broke, I thought, oh, we're being a little bit loud about this, aren't we? And then I had a good laugh when they said, oh, 100 million. That's the 100 million, allegedly, that they'd ransomware. I went, really? You really think it's only 100 million? Oh, no. And then lo and behold, a couple of days later, it's like, oh, it's actually over 1 trillion. It's like now you're kind of getting close to the number that this has probably been. And I had a number of conversations with customers and people that I know in the industry, and they were like, oh, it's really good. They've kind of been taken down and said, no, these guys have still got all that money.

Jim [:

They'll still have a large percentage of it, and this won't stop them. They'll be back. And then, lo and behold, they came back. And then there was that announcement. It was quite funny because one of the key figures behind it said, yeah, I got a little bit kind of like sitting on my heels, really. I wasn't really keeping an eye on the PHP vulnerabilities, so I've learned a lesson there. But I was just focusing on the money we were making. I think what this has kind of shown, I think most infosec people looked at it and went, that amount is just the tip of the iceberg, and these guys are going to be back pretty quick.

Jim [:

And I must admit, I thought it would be a few weeks. I didn't think it would be five days. But it just kind of goes to show that with that amount of money comes quite a significant ability to recover. And maybe some organizations should learn that if you invest in cybersecurity a little bit more, maybe you two can kind of come back from these kinds of events a little bit faster than what history has.

Oliver Rochford [:

I mean, their infrastructure seems highly resilient, and it seems very quick to spin up. Right. You can see the professionalization there, cybercrime as a service. But at the same time, it's interesting you mentioned the gamification, Richard, because I thought that too. Taunting them, is that really a good investment of police? I know it feels satisfying and we can all laugh about it, but was that really the best investment of that time? At the same time, without the arrests? I don't know. All you've done is pre warned them now. Right? And that's the interesting thing. They took down the infrastructure.

Oliver Rochford [:

They didn't take down the group. There's a fundamental difference there.

Jim [:

They did do some arrests, didn't they? Looking back through the. But I mean, it wouldn't have been anybody of any significance, I'm guessing.

Oliver Rochford [:

Keep in mind the main ringleaders behind these things. They are sat in safe harbor countries from their point of view, places where who. Adversaries who have no intention of handing them over.

Jim [:

Right.

Richard Cassidy [:

Yeah, but look, let's not underestimate the resilience of the Vance awareness of service model. Recently, black hat ALPHP apparently are staging their own takedown for whatever reason. There's reports that state that they've recycled the FBI seizure page from last year and re published it on their site for whatever reason. It's as if they're trying to play a game back and dictate that they're seizing operations, potentially. Think maybe they take some heat off them. I don't know. Maybe they were spooked by what's happened with lockbit. But the other point that I wanted to try to make here was there are other groups.

Richard Cassidy [:

I mean, if you just do a little bit of homework into the ransomware as a service model and all of the groups that support each other, you've got to understand that all this data is shared openly and it's a commission basis based upon who does the breach versus who provides the data that supports the breach. And there's various commission structures amongst them. And there are even groups that work as second line. Right. If the lock bit tool sets don't work, let's go to the 03:00 a.m. Group and use other tool sets and other coding languages. So again, the point is, yes, great to say that international law enforcement has the capability to collaborate, to really track what these groups are doing, but in the long run, you're only going to disrupt and you're not going to destroy. And I think for those watching the podcast, keep that mindset.

Richard Cassidy [:

When you're thinking about how you're going to stand up to the evolving landscape and ransomware, you don't think law enforcement is going to save your day. It won't. And as showed in this, they just like to play around with these groups and gamify it. I don't think we've had any serious results.

Oliver Rochford [:

I wouldn't say it has no impact because it does keep the pressure on the groups. Right. It sets them back a little bit for a while. But ultimately, unless we can agree on actually arresting women internationally, it's hard. There's a difference between shutting down an operation and shutting down a group.

Jim [:

At the end of the day, there's a lot that goes into this, and I think this is where that kind of the cyber intelligence side comes in. I mean, last few years we've seen a number of kind of tool sets and organizations coming out who are starting to tote themselves as like threat intelligence, that kind of thing. And it's now becoming, I mean, I'm doing a talk on it in a couple of weeks time, actually, depending upon, obviously, when this podcast come out. It's, it's an interesting landscape to look at because you're absolutely right. I mean, law enforcement, I'm going to be really unfair to law enforcement guys. So I apologize to any law enforcement people out there, but in this case, you are pretty useless. As Oliver said, you can take down and you could disrupt and you can put pressure on, but ultimately, it's not going to stop a thing.

Oliver Rochford [:

Well, I wouldn't say useless. They don't have the means.

Jim [:

No, that's why I say it's pretty useless. As you said, these people are all hiding away various different parts of the world that you're not going to have a reach to. As much as certain countries like to say how they police the universe, nobody cares. And even then, most of the really good people who you know what you're doing, they're probably part of organized crime anyway. Organized crime are not going to be sat there looking at this going, oh, this is a really interesting new way of making money. No, they're going to be as deep into it as they feasibly can be. And these people have been invading law enforcement for more years than you can account.

Oliver Rochford [:

It does beg the question whether there's actually almost like a founder ecosystem now for cybercrime as a service. Are they actually starting new groups, that kind of thing, like Dragon stand. There are certain tech ecosystems as well, where before you get these initial, like the first successful people to kind of invest and pass on that knowledge, it's hard to do, but I get the feeling that there are multiple generations that work now. And of course, at that point, it's something where they're just popping up like mushrooms whenever you put them down. It's fairly easy to spin up the infrastructure as we've just seen. They just basically move it from one provider or to another. So it's very repeatable as a process. They didn't need to build all of this manually by the looks of it.

Oliver Rochford [:

And so I think it's interesting the fact that it's professionalized to such a strong degree within about last time I looked at this market was about five or six years ago, and back then the focus was still very much on zero days. There were a couple of ransomwares or service operators just starting, but they've come a long way in a short.

Richard Cassidy [:

I mean, I've always said in industry that you have, don't underestimate the power of progress from an adversary perspective for the reason, I mean, we did a podcast, I think it was last year, James, around the psychology. These are individuals that some of them are politically motivated, no doubt. Others are backed by government agencies. We know who they are. And then some are just saying, look, you know what? It may be easier to do this if I join a group, if I become a part of an ecosystem, I'm a data miner or I'm a malware writer or whatever it is, and I'll get a very small percentage of any attack. And we haven't yet tackled the ability to de anonymize a lot of the payments that are making their way through the various cryptocurrency environments. So there's so many fundamental problems in the industry that supports ransomware, and ransomware as a service that we've got to look there, you've got to look at the infrastructure they use to monetize what they do. I'm not saying understanding how they operate from a malware perspective, from the actual code, is not important.

Richard Cassidy [:

Yes it is. But at the end of the day, they're only doing it because they can monetize it, and they're already able to monetize it because of two things. And all of you mentioned one of them. We don't really have extradition capabilities at the level we need them globally. And that's not going to change. We don't have a solution to that because we're not going to see Russia and China jump on that bandwagon anytime soon. And the second is yes, they can move money pretty easily and anonymously.

Oliver Rochford [:

You mentioned the politically motivated element. One of the things which is driving the professionalization is that there are nation states involved to bypass sanctions. North Korea is a prime example. Russia is a very good example of that, increasingly. And of course, that can frame the taunting in a different light. If you're basically taunting someone's secret agents, I could see that make for a simple mistake. I think there's been an uptick since the geopolitical situation has heated up as well.

Jim [:

I think a lot of people out there have realized that they can probably earn more money on the dark side of the force than they can do on the light side of the force. I mean, let's face mean. In the last couple of months, there's been this whole bit longer than know. The economy in the west has been in a bit of a bit of a panic. You've been seeing a lot of people being let go, made redundant, and all the rest of it. Some of them are citing AI. I don't think that's it. I think a lot of it is.

Jim [:

The economy is just generally in a pretty. Going down a pretty nasty route. And a lot of these people are saying, right, I can earn more working on that side than I can do ever working on the other side, or I'll just do both. There's this whole big thing about overworking at the moment. There's no reason why one programmer can work working on one side of the fence during the day and then on the other side of the fence in the evening and get double bubble. In fact, probably more than double bubble. They'll probably get paid more for working for the malware guys, and there's very little chance they're going to get caught because they're developers. So all they're doing is releasing code.

Jim [:

Somebody else is dealing with it, somebody else is handling what goes on with it. So as long as they're kind of not doing anything dumb with the code, then it's very unlikely it's going to get back to them. And I think both of you are very much correct. The nation states haven't helped the matter because I'm guessing what the nation states are doing is saying, right, I don't want you to attack us. What I want you to attack is these guys over here. We consider them an enemy state, and if you do that, then we'll leave you alone. We won't touch you, we won't go near you, and we'll maybe even help you a little bit with a bit of monetary value and make sure that if anybody gets arrested, then you get arrested for short periods of time. Let's face it, when Abignail the guy from catch me, if you know, or the film was based off of his life, okay, it's very highly stylized.

Jim [:

But he got caught, put away, and they literally, shortly after he got put away, turned around and said, oh, do you want to come and work for us and work out your prison sentence? Kind of doing the same thing for us. It's an attractive route to go down, especially if you're part of a country where you don't get support. You don't have the support that sometimes you get into more western countries like the UK. If you're having to feed your family and you're a talented coder, then why the hell wouldn't you do that? People follow the money.

Oliver Rochford [:

You're right. On the one hand, to the nation of state, if you look at the wirecard scandal, I think the COO, he's still missing, they reckon he was turned in 2014 by russian intelligence. If you look at the big one MB scandal from Malaysia, where they basically stole a whole lot of money from the malaysian government, there was an operative there who's fled to China. And then of course, we have the Edward Snowden example, which is, I think, the prime example. Right, but you're right about the monetary aspect. But when I was doing research into this, back at tenable into the kind of economics behind it, we have a lot of countries who have an oversupply of educated technical people. If you think of India, Pakistan, if you think of Brazil, they don't really have the jobs available to them. And if there's no expedition treaty, you can set this up pretty legitimate looking, right? If you think of some of those tech support scammers, they're operating out of companies that look very much like a call center.

Oliver Rochford [:

They're employed.

Jim [:

I've seen the videos of the takedown of those, actually, which, I mean, anybody listening, go on YouTube and do a search on the takedown of some of those sort of scam phone things. It's really interesting the way that it works, and it's a bit of a laugh as well, some of the fun that the guys have against them. But you're absolutely right, of course.

Oliver Rochford [:

Once you put a nationalistic or an adversarial taint on it, that's for your justification. If you're at war or if you're in opposition to another country, you can justify doing it to their people. It's okay. It's just part of. So I think there's a whole element there, but I think for a lot of the operatives, it's financially motivated, but it's about who's pulling the strings, who's financing it, who's driving it. And there's good examples there coming out of China, even going back as far back as about 2012, 2013, that different government agencies had their own sponsored hacking groups in opposition, competing with one another.

Richard Cassidy [:

Right.

Oliver Rochford [:

That's the interesting thing, that it wasn't just one nation sponsored group, there were several.

Richard Cassidy [:

I always like to be the pragmatist in industry when it comes to, okay, so what? So what? For the businesses, I don't mean so what. It's valid information. If you're sitting there as a leader in whatever part of the business you work in, and I'm talking more to kind of ciso cybersecurity leads. So all of this is scary stuff. So what do you do about it? Well, you understand that the capability in these groups is far greater than you've probably ever realized. And it's getting better. And more blood is coming into that industry for various reasons of psychology and macroeconomics. And what you're doing, what the industry is doing to protect and detect is not working right.

Richard Cassidy [:

We know that you have to almost embrace the fact the breach is going to occur. And that comes just down to knowing what's going to be your worst nightmare, what would turn the lights off in your business, where it to be breached or extorted. And you've got to do the best you possibly can around their protection mechanisms and around the capabilities of resilience and stuff like this. And I think one of the most underserved things that people drive, I mean, threat intelligence, something we'll talk about in a moment, I'm sure. But hey, using the right threat intelligence for who you are, I mean, a lot of conversations I have, I was with a very large government agency only last week that are responsible for some very big elements of the UK economy. And I asked them these questions, okay, what data are you protecting? And it was a tumbleweed moment, right? This government department had no idea of what data silos represented operation for those. For that organization. I said, okay, forget that.

Richard Cassidy [:

Who do you believe in partnership with the NTSC and other agencies are you up against based upon what you do as a government entity? And they had no idea either. They hadn't done the homework on the types of incidents they would see, the types of apt groups they'd be up against. And gosh, if that's the state I'm not saying that I'm surprised by that. I've been in industry long enough to know that that's half the course. But it just goes to show we're still banging ahead off the stone wall. We're reliving Einstein's definition of insanity day in, day out in this industry. And what we've learned from lockbet takedown is they're just as capable of recovery and operationalization and as quicker than I thought. I didn't think it was going to be two or three days.

Richard Cassidy [:

My goodness. I got at least a couple of weeks. So what are we doing that isn't working and how do we change it?

Jim [:

You've got to look at that in some respects. You also have to look at it and say, what lessons can we learn from it? And it's like they are so well funded now, the first time they got the 100 million, 10 million, 50 million, that buys you a hell of a lot of security. And it also pays a lot of good developers to give you really good security. They're not going for the commercial stuff that we use. They'll be going for their own versions. And some of them may even be, I mean, I know they buy licenses for all the standard kind of protective technologies at the moment and they actually kind of unleash of people on them in a similar fashion that we have bug bounty and the rest of it. And even the guy at lockbit turned around and gave a bug bounty out. Did you see that bit?

Richard Cassidy [:

Yeah.

Jim [:

He turned around and said, if you can give over the details, what does he say? He said, if you can give over the details of lockbit Sup's real name over a direct match, they give him a million quid or a million dollars, possibly a few bullets.

Oliver Rochford [:

But it's very much a mirror. It's a mirror of the legitimate supply chain, right?

Jim [:

I mean, this is the difficult thing. We'll go into threat intelligence, we have morals, they do not. And they have, they've done their risk management. It's like, okay, so if we don't invest in security and protecting ourselves and our identities, then we're toasts. We get arrested. And it's horrible to get arrested. I mean, assuming you're in a place where you can get arrested or large group, parts of our group will get taken down. And similar to any organization, you take down a large chunk of, say, their access brokers.

Jim [:

You target access brokers, all of a sudden you're in their economy anyway. It's going to get a lot harder for them to generate money because that's where they get a lot of their access. So they do support one another better. They do spend far better on protecting themselves. And as Richard said, they came back up in five days. I don't know any company, even mid sized company, that could get back in five. You know, it takes.

Oliver Rochford [:

Mean. But what Richard said about the threat modeling, I found really interesting as well, because if I look at developments of ransomware, and I still speak to people who think that, well, we have disaster recovery, so they haven't heard of double or triple extortion. They don't understand that recently a company, so I don't know if you heard about this ransomware group actually notified a regulator about a company about a breach to get them into trouble because they.

Richard Cassidy [:

Refused to pay the ransom.

Oliver Rochford [:

All of these means that they haven't. And so once you start understanding that actually it's not just about restoring the encrypted data, it's about stopping data exfiltration, you have all of these threat scenarios that you can model. And what's the worst case scenario? And what Richard said about identifying your data, what's the worst case if somebody publishes that? What's the worst case if somebody contacts your customers with this data? All of these things that people where you can put a business angle to it, I think is something where. But if you get a good consultancy, you should be doing that, to be fair.

Jim [:

Well, we do a lot of analysis on our customers and how the business runs and what have you, what their key assets are, all the usual stuff that you need to do to build the security and the defense in depth around that, rather than kind of like a one peg fits all. I always say to customers, don't believe what the vendors tell you. Sit down and analyze your own environment first. Don't drink the Kool Aid until you've actually seen what it's made of. And I say, I put that into as a significant part of my book, which I just thought I'd put in a little plug there. But ultimately, you've got to understand your environment and so on and so forth, and you've got to look at your defense in depth as part of that. But I mean, a large chunk of defense in depth now is threat intelligence, because Richard put it quite right earlier on. Law enforcement haven't got bloody clue what they're know.

Jim [:

He was in a government organization, sorry, not law enforcement, government organization. And saying, so what are you protecting? And they didn't know. They didn't know what data they've got. Probably got lots of data on lots of things. And if you believe Snowden, in certain parts of the world, they've got even more data that they probably shouldn't have, and they're still not securing that particularly well, because all it took was one guy to find it and go, oh, look at what these guys have got on ulot. I don't know. I mean, threat intelligence, what tools have we got available to us? I mean, the last section of this, we should probably talk about that. Where are we currently with that? I mean, there's a couple of firms out there that do threat intelligence, but, I mean, how effective are they? Have they rooted down into the deep, dark depths of the dark web and really know what they're talking about, or are they just skimming the surface?

Richard Cassidy [:

Yeah, it's an interesting one. I find it genuinely fascinating in industry that we have the blueprints for thousands upon thousands of attacks in every form of version you can think of. And so as an organization, we already know what's going to happen. We can already play the book that says, here's how you're going to get phished. Someone's going to click on something they shouldn't or download a piece of malware, or it's going to be a zero day in an application you use, which gives reverse shell access or whatever it is, which ultimately ends up in dropping something to take control of privileges to escalate if needed, and then to go and find data and exfiltrate it, preferably. But if not, hackers can take screenshots of things if they don't want to actually send data and bits away. And so why are we still in a scenario where we seem to be surprised every time there's another ransomware breach, there's another malware breach. It's like, oh, wow, gosh, it's still happening.

Richard Cassidy [:

Yeah, it is still happening. But come on, let's learn from what we've seen. I mean, look at it. Whatever your role is in business, risk compliance, cybersecurity, learn from the lessons of the past. Wisdom is knowledge without pain. Now, I'll caveat that with, of course you can't fix things that users are going to do. You can't mitigate every zero day threat capability. But to Oliver's point, what you can do is say, okay, let's assume all that's going to go bang.

Richard Cassidy [:

What is most important to my business, and what risk can I accept in terms of data breach or data mean, really, we want zero risk around that, but that's just not possible. So we have to limit the blast radius, as I call it. And so to come on to your question, James, the industry doesn't help the poor customers. The amount of startups we're seeing year on year offering the latest widget, no wonder CISOs and decision makers are like, oh my God, what do I do about this? It's just insane. The investment in startups is slightly down. I think it's a 451,000,000,000. Oh gosh, I think it might be no million. It's got to be less than that.

Richard Cassidy [:

It's down 31% from 2023. Sorry. The figures last year are down 31%. Apologies. I'll get that out.

Jim [:

Right, yeah, I just add to that. Yeah, I saw 450,000,000 million.

Richard Cassidy [:

There you go. Yes. Interestingly, the countries that the USA, 71,000 startups already, sorry, in last year, India, second place with 13,000. And then if we break that down into its constituent parts, fintech represents the highest percentage of that. Then life sciences and healthcare, which is no surprise, we're seeing some really good innovation there. And then artificial intelligence, unfortunately. And then you've got gaming and a few others, but say cybersecurity, oh my God, how many new companies? I mean, now that I have CISO in my title, if I just showed you my LinkedIn day in, day out, the amount of products that I tried to get sold to go to, and they all do something similar, I really don't know how industry decision makers are navigating this at the moment. There's just too much noise.

Oliver Rochford [:

But it's interesting you say that, because I've discovered that AI is a very good example. In our industry, we have something I call AI poverty. And you can say the same thing for intelligence, because if you're a well funded, mature company, you have a sock. You're Fang, you're maybe a tech provider, you might be a Fortune 1000. You can get a lot of value out of threat intelligence. If you're a mid sized business, you have a deficit, you don't want another source of alerts, you don't want another thing to review. You need something to help you automate stuff. And the quality of EVA is not high enough.

Oliver Rochford [:

Not for the anomaly detection, not for the threat intelligence. You can do the low value, machine readable stuff where you have a list of IOCs, but that is for lowest value you can derive out of threat intelligence. So if you don't have the means to be able to use all of this, you're basically disadvantaged, massively disadvantaged. And we do have a cut off across companies where. And you're right, I spoke to maybe 20 startups over the past six months. One of them out of 20 said they weren't going after the Fortune X. They're driven a bit by investor demands, but ultimately a lot of it is to do with deal sizes. It's hard to grow on very small bite sizes, and more importantly, it's hard to compete when you're trying to do that.

Oliver Rochford [:

So I don't think it's an easy thing in our industry to actually thrive, at least from a VC's point of view. At least from a large money place point of view. If you want to do an IPO or something based on going after the middle market, I don't know how we improve those economics, but it's a problem both sides.

Jim [:

Maybe you should go to the ransomware guys. I mean, those guys are turning some serious dough.

Oliver Rochford [:

Yeah, some people have decided that, I'll be honest, I joke sometimes, if bitcoin would have been around 25 years ago, I would not be working for a vendor. Right.

Richard Cassidy [:

You made a great point which serves that. Even though it's tongue in cheek, James, it serves what I'm about to say. To get into the industry today, into the commercial industry, is bloody difficult, harder than I think it's ever been. And thank God I've been around long enough that people seem to take my experience as gospel, and that's a good thing. So these poor women and men, teenagers more than likely are probably looking at this thinking, oh my God, I've got to get all these tick boxes, all these certifications, or I could just join that group here and maybe look at learning stuff like this, because that's an easier path into it. And then before they know it, they're sucked into something. They're making easy money, and there's a relative level of anonymity, so we're not doing ourselves any favors. We're making it difficult for these relatively talented people to get onto the light side of their force, rather than being enticed by the dark side.

Oliver Rochford [:

But that's what I meant about some countries basically having this oversupply of technical people. If you have the skill set, but you can get a good legitimate job, it's an attractive avenue. What are you going to do? Not work? And in some countries, it is sometimes the best option that people have available. Another thing where we have to change the economic incentives, right?

Jim [:

I mean, in all honesty, I think the best defense that we can have threat intelligence is in the people that we have looking after our organizations, it's experienced, well rounded, well trained individuals, trained from the community, not from some arbitrary, I'll be honest guys, university course, which is like seven years out of date. I mean, okay, you can learn a few things, I'm not saying you can't, but this market moves so bleeding quick. 1 minute you're all up to date, five minutes later you go on holiday and something else happens and you have no idea what's going on. And it takes you a bit of time to catch up. You can't rest in this kind of industry, us on the light side as we keep terming it. We're constrained by budgetary problems, by ethics, morals and all the rest of it.

Oliver Rochford [:

And stupid, a lot of it is just held back by stupid, let's be honest.

Jim [:

I didn't want to say that. But yeah, there are certainly some interesting people who have interesting opinions who aren't in the information security community or don't have any idea what they're talking about. I think this is the dangerous thing. And I think the only answer to the criminal industry in cybersecurity is by trying to outperform them from a protective view through the people that we have. Yes, you'll need tools, you'll need all kinds of stuff. I'm not saying that vendors don't have their place. I do wish vendors marketing, and I know you do a lot of marketing, Oliver, so I apologize. I do wish they didn't say that whatever their product was, was the be all and end all and will save the whole universe if you buy it.

Jim [:

If you'll invest the quarter of a million dollars in their product and then you spend the quarter of a million, you realize it doesn't actually do anything that it said on the tin. And now you're quarter of a million out of your budget and your boss is saying, well, why did we buy this useless pile of rubbish that sat there in the corner?

Oliver Rochford [:

I hate that marketing. I die on that hill on almost every job. But I get outvoted. I'm sorry, I get outvoted. I don't understand it either, but apparently it's all revolutionary and game changing, so let's just move on. Honestly, I said this, that's my test for marketers to hire them. If they write a press release where it says revolutionary and game changing, I will not hire them. Honestly, it's so meaningless at this point, but you will see it at almost every second press release and it's lost any form of meaning at this juncture.

Oliver Rochford [:

We've had so many revolutions we've changed the game so many times. Wow, no wonder nobody knows what's going on.

Richard Cassidy [:

Listen, it's been trial by fire, having worked in marketing as well, and technically I suppose I still do a little bit. I had no idea just how much crap people in my position got and the crap that I was sending the very same people only a few years ago. So I'm a convert. I haven't been converted. We need to stop the FUD. But I don't think it's going to stop, I'm being honest with you. But back to a point of threat intelligence. So I talked about something podcast ages ago as well, James, or something about kind of the tribal knowledge or the tribal security awareness kind of model.

Richard Cassidy [:

What I was referring to was what has now become regulation. So a good example of that is NIST two and Dora both have very specific articles related to threat intelligence information sharing, not just up to the ESAs. So therefore the regulator assessors themselves, but amongst your peer organizations. And I think that's the kind of right shift we've needed. Because in my opinion, even if you subscribe to threat intelligence as a service models, the issue that you tend to find is deriving context of those threat intel fees to your organization. And you typically need a full time team internally just to derive that context. And by the way, AI is not the answer there because there's a long way to go and that's probably another podcast. But it's good to see that regulations are making companies think about this.

Richard Cassidy [:

How do I gather threat intel? What's the context of it? How do I share it? When do I know how to share? This is the right shift, I think, because it's great that we all consume threat intelligence, but what we've got to do is make sense of it and then share that sense laterally, in my opinion.

Oliver Rochford [:

But there's a cultural problem when half the industry beats up on someone who discloses a breach, there's a disincentive to disclose breaches or intelligence. And so we need a cultural change there. I remember a survey that Gartner did, I think it was in 2014, 2015, and they asked Cesos would they share threat intelligence to receive it for free or rather pay and not share. And it was like 60 something percent in Europe said they'd rather pay and not share. And of course the whole logic there falls apart. Share what? Like if you're not sharing, what are you buying? Where's this intelligence supposed to come from? And so there's a cultural issue there, but at the same time. As long as a competitor is willing to beat you up with it publicly, as long as vendors are willing to use it for FUD, people are not going to want to share that information. There has to be a better understanding that you're going to get breached.

Oliver Rochford [:

It's going to happen. And we've been trying to put that across, but it hasn't stuck. There's still a lot of ambulance chasing going.

Jim [:

Mean, I know we're coming to the end of our time rapidly. I'd just say the information security community at large, not the vendors, not the organizations, the OS organizations like Microsoft and Google, who big tech and so on and so forth, information security people and individuals on the whole, okay, we've got a few lunatics in here, a few weirdos, but we can work miracles when we actually get together, let's be honest, because we're all in the same role and we all understand how difficult it is. I don't think other than a few very interesting personalities who have obviously got very large egos, most conversations I have with any other infosec professional in this industry is really positive and they're willing to share info. It's like, oh, yeah, no, we had that problem. It was absolute nightmare. This is how we fixed it. Yeah, they won't do it publicly, but they will talk amongst one another. And it's just a shame we can't continue to do that because you're right, you get demonized by your competitors.

Jim [:

But I don't think it's not the infosec professional that's demonizing anybody, it's the marketing team. But saying, oh, look, they had that big problem. Don't use them, use us. We didn't have that problem. And it's the business trying to capitalize on somebody else's misfortune where it should. I mean, wanna cry? Let's look at that. That was a good time when loads of people got together and they went, right, we've got this problem, ok, how do we fix it? What have we found? What can we do? And I think it was like Microsoft had to put a load of patching into their browsers and Google was involved. A number of other people were involved as well.

Jim [:

We can, as community, come together to work really well. But I don't know how this Dora information share thing is going to, to, who's going to create the forum for that? Who's going to regulate that forum? Who's going to incentivize companies to join that forum?

Richard Cassidy [:

Yeah, well, that's a deeper conversation on the Dora side, which I think we will do at some point. Jenks.

Jim [:

But we have that coming up. I believe.

Richard Cassidy [:

Yeah, there are some really good prescriptive capabilities, but directives as well, and mechanisms that you'll be able to bake into. And some of the data is anonymized as well, which is good. All of this point, companies don't want to say, hey, this is what happened. Here's how I messed up. It's not good for business and not good for consumer confidence. But just back on the point about the industry, we proved you both might remember the red Goat group that spun up during COVID-19 the cyber volunteers. I believe Lisa was one of the leaders of that. I hope I'm right.

Richard Cassidy [:

I'm pretty sure it was Lisa that was a great example. And listen, I was a part of that group as well. And I was involved in some reverse engineering of malware activities with people that I know were not always on the light side of the fence because of the skills that they add and the way they referred to themselves and some of the tools I was watching them use. So we do have the ability to, and I'm not saying good at light and good are going to come together and balance the force here, but when there's the need arising assessing the motival invention, we showed in COVID-19 that we could bring threat intelligence community together to better serve health care in this case. So there are lessons we can learn lessons from these good initiatives that occurred in the last two or three years. And I think that's largely what some of the DOR and NIST two directives are doing. They're saying, we know we can do this, we know we can do it in a way that's safe and pseudonymizes some of the source data. And by the way, forget that.

Richard Cassidy [:

We know we have to do it, we have to do it. It's one of the most underserved elements of threat intelligence is this tribal knowledge capability. And the NCSC in the UK can't even handle the amount of data they've got. They said themselves, we have too much data to disseminate out to third parties that we can't do. And so they're struggling. So the only way to solve the problem, I think, in industry terms, is for the customers to kind of come together and share that data in a way that is possibly not going to expose them, of course, to Oliver's point. But it's the only way to really tackle this, because siloed operations have failed us for the last 30 years.

Jim [:

I could build an AI for that.

Richard Cassidy [:

Yeah, chat GPT. Off we go.

Jim [:

You can see Oliver dying a little bit inside there. If you're watching the video, I'm about.

Oliver Rochford [:

To write you a check. Matt.

Jim [:

That'D be very nice. Thank you very much. But no, I think there's definitely more to discuss out of this one. Obviously the whole door and kind of like this stuff as well. I know we've got something planned coming up for that. Obviously, AI has been beaten around the head quite a bit, but no doubt that will come back as well. It's going to be interesting to see how things pan out. And I always say this at the end of these types of things, because we do tend to talk about current events and future technology, that kind of stuff, where we think it's going.

Jim [:

And I think at the moment, security is so moving in such a kind of not strange direction, but I can't see where it's going to go. For the first time in my career, I'm finding it really difficult to predict where we're going to be in five years time. I normally have a pretty good view, okay? You get blindsided and there's new things that come out that you didn't expect and what have you. But anyone in Infosec can normally kind of see where the track record is kind of going. I can't see it anymore. I see too many vendors, too many companies buying other vendors and turning these random products into some random technology. We're seeing ransomware getting worse and worse and worse. And because it's worth so much money, I don't think it's going to change anytime soon.

Jim [:

I don't know where we're going to be in five years. It's weird. Maybe it's just me. Maybe other people out there have a much better review. But it's okay.

Richard Cassidy [:

We'll have agi by then. We'll be fine.

Jim [:

Yeah. And I can have it in my chip, in my brain.

Richard Cassidy [:

Oliver, I'm surprised you didn't jump in immediately.

Oliver Rochford [:

Given a long enough time. Know, maybe. I don't know.

Jim [:

Yeah, one day you'll embrace the AI, Oliver. You'll let it brain.

Richard Cassidy [:

You'll become an ascensionist like me. He'll do it.

Oliver Rochford [:

I'm waiting for all of you lot to upload yourself and then pieces, then.

Jim [:

Lord it all over us with your biological form.

Oliver Rochford [:

Just quiet.

Jim [:

Absolutely fantastic talking to you guys. And I hope all of you out there had some good laughs and some good insights as to kind of what we're seeing in the market and threat intelligence and the whole lockbit thing. It's important that we have these discussions and we continue to kind of generate content that makes you think as well. So if there's anything out there that you guys want to hear us discuss or you want us to kind of maybe add a little bit more information to or debate, obviously we like a good debate. The AI debate went on for quite well. It was one of the most downloaded episodes. So just let us know and we will cover these points. We've got all kinds of content that we're going to be covering going forward.

Jim [:

So to my co hosts, Oliver and Richard, thank you ever so much, as per usual, for coming in and talking complete weird technology and jibing one another about whether or not we're going to have an AI in our brain for the last, like 50 od minutes. It's always a pleasure, and I'll let you get back to your normal day to day jobs now.

Richard Cassidy [:

Awesome. Thanks as always. Awesome. Great to be with you, Oliver, pleasure. Yeah, awesome.

Jim [:

Just Oliver, not me. That's okay. That's all right. So, to all of you out there watching, thank you ever so much. We will be speaking to you again soon. Please feel free to click the notification and if you're on YouTube, like share and subscribe. If you're on Spotify equally, please feel free to sign up and get your regular notifications when new content comes out. And we will be speaking to you again soon.

Jim [:

Thank you very much and goodbye. Thank you for listening to the Rosewire podcast. If you like the podcast, if you love the podcast, please feel free to subscribe and if you have any questions, please get in touch. Thank you very much and have a great day.

Links

Chapters

Video

More from YouTube