Lessons From Real-World Threat Intel, IR for Ransomware
Palo Alto Networks' Wendi Whitmore Shares Insights on the Evolution of Ransomware
As ransomware attacks keep growing around the globe at a brisk pace, threat intelligence and incident response plans are now vital for enterprises. After a ransomware attack, being curious, asking more questions and figuring out if there are more pieces to the puzzle that need to be put together are all important skills. But keeping calm and engaging external reinforcements with more experience are equally important and therapeutic, said Wendi Whitmore, senior vice president and head of Unit 42 at Palo Alto Networks.
Responding to ransomware attacks not only requires technical expertise but also can be extremely exhausting for IT teams, causing chaos within the organization. Therefore, it is crucial for organizations to have a comprehensive plan in place, according to Whitmore.
Many ransomware operators "are moving just toward extortion," Whitmore said. "So I'm going to steal the data, and then I'm going to ask you to pay me so that I don't release it on the internet. What they're not doing as much is encrypting the data because it takes a lot of time, money and effort."
Attackers are also contacting CEOs, their spouses and children to put pressure on decision makers. "Attackers are continuing to leverage time as a pressure valve to essentially try to get to decisions faster," Whitmore said.
In this video interview with Information Security Media Group at RSA Conference 2023, Whitmore also discusses:
- What ransomware victims should never do;
- New tools and strategies of ransomware operators;
- The need to have partnerships for defending against ransomware.
Whitmore is a globally recognized cybersecurity leader with two decades of experience building incident response and threat intelligence teams that have helped clients solve some of the world's largest and most complex breaches.
Mathew Schwartz: Hi, I'm Mathew Schwartz with Information Security Media Group. It's my pleasure to welcome back to the ISMG studio, Wendi Whitmore, senior vice president, Unit 42, Palo Alto Networks. Thank you so much for returning to our studios to share your insights into threat intelligence, ransomware, other things with us today.
Wendi Whitmore: I'm excited to be here. Thank you.
Schwartz: So ransomware and threat intelligence and what the cybercriminals are up to. I want to start with a little session you did at RSA Conference 2023. It was on real-world threat intelligence and incident response - lessons learned. What are some of the themes and takeaways that you highlighted from that session?
Whitmore: I have to say that was one of my favorite sessions that I've probably ever participated in, in large part because we gave the audience a lot of homework. And so, in particular, we gave them homework related to them being more prepared for incident response. We also got tweeted as the calmest panel at RSA in a very complimentary way, because we were talking about pretty chaotic times. So we focus a lot on what are the first 24 hours like during an incident response investigation? What are you trying to figure out? And what do you need to avoid doing? So things like being skeptical of the information that you're presented with - equal parts looking to prove and disprove the information. So not going in with a bias of data that you feel like you already know what the answer is. Being curious and curiosity being such a skill in our field. So being able to take a piece of data, not only be skeptical, but turn it on its head, ask more questions, figure out, are there more pieces of this puzzle that we need to be able to put it all together? And what are they? And then I also recommended one of I think our core strengths at Unit 42, which is being calm. A lot of these times you're going into a situation, it's a Friday night, you've got people who have been awake for 24 hours plus, because by the time they decide to engage an outside team, they're often at their wits' end. We've been trying to figure out these solutions, and now we can't, we need reinforcements. And it's chaotic. And so coming in with essentially a bit of a therapeutic angle of, we've done this before, here's what we need to do. Here's that specific game plan we need to follow over the next 12 to 24 to 72 hours, and then establishing that credibility, but bringing a sense of calm to the situation.
Schwartz: That need to think critically about what you're being presented with, chase it down to prove or disprove it, and also not denying it. It's almost like a stages of guilting - not denying it from the outset. But saying, what if and then interrogating that. Is that something you've seen? When you look at incidents often happen with people saying, no, this can't be true. And then 24 hours or 48 hours later, oh, it is true!
Whitmore: Absolutely. So whether it's a big multi-nation kind of situation, for example, a Log4j or SolarWinds, or whether it's confined to one organization, the challenge I mentioned, it's chaotic. And it's not only because of the emotions running through, it's because the data is changing. It's so dynamic during that time period. The worst things an organization can do are two things. One, what you mentioned, which was deny that there's a situation occurring and not look into it. Conversely, though, what they can do is share too much data too quickly before they have the facts. I mentioned that this data is dynamic, especially during that first 24 hours. So what you want to do is share the information needed to protect clients, and needed to meet regulatory obligations, for example, to abide by laws. But what you don't want to do is share information that you're then going to backtrack, because you've now found new information and everything's changed.
Schwartz: So practice, I think, would maybe be a takeaway here. Plan for how you're going to respond so that you can have this calm demeanor that you clearly evinced during the panel today.
Whitmore: Absolutely. And with regard to practice, we gave the audience some specific homework. In particular, Lesley Carhart, who I presented with, gave them the specific action. I had talked about when you're in these types of situations, you need to think and plan for people who need to go home at some point; who need to get some sleep; who maybe after a week onsite, need to rotate out with another team member so that they can go home and spend some time with their family. And Lesley challenged the audience to make that part of your incident response playbook, like have this documented. These are the actions we're going to take, here are the shifts that people are going to work, here are the escalation paths toward that, and here's how we're going to get through this crisis because it's not just the first 24 or 48 hours. Oftentimes, these can last for weeks, and in big cases even months. So we've got to be able to plan for that.
Schwartz: It's great to hear takeaways from the incident response engagements you've worked on. I think that dovetails so nicely with threat intelligence - just because you're getting the intelligence doesn't mean you've got the processes and procedures in place, so that your people know what they're supposed to do. And so I want to shift now to ransomware. Because I think it's not the only threat facing organizations, but it's clearly a very innovative one on the part of criminals, and points to a lot of the challenges that they're having to deal with these days. So if you will, fill me in just a bit on what you're seeing on the ransomware front in terms of trends or new tools used, for example, or strategies by groups that the organizations that you advise are having to respond to now.
Whitmore: So in regard to ransomware, it continues to be super prevalent. It is still everywhere. And I think many organizations have experienced ransomware. The good news is they're being more effective at dealing with it. One of the interesting trends is a move toward extortion combined with threats. And so I'll explain what I mean there. It used to be that attackers were encrypting data and asking to be paid for that to have it restored back. And then they might threaten to extort you, they might threaten to wage a DDoS attack against you. They might threaten to share that information with your most sensitive clients. Today, what they're by and large doing is moving just toward that second stream, which is extortion. So I'm going to steal the data, and then I'm going to ask you to pay me so that I don't release it on the internet. What they're not doing as much is encrypting the data, because it takes a lot of time, money and effort. So they're looking to say, I'm going to steal it, and then ask you to pay me and force you to pay me in many cases - money on the back end. What we're also seeing in combination with that, though, is this threatening element. So it is not uncommon today for a CEO to be initially reached out to directly, for example. A CEO, CISO, a CFO, maybe the head legal counsel for a company to be reached out to initially via company email and other types of communication means. But if those responses go unanswered, then attackers often will go to the CEO's spouse. Find their social media account, figure out who they are, and message them directly. And same with children and other family members of executive staff. So it's become an interesting element, you can imagine going home and having your spouse ask you, why haven't you dealt with this situation yet at work, for example? That's probably not something that many executives want to hear.
And so, attackers are continuing to leverage time as a pressure valve in order to essentially try to get to decisions faster.
Schwartz: They are such experts, unfortunately, at the psychology of pressure. I hadn't heard of this before - going after the spouse or the kids, having them come to you and say, what do I need to ask you about a ransomware attack, mom, dad?
Whitmore: Having to deal with this at home now too.
Schwartz: I know on top of everything else. So there's been a change. I know Cobalt Strike, for example, has been a widely used legitimate tool, but widely abused tool by ransomware groups. I'm hearing there's been a shift toward some other tools. I think to help complicate their attacks. What have you been seeing on this front? Is it the Brute Ratel, I believe, that they're trying to use now?
Whitmore: So we absolutely continue to see Cobalt Strike. But Brute Ratel is a newer tool that's been released, with similar capabilities to Cobalt Strike, but it also has more ability to obfuscate their traffic in Slack, for example, Microsoft Teams and other types of social media applications, which makes it pretty challenging to detect. I think what we're also seeing is the reality: it could be a nation-state actor that's using that tool. It could be a legitimate red team or a pen tester using that tool. And it also could be a cybercriminal actor. So we're seeing a huge convergence of the tool sets. And this mentality - I talked in the previous comment about attackers saying, I'm not going to encrypt the data, because that's just a lot of effort - is, in the same sense, moving toward efficiencies. And so using whatever tool is available to get the job done, regardless of who created it.
Schwartz: And not the first time we've seen nation-state attackers using common tooling or tactics in order to try to obfuscate their identity, I suppose.
Whitmore: Absolutely. It makes the defender's job more difficult to determine who's responsible, and it's a good thing for the attackers.
Schwartz: And how concerning or not that sort of incident may have been. Well, I'd like to shift then as a final question to the role of partnerships in advancing cyber diplomacy. That was another panel on which you participated - you were very busy at RSA this year. Partnerships have been, are being and will be key, I think, to combating such things as ransomware. What were some of the takeaways you might highlight from that panel or advice that you have based on it?
Whitmore: I think what I would leave you with is there's no one tool in the toolkit. There's no one source of data that's going to be the silver bullet for solving this problem. And so what it takes is technology working in tandem and in heavy alignment with diplomacy with sharing of information, not only between public and private partnerships, but private and private competitors, for example. And within the government sharing that not only within interagency collaboration, but with allies throughout the world. So all of that is responsible for us to drive the ball forward.
Schwartz: And we've been seeing that, I believe, with a number of initiatives on the government level, and increasing private initiatives as well, to share more in the way of the threats that are being seen. It's been a long-standing thing, I think, that security researchers have done, but I believe it's being done more programmatically now. Cause for hope here?
Whitmore: I'm optimistic about it. No doubt about it.
Schwartz: Excellent. Well, Wendi, it's always a pleasure to have you in our studios. Thank you so much for your time and insights today.
Whitmore: Thank you. Have a great time.
Schwartz: Thank you. I'm Mathew Schwartz with Information Security Media Group. Thank you for joining us.