Podcast: Are You Prepared to Respond to a Destructive Malware Attack?

August 6, 2019
25 min read

Listen to this podcast on Apple Podcasts, SoundCloud or wherever you find your favorite audio content.

On this week’s episode of the SecurityIntelligence podcast, Pam Cobb digs into the dangers of destructive malware with the help of IBM experts Wendi Whitmore, director of the X-Force Threat Intelligence team, and Charles DeBeck, senior threat intelligence researcher at IBM Incident Response and Intelligence Services (IRIS).

What Is Destructive Malware?

As DeBeck notes, destructive malware differs from more familiar ransomware variants because it “has the capability to render an effective system inoperable and also challenges reconstitution.” Instead of using cryptographic techniques to block file access while leaving the system otherwise functional, destructive malware strains are designed to break corporate systems by deleting files the operating system needs or by overwriting master boot records.

According to Whitmore, destructive strains have broadened their horizons over time. In 2012, the Shamoon malware targeted Middle Eastern oil and gas companies. By 2014, Sony was under attack and, more recently, NotPetya and LockerGoga threatened systems worldwide.

DeBeck also points to evolving use cases. Five years ago, this threat “was all nation-states all the time.” Today, cybercriminal groups are targeting private enterprises with destructive tools, “which really expands the potential for harm.”

Minimize the Impact of Destructive Attacks

While the cost of a data breach climbed to $3.92 million in 2019, dealing with a destructive malware deluge is 61 times more expensive, coming in at $239 million on average. In many cases, systems must be rebuilt from scratch, users retrained and new security measures put in place — in addition to dealing with the long-term psychological impact these attacks have on both staff and the C-suite.

So, how can companies boost their defenses against destructive malware? DeBeck recommends creating a wide-ranging incident response plan to handle destructive attacks and pairing it with artificial intelligence (AI) solutions to identify critical assets and risks. Another key element is multifactor authentication (MFA). “A lot of times, we saw destructive malware … using credential compromise to get in initially,” DeBeck explains, “in which case MFA would help prevent the initial infection.”

Whitmore highlights the need to test incident response plans under pressure rather than simply having plans “on the books.” Also critical are external communications: “How do we communicate to the world about what’s going on — especially if our normal communications mechanisms are not operable at the time?”

Continuously Evolve Your Incident Response Plan

No response is perfect. As noted by DeBeck, “An organization really needs to take a step back and think very long and hard about what went well, what didn’t, and discover what they can do to improve not only their response process in general, but also what they can do to improve their network defenses.”

This includes identifying how attackers gained access, what they targeted and how they moved within the environment. He also highlights the need “to hunt for attackers within your network to make sure that they’re gone.” Cleaning and remediation do no good if attackers are lurking just out of sight, ready to compromise systems again. Specifically, this means ensuring that any backup images used to restore data are clean and that critical vulnerabilities have been addressed.

Whitmore notes the role of improved communications in both pre- and post-attack planning. The right statement can go a long way toward assuaging user concerns and giving IT teams time to identify and eliminate critical issues.

Destructive malware is diversifying, targeting industries worldwide with the threat of complete system failure and massive file loss. Effective protection demands proactive defense, improved communications and continuously evolving incident response plans.

Download the report: “Combating Destructive Malware: Lessons from the Front Line”

Episode Transcript

Pam: Hey, David, do you know the difference between ransomware and destructive malware?

David: I have a feeling you’re going to school me on this a little bit. I think ransomware is something that comes in, encrypts, and you pay to get your data unlocked if you paid a ransom. Destructive kind of suggests to me that it doesn’t have an option to pay, like things get broken. What is the difference, Pam?

Pam: Well, you’re exactly right. I love correcting people. I’m fortunate to be in a job where I get paid to do that. So the key distinction between destructive malware and ransomware is that, with ransomware, there’s a chance you can get it back if you unencrypt your data. With destructive malware, it is like ravaging the field and lighting it on fire. Not only can you not access the system, you also can’t get the operating system back.

David: Whoa. So, who uses that?

Pam: Bad guys.

David: Yeah, that seems like it.

Pam: This is the “Security Intelligence Podcast,” where we discuss cybersecurity industry analysis, tips, and success stories. I’m Pam Cobb.

David: And I’m David Moulton.

Pam: We were lucky to have two experts from the IBM X-Force IRIS team. They joined us on this episode to really break down the evolution of destructive malware, the impact of these kinds of attacks, and how organizations can take precautions. Here’s our conversation.

Okay. So, I’m excited today to be joined today by Wendi Whitmore and Charles DeBeck from our X-Force IRIS organization. Wendi, would you take a moment to introduce yourself?

Wendi: Hi, Pam. Yes, I’m the director of our X-Force Threat Intelligence team and that team is made up of researchers and analysts coming from all over the globe that specialize in cyber threat intelligence and really understanding what the attackers are doing, why they’re doing it, you know, what their objectives are, and then ultimately how we can use that knowledge to improve and help out our clients across the globe.

Pam: Great, and in addition to Wendi we’re pleased to welcome back Charles DeBeck. Charles, would you give the audience a refresher on your role?

Charles: Absolutely. Thanks, Pam. My name’s Charles DeBeck. I’m a senior cyber threat intelligence researcher here at IBM IRIS. I have experience both in the public and private sectors and I’m excited to look into cyber threat intelligence today as part of the IBM team.

Pam: Great. So we’re here today to talk about destructive malware. So could one of you please give us an overview of what is destructive malware and how is that different from just regular old vanilla malware?

Charles: The way we define it here at IBM is that destructive malware is malicious software that has the capability to render an effective system inoperable and also challenges reconstitution. Now, both parts of that definition are important. Destructive malware renders it inoperable, so what that means is a system is taken offline. You can’t get it back online. But, in addition, it also makes it difficult for the affected entity to reconstitute. It’s tough to get the system back online after it’s affected.

This is what differentiates destructive malware a little bit from traditional ransomware. With traditional ransomware, it’s a cryptographic thing. It’s something where you encrypt a bunch of systems and in theory, you could reconstitute but simply using a decryption key. Destructive malware is on the far side of that, where not only does it make it that you can’t access the system but also you can’t get the system back. There’s no master key that makes it so you can just turn things back on.

Oftentimes, we see destructive malware causing destruction through the deletion of files that are critical to the operating system from being run and sometimes we see them overriding the master boot record. This is something we’ve seen in a more traditional variant of destructive malware like Shamoon. Once that master boot record is overwritten, it corrupts the device’s hard drive partition code and renders it completely ineffective. So that’s destructive malware at a high level.

Pam: So you mentioned Shamoon. What are some other well-known examples that the audience may be familiar with and how have those changed over time?

Wendi: That’s a great question. I think we see a lot of changes over time. One of the first, kind of most public examples of destructive malware occurred in 2012 with the Shamoon attacks, and what we saw is that a Middle Eastern oil and gas company was targeted and specifically had over 30,000 workstations within their environment that were essentially destroyed. So as Charles mentioned, had their master boot records wiped, written over and ultimately made an investigation and a quick recovery very difficult.

Since then, we’ve seen a wide variety of these attacks. Another really prominent attack occurred against Sony in late 2014 and we saw, again, the impact that that had on that organization. That was coming from a different nation-state actor, if you will. And then since then, we’ve seen multiple further variants of Shamoon. So we’ve seen Shamoon 2, we’ve seen Shamoon 3. Again, really targeting that Middle Eastern oil and gas sector but then we’ve seen ransomware repurposed as destructive malware, and specifically in 2017 with the NotPetya attacks. Those occurred throughout the globe, right.

So, again, a fairly nation-state or geopolitical objective that it turned out to be in terms of organizations doing business in the Ukraine and having Ukrainian tax and accounting software compromised. When updates were sent out for businesses, again, throughout the globe that use that software, they essentially downloaded and installed an update that ultimately went in and wiped thousands of computer systems throughout companies across the globe.

And then most recently, we’ve seen attacks with the LockerGoga ransomware, which also had wiper capabilities and those attacks really targeted toward manufacturing industries. So across the board, while this might have started in one sector we’ve really seen it broaden across the board to different sectors and different types of organizations.

Charles: I think the really interesting change here that we’ve seen in destructive malware over time is I think if you had asked me this question five years ago, I would have said destructive malware is used by nation-states against nation-states to further nation-state interests. It was all very nation-state focused. And it also was very clear what destructive malware was. There was a category for it. It was destructive malware found in this nice, convenient bin.

But over the last five years, we’ve really seen this categorization expand and, sort of, branch out into other categories of malware that we wouldn’t have historically classified as destructive malware. And the reason for that is we’re seeing a lot more overlap with these destructive capabilities in ransomware variants. In these other groups of malware that have another purpose but in addition, can be used as destructive malware.

We’ve also seen a branching out of who’s using this type of malware. Again, historically it was all nation-states all the time. Nowadays, we’re seeing criminals using destructive malware, as well, which really expands the potential for harm as a result of this particular type of malware being used. So I think that’s where a trend of moving from just nation-states to a broader use and a broader purpose of destructive malware really heightens the risk this particular type of malware has for organizations.

Pam: And from my perspective, knowing that one of the earliest examples is Stuxnet and it’s kind of the oh, this is the physical manifestation of cybersecurity in Hollywood terms where you see a piece of, you know, cybersecurity lore suddenly is affecting the real world. It’s no longer just only happening on computers. It’s legitimately shutting down businesses.

Charles: Right, there’s still the capability that we’re seeing out there for malware to be used to cause physical impact and physical ramifications, but the vast majority of malicious actors, which constitute criminals, those folks are much more interested in, “How can we use this to make money?” And we’re seeing that for a long time they sort of ignored destructive malware and said, “No, there’s no real profit motive there.”

But now we’re starting to see that they can use these wipers to be a very effective threat and really effectively blackmail their victims into convincing them to give them money, and I think this is where we’re going to start seeing more change in this space is as threat actors realize the potential profit motive that can drive destructive malware, we might potentially see more of this activity in the future.

Pam: Okay, so you’re seeing more of a shift from public sector into the private sector is what it sounds like.

Charles: I think public sector has always been there. I think private sector is just starting to catch up if that makes sense.

Pam: What are the impacts of this beyond some of the physical repercussions?

Wendi: So one of the biggest impacts, and I think Charles really led into it well in talking about the financial aspects, not only do the attackers want to leverage these to potentially make money for their objective, but ultimately the impact to the victims of these attacks is pretty remarkable.

What we see is on average, the average cost of one of these attacks — a destructive incident versus a traditional breach — is actually 61 times higher. We see that number being for destructive attacks, on average, costing almost $240 million U.S. dollars, so coming in at $239 million versus just under $4 million for the cost of a more traditional breach. So, again, 61 times that cost, pretty massive.

The reason for that is a variety of factors. Probably one of the most prominent is just the reality that there are more systems on average impacted during a destructive malware event. So from our research and the places we’ve responded to, we’ve seen that being over 12,000 machines on average that are involved in a destructive malware attack. So that not only means that you need to look at, you know, rebuilding each of those systems. Those are usually a pretty wide variety of work stations. They also include servers and a lot of times infrastructure.

So if an organization not only has to, kind of, get their employees up and running so that they can get back to business and start, you know, essentially doing their job to make money for the organization, there’s actually a real time cost to rebuilding an infrastructure and that’s what we’ve seen, you know, when you look at quantifying the impact of the NotPetya attacks, which were quite public and you saw an organization like Maersk, who came out and has shared a lot of details about the cost of that. And they’re now in the hundreds of millions of dollars that that impact costed. That that breach costed and had an impact in their environment.

And it’s also…you know, one of the stats that we track really frequently, both in the cost of a data breach study as well as just in responding to our clients is, you know, the fact that time is money. So we know that the shorter time an organization takes to respond to an event, to investigate it, and to remediate and contain it then the more money that they’re going to save. And for these smaller breaches, that’s on average over $1 million. Meaning if an organization can investigate and remediate a breach within 30 days or less, they’re going to save on average $1 million out of that just under $4 million cost.

That’s significant but when you look at these type of destructive breaches where, you know, it could take weeks in a good circumstance, right, weeks to rebuild infrastructure, from rebuilding SharePoint servers and domain controllers and active directory, and in some cases, if these numbers get large it will take months. And so it’s not only that, you know, kind of cost of lost business or redirected efforts for the team from their primary jobs, but it’s legitimately not being able to, you know, service their existing clients because they are focused on just getting back to the basics. So, you know, these numbers, again, when we look at destructive impact versus regular impact of a breach, highly significant when it comes to destructive attacks.

Charles: One other element that we came across in our research when we were looking into what are the impacts of destructive malware was the sort of quality of understanding that in addition to all the numbers that we just threw at you in terms of the impact of destructive malware, there’s also a loss of hope. There’s a psychological impact on the affected organization because unlike other forms of malware where there’s some hope of reconstitution. You sort of think, “Well, this is bad but we can figure out a way to get back to it.” Destructive malware is partially intended to really hammer psychologically at the organization and oftentimes that harm can be long-lasting in terms of the impact across the organization. So that was another element that we’ve found that was a significant impact for destructive malware.

Pam: So knowing this long tail of fact, you know, beyond the immediate, “Oh, no. Our business shut down.” What are some things that organizations can do to protect themselves against destructive malware?

Charles: So one thing that was interesting that we came across in our research was that the destructive malware attacks that we found tended to follow very standard-issue initial infection vectors. We saw things like phishing, credential compromise, watering hole attacks, compromise of third parties to get into an organization. These sorts of initial infection vectors aren’t new and are not novel and they’re not really unique to destructive malware. A lot of times these are things you’d see associated with all sorts of malware groups.

So in terms of what you can do to preemptively protect yourself, a lot of these recommendations are going to be very similar to what you’d see for other malware types. But from a strategic level, I think the number one takeaway that we had was that you need to make sure you have a response plan for what you’re going to do for a wide-ranging destructive attack, and then you need to test that plan under pressure. You can’t just have a plan, sort of, on the books and then never test it without knowing how it’s going to be effective. And you have to test it under pressure to know what will the organization do when a significant attack is actively affecting the organization and you’re finding yourself suddenly underwater with a number of machines that are going down.

In addition, we also recommend using threat intelligence to understand the risks to your organization. What are the critical assets? Where do you need to build your defenses intelligently so that you can make sure that you have things protected effectively based on the different risk profiles for your organization?

One general good recommendation that we have for protecting yourself proactively is implementing multi-factor authentication. A lot of times we saw destructive malware either using credential compromise to get in initially, in which case MFA would help prevent the initial infection, or alternatively, we saw destructive malware being spread by leveraging credentials to move to other machines laterally, which would also be prevented using multi-factor authentication. So in both instances, multi-factor authentication implementation is a critical component to effectively protecting against destructive malware.

And the final recommendation I’d have is very standard-issue for a lot of malware groups but especially important for destructive malware and that’s patching and hunting. Doing a good job of patching your systems, making sure that all of your systems are protected and up-to-date to prevent that rapid, widespread attack of destructive malware. So once it’s within the boundary, making sure it can’t laterally move so quickly you can’t contain it and also engaging in hunting activity to try and determine if threat actors are already within the environment and where they might be hiding so that you can stop them before they could unleash destructive malware within the organization.

Wendi: And, Pam, I think to add to Charles’ point, so specifically testing the response plan under pressure and we see that with a lot of organizations, where they’ll create playbooks, right, and run books and have an idea of how they may respond but a lot of times those can be fairly isolated. Where they may be for one division, for example. The security division or the IT division versus really having them be multi-stakeholder type of playbooks, right.

So if an event like this happens, especially in the case of a destructive malware attack, communications from that company to their internal employees are absolutely critical, as well as their communications to the outside world. So we see the ability to need to be able to know how to get ahold of employees offline. For example, if you don’t have access to, you know, the internet directory or some sort of an internal yellow pages type of functionality because computer systems are rendered useless, can you figure out how to get ahold of employees via, you know, phone? Do you have home phone numbers, for example? Do you have offline communications and an ability to set that up?

And then, you know, equally as important, I would say, are those external communications. So how do we communicate to the world about what’s going on? Especially if our normal communications mechanisms are not operable at the time. And we saw an example of this done very well with that Merck case with NotPetya, where the CEO actually used Twitter as a platform to communicate that, you know, “We are under this type of attack. I’ve instructed all of my employees to do what’s right by the customer so that we get your goods to you.” For example, in the case of a shipping company. “We get them to you and we will incur the costs and deal with that later.” And that gave the world a lot of confidence that, you know, “Hey, these guys are really operating under a crisis mode right now but they’re doing what’s best for their customers. They’re putting us first and foremost.” And we saw, actually, a lot of really popular sentiment and very positive sentiment being directed towards Maersk, and that really gives us an example of how other companies can successfully respond to one of these attacks.

Pam: So what else can an organization do if they find themselves in the middle of one of these incidents? We talked about some of the PR pieces but from the actual technological standpoint, what are some things they could do?

Wendi: So the biggest challenge that we see with both destructive attacks, as well as ransomware attacks, is the fact that the organization loses access to data. Right? So when you have a ransomware attack, maybe that information was taken offline or it’s encrypted and you don’t have the ability to access it, and then in a destructive attack, it’s actually destroyed. But the real challenge when it comes to boiling it down to the technical challenge is how do we maintain access to this sensitive data?

And so for most environments, it’s not practical from a cost perspective to say, “Well, we’re going to have every single piece of data in the environment backed up and have it available offline.” Right? There’s voluminous amounts of data in most organizations that’s just maybe not economically feasible. So the problem that we see many companies challenged to work with is that when these events occur, then they realize, “Uh oh, well, some of my most sensitive data was the one that was either encrypted or destroyed and now I don’t have access to it.” So the first thing I would say from a technical capacity is really for every department to really understand, ultimately, what is the most sensitive data that your organization is responsible for? Where is it located? Who has access to it? And do we have the ability to have offline backup of that data?

If every organization we worked with could do that, then these attacks would be less destructive. So further going on that is when we look at backups, and specifically, in the cases of the NotPetya attacks and the Shamoon attacks, we saw that these organizations actually did have great backups in place, but what they also did was had…some of those backups were always connected to the network and so that meant when the malware propagates, whether it, again, is ransomware or destructive malware, it is going to propagate to those backup systems, as well, and then ultimately make them useless.

Another really important comment here is with segregated account control and so I’ll give you kind of an example of that and then break down what that actually means. So when we saw the WannaCry attacks, for example, that happened a few years ago, you know, organizations were…it was kind of widely thought that, well, if you had the ability to patch your infrastructure then these attacks can’t be successful, but then when we moved to the NotPetya attacks, which were essentially another variant of that WannaCry software, we saw that, you know, these attackers liked to use traditional mechanisms. Things like PsExec, for example, that you would use in an environment to administrate it to move quickly through an environment, and what that means is that when those attackers are using those type of capabilities, they’re also counting on the fact that certain credentials are going to be widely used within an environment. And that’s what allows this type of attack to spread really quickly.

So if we can work with organizations to make sure that their domain admin accounts, for example, only work on the domain controllers, server accounts only on servers, and workstation user accounts only on workstations, just doing that alone really stops a lot of the widespread propagation of these attacks. And the faster they occur means the more cost is incurred, right, in an environment by the victim. So if we can make an attack [inaudible 00:26:02] to do an attack versus hours or minutes, that gives the victim organization a lot better chance at stopping and lowering the impact.

The other thing would be with those elevated account credentials, ideally, if we can look at time limiting them so that you would have to check out an elevated credential, only use it, for example, maybe once you do it’s only valid for four hours, and then if an administrator needed to continue doing those tasks, they would have to check out another credential. That makes it so that the attackers have to work very quickly and it also buys time for the organization to try and defend against those. So all of it, you know, this kind of theme of, like, time equals money and the more time that we force the attacker to take, the more time they give the good guys to respond to it and detect it. All of those things start making us able to limit the impact of the cost and the destruction of these attacks.

And then last technical recommendation would be hardcoded passwords in applications. Time and again we see attackers leveraging oftentimes legacy applications or other applications in an environment where they know that the password is hardcoded in it. That means it’s really difficult for the organization to go in and kind of remove their access quickly, because a lot of times legacy applications are legacy because they’re very important. Right? They provide some sort of functionality that the organization needs. Otherwise, they would have, you know, upgraded and not had the legacy application. Right? So we need to make sure that moving forward, we tell business leaders to make sure that as they bring new applications into their environment that they don’t have hardcoded passwords and that every application has the ability to change a password at least once per year.

Charles: And with the challenges to reconstitution that we already talked about with destructive malware, I think for a small to medium-sized organization, if you don’t have the resources internally to do this, this is one of those rare circumstances where I’d say, “It’s not a bad idea to bring in outside help.” Just because it’s something where you may not have the capabilities, the resources to deal with a destructive malware attack. It can be very costly, as we’ve said, but it is something where if you don’t deal with it effectively and efficiently, it could cause a lot more harm later on down the line. And so bringing in someone from the outside may make more sense, especially for smaller organizations. Otherwise, I think you covered it wonderfully.

Pam: Yes. Let’s talk a little bit about what happens after things have been remediated. What should organizations do to follow up after an incident?

Charles: I think it’s absolutely critical that after an incident of destructive malware attacks, an organization really needs to take a step back and think very long and hard about what went well, what didn’t, and what they can do to improve not only their response process in general but also what they can do to improve their network defenses.

So with any incident, it’s a good idea to take a step back afterwards and say, “Okay, how did they get in and how can we prevent somebody else from getting in in the same way? And how did they spread around and what can we do to prevent that sort of movement in the future?” I think those are, sort of, low hanging fruit for any incident but especially for destructive malware. After an incident of this magnitude, it’s important to understand what went well in the response process. What went well in the response process? What changes do we need to make so if we get affected by another destructive malware variant in the future, we’re better prepared this time than we were last time to respond to it efficiently and quickly?

It’s also very valuable and important to hunt for attackers within your network to make sure that they’re gone. A lot of times attackers with destructive malware will tend to be very sophisticated actors and making 100% sure that they’re out of your network is absolutely critical because if you clean up your networks, if you reconstitute effectively, you get business operations back online, and they’re still in your network they could just shut you down again the next day, which would amplify the negative effects and make it so that you have to incur even more costs dealing with the same mess all over again. So doing a good, thorough hunting is important.

One component of this, as well, is confirming that the backup images that you’re using are clean. A lot of times issues might arise where you have a backup image that you’re using that a threat actor has actually infected, so then you restore from this backup and they’re still back on the system just the way they were before. And you say to yourself, “Well, wait a second, I just restored this from a clean image.” But if that clean image is in fact infected, you’re going to have a problem until you get a new image setup.

Wendi: I think from the communications perspective, this is something that we can do both as a follow-up, as well as a precursor. We talked about the importance of the communications, right, in the wake of the event but one thing that many organizations we see, kind of, time and again is that organizations haven’t actually prepared statements for that, in case this happens.

And so you can imagine it’s much easier if you have time on your hands to start thinking about those and preparing them in advance for a few different scenarios, and that’s usually a combination of PR and communications teams working potentially with an outside firm or working internal to their organization and saying, “Hey, what is our statement going to be if we see something along the lines of this type of an attack? How are we going to respond to it?”

And if you’ve already got, kind of, the shell and the format listed down prior to an event happening, when it does occur you can quickly make, you know, a modification or two and have it ready to go. And that’s much more effective than if you’re caught on your heels, you know, during the wake of an incident and you’re trying to respond to a wide variety of challenges and then also craft statements at the same time.

Pam: Okay. Let’s look a little bit into the future. Do you all have insights into maybe how the targets for these types of attacks are changing or even how the activity itself of destructive malware is going to be changing?

Wendi: Well, so, you know, we’ve seen the manufacturing with oil and gas be really the most prominent attacks. Right? They’re making up over 50% of the type of attacks that we’ve seen, but what we also predict, you know, and the trend we’ve seen is that the attacks are on the rise and then we’re seeing them spread to different types of industries. And so I think the example of the NotPetya attacks was a great one from the perspective of that wasn’t targeted towards any particular industry, but it was targeted towards organizations who did business with a certain country or sector, for example.

Charles mentioned earlier that, you know, these have traditionally been nation-state attackers and objectives. I think we’ll continue to see more of that but I think we’re going to see some convergence on where the attacks are targeted and how they’re used, as well. So one of the interesting trends I think we’re also seeing is that in the wake of some financial services sector attacks, we’re actually seeing attackers want to destroy systems so that it’s much more difficult to conduct the forensic analysis and to quickly identify where the money went and who took it. So you can imagine that if it’s effective in that sector and, you know, that’s a good way of kind of covering tracks and, again, increasing the time it takes for an organization to respond, then we imagine we’re going to continue to see this used in new and creative ways moving forward.

Charles: I also wanted to tack on the element of the geography that we’ve been seeing. Destructive malware, at this point, is a global phenomenon. It’s not just limited to a small geography but really, we’re seeing it expand in terms of affecting companies across the globe. So this is something that everybody really needs to be worried about or at least needs to be taking efforts to protect against because it’s not just limited to a limited subset of geography anymore. It’s really a global effect that we’re observing.

Wendi: The reality is that, with that taken kind of as a fact, I think more organizations…I’d encourage them to realize that this could happen in their organization. It’s no longer an isolated event towards a particular industry and with that said, increasing the understanding of what you can do to effectively detect these attacks and respond to them.

From a detection perspective, I’d say, you know, increasing the ability to have visibility into the environment. So understanding what actions are being conducted on your computer systems but most important is really that capability to practice in advance. [00:45:00] Right? To have an incident response plan no matter how small it is when you start, but to have it and to practice it frequently. To identify gaps and then to really increase the communication and visibility between different departments in an organization. Also, creating holding statements. So, again, things we can do to prepare in advance, we can have communications ready to go so in the event that one of these events does occur, we are not caught, you know, flat-footed and we’re ready to communicate what’s going on.

And then lastly is really looking at if this were to occur, how would you communicate with employees within your own organization so that you can effectively move quickly to resolve the situation? So things like having offline contact lists and preparing in advance for the event that, you know, something shuts down your environment and you need to find a way to operate without your primary computer system.

Organizations who do those types of things in advance are going to be tremendously more well-prepared for these types of attacks and they’re gonna be able to effectively limit the negative impact that these have within their organization.

Pam: Okay, well thank you both so much for joining us. You’ve really given us a lot to think about.

Wendi: Thanks for your time today, Pam. We appreciate it.

Charles: Thanks so much for having us.

David: Pam, that was a really interesting conversation. And the technical aspects, some of the discoveries, some of the clients, certainly something that we’ve read about quite a bit or at least has been in the news. But maybe for me, the thing that really stood out was this idea that part of the attack isn’t just a technical piece. It’s this loss of hope, the psychological battle that’s going on. And I wondered what your take listening there and thinking about that after the conversation, what your take on this idea of loss of hope is?

Pam: It reminds me of the internet meme, which is actually based on a cartoon, and it’s the cartoon dog sitting at a table and everything around him is on fire, and the caption is, “This is fine.” Like, this is how it is, everything’s on fire, we need to get through it, put some flames out, try to rebuild. But I can see definitely in the process of “Holy moly, everything is on fire around us,” and, “Oh no, we’re never going to make it out of this.”

And I do think that psychological impact is so much more of a thing that you need to prepare for mentally as well. That’s why we’ve really talked a lot about the need to run exercises on drill so you’re emotionally prepared for when that moment comes. Because that’s when the training kicks in, and we’ve talked about that with J.C. Vega. Like, we covered that on so many of these podcasts that we’ve done. But I think, yeah, loss of hope is like one of the hardest to quantify and hardest to overcome, I think.

David: Yeah. And you know, as I listen to that, one of the things that I’ve learned as a part of the industry is that security is this team sport, right. It’s not to be done alone. And as you’re looking around at your peers or other organizations that are going through, you know, a tough time, it’s an opportunity to maybe even reach out and offer a bit of support, check in on your friends, your competition maybe, but realize that, you know, we’re all looking for that good outcome. And every once in a while, you could use a little support. And destructive malware doesn’t leave a lot of wiggle room for feeling positive about the world, so let’s change that. Individually, you know, and as an industry, I think we can support one another.

Pam: Do you think it ties back to the idea of data breach fatigue and that there are so many data breaches and so many announcements that we’re all just kind of humdrum about it now? Like, “Oh, good. Well, my Social Security number is out there again. Oh, well.”

David: Maybe. Certainly, as you become numb, right, you become numb to the big numbers, they’re hard to contextualize. I would even go so far with like data breaches where it gets to the point where you’re going, “I don’t quite know what that means for me. A thing happened, it’s somewhat abstract, I don’t know exactly what information was potentially lost. That’s always the little bit of the gray zone, and I don’t know what to do about it.”

Part of that can be to encourage better laws to be passed, to ask for the companies that you work with to have better hygiene, you know, just to push for those things. Tough, but, you know, as a group, I think, you know, consumers and customers have the ability to vote that way.

Pam: Well, let’s snap out of these doldrums, David. Do you have any good news for us this week?

David: I do. Honestly, the one that really stood out when I was looking around for those cybersecurity wins, and there were quite a few that we could pick from, but the big one for me was the Girl Scouts. And you know, I’d been hearing about them for a little while, I saw that they were doing something where they were pairing Girl Scouts with elderly folks and teaching them how to use their phone. And I love that pairing, that cross-generational interaction, I thought that was really neat.

So yeah, good on the Girl Scouts for, you know, that program, but specifically, they’ve got new badges for cybersecurity skills; they’ve come up with 42 new badges. And this is going to be something that’s available for girls between 5 and 18. I think that just the fact that they’re acknowledging that this is an area that the Girl Scouts is going to go in and put their, you know, ferocious focus on, that’s awesome. And you know, we’ve got a cybersecurity skills gap. So, how do you get more people interested? We’ll introduce these ideas or these challenges young and bring, you know, smart and curious kids, curious girls into the fold and see what they can come up with. And I’m just really interested to watch this program [00:10:00] evolve and see what some of the outcomes are.

Pam: There’s a really good interview with the current leader of the Girl Scout organization on the “Freakonomics Podcast.” And I can’t let this go without making a reference to “Hitchhiker’s Guide to the Galaxy,” because that’s how we roll here, that of course, there’s 42 badges because that is the answer to life, the universe, and everything.

David: Right, 42. Yeah. So I think that more cybersecurity awareness and opportunities like this to contextualize solutions and to bring people in in a curious way. Maybe as you’re listening, go make a comment in our SoundCloud comment section on the episode and let us know what you’re seeing and drive us to those positive stories. We’ll talk about them, put a bit of a light on them as we can. But you know, go Girl Scouts. Way to be impressive. I’m loving it.

Pam: Well, that’s all we’ve got for this episode. Thanks to Charles DeBeck and Wendi Whitmore for joining us as guests. And thanks to our producers, Ted and Megan, who tried to remove that from our outro.

David: I noticed that, too. Subscribe to this podcast on Apple Podcasts or SoundCloud to make sure you never miss an episode. You can also find our episodes archived on securityintelligence.com/media, M-E-D-I-A, which happens to have a fresh new look. Check it out. Thanks for listening.

Douglas Bonderud
Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and innovation. In addition to working for...