Interview: Hatem Naguib – ransomware operators ‘a whole supply chain’

Cyber Daily chats with the CEO of Barracuda Networks about the cyber attack industrial complex, the workforce training problem, and the small-business challenge.

Cyber Daily: We’ve seen a wave of supply chain attacks recently, in Australia and abroad, targeting customer relationship management systems, such as Salesforce, and it feels like a lot of companies are just falling short at the most basic level of security. How do we fix this?

Hatem Naguib: Consistently for the last several years, the most common attack vector is actually through email, meaning that my target, if I can get them to fall prey to my attack, I just need the one individual who has the access that I need to be able to gain infiltration throughout an entire infrastructure. And so when you look at these attacks, they usually go after individuals who aren’t the most highly technical.

There’ll be people who have access to customer information, and how you can create a more sophisticated attack to be able to pursue them isn’t that difficult to do. I would say that that vector, combined with apps that are not protected well, and the proliferation of bots to be able to go and gain that access, these two combined have probably been single-handedly responsible for most of the attacks, and when they get those credentials, they begin the process of then infiltrating throughout an organisation.

So there’s a pattern that you can see within that, even when there’s a supply chain attack, that supply chain weakness tends to happen for the individual. I think one of the things that’s also relevant is that as we become more digital, our presence has become more digital. It has given a lot more information to attackers to be able to determine “How can I create something to get those credentials?”

Cyber Daily: How do we train people to be ready for that kind of attention?

Hatem Naguib: It’s a couple of things, I think.

One, I do think training is paramount. We have a training solution we offer our customers … The interesting thing is that there’s a consistent 4 to 6 per cent that are going to click. It’s not the same people, but a lot of times, they’re going to, depending on where they are in their [lives]. You’ve seen this: you’ve had a conversation with somebody about an order that you’ve got, and next thing you know, the order is coming, as if the computer heard.

My presence online indicates what I’m doing, and that information can be available – when I look at a phishing attack starting off with, “Hey, so and so, saw you at the company party on Saturday. Great catching up. Hey, by the way, can I get that invoice process?”

“No, what’s that information?”

So that information is because I posted and I shared, and then now the attackers can kind of leverage that capability to do that. So we have had to leverage a lot more technology to kind of see predictive capability. You can determine where that email is coming from, and you can set the context of that email. Does this person typically get these types of emails? The same behavioural analysis can occur on the network, can occur in applications, and these types of things can indicate that this seems out of order.

This is where AI is supremely powerful as a defence mechanism, but also we recognise that it’s being leveraged as a weapon against us at the same time. But a lot of the security companies, including ourselves, for years, have been using machine learning and AI to determine if these are false positives, or are these indicators of a problem.

I think the other aspect to it is it’s profoundly lucrative to someone in the attack business. And, you know, I don’t think people fully appreciate the scale of enterprise that goes on to go after your information.

Cyber Daily: We use a lot of open source threat intelligence to track ransomware operators, and one of the things we try to do at Cyber Daily is cover every ransomware attack that affects Australian organisations. But the stats I keep seeing seem to suggest that what we see is just the tip of the iceberg, that there’s a whole lot of activity happening with ransomware actors dealing directly with their victims, and it never even makes it to a leak site. Does that chime with you?

Hatem Naguib: It chimes very well.

I think in the last year, these numbers are staggering. When you think about it, the number of companies that have had a ransomware attack in the last year, I think our stats are not Australia-based, but they’re in the 70 to 80 per cent range.

I know those are not reported the vast majority of the time, other than insurance companies sometimes, but almost a third or 40 per cent of them just end up paying. And this Attacker Industrial Complex has a person who sends the attack, who is different from the person who will send the ransom, and different from the person who will unencrypt …

It’s a whole supply chain.

And they know who their customer is, and they work very diligently to increase their customer count. This is on the more criminal side; the state actors also play a role in this, which is leveraging these attacks to create more dissonance within societies. And you know, they use the same tools, same mechanisms, and often a lot of crossover between them.

We’re seeing state actors work with ransomware actors to deploy their ransomware in a more targeted fashion. I think part of that is to be disruptive, and as we see in global conflict, that kind of creates and escalates them. And you know, the average individual gets affected by that, because these things get tested and used and then weaponised, and then it’s very easy for them to be leveraged as a kit to go out.

Cyber Daily: Do we think this is just the background noise of reality now, that this is just going to be a constant back and forth between network defenders and these criminals, both state-backed and financially motivated?

Hatem Naguib: Unfortunately, I do think that it has become more normal.

And I think there are two aspects that I think about. One, the amount of spend on security is less than the amount that criminals are making in the attacks, which is not a formula for success. So if we’re spending X and X plus five is being spent on the attack, then that’s a scenario that basically says this is going to get worse.

Two, I don’t think businesses should be left to fend for themselves on this. If this [were] in the physical world, governments would have stepped in a long time ago and basically said, “All right, what do we do to stop this?” You’re beginning to see that happen. You’re beginning to see more government impact around going after more notorious attackers and making sure that they can provide capabilities to protect societies in general. But I don’t think that that’s necessarily sufficient.

What’s interesting is that we find more and more customers are kind of shifting their consumption of security. So it used to be, they would buy their own tools. They would manage it themselves. Now they’re using someone else to manage the tools. Now they’re going and saying, “Hey, you know what? I don’t want to be in the security business. I’ve got my own business. I’ve got an alarm company for my physical security, so why don’t you just take care of the security and if there’s a problem, stop it, and if I need to know something, let me know”.

But treat it the same way we treat physical security, which is a set of companies that will be providing services to kind of watch what’s happening, and they’ll have the skills and the tools to be able to immediately mitigate – I think we’ll move more towards that.

Cyber Daily: What about smaller businesses? Because for every Qantas or Optus, we see probably about 10 times as many small businesses that clearly don’t have the funds to do this. What can a small business or a sole operator do, one that holds customer data that is clearly important to them? How do they secure themselves?

Hatem Naguib: I think the first thing to recognise is that it is a priority for them to address this issue. A lot of times, small businesses don’t think they’re going to be as targeted. They think, “I have a firewall and I have antivirus. I’m good”. And I say, “No, I don’t, I don’t think you appreciate how this is gonna play out”.

I think the education process is first.

Second, I think a lot of businesses don’t take it on themselves to do it. There’s a managed service partner ecosystem of people who can come in and provide security capabilities. You talk to these managed service partners, by the way, and when they’re with these customers, they’re somewhat mandating: here’s the set of things you’re going to be using to protect yourself, because I’m not going to be responsible for you. It’s running around with scissors.

I need you to know that when you’re using Microsoft 365, and you’re using these other tools, here are the four or five security tools that we want you to use. And that’s an important step, I think, to help kind of standardise people protecting themselves. And then, as I said, more and more MSPs and more and more companies are looking to kind of augment their capabilities, with this managed security and security-as-a-service model, which I think is going to be more prevalent in the future.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
