
Thank you all for coming to the last talk of the day. We are joined on the stage by Validato and Goldilock, who are part of the NCSC For Startups ransomware cohort, so this is basically going to be a panel discussion. There were meant to be more of us on stage, but unfortunately a couple of people couldn't make it due to being ill. So I'll hand it over to Stephen to introduce Goldilock.

Thank you very much. I'm going to move around a little bit to get a little bit more energy; I know it's the end of the day. So, we're Goldilock. We produce a device, which you can find at the back there, but before I talk a little bit about that I want to set the geopolitical context of what we're in. Many of you have been watching, maybe, The Undeclared War, which is very interesting. Actually, when Jeremy Fleming was meeting with us on Wednesday he sort of said, "I don't really like the term war, I like to talk about cyber force for good," which I understand is his point, but we're in a war, that's a fact. And yes, we do want cyber force for good, but the reality is we're in a war on three fronts. We've got the Russians on one front, who are a geopolitical disruption. We have the Chinese, who are continuing to engage in wholesale corporate theft; a recent Economist article three weeks ago would have told you that 75% of corporate theft is still being engaged in by the Chinese and by Chinese state-sponsored actors. And the third is ransomware criminals, whether they're in syndicates or individuals or in different forms. That war is very different from the war that exists on the ground with the forces in Ukraine, because it's a different topology. Ukraine can't change its borders. We can: in cyber warfare we can change our borders, and what we can do is reduce the cyber attack surface. That's the Ministry of Defence mantra: we can reduce the cyber attack surface and change the topology so that the criminals and the war criminals cannot continue to engage with us and steal our critical assets and disrupt our critical national infrastructure.

And the way that we can do that is that we do not need to be online all the time. You've just heard from Microsoft, and I think they did a great presentation here on it, but she also highlighted how vulnerable the cloud is, and all of that. Always being online all the time is ridiculous; there is no need for us to be online all the time. If we are able to reduce our cyber attack surface, if we are able to control and take back our control to go online and offline when we need to, then we can incredibly improve our ability to fight these three evil actors on all fronts. That's what our mantra is. We've built a device that allows you to completely go offline without using the internet, because as long as you have and use the internet as a control device to allow you to go online or offline, you're vulnerable to attack. That device back there allows you to actually disconnect your critical assets, your critical national infrastructure, whatever it may be, and to ensure that you are reducing your cyber attack surface and have it only online. Now, if there are some things which are online all the time, the other thing that you need is a ransomware kill switch. What do we do when we're in a situation like Colonial Pipeline? You scramble around for two and a half hours trying to find where the cables are, and you eventually pull the cables in different locations. With our device, what you're able to actually do is send a text message and it has a physical disconnect; it takes five seconds. And that's what you need to be able to do when you're under attack, if you have left things online. So from our side, one of the biggest ways to deal with ransomware, and Chris has some great questions regarding some of the legal liability issues with respect to ransomware and where we're moving towards in this sector, is that we have to take a lot more control back of our cyber attack surface. So that's our mission. Thank you very much.

Thank you very much. So, Andrew, do you want to introduce yourself?

Yeah, thanks very much, Chris. My name is Andrew Brown, I'm the CTO of Validato, and what we are doing to help address the ransomware scourge that is plaguing the world's businesses is we've put together a breach and attack simulation platform. Quite simplistically, what it does is it tests your cybersecurity controls, and I'm surprised that cyber has been around for so long without this really existing. Now you might turn around and say, "Oh, but we've got pen testers and we've got red teamers and stuff like that." Very much so. Do they test your cyber controls? Absolutely not. Okay, I'm not saying that there's not a place for them; there's a very good place for them. What I'm talking about is, when I qualified as an engineer, I spent a lot of time in the instrumentation and electrical fields, and the way we used to test things and make them work is: I had a pump, for example; I'd press the green button to turn it on and I'd get a nice little light on that's saying it's running, okay. And then I'd have to test that I can press the red button and make the actual pump stop, and there was always an emergency stop button somewhere. And whenever you built something new, you'd have an auditor come along and you'd have to verify that all of this worked, which is standard engineering practice, okay, to make sure that these controls actually work. But then I got into the cyber field, and it just seemed to be fine that you could take the software that some vendor had told you worked, and you have another ten vendors telling you that theirs actually works better and you should buy their stuff because it stops more and it does better stuff, and there's this whole competition out there, and you just quite happily install it. You install all these security controls all over the place, but you don't really actually get around to testing it.

So as an example of what I mean and how you test it, think of something like your home security system: you put this really lovely infrared detector up in the corner of your room. What do you do? You wander around and you see if you can find any blind spots in the room, and maybe you adjust it so there's no blind spots; maybe you have to put a second one in the room because there's a pillar and there's actually a blind spot behind the pillar. But once you've eliminated all of those blind spots, you then go along and you look at the actual alarm panel and you say, okay, if I wave my hand in front of the sensor, do I get a message on the alarm panel? Yes, I do. So going back to our original point, looking at "have I got rid of our blind spots", that's very much the protection in cyber, okay: is your protection actually working? When we sit and look at the message on the alarm panel, think of that as your SIEM solution, your events and your SIEM solution: am I seeing the event happening in the actual SIEM solution? And then moving further on, it's: do I get a response? Okay, so if I trigger this, do I get the police coming? Do I get a response from a company that is going to come and inspect my premises or give me an actual visit or call to see if I'm okay? So what we're looking at there is protection, detection and then response, and that's exactly the same as what we're doing with our product: being able to do that in an actual cyber field. So once you've done all that and you've got it all working, you can then call on the professional burglar, which we liken to the pen tester, and say, absolutely, now please do your thing and see if you can actually break in. But there's no point in getting the pen tester, the professional burglar, along unless you've done all the simple testing, and that's really the premise of our product. And we know from looking at so many companies out there that they've got a lot of IT people in them, and it is about enabling business, it's about helping them. There's a lot of really good IT people there, but are they the cyber specialists? No. They take the actual product, they install it, but they don't have the test tools to be able to understand: is it doing what it's meant to be doing? And they're also not necessarily the qualified cyber people, and business to a large extent sees cyber as a necessary or unnecessary expense on the bottom line, or a business disabler rather than enabler. So what we want to do is be able to enable business very cheaply, very easily, and help them have a better cyber posture.

Okay, so now we've had a nice introduction from both of the companies, we'll start with some of the questions. I'm going to start with something focusing on reconnaissance. So what do ransomware groups look for in targets? How do they select their targets, and why are the companies which are selected, selected?

So there's a lot of different types of ransomware groups that are targeting different types of entities, from the small to the large. One of the most common ones that we've been seeing is even putting bounties out for credentials for larger entities, particularly government-run, or just those kinds of entities that have reached that critical mass where the amount of staff that they have and their infrastructure is starting to get quite outdated, so there's a lot of vulnerabilities, a lot of unsupported software there. So once they've got in, they're able to move very quickly. But also, because of the size of the entity, the internal security training and the security awareness for staff becomes quite a difficult task to do, so you have a lot of naivety from the IT side of things, and we're seeing that as quite a common entry point these days. So targeting the NHS, for example, or any of those kinds of entities where they are struggling to keep their infrastructure up to date.

Yeah, just to add to that, I see there are some quite young members of our audience out there as well. Go and have a look and just do a little bit of a search on Google for a site called Shodan, that's S-H-O-D-A-N. If you search for Shodan, it's a very useful resource out there. There's something called open source intelligence, and I talk to professionals every day and I'm quite amazed about the lack of knowledge about what is out there about an organization in open source intelligence. The beauty about Shodan is I can sit there and I can go on to Shodan and I can search the whole of the internet in a couple of seconds, and I can find every single publicly facing server that has port 3389 open; that's an RDP port that enables you to remotely manage that actual organization or that server. It doesn't take much to figure out or find out who that actual server belongs to, okay. Once I know who it belongs to, I can very probably log into it with an email address, a little bit of engineering, okay, and I happen to have an actual username, and passwords follow quite quickly because I can brute force it. So this is just one type of example where, if we look at this and we look at the threat actors out there, it's a business. They earn money; they see nothing wrong with doing this, okay. So you end up with your low-level people using things like Shodan out there to go and find easy targets; all they're interested in is earning actual money. So when you end up on the receiving end of a ransomware attack, it's not necessarily because you were directly targeted. So it ranges from the one end, where you're just randomly selected because you stood up a server in the cloud and you left port 3389 open and you didn't have a very strong password, to exactly the other end, okay, where it's a state-sponsored actor, and if you've got intellectual property they're going to want to get their hands on that, and then they are going to put a lot of resource behind exploiting your organization.

Cool, thank you very much. So, being on the forefront of ransomware and fighting against it, have you come across any new or interesting techniques you have seen being used more recently, or being used more?

I've seen an absolute cracker quite recently. So it's an evolution of the existing "we've got some screenshots here of you looking at some monkey grumble and we're going to send it out unless you pay us some money," but the way that they handle it is they send you an email or a direct message through social media as a concerned citizen, and what they're doing is, "Hey, this website or this service or this group has got some information about you, and they're making statements about you," and it could be something like they're accusing you of being a paedophile, or they're digging out something that you may have tweeted in the past and, with the evolving sort of social standards that are expected today, it seems quite controversial what you might have said. And that's all they say, and no call to action. What that's trying to do is invoke that emotional response from you, and then you want to engage with it. "Well, what are they saying?" You want to naturally defend yourself, don't you? And then they'll give you the call to action; they've got you then. And what it'll be, it'll be something like maybe a website that's password protected, so you have to sign up. There's one method of getting your credentials, because you're not thinking straight; you know someone's made an accusation about you, your emotions are high, so you're going to be maybe a little low on your defenses there. And then the second is, "Right, here's the accusations," and it's in a PDF or it's a Word doc, and that's where the payload is normally included. And because again you've been accused, you want to defend yourself, "What's going on?" Your defenses are quite low then, and you're probably in a more emotional state, to not think so critically or quite in the right way. So that's been quite an interesting development I've seen over the last couple of months, that kind of approach.

Andrew?

So I've come across two very interesting ones, and one of them we've seen. I also spend quite a lot of time doing third party assessments and looking at vendors out there on behalf of companies, and what we've seen during the pandemic is the rise of the rogue mobile application, and the ignorance around this, or the unawareness about it, is quite prolific. I was having a conversation with a company the other day, okay, and they said, "Well, why should we be looking at our vendors? Why should we be assessing them?" And I said, "Okay, give me a list of your vendors, let's just run through them," and interestingly they gave me the company who they'd outsourced all their payroll to. So I said, "Okay, let's go through. I've done the vendor assessment for you. On the surface they look all great, no issues around that. Just one scary thing." They said, "What's the scary item?" I said, "Well, did you know that your payroll company's actually got this really neat mobile application?" He said, "No, they haven't told us about it." I said, "Okay, let me show you this application. It's really nice; you can submit timesheets, your expenses, you get your payslip through it, okay, you can change your bank details. So, really useful application." He says, "Well, I'm going to make contact and find out why we don't know about it." I said, "Well, I can tell you why you don't know about it: because they don't know about it either. It's a rogue mobile application that has been set up. What it's designed to do is extract all of that information from people within your organization. The way this exploit actually works is the threat actor will send your staff members an email saying, 'Hey, we're the new payroll company, please will you search for the new app we've just released, download it onto your phone, and if you happen to get any type of two-factor authentication message please just acknowledge it, and use your business credentials to log in.' The beauty about this whole exploit is the phishing email will work straight into your company. It's got no malicious link, it's got no attachment to it, okay, and the user's not going to think it's suspicious because they're not having to click on anything; they're not being taken anywhere, okay. So they'll search, they'll download the application, they'll put in your details and they'll acknowledge the two-factor authentication. The threat actor is now logged into Office 365. We need one, okay, one out of 2,000 people, and I'd probably be targeting your finance department first of all around this exercise. Now I'm in, okay. So, don't ask the payroll company: do they have any services out there that look for rogue mobile applications? Are they telling their clients about them, and are they getting them taken down?" And there were eyes opened all over the place. So that was the first one, that was a little bit obscure, but then it got even further. There was a beautiful article posted this week: guys putting together Raspberry Pi kits with a little SIM card in them and a wireless card, and they're posting them to companies, and because where's everybody? They're working from home. So it goes into the post room, and the good British postal system, you've got to love the British postal system, okay, it will deliver this item, it'll get put on the person's desk, it's inside the company. What's it targeting? The Wi-Fi network. How long is it going to be there for? Who knows, could be a month or two before someone comes back into work. And if you're on the 19th floor of the building, how secure is your Wi-Fi? Because who's going to externally break into it? It's probably not very secure.

Cool, thank you very much, that was really interesting. So, a question for Stephen now. Should you pay ransomware ransoms?

Well, right now the criminal liability for that already exists in law, both for participating in and being part of a crime and for funding the crime. As we know, right now there is not much level of enforcement, but that is moving in a different direction and there will now be more and more enforcement. There is now a strict liability offense, which means that you don't actually necessarily have to have intent, and that's when you're paying somebody within a sanctioned country, and as you know those countries have expanded, especially with the Russian invasion. So if you are paying to Russia, then it's a strict liability offense now. The other thing, aside from just legal liability, is also a moral liability. I mean, do you really want to be participating and involved in these levels of crime? And I mean the obvious answer is no, because you're just funding essentially our enemies, and this needs to be stopped, essentially, by having better ransomware techniques. And I think that you will see more and more the US moving towards enforcing these and preventing the ransomware payments being made.

Thank you very much. So, last question before I open it up to the audience. If you do get hit by ransomware, how can you actually recover from a ransomware attack? How can you actually get your business back on track?

There's a lot of ways of looking at that, and it depends how well you actually prepared for the ransomware attack. Being on this NCSC startup programme has been quite fascinating. There's a couple of the solutions who weren't here, who weren't able to make it today, that absolutely specialize in that, and just chatting to these guys, everybody says, "Okay, I've got backups, I've go