We are hackers and cyber defenders working to fight cyber criminals. Ask Us Anything about the rising ransomware epidemic!
*** Thank you all for joining! We have wrapped up this discussion, and enjoyed the conversations today. Some participants may answer some later; see their Reddit usernames below. Stay safe out there! ***
- Proof: https://twitter.com/IST_org/status/1409921538355236869, https://twitter.com/IST_org/status/1410008629642776578
Hi Reddit! We are cybersecurity experts and members of the Ransomware Task Force, here to talk about the ransomware epidemic and what we can do collectively to stop it. We’ve been in this game a long time, and are ready for your questions.
We are:
- Jen Ellis, VP of Community and Public Affairs @ Rapid7 (u/infosecjen)
- Bob Rudis, Chief Data Scientist @ Rapid7 (u/hrbrmstr)
- Marc Rogers, VP of Cybersecurity @ Okta (u/marcrogers)
- James Shank, Security Evangelist @ Team Cymru (u/jamesshank)
- Allan Liska, Intelligence Analyst @ Recorded Future
Were you affected by the gas shortage on the East Coast recently? That was the indirect result of a ransomware attack on the Colonial Gas Pipeline. Ransomware used to be a niche financial crime, but is now an urgent national security risk that threatens schools, hospitals, businesses, and governments across the globe.
These criminals will target anyone they think will pay up, getting millions in laundered profits, and we are on the frontlines in this fight.
Ask Us Anything on ransomware or cybercrime, whether you’ve never heard of it or work on it every day.
(This AMA is hosted by the Institute for Security and Technology, the nonprofit organizer of the Ransomware Task Force that we belong to.)
Update 1: Thank you all for the great questions! For those interested in cybersecurity career advice, here are a few questions answered on how to get into infosec, whether you need a degree, and free resources.
Update 2: Wow! Thank you all for so many questions. We are slowing down a bit as folks come and go from their day jobs, but will answer as many as we can before we wrap up.
IST_org277 karma
Bob: I'm a fan of the Cybersecurity Body of Knowledge (https://www.cybok.org/) and you can learn tons just by absorbing the MITRE ATT&CK content (https://attack.mitre.org/) (they update ~quarterly)
IST_org88 karma
Jen: I completely agree with Bob's recommendations. For training courses, you can also look at SANS and also a lot of community security conferences, even smaller regional ones, offer trainings. They tend not to be free though.
IST_org45 karma
Marc: There is an excellent thread in /r/cybersecurity covering just this.
Also: Mentorship Monday in /r/rcybersecurity.
IST_org31 karma
Allan: I know most people don’t like social media, but infosec Twitter is a great place to learn and get help. People are always sharing resources, videos and little tidbits of information that can be very useful.
IST_org7 karma
Jen: I also agree with Allan - I actually learn a ton from infosec twitter and asking questions.
IST_org136 karma
Allan: Remote Desktop Protocol, either through credential reuse or credential stuffing attacks
IST_org139 karma
Allan: There are something like 8 BILLION username/passwords available for sale or free on underground markets at any given time, and that doesn’t even take into account the number of organizations that just use poor password management for internet-exposed infrastructure.
IST_org99 karma
Marc: Yeah I'd say insecure credentials. Insecure credentials into infrastructure, systems, or accounts that can be used to pivot.
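The credential-reuse and credential-stuffing pattern Allan and Marc describe, as an added detection example that is not part of the AMA: a Python script that scans constructed Windows Security logon events for a source address that fails RDP logons against many distinct accounts and then gets one to succeed. The flattened one-line event format, the sample data and the thresholds are assumptions for this demo; event IDs 4624/4625 and logon type 10 are the real Windows values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, flattened to one line each:
#   <timestamp> <event_id> <account> <source_ip> <logon_type>
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
# The line layout is an assumption for this demo, not a real export format.
SAMPLE_EVENTS = """\
2021-06-29T10:00:01 4625 alice 203.0.113.7 10
2021-06-29T10:00:02 4625 bob 203.0.113.7 10
2021-06-29T10:00:03 4625 carol 203.0.113.7 10
2021-06-29T10:00:04 4625 dave 203.0.113.7 10
2021-06-29T10:00:05 4625 erin 203.0.113.7 10
2021-06-29T10:00:06 4625 frank 203.0.113.7 10
2021-06-29T10:00:07 4624 frank 203.0.113.7 10
2021-06-29T10:05:00 4625 alice 192.0.2.10 10
2021-06-29T10:05:30 4625 alice 192.0.2.10 10
2021-06-29T10:06:00 4624 alice 192.0.2.10 10
2021-06-29T11:00:00 4624 bob 10.0.0.5 2
"""

LINE_RE = re.compile(r"^(\S+) (4624|4625) (\S+) (\S+) (\d+)$")


def parse_events(text):
    """Turn the flattened log text into a list of event dicts, skipping non-logon lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, eid, user, ip, ltype = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(eid),
            "user": user,
            "ip": ip,
            "logon_type": int(ltype),
        })
    return events


def detect_rdp_stuffing(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Flag source IPs whose failed RDP logons hit at least `min_distinct_users`
    different accounts inside `window` (the stuffing signature: many accounts, few
    tries each), and list any account that later logged in over RDP from that IP."""
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == 10:  # only RDP (RemoteInteractive) logons matter here
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["id"] == 4625]
        # Slide a window over the failures and keep the largest set of distinct accounts.
        best_users = set()
        for i, first in enumerate(failures):
            users = {f["user"] for f in failures[i:] if f["ts"] - first["ts"] <= window}
            if len(users) > len(best_users):
                best_users = users
        if len(best_users) < min_distinct_users:
            continue  # single-account guessing or noise, not stuffing
        since = failures[0]["ts"]
        succeeded = sorted({e["user"] for e in evs if e["id"] == 4624 and e["ts"] >= since})
        findings[ip] = {
            "distinct_accounts_failed": len(best_users),
            "accounts_later_succeeded": succeeded,  # candidates for an immediate reset
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_rdp_stuffing(parse_events(SAMPLE_EVENTS)).items():
        print(ip, info)
```

The 192.0.2.10 source in the sample is only flagged if the threshold is lowered, since repeated failures against one account look like guessing rather than stuffing and deserve a separate rule.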
likesAMAs114 karma
It’s easy to get the impression from these recent events that infrastructure is fairly easy to attack. What do you think is the likelihood that either a state or a rogue group takes down some critical infrastructure for a long period of time that severely disrupts life—something that would be equivalent to essentially destroying infrastructure in a war?
IST_org153 karma
Marc: Very likely as many ransomware groups have seen that high risk infrastructure is both out of date and backed by organisations that will rush to pay because of the impact when it goes down. As a result many of them actively look for vulnerable, exposed infrastructure associated with these kinds of organisations because they know there is a high chance of a good pay-out.
IST_org44 karma
Jen: This scenario doesn't feel far-fetched at all. We've already seen infrastructure be a target in several countries, and this is only likely to increase without intervention. Even when the attacker offers up the keys as they did with the attack on the Irish healthcare authority (HSE), it can take a long time to get ops fully back up and running. HSE is saying they think full recovery will cost them $600m, so think of all the work that's paying for and how long that will likely take. https://www.scmagazine.com/home/security-news/ransomware/costs-from-ransomware-attack-against-ireland-health-system-reach-600m/
IST_org29 karma
James: This question is one I think about often. It’s more nuanced than simply thinking about the ease of the attack.
For state actors, this very well could result in war. NATO, for example, recently said that cyber attacks would also be covered by the alliance, resulting in the possibilities of joint responses to cyber events. This may serve as a deterrent to state sponsored destructive activities. Use of cyber capabilities is almost assured in wars. This is simply part of modern war for those countries with appropriate capabilities. War is always a concern, and cyber events will be another component to that concern, so this likelihood is roughly the same as the threat of war. It is more likely, imo, that domestic or foreign terrorism would result in destructive attacks. It’s also possible that organized crime or individual actors could have a large impact to daily life. This is reasonably likely to happen in my opinion, as the ease of attack is generally there and the motivation to cause legitimate harm is there as well. Intelligence teams track these groups to stay ahead of them and hopefully prevent attacks from happening, but no intelligence efforts are perfect, and no one catches everything.
IST_org24 karma
Bob: They may not make all the headlines like the pipeline incident but there are semi-regular cases of various types of critical infrastructure being impacted or having near misses. It really is just a matter of time before it happens.
jcsf32174 karma
Please list the top 5 things corporations, business entities and people can do that they currently don't to better protect themselves from cyber attacks and ransomware?
IST_org112 karma
Allan: 1. MFA, 2. Patching, 3. Endpoint protection AND monitoring, 4. scanning of remote infrastructure, 5. threat hunting for attackers.
jcsf32111 karma
Good list. I've often thought that remote VPNs from end users would be a big attack vector, given people's homes generally have pretty crappy endpoints. Any thoughts here?
IST_org28 karma
Allan: Home routers are scanned continuously and are often targets of attack. Most people get their high speed routers from their ISP, plug them in and then never touch them until they are replaced several years later. That means no updates, no configuration checks or anything like that. So, yes, they can be used as attack vectors, which is why it is important to have a home firewall behind the router you get from the ISP, to protect your actual network.
IST_org12 karma
Bob: There are many safe configurations for workstations and servers that organizations either do not know about or have been reticent to deploy. Just shoring up configurations on Active Directory and SMB servers alone can do wonders to help thwart attackers from being able to move laterally and encrypt or lock-out at scale.
DingleBerryJP35 karma
Currently in school at an online college located in salt lake city ut. I'm in the CyberSecurity program but I feel like the program is kinda dated and the information does not line up very well with the test. Can I land an entry-level cyber job without finishing my degree if I have all Comptia certs related to cybersecurity?
IST_org45 karma
Marc: You don't need a fancy degree to build a cybersecurity career. You need experience and knowledge. Even knowledge that seems old and minor can be incredibly useful. Take the opportunity you have and build on it by studying more current cutting edge stuff yourself. Go to events like DEFCON and connect with the community. The more knowledge you can gain in your "learning" stage the better. However, the best next step is to build experience: use what you have to take on volunteer/free/part time roles so you start getting those hours of experience. There is no substitute for learning in a job.
Protip: I have found charities/NGOs/low income organisations a great place for this. They are desperate for the help and will welcome your donated time. Even if all you can do is keep them up to date on patches, you will be doing them a huge favor, and in turn that gives you cybersecurity experience and your first solid cybersecurity reference.
IST_org22 karma
Marc: It's also really hard because the smaller the org, the smaller the budget (if there even is one at all) to pay for security. Working in the CTI-League we ran into small medical facilities ALL THE TIME that lacked resources and personnel to help tackle even the simplest problem. This is definitely a huge challenge and something a lot of us are thinking about. We have to make sure that SMBs don't get left behind as we work to build a more secure ecosystem.
IST_org40 karma
Bob: While some jobs may require certification, many employers are looking for folks with the "curiosity gene" combined with the knowledge of where to go to find information and solve problems. I'd highly suggest gravitating towards organizations who look for those attributes over those who are just looking for a certification stamp.
IST_org20 karma
Jen: Employers in security are increasingly looking at hiring models and trying to break away from conventional hiring-from-schools models. Often landing a role is more about showing interest and making connections than what your resume says. As I said above, I recommend getting involved with local meet ups, attending free online events, that kind of thing will help build your knowledge and network.
IST_org13 karma
Allan: You can, I don’t have a degree and have managed to grow my career. However, advancing in this field, as with many fields, is A LOT easier with a degree and there have definitely been job opportunities I missed out on because they wanted that degree. Keep up the good work and connect with us on LinkedIn so we can help you as you continue to grow.
Odd-Worry27 karma
What can a regular person with no cybersecurity or coding knowledge do to help?
IST_org49 karma
James: A large part of effective security is up to the users, not the security engineers and administrators and the most important things are the most basic things too! Three things come to mind: 1) Use strong passwords that are unique to each site / service (a password manager can help!) 2) Keep good backups, and consider using more than one backup device where both devices are never plugged in at the same time. 3) Be vigilant! If something strikes you as odd, alert your corporate security team. Did you click a link and think it might be bad? Report it! Most ransomware actors take time to inventory networks after the initial compromise, so there may be time to still protect your network and your device! Time is of the essence here though!
IST_org11 karma
Marc: Ransomware is a spectrum but most is opportunistic and relies on poor, fragmented security hygiene. Any contribution to up-leveling hygiene in a consistent manner makes an organisation stronger against many types of ransomware.
IST_org11 karma
Marc: So every user from the lowest level intern all the way up to the CEO can make a big difference by working to support a consistent information security program. By challenging things that "look wrong" or which are suspicious, from always being skeptical with email links to reporting security flaws and operational issues. The best defense for a company against ransomware is that company's workforce itself.
IST_org7 karma
Allan: Pay attention during security awareness training, know what the threats are and be cautious about emails you receive (especially if they have a warning flag).
IST_org44 karma
Jen: The biggest demands we've heard of are in the $40-50mill buckets, but they are definitely outliers.
Bhaelros19 karma
How can an end-user or consumer can protect him/herself? There are too many security products, like Bitdefender, Kaspersky, Sophos, etc, and one can check received emails or the sites which he/she can visit, but even sometimes that is not enough. Years ago, on a Windows 2012 server I saw a hacker running his apps as a built-in service user from remote desktop services. No AV found that malicious at that time.
So, what can we do? Which software / hardware shall we use? How can we protect ourselves?
I am aware nothing is 100% bulletproof, but we have to start from somewhere.
IST_org33 karma
Bob: Keep your home router patched and consider replacing every few years. Limit the use of "smart" devices in your home. Scrutinize every email and every link in social media. Limit the number of browser extensions you use and consider using an iOS device for more "risky" web activity. Keep your systems and software patched. Have regular, offline, backups handy. Much of this is the same advice folks have been giving for a decade or more.
IST_org24 karma
Bob: Also use a password manager, preferably one that is plugged into services like "Have I Been Pwned?" so you know when you need to reset credentials (but you should be using services that offer or mandate 2-factor authentication).
IST_org12 karma
Marc: Strong security hygiene is one of the best defenses we have. Patch exposed systems, turn on MFA and implement best practice like endpoint protection and you'll create a network that's hostile to ransomware.
IST_org9 karma
Jen: Be suspicious of emails or texts from people you don't know, or that include links or attachments. Don't give out sensitive info, particularly your passwords. Use a password manager and use two-step verification wherever you can.
Christmas_Panda19 karma
If you had to choose between paying a cyber ransom in gum or pizza, which flavors would you choose to increase your bargaining potential?
Careful-Beginning89716 karma
What type of software would you recommend against ransomware and things of the sort?
IST_org39 karma
Allan: Unfortunately, there isn’t a single software solution that will solve the problem of ransomware (or other types of attacks). It really does require a holistic approach to security. Not just software, but the right policies, people and protocols in place to quickly identify and stop threats
IST_org22 karma
Marc: Agree - there's no single bullet. However, there's a strategy (see the IST Ransomware Taskforce Report) that shows how organisations and industries can make themselves hostile to ransomware. Most ransomware is opportunist, so just toughening yourself up makes you a much less attractive target. By strengthening security hygiene and turning on things like MFA you make lateral movement much harder. Solving ransomware is a step by step journey, not a shrinkwrapped piece of software.
aghorisan202015 karma
There is an argument often made that if "the military" and "law enforcement" begin to crackdown on infrastructure in a much more forward leaning manner, that these gangs will still be able to persist, regroup, reattack - i.e., that even working with private sector partners, there isn't enough data/insight available to really take it to these networks. Agree? Disagree?
IST_org20 karma
Jen: There is definitely a huge challenge in that these criminals often operate in nations where the government either can't or won't stop them, and that makes it super hard for law enforcement to be effective. We need governments around the world to collaborate to crack down on these so-called "Safe harbor" states. This was actually one of the commitments that came out of the recent G7 Summit, but it remains to be seen how the G7 members will follow through on it.
IST_org12 karma
Marc: While it's absolutely true that to really hit the ransomware gangs hard we have to take the fight to them, we mustn't lose sight of how important it is for us to toughen up and work together to make our whole ecosystem hostile to ransomware. By addressing the low hanging fruit, many of the opportunistic gangs will get shut out; by improving our detection capabilities, we will increase the data and forensic material needed to attribute them. There's a huge amount of stuff to be done at both ends of the fight and it's my firm belief that we can only achieve it in partnership.
IST_org7 karma
Allan: Right now, ransomware is the most profitable form of cybercrime, aside from possibly BEC. So, yes, even forward leaning efforts by law enforcement won’t necessarily stop ransomware attacks. Ransomware groups have been good at adapting and evolving their attacks to evade defenses. However, a more aggressive law enforcement stature will scare away a lot of the 2nd and 3rd tier ransomware actors (we’ve seen this already with Avaddon and other actors who “retired” this year). That reduces the number of groups law enforcement has to focus on.
IST_org11 karma
Bob: To riff off of Allan's answer, the massive proliferation in attacks has been led, in large part, by Ransomware as a Service offerings which enable low-skilled attackers to get in on the action. Curbing that activity will be a huge help.
IST_org6 karma
James: There is a tendency to sometimes reduce success to a simple “yes” or “no” question. With ongoing defensive efforts, the objective is to improve and adapt.
With the offensive efforts, the point is to take the attack to the attackers and make them have to adapt, change techniques, and generally be less comfortable in their belief that they can operate with impunity. The IST’s Ransomware Task Force report recommends using many different capabilities to help address the threat in a holistic way. Part of that multifaceted effort is to go after attackers and disrupt their capabilities.
IST_org22 karma
Allan: The best path is the one that works for you, everyone is different, I started in the helpdesk which was great because I got to learn about the problems that people had and it allowed me to be more empathetic as I progressed in my career.
IST_org18 karma
Marc: The best cybersecurity people come from the ground up. Get a good baseline of knowledge in technical areas - often working low level IT jobs as an intern or first job can be a great start. Then work on building your base of cybersecurity knowledge. At some point you have to start getting cybersecurity work experience. Experience doing cybersecurity jobs is better than any piece of paper alone. Sometimes this can be gained from low level jobs by taking on cyber responsibilities - by being that IT guy checking patches and ensuring upgrades are done you can build cybersecurity experience.
Almost all the best cybersecurity people come from backgrounds like this. Few have specialized degrees. I am one of them. I gave a fuller answer in /r/cybersecurity.
IST_org15 karma
Bob: Cybersecurity has become a diverse field with many areas you can specialize in. Learn as much as you can about each area and see which one appeals the most, then dive in! You don't need permission to start learning a particular topic, and there are tons of local security meetups all across globe, plus many online communities that can help you get started.
Once you truly settle into some area, there are numerous pathways to more formal education (all the way up to PhD level). Just be curious and don't be afraid to keep asking "why" and "how".
IST_org14 karma
Jen: Look for ways to educate yourself on what's going on and meet people that are working in security or have similar interests. Going to local meet ups, attending free online events, that kind of thing will help you build your knowledge and network. You can also look at open source security tools and free cyber ranges to try building your skills without having to spend a lot of money.
masturkiller13 karma
Question - Is email tracking by invisible pixel or visible still possible in 2021? If impossible, do you know of any way to track the geolocation of the person opening the email without them knowing and without their email application preventing this process from occurring?
IST_org13 karma
Bob: Pixel tracking is alive and well and one of the most-used techniques. If your mail client blocks images and will not execute JavaScript (or load external resources of any kind) then you're not going to be able to be tracked.
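Bob's point that a client which fetches no external resources defeats pixel tracking, as an added example that is not from the AMA participants: a small Python sanitizer that rewrites an HTML e-mail so nothing is loaded remotely when it is rendered, and reports which URLs it blocked. The sample message and the `track.example.invalid` host are constructed for the demo.

```python
import html as html_mod
import re
from html.parser import HTMLParser

# Constructed HTML e-mail body: one 1x1 tracking pixel, an inline (cid:) logo that is
# safe to keep, a remote script and a CSS background that would also beacon on open.
SAMPLE_EMAIL = """<html><body>
<p>Hello, your invoice is attached.</p>
<img src="https://track.example.invalid/open?uid=123&amp;msg=456" width="1" height="1" style="display:none">
<img src="cid:logo.png" alt="logo">
<script src="https://track.example.invalid/t.js"></script>
<div style="background:url('https://track.example.invalid/bg.png')">Best regards</div>
</body></html>"""

# Matches CSS url(...) references to remote hosts, capturing the URL itself.
CSS_URL_RE = re.compile(r"""url\(\s*['"]?((?:https?:)?//[^)'"\s]+)['"]?\s*\)""", re.I)


class RemoteResourceStripper(HTMLParser):
    """Rebuilds the document while dropping every attribute or CSS reference that
    would make the mail client contact a remote server, and removing active content
    (script/iframe/object/embed) outright. Blocked URLs are collected in .blocked."""

    REMOTE_PREFIXES = ("http://", "https://", "//")
    SRC_ATTRS = {"src", "href", "background", "poster", "data"}
    DROP_TAGS = {"script", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through untouched
        self.out = []
        self.blocked = []
        self._skip_tag = None  # set while inside a dropped element

    def _is_remote(self, value):
        return value is not None and value.strip().lower().startswith(self.REMOTE_PREFIXES)

    def _clean_css(self, css):
        for m in CSS_URL_RE.finditer(css):
            self.blocked.append(m.group(1))
        return CSS_URL_RE.sub("none", css)

    def _emit_tag(self, tag, attrs, self_closing=False):
        if tag in self.DROP_TAGS:
            for name, value in attrs:
                if name in self.SRC_ATTRS and self._is_remote(value):
                    self.blocked.append(value)
            self._skip_tag = tag
            return
        kept = []
        for name, value in attrs:
            if name in self.SRC_ATTRS and self._is_remote(value):
                self.blocked.append(value)
                continue  # drop the attribute; the element stays but fetches nothing
            if name == "style" and value:
                value = self._clean_css(value)
            kept.append(name if value is None else f'{name}="{html_mod.escape(value, quote=True)}"')
        self.out.append("<" + " ".join([tag] + kept) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if self._skip_tag:
            if tag == self._skip_tag:
                self._skip_tag = None
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_tag:
            self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_remote_resources(document):
    """Return (sanitized_html, blocked_urls) for an HTML e-mail body."""
    parser = RemoteResourceStripper()
    parser.feed(document)
    parser.close()
    return "".join(parser.out), parser.blocked


if __name__ == "__main__":
    clean, blocked = strip_remote_resources(SAMPLE_EMAIL)
    print(clean)
    print("blocked:", blocked)
```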
cyber_wonk8 karma
Should we ban ransomware payments? Alternatively, should we just ban coverage of ransom payments in insurance policies?
IST_org23 karma
Marc: We should NOT ban ransomware payments. Many organisations find themselves in a difficult position where they feel they are trapped between their shareholders, their customers and law enforcement. This gets even worse when you consider healthcare. If someone's life hung in the balance, would you want a hospital prosecuted for paying a ransom to bring a surgical suite online?
Let's not forget who the criminals are and not criminalize the victims. It only drives payments underground and destroys our chances of collaboration. Instead we should work to make ransomware payments more attributable, make organisations hostile to ransomware, and work on the world stage to eliminate hiding places where these cybercriminals can operate with little recourse.
IST_org13 karma
Marc: Additionally, I believe that we should work WITH ransomware insurance companies to make ransomware insurance more expensive for companies that aren't doing the basics. Insurance has been an excellent lever for eliminating safety issues throughout history and it can be here too. Eliminating it removes one of the levers we have to influence how we fix this.
IST_org6 karma
Jen: The reality is that both Bob and Marc are correct, and that's why this is hard.
From an idealistic point of view, I think a lot of people agree with Bob - ransom payments fund organized crime, which is responsible for some pretty heinous things, including child exploitation and human trafficking. Also, ransomware is primarily profit motivated, so the expectation is that if we take away the attackers' chances of getting paid, they will eventually stop.
This is where Marc's more pragmatic position comes in. Because, as we've said here, there is little risk or real expense or friction for attackers today, so before they give up on ransomware as a revenue stream, they are very likely to play a big ol' game of chicken with victims. To tip the odds even further in their favor, they will likely focus on organizations that have the least resilience, which is either SMBs who face losing their entire business, or critical infrastructure providers that have no tolerance for downtime due to the criticality of their service. That's what we've seen when hospitals or fuel pipelines have felt they had no choice but to pay.
Even if a government tries to shore up these organizations, there is no such thing as an entirely bulletproof organization, and recovery always takes time. So we could end up seeing business leaders make payments in secret, which puts them in an even more vulnerable position.
So the net of all that is that we should figure out how to get to a state where banning payments could work in practice without causing a lot of unintended harm, but we're certainly not there today.
IST_org5 karma
Bob: We should totally ban supporting child and sex trafficking through ransomware payments
Electrical_Ad_40147 karma
Do you think resource-strapped SMBs are overwhelmed? Does it worry you that a prescriptive list of 15 things to do might not be actionable to them, making them not so useful? Is cloud the only way for them to go? Why not turnkey certifiable hybrid environments?
IST_org4 karma
Jen: SMBs that know enough to be worried about security are overwhelmed, but many aren't even really aware of the risks or how they relate to their organizations. And yes, we definitely worry about the prescriptive lists. This came up in the Task Force a lot as we looked at why organizations are not adopting preventative measures. We need guidance to be tailored, pragmatic, and provide a path for maturity.
For many SMBs, following guidance isn't achievable in-house as they outsource all their technical needs. We need the organizations that provide those services to step up and provide a security baseline.
IST_org3 karma
Bob: SMBs are most certainly overwhelmed and "cloud" is far from a panacea (it can actually make things worse w/r/t cyberattacks and data breaches if you aren't careful). SMBs already have to navigate other types of regulatory and statutory landscapes where they often seek the aid of specialists to get the details right. Now that IT is a critical component of their business processes, they need the same level of attention and help there, so they should be working with specialists to help get the basics right. However, much work is still needed at the policy and law enforcement levels to help curb ransomware so it is not as large of a threat to SMBs (or any organization).
IST_org1 karma
James: Yes! But at the same time, everyone is nearly always operating with less than their full wish list.
There are no silver bullets in information security. That being said, working to reduce risk is what security is about. All punch lists, check lists, and Top 10, Top 15, etc should be interpreted in light of applied knowledge about business risks. It isn’t futile to work towards improvement, it is all we can reasonably do. As with all things, do not let perfection become the enemy of progress!
Leguboy4 karma
To defend myself from mal/ransomware: Can you recommend a firewall to use for my homelab? Is a hardware firewall better than a software one (using proxmox to virtualize).
IST_org10 karma
Marc: "Can you recommend a firewall?" - personally I use pfSense at home because it's easily customised, runs on a lot of easily obtained consumer devices and has a solid feature-set and performance. Remember though, a firewall is only as good as the way you use it. A lot of sophisticated attacks jump things like firewalls by relying on the user to bring them inside the protected network.
Get a good firewall, but if you are really interested in being secure, look at all the ways you can up-level your security hygiene (ensure everything is kept up to date, even that 7 year old IoT TV; ensure that you have segmented networks for untrusted devices like that laptop the annoying person brings when he visits; and be careful with what you connect, plug in or run. DONT CLICK SHIT.)
IST_org7 karma
Bob: Using a firewall is one small portion of defense. Without knowing your setup it is difficult to make recommendations. Keeping it patched, and the configuration as diminutive and tight as possible, is almost more important than the "brand"/"flavor".
IST_org4 karma
Allan: Given the proliferation of phishing as an attack vector for ransomware a firewall alone is not going to protect you. As to whether or not you need a hardware or software one, it depends on how comfortable you are with managing the underlying operating system and how much time you have. I use a hardware firewall at home because I have enough to do at $dayjob that I don’t need the headache of dealing with underlying OS issues on my home firewall.
phrequency_3 karma
As an employee of a small business who had 2 ransomware attacks happen to them (never paid, just backed up our server), how do we better prevent this even though we have anti-virus/physical firewall/anti-malware software? What is the procedure when we first discover we were attacked?
IST_org6 karma
Bob: Did you identify how attackers managed to gain initial access in each instance? That is a vital component of your incident response process (even if your SMB is "just you" :) ). Did they get in via VPN credentials? Did you get a phishing email? Did you get hit with a drive-by exploit? Did you open an attachment in an environment with macros/active content execution enabled? Did your Exchange server get compromised in March but you didn't realize it? Attackers have a myriad of ways they can get in and you really need to know that to make any investments in technology or process changes.
matt77443 karma
How much of cyber polygon, the world economic forum and the great reset tied into this?
IST_org2 karma
Jen: Ransomware is a huge problem with broad impact, so not surprisingly there are many, many initiatives and efforts to examine the problem and come up with solutions. The Ransomware Task Force definitely benefited from the work that came before, and we also fully appreciated that our efforts would not be the last word; we hoped they could pave the way for others to follow.
WEF is running its own Ransomware initiative and we know they have been looking at the RTF report and talking with some of our members to help inform their own thinking. I'm looking forward to seeing what they come out with.
IST_org9 karma
Allan: Anonymous is real. I don’t think they define themselves by good/bad.
MN_LudaCHRIS3 karma
Silly questions aside, in your career what has been the best highlight of your time fighting cybercrime? Is there more the general public can do to help people like you fight against them?
IST_org9 karma
Marc: Probably the highlight of my career as a cybercrime fighter was watching 2,000 security professionals, law enforcement personnel and other government staff come together to fight cybercriminals attacking hospitals during the pandemic as part of the CTI League.
IST_org4 karma
James: For me, it is all about influencing the overall security of the world. There is no other work for me that compares to being able to enable human freedoms and a free exchange of ideas on a global basis.
Individuals and companies are constantly protected from threats by altruistic efforts of public and private sector defenders who mostly go nameless and without any fanfare. Getting to sometimes contribute to those efforts is truly rewarding.
llobotommy3 karma
Are hackers susceptible to other hacker group attacks? I know nothing of the culture, but I imagine it to be some kind of online gang turf war. Or is it more a case of hacker groups testing themselves against each other to strengthen their skills?
IST_org7 karma
Marc: Hackers gonna hack. Yes, hackers attack systems controlled by other hackers. The reasons why vary according to motivation. Nation state hackers attack other nation state hackers. Hackers running a business attack their competitors. In some ways it is like gangs or the mafia; in other ways it's just about showing who is the most leet. Hacking to many is about showing they are better. Breaking into another hacker's system shows that you are better than them.
IST_org4 karma
Bob: They collide all the time. For a few years (the activity is way down) public SMB server takeover was flipflopping between groups so they could have their own coin miners vs the other gangs. There is no honor amongst thieves.
AStupidTaco3 karma
Isn't there a better payment/effort ratio to be on the side of the hacker? You guys are playing goalie right where you have to block all the shots 100% of the time and the hackers only have to get it right once. Illegality aside.
IST_org16 karma
Marc: Ah yes, the age old question "but couldn't you make more as a criminal?" The answer is yes, I probably could. However, what stops me is morals, ethics and laws. I have a family I want to see grow up in a safe country and I love my community (the hacker community), so I want to protect them. I can't do that as a criminal.
I also hate bullies and fighting cybercrime is the ultimate bully takedown. Especially when the bully you take down is an entire country.
AvocadoDemon2 karma
What is the cyber-war that is raging between countries all over the world? Who's against who? And who are the strongest/biggest players?
IST_org7 karma
Marc: Everyone is fighting everyone else. It's a story as old as time. The fact is a lot of these fights have been raging for a loooong time; the only change is how they fight (cyber rather than guns and bullets) and the fact that we are much better at spotting it and reporting it.
The other challenge with cyberwarfare is it's the ultimate asymmetric warfare mechanism. For a couple of thousand dollars one man with a laptop can cause great harm to a nation. That's an unprecedented level of impact for very little investment. So naturally it's happening A LOT.
SamSepinol2 karma
I'm a computer science student who knows Python, C, Linux, networking. Planning to get OSCP this summer. What career path should I follow and what topics should I learn to be top rank?
IST_org6 karma
Bob: You really should be learning what appeals to you. Most of the talented, and "happy" cyber folks I know lean into their passions and interests. It's difficult to tell others what your passions should be.
Opus-the-Penguin2 karma
What are the odds that arrests will be made in some high profile case? At this point it seems as though there's little to deter these criminals since they lack an internal moral compass. It would be nice to see some of them caught and sent to prison for at least 20 years. Are they in countries that would be interested in prosecuting them if they were found?
IST_org2 karma
Bob: Much depends on how successful foreign policy efforts are in the coming months/years. I do believe it is vital that more of these criminals are caught and sentenced to level up the risk associated with these actions.
IST_org1 karma
Marc: Arrests are made all the time; the problem is it is generally affiliates or low level operatives, because the puppetmasters hide in countries where they can't be reached through normal judicial processes. This is why we have to start working on the world stage to eliminate these hiding places and take the fight to the criminals themselves.
mellamosatan1 karma
I am curious how you can really stop Ransomware. I know there are preventative measures, but the state of IT in the world right now is largely open to exploitation. It seems like hunting the criminals is easier than countering the software efficiently. Outside of coming up with decryptors, what can be done post-infection? I know you can restore from backups, but what if those are encrypted too and off-sites aren't available?
I guess my question more directly is: how do you stop ransomware after it's already happened? It seems like the overwhelming answer is 1.) restore from backups, 2.) pray someone has a decryptor freely available, which is unlikely, or 3.) pay up, hopefully negotiate them down.
Are there other options? Do you see any potential alternative options being developed in the near future? I'm curious about how the pipeline got a lot of their money back, that hasn't seemed to been possible in other cases. What happened?
IST_org4 karma
Bob: I'm working with an organization right now who is taking ransomware very, very seriously. They have a complete plan for asset replacement/reimaging, backup restoration, and service redundancy that they actually test in real-life scenarios. So, it is possible to recover. This has not been cheap for them, nor is it done in lieu of prevention efforts. If "IT" is a critical component of one's business processes, then it should be invested in the same way one would any other critical business process area. There is no free lunch.
IST_org3 karma
Marc: In the '80s and '90s no one believed we could make an impact on car stereo thefts. In the 2000s no one believed we could make an impact on smartphone thefts. While none of these have "gone away", the truth is they were all impacted massively by a few small changes that made it harder for the criminal, reduced their profitability and made it more likely they would get caught.
Ransomware is obviously way harder than all these because it hides across shadowy international borders and it's even harder than ever to attribute the real puppetmasters. However, I believe firmly that we can make a massive difference by collaborating on this and hitting these criminals from every direction at once. Eliminate? Maybe not; no crime ever completely goes away. But stop this plague in its tracks? Yes, I believe we can.
Penny_D1 karma
Do cybercriminals have greater access to ransomware tools?
How would you recommend educating the public on ransomware? Are Baby Boomers and Gen X'ers more susceptible to the social engineering tactics involved in ransomware, or is this a problem that greatly affects younger generations as well?
IST_org3 karma
Marc: This is at the very heart of why so much cybercrime has exploded recently. In a lot of cases - ransomware included - we aren't looking at particularly new TTPs (tools, techniques and procedures); we are looking at an industrialization and easy availability of existing ones. What was done one on one is now done at scale.
What required complex knowledge can now be done with the click of a button. This industrialization, fueled by the drive for profit, makes these cybercrime gangs operate almost like tech startups. They develop a product - usually based on existing knowledge - they scale it and they operationalise it. Then they run it like a business.
IST_org3 karma
Marc: However, this is also one of the things that makes them vulnerable. Businesses are affected by external pressures. Drive up the cost of operating, drive down the bottom line and ultimately businesses fail. We want to make ransomware gangs fail.
WarPig2621 karma
Considering what you do and your level of access, how do you internally check yourself to make sure your members are not abusing the powers and authorities that they have to their own ends?
IST_org5 karma
Marc: The same rules that bind me as an ethical security researcher also bind me when I fight cybercrime. Ultimately I am also bound by the law.
sephstorm1 karma
What are the recommended mitigations for organizations to put into place to defeat or minimize the impact of ransomware?
When you do pentests, do you check to see how effective RW would be? Should this be something pentesters should do?
How do you feel about the state of the industry where there are a ton of certifications for entry level pentesters, but the only thing companies want is the experience professionals have a hard time getting?
IST_org2 karma
Bob: The report has links to many resources, but CISA and NCSC both have solid guides and most vendors have very similar lists of things that orgs should do (that don't always require purchasing their stuff).
IST_org1 karma
Marc: The best mitigation is good security hygiene. You can read more about what that means in the Ransomware Task Force Report we published. tl;dr however: make sure your networks are secure and patched to the latest version, turn on MFA, turn off unnecessary services, run good endpoint protection software and don't click shit :)
Running ransomware tabletops is an EXCELLENT piece of advice for every size of organisation. Understanding what defenses you have in place and how you would tackle that kind of incident is something that very few organisations are ready for. You know you have backups, but are they in reach or out of reach of a laterally moving threat? Do they work? How long would it take you to stand up a clean network? All of these things are quantifiable and knowing them ahead of time provides a huge amount of operational security.
I think breaking into the industry as a first timer is hard. I didn't start with a computer science degree and didn't get any certs until much later in my life. I do think certs have value - knowledge is power. However, it has to be tempered with knowing things that are current and relevant. The most important thing is experience. You can get that - it's easier than you think. Even volunteering to apply patches for an NGO counts. If you are passionate about cybersecurity there is a community out there to help.
FutureBWO1 karma
Hello, I am 7/8 through a Bachelor's in Cyber Security, currently working in Physical Armed Security, how would you advise I transition to computer work?
IST_org2 karma
Marc: Well, technically my first security job was as a bouncer :) All knowledge, no matter what domain, is relevant. However, to transition from the physical security domain into the cybersecurity domain requires building a body of current knowledge, developing current skills and slowly getting work experience that identifies you as someone who has done cybersecurity. It is very doable but it takes time and dedication.
FireCrest1151 karma
Do you believe in cyber attack escalation, the point where there are more attacks than the number of analysts trying to stop the attacks? If so, how can we get more people to help or experience for the current analysts like myself as an Incident Responder?
IST_org3 karma
Marc: Security is absolutely a scaling problem. Criminals are scaling their operations all the time. This means we have to scale what we do to defend. That said, I don't believe the answer is throwing people at it blindly. I think the answer involves both hiring more people and developing automation that helps us scale how we solve problems.
To hire more we need to create pipelines into education that give kids the right training to see it as a viable career early. As many of the questions show, breaking into cybersecurity is hard and off-putting. I personally believe that's because people aren't given the right tools and knowledge to choose that path early.
Educating kids in cybersecurity will both create more cybersecurity staff and ensure that the rest have a much greater cybersecurity awareness and don't become the victims of tomorrow.
cyber_wonk1 karma
It's often said that if organisations could just 'do the basics' (close RDP, MFA, patch etc.) it would make a big difference towards mitigating ransomware. Why do organisations find it so hard to do the basics and do we need to lower our expectations of what's possible?
IST_org3 karma
Marc: There's lots of reasons; first and foremost is simply not having the resources to tackle the problem. Working in the CTI League I lost count of the number of medical facilities we would find with vulnerabilities that had no one to apply the patches. However, when you think of it, given a choice between doctors/medicine and IT people I'm kind of glad they made the choice they made.
The other big reason is simply not knowing what they have, from organisations that don't realise their EPOS (payments) systems are connected to the internet and vulnerable, to huge enterprises that have things that they didn't know they actually had. There's lots of reasons. What it boils down to is we need to get better at knowing what's exposed, who it belongs to, how to report it, and how to support those organisations that fall behind the security poverty line.
IST_org3 karma
Marc: For me the security poverty line is my greatest fear. It's all good for us to make recommendations that the million or billion dollar enterprises can follow, but we MUST recognise ransomware is a scourge of the entire ecosystem. What we do must take into account the little orgs as well as the big orgs.
IST_org2 karma
Bob: "Doing IT" is hard in most organizations b/c of the speed at which things are deployed and change, and by the diversity of groups and individuals with authority to make said changes. Unfortunately, we cannot lower our expectations since the attackers know where to hit the weak spots. We need to innovate ways in which to make it easier to identify and remediate gaps, along with deliver services more securely out of the box.
IST_org2 karma
Allan: It is amazing how quickly organizations accumulate technical debt. That technical debt is what makes it hard to ever fully catch up on security challenges within an organization. In the first 4 months of this year there were 6035 vulnerabilities announced, 188 of which were critical. Keeping up with just patching vulnerabilities, even in a small organization, can be a full-time job and most small organizations can’t afford to hire a full-time vulnerability management person. And that is only one aspect.
IST_org2 karma
James: I am a big fan of “do the basics!” There are many reasons this is hard: lack of time, lack of resources, lack of organizational support, internal corporate politics, lost institutional knowledge, lack of focus, etc. There is also complexity added by larger environments. It is easier to track 100 devices than 100,000. It is easier to secure one organization than a merged conglomerate of several acquisitions.
Sometimes the basics are far from basic when it comes to trying to implement them via a structured program! The bigger picture is about the business, however. Looking at security through an optic of “security is the only priority” is normally not appropriate. Businesses need to allocate time, resources, and energy towards earning money to stay afloat so they can pay their employees and exist in the first place. Often, this creates a tension for resources that impacts allocations to security initiatives.
This is why focusing on improvement based on a risk management perspective is always important. Focusing on the basics will normally have a significant ROI though, in terms of improving posture.
JoOngle1 karma
Hi.
I'm relatively old by the young IT Crowd standards, and I work in service desk for one of the largest companies in the world.
However, I'm suffering from burnout right now; my psychologist says it's not real burnout but due to lack of challenges in my workplace. They could be right about that.
How hard is it for a 50+ year old to get a job in cybersecurity? I've been around since the '80s where I low-level coded my own video games, and I've been messing around with monitoring and surveillance gadgets all my life; it's kind of my spare time passion.
I'm the total-paranoid package, meaning - at work, I'm the first to suspect everything, I was the only one paranoid enough to find our security dept's own monitoring software that the whole 900+ IT team didn't even know about, just because I will go paranoid on the smallest system changes, like system slowdowns, and I'm all over task-manager...
At home I've been using Linux since 1998, slackware - the total paranoia package all the way...
How hard would you say it would be for me to go for a job within IT security? I don't know everything, but my passion usually drives me to learn things really fast.
IST_org2 karma
Jen: In terms of how easy it is, I don't think it's ever easy to make a decision to retrain to switch careers when you are already far down one path, but the folks I know who have done so generally seem to think it was worth it.
There is a lot written on the "skills shortage" in infosec and as a result, a lot of employers are looking for new avenues for hiring. One thing I hear about a fair bit is programs for people that want to retrain in cybersecurity, as they often bring a diverse perspective and approach to problem solving. I know the UK government runs some retraining programs, and I think there are some in the US too. So I would definitely encourage you to look into it. It's better than being bored!
SammaATL1 karma
My secret fantasy is for a hacker to prove the fallibility of electronic voting machines by changing the top vote getter in some election to Mickey Mouse or some other blatantly non-partisan fictional character to force bipartisan solutions to election vulnerability.
Do you think that's a possible scenario? USA based, obviously.
IST_org6 karma
Marc: Come to DEFCON and be that hacker. The voting village has voting machines for you to hack on ;)
IST_org5 karma
Allan: Long Answer: No. The United States doesn’t have a single voting system, they have 60+ voting systems (50 States, plus DC and the territories, and many counties run their own voting systems).
IST_org2 karma
Allan: To do what you want you would have to break into all the different voting systems and change the votes, that isn’t something that a single person, even a TV hacker could do.
dd_ee0001 karma
Are physical keys more rigid and secure than just SMS OTP or TOTP from authenticator app (Authy)? Thank you!
IST_org4 karma
Bob: I prefer physical keys over anything delivered digitally, but having some 2FA is better than no 2FA (depending on the risk model of the individual/organization)
IST_org4 karma
Marc: SMS OTP should be considered deprecated. There are attacks in the wild that allow interception of SMS via things like protocol weaknesses or even human attacks like SIM swapping.
Beyond that, the best advice I can give is that so long as you are using a separate secure multifactor device (software on a mobile device, or dedicated hardware) you are in a strong position. Like all things that may/will change, but right now that's how it is.
IST_org3 karma
Allan: They are, but don’t let “doing something” stand in the way of “doing nothing”; having MFA of any type is much better than having no MFA.
ProfessionalLemon1 karma
What are your thoughts on the cutting edge attacks used by ransomware actors? As a defender how are you expected to detect malleable c2 or stop attackers from installing a VM and starting the encryption process where the AV can't get to it?
IST_org3 karma
Bob: Truthfully, most ransomware attackers don't need advanced tooling to accomplish their goals. The pipeline was ransomed b/c of plain credential use on a VPN. Not exactly rocket science.
IST_org3 karma
Marc: Security is a constant game of whack-a-mole. As a researcher I firmly believe that anything man makes, man can break. That's why we have to stay on top of this and, just like the bad guys do, evolve our knowledge and our tactics. It's job security for sure.
IST_org4 karma
Marc: It's hard to comment on the LinkedIn breach without knowing / talking about details that aren't public yet. However, if we take a step back and look at the macro landscape it tells me that we are not doing enough to protect user data and that somehow we need to rein this in. It's hard because everyone is suffering from "breach fatigue". I don't know about you but I almost expect my credit monitoring renewal once a year from whatever breach I've been caught up in. Somehow we have to change this.
IST_org3 karma
There are over 8 billion credentials/records in the wild. At this point, the only notice I take of new credentials/record breaches is to cross-reference with "Have I Been Pwned?"-like services and ensure my accounts are all in order and that the same protections on my financial accounts are safe.
Darlington281 karma
What password manager do you recommend, if any? Also, how many cats are too many?
IST_org3 karma
Bob: The one you'll actually use. I've been a longstanding user of 1Password, but most of the ones with higher reputations are fine.
IST_org3 karma
Marc: I use 1Password, my friends use KeePass and I even know someone that uses LastPass. The honest truth is that so long as it's from a reputable company with a history of handling security concerns responsibly and maturely, any decent password manager is better than none. Each has different attributes and features; choose wisely ;)
solve-it-yourself180 karma
You mention that a degree may not be necessary for a job in cyber security, do you have resources or online courses that someone could use to gain relevant knowledge?
Edit: Although with some considerable delay, I would like to thank you all for your comments and your feedback. This is all very helpful and I’m genuinely impressed with how supportive you are!
I’ll give everything you’ve sent a proper look and might bother some of you with additional questions.