TDL 008 | Defending the Frontline: Ransomware, AI, and Real-World Lessons

Summary

In this episode of “The Defender’s Log,” host David Redekop interviews Alexander Rau, a cybersecurity partner at KPMG, about the evolving incident response (IR) landscape.

Rau notes that the past summer was exceptionally busy for IR, driven largely by zero-day firewall vulnerabilities. He highlights that threat actors are innovating, even using AI chatbots for initial ransom negotiations.

They discuss the challenges of the “human element.” Rau warns that multi-factor authentication (MFA) is no longer a silver bullet against Business Email Compromise (BEC) due to threats like session token stealing and sophisticated deepfakes.

Rau expresses significant concern for small-to-medium businesses (SMBs), which he calls the “backbone of the Canadian industry.” He observes that SMBs often lack the resources for proactive cybersecurity, only prioritizing it after a devastating breach. When an incident occurs, Rau says his team’s role is to bring a calm, methodical “marathon, not a sprint” approach to the client’s chaos.

Rau’s final advice, especially for SMBs, is to ask for help. He stresses that investing in proactive security, even through a small managed services provider, is far cheaper than the costs of recovering from an attack.

Full episode of The Defender’s Log here:

Defending the Frontline: Ransomware, AI, and Real-World Lessons | Alexander Rau | The Defender’s Log

TL;DR

  • This past summer was the busiest on record for KPMG’s incident response (IR) team, driven largely by threat actors exploiting zero-day vulnerabilities in common firewalls.
  • The two biggest threats are Ransomware (often technical) and Business Email Compromise (BEC), which targets the human element. Attackers now bypass MFA with session-token stealing and use AI/deepfakes to create highly convincing scams.
  • A major concern is the cybersecurity gap for Small-Medium Businesses (SMBs). They often lack the resources to be proactive and only address security after a devastating incident, even though they are the backbone of the economy.
  • Threat actors are “running a business” and are so busy they’ve reportedly started using AI chatbots for initial ransom negotiations and sometimes skip data theft (double extortion) just to encrypt victims faster.
  • Incident response is a “marathon, not a sprint.” The IR team’s role is to bring a calm, proven methodology to the victim’s chaos and ensure the client’s internal team gets rest to avoid making critical mistakes under stress.
  • While paying a ransom is a complex “business decision,” the single best advice is to “ask for help.” Paying for proactive expert help before an attack is always significantly cheaper than paying for recovery after a breach.

Links

View it on YouTube: https://www.youtube.com/watch?v=-YuAxmB0yGQ

Listen to the episode on your favourite podcast platform:

Apple
https://podcasts.apple.com/us/podcast/defending-the-digital-frontline-ransomware-ai-and/id1829031081?i=1000734551730

Spotify
https://open.spotify.com/episode/66Eu50G1q0eZZaOlpEu1tA

Amazon Music
https://music.amazon.ca/podcasts/d7aa9a19-d092-42a6-9fe9-9e8d81f68d30/episodes/c3329ff3-e516-429a-b710-5e4ab6d13376/the-defender’s-log-podcast-defending-the-digital-frontline-ransomware-ai-and-real-world-lessons-alexander-rau

ADAMnetworks
https://adamnet.works


The Defender’s Log Episode 7: Transcript

Defending the Frontline: Ransomware, AI, and Real-World Lessons

In Today’s Episode:

  • David: David Redekop (Your Host)
  • Alex: Alexander Rau (Our Guest)

(Intro Music/Voiceover)

Voiceover: Deep in the digital shadows, where threats hide behind any random byte, a fearless crew of cyber security warriors guards the line between chaos and order. Their epic battles are rarely spoken of, until today. Welcome to The Defender’s Log, where we crack open the secrets of top security chiefs, CISOs, and architects who faced the abyss and won. Here’s your host, David Redekop.

Introduction

David: Welcome back to another episode of The Defender’s Log. This is episode number eight and with me today I have Alexander Rau. Alex, I’m so glad that you could be here today. Alex is a partner in cyber security at KPMG and we have some horror stories to exchange today to some degree. We were just talking during the introduction, Alex, about how we have really the real world around us, right? We have computer noise. We have our notifications here. So hopefully you’re not going to have to bail in the middle of this episode for another incident response. How are you, Alex?

Alex: I’m good. Thanks for having me, David. It’s a real pleasure to be here. Yes, you’re right. And I hope that if something happens, although it’s Monday, usually these things happen on a Friday or a long weekend, so we might be safe, right? But I don’t want to jinx it.

A Busy Summer for Incident Response

Alex: What is interesting, and I don’t know if you want me to get into the stories right now, is that usually when it comes to cyber attacks you can see a cycle, right? You see Christmas is busy, or I should say the Western Christmas is busy, but then the phase after Christmas becomes a little slower. But this year the summer has been an exception, in my opinion, from the work that we have seen, from the ransomware events that we have been brought into, to the unfortunate events that happened to our clients. It has been the busiest summer for me and my team since I started in incident response, and that was largely due to a lot of zero-day vulnerabilities that have been around in the wild in some of the firewalls from firewall manufacturers. They were heavily exploited by some of the threat actors out there, to the point where, I think, they got too busy attacking our clients. And they kept us busy, too, unfortunately. So it was a different summer for sure. It has died down a little bit, but we expect that for the American Thanksgiving things might be picking up again.

David: Wow. So, out of all the years that you’ve been doing incident response work, this is the busiest summer, and so you were, what, tapped out with your existing capacity?

Managing Capacity and Global Collaboration

Alex: We were almost at capacity. So incident response is like, I always compare it to firefighters, right? You can never predict when you will be busy, so you always have to be staffed, and you always have to be staffed a little bit more, I think, because we also have, for example, retainer clients, right? And we have SLAs with those retainer clients, and usually what happens when the floodgates open is that everybody needs you, right? So we have to ensure that, in addition to the work that comes in on a daily basis, we’re still there to respond at the SLAs to our retainer clients. So we were near capacity. The fortunate part, and a plug for KPMG here, is that we were just named a leader in the IDC quadrant for worldwide incident response. So the positive here is that even if our team is at capacity, that doesn’t mean we’ll run out of capacity. We can always reach out to our friends south of the border for additional capacity, and even the rest of the world. We’re working very closely with our member firms across the globe to not only work together on incidents but also share cyber threat intelligence, share knowledge of what’s happening in your corner of the world, which could be very beneficial, right, to gain that knowledge. It’s one thing to get CTI through official CTI channels, but it’s another if you actually directly talk to people who are in the trenches and are responding to incidents globally, worldwide, right? So, yeah.

The Challenges of Threat Intelligence Sharing

David: I find that threat intelligence sharing is an ecosystem that has evolved over time. But it’s this constant, slow stepping game where there are some aspects of what we find in the industry that are best held close to our chest, because it gives us a competitive advantage, and yet, by the same token, we want to collectively defeat the adversary more efficiently. So a lot of sharing is a good idea, and so how have you found a way to balance that?

Alex: It’s interesting because we know of all the ISACs, right? There’s the FS-ISAC, there’s the mining ISAC, there’s others that are committed to sharing, right? We have the CCTX, the Canadian Cyber Threat Exchange, and I think the number one idea here is to share threats before they become a threat to other organizations, right? So you can stay ahead of the game. But when we talk to our clients who are sometimes members of those ISACs, and we run through a scenario, for example, and we ask them at what point they would notify their peers in the ISAC, then suddenly the lawyers are getting engaged and saying, well, we shouldn’t really talk to the outside about what’s going on with us, right? So I think there is a little bit of a push and pull between the people who do want to do the right thing and the process sometimes not allowing us to do the right thing. And I think what’s important with that concept is that it happens on a timely basis, right? Because oftentimes these threat actors find a vulnerability, then they probably take an industry approach, because you find similar technologies within similar industries, right? So wouldn’t it be beneficial for your competitor, technically, right, to know that there’s potentially an attack happening on them? But I think there could definitely be more room for improvement when it comes to sharing that information, because we are bound within our organization, but on the other hand we want to help the country as a whole, right, to be better able to defend against those threat actors. And I think we have seen positive signals, right, with the CCTX, with the Canadian government taking more of an interest, and now with the latest government frameworks around critical infrastructure and so on, to make it better, to protect, I guess, not only Canadians but the world as a whole.

David: Right. Right.

The Human Element: Social Engineering and Deepfakes

David: I mean, one of the groups that we’re constantly seeing launching new ransomware campaigns successfully don’t even rely on unpatched systems anymore. They actually rely on deceiving human beings to paste scripts into an elevated PowerShell window, and living off the land, so to speak. What percentage of the incidents that you respond to fall into that category now, would you say?

Alex: Sort of the phishing or the tricking of humans, like the social piece to it. Yeah, that’s an interesting question. The two main categories of incidents we see are, number one, ransomware and, number two, business email compromise, right? So when it comes to ransomware, I would have to say the majority of incidents that are happening, or happened in the last couple of months, and that can change, came through technology: misconfiguration, zero-days, or things like that, right, or vulnerabilities, like from a VPN perspective. When it comes to business email compromise, I think there’s a larger human element in opening the door for those threat actors, right? And for the last couple of years we were hailing multi-factor authentication as the silver bullet when it comes to email compromise and phishing, but we all know that’s not necessarily the case, because now we see session token stealing, right? And then, even if MFA is enabled, the threat actors can still get access to confidential data, right? So we need to stay ahead, and I think it becomes more and more challenging when you add that social, human element to it, right? And I think that element has been around since criminals were trying to steal money or other things from other people, be it in the olden days, right, when fraud and deceiving were always there, and now we just see it with technology added to it, right? I don’t want to divert the conversation into the whole deepfake risks that we’re facing these days, right? Like, how do you guys know that you’re talking to me right now? And we have seen some examples where individuals within organizations have been tricked into performing tasks that they weren’t supposed to do because they were told to by a non-real person. And to defend against that, like, now we’re saying it will be a challenge, and it is a challenge because it’s new, right?
But we’ll find a way to defend against it, and then the threat actors will find another way to add something else to it. So I think it’s a constant cycle where the threat actors are always a step ahead and we’re trying to catch up. And I have clicked on a phishing link, right? I can’t say I’ve fallen for a phone call yet, because we’re doing less and less phone calls, but we get text messages and things like that. So I think with AI, threat actors have become more and more sophisticated. The days are gone where the Nigerian prince had spelling errors in his email, right? Now they craft emails better than me, or now you can clone the voice of everybody who has a YouTube video. This podcast could be used to clone your voice and my voice with free tools that are out there. So we have to do more awareness with our clients, with our peers, within the family, like our children who are growing up in this new era, in this changing era I should say, right? We have to prepare them, because they’re vulnerable, they lack the experience and the expertise. There’s a lot of vulnerable population out there, right? And now I’m talking, from a threat actor and from a cyber security risk perspective, very targeted to individuals, but the same is true for employees within an organization, right? And I don’t even want to say more or less technically sophisticated people. I don’t think it matters. I think what those bad actors go after is the human element and the fact that we want to help people, right? And that’s what they’re exploiting, which is unfortunate. So, yeah.

Detecting Fakes and Generational Differences

David: I just had a conversation with our son over the weekend about the ability to detect fake from real. And it’s not that we haven’t had this problem before, right? I mean, there are entire industries around luxury watches where even the original manufacturers sometimes have a hard time distinguishing between something they actually manufactured versus something that was done elsewhere. That same effort towards a really strong fake equivalency is being applied everywhere. And so we’re looking for those subtle hints; it’s not necessarily pixels, but it’s the messaging, or it’s the exact words, if it’s too smooth, or whatever it may be. I’m afraid that this might be the last generation of young kids, the ones that had some level of awareness of what messaging looked like when it was authentic versus AI. I find that when I put our sons towards comparing the two, they’re pretty good. In many cases, they’re better than I am. And this speaks to how older generations today, people that are 10, 20, 30 years older than we are, are the ones that are most susceptible to phone scams. I mean, for goodness’ sake, my own mother-in-law, I hope she is not listening, this is not to embarrass anybody, but she recently came very close to becoming victimized by someone pretending to be her grandson.

Alex: Yeah.

David: Right. And so these scams are everywhere, and it’s frightening to think that the next generation will be growing up with that natively. So maybe they will have a better signal detector that something isn’t quite right than we give them credit for. I don’t know.

Alex’s Origin Story in Cybersecurity

David: But before we jump into some more stories, Alex, I wonder if you would, because I don’t even know, what’s your origin story? How did you ever even get interested in this space? Like, most of us did not have this position as even foreseeable back in our university days, right? So what was the initial trigger that got you going in this direction in your career?

Alex: For me it was, honestly, I believe meeting the right people, right? I met someone while I was the IT manager for a very small company. He was a client of the organization and he worked for IBM, and we enjoyed talking to each other from a technology perspective. He guided me, and he recommended to me that I should look into doing my CISSP, because it’s a security certification, and at the time, I can’t speak to nowadays, but at the time it was very highly regarded as the certification. It was at the time when you still had the six-hour pencil exam, right? So, yeah, look at my hair. And I have to say it was one of the toughest exams that I studied for, because, what do they say? It’s like a wide world. It’s not very deep, but it’s very wide, right? You have to know a lot of things. And that’s really what I would pin as the pivotal event in my career to get into the cyber security space, right? And then through that I was able to join IBM at the time, and that’s where I learned the ropes, right? I was part of a penetration testing team, from the ground up, and then from there I went to Symantec, Mandiant, and then I ended up here at KPMG leading a team of incident responders. And one thing: every time I did a career change and I talked to the people at the new company and they asked me what I was looking for, I said I’m looking for a career where every day is different, right? Where there’s something new. And certainly in cyber security we have that, right? Not only is the threat landscape changing very rapidly, and even more so now with AI, right, it’s going even faster, but also the clients that we’re dealing with, right? And seeing the different environments, the different challenges that they’re dealing with. So, yeah, that’s a very short excerpt of how I ended up where I am, right? But I’m grateful. I don’t regret anything.
I think being in the space has opened so many doors for me. I’ve met so many people. We got to know each other, which is great, because we as an industry, right, we are here to, and I alluded to this earlier, we are here to make the world a better place, I think, be it for our children, your mother who you talked about, directly or indirectly, but also for many organizations. When we work for the IBMs, for the KPMGs, everybody thinks that, oh, you guys are only working with, like, helping the top 50 companies in Canada, right? But to be honest, from that aspect, I feel our clients in that space are very mature, right? Like, from an IR perspective, we don’t see a lot from them.

The Small-Medium Business (SMB) Cybersecurity Gap

Alex: What I’m really concerned about, what I’ve seen a lot, is that small and medium businesses, which are the backbone of the Canadian industry, right, are having a really hard time catching up with the cyber security train, right? Understandably so, right? Because what do they focus on? They’re doing what they do best, manufacturing a piece of equipment for a GM or whatever, right? And that’s what they’re good at. And with the recent pressures of the last couple of years, with inflation, workforce and so on, cyber security is not top of mind, right? As much as you and I would love to go out there, and we always preach it, be proactive, right? Have a cyber security program, have the latest and greatest technology, make sure you do all of these things. But all of these things cost money. All of these things cost resources, right? When you are a business owner, a small or medium business owner, and you really are crunched on your margins on what you do, I think cyber security often falls between the cracks until you have an incident, right? And then you’re a small manufacturer and none of your machinery works; you can’t deliver. Number one, you can’t produce. If you can’t produce, you can’t make revenue, right? You can’t pay your people. Your suppliers or third parties might come after you because you couldn’t fulfill your SLAs. So that’s when people are starting to think, unfortunately, about cyber security, right? And that’s when we meet clients, at the worst of times, unfortunately, right? It’s a joke when I talk to my clients, like when we do some proactive work too, right, helping them with tabletop exercises and building IR plans and things like that. So when we finish a project, or when we talk to them once in a while on catch-ups, we always joke: I’m the guy that they don’t want to see, because if they see me, something has gone wrong, right?
So, that’s the unfortunate part. I don’t know if you were recording yet, but it doesn’t happen on a Monday morning. It happens on a Friday night of a long weekend. And what do you do then? So, yeah.

David: Yeah. No, you mentioned that about your career, that what you found appealing was that you were looking for something where you wouldn’t be doing the same thing every day. And maybe that explains why you haven’t bailed yet, because there’s such a high turnover in the incident response representation because of the large amount of stress, right? Anybody who’s been through an incident would understand that the stress of the stakeholder, or the person responsible who has let their guard down or feels like if only they had done something else they wouldn’t be in this position now, directly translates to the incident response team. Unless they have, like, super strong insulation against that kind of, you know, stress transfer. But it is new, right? It is different each time, and so we do need some sustainability, because a lot of the folks who are most equipped at doing that are the ones that just can’t sustain the pressure for too long. Mhm. So, good on you for looking for that change and now having that change. And that’s partly what... Yeah.

Alex: Interesting. It’s interesting that you say that though because the stress of an incident that you were describing is mostly on the victim’s side, right? The organization is getting hit. So, yeah.

David: Right.

Alex: Obviously, when we, my team, do this 50, 60, 70 times a year, right, for us there is stress, but it’s a different stress. The stress is to help our client. Like, they have ransomware, and the first thing the CEO says is, how quickly can I pay, when can I go back into production, right? But we need to guide them through the process, because it doesn’t happen as quickly; there’s a methodology we need to follow. And as much as we have a different stress, we are still empathetic with what they’re going through, right? One of the sayings that I learned from a dear colleague of mine, he said it’s not a sprint, it’s a marathon, unfortunately, right, that we have to go through. And the stresses are different depending on what side you’re on, on the supporting side like my team, but I think we then bring that expertise and experience of having run through 50, 60 ransomware incidents a year that we can then help our clients with: this is the methodology we follow. And because you can be prepared, and I wrote a blog post about this years ago, like, you can plan for everything, but there’s a famous saying, as soon as you hit the enemy, right, you can throw all your plans out the window. And it’s the same thing when somebody gets hit with ransomware: even though the organization has an IR plan, even if there’s a tabletop, the first couple of hours are still chicken-with-the-head-cut-off kind of moments, right? Because you still have to find that rhythm, and oftentimes that’s what we actually help with, right? Like, we come and bring a plan to that chaos. We help them find their footing, and then we guide them through the process. They’re actually doing the recovery, but we help them get there. Right. So,

Managing Stress and the “Marathon” of Incident Response

David: Right. Right. Is there some purposeful unwinding that you or your own team does, and/or guiding the client through that? Because it seems to me, with that amount of pressure on everybody, that there might be, just like you have a standardized procedure for attacking an incident, maybe also a standardized unwinding procedure.

Alex: It’s not necessarily standardized, but I think, as we talked about a little bit, the great thing here at KPMG is that we have a large team. Like, we have the largest French-speaking incident response team outside of France, based out of Quebec, which is great, right? And we also have, I think, the benefit that KPMG is not solely an incident response firm. I think our breaks come from the cycles in the attacks that I mentioned earlier, but also from the number of teams that we have that we can rotate around. And I speak for myself: when I don’t have an incident, or when I’m not busy, that’s what causes me stress. If I have three incidents on the go at the same time, that’s, I guess, my personal... I think there is some characteristic of incident responders that they thrive on that stress, they thrive on those situations. It’s almost kind of the opposite; that’s our relaxation, rather than sitting at the beach not having something on the phone, which kind of sounds good too, I love doing that too, right? But I think that cycle comes from having it staffed properly, right? But the true challenge, and that’s what you’re saying, the true challenge is that for our clients, when they experience a cyber incident, it’s all hands on deck and it can go on for days. But the weakest link again is the human factor, and we need rest, we need sleep. If you’re stressed, if you’re not sleeping, you make mistakes.
So our team can also help: we become partners of our clients, and the client then has additional team members, us, so they can have a rotation as well, they can take breaks, right, and they can recharge. So what’s really important, I think, is for leadership in organizations to understand that concept I was talking about earlier, that it’s a marathon and not a sprint, that things take time and people cannot work more than 24 hours in a day, right? And a friend of mine, a classic quote that he once gave when we helped a client with an incident response, is you can’t create a baby in one month with nine men. It takes nine months, right? So no matter what you do, there is a process we need to follow.

David: Right. Yeah. I find that it’s a really important aspect to understand that certain areas of an incident response project need to be managed by a very small, purposeful number of people, and throwing more people at it just complicates things. It adds more overhead, and there is an optimization opportunity there where you just get the maximum amount of productivity out of the smallest possible team. And if you’re doing 50, 60 of these, then I’m sure you’ve arrived at that.

Memorable Incidents and Evolving Threat Actor Tactics

David: Do you have any particular incident that’s, like, the most memorable one that you can think of this year? Like, what’s the number one, without revealing specific details? What was the most memorable one that you had this year?

Alex: So maybe not an incident per se, but we have seen a lot of the same threat actors this year, right? We saw a lot of Akira, we saw a lot of the Qilin group, right? And what’s sort of memorable this year is how the threat actors, the same way that we’re busy, they’re busy, right? And they’re also human beings. So we have stories where the threat actor, and this is not part of the KPMG work, but through the lawyers we sort of hear about how they engage a ransom negotiator, if the client so wishes to engage with them. And I would say nine times out of 10 a ransom negotiator gets involved, because, number one, you can buy time, right? You can start talking to them and delay the initial deadline that they gave you about publicizing the private data and so on. So we hear through them, and we all know each other, right? But what was really interesting this year is how the threat actors admittedly told everyone that they are utilizing AI to also improve their processes, right? So there was one situation where the threat actor admitted that they were so busy that the initial ransom negotiations were actually being done by a chatbot, and only the final stages of the negotiation were done in person, with the actual threat actor person on the other side. So that was one that stuck with me this year. And what’s interesting are the cases that are not necessarily following a methodology, right? So I would say it’s the 80/20 rule: like, 80% of the ransomware cases follow a playbook, and we use a similar playbook to respond, recover and contain the incident. But then once in a while there’s a case where the threat actor had gained additional access, for example got access to the email system, and they were actually admitting that they could read the email traffic between the lawyers and the ransom negotiator and themselves.
So those sort of things, when the threat actor gets a little bit more access, and then you see that it’s actually real people that you’re fighting against, right? Those are the ones that stick in my mind the most. Right. And then, unfortunately, we get clients of all sizes, all industries, and those threat actors, they don’t care who they attack. If there’s an opportunity, they go after them, right? And we talked about your mom, we talked about children, and there are organizations out there who are dealing with vulnerable populations, right? We were on calls with them and they then asked, “Well, can you not tell them that we’re a social institution, we don’t have any money, we’re dealing with the vulnerable?” Right? And some threat actors, they don’t care, right? Like, we have had other threat actors, right, in the past who said if it’s, like, attacking hospitals or stuff, we will not condone that. But, yeah, some of the newer threat actor groups, right, we see a lot of splinter groups with AI now, and ransomware as a service. You never know who’s sitting on the keyboard on the other side. Honestly, sometimes for them it’s really about the transaction. If they can make Bitcoin, that’s what they’re after. They don’t care about the human element behind it. And then that’s sort of the hard part for us; those are the ones that stick in my mind, like when you’re dealing with a children’s aid society that got hit, right? Or a school board, right? And we always talk about the first question: oh, will you pay ransom? Should we pay ransom? Right? And a lot of people said right away, well, we will never pay a ransom, right? But then we’re in an incident and we find out that data of children has been stolen, right? And there are the two schools of thought, right? Law enforcement, they say you never pay a ransom, right?
Like, the horse is out of the barn, they can always come back. But then there’s the other side, that if we pay the ransom, that data then doesn’t get out. And so far we have to say that the threat actors are true to their word, right? If you pay them, they don’t release. But that doesn’t mean they still don’t have it somewhere and may come back, right? We have seen a couple of incidents this year where third-party SaaS services were breached, right, and if that service provider doesn’t pay, they might go after the victims that are clients of theirs, right? So it’s becoming interesting. And then there’s when they change tactics, in a way that, you know what, you have your ransomware playbook, but then they actually call somebody and say, “Hey,” and there’s another human element, right? So it then loses its anonymity too, right? So many stories, too many to tell, but it’s the victims, certain victim organizations, and in some ways the threat actors’ behaviour when they’re changing their tactics. And even, like, we had one case this year where we knew the threat actor has a playbook. They steal data, they encrypt, right? And then we had a couple where they just encrypted. And we said, “Wow, that’s very unusual. Why would they do that?” Right? And then in the next case we heard from the ransom negotiator that they told us that they are so busy right now, they’re just getting out there and encrypting everything. They don’t have time to steal data and they just want to get everybody encrypted right now. So they’re changing playbooks on the fly too, right? Because, as they say, and you can probably see on my part of the podcast that I’m using air quotes, they’re running a business, too, right?

The Business of Ransomware and Targeting Weaknesses

David: Yeah. Yeah, and that’s the key to their way of thinking, they’re just running any business that uh runs on having a competitive advantage. And their internal competitive advantage is knowing more about where your weaknesses are, including whether or not you have ransomware, cyber insurance, knowing whether you have the ability to recover, knowing whether you know your finances are in a position where you would be inclined to pay a ransom. In fact, most of the time the ransom amount is determined based on an optimization algorithm to extract the maximum amount that you would be willing to pay as a victim, right? It’s really gotten incredibly sophisticated. It’s crazy. And one of the things that we’ve noticed recently is that they really are targeting uh successfully those uh small-time uh ISPs that have never enabled uh multifactor authentication in their email, because that’s where business email compromise is actually a lot easier than it is with uh MFA uh enforced by default. Like if you have a Gmail or or Microsoft account that you’re using personally, uh chances are by now you’ve been convinced to add at least one two-factor authentication element, but there’s a lot of these small-time ISPs that were around 30 years ago, 20 years ago that have never enabled it. And so some of them are now to the point where what they’re doing is they’re saying, “You know what we’re going to do? We’re going to shut down our email system because too many of our customers have had some kind of an incident. You’re going to have to move off of our system.” Yeah. And this is happening right here in our home province of Ontario, right? Um it’s it’s uh that that trend to me is in a way um sad that it takes so many victims in order to have a positive direction uh take place from a you know a securing posture perspective from these companies. But it’s also understandable because their core business is providing connectivity, not email. Years ago, providing the email was just like a necessity, but not anymore.

The Positive Shift: MFA and Improved Security Postures

Alex: Yeah. But I also like we also talk about the the bad things that are happening in the industry, but you mentioned like uh if you have Gmail or or Microsoft and and things like that, I have to say that there have been a lot of good things coming out, right, like that we are forced now to do multifactor authentication. And I think our financial institutions are trying to better protect their customers, right? Especially um the vulnerable population, with um pushing multifactor authentication. I think we’re sort of past that point where the general population is chalking this up, oh, this is extra work. People are understanding now that this is to their benefit, right? And um and so I think that has been a big paradigm shift, I think, over the last couple of years, where now you talked about the generations that’s coming up, that generation now, they don’t know anything different than multifactor authentication, right, like

David: that’s right

Alex: and and even when multifactor authentication first sort of came in and uh we had to press a number that’s the same number on the screen, right, and then even that uh with MFA fatigue now has sort of come under scrutiny, but now you have to, so it’s also changing and adapting, right? So now you actually have to type the number, right? So it only can be you, and then there’s certain things that uh that are making it better, easier. There is no uh perfect solution, right? I think a lot still has to do with awareness, training, things like that. And and unfortunately I would say the majority, if it’s in personal life or in business life, unfortunately something has to happen first for somebody to really learn, right? And and that’s the the unfortunate part, especially with our business. I think from, I don’t have the latest numbers and there’s tons of reports out there, but from a from a harm to the economy, from a national perspective, cyber crime is is huge, right? And that didn’t exist in that magnitude 10, 15, 20 years ago. Right. So,

David: Right. Right.

The Ethics and Business Decisions of Paying Ransoms

Alex: It’s definitely changing and that money that is being extorted from this country is also not staying in the country, right? It’s going overseas.

David: right

Alex: It’s going to other places. So, I think there’s a double whammy for the economy, right? It’s being extracted and not being respent.

David: And tracking that information, tracking that number is notoriously difficult because you have uh areas where for example if your ransomware demand is to Russia uh or it’s a known uh Russian attacker and there are sanctions against um paying Russia that makes the ransom payment technically illegal. And so the circumvention around that is to pay the incident responder um so that there’s an arms length removal of the payment. I don’t know how that would stand up if that was ever scrutinized. But at the end of the day, it’s a business decision by the business stakeholder that has to decide is my business going to survive without the ransom payment. If the business will die without getting recovery versus the business will survive if we pay the ransom, then strictly from a business point of view, that’s an obvious decision that the business owner is going to make. It’s not realistic for those of us that have uh used the stance for years. Don’t pay the ransom. Of course, we’d love for that. If no one ever paid the ransom, the whole industry would disappear, but it’s just not practical. So, we do live in the real business world after all.

Alex: Yeah. So, for clarification, as the incident responder, we would never pay a ransom. We’re not in the paying ransom business. There’s special channels to go through that. And I think you’re right. Even if the company itself wouldn’t pay a sanctioned threat actor, they would still be responsible if they directed a third party to pay that ransom, right? So, yeah, it’s a business decision. But what does the scenario look like if you’re willing, let’s say you are willing to pay it, but you can’t because it is a sanctioned threat actor, right? So then you’re really caught in between, because then you can’t, I don’t want to say take advantage of paying the ransom, because it’s like not good wording, but you will have to um there will have to be a decision, right? And and and more often it’s, I think ransom payments went down, I think, for the, so if you had asked me like a year ago I would have said it’s probably 40, 60, 70 percent of uh organizations paying the ransom, but I’ve seen it going up um almost the opposite. Again, the pendulum has swung, just simply the way that uh the threat actors are uh getting access to and and encrypting the systems. They’re going after the virtual environments. The backups are encrypted, and then if you can’t recover, then you have to pay, right?

David: And it’s the double extortion, right? That added their ability to extract with a higher rate by saying, “Well, if you don’t pay, then we’ll also release your data.” Um, and that secondary extortion really gave them, the threat actor, uh a negotiation advantage. Man, that’s crazy. I’m glad you clarified that you never have. We haven’t either. Um, I just know of, you know, uh, perhaps shadier incident responders that, uh, found that to be an area where they could then offer help.

Alex: Well, it’s not so much that, it’s how many victims don’t even ask for help during an incident, right? They go directly to the fact they pay. They don’t even get the advantage of talking to the experts how you should deal with it and not to pay, right? So there’s a big number in the dark that we don’t even know about. We only can speak to the ones that actually come to us, right? So that’s the unfortunate part, too. So

David: That’s crazy. You know what? We really need to have uh you bring on a ransom negotiator and a lawyer and we’ll have a conversation. Uh I think that would be really really good.

Final Advice: Ask for Help

David: I know you have a time crunch coming up. Uh, Alex, do you have any uh last inspiring note or or encouragement that you want to leave with those that have or haven’t been ransomed yet? Yeah. What’s some wisdom that Alex wants to share?

Alex: I usually say the same thing when I get asked that question, and I focus again on that segment of our economy, that small medium business where cyber security is not top of mind and where they feel that uh they can’t do anything about it. But my advice here, what’s really on my mind, is ask for help. Ask people who know what they’re doing. You get a better ROI. Even if you get a small managed security services provider to help you with that, the cost is cheaper. Yes, we always say the cost is cheaper to do it proactively than to pay a ransom later, right? So really my messaging: ask for help. Ask the experts. You get more for your money than if you do it yourself, or you pay less before than you would have to pay after the breach. So that’s really my messaging that I have.

David: All right. So ask for help, pay a little bit now, don’t pay a lot later.

Alex: Pretty much, that’s… Well, really appreciate you having me on. This was a fun conversation and we talked about this before. We can probably talk for another two hours, but uh

Conclusion

David: Yeah, we sure can. It was a pleasure being

Alex: and likewise

David: and I look forward to our next project together, Alex. You’re a real uh fun guy to uh work with together. We see eye to eye here. Our mission is to uh protect people and that’s what we do and you do the same and so it’s nice working together and we’ll catch up with you again real soon.

Alex: Sounds good. Thank you so much.

David: Bye-bye.

(Outro Music/Voiceover)

Voiceover: The Defender’s Log requires more than a conversation. It takes action, research, and collective wisdom. If today’s episode resonated with you, we’d love to hear your insights. Join the conversation and help us shape the future together. We’ll be back with more stories, strategies, and real world solutions that are making a difference for everyone. In the meantime, be sure to subscribe, rate, write a review, and share it with someone you think would benefit from it, too. Thanks for listening, and we’ll see you on the next episode.

The post TDL 008 | Defending the Frontline: Ransomware, AI, and Real-World Lessons appeared first on Security Boulevard.