Episode 7: Hacking Through The Snow
Hello, and welcome to What the Heck is a CISO. This podcast will help you in your journey to be a better cybersecurity leader. It's supported by AWS, the world's biggest cloud company, and Sysdig, the company on a mission to make every cloud deployment reliable and secure. I'm Rayna Stamboliyska, an EU digital ambassador and the CEO at RS Strategy. In this week's episode, I'm talking to people who track the security industry every day.
Rayna Stamboliyska: They look at the latest developments and search for upcoming changes or trends that will affect us every day. So what caught their eye in 2024, and what lessons can you learn heading into 2025? So on today's episode, I'm super happy to have Geoff White. Hi, Geoff.
Geoff White: Hi there.
Rayna Stamboliyska: So you're an investigative journalist covering security, scams, and the Internet, and your latest book, Rinsed, covers money laundering online. We also have with us Kate, Kate O'Flaherty. Hi, Kate.
Kate O'Flaherty: Hi.
Rayna Stamboliyska: So you're a freelance journalist covering security for IT Pro, Wired, Forbes, and many others. And you track IT security for businesses and for consumers, which, thank you for this, as a consumer.
Kate O'Flaherty: You're welcome.
Rayna Stamboliyska: Last but never the least, Dan Raywood. Hi, Dan.
Dan Raywood: Hello.
Rayna Stamboliyska: So you're a freelance writer and part-time editor for SC Media UK, and you cover everything from nation state hackers to major data breaches and regulatory changes. To open up our conversation today, I want to ask you: what was the most important story of 2024 you worked on? And I have one caveat for you. You can't say it was CrowdStrike. So let's start with Geoff.
Rayna Stamboliyska: What was it for you?
Geoff White: Thanks, Rayna. I mean, for me, the standout from this year has got to be the LockBit takedown. This was, obviously, as your listeners will probably know, you know, the world's largest ransomware gang breaking into organizations across the world, scrambling their data, demanding a ransom to unscramble the data, and threatening to leak organizations' data if they didn't pay the ransom, which is sort of classic double-dip ransomware behavior. The reason this is significant is that there's two reasons, really. Firstly, I think that ransomware is an underestimated criminological phenomenon.
Geoff White: Even among the general public, among criminologists and lawyers, they just haven't really realized quite how remarkable ransomware is. For my money, and it is all about the money, this is the first truly at-scale global significant crime wave. Previously, criminals could operate globally if they had, you know, accomplices working in different countries. They had to scale their network. You could look at something like the mafia as a model.
Geoff White: But even the mafia never managed to get the global reach that ransomware has done. This is everywhere, every country, all at once. And it's an incredibly devolved and federated industry. You've got multiple people working on these ransomware campaigns, spreading the stuff, infecting victims, working together. It really was.
Geoff White: It was sort of the high point, I think, of kind of online crime. And last year, ransomware had its first $1,000,000,000 year. You know, the ransoms paid added up to at least a billion, probably a lot more. LockBit was a leading force in this. The National Crime Agency started working with various partners in Europe and in the FBI to take down LockBit.
Geoff White: And what was remarkable was the way they did that. They didn't just target the gang. They understood that a large part of what made LockBit successful was its brand. You know, the idea that you could sign up as an affiliate, pay, I think it was about a Bitcoin, and you could become a ransomware affiliate. And you could start making money out of ransomware-ing people.
Geoff White: But in order to make all that happen, the guys behind LockBit had to tell you, look, you can trust us. We are a trustworthy gang. We are gonna pay you. Our software is super effective, super easy to use. So join up with us and we will make millions together.
Geoff White: That's a brand. It was being sold as a brand. And the affiliates signed up to this brand. So the NCA went after it and decided they were not just gonna try and take this gang down. They were going to try and damage the brand itself.
Geoff White: They were going to destroy the affiliates' trust in the man behind LockBit, the famed LockBitSupp, who was the LockBit support, the administrator behind LockBit. And they did exactly that. They took over the gang's infrastructure, took over the gang's own website, and started using it to publish on the dark web details of the gang, including the identity of the person behind it, who they claim is a chap called Dmitry Khoroshev living, perhaps unsurprisingly, in the Russian Federation. So it really was an absolutely remarkable takedown from all sorts of different directions.
Rayna Stamboliyska: It's an interesting conversation around brand, right, because, and I think we can get back to it later on, the brand safety aspect is very important, right, in the fallout, because they tried to dismantle it. But then again, things didn't go exactly as planned in terms of brand. Let's get to it a little later because this is something that also concerns defenders, how they approach the weight of a cybercriminal brand. And, Kate, how about you?
Kate O'Flaherty: I mean, what I thought was interesting about the LockBit takedown, and maybe this is just from a journalistic point of view, was just the nature of how it happened and how the law enforcement actually kind of played them at their own game. And they doxed all the members of the gang, and they all received these messages. And I found that whole thing quite amusing. So it's quite a great story in itself, isn't it? And, yeah, this whole operation that they were running is just absolute madness, really, that it's able to take place with these ransomware-as-a-service operations.
Kate O'Flaherty: But I guess the other question is, is LockBit really dead? Because so many kind of other people popped up in their place afterwards. So from a defender's perspective, it's very much like you can't just rest now, you know, the biggest affiliate and gang is gone. It's something that, you know, still should be on your minds, and maybe they haven't got rid of them completely.
Geoff White: Just, sorry to interject, Kate. It's funny you mentioned that. I'm actually, I've been messaging with the person who claims to be LockBitSupp, who apparently is Dmitry Khoroshev, who is promising a new release of a new version of LockBit, LockBit 4. And that's for a couple of reasons. I mean, number one, he wants to keep making money.
Geoff White: I mean, one of the interesting wrinkles about the LockBit investigation from the NCA side was they were obviously able to see what had happened to all of the Bitcoin transactions paid by the ransomware victims. And they were able to see Dmitry Khoroshev's cut of this, how much money he actually had. There were millions and millions of dollars' worth of Bitcoin in these wallets that was just untouched, either never got round to spending or hasn't got any plans to spend. So all of that can now be frozen, potentially recovered. So, a, he's lost a lot of his money.
Geoff White: But, b, perhaps more importantly, he's lost a lot of the trust of the affiliates because the affiliates are furious. You can imagine how annoyed you'd be. You've signed up with this guy. You thought he was super secure. He's now been identified.
Geoff White: You potentially are gonna be identified as part of it. So Khoroshev's got this interesting task now. He's gotta get back on it. He's gotta regain his place at the top of the tree, if only for his own safety, so the affiliates in Russia don't come and chop off his kneecaps.
Rayna Stamboliyska: This is a very likely image of what it could look like.
Geoff White: We are talking about Russian criminals who are doing this in Russia, the same country where he's based. There's a strong likelihood they will find him because they know exactly where he is, and they will take him apart. So, look, if he's still messaging me, maybe he's still alive, but he's got some risks to conquer there.
Rayna Stamboliyska: Or he has a very active and performant executive assistant, which I wouldn't be surprised. I mean, he's the CEO, right, of something that handles really a lot of money. But, yeah, thank you for this. Kate, how about you? I know from previous conversations, you mentioned something about China.
Kate O'Flaherty: Yeah. So what I was interested in over the course of this year, really, is the growing threat of China. China's already been a threat for quite a long time, and quite a major threat as well. But I think it's just the way it's been spoken about so publicly, the biggest example being towards the beginning of the year when the then defense secretary, Grant Shapps, came out and said China was responsible for the hack on the MOD and that this was something, you know, we needed to be dealing with. I think that that kind of brings us very much to the present moment as well, where we've got a lot of accusations being thrown at the People's Republic of China and a lot of stuff being said about the election interference.
Kate O'Flaherty: And, actually, specifically, China hacking the telecoms networks, which again has been something that we've been talking about for years. It's not really been proven or spoken about outwardly by the security agencies, but now there's very much a focus. Right?
Kate O'Flaherty: China is attacking us. They're stealing IP, which is one of the things that China has always done, and they're a big threat to us. So, yeah, I'm finding that very interesting, more from the point of view that it's being spoken about so much. And, actually, I received a press release this morning, funnily enough, from CrowdStrike talking about a new group that they've been tracking called Liminal Panda, and that is a state-sponsored Chinese adversary that's targeting the telecom sector. So, all very apt, all very current, and interesting as well.
Geoff White: I find it really tough covering the Chinese stuff. I don't know about you, Kate, but, you know, with a lot of the sort of stuff I've done around North Korea and Russia, there were these big sort of US indictments. They're quite noisy. The gangs leave a lot of traces. The security companies have a lot of detail.
Geoff White: It's interesting. I find China quite difficult to cover because a lot of its behavior is very stealthy. It's quite well disguised. And it's, I don't know how to put this. It's quite boring.
Geoff White: It's like, it's classic espionage. So it never, you know, they never do the crazy stuff that the North Koreans do. So I'm really glad that you cover this so much because I really feel like I should be doing more on it, but I kind of, I find it really difficult to get a juicy story to do with China. It's peculiar.
Kate O'Flaherty: Yeah. I know what you mean. I mean, I find it really interesting on the espionage side of things because it all fits with the whole spy stuff that we've been all covering for so many years. And I guess that fits quite well with Russia as well, who is very much involved in that.
Rayna Stamboliyska: Dan, how about you? What tickled your fancy this year?
Dan Raywood: Well, lots of things do interest me. And I think, yeah, both the things that Geoff and Kate have been talking about have been very interesting, and CrowdStrike, but we don't have to talk about that. I think just to follow up on the points there about nation states, I've always been very interested by the sort of the attribution side. Who actually cares? Does the average CISO, are they really that bothered about who's attacking them?
Dan Raywood: Or is it more about, a, how do you stop them? And, b, you know, what have they nicked, and what can we, you know, stop them doing with it? But the story that I think really actually caught my attention from 2024 actually broke around mid June, actually, or very, very early June, and it was to do with a company called Synnovis, S-Y-double-N-O-V-I-S. And what I think was particularly interesting about this is this was a supply chain attack. So this isn't new.
Dan Raywood: You know, I've been writing about supply chain attacks since the attack on RSA back in 2011. And, obviously, we can look at SolarWinds as the other notable one of recent years. What was interesting here, this was a company that was, I believe, formed as part of an NHS Trust in Southeast London, supplying, can't remember exactly what they supplied to them, but it was some sort of data anyway, or collecting data.
Geoff White: It was sort of testing services, wasn't it? Yeah. Synnovis, they did blood testing and stuff. Yeah.
Dan Raywood: I knew it was something with blood. Yeah. And somehow they were attacked, which then impacted these NHS trusts in southeast London. And I think the few things that really caught my attention and kept me writing about this right through till September, actually, number one was, you know, we've all had eyes on NHS security or health care security probably since WannaCry in 2017, I think that was. Yeah.
Dan Raywood: We can talk about all the different aspects of health care security. It was someone almost actually directly impacting an NHS trust. Whether that's what they were after, we probably don't really know. We probably won't know. What I did find very interesting was that Synnovis did tell you they had data stolen.
Dan Raywood: They confirmed this was legitimate. And it's all happening within days of it happening. I think the first story broke about the 3rd of June, which for those of us in the UK was right at the heart of Infosecurity Europe, and we're all quite busy anyway. Within about two weeks, they'd confirmed that this data stolen was legitimate. Then there was a $50,000,000 ransom demanded from Synnovis.
Dan Raywood: Literally, the next day, 21st June, data was leaked. If anyone remembers, I think it was the Post Office, where they demanded 800,000,000, saying you can afford it, and it's like, no, we can't. And the other thing about it, it was sort of about a month ago, the ICO put a statement up saying it's really time we started protecting more vulnerable individuals.
Dan Raywood: Not worrying about data breaches being numbers and statistics, more about the people who are impacted. So for me, that's why Synnovis actually was a really, I like a good ongoing story, something not, you know, kind of one and done. And there's been some really good stuff this year and, you know, LockBit. I was at 44CON, the British cybersecurity conference in, I think it was September, October, and they had the NCA talking about how they had an out-of-control version of LockBit. These stories that keep on giving you kind of more and more, you know, CrowdStrike, yes, there was a lot.
Dan Raywood: And literally, like, as we record today, there's been some research come out saying the impact of CrowdStrike has led people to be more resilient in their preparation. But think about Synnovis. I think supply chain stories, well, there's so much more to learn and uncover, and I don't think we're probably done with it yet. I think we'd need to know who did it and why they did it, and were they typically targeting Synnovis or the trust. But for me, that's the one that really stood out, particularly in the last six months anyway.
Rayna Stamboliyska: This is super interesting because, like, a few things that you said really spook me, in a good way. Right? So one thing is that we, operationally speaking, don't necessarily always care about attribution. Right? In the way that it's not necessarily something that we have the means to act upon in terms of, you know, my company is a Chinese target, so what do I do?
Rayna Stamboliyska: You know, so it's an interesting point you made there saying that perhaps a lot of cybersecurity leaders don't care about who the culprit is, you know, as long as they are not targeted. So this is one thing I find very interesting because we talk about those things on social media and so on and so forth and on panels about geopolitical tensions and whatnot. But I'm not sure, and you're right there, how much this actually impacts on everyday cybersecurity strategy decisions. And you mentioned something that I also very much care about, which is following on those stories, you know, because sometimes you get just the news about stuff. And then now what?
Rayna Stamboliyska: Are we done? Was there something, anything done there? Or, like, we need closure in a way, you know. So how do you do that? How do you work on that?
Rayna Stamboliyska: And what I mean also here is that, again, we are talking about you interacting with people who are not necessarily super happy disclosing information to the media.
Kate O'Flaherty: Can I just say as well, living in Southeast London myself and being directly affected and knowing people who are directly affected by this attack, the way that it was communicated through the, kind of, the medical profession is that this company, or the blood test company, they called it, was under a ransomware attack. And that was months after it had happened, and the blood tests were still not available. So there were people, there were elderly people in this area who were waiting for almost emergency blood tests, not so much so because they did have an emergency blood test thing set up. But the point was that the education around this was, this is an ongoing attack that's still happening, and they can't do the blood tests for now. I mean, that is insane that that was happening and that the NHS was using this company.
Geoff White: I find it quite interesting looking from the attacker side of how this works, because one of the things that's interesting for me about ransomware and the affiliate model is that you've got a range of individuals who are affiliates. Some of whom are, like, top drawer, very experienced cyber criminals. They will go after, you know, big FTSE 100 companies. But some of whom are just frankly numpties who signed up to a ransomware gang because they wanna make a bit of money. I interviewed a primary school in Derbyshire who'd been hit by ransomware.
Geoff White: Now obviously, at a primary school, they've got no money and they're not going to pay. So whichever affiliate hit them was a complete idiot, never got any money, and wasted their time. So you've got this range of people and they're trying different things because all these affiliates are trying to make a bit of coin. What I find fascinating about the Synnovis attack is, as I understand Synnovis, it's a private company, but one of its major sort of investors or backers is an NHS trust. So it's in this interesting crossover space between public sector, you know, NHS, who will not pay.
Geoff White: And the message, I think, has gone out. They don't pay, hospitals are not supposed to pay. But Synnovis is sort of a private company. So I wonder whether the logic from the affiliate was, okay. We're not hitting a hospital here.
Geoff White: We're hitting a company that supplies a hospital. So that's fair game. We can't be accused of hitting a hospital. And, b, maybe they're not covered by the NHS policy that we don't pay. So maybe they will pay the ransom.
Geoff White: And, also, because they were supplying to various hospitals and, as Kate said, GP surgeries and so on, we're affecting multiple targets with one hit on one supplier. So I thought it was quite a smart attack. I think it was the Qilin ransomware group it was attributed to. It's quite a sort of smart attack because you can see they were thinking maybe this will work. Maybe we can get a ransom out of this.
Geoff White: But, as I understand it, no ransom was paid, which, of course, feeds into Kate's point. You know, you don't pay the ransom. You don't get your data back. If you've not got a recovery plan in place, you get hosed for months. You know, it's bad.
Rayna Stamboliyska: Yeah. I'm not sure we can still claim that there is honor among thieves. More of a business optimization decision.
Dan Raywood: It's good to have a story with multiple facets as well. Like I say, it's a supply chain attack. It's ransomware. It's health care security. And also, I think it was just, I think, like, you know, Kate said it was good communications, that we were getting statements quite regularly from NHS England, I believe, or NHS Direct.
Dan Raywood: So we have lots of things to work with. Well, I had a lot of things to work from, from my perspective. Like, you know, we always keep the story running. And I think we'll probably get later on to things that kinda are gonna be happening or predicted for the future. Ransomware is kind of this persistent thing that we don't seem to have any kind of way of stopping.
Dan Raywood: We've had various projects happen over the years like No More Ransom. But, ultimately, it's still a pretty easy way for people to make money, like Geoff just said. People can get on board with this. There are ransomware-as-a-service kits available if you know where to get them. And I think that's probably something we need to still consider, is how do we actually get beyond this problem or over this problem.
Rayna Stamboliyska: It's interesting that you mentioned the regular press releases. So you all cover, one way or another, our message, and success is building cyber resilience. You know? And, again, how have you seen CISOs and cybersecurity leaders more broadly adapt their communication strategies when discussing such major accidents?
Geoff White: I'd be surprised, Rayna, if, I don't know whether CISOs do have a part in the communication. Do they? I mean, that's handled by the PR department, is it not? Eventually, I don't know. I don't know.
Geoff White: How much, how much do you have?
Rayna Stamboliyska: It really depends. Like, for clients I've worked with, I help them just put up some templates and things to just, you know, not waste time, because the problem when you're managing a big incident that is borderline transforming into a cyber crisis, you know, a crisis of cybersecurity origin, is you just can't handle the PR stuff. Have you talked to, like, in private, or have you seen in, well, outgoing communication from affected companies, places where the CISO or the, you know, the person, the director for cyber or whatever their title is, actually is mentioned or takes an active role in that sort of communication? Have you seen that?
Dan Raywood: I think the problem is, a lot of the time, and I found this in past experiences, that the CISO is reluctant to speak on behalf of their company. So I saw an example from many, many years, many jobs ago for me, before the London Olympics, to date it, actually. I had the CSO of TfL speaking at a conference of the magazine I worked for at the time, talking about what a pain the Olympics were for infrastructure. He didn't realize he was on the record despite speaking at a magazine conference. I wrote something up, and he said to me, like, the problem is, I stand by what I said.
Dan Raywood: The problem is it's my view and not the, and you put the sort of the slap of whichever company it is, be it Synnovis, be it, you know, TfL or whatever. And as soon as that person speaks, they represent the entire company. And, you know, it's not like the NHS. You're talking about, what, not tens but hundreds of thousands of people. If they come out going, yeah, we're vulnerable to ransomware, that one person, and, you know, the likes of us three kinda go, oh, great.
Dan Raywood: Source. Let's talk about that. Look at the Thames Water thing. I mean, The Guardian contacted Thames Water, who dismissed all these claims about a catastrophic potential cyberattack. But a source did say that their infrastructure is crippled, or whatever, IT infrastructure.
Dan Raywood: So that's often the problem I find, is that a lot of CISOs are quite reluctant to talk, and those who are talking, it's either part of their role to talk to the media, which is great, or they're, you know, the kind of consultants, and they have the wide overview of what's going on in all of IT with different clients. So you have to kind of pick your targets quite well, from my perspective, about who is gonna say one, who is able to talk.
Rayna Stamboliyska: Yeah. It really differs from organization to organization. But how do you feel about getting, like, an email that it was a highly sophisticated attack?
Geoff White: Well, this is the thing. You know, we're dealing here with victims of crime. You know? That's why I'm obsessed with the criminals and what they do, because they're the ones to blame. They're the ones doing the crime.
Geoff White: The problem is, because a lot of these crime types, and again, looking at this from a criminological point of view, these crime types are new. You know, somebody gets attacked in the street and robbed for their money or beaten up, they're a victim of crime. We're very used to that. What's still difficult in cybercrime is this thing of, well, when is blaming the victim legitimate? Because sometimes there are companies that were just an absolute basket case that did not spend enough money on security and, you know, they got hit and fell victim because they just didn't defend themselves enough.
Geoff White: I guess the analogy would be, you know, if you get burgled but you left your front door wide open in the middle of the day with a big sign on it, you know, we can say, well, actually, no. Come on. You're asking for it. But if the door was closed but not locked properly, you know, we're trying to work our way through when it's legitimate to blame the victim, when the victim has been so negligent, particularly with an organization as opposed to an individual, that you can say, no. Sorry.
Geoff White: You don't have a defense here. You're the victim of the crime, but, you know, you made it so easy for the criminals. We can actually attach some blame to you.
Kate O'Flaherty: I don't think people help themselves when they continue being silent following a cyberattack at all. And if you look at, like, the Royal Mail cyberattack, it was 2023 now, wasn't it? Initially, there was just this radio silence, and people become very suspicious. And then when they do speak, people are annoyed, especially, you know, if you're a client or a third party who might be affected by the breach. I do think people are learning from this more recently.
Kate O'Flaherty: I think there is more of a focus on communication and how important it is to say how you're affected, who was affected, and how that might be impacting people, especially when some victims are, and I'll call them victims in this case, if it's, say, you know, people are getting attacked all the time. You're going to fall victim to a cyber attack. That's just a fact. But there are people who will then put up a website with some advice for clients on it. This is what you should be doing.
Kate O'Flaherty: Watch out for phishing emails. All of that stuff is really appreciated, and I think it really improves your brand reputation as a result.
Rayna Stamboliyska: What you perhaps don't see, because it's not necessarily public, is that we also get all the sales emails about, oh, you had, you know, a problem with XYZ vendor. Our product is way better. And if you had signed up, you know, for our product, you would never have had that problem, which is, yeah, a bit of a delicate, you know, way of doing business. But it's interesting, like, how or what stands out for you when reporting on those situations? Like, what distinguishes a good reaction, and, I mean, mainly communication here, right, and what transpires through communication in terms of coordination efforts and whatever.
Rayna Stamboliyska: What stands out for you as good communication in that sort of situation?
Kate O'Flaherty: I think it's being transparent, having a landing page with all the information that you can reveal on there, doing the reporting to the regulator, saying that you're doing that so you can show you're doing everything by the book, and saying which kind of security measures you're putting in place as a result. What have you learned so far? Obviously, you won't be in a position to do that immediately. But when you are, keep updating that, and that will really help reassure your customers so they don't get kind of these sales pitches and get stolen from you.
Dan Raywood: Yeah. Just an interesting one, from CrowdStrike again. On the day, it was a Friday as I recall, I was scrambling around in the morning trying to pick up what I could from, you know, X and LinkedIn, Reddit, all the different sources. There was no real source yet to what was actually going on. And because CrowdStrike was headquartered in the US,
Dan Raywood: we didn't really get anything from CrowdStrike until later in that day. So that was kind of, you could say, you know, that was bad on them for not having it prepared, but they're probably trying to figure out exactly the same thing, what on earth is going on, that we can go to the public and to the press and say, this is what's happened. It took a while to get that around. But, yeah, from that side, it's good to have that preparation to sort of know how you do crisis communication. I think a lot of PR companies will probably be good to advise on that sort of thing.
Geoff White: I mean, for, yeah. From my perspective, knowing what the hell happened in as much detail as you can and not putting out sort of blanket statements about a sophisticated attack. So what actually happened? What are we dealing with there, to the extent that you know it? Because journalists like us are gonna ask some quite gnarly technical questions about this stuff.
Geoff White: You know, be armed with the facts of what happened, to the extent that you know them. What is your plan? What are you doing? How are you gonna put this right? And thirdly, most importantly, sort of who's feeling the pain, and understand, you know, understand the pain they're feeling, you know, in the MOVEit breach.
Geoff White: I'm a freelancer. I freelance for the BBC, for example. The BBC was one of the victims of the MOVEit hack, this piece of software that moved data around. And the BBC sort of emailed us all and said this could include your physical address. Well, I cover organized crime, North Korean hackers.
Geoff White: My physical address being out there is very, it's a red line event. As in, do I tell my family, stay away from the home, and I leave? That's what we're dealing with. Is it this point where my address is out there and I can't go home now? I have to stay away from home.
Geoff White: Right? Now, brilliantly, in this case, I phoned up the BBC. And because it's a big sclerotic bureaucratic organization, I said, look, what address have you actually got on file for me? And they didn't have my current address. They didn't even have my previous address.
Geoff White: They had my address from two addresses ago. So if any dodgy organized crooks turned up at my house, they would have found a very bemused homeowner who's not me. But, you know, this is the thing. You've got to feel the pain that your customers and the people affected might be feeling and get on their level and, you know, work with that.
Rayna Stamboliyska: How do you decide what needs to be reported? I remember, you know, things in the beginnings when we used to do fact checking and, you know, fighting against disinformation. How do I decide what I fact check publicly? Like, if it's something that's on Facebook and it's been seen, like, by 500 eyeballs, but if it ends up on the BBC or on the Le Monde website, it will be seen by way more than 500 eyeballs, you know? But is it something worth debunking, or is it just giving more visibility to BS, you know, to, like, things that are undeserving of attention and of publicity?
Rayna Stamboliyska: So how do you decide, like, how do you kind of, what are the trade-offs you make there in terms of time sensitivity, in terms of, you know, while also criticality for the people affected?
Dan Raywood:It's a tricky one. I've been asked for many years, you know, how do you pick the stories that you cover? I do news content for SC UK. And, yeah, you get a lot of stuff come in under embargo. You know, you sit on it until the day, and then you can look at it and go, okay.
Dan Raywood:Is there a decent angle here? A lot of it's survey stuff, so you write on it as, like, a news and brief, you know, 2 or 3 paragraph stories. And, yeah, some of it can be a little bit filler. There's no there's no doubt about that. You you you've got an eye for kind of what's gonna make an interesting story.
Dan Raywood:So, for example, on the the day we're recording, like, Apple put a couple of patches to 0 days. That's a pretty big deal for quite a lot of people. But at the same time, yeah, I've just been looking if we've probably got on this call, there's, like, you know, FIO, FOI stuff coming from the Scottish Parliament about cyberattacks. I mentioned the Thames Water thing. I guess you develop a a sense for what is gonna be attractive to people's eyes if we're 20 years or one term.
Dan Raywood:What are people gonna be interested in? And at the same time, you know, you converse with people, you know, you listen to stuff, you you read stuff, you think, okay. Let's pick an angle out of this. You know? Is there something here that's interesting?
Dan Raywood:And then, you know, I would go and talk to some contacts. You know, you talk to a couple people going, you know, do you think this is interesting? 9 times out of 10, I'm pretty much on the mark. Sometimes they go, no. This is nothing, and you sort of shelve it.
Dan Raywood:I was working on something actually, which is currently on the shelf. And the reason why is because a number of other companies won't really talk about it, but it needs a kind of industry response. But, yeah, I think over time, you do kind of build a concept of what people are interested in. And, I think, yeah, actually, Geoff, well, I listen to your stuff. I read your stuff.
Dan Raywood:And I think it's from your side, yeah, what do you know what people are interested in?
Geoff White:Yeah. It's a good question. I mean, I'm intensely aware that I'm sort of I'm not on the kind of day to day news beat. And I miss a lot of stuff. I mean, the Thames Water stuff, frankly, I had no idea about.
Geoff White:And I kind of there's a lot of stuff that sort of passes me by. And that's one of the things it's one of the compromises you have to make when you're sort of doing longer term stuff is you miss a lot of the day to day stuff. And you just have to watch stories slide by that you really want to look into, but you just don't have time to do all of it. So what I'm looking for is to tell as much as I can the entire story from beginning to end. So something it's gotta be something significant.
Geoff White:It's gotta be something that affects lots of people. There's got to be victims and villains because that's what makes a story. That's why Star Wars is successful because you got Princess Leia and Darth Vader. There's got some heroes. You've got some have some Luke Skywalkers in there.
Geoff White:And for me, it's gotta have a kind of global significance. It's why things like North Korea and stuff done around Russia and money laundering and financial crime. You know, it affects lots of people, but you're trying to tell the entire story from the single victim who, you know, lost their life savings. Spoke to somebody the other day who lost $740,000 to romance fraud. And then you trace it all the way back to ideally the villains.
Geoff White:I actually spoke to one of the people who who was carrying out those kind of frauds who may well have been the person who was defrauding him, you know, on dating apps. So you're trying to sort of tell the whole story from beginning to end and really put it in context. You know, for me, it's yes. There's loads of ransomware happening, but why? Like, who are the people behind this?
Geoff White:What's the dynamics behind that? What why is this thing happening? And that's what I try and do is take a step back and try and tell that story beginning to end. But yeah. I mean, the thing is, Dan, if you pick the wrong story, you might spend a day wasting your time chasing it down.
Geoff White:If I pick the wrong story, I can spend a year and then at the end of it, I have nothing. So, I'm not sure whose life is better actually from that perspective.
Dan Raywood:I remember, many, many, many years ago, early part of the last decade, someone put, like, a hoax research paper out about why Internet Explorer users aren't very bright or something like that. And a lot of people wrote it up. I didn't, not because I'm smart. It's because I was so busy. I just didn't get around to it.
Dan Raywood:And by the time it came around, there was a hoax. I was like, never mind. So I'll just strike it off my list of to do, you know. So, yeah. I mean, you don't you don't see that so much anymore.
Dan Raywood:I think back in the, I often point to the fact that Edward Snowden, I think the Edward Snowden story, that for me changed a lot of things. So all of a sudden, you know, his representatives or Glenn Greenwald, you know, they contacted certain journalists to sort of say, do you wanna write about this? Now they contacted Kate and Geoff, but not me, so that's fine. But do you know that's genuine? You know?
Dan Raywood:Does Geoff know this is a phishing? Is this someone trying to scam him? Is someone trying to hoax him? Or is this the next Edward Snowden coming on as the whistleblower? I think you gotta be quite careful, you know, because a lot of the time back then, that was probably happening.
Dan Raywood:Now I don't think it happens so much. I don't think people are trying to, you know, we've certainly got our enemies in the world as journalists, but, I think for people to try and make us look silly is probably not what we're getting so much in cybersecurity.
Kate O'Flaherty:I don't think they need to convince journalists to write fake stories anymore, though, because they're everywhere anyway. And people are saying they're thinking that they're more real than our stories because they're not trusting the mainstream media. So, you know, that's how bad things have got, isn't it?
Geoff White:Yeah. Yeah. They could publish themselves, and if they've got a decent Twitter following or, you know, Instagram following. Funny if I get emails every now and again and messages every now and again from people who come to me with an amazing story and whistleblower. And there's one thing that connects them all together, they're all completely mad.
Geoff White:I can guarantee if somebody pitches me a story, oh my gosh, I've got this huge exclusive for you, it's either a PR who's just lying or it's somebody who's a complete fantasist. So in a way, it's easy to filter that out. I do my own work.
Geoff White:Like, I find the story and I investigate it. It's very rare somebody comes to me with something that turns out to be worth its salt.
Rayna Stamboliyska:From friends at CSIRT, especially national CSIRT, you know, national agencies, they get the same type of emails that are completely phantasmagorical, you know, about new whatever masonry stuff, you know. So you're not the only one, and I empathize with you about this. So let's look to the future, 2025. We have a lot of emerging threats that we can discuss. But what topic, more specifically, not necessarily a specific threat, but what topic do you think that security leaders should care or will care?
Rayna Stamboliyska:I mean, if you have a crystal ball, please do use it now. We'll be, you know, eternally thankful for this. What topic do you think those security leaders need to take care of in the next 12 months?
Kate O'Flaherty:I think AI is going to be a really big issue, really, from a data privacy perspective as well because not just, you know, the capabilities of AI and what generative AI can do and how it makes creating malware easier for kind of operators and attackers, actually, because of what users are doing with it. So not only could they be using something that is flawed in itself, but they're putting company data into things like ChatGPT, which is a massive business risk. And the scale of it and the scope of it is, like, so wide that it's very difficult to control, I think. So companies, you know, they can have policies, but are people gonna listen to that? Are they just gonna be chucking all this, like, valuable company IP into ChatGPT?
Kate O'Flaherty:Even if it's just to create some code or something like that, because you're just not going to think about the little intricacies that could be violation of data protection. So I think that's gonna be a really big deal. The other thing that I would say as well is just as a kind of aside but not is passwords authentication, multifactor authentication, and kind of the end of passwords, I think, is going to be quite a big deal. And since we're already seeing people trying to end passwords, we're seeing the emergence of security keys and passkeys and kinda more and more of these and people like Google insisting that these need to be used and Microsoft as well. But, also, some new guidance came out from NIST in the US or updated guidance, I should say, which was that we shouldn't be making people create new passwords every 12 months, which I was surprised this was even a thing now, but, apparently, it is.
Kate O'Flaherty:And, actually, speaking to people that I know who aren't so much, you know, in the industry, they do have to change their passwords every 12 months. I'm freelance, so I just do 3 months. Every 3 months. And it's crazy. And a lot of these apps are kind of actually conditioned to do that, aren't they?
Kate O'Flaherty:Or is it just IT departments that are doing that? But either way, it's just insane and completely needless and just makes things less secure. So I'm against that.
Rayna Stamboliyska:You're right to point out the AI thing. To me, it looks way more like shadow IT of a slightly different flavor. And I would throw in there all the low code, no code things that people build for their own productivity, but in the workplace. Right? With company data, be it, you know, strategic assets or personal data, it doesn't matter.
Rayna Stamboliyska:It's not supposed to be going to whatever external apps out there. And from recent discussions with global companies, they are seeing this coming in more and more. Right? So, yeah, thank you for highlighting this.
Dan Raywood:The thing that I believe still drives practitioners and CISOs that are in the cybersecurity world is regulation. That's part of governance, regulation and compliance, GRC overall. But I think that the regulation compliance side is still just the biggest thing because I saw some research actually as we're recording today about how many people weren't sure if they needed to be compliant with NIS2, which came out, like, mid October, or the deadline for which was mid October. And then in January coming up, it's DORA compliance as well. I don't know how much is known about these things.
Dan Raywood:I was writing about GDPR from when it was kind of first given the kind of the concept really back in the early 2010s. We got a lot of attention, a lot of coverage because people were asking questions about this, and people were aware it affected them. But I think that with DORA and NIS2, and there's probably tons of others that I haven't really become aware of, I don't know how much businesses know about this and know what they need to do, but these are things they need to be in line with.
Rayna Stamboliyska:From the ground, the panic is starting to be felt. And excuse the passive voice. It's not very elegant, but it's, like, the most subtle I can come up with. And it's not super reassuring because we're sort of past the deadlines, right, for a proper preparation and for a most like, a more sustainable approach to doing something crazy, which is, you know, being on the right side of the law. Yeah.
Rayna Stamboliyska:The panic is here, and it's real.
Dan Raywood:I think it's good for the auditors and the consultants who are the ones who can help you with that. That's the place to go. But I think for the practitioners, it's a bit of uncertainty.
Rayna Stamboliyska:You're right. Geoff?
Geoff White:Yeah. Interesting. Looking ahead, I'm gonna be potentially quite controversial about the AI threat in cybersecurity. I think it's being massively overhyped. Yes.
Geoff White:Hackers are using AI. You know, they're using it to tweak malware. They're using it to do target reconnaissance. They're using it to improve their phishing emails and phishing messages. But that's kind of the same sort of stuff I'm doing with AI where I'm doing what I was doing normally.
Geoff White:But every now and again, I think, oh, I could use AI to make this a bit easier and do it a bit quicker. That's being matched by the sort of explosion of AI developments on the defensive side. So cyber defenders have always used what we used to call machine learning and now call AI. So I think, you know, it's quite a boring summer. I've been looking for the exciting story and it's actually quite boring what's going on in AI and cybersecurity.
Geoff White:It'll make a difference but then on the attack side and on the defense side. So you probably come out even is my estimation of it. I think where it is gonna make a massive difference is on the fraud and scam side. It's already having a huge impact on that. Fraudsters and scammers live in a world where they don't want to know what's real and what's not.
Geoff White:That's the nature of fraud. Artificial intelligence and the deep fake area of artificial intelligence is playing perfectly into that. What is already a pandemic of fraud and scams is going to turbo boost that. And I know a lot of cybersecurity people think, well, that's fraud. It's not really me.
Geoff White:It's like our compliance guys. You need to understand that's still a threat to your business, and they're gonna also use cyber means for that. They're gonna use phishing emails. All the stuff that cybersecurity does is gonna be impacted by that explosion in fraud, thanks to the use of AI. So if you're not already in touch with the compliance and fraud type people in your organization, get in touch with them.
Geoff White:Know who they are. Start talking to them. Because frankly, if the organization gets taken down by a massive scam and you were the cybersecurity person, say, well, that wasn't really meant to do with me. It doesn't matter. Your company is toast.
Geoff White:You all need to defend it. It's a global sort of issue. And it worries me. It worries me that cybersecurity doesn't think that fraud and scams are its problem. They are, and they're a problem to your business, an existential problem potentially for your business.
Rayna Stamboliyska:No. That's very true. I mean, and we've seen, especially in the past year, convergence between different types of scammers. I like your beat about the scam stuff, and I'm following a few on my own for clients as well from Southeast Asia. You have those scam centers, you know, where people get kidnapped to do financial crime, right, to do pig butchering.
Rayna Stamboliyska:That's what we call it. And, those are, like, the fake investments, you know, either in crypto or whatever. You know? But it's also quite a lot of romance scams because, again, financially, it's very interesting. And on the other side of the globe, we've seen, you know, traditional scammers who are very good at social engineering, who were very prominent also in romance scams, start perusing and doing pure learning about how you do live stream deep fakes so that people get actually scammed literally in real life.
Rayna Stamboliyska:And now those 2 sort of streams of pain are getting together. And if you combine, you know, a massive, in terms of volumes, operation, like those scam centers in Southeast Asia that, by the way, mobilize trafficked people to do those scams. If you combine that huge volume with the know how of people who have been honing their skills both on the technology and on the social engineering side of things. I don't know how this is not one of our most crucial problems today from a company, but also from a personal point of view, but especially from a company point of view because we're talking still a lot to businesses. Now that I've depressed everyone, do you have a one sentence conclusion about the future, a recommendation to our listeners on something that is really close to your heart that you want to get through to them?
Rayna Stamboliyska:One sentence.
Kate O'Flaherty:I know Dan mentioned earlier about iOS 18.1.1 coming out. So to that end, I'd like to say, make sure that you're looking out for vulnerabilities in your product and that you're patching them as soon as you can and applying any mitigations because attackers are constantly taking advantage of vulnerabilities in software, and we're seeing that a lot this year. That's a long sentence. Sorry.
Geoff White:For me, it would be about going back to that point I made, you know, you're in the security business. Yes. Cybersecurity is part of it, but try and look holistically at the business. You know, what's the organization you work for? What do they do?
Geoff White:How might they be targeted? What's the worst thing that criminals can do in terms of attacking the business? And try and feel that you're part of that larger piece around security. It's quite easy, I worry, to get so siloed into cybersecurity.
Geoff White:I do this, but I don't do that. And I know that nobody wants more work and more responsibilities and stuff. But ultimately, you know, you are part of this bigger organization. Criminals do not see the organization they're attacking in terms of, oh, I'll attack the cyber part or I'll attack the accounts part. They just see a juicy victim.
Geoff White:And so for the defenders inside, you need to kind of maybe lift your head up a bit and look at the horizon and sort of see this organization you're working for in the round. Again, a very long sentence, but I think I used a couple of commas.
Rayna Stamboliyska:Thank you.
Dan Raywood:I think if I was just to pick one thing, it would be just be kind of aim for resilience and survival. I know it sounds a little negative, but after CrowdStrike and after the instances we've been citing today, if that was to happen to you or, you know, you were to try and face that down again, how would you survive it next time around? Have you got the practice in mind? Have you got the investment in sort of getting back up and running again? If you were to be hit with ransomware, how would you survive it, and how would you get over that, and how would you keep on working?
Dan Raywood:So I think resilience probably should be a kind of priority for most businesses going into the next year.
Rayna Stamboliyska:Thank you. This has been wonderful. I learned a lot, and it got me thinking about too many things that I want to share. So thank you again, dear listener. What is on your mind as we head into 2025?
Rayna Stamboliyska:Any lessons that you have learned, please get in touch or comment. Read the publications that our guests write for. And if you enjoyed this episode, please leave a 5 star review where you got this podcast so that it helps others find the show. That's all for this episode of What the Hack is a CISO, supported by AWS, the world's biggest cloud company, and by Sysdig, the company on a mission to make every cloud deployment reliable and secure. I'm Rayna Stamboliyska, and I'll see you next time.