Attivo Networks Blogs

Repelling A Ransomware Attack: Tony Cole of Attivo Networks On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack

Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack? In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Tony Cole.

Tony Cole is a cybersecurity expert with more than 35 years’ experience and today is the Chief Technology Officer at Attivo Networks responsible for strategy and vision. Prior to joining Attivo Networks, he served in a number of executive roles at FireEye, McAfee, Symantec, and is a retired cyber operator from the U.S. Army. Mr. Cole serves on the NASA Advisory Council and the (ISC)² Board of Directors as Treasurer and Chair of Audit and Risk.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up traveling a lot and living in different locations around the United States such as Florida, Vermont, New Hampshire, Massachusetts, and California. It seemed like we moved to a new town or state almost every year. After high school, I went to college for only a year before dropping out over a lack of focus caused by a traumatic death in the family. It weighed heavily on me and, after some great advice from a mentor, I joined the Army and went into the cryptographic field. Back then crypto meant something entirely different than what most people think of today. I started out fixing and then building large cryptographic systems and networks around the globe for the military community. Then, as those systems became increasingly connected, I was drawn into the cybersecurity side of things before there was really a career for it. I also went back to school part-time and finished college focusing on a Bachelor of Science in information systems.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I was in my colonel’s office one afternoon having a discussion about my next assignment and where it would take me. After a very long run at the command, he informed me that they could not extend me on my assignment because I had been at U.S. Army Intelligence & Security Command too long. Just as I received this news, in walked another colonel who said he needed a really good leader to come help with a project that the Land Information Warfare Activity (LIWA) had started called the Army Computer Emergency Response Team (ACERT). I immediately volunteered for the position since it was local. It was either that or go overseas, and I didn’t want to move my family again. At that point, I really didn’t know much about what the ACERT did, yet that work would become the focus of the rest of my career, inside and outside the military.

Can you share the most interesting story that happened to you since you began this fascinating career?

Ever since I had been directed to start working in cybersecurity at the ACERT, it was exciting for me and I liked it quite a bit. However, I’ll always remember a major case in the Army that I worked on when I was a liaison to the FBI at their headquarters for a case meeting. We were having a meeting when Janet Reno, the US Attorney General at the time, came in and sat down next to me. I thought to myself, “Man, this is a pretty cool field. I think I want to stay in this.”

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

One trait drilled into me by the military is, “lead by example.” I once worked with a team building very remote networks in Asia. We were trying to get it done before typhoon season, so I had worked this team’s tails off. I was working hand in hand beside them for almost six months. One night, toward the end of the project, we were sitting at the hotel before heading home and one of the guys looked at me and said, “Hey, if you ever retire and start a company, I would love to come work for you again.” In my mind, I had been working them to death in a remote location with nothing to do, so to me hearing that was that was really the best illustration of “lead by example.” You gain the respect of your team by being just as engaged as they are, while always trying to take care of them.

Another example I took from my time in the military is, “try to have an open and wide perspective.” I had already spent a lot of time in the military in Europe, Asia, Central/South America when I had a young soldier assigned to my team who had a tattoo on his arm. I asked him about it once and he said, “Well, I’ll be frank with you, I’m a former gang member trying to clean up my life.” I immediately thought it would be a problem, but I couldn’t have been more wrong. He was one of the best soldiers that ever worked for me. It really drove home the need to understand that initial perceptions can be really off-target and to avoid pre-judging someone based on their background.

My third trait would be, “know your weaknesses, and understand them.” If you can’t shore them up yourself, make sure you fill any gaps with expertise from your own team. It’s important to know and understand what you’re not good at so you can fill out your team and address any knowledge gaps that exist. At my previous company, I took over a P&L without much financial experience. While I studied up, I also hired for a few directors to support me. One of the leaders I found was brilliant on the financial side and made our organization more successful while also helping me get better in this area.

Are you working on any exciting new projects now? How do you think that will help people?

At Attivo Networks, we’re helping organizations recognize new innovations that make a material difference. Cybercriminals are leveraging stolen credentials to conduct their attacks, and organizations in every industry need to recognize that identity security is only becoming more important. We developed new Identity Detection and Response (IDR) technology to help fill the gaps that exist between endpoint detection tools and existing identity solutions. This new IDR technology is helping organizations understand how to protect identities in their networks and is essential to defending against increasing ransomware and malware attacks.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?

I’ve been in cyber for most of my adult life, ever since ransomware initially appeared as “scareware.” If I haven’t been building something, I’ve been in the trenches or advising those in the trenches for almost 35 years now. I started off building the Army Computer Emergency Response Team, then regional computer emergency response teams for the military and then the Pentagon Computer Emergency Response Team. After that, I intended to retire and stay in DC, but then 9/11 happened and I stayed in longer than I planned. Eventually, I jumped into the tech sector with Recourse Technologies, which was in the honeypot business. Then I worked at Symantec for seven years, followed by stints with McAfee and FireEye. I also joined the NASA Advisory Council and a number of other councils. Eventually, I decided I was traveling too much, so moved to what was then a startup, Attivo Networks, in 2018 where I’ve been with them ever since. A great deal of my time in many of these roles was focused on building systems, advising on architecture, incident response, and technology, all around current threats which includes ransomware.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?

First, there was Scareware. It was one of the original strains of ransomware. Attackers would just have a pop-up tell someone their system was infected. Frankly, it could often be nothing more than that and was often an easy cleanup. That was the start in this area.

Next came Locker Ransomware. Some people call it Lockware. It simply locks you out and shows you a ransom demand. It was frequently accompanied by a timer as well to add urgency. But there was often nothing else behind it, the system was just locked.

Then ransomware became encryption-focused. This is the dirge we still see today. Systems are compromised, then encrypted by the attacker, and operators are locked out of them completely. An encryption key is required to regain access.

Finally, there was Multifaceted Extortion Ransomware. This is a version where systems are encrypted but attackers have also stolen sensitive data and are threatening to leak it if the ransom is not paid. This shows that they’ve stolen important information from a system that they’re going to leak. In the last case, the attackers even have websites set up in advance to leak the stolen data to the media if necessary if the victim refuses to pay the ransom.

Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?

Definitely businesses today. There’s more money in attacking a business than targeting an individual. Not to say individuals aren’t at risk. They are. However, businesses are targeted more frequently because they tend to have the revenue to pay the attacker and often the most to lose.

Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?

An organization should have an incident response plan in place tied in with their general counsel, C-suite and incident response (IR) team. If they can afford it, they should also have an external incident response team on retainer that they can bring in for the necessary expertise, especially if they don’t have these capabilities in house.

The most important step is to activate the incident response plan and bring in that expertise, usually an external contractor that does incident response for a living. They are contractually paid by you and can provide advice on what’s best for the business.

Then engage law enforcement. Law enforcement can help you but may have a different perspective and goal than your organization does.

If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?

Listen to your incident response team. Follow best practices. And, around that, ensure that you’re implementing best practices for your organization. Do you have offline backups? Can you check to make sure those backups weren’t impacted? Work hand in hand with your IR experts and follow your IR plan. Your general counsel should be an integral part of the team to ensure you are following the laws and protecting your company and customers as best you can throughout the event.

Should a victim pay the ransom? Please explain what you mean with an example or story.

My general response is no. Don’t pay the ransom if at all possible. Law enforcement typically also won’t want you to pay. But this is another reason to have a good incident response team on retainer to provide advice. They can look at your environment, your backups, etc. and tell you the ramifications. This includes how deep the encryption is, how infected your environment is and whether you can clean it up yourself. Listen to your IR team and work with law enforcement, but I generally recommend not paying it. It’s also worth noting that under some of the new treasury rules, you might violate some laws if you make a payment that winds up benefiting a group or individual under sanctions from the United States. The IR team will also have recommendations on the attacker group’s past actions. If they get paid, will they provide a key? Will they help if there’s a problem with decrypting the environment? This is why expertise focused on this issue is important to have on your team.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

Cyber hygiene is important, but organizations need to do a lot more than just that. They need to tackle the whole identity problem, put MFA in place, and establish a holistic focus on identity. That means looking at Active Directory (AD), cleaning it up, and ensuring that people have the right amount of provisioned entitlements for what they do in their job — but not so many that they’re overprovisioned. Today’s organizations are often in the cloud or moving toward the cloud and they often lose track of those provisions. Don’t ignore AD, monitor, manage, and look for attacks inside it. It’s best to tie in the whole identity piece alongside cyber hygiene since it’s just as important.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

A deeper look needs to be taken to ensure that people understand what happened in past incidents and what could have been done to prevent them from succeeding, or at least minimize the impact. Today, the same recommendations are often rehashed without consideration of the impact those recommendations would have on the analyzed attack. A great example is the SolarWinds attack. Recommendations came back that MFA is critical to stopping these attacks. Would it have helped? Yes. Would it have stopped all the attacks successfully? No. A focus on protecting Identity systems such as AD would have had a major impact on early detection of the attack thereby minimizing the impact. MFA is very important, but the bigger picture from this attack and almost every other attack shows that a focus on managing and protecting identity systems is just as important. This is well highlighted in Microsoft’s own recent report in their new ‘Cyber Signals’ magazine where they title the first report ‘Identity is the new battleground’.

What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)

Implement MFA. Multifactor Authentication is relatively easy to implement and adds a significant level of difficulty for an attacker to compromise a single account. If an attacker compromises a system and can extract usernames and passwords, odds are they can crack some passwords given enough time and computing power. If MFA is implemented, then any compromised accounts aren’t useful without the second form of authentication available.

Protect your identity systems. MFA may help protect user accounts, but it doesn’t help if that isn’t the route the attacker takes into your system. If a user clicks on a phishing email with a malicious link, a weaponized attachment targeting an unpatched system or, worse yet, an unknown vulnerability utilizing exploit code (a zero day) then MFA is useless. The attacker has bypassed the need to directly crack that password. Once inside, they can check memory and applications for stored credentials, which they almost always find, and it is game on. Time to move on to Active Directory and elevate privileges and move laterally to find their newly identified targets.

Segment your networks. Separating your enterprise into different network segments enhances your ability to place traps, decoys, bait and other tripwires that can help detect the attacker. A single, simple flat network makes life much easier for the attacker since they don’t have to navigate much to find the data and don’t have detection methods to evade. Imagine a mine field where only one mine exists versus a comprehensive field of mines.

Implement Zero Trust. Zero trust is a journey where you put together a structure to implement an assumption-of-breach mentality. Your plan assumes you’ve been compromised and, based on that, initially trust nothing in the environment. Validate each action based on not trusting users, or their requests to access resources, and then build a structure to do exactly that. Zero Trust is picking up steam in the industry and for good reason. An assumption of breach mentality means you’re always looking for the adversary inside your environment, across users, across Active Directory, and inside your available resources. This makes is much harder for even sophisticated attackers to be successful in stealing data.

Implement Active Defense. Defenders today say they must be on their toes 24/7, 365 days a year. Take that away from the attackers by implementing an Active Defense. MITRE, a not-for-profit corporation which operates federally funded R&D centers to solve cybersecurity challenges, has a great program around this effort called Engage, which is well-aligned with NIST, a laboratory and non-regulatory agency of the US Department of Commerce working to promote American innovation and industrial competitiveness. It focuses on deception and takes the attacker’s advantage away. Why wait and try to detect the attackers all the time? Why not put bait out there to lure attackers that compromise your systems directly into decoy environments? Hide important shares, hide important administrative accounts, cloak data that you don’t want the attacker to find. Make those attackers distrust their own tools as they try to gather data inside your enterprise. This is also a growing trend for good reason. Attackers querying these systems set off alerts as they interact with Active Defense systems minimizing impact to the enterprise.

Tie these five things together and you’re on a good path to having a much more secure environment that’s more likely to quickly detect attacks, even from sophisticated attackers.

If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger.

It would be some type of social media campaign and related app that drove people into video introductions for face-to-face conversations instead of just randomly responding to someone else’s post. A system to remove the anonymity and add the humanity back into online interactions between people.

Read the original interview with Tyler Gallagher in Authority Magazine.

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free

FAST AND EASY

Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial

GET PROTECTION AGAINST UNAUTHORIZED ACCESS TO ACTIVE DIRECTORY

  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise

RSS

Leave a Comment

Your email address will not be published.

17 − 17 =

Ready to find out what’s lurking in your network?

Scroll to Top