Experts Only Podcast #95: Understanding Cyber Threats with Cyber Security Expert Richard Hummel

Welcome Richard Hummel, Manager, Threat Research at Arbor Networks, the security division of NETSCOUT, to Experts Only Podcast.

Hear from a #cybersecurity expert as he joins host Jon Powers to discuss #cyberthreats and #cyberattack prevention in the #energy industry.

Tune in for this alarming, but important, discussion.

Transcript

Jon Powers:

Welcome to Experts Only podcast, sponsored by CleanCapital. You can learn more at cleancapital.com. I’m your host Jon Powers. Each week, we explore the intersection of energy, innovation and finance with leaders across the industry. Thank you so much for joining us.

Jon Powers:

Welcome back to Experts Only, I’m your host Jon Powers. I want to step out of a normal episode today and really help all of us understand what’s going on in terms of cybersecurity and the security threats we’re seeing in the energy space. And we’re all very familiar with what happened at the Colonial Pipeline earlier this year. And we’re going to talk to a cybersecurity expert, Richard Hummel, who is involved with threat research at Arbor Networks, part of NETSCOUT. And he’s got a really diverse background in the cyber space. We’re going to talk not just about what’s happening in utilities, but what’s happening in the marketplace overall in terms of cyber attacks and how you, as a company or leader, can help protect your organization moving forward.

Jon Powers:

This is a conversation that probably will scare you a little bit. It definitely scared me, but it also helped drive many of us to action to do the prevention that we need to be doing, because, as we talk about, it’s not just the solutions when you’ve got a ransomware or DDoS attack, as we’ll talk about, but it’s about doing the work ahead of time to make sure you’re protected and can prevent those from happening. Hope you enjoy the conversation.

Jon Powers:

Richard, thanks for joining me on Experts Only.

Richard Hummel:

Yeah, thanks for having me, Jon. Appreciate it.

Jon Powers:

Yeah, absolutely. I want to dive into a variety of topics here but really want to first talk about your experience and what led you to get interested in cybersecurity and such a critical emerging market we’re seeing today.

Richard Hummel:

It was never really a focus of mine. Truth be told, I went to school to become a lawyer. And so I did pre-law. I did some criminal justice and at the time I was enjoying it. I just got this idea, no, why don’t I just join the army? And I’ll go for paralegal. I was like, okay, this is a free ride, get my education paid for, I’ll be a lawyer. It turns out that I had signed paperwork, I was in the MEPS office ready to ship out and they said, “You can’t do paralegal.” And I said, “Well, why not?” And it turned out because I was homeschooled, it was flagging me in the system. They wouldn’t let me do it.

Jon Powers:

Oh wow.

Richard Hummel:

I was like, “All right, give me the next job that requires the most intensive training that you have.” And that was signals intel. And so I joined the military as a signals intel analyst. And when I first got into my unit, they said, “You’re actually going to be cyber.” And so they sent me to some beta course for cyber training. This was before the army actually had a cyber branch, because the Air Force and the Marines and Navy already had those. And so me and one other guy did this and we were the first four deployed soldiers that actually had cyber training.

Jon Powers:

Amazing.

Richard Hummel:

And that was it. That’s what kind of kicked me off. And ever since then, I’ve just really, really enjoyed it. I’ve gone from doing traditional cyber stuff, tracking terrorists and regional adversaries, to reverse engineering malware, tracking cyber crime operators that do ransomware and point of sale malware. And now here I am at NETSCOUT doing DDoS cyber intel.

Jon Powers:

Excellent. I want to step back, and we’ll talk about NETSCOUT in a second, but just for the audience, we’re really going to step back and look at the issues of the attacks we’re seeing in the utility space. Everyone’s sort of familiar with the recent Colonial Pipeline attack. But before we do that, I’d like to sort of get a framework, or maybe if you could paint a picture for the audience of what is the current dynamic in cybersecurity? Why are we seeing, I think more publicly, we’re really beginning to see attacks like we’ve never seen before, but it’s not like it’s just starting. This has been on the move for years.

Richard Hummel:

Yeah, exactly. And the thing is, DDoS and ransomware, two of the things that we’re going to talk about here, have been around since really the advent of the internet. DDoS attacks have basically been around since DARPA invented the internet way back. Ransomware has been around since 1989, believe it or not.

Jon Powers:

Wow.

Richard Hummel:

And so we’ve seen this phenomenon for a long time and there’s been certain points or inflection periods over time where we see a surge of this activity. Just thinking through what you maybe have seen in media, you can go back to Gameover ZeuS and CryptoLocker, when the current kind of iteration of ransomware we’re seeing started, everybody’s like, wow, CryptoLocker, these guys are making millions of dollars. Then you have CryptoWall and they had 30, $40 million over the course of their lifespan. And everybody recognizes these kind of names. And then same thing with DDoS. You have the Mirai bot that happened in 2016 and everybody knows about Mirai and the DDoS attacks against Dyn.

Richard Hummel:

And the reality is I think what happens is these attacks are getting bigger. They’re getting more sophisticated. There’s more adversaries getting bold. And what other adversaries do is they monitor the attack trends or the life cycles or what’s happening. And they actually see that this guy’s succeeding, I can make a quick payday. And so now you have more adversaries getting involved in this and then you also have the ease of access. A lot of these operators over recent years have changed things to actually function and operate just like a business would. These ransomware guys offer this ransomware as a service. DDoS for hire services with booters and stressers allow anyone.

Jon Powers:

Stop for a second. When you were saying that, so you’re saying there’s a platform that’s sort of white labeling ransomware that someone is taking in right now?

Richard Hummel:

It’s a whole ecosystem. I wouldn’t necessarily consider it white labeling but what they do is they outsource things. And so you have a malware author, they actually code the ransomware. They don’t actually deploy it. They’re not the ones actually infecting victims. They don’t manage the infrastructure. They basically code this malware and say, “You can pay us to become an affiliate of our ransomware as a service.” And so they will pay into this and then it’s the operator’s responsibility to distribute that ransomware and actually infect people. And so you might go back a couple years, the Dridex takedown, the Trickbot takedowns. They take them down and they come back. Why do they come back? Because the actual authors are not the ones being taken down, they’re taking down operators that are running certain branches of this code.

Richard Hummel:

And so the ease of access has just changed the dynamic. You can go for $10 in Bitcoin and launch a fairly significant size DDoS attack, any one of your choosing. And so the ease of access has really changed this. And then enter cryptocurrency, now you have an easy method of paying for these things. And naturally, you’re just going to have more and more of this. And the more success you see in the media, the more adversaries want to get involved in it.

Jon Powers:

I do want to get into the energy and utility side of this in a second, but let’s just step out of that and look at the broader market of attacks that we’re seeing. Can you give folks a sense of scale of what we are seeing, sort of looking at the US, let’s look at the US economy. What are we seeing in terms of scale before we sort of dive into the utility side?

Richard Hummel:

One interesting thing when we’re looking at, let’s just look at DDoS first. When you look at DDoS, it’s not necessarily…

Jon Powers:

Can you explain what DDoS is by the way, for people who don’t know?

Richard Hummel:

DDoS is distributed denial of service. Basically, there’s a really common parallel between ransomware and DDoS. Both of them affect availability. The goal here is to knock a service, a platform, something offline that you can’t use. If you encrypt files with ransomware, you can’t use your files. And most likely can’t use your computer. If you successfully launch a DDoS attack, you’re doing network exhaustion and knocking that service offline. And so they both can have similar effects in terms of availability. The difference with DDoS is that you’re actually launching the adversary has a network of devices, either a botnet or they’re using legitimate devices and reflecting traffic off of them to a target of their choosing. In which case it will saturate a network sufficient to tip it over. That’s their goal. And so that’s DDoS in a nutshell.

Richard Hummel:

And the thing is both ransomware and DDoS, you might hear about these highly targeted incidents. You mentioned the Colonial Pipeline but the reality is most of these adversaries are indiscriminate about who they go after. They just attack anyone. In fact, ransomware.

Jon Powers:

They’re going after school districts, they’re going after hospitals.

Richard Hummel:

School districts, local. The thing is, more of the sophisticated ransomware operations will go after local businesses, they’ll go after big enterprises, but the vast majority of ransomware out there, they don’t care who they target. It’s opportunistic. If they get a list of email addresses, they’re going to send a spam message to you. And the way I explained this earlier with the business model is that you have a third party that is actually trying to send out the spam messages. You might have a malware author, you have an operator that says, “I want to run this.” And then they will consult with the third party that says, “Okay, now I need a spam campaign that’s going to send out this malware.” And so they’ll send it out and they’ve gotten really, really good about this. And so the spam messages you get are often indistinguishable from legitimate messages. And so they’re really good about infecting. And then you have this whole ecosystem there. And so they will target whomever they can.

Richard Hummel:

I always go back to this term that I try to coin and I don’t know that it’s taken root anywhere, but opportunistic targeting because they are targeting specific people.

Jon Powers:

I like that, I’m going to start using that.

Richard Hummel:

Hey, you know what? Take for example, breaches. A while ago we had the OPM breach. I guess it’s been about three or four years ago now. You have your email addresses, you have your names, you have your addresses, you have your Social Security numbers, all that compromised and all that data correlated to an individual person.

Jon Powers:

Yeah, and for people who don’t know, that basically was the entire federal government.

Richard Hummel:

Essentially.

Jon Powers:

Any personnel who worked in; I was in there at the time and was hit by that.

Richard Hummel:

Mine was leaked in the OPM stuff as well. You take that and you have an adversary like these third party spam distributors and now they have an entire corpus of data where they can craft socially engineered emails specific to those users. Now they don’t care which of those users they’re going after, if it’s crimeware, they just, they want to hit them all. If I can craft an email that looks like you should pay attention because, man, your stuff just got leaked in OPM, your Social Security number’s at risk. I can craft a very good email to try to get you to click on something. And so that would be the opportunistic part that I was talking about. It’s not necessarily spear phishing where they’re going after a very specific organization for a specific purpose. It’s they’re going after the whole thing because it’s available to them. And so that’s kind of the phenomenon with the whole ransomware scene. It really doesn’t matter who you are. It doesn’t matter where you sit.

Richard Hummel:

I will say there’s an exception for this. A lot of the really famous ransomware, CryptoLocker, CryptoWall, TeslaCrypt, TorrentLocker and some of the other ones, when you actually get into reverse engineering, just because I did some reversing for a while, a lot of those ransomwares were designed to not encrypt files if your computer had Russian language settings or was in a Russian IP space.

Jon Powers:

Oh, interesting.

Richard Hummel:

And so, because those operators are believed to have been from Russia, as long as they didn’t target Russian citizens…

Jon Powers:

They were safe.

Richard Hummel:

Then they did whatever they wanted. And so in some cases you would see that phenomenon where Russia wouldn’t have as much activity. But that said, ransomware comes from everywhere, from every country. And so that will target anywhere. DDoS, we see a lot of the same phenomenon. In fact, the vast bulk of DDoS attacks are actually against consumers like you and me and specifically gamers. But what most people probably don’t know is that 80% roughly of DDoS attacks can all be traced back to gaming, because you have these disgruntled users that are facing their opponents and maybe they’re having a VoIP communication chat or whatever it might be. And man, they just killed them for the 10th time and I’ve had it with you and I want to DDoS you. I’m going to knock you offline so I can beat you.

Jon Powers:

Oh, wow.

Richard Hummel:

And so it’s relatively easy to find the IP address of your opponent, especially when you’re communicating with them, because a lot of these VoIP communication protocols reveal real IP addresses for who you’re speaking to. And so I’m going to find the IP address, I’m going to knock you offline. And the same issue for the underground eSports, because there’s a lot of money riding on this. Tens of millions of dollars, if not hundreds of millions. And so you have a lot of these attacks. If you’re in a match and you’re knocked offline for even three seconds, it’s enough to tilt that match in favor of somebody. Gamers themselves might not be involved in those eSports, it could be other people that are just gambling on them. Just stake somebody and now the other person has to go down.

Richard Hummel:

And so I would say that for both ransomware and DDoS, monetary gain is the predominant focus of both of these. That’s not to say you can’t have demonstrations. You can’t have activism, there could be some nation state involved, but monetary gain is the predominant focus. And so if they’re trying to get a payday, it doesn’t matter what country it’s from. Doesn’t matter what industry you’re part of. I’m going to go after where I think the money is. And that’s what we see with both DDoS and ransomware.

Jon Powers:

In a second, I’m going to have you sort of walk us through the Colonial Pipeline attack, just from the cyber side. I think people understand on the energy front, obviously the influence there. But before we do that, just one more basic question, we’re seeing the emergence of a lot of these attacks out of Russia, probably out of China and other areas, is that because they have had the infrastructure investment, whether it be in their military or other places to now build up entire teams that know how to do this? What’s driving that out of those locations?

Richard Hummel:

Everything that I’ve said so far is non-nation state sponsored. Now that’s not to say that governments couldn’t be backing some of this activity. I’m not really in a position to say that because I haven’t done the attribution side for a long time, but there’s any number of reasons, but one could be the simple fact that there’s no repercussions if they do this to non-resident folks. You can have crime syndicates that are just raking in the money and there’s literally no repercussions. There’s no extradition. Sure, they can be indicted, but if they stay in Russia then so what?

Jon Powers:

Yeah, who’s going to find them?

Richard Hummel:

And so that’s part of the problem. And really, if we wanted to solve this problem, we have to have cross country extradition plans, we have to be able to have law enforcement and Interpol and Russian law enforcement help us here. And I just don’t see that happening in the near future.

Jon Powers:

Yeah. I don’t disagree. And I think people have a misconception that you see these big announcements around these attacks. That’s just the tip of the iceberg.

Richard Hummel:

That’s the tip.

Jon Powers:

That’s just what DHS and NSA and others want to even know about because there’s so much happening underneath that doesn’t get talked about.

Richard Hummel:

Yeah. And the thing is a lot of these media events are the minuscule portion of this attack. You hear about Colonial Pipeline, you hear about recent attacks on, was it Luma Energy? There’s various other things where you see these big media events, but those, for DDoS attacks, that’s one in 10 million. And so we’re talking about a very, very tiny portion of all of the ransomware and DDoS attacks that ever make their way public. But there’s so much more happening on the backside. In fact, we surveyed enterprises and internet service providers last year. And the number one threat that they faced was ransomware. And the number two threat was DDoS and specifically DDoS extortion. And those are two of the primary concerns that they had going into 2021.

Jon Powers:

When you say we, you’re talking about NETSCOUT?

Richard Hummel:

NETSCOUT, yes.

Jon Powers:

Can you talk for a second for folks that aren’t aware of NETSCOUT, what you guys do?

Richard Hummel:

The shortest way to say this is that NETSCOUT is guardians of the connected world. And the whole meaning behind that is that we are trying to make sure that every single person that is a customer of ours stays connected to the rest of the world. We understand that that is the lifeblood for most of these organizations. A lot of the internet service providers of the world are customers of ours. And they don’t survive if they don’t maintain internet connectivity. And they don’t maintain those pipelines to their consumers in all of the enterprises’ purchasing services. And so we absolutely value ourselves as being those guardians and trying to maintain that always on service assurance. And so that’s essentially what NETSCOUT does. We provide visibility, we provide mitigation and protection in the DDoS space and understanding what traffic, internet traffic is pulling across customers’ networks so you can make informed decisions about what to do with that. And so that’s essentially where NETSCOUT comes in to help.

Jon Powers:

You mentioned internet providers, do you work with smaller firms? Or are they mostly larger, sort of fully integrated geopolitical firms?

Richard Hummel:

We work with any size customer. And the thing is obviously our products, I won’t say, I’m not going to do a product pitch here, but I won’t say that they’re cheap. I will say you have different tiers though. And just like we have different tiers, other peers usually have tiers. You have on-prem stuff, if you have your own security team, you might have your own scrubbing center, and scrubbing equipment is very expensive. If you’re an enterprise, maybe you just need a device that’s sitting at your perimeter, it’s going to make decisions about inbound, outbound traffic. We have that size.

Richard Hummel:

You also might say, “Well, I can’t actually put any equipment on premises. What do I do now?” Well, now you have cloud solutions. Arbor Cloud is one that we have. And so now you can even have Arbor Cloud handle things and so you might have some intelligent decision making happen. If we get a DDoS attack, let’s route traffic through Arbor Cloud and they’ll do the scrubbing and send the clean traffic back to us. And so there’s really kind of all sizes for all different types of organizations. And there’s obviously other solutions, if I just need a website monitored, there’s other products in the industry that can just do single website type things. And so really there is a right size for anyone.

Jon Powers:

Let’s dive into the energy space. Obviously, going back to being connected, there are few industries that are as connected to all of us in our homes and our businesses as energy. Why are utilities under attack? And then I do want to walk, if you can walk me through what we know at this point publicly of not the repercussions of the Colonial attack, but how it happened. What were the weak points that they took advantage of? And how did this come to transpire over the last, I guess it was a couple weeks ago?

Richard Hummel:

Yeah. I think the first question you posed, the why, why energy is hit. I think I’ve already covered that a little bit. And like I said, with DDoS and ransomware, monetary gain is the predominant focus and what better way to hit than energy, which is the lifeblood of what keeps our lights on. If I can successfully compromise a company that’s dealing with energy servicing the eastern seaboard or western, whatever it might be. You’re talking about…

Jon Powers:

Let me flip that question around. Is the majority of the attacks we’re seeing today based on monetary gain by criminal syndicates, versus a national security risk that the Russians now have their fingertips on our utility devices, or both?

Richard Hummel:

That is a loaded question. And I will say that there’s definite possibility for it to be both. However, most of what we deal with and what we see is very much on the crime side, where they’re looking for a pay day. Now, I can’t speak with authority on, is that crime syndicate also sponsored by a government? It’s quite possible. We’ve seen attacks from North Korea before, for instance, where they’ve leveraged DDoS attacks to take down cryptocurrency exchanges. And so there definitely is some form of these ransomware and DDoS attacks that are absolutely nation state sponsored but I couldn’t tell you which ones are. For the most part, we tend to look at the crime motivation, which is the monetary gain.

Jon Powers:

Interesting. And for the listeners, the Department of Homeland Security under President Trump actually put out a report, I think probably two years ago now, that basically outlined that the Russians had their fingerprints on our energy utilities as of now. Whether it be a criminal side or, I think they were talking about the nation state side. And when they do that, they’re doing that because they’re sending a signal saying, “We know you got this.” Okay, so for folks that aren’t, unless you did not read the news, I think most people know what happened to the Colonial Pipeline, but at a high level, this is providing fuel up and down the eastern seaboard. It shut down for days, cost billions from an economic perspective. Caused folks in places like North Carolina to be in line for almost full days to get gas in their vehicles. How did this happen? How was Colonial targeted? Maybe not targeted, maybe it was an economic perspective, but how did they actually execute on this on the cyber side?

Richard Hummel:

Yeah. First off, I want to just kind of touch on one aspect of this that maybe is obvious but it helps to kind of draw a parallel here: we believe that the DarkSide crew, the guys that were responsible for launching this ransomware, are a crime syndicate, they’re looking for a payout.

Jon Powers:

For folks that don’t know, DarkSide’s the Russian crime syndicate that you mentioned. A little history on that. Can you give just a quick history on that team?

Richard Hummel:

I haven’t followed DarkSide too closely, but I’ve been following them more recently, obviously because of the ransomware, but these guys very specifically go after targeted organizations. They’re looking for medium sized organizations, local governments, people that aren’t necessarily super high profile. They have some sort of weird mission statement that they don’t want to cause any sociopolitical disruptions. They clearly failed at that.

Jon Powers:

No one checked their mission statement on that attack.

Richard Hummel:

They’ve gone relatively silent after that because it brought so much attention to them.

Jon Powers:

Oh wow.

Richard Hummel:

But that’s their mission statement, they wanted to go after people that weren’t going to have a huge impact on society in order to elicit payment. They also, I read some, I don’t know if it was a blog or somebody commenting on kind of their mission statement, but these guys were launching attacks and showing holes in people’s organizations while soliciting payment. Now come on, they’re not white hat guys. These are bright guys doing bad things. They need to stop. Anyway, there’s that whole aspect, but what’s even more important here is look at the success that they have. Even if it was another crime group that was looking at this: man, all they had to do was go after this and they did it this way. But more so, look at nation states. What happened to our country because they managed to compromise this organization? And I’ll get into what I understand about how they did this. But nation states looking at this, they shut down the entire eastern seaboard.

Jon Powers:

Oh absolutely.

Richard Hummel:

Stopping gas and oil by one simple ransomware attack. And so nation states are absolutely going to pay attention to that and be like, man, this is going to go in my toolkit, in my attack playbook if I ever want to take out the energy grid.

Jon Powers:

Yeah, absolutely.

Richard Hummel:

Now the how, my understanding is that they actually accessed via aged means of getting into systems. My understanding is that there was a latent user account that was in their third party vendor. Let me actually lay out the attack. What actually happened. Colonial Pipeline didn’t actually get attacked. It was actually a vendor of theirs that managed the billing for the oil they’re shipping. And so what happened is that they couldn’t tell how much oil they were shipping to one of their consumers, and so instead of just shipping oil continuously, they shut the whole pipeline down until they could figure out how much to bill somebody. And so that results in this domino effect of this huge loss, but they anticipated the loss from that was less than just continuing to ship millions of gallons of oil without charging anybody.

Jon Powers:

Wow.

Richard Hummel:

And so the Colonial Pipeline itself didn’t actually get hit, it was actually a third party vendor. And my understanding is that they got in because there was an account there that wasn’t being used anymore, from a past employee, that had credentials that were compromised. And so they used a method that has been employed for probably over a decade, if not more at this point, of brute forcing or purchasing compromised credentials somewhere on the underground and using those to log into an account and gain access. And that is still one of the predominant ways that adversaries get in. It’s just this simple brute forcing, using known exploits that should have been hashed many, many years ago and using social engineering tactics by email to get people to click or download something.

Jon Powers:

Simplify that for me. Some previous employee had their password and login for whatever system, the invoicing system, that had been basically taken. Somebody had gotten a hold of it through nefarious ways.

Richard Hummel:

That’s my understanding. And most of my understanding of this comes from reading other people’s research.

Jon Powers:

Sure. No, I understand.

Richard Hummel:

BleepingComputer has good ones. ZDNet, Ars Technica, they have some pretty good technical, deep dives into some of these things.

Jon Powers:

And then they use that entry point to put in the ransomware.

Richard Hummel:

Yes. If they’re able to get access to a system, in theory, that system should not be connected to critical systems that can literally blow up an entire organization. There were some other security concerns that should have been addressed here, not just some latent account, whatever. Not only was it a latent account, but if it managed to deploy ransomware that impacted their entire invoicing system, then that account clearly should not have been provisioned as such, and even more so, if that person was no longer working there, it should very clearly have been removed from permissions groups.

Jon Powers:

Yeah, absolutely.

Richard Hummel:

There were definitely some procedure fails, from what I can tell, that happened here.

Jon Powers:

That’s fascinating. For our audience, who consists of leaders in the industry and folks sort of working across all spectrums, thinking about that, it wasn’t Colonial that got hit, it was their invoicing vendor that caused this multi-billion dollar impact. And then once they had that ransomware in place, was it four million? They asked for four million in cryptocurrency.

Richard Hummel:

I think four million. Now for this size of organization, they normally would’ve asked for a lot more. But because of the social impact that they had, they decreased the cost of the ransom a lot.

Jon Powers:

I always thought it was an Austin Powers moment where it was $4 million. I’m like, does he know what that means? This isn’t rubles.

Richard Hummel:

No, you would think that, but there’s actually these boutique insurance companies out there. I’m not remembering the name of any off the top of my head, but there are actually companies out there that specialize in negotiating ransomware payments with the bad guys. And these are legitimate companies, mind you. If you as an organization decide, I’m going to pay for this, you can consult with one of these companies that actually interface with the bad guys on your behalf, to be able to get your files back essentially. And so I don’t know if one of those was employed in this circumstance, it’s quite possible. But again, in my opinion, they should not have paid. I am of the stance that never, ever is it okay to pay ransomware. One, because it enables the adversaries. Two, it makes you complicit in an actual crime that’s happening. And three, there’s no guarantee that the adversaries aren’t going to come back or even decrypt your files.

Jon Powers:

Yeah, I was going to ask you that question. 101 for those of us that aren’t in the industry: if you pay, how do you know they’re even going to honor the ransom?

Richard Hummel:

You don’t. You are operating on complete and total faith.

Jon Powers:

For somebody who’s trying to steal something.

Richard Hummel:

You probably remember WannaCry, way back when. WannaCry had this issue where there weren’t actually unique IDs per infection, and the way you had to contact the adversary, they couldn’t tell which device you had or which encryption keys were being used. And so often there was actually a way you could make a payment, but you would have no recourse to actually recover your files because the adversary couldn’t even send you the right encryption key. And I’ve seen many, many ransomware families like that, where there’s actually no way for them to send you the proper encryption key or they’re not tracking individual users on a payment by payment basis. And so again, it’s just, it’s one of those things that you just stay away from as much as possible.

Jon Powers:

Yeah, so let’s play with this for a second. If you’re advising the CEO of, we’ll use Colonial, but let’s stick with energy company X. It gets hit with ransomware. First of all, what should they do? What should their actions be? How do they even get this? Because most, I imagine most have some type of security relationship, but many don’t. Especially smaller companies, it’s just something that you don’t. What do you advise people?

Richard Hummel:

Yeah. Maybe I can take it one step removed from that first. What should you be doing now? Not when you deal with ransomware today, but what should you do now? And that is practice good network hygiene. With the case of the Colonial Pipeline, if they had cleaned up that account that wasn’t being used anymore or they had simply just got rid of the ability to brute force usernames and passwords, if they had properly isolated and segmented their networks to not affect the rest of it. There’s any number of things they could have done to prevent that.

Richard Hummel:

And so to me, preparation is the single most important aspect of both ransomware and DDoS. If you’re prepared to handle some of these things, if you’re patching your systems, if you’re isolating your networks, if you’re educating your users about what spam looks like or what things to click on and what things not to click on, if you are practicing the good hygiene of deleting accounts that aren’t being used anymore, getting rid of default usernames and credentials, implementing two factor authentication, all of these things are just common things that we in the security industry have been preaching for many, many, many years.

Richard Hummel:

And if we just follow these and we stay up to date with these, we’re going to be prepared to handle a lot of these threats. And I would say greater than 80% of these threats can be handled by taking care of the things we’ve been talking about for many, many years. And DDoS especially is really key here because, so we’ve been tracking this DDoS extortion campaign, there’s two of them actually running right now. One is Lazarus Bear Armada. The other one is Fancy Lazarus. And these guys, what they’ll do is they’ll launch a DDoS attack in demonstration and then they’ll send an extortion demand that says, “Hey, we’re going to continue to launch these attacks if you don’t pay us Bitcoin.”

Richard Hummel:

And what we have seen in every single customer that I’ve helped with, that my colleagues have helped with, even non-customers that have reached back to us for assistance. If they have some form of DDoS mitigation and protection services in place, almost to a letter, not a single one of them experienced negative downtime or business impact because they were prepared to handle these attacks and those attacks were relatively rudimentary. They were your run of the mill attacks. They were things we haven’t seen before. And the same is true in ransomware, brute forcing, exploitation of known credentials, things like EternalBlue and EternalRomance that are exploits that operate on SMB. There’s any number of these things that have just been around for so, so long that people aren’t patching. They’re not aware of.

Jon Powers:

Just prevention.

Richard Hummel:

And so they’re getting in the same way.

Jon Powers:

Yeah, I imagine most of the folks out there aren’t doing the prevention or maybe are starting to do the prevention. For those that aren’t and this happens, most folks won’t even know who to pick up the phone to call. First of all, you’re probably in trouble at that point. You’ve had the heart attack. You’re in the hospital. You probably shouldn’t eat the 15 Big Macs. One is exercise.

Richard Hummel:

If I have to say, your organization and you have the ability to actually call somebody for help in this case, my go to would be FireEye or Mandiant because I actually used to work for FireEye and Mandiant. I know they do a phenomenal job with incident response. NETSCOUT is not the person you call when you have a ransomware infection, I’ll tell you that right now.

Jon Powers:

You guys are prevention people?

Richard Hummel:

We are preventing the DDoS attacks. And here’s another thing, it’s not if you’re going to get DDoS attacked, it’s when you’re going to get DDoS attacked. And you as a consumer might realize it then. As a consumer, if I go down for a couple minutes, that’s irrelevant. I don’t really care. But if your lifeblood consists of maintaining that internet connection, then you should consider that it’s not if they’re going to get attacked, it’s when. There might not even be a direct attack against you as an organization, it could be collateral damage. And in the DDoS world, collateral damage happens every single day and all the time. And so you might have, for instance, you might have some gamers out there that are mad at somebody and their opponents using a VPN, a commercial VPN IP address. But what happens if they take down that VPN? Well, anybody else using it is going to get taken offline too. Collateral damage is a really big thing in DDoS world. And so absolutely prevention is key.

Richard Hummel:

Now that said, if you are under a DDoS attack, we do have a hotline you can call at NETSCOUT, but don’t call us for ransomware if you’re encrypted because we’re not going to be able to help you. Call someone like FireEye or Mandiant that can actually do some post based forensics. Two different sides of the coin.

Jon Powers:

Well, it’s important. I think most people don’t understand that. And just that explanation in its own right, is going to go very far in helping people understand what they need to be doing.

Richard Hummel:

Exactly. The response is different when you’ve been hit because you have two different things you got to go after but the prevention aspect, a lot of the overlaps are still there. Adequately being prepared, isolating your networks, making sure that if one goes down, the other one stays up, making sure you don’t have normal gaps in your security posture. Things that should be patched are patched. And so there’s a lot of similarities in terms of the prevention aspects, but there’s very different spots in terms of how you deal with that after you get hit.

Jon Powers:

Yeah. And as our world gets more and more interconnected, between the concept of internet of things, every venture capitalist in the world is looking at how to tie in closer to the internet of things world, we’re seeing some coordination happening now in the new administration, Homeland Security, the White House and others on this. But if there’s a trend line in this space, it continues to go up in terms of attacks.

Richard Hummel:

Up and to the right.

Jon Powers:

Up and to the right.

Richard Hummel:

Yeah, we actually, we talked about that in the last threat report and up and to the right is pretty much what we’re seeing across the board, whether it’s in terms of the number of attacks or the types of new attacks that we’re seeing. Just in fact in the past, I think the past year we have seen adversaries significantly use and weaponize upwards of eight new vectors that we’d never seen before.

Jon Powers:

Wow.

Richard Hummel:

And that doesn’t change. The DDoS for hire services, why would they ever remove a DDoS attack vector? It makes no sense, but if a new one comes out, let’s add it. Now you have this whole smorgasbord of things that people can choose from and let’s just keep increasing it. And so I think this is an early preview for you of our next threat report. But over the past six months, we’ve seen an attack that leveraged 32 different DDoS attack vectors in a singular attack.

Jon Powers:

Wow.

Richard Hummel:

Which is nuts because now you have defenders that have to try to scramble and prevent all these different things and make sure that their systems have automated ways in which to handle it. And it’s crazy. Up and to the right is absolutely correct.

Jon Powers:

Well, thanks for scaring us, Richard. Appreciate it.

Richard Hummel:

You mentioned the IoT and here’s another scary metric that maybe you didn’t know, but if you put a new IoT device online, within five minutes, that IoT device is going to get brute force attempts.

Jon Powers:

Wow.

Richard Hummel:

And we’ve tested this multiple times.

Jon Powers:

Think of getting a Nest thermostat or a baby camera or whatever.

Richard Hummel:

Well, I will caveat that baby cameras, for the most part, don’t reside on your network. I don’t want to scare people to think it does, that somebody’s going to log into your baby camera and look at whatever. But your Nest thermostat, Christmas happens, you open all your gifts. This past Christmas, when I opened my gifts, I had at least four devices that I got that were IoT devices and needed internet connectivity. I could probably count 50 things just in my office alone that probably can connect to the internet. And so the reality is that if I plug that in, within five minutes, expect it to get brute force attacked with default credentials and passwords. Some of these devices don’t even have the ability to log in and change the passwords that they have set. Or if they do, how many consumers know about them? Does your router have a firewall in front of it? Probably not. Your router, is it being updated regularly? Do you go in and change your settings? There’s all these things.

Richard Hummel:

And then factor in COVID where all the enterprises went to a work from home. And all of our corporate devices went from being behind corporate firewalls or what we call inside the castle to your home network. Do you have corporate firewalls? Do you have IDS and IPS in front of that? Probably not. And so now you have this whole other aspect of the security posture that you have to worry about.

Jon Powers:

Fascinating. We’ll definitely have you back on to talk more about this. This is, Richard, fascinating and I want to thank Drew Pearson and the team for helping us set this up. But I do want to ask one last question. If you could go back to yourself coming out of homeschool, getting ready to go in the Army, sit down and give yourself one piece of advice, what would it be?

Richard Hummel:

You know what? If I had to do it all over again, I would tell myself to do the same thing.

Jon Powers:

That’s amazing. That’s great.

Richard Hummel:

This field that I’m in here is awesome. And everybody that has moved into it since I’ve been part of it, whether I’ve advised them to move into it or not, they enjoy it thoroughly. My brother followed in my footsteps because I told him it was so much fun. And now he’s enjoying doing the same kinds of things that I am. And so if I had to give myself advice, I would say, forget the law stuff and go into cyber.

Jon Powers:

That’s awesome. Well, Richard, thanks so much for joining us. And I really appreciate the work you guys are all doing at NETSCOUT and trying to keep a lot of us safe out there and obviously some clear messages for the audience and we look forward to continuing the conversation for sure.

Richard Hummel:

Absolutely, Jon. Thanks for having us.

Jon Powers:

Yeah, thanks to our producers, Colleen Young and Carly Battin. As always, you can get more episodes at cleancapital.com and we look forward to future conversations. Thanks so much.

Jon Powers:

Thanks for listening in to today’s conversation. Find more episodes on cleancapital.com, iTunes or wherever you get your podcasts. If you like what you hear, be sure to subscribe and leave us a five star review. We look forward to continuing our conversation on energy, innovation and finance with you.