EP 2: Cyber threat landscape


Episode 2: The cyber threat landscape

Date: 26th February 2020
Speakers: Kris McConkey (Host), Gerry Stellatos (Guest), Sloane Menkes (Guest)

Duration: 21m 40s

Join PwC experts Kris McConkey, Gerry Stellatos and Sloane Menkes as they discuss the latest trends and developments in the current cyber threat landscape. From a changing geopolitical environment to recent notable breaches, understand what steps your organisation should take to ensure it remains secure.


Kris: Hello everybody and welcome to our podcast series, the global realities of cybersecurity. I’m your host Kris McConkey, based in London for PwC UK. Each episode of this series we’ll be inviting along some of our colleagues who are experts in their fields to discuss what they do at PwC and what they’re focussing on in the ever-changing world of cybersecurity. Today's conversation is centred around the cyber threat landscape and I’m joined by Gerry Stellatos and Sloane Menkes, principals at PwC over in the US, who have spent their careers helping organizations respond to breaches and crisis events. Sloane and Gerry, thank you very much for joining me today. I’ll give you guys a brief opportunity to introduce yourselves.

Sloane: Thanks Kris, this is Sloane Menkes and I’m a principal, as you mentioned, over in our US Cybersecurity and Privacy practice. I’ve focussed the past 22 years on cybersecurity and I’ve really been around the cycle of cyber and securing assets, and I spend most of my time building executive resiliency into organizations and helping with the cyber strategy to do that.

Gerry: Hi, this is Gerry Stellatos. I’m a principal within our US Cybersecurity practice along with Sloane. I’m currently responsible for leading incident response and threat intelligence for the US firm. My background over the past 18 years has been helping organizations detect and respond. I initially started my career working at the National Security Agency, working as a global network analyst, and then transitioned into private industry, helping organizations detect and respond as well as improve their overall maturity when it comes to cybersecurity. Thanks for having us.

Kris: So Gerry, I guess if we start with you, since you and your team literally spend every day responding to intrusions and breaches, can you give us a view of some of the new and interesting changes that you’ve seen in the landscape in the recent years or so?

Gerry: Sure Kris, happy to. You know, what's old is new, in that the incidents we've seen affecting our clients previously are still continuing to happen today. For example, over the past several years we’ve seen organizations invest more in threat detection technology and threat intelligence, augmenting their ability to detect and respond with more resources and leveraging external partners. And what we’ve seen threat actors respond to is that the targets have become harder for them to compromise. They’re going to target, or focus on, the weakest link in the chain, for example the supply chain. And so we’ve seen a recurrence in ultimately the targeting and exploitation which has been going on with trusted third parties. Organizations are still struggling with the basic fundamentals of information security. What assets do I have? What’s my perimeter as I move to cloud? But also, who has access to my environment? What resources and support do they provide? What we see with threat actors is that when it’s hard to go in the front door, ultimately from a client perspective, they’re finding these trusted parties and looking to leverage them, as ultimately that might provide access into an environment, or certainly the information that they have as well. I would say, as a second theme, and this is something that was very interesting to me in my own career where I have a lot of experience doing targeted threat actor investigations, in some situations we would see the same use of infrastructure or tooling that targeted threat actors would use on nation state or commercial industry, but we would also see that potentially being repurposed or used for the targeting of non-nation-state clients in specific verticals. One thing that comes to mind is I’ve worked a case with law firms that were affected by targeting; in this situation we saw that there were nation state actors that actually leveraged tooling and infrastructure to target law firms for ultimately personal or financial gain.
I know recently you’ve got something out of the UK from an organized crime perspective that I think it’ll be helpful to share with the group.

Kris: Yeah Gerry, there are some really interesting things happening in that space at the minute, and I guess one of the big trends we’ve seen in the organized crime space, particularly in the last 12 months, has been this evolution of this clan mentality, which is very much like a syndicate or clan with a whole bunch of actors who previously have operated independently, but are developing relationships to deliver each other's payloads, to refer people to each other and to actually monetize the victim environments that they have access to in a much more coordinated and sophisticated way. One of the most prevalent of those in the past 12 months, which has resulted in some really big impact incidents, is the combination of Emotet, TrickBot and Ryuk as a kind of a trilogy that, whenever it gets into a network, figures out what it’s in, then starts delivering extra payloads that end up with pretty targeted ransomware. It’s really interesting. The other one that’s kind of linked to that, and I mentioned Ryuk, is the big game ransomware side of things, and I know you guys have been working on a bunch of cases as well.

Gerry: Yes, this has been recent with some of the trends around, and I’m likely not going to pronounce this correctly but, Sodinokibi.

Kris: I get it wrong every time!

Gerry: Where clients, certainly ransomware has been a topic of mind across all client bases, what ultimately is an effective strategy. The general premise was, you know, enter into an environment, encrypt all of the information, and then ultimately a client would make a business decision as to whether to pay or not. And there was also this: the information was just encrypted, but was ultimately not transferred out of the environment. An assumption that investigators like us would come to, based upon the available evidence, would help our clients make a determination of what did or did not happen. What’s happened recently, though, is we’re seeing the threat of releasing this information if the clients or organizations that are victims do not pay. That’s a bit of a game changer and scary for individuals who are concerned about ransomware and this premise around disrupting or impacting a business. Well, certainly disrupting, but now that information might be exposed or transferred out of the environment, it certainly will lead to organizations thinking about how they respond to a crisis like this, what potential litigation or what potential outcomes might result from information being exposed. It's not just that when your business is exposed to ransomware you’re exposed, you’re disrupted, but ultimately this will lead potentially to litigation and different outcomes that might be problematic.

Kris: Gerry, I mean we’re only in early 2020 at this stage and there have already been some pretty high profile examples in the press of exactly the type you described, so this is something we’re definitely seeing more actors start to focus on, in terms of both ransomware but also information leak afterwards as well. Sloane, let me throw this over to you, because that whole disruptive actor space very often demands quite a different lens on incident response, and I guess I’m much more focussed on the incident management, service restoration and continuity side of things. So how have you seen organizations bridge the gap between what typically happens on the technical, forensics side and up to the wider organizational crisis response and those types of things?

Sloane: Thanks Kris. I think it’s still a lot of the same, yet we see organizations utilizing more of the same ideas, or even ideals, for responding to crises holistically. And what I mean by that is a crisis is a business disruptor no matter what type of incident it is, whether it’s ransomware locking down and encrypting information or it’s a different threat actor using a different threat vector. So really bringing the response mentality together, using the principle of managing those organizational crises and looking at it as more than just an IT issue. So how do you do that? Well, it translates into those usual principles that one would apply to business disruption or crisis. You need to have a crisis plan, you need to know where all the folks / people are. I like to think of it as answering: what is the crisis plan? Who is involved or named as key participants in responding to a crisis, and how are they going to respond? And what’s most important for them to be thinking about? And you want to exercise that, you want to build up resiliency, and we’re seeing organizations, as they’re responding, either they are resilient because they’ve been thinking through this, or they have practiced and built up some resiliency. One thing I haven’t mentioned is communications. Those communication plans and the channels they are communicating on, whether it’s out of band because you want to secure it and you know that people are going to be looking inside your technology for communications that are key to going around this business disruptor or crisis. We want to make sure that communication channels are there and they’re out of band and aligned with the organization and secured so that you have an efficient response.

Kris: Awesome, thank you. And I guess both of you guys are continually out talking to clients who have been impacted by some sort of cyber attack, so in your experience, and I guess Sloane, if we can start with you again, what are the top three things that you typically see clients thinking about exploring that actually have some kind of impact and help manage their threat profile?

Sloane: Sure, so the first thing that I’d say, Kris, is practice, practice, practice. Think executive exercises, whether it's on a crisis plan or even an incident response plan / cyber incident response plan. Those are important, but we’re seeing clients more and more combine them with red and purple teaming and really utilising the exercise as a way for executives to build the resiliency, but also bring in the technical team and let them build in the resiliency through red and purple teaming within enterprises. So I’d say that’s number one. Number two, as clients continue to increase the use of analytics, they’re developing these more refined use cases and really embedding these processes across their cyber programs. There’s this array of technical solutions and technology that our clients are deploying, and those tools allow for the deployment of capabilities that are going to allow for more response capabilities and resiliency. And lastly, I’d say that the third thing that we’re seeing, to answer your question, is, given some of these recent high profile breaches, we’re seeing an increase in the market's focus on cyber due diligence prior to mergers and acquisitions. And why is that? Well, we’ve seen some very public activities that affected the outcome. And there's been a shift from viewing M&A risk just from compliance, as an organization complying with what they have to do, whether that’s a regulator in their industry, to that compliance being focussed on potential vulnerabilities, and the look is on potential vulnerabilities that a company may need to identify before an acquisition. I’ll pause there and say sometimes you can’t mitigate before an acquisition; you’ve got to mitigate afterwards, and that goes back to planning.
You’ve got to plan for what the post-integration merger is going to look like. If you’ve identified the vulnerabilities, maybe they do affect the acquisition's state, but put a plan together on that post-integration that allows you to deal with those vulnerabilities that you’ve identified.

Kris: Nice, how about you Gerry?

Gerry: I think Sloane is spot on with the comments that she just shared, and, you know, I’ll piggyback on the last point around mergers and acquisitions activity, where for a lot of our clients, and I’d say industry in general, there are some recent examples where the value of deals has certainly been affected by the target company acquired having some kind of breach or event, and organisations are starting to think, well, how do I change my threat profile model as far as due diligence as well? We see a lot more clients asking for support in non-traditional ways, focussed on technical testing services. Can I do a red team? Can I do an external or internal vulnerability assessment, or penetration test as well? Depending on the maturity of the organisation, as well as the concept around proactive threat hunting: where can I identify threats that might exist in an environment? When Sloane and I are having these conversations with clients we’ll tend to phrase this around pre-deal, pre-network integration or post-deal, pre-network integration, where there are some services that are advantageous upfront to help organizations potentially understand the risk, but then ultimately you’ve got potentially too large, or too small, entities. How do you bring them together and how does that fit into a broader strategy? I’d say that the two other areas of focus that we see clients talking about more, coming out of threat actor events, are firstly resilience. And there’s been a focus in the market around what truly is resilience. You know, here at PwC we’ve had a lot of conversations with clients around it’s not just business continuity and disaster recovery; some other basic fundamentals of information security built into an organisation enable it to have a stronger posture around resilience. What are my assets? What is my perimeter?
And when I think about the technology that exists in my data centres, moving to the cloud as well, organisations are coming up with or asking for new ways to identify dependencies that might exist between those assets, both from a critical infrastructure perspective, critical systems, as well as core systems that run environments like Active Directory. I know we’re going to be talking more about that a little later on in the podcast. You know, then lastly, we here at PwC are focussed on how can we do more with less but leverage technology to help us implement or enable our service or solution delivery, and clients are coming to us with that ask. You know, we’ve got clients who have different technologies. You know, they may or may not be able to attract or retain talent and are looking for solutions to help them do more with less: how can I enable one technology to talk to another and facilitate response, facilitate my GRC type applications? So there’s a lot of conversation around automation and how can you implement that in the business and get technologies talking to each other so you can enable both security and the business as well.

Kris: Very cool, thank you. I guess I'll throw one more in the mix from the European side of the pond. We quite regularly see businesses over here, and I’m sure it’ll be similar over in the US, but they’re effectively running on a patchwork quilt of old processes and systems that have evolved over decades, and it’s definitely something that we’re seeing a few CISOs and CIOs start thinking about a lot more over here, which is about re-architecting what they’re trying to secure to make it more securable, and actually simplifying it so it’s easier to secure rather than just sticking more band-aids on what they’ve already got. And quite often when you get under the hood of those things, the fundamental issue at the core of that is the whole ID environment, with how identity and privileged access and administration activities are managed across the organisation, not just from a technical perspective, how do I get a privileged account whenever I need it, but actually the cultural level as well, in terms of how the administrative teams are willing to accept some change in how they go about doing their business to make it more securable. OK, to wrap us up I’m going to ask you both to break out your crystal balls and tell me what you think we’re going to see in the rest of 2020 in the threat landscape, and what trends, you know, on the geopolitical side of things or the technological side of things are going to keep driving change in that threat landscape for our clients. Sloane, let’s start with you.

Sloane: Great. I think real world events, we’re here in early 2020 and we know they’re causing immediate cyber activity, recent events in the Middle East causing a wave of attacks. But even before that we were seeing a wave of attacks against US based utilities and critical infrastructure, even those located near dams and locks, and I think it highlights just how dangerous cyber attacks can be on daily lives if those cyber attacks are not defended against. So really, as we continue to see upgrades to critical infrastructure, cyber defences and controls will lead to service interruptions and downtime for customers, because organisations are dependent on maintaining service whilst finding that availability to make the necessary changes to improve their security posture. And I don’t just mean IT in this statement; I’m talking about the operational technology as well. So, ICS and those controls, as well as the operational technology controls. I’ll just add, from a different point of view, we saw the effects on the election cycle within the US a few years ago and how different actor groups continue to attempt to influence public opinion, with a focus on the methods and sources of information, not only how journalists but how the general public got information. So when I crack open my crystal ball, I know that there are election cycles upcoming and I think we’ll continue to see increased foreign interest in influencing that, and they’ll do that through different threat vectors.

Kris: Gerry, back over to you.

Gerry: We’ll have to do a podcast a year from now to see how right or how wrong I am with the next several statements. So, we’ll continue to see the targeting of trust relationships, third party suppliers, in that as we become more interconnected and organisations do rely on third parties to help provide services or some type of capability to them, because frankly talent is a challenge for a lot of organisations. As long as that interconnectivity and trust continues to build and, you know, organisations rely on it, ultimately threat actors will look to exploit that for access. Another trend that I know our global intel team has been tracking is this increasing availability of capabilities. Traditionally, nation states had the capability, in terms of resources and technology and manpower, to build zero days and other exploits; now we’re seeing the prevalence of tooling that essentially allows organisations to cut out their R&D. When I say organisations, I mean nefarious individuals such as organised crime or potentially other nation states that are looking to evolve or develop their capabilities, so it’s much easier to conduct computer network operations in today's day and age as compared with years ago, and I think that is something that we’ll continue to see.
And then lastly, there’s still a lot of work that can be done around planning and preparation, and as much as we talk about going back to the basics and fundamentals of information security, organisations are still trying to get their hands around asset management, asset identification and those basic fundamentals. So, you know, in some situations I think clients are taking a step back and thinking how do we start doing those building blocks right, helping us to incorporate those themes into resilience, and ultimately the more resilient you are the less likely you will have a service disruption. One of the things I’ve always advised clients is that an external threat actor enters your environment through a trusted insider, and we’re seeing a lot of clients start thinking about control frameworks where the same controls that can be used to prevent targeted threat actor intrusions can ultimately help you with insiders as well. So I threw a fourth one in there, but ultimately I think what’s old is new.

Kris: I’ll let you away with having four, rather than three. Thank you very much for that. So thank you to my guests Sloane Menkes and Gerry Stellatos, and thank you for joining us and listening. Remember to subscribe to our podcast series so you don’t miss out on future episodes, and if you have any questions about what we do here at PwC in cybersecurity, please reach out to me or my guests.
