What a Ransomware Attack on a Hospital Really Means

S4 E12 · Bare Knuckles and Brass Tacks

Zach Lewis, CIO/CISO at University of Health Sciences and Pharmacy in St. Louis, joins the show to talk about his experience with a ransomware attack by the LockBit group.

Zach takes us beyond the technical recovery into territory most people don't talk about: the gut-punch moment of finding the ransom note and the months of running on pure adrenaline while keeping his team from cracking under pressure.

Key takeaways from our conversation:

The human toll matters. When hospital systems go down, it's not just inconvenient. People can't get medications, emergency rooms have to reroute patients, and lives are at stake. This is the cyber war nobody wants to acknowledge.

Attribution is nearly impossible. Even when you know who attacked you, there's rarely closure for victims.

Leading through crisis. Zach shares how he kept his team together during months of remediation by staying calm on the outside, and knowing which team members could handle the pressure and which ones needed to stick to routine work. Sometimes the best leadership is just being that steady presence when everything else is chaos.

If you want to understand what really happens when ransomware strikes, this episode is required listening.

Available wherever you get your podcasts.

Zach's book "Locked Up" drops January 6th and is available for pre-order now: https://www.amazon.com/dp/1394357044

Mentioned:

Cyber Attack Suspected in German Woman’s Death

Chase Cunningham and cyber war

Transcript

Digital Vulnerabilities in Hospitals

00:00:00
Speaker
Yeah, it's definitely a lot more massive than I think people first give it credit for when they think about it, right? So you have a few layers there when an attack happens like that. You know, all of your medication is stored in a computer system now. Everything you've been on, every medical procedure you've had, who your doctors are, who your contacts are.
00:00:20
Speaker
Everything that's being done to you, when schedules are happening. And then aside from just you as the person, you also have the machines and the MRIs and scanners and CT scans. All these things are very computerized now.
00:00:31
Speaker
Those scans and those reports go right into another computer system that in a lot of cases is being analyzed by a computer system, or even an AI in some instances at this point. So all that stuff builds up your entire health background history, and doctors use that to figure out, you know, what might be happening, how medicines are going to play together, what next steps are in terms of when you're getting scheduled. If they can't do all that, they pretty much grind to a halt.

Welcome and Introduction of Zach Lewis

00:01:06
Speaker
Welcome back to Bare Knuckles and Brass Tacks. This is the tech podcast about humans. I'm George K. And I'm George. And today we have Zach Lewis, CIO and CISO, who is here to talk with us about the hospital system and university system he manages
00:01:24
Speaker
and the ransomware attack they endured. So I think a lot of people hear about ransomware attacks, AKA cyber attacks, AKA cyber incidents, when they're reading the news.
00:01:35
Speaker
But today we have a chance to really get into what that means at a human level, both for security teams, but also for you, the listeners, who might be patients of said hospital systems, and the implications of those attacks. This one was a really good interview.
00:01:51
Speaker
Yeah, I really appreciate that we're taking a really big kind of, I don't want to say cool, but interesting thing that people hear about all the time, but they don't actually really know what it means past the surface. They just know it's generally a bad thing.
00:02:08
Speaker
But now, you know, we've made it, I believe, with this interview, we've made it a little bit more real. We've explained to people kind of what it feels like, what people's responses naturally are. And, you know, I think through Zach's expertise and through his lived experience, we've kind of provided a blueprint for how folks who are listening to this, who may not be in security, may not even be in tech,
00:02:30
Speaker
how they should kind of logic through when something bad happens like

Ransomware Attack Experience

00:02:36
Speaker
ransomware. And first of all, what is ransomware? Even start with that. What happens if they are the victim of an attack, and how they kind of need to set their mind up in a way that they can get through it and hopefully actually not have, you know, long-lasting sustained damage to any of their digital infrastructure.
00:02:53
Speaker
I think that's pretty good value for the show. Yeah, absolutely. So Zach has a book coming out in January about this experience with the LockBit ransomware group, but we get into some details here. So enough of us. Let's turn it over to Zach.
00:03:14
Speaker
Zach Lewis, welcome to the show. Thanks, George. I appreciate it. It's been an honor to be here. We're excited to talk to you. For the benefit of our listeners, you are here to talk about a ransomware attack, but we're going to take a slightly different angle. We're going to explore a little bit of, you know, the impact that this has on society, because I think a lot of listeners probably see headlines as it relates to these attacks. And it's always just two lines in a news article, right? Right.
00:03:45
Speaker
But you lived through it and experienced it. And so why don't we just start at the beginning for the benefit of our audience. Just tell us kind of where you work, and just start at the beginning and we'll take it from there.
00:03:57
Speaker
Yeah, thanks. So I am the CIO, Chief Information Officer, and the Chief Information Security Officer for the University of Health Sciences and Pharmacy in St. Louis. I've been here about...
00:04:09
Speaker
10 years, give or take. And, you know, if we're talking about ransomware, a couple of years ago we experienced a ransomware attack. And I'll kind of pause there. I'll let you kind of guide with some questions. But where do you want to start with that?

Discovery and Immediate Response

00:04:24
Speaker
Yeah, so I guess for the listeners who do not work in cyber, you know, ransomware is when a malicious file comes into the system and essentially locks up and encrypts your files. So you just can't get to stuff that is needed for operations. So why don't you walk us through, I guess, the day, you know, how do you discover the attack? And then what does the subsequent response look like?
00:04:54
Speaker
Sure. So I got a call fairly early on the morning of the attack that some of our servers, some of our environment, wasn't available anymore. It had actually gone down.
00:05:05
Speaker
And we were at a point in our project and refresh cycle that we knew a lot of equipment needed to be refreshed, needed to be replaced with something new. They were kind of going end of life. And we thought with this crash that when they said end of life, it really meant end of life. Like this stuff's not going to run any longer. So we went into disaster recovery mode, trying to bring stuff back online, stand servers back up, turn them back on to get functioning.
00:05:31
Speaker
Only to come to find out, when I got in the systems and started looking at things, that there was a ransom note left in there by some threat actors. And that group, for those who care, was called LockBit.
00:05:42
Speaker
At the time, they were probably one of the largest and most prolific ransomware groups circa... They've since fallen off a little bit after the FBI did a takedown on them, but I've seen some recent articles that they're coming back and forming a cartel of sorts with various threat actor groups, so that's kind of interesting. But anyway, I find this ransomware note saying that, hey, we're the bad guys. We've gotten into your systems and we've encrypted them. And to your point, that means that the files needed to run certain things are now inaccessible to us. They're there, but we can't read them. We can't open them. We can't access them.
00:06:19
Speaker
And they had actually gone in and encrypted sort of the foundational system level, the root level, of our virtual environment. So those files couldn't be used to run our servers.
00:06:32
Speaker
And they were down. That's different than a lot of other ransomware, where they just come in and encrypt files, and you can open files like a Word document or a PDF.
00:06:43
Speaker
This was actual server files. So the servers couldn't run, and we couldn't get to anything there. And at that level, there's not a lot of security tools or platforms you can run to sort of protect that layer and detect when things are going wrong.
00:06:58
Speaker
Zach, so I have to ask though, and, you know, there's a process that's in place, and for folks who aren't part of the tech community or cyber community, typically speaking, CISOs and more mature organizations oftentimes will have protocols in place called an IRP, which is an incident response plan.
00:07:18
Speaker
An incident response plan is what happens when ransomware actually gets into the environment and begins initiating its action. So typically speaking, and Zach, I'd love to get kind of your experience based on research you did afterwards, because it's not always this case, but the typical approach is it will use a cryptographic locking mechanism to prevent you from being able to access the files in the various directories that it gets access into.
00:07:45
Speaker
Right. So oftentimes it'll move laterally between different drives. So go from your finance drive to your supply drive, to your operations drive, and it'll just work its way from there to try to take out your entire network or whatever it can access.
00:07:59
Speaker
And so for folks who kind of don't really work in the industry, your network will have different components and segments to it. So that's what we talk about with segmentation. And so trying to take a remediate action or respond to this attack as soon as you recognize the attack has taken hold, the earliest that you can actually get some kind of response, mitigation, mitigation being like an effort to counter the attack to get your systems back up and running,
00:08:29
Speaker
As soon as you can start doing that process, once you've realized the attack's in place, it's a better chance that you have of actually getting through the attack without it damaging business impact, whether you're at an academic institute or a hospital or an actual business.
00:08:45
Speaker
So with that context in play, did you already have a plan in place, and what was going through your mind when you had to make the call? Because typically it's the CISO who makes the call if there is one, if not then the CIO.
00:09:01
Speaker
When you said, yes, there is a breach. Yes, we're being impacted right now.

Incident Response Plan Activation

00:09:05
Speaker
What was your logic, and did you have a plan in place, and how did that look? Yeah. So immediately upon finding the ransomware note in, we call it our hypervisor, that literally claimed, hey, we're LockBit. We've encrypted your systems.
00:09:20
Speaker
We have your files. You need to go to this dark website where you can chat with us. Boom, we stopped troubleshooting at that point. We stopped disaster recovery. We activated an incident response plan that we have, which has steps in it in terms of who we're supposed to call, who we're notifying, what we're doing with systems, etc. So we activated that immediately.
00:09:42
Speaker
And upon that, I then went to a couple of our leadership team members, like our COO, our CFO, general counsel, president, and alerted them to what was going on. We need to get a quick group together.
00:09:54
Speaker
I was going to activate cyber insurance. It seems to be a pretty good first step for a lot of medium to small size, if not large size, companies and industries. And then I kind of just played it out from there and what they wanted to do. They brought in some incident responders for us. They brought in some forensics guys for us, and then we kind of worked together with those two teams to both rebuild and figure out root cause and where these threat actors kind of got in. That was our first step, but immediately stop troubleshooting. Don't reboot anymore. Don't mess with any systems. Don't take anything down. We might need that for forensics data.
00:10:28
Speaker
Now the question, sorry George, the question I ask is, did you guys have a business continuity and disaster recovery plan in place? And did you know, like, did you have the comfort of knowing your backups are current and that break-glass option is there?

Operational Impact of Cyber Attacks

00:10:45
Speaker
Yeah, so we had disaster recovery. We don't really call it business continuity in our case, but we do have a disaster recovery plan with various scenarios and steps on recovering for different things. And we had a pretty robust backup structure, and we could talk more about that. I think it was important for how we were able to recover, but we had a three-tier system, very similar to a grandfather-father-son sort of methodology behind that. But yeah.
00:11:11
Speaker
Just laying groundwork. George, sorry, go ahead. Yeah, I dig it. I dig it. I mean, you are the CISO after all. So let's get to a more human element here, the impact.
00:11:25
Speaker
So, Zach, I think when people read, they'll get a headline, right? Like, such and such hospital, you know, experiences cyber incident, cyber attack, the headlines kind of differ.
00:11:39
Speaker
Such and such operations down due to alleged cyber breach, whatever. Can you talk to our listeners about what exactly that means in a hospital context? And we'll get to sort of a larger story there. But I think people might think, well, you know, doctors see people in person, they walk through halls,
00:12:05
Speaker
like how much do they really need the computers? Can't they just write the notes down on paper? Right. So can you walk us through, what is the impact of an attack of this nature?
00:12:17
Speaker
So, yeah, it's definitely a lot more massive than I think people first give it credit for when they think about it. Right. So you have a few layers there when an attack happens like that. Hospital systems, academic systems, where we kind of
00:12:32
Speaker
play in both realms. We are a health sciences university where we're training people to be in the hospital system, where they go on rotation. But when you have that, you know, all of your medication is stored in a computer system now. Everything you've been on, every medical procedure you've had,
00:12:48
Speaker
Who are your doctors? Who are your contacts? You know, everything that's being done to you, when schedules are happening. And then aside from just you as the person, you also have the machines and the MRIs and scanners and CT scans. All these things are very computerized now, with those scans and those reports going right into another computer system that in a lot of cases is being analyzed by a computer system or even an AI in some instances at this point. So, you know, you have notes. Nurses are taking notes. They're going into your medical file.
00:13:20
Speaker
All that stuff builds up your entire health background history. And doctors use that to figure out, you know, what might be happening, how medicines are going to play together, what next steps are in terms of when you're getting scheduled. If they can't do all that, they pretty much grind to a halt until they can flip over into some other, you know,
00:13:42
Speaker
operating methodology. And we've seen a few instances where hospitals have had a cyber attack and they eventually did switch to handwritten notes to just start getting things churning. But it becomes very hard to even prescribe a prescription at that point, because all that goes through a computer system and talks to, you know, your Walgreens and your CVSs and your various pharmacies throughout the country. So it's all very interconnected, and it pretty much stops a hospital from operating in the traditional sense that you would think of.
00:14:14
Speaker
Yes. And to be very clear, there have been, you know, deaths associated with these attacks on hospitals because care cannot be delivered. And one instance in Germany was also because the emergency room could not receive. So they had to reroute an active cardiac patient, and that patient did not make it because they could not get to the hospital closest to them.
00:14:36
Speaker
Yeah. And I think we have a friend of the show, Chase Cunningham. He's been recently featured in a documentary, but his position has been that this is the cyber war that everyone talks about, right? We don't think about warfare as these ransomware groups or these others; we think of it as two armies sort of face to face. But if you think about the way cyberspace operates, which is borderless, this is an attack on critical infrastructure, which is a hospital, right?
00:15:08
Speaker
Yeah. So I appreciate, one, what you have been through, that you've documented it, and also helping illustrate this impact for our listeners, because like you said,
00:15:21
Speaker
A server is like an air traffic control system, right? The data goes from the MRI into some network and then is sent back out so somebody else can read those results and then get the results to you. You know, people are like, oh, the results will be emailed to you. Well, that all happens on the back end.
00:15:38
Speaker
And if that all comes down, for our listeners, I would like to say that is like tomorrow you have to only walk or bike to work. No cars work.
00:15:49
Speaker
No road systems work. It's not so easy to just go to handwritten operations. Anyway, back to you, George. Yeah. And kind of the way that I look at it as well, it's funny, because in the mainstream civilian world, they don't really see it as a war yet.
00:16:11
Speaker
But if you talk to anyone, and there's a lot of folks in industry, obviously, who are ex-military as well, especially folks who worked in this world within the services, we call it, you know, cyber war.
00:16:21
Speaker
There's a cyber theater of operations. I think, Zach, you would probably agree that the difference in the cyberspace is that, and this is kind of like my experience of it, and I'd love to see if you have a similar take as well.
00:16:38
Speaker
These threat actors could be nation state, or they could just be gangs, or they could just be teenagers. Because I'm pretty sure, for example, the Scattered Spider crew, I'm pretty sure there's a bunch of teenagers. A.K.A. Shiny Hunters, A.K.A. Lapsus, A.K.A. Yeah.
00:16:54
Speaker
So how then, knowing that the nature of the people who might be trying to go after you are actually global, and because of the way that the cyberspace works, anyone can actually individually target you specifically, whether they're an entire nation state or just a bunch of crooks.
00:17:14
Speaker
How then do you prepare your team and your organization, you know, through security culture that you're trying to drive? And you're in a very lucky seat being the CIO and CISO, so you have a little bit more sway and influence, I would hope.
00:17:29
Speaker
But how do you then prepare the organization for the day that something like this happens?

Building Security Awareness

00:17:34
Speaker
And then, you know, something like this has happened. How do you then figure out the lessons learned and then translate that into evolution and progress for the organization?
00:17:44
Speaker
Yeah. I'll touch on that in just a second. Before I get there, I just want to say also on the ransomware attacks, especially when they're, you know, nation states and these threat actor groups from other countries, attribution becomes next to impossible because we can't actually say who it is. And this is more for your listeners. You guys know this.
00:18:00
Speaker
But, you know, pinning who to blame is impossible. So in the instances of these deaths that they've seen in the hospital from a cyber attack, who are you going to go after? You know, you can't get that attribution. And then even if you can put a name to it, there's extradition laws. And sometimes we don't have those with, you know, places like Russia or China. So we're not even going to get that person to charge them or do anything with. And it becomes very difficult to, I don't know, get that, I'm not going to call it satisfaction, but like peace of mind. Like, hey, we got, you know, who caused this or how. Yeah, there's very little closure. Yeah, no closure. Yeah. Yeah.
00:18:38
Speaker
So, yeah, that's another problem. But to your original question, you know, it's interesting. So I talk to our board pretty regularly, I guess at least quarterly.
00:18:50
Speaker
And I talk to the leadership team quite often. I share different sorts of attacks. Usually if they're revolving around education, academics. Academics is probably the second, third, arguably, depending on where you're looking at, most targeted industry. So there's a plethora of attacks to share there, but just showing them. And I was doing this a little before the event and a lot after and since the event. But hey, these attacks have happened.
00:19:16
Speaker
This is what this school is doing. This is very common. Ransomware attacks are at, you know, this percent. It goes up every year. And we've heard the moniker, not if, but when. I don't like to labor that point because it's been around for so long, but I try not to lead with fear and disinformation and uncertainty, FUD, that sort of thing, in front of the leadership team and in front of the board. I just try to give the facts. Like, hey, this is almost a part of operating anymore. It's not comfortable, but that is sort of the reality of the situation, that this is likely going to happen. And I think a CISO's job
00:19:54
Speaker
perspective from a lot of different people who aren't in the security space is that, hey, we hired a CISO. We're not going to get breached anymore. There's not going to be a cyber threat. Like, this guy, that's his job. He's here. And if, you know, someone gets in, like,
00:20:08
Speaker
Is he doing his job? Right. And I think that perspective has to change some, and some understanding has to happen. Like, no, we're here for when that does happen, so you guys know how to respond and recover. That's kind of that sweet spot where we get into, and we're going to guide through that event. We don't want it to happen, but, you know, it's probably going to happen at some point.
00:20:30
Speaker
So, you know, I don't like the phrase security culture. I don't. There's some stuff around that. Just, you know, training those people to identify stuff. I just don't like it.
00:20:43
Speaker
I think there's stuff you do. You know, you might put up good email security. You tell people don't click on emails. That's super. That's great. Maybe come in and try to, you know, human compliance test different departments and teams to see if they're going to give away information or give up accounts. But yeah.
00:20:59
Speaker
At the end of the day, that's not what I'm going to hedge all my bets on. A lot of education, a lot of good practices. We want to be able to detect when a ransomware group or a threat actor or a cyber attack is occurring. We want to be able to respond quickly and stop that stuff from happening. But I think detection and response is way more important than a security culture sort of mindset.
00:21:23
Speaker
Hey listeners, we hope you're enjoying the start of season four with our new angle of attack, looking outside just cyber to technology's broader human impacts. If there's a burning topic you think we should address, let us know.
00:21:36
Speaker
Is the AI hype really a bubble about to burst? What's with romance scams? Or maybe you're thinking about the impact on your kids or have questions about what the future job market looks like for them.
00:21:48
Speaker
Let us know what you'd like us to cover. Email us at contact at bareknucklespod.com. And now back to the interview.
00:22:00
Speaker
And if I can ask then, you know, that's a fair critique. Let's explore that for a sec. Instead of security culture, would you then better define it as like,
00:22:12
Speaker
Security aware, not security, right, that's cheesy, but like security mindset. Like there has to be some kind of way to convey generalized knowledge and, you know, prioritization for, you know, maintaining good cyber hygienic practices.
00:22:28
Speaker
If you are any common member of the organization, how do you then label that? Sure. I mean, you can label it security awareness. You can label it security culture. I mean, the label is half a dozen. You know, it doesn't matter at the end of the day. I think what is important, I'll back up and say, you know, there was a time where people would say that there wasn't always a tech solution for a human problem, and you couldn't fix every human problem with a piece of technology. And I think now we're starting to get more and more into that area where you actually can do that in a lot of instances. And I look to AI without talking about AI. And I'll go back to my email example where...
00:23:10
Speaker
I mean, I think four years ago, probably, we were getting five, six, seven phishing emails that got through, you know, our traditional secure email gateway, SEG, and that people were interacting with. And it was like, how do you stop that? And we found something that was like a next-gen email sort of solution. And once we put that in, those things dried up. They were gone. We maybe get one that gets through a year now. And, you know, with email being one of the biggest attack vectors, we can just shut that down, and, you know, we'll still do the training and show you a phishing campaign and see if we can get people to click on them and tell them not to and what some good identifiers are.
00:23:50
Speaker
But if we can just keep it from happening in general, I think that's even better. And I'm leaning a little harder into that, to try to fix those problems from our biggest attack vectors and not let it happen. So that's not really a culture, but I guess it's more security preparedness, or security resilience, for the organization and how we're bringing that in.
00:24:16
Speaker
Yeah, let me return back to the human elements. That is, how are you doing? Can you walk us through the moment where you find that ransom note? Is that sort of just the cold sweat, oh shit moment?

Leadership in Crisis

00:24:30
Speaker
Or are you the type that just was like, okay, this is the reality, respond. And then, yeah, if you could talk us through not the technical recovery so much, but once you get this tied off, how are you dealing with it as the top of the IT and security organization?
00:24:48
Speaker
Yeah, I think for most CISOs, and I'm speaking very broadly here for a lot of different people, but when you encounter, when it's your company, and I'm not talking about when you're an MSP or an MSSP coming in and you work in multiple companies that don't directly pay you, but when it's the company you work for and you find that ransomware note after you've had a problem, you're going to get a feeling in your gut. Like you just do. You're like, that's going to sting. Like this is going to be...
00:25:14
Speaker
a pain, man. This is going to suck. And depending on, you know, how robust it is or how bad things are, it could be a very bad pain. But I remember getting that note.
00:25:26
Speaker
I informed our leadership team and I came back and I knew I had three important phone calls to make. So the first phone call I made was to our cyber insurance. Hey, we've had a ransomware attack. We need some help.
00:25:37
Speaker
And then I called my friend at the FBI who was going to put me in touch with CISA. We'll do the IC3 report, the whole thing. But like, hey, we've got a ransomware attack. I need some help. And then that third call was to my wife. And I was like, hey, we've had a ransomware attack.
00:25:50
Speaker
I'm probably going to be late, and this is going to suck for the next few weeks. Also, this could be a resume-generating event, depending on how things play out. So, you know, you might want to strap in. I really appreciate that candor. That's very real.
00:26:06
Speaker
Yeah, I mean, you've seen CISOs being fired for cyber attacks and data breaches that happened. I do think that's just starting to trend down, which is super and fantastic.
00:26:17
Speaker
It's terrible when that happens. People are looking for a scapegoat, but it does still occur, and it used to occur a lot more. So, again, human element, there's a lot of work that's going to go into it. You're going to have a lot of work, a lot of conversations.
00:26:32
Speaker
You're going to dig through a lot of stuff. At the same time, when you're investigating what happened, you're also trying to recover, you're trying to keep things operational. And then we spin over and you look at the human element of everyone else. So, you know, when do you tell everyone that there's been a cyber attack? When do you let them know that potentially their data has been taken? When do you let the public know, when do you let faculty, staff, and, you know, employees, students know? So there's a lot of conversation pieces of how that's going to affect others.
00:27:01
Speaker
And then if you do have, you know, sensitive data, whether it's social security numbers or medical information or whatever, released on certain people, that's a conversation too of, hey, not only was there a breach, but we lost information relevant to you, very personal to you.
00:27:17
Speaker
And we're going to make it right by giving you credit monitoring, right? Like, get excited. It's a very, very difficult conversation to have with people at times. Yes, I laugh because, here, I mean, this is a podcast so people can't see it, but here is my Change Healthcare credit monitoring notification in the mail.
00:27:39
Speaker
So can you talk a little bit about after you kind of tie it off, you get your systems back online. You know, I recognize in my experience talking with CISOs, usually there's this massive cortisol dump across the team. Like you can't just ride the adrenaline forever.
00:27:58
Speaker
What does that look like? Like, after the event, how did you sort of come to terms with it, or just talk through your experience there? Yes. You know, the remediation of these events and conclusion of these events can take a while. I think in our instance, you know, our attack happened in April and I think it was like mid-June, late June before we were kind of like buttoning everything up and really kind of concluding it all. So you have several months.
00:28:23
Speaker
We're running hot and heavy. And then when that finally ends, you see it coming. And when you finally get the final, like, you know, Department of Ed or whatever government regulatory body is finally like, all right, this case looks okay. We're going to, you know, we're closed up. We don't need any more information. It is a very large sigh of relief. You feel the weight off your shoulders, you kind of relax a little better, maybe even sleep a little better that night. But the work doesn't necessarily end there, right? So, you know, like, we've gotten everything recovered, we're good. Hey, board, everything's great, now we're rocking and rolling.
00:29:03
Speaker
But also I need some money to come in and put in some new stuff. We don't want this to happen again. Like, after that fire is the best time to go in for a quick influx of dollars to do something. So, you know, fire up some projects after that, get a sigh of relief, but then ramp back up and get going. Right.
00:29:22
Speaker
Yeah, sure. Sure.
00:29:56
Speaker
Mm-hmm.
00:30:13
Speaker
Yeah. I actually talk a little about this in the book that I have coming out, but specifically around that, I think as the leader, as the CIO or the CISO or whoever you are in regards to this, I mean, you are the leader, you're the figurehead. So you have to keep your stuff together.
00:30:32
Speaker
And, you know, have a plan. So you come out, you know, you don't freak out. Don't be like, I got to quit. This is terrible. This is the end of the world. Like, you need to realize, like, this happens, I'm going to work through it, I'm going to get the team to work through it, and you keep that calm sort of demeanor, like, it's all right, we're going to get through this sort of thing. Very stoic, if you will. And I very much enjoy the stoic practices, so I think if you can find deep within you whatever little amount of stoicism that you understand or realize, like, keep that calm presence and have a plan. You know, if you have an incident response plan, super.
00:31:09
Speaker
Follow it. Obviously, there's going to be some deviations at times, but, you know, having a good plan beforehand and being able to reference that super helps you understand, like, oh, I have the next decision already planned for, because, you know, you got a lot going on in your head. There's a lot going on around you. If you can take a couple of those decisions away and just put it on a piece of paper that you read, like, hey, Zach, do this next.
00:31:32
Speaker
It's like, oh, OK, well, clearly, when I was in a better headspace, I said, this is what I'm supposed to do. I should probably follow it. So, you know, be an emotional mess on the inside if you want to be. I mean, I don't know how everybody operates, but on the outside, you need to be that calm, cool leader that people are going to turn to. And then, you know, you give them work, like everyone's going to get a little bit more work there. But keep in mind, like, watch people. You just need to understand and know your team in some way, as much as you can. I get some people have huge teams, but, like, you kind of understand the human element. So I'm like, is this guy cracking over here? Maybe don't throw him a ton of extra forensic work or server rebuilds or whatever that might be. There were people on my team who...
00:32:16
Speaker
I mean, I had one guy in particular, I was like, I just can't have him doing things. He is not going to handle this. Like, I'm going to put him on, like, everyday normal work that other people might have to do so they can do other stuff. Because if he gets involved here, he's going to crack and it's not going to work. So you just got to really know your team and give them what they can handle.
00:32:38
Speaker
Yeah. Yeah. Yeah. That's amazing. Zach, one of the things that I have tried to do, you know,
00:32:52
Speaker
my mom gets a breach notification notice in the mail and I have to, like, explain that, no, they didn't steal this insurance money. It's like the insurance company uses this software and this software, you know, like, I try to explain all this stuff that we take for granted in the industry.

Advice on Cyber Threats

00:33:09
Speaker
The other thing that I try to help people understand is, you know, we understand that ransomware groups are highly organized. It's a business. That's a great question. You know, ransomware, as I mentioned earlier, is almost unfortunately like a part of life, a part of operating a business anymore, it seems like. And it's been documented. They're super polite. They're like, please make your payment. There's a very fair to very good chance that your data has already been breached in some sort of data breach ransomware attack and is probably out there, you know.
00:33:41
Speaker
I'll be frank with you, your social security number, phone number, your email, name, your address, all that stuff is probably sitting out there to be purchased for about five cents right now from a dark website. And likely some of your medical history too. I think they're,
00:34:00
Speaker
steps you should take knowing that. That's where, likely, the cyber, you know, takeaway from a lot of these attacks is: they happen and the companies come out and say, hey, we haven't seen any indication that the data's been used yet. It's like, okay, well, maybe they wait with that six months or a year or two years. Like, you don't really know. So, again, watch accounts that get opened in your name, freeze your credit. You know, there's a bunch of things sort of like that. Do MFA on your accounts, a handful of things that are good practice for the everyday person to do in anticipation of stopping, you know, anything from that, like that happening, anything negative happening from those attacks, because you can't really do anything from the company level to stop it, because your data is going into so many systems and so many places all the time.
00:34:49
Speaker
And there's just going to be a breach. So realize it. I think, you know, you mentioned your mom getting a note in the mail about credit monitoring. My mother also got a note in the mail about credit monitoring this week and gave me a call about it.
00:35:02
Speaker
And I even told her, I was like, you know, I don't know. I don't remember necessarily this cyber attack, mom, because there's so many. I will have to Google it, because also I'm like, are people sending out fake letters and sending, you know, everyday people to sites that aren't real and having them put in their information and causing another... like, there's so many layers to think about. And it was like, let me look it up. Okay, this is real. Yeah, you could probably do that. Like, send me a picture of the letter. Like, I guess this one's legit. There's been so many. Get your next batch of credit monitoring. But,
00:35:38
Speaker
Yeah, again, those were: freeze your credit, you know, watch your accounts, see what's being opened under your name. I've seen people who've filed taxes and figured out, hey, my tax return's already been filed for me this year. And it's crazy. There's so many layers of that where it could be months before we even know that, you know, they've taken that data to use it for anything.
00:36:00
Speaker
That gives me, like, one, I think, generalized piece of advice for our audience, now you bring that up, that a lot of folks do and it's kind of embarrassing, they don't realize. But if you do have an email that you think is a phish, or even an SMS, but mostly email, and it's got live links to malicious sites, don't just continue pushing the email. Like, the amount of people that just forward me an email, it's like, this is a live phish. Like, now you're just propagating it through the environment.
00:36:31
Speaker
And you're like, just send us a screenshot. Like, honestly, we can see it. We monitor the email server. I don't know if you ever experienced that, but it's like these little things sometimes that people do when they don't understand. And when we talk about mom, my mom's favorite thing is, like, she'll get weird stuff in, like, Facebook Messenger or whatever. And like, it's really phishing.
00:36:51
Speaker
And she'll send me the thing and just be like, is this real or not? And I'm like, stop sending viruses to... but
00:37:00
Speaker
Yeah, I think that I've seen, like, my phone. Goddamn. It's like fake job stuff all the time. And now there's this new tactic where they will group text, right? Like 40 random numbers and you're just one.
00:37:17
Speaker
What they're counting on is somebody replying. Because once you reply to the number, you have validated it. And then they sort of, like, they're like a legit entity.
00:37:27
Speaker
And I've tried to tell people, like, don't. You think you're having fun with the scammer? Like, you want to have this funny back and forth? Like, you have now legitimized the number and the system. But if you, that's the reason we have the report junk in Gmail, you have report phishing.
00:37:42
Speaker
I want to encourage people, the more they do that, you teach the machine learning on the backend, you know, block this whole thing, you know, so do not engage, report. Like, that's the tip.
00:37:55
Speaker
going to have fun there for a second playing with that, you know, person who's spamming you. But now you're going to get, like, 15 new people to start spamming you. So get excited for all those messages that are going to come in. You know, those attacks, you know, you think about them and it's like,
00:38:09
Speaker
how does this work? Like, I'm smarter than the average person. I'm not going to fall for this, but they wouldn't keep doing it if it didn't work. This is probably very culturally related, at least in the States and maybe Canada too, but we are a people of do things right now. We always rush. We're always in a hurry. We're trying to get things done quickly. So when you see that and it's like, hey, gotta do this right now. Oh, okay, I better go. And people don't slow down and just think about it. Like, if you really just stop and think,
00:38:39
Speaker
This doesn't make sense. That's what you need to do. Like, just take a breath, man. Really think about what's being asked of you. You can mitigate a lot by just pausing. Yes. Like, creating friction, like just a two second pause for the neocortex to take over from the reptile brain and help that decision making.
00:39:01
Speaker
Zach, I think we could talk about this honestly all day, because of the amount of human error that gets driven by just incomplete thinking. I think, well, you did write a book about it.
00:39:13
Speaker
If you could, before we close off, we're going to

Upcoming Book: 'Locked Up'

00:39:17
Speaker
end off the episode. What's the name of your book and how can people get it? Yeah, so the book is called Locked Up. There's a very long subtitle, which I won't bore you with, but Locked Up, and it's called Locked Up because we dealt with LockBit, the threat actor group, right? And you can find that on Amazon, Barnes & Noble, Books-A-Million. You know, wherever books are sold. It drops January 6th. It is available for pre-order.
00:39:39
Speaker
Right now, there's some cool pre-order incentives if you get in there and let me know about it. But yeah, go out, take a look. I'm looking forward to it. Audio is going to drop as well, so enjoy. Well, from one CISO to another, and on behalf of George as well, thank you for sharing your time with us today. That was really educational. I hope we get a chance to talk to you again sometime soon.
00:39:59
Speaker
Yeah. Thanks, guys. I appreciate it. It was awesome. Thank you very much.
00:40:05
Speaker
If you like this conversation, share it with friends and subscribe wherever you get your podcasts for a weekly ballistic payload of snark, insights, and laughs. New episodes of Bare Knuckles and Brass Tacks drop every Monday.
00:40:18
Speaker
If you're already subscribed, thank you for your support and your swagger. Please consider leaving a rating or a review. It helps others find the show. We'll catch you next week, but until then, stay real.