
What a Ransomware Attack on a Hospital Really Means (Audio Issue Fixed)

Bare Knuckles and Brass Tacks

RE-ISSUE: This recording corrects for an audio overlap problem in the previous version of this interview at the 28:00 mark.

Zach Lewis, CIO/CISO at University of Health Sciences and Pharmacy in St. Louis, joins the show to talk about his experience with a ransomware attack by the LockBit group.

Zach takes us beyond the technical recovery into territory most people don't talk about: the gut-punch moment of finding the ransom note and the months of running on pure adrenaline while keeping his team from cracking under pressure.

Key takeaways from our conversation:

The human toll matters. When hospital systems go down, it's not just inconvenient. People can't get medications, emergency rooms have to reroute patients, and lives are at stake. This is the cyber war nobody wants to acknowledge.

Attribution is nearly impossible. Even when you know who attacked you, there's rarely closure for victims.

Leading through crisis. Zach shares how he kept his team together during months of remediation by staying calm on the outside, and knowing which team members could handle the pressure and which ones needed to stick to routine work. Sometimes the best leadership is just being that steady presence when everything else is chaos.

If you want to understand what really happens when ransomware strikes, this episode is required listening.

Available wherever you get your podcasts.

Zach's book "Locked Up" drops January 6th and is available for pre-order now: https://www.amazon.com/dp/1394357044

Mentioned:

Cyber Attack Suspected in German Woman’s Death

Chase Cunningham and cyber war

Transcript

Digital Dependency in Healthcare

00:00:00
Speaker
Yeah, it's definitely a lot more massive than I think people first give it credit for when they think about it, right? So you have a few layers there when an attack happens like that. You know, all of your medication is stored in a computer system now. Everything you've been on, every medical procedure you've had, who your doctors are, who your contacts are.
00:00:20
Speaker
Everything that's being done to you, when schedules are happening. And then aside from just you as the person, you also have the machines, the MRIs and scanners and CT scans. All these things are very computerized now.
00:00:31
Speaker
Those scans and those reports go right into another computer system that in a lot of cases is being analyzed by a computer system, or even an AI in some instances at this point. So all that stuff builds up your entire health background history, and doctors use that to figure out, you know, what might be happening, how medicines are going to play together, what next steps are in terms of when you're getting scheduled. If they can't do all that, they pretty much grind to a halt.

Podcast Introduction and Guest

00:01:06
Speaker
Welcome back to Bare Knuckles and Brass Tacks. This is the tech podcast about humans. I'm George K. And I'm Jorday. And today we have Zach Lewis, CIO and CISO, who is here to talk with us about the hospital system and university system he manages.
00:01:24
Speaker
and the ransomware attack they endured. So I think a lot of people hear about ransomware attacks, AKA cyber attacks, AKA cyber incidents, when they're reading the news.
00:01:35
Speaker
But today we have a chance to really get into what that means at a human level, both for security teams, but also for you, the listeners, who might be patients of said hospital systems, and the implications of

Ransomware's Impact on Healthcare

00:01:48
Speaker
those attacks. This one was a really good interview.
00:01:51
Speaker
Yeah, I really appreciate that we're taking a really big kind of, and I don't want to say cool, but interesting thing that people hear about all the time, but they don't actually really know what it means past the surface. They just know it's generally a bad thing.
00:02:08
Speaker
But now, you know, we've made it, I believe, with this interview, we've made it a little bit more real. We've explained to people kind of what it feels like, what people's responses naturally are. And, you know, I think through Zach's expertise and through his lived experience, we've kind of provided a blueprint for how folks who are listening to this who may not be in security, may not even be in tech,
00:02:30
Speaker
how they should kind of logic through when something bad happens like ransomware. And first of all, what is ransomware? Even start with that. What happens if they are the victim of an attack, and how they kind of need to set their mind up in a way that they can get through it and hopefully actually not have, you know, long-lasting, sustained damage to any of their digital infrastructure.
00:02:53
Speaker
I think that's pretty good value for the show. Yeah, absolutely. So Zach has a book coming out in January about this experience with the LockBit ransomware group, but we get into some details here. So enough of us. Let's turn it over to Zach.

Discovery of the Attack: A First-Person Account

00:03:14
Speaker
Zach Lewis, welcome to the show. Thanks, George. I appreciate it. It's been an honor to be here. We're excited to talk to you. For the benefit of our listeners, you are here to talk about a ransomware attack, but we're going to take a slightly different angle.
00:03:30
Speaker
We're going to explore a little bit of the impact that this has on society, because I think a lot of listeners probably see headlines as it relates to these attacks. And it's always just two lines in a news article, right?
00:03:45
Speaker
But you lived through it and experienced it. And so why don't we just start at the beginning for the benefit of our audience. Just tell us kind of where you work, and just start at the beginning and we'll take it from there.
00:03:57
Speaker
Yeah, thanks. So I am the CIO, Chief Information Officer, and the Chief Information Security Officer for the University of Health Sciences and Pharmacy in St. Louis. I've been here about...
00:04:09
Speaker
10 years, give or take. And, you know, if we're talking about ransomware, a couple of years ago we experienced a ransomware attack. And I'll kind of pause there. I'll let you kind of guide with some questions. But where do you want to start with that?

Ransomware Mechanisms and Initial Response

00:04:24
Speaker
Yeah, so I guess for the listeners who do not work in cyber, you know, ransomware is when a malicious file comes into the system and essentially locks up and encrypts your files. So you just can't get to stuff that is needed for operations. So why don't you walk us through, I guess, the day, you know, how do you discover the attack? And then what does the subsequent response look like?
00:04:54
Speaker
Sure. So I got a call fairly early on the morning of the attack that some of our servers, some of our environment, wasn't available anymore. It had actually gone down.
00:05:05
Speaker
And we were at a point in our project and refresh cycle that we knew a lot of equipment needed to be refreshed, needed to be replaced with something new. They were kind of going end of life. And we thought with this crash that when they said end of life, it really meant end of life. Like, this stuff's not going to run any longer. So we went into disaster recovery mode, trying to bring stuff back online, stand servers back up, turn them back on to get functioning.
00:05:31
Speaker
Only to come to find out, when I got in the systems and started looking at things, that there was a ransom note left in there by some threat actors. And that group, for those who care, was called LockBit
00:05:42
Speaker
at the time. They were probably one of the largest and most prolific ransomware groups, circa 2022, 2023. They've since fallen off a little bit after the FBI did a takedown on them, but I've seen some recent articles that they're coming back and forming a cartel of sorts with various threat actor groups, so that's kind of interesting. But anyway, I find this ransomware note saying that, hey, we're the bad guys. We've gotten into your systems and we've encrypted them. And to your point, that means that the files needed to run certain things are now inaccessible to us. They're there, but we can't read them. We can't open them. We can't access them.
00:06:19
Speaker
And they had actually gone in and encrypted sort of the foundational system level, the root level of our virtual environment. So those files couldn't be used to run our servers,
00:06:32
Speaker
and they were down. That's different than a lot of other ransomware where they just come in and encrypt files you can open, like a Word document or a PDF.
00:06:43
Speaker
This was actual server files. So the servers couldn't run, and we couldn't get to anything there. And at that level, there's not a lot of security tools or platforms you can run to protect that layer and detect when things are going wrong.

Activating the Incident Response Plan

00:06:58
Speaker
Zach, so I have to ask though, and, you know, there's a process that's in place, and for folks who aren't part of the tech community or cyber community, typically speaking, CISOs in more mature organizations oftentimes will have protocols in place called an IRP, which is an incident response plan.
00:07:18
Speaker
An incident response plan is what happens when ransomware actually gets into the environment and begins initiating its action. So typically speaking, and Zach, I'd love to get kind of your experience based on research you did afterwards, because it's not always this case, but the typical approach is it will use a cryptographic locking mechanism to prevent you from being able to access the files in the various directories that it gets access into.
00:07:45
Speaker
Right. So oftentimes it'll move laterally between different drives. So go from your finance drive to your supply drive to your operations drive, and it'll just work its way from there to try to take out your entire network, or whatever it can access.
00:07:59
Speaker
And so for folks who don't really work in the industry, your network will have different components and segments to it. So that's what we talk about with segmentation. And so trying to take a remediation action or respond to this attack as soon as you recognize the attack has taken hold, the earliest that you can actually get some kind of response, mitigation, mitigation being an effort to counter the attack to get your systems back up and running,
00:08:29
Speaker
as soon as you can start doing that process, once you've realized the attack's in place, the better chance you have of actually getting through the attack without damaging business impact, whether you're at an academic institute or a hospital or an actual business.
00:08:45
Speaker
So with that context in play, did you already have a plan in place, and what was going through your mind when you had to make the call? Because typically it's the CISO who makes the call, if there is one, if not then the CIO.
00:09:01
Speaker
When you said, yes, there is a breach, yes, we're being impacted right now. What was your logic, and did you have a plan in place, and how did that look? Yeah. So immediately upon finding the ransomware note in, we call it our hypervisor, that literally claimed, hey, we're LockBit. We've encrypted your systems.
00:09:20
Speaker
We have your files. You need to go to this dark website where you can chat with us. Boom, we stopped troubleshooting at that point. We stopped disaster recovery. We activated an incident response plan that we have, which has steps in it in terms of who we're supposed to call, who we're notifying, what we're doing with systems, etc. So we activated that immediately.
00:09:42
Speaker
And upon that, I then went to a couple of our leadership team members, like our COO, our CFO, general counsel, president, and alerted them to what was going on. We need to get a quick group together.
00:09:54
Speaker
I was going to activate cyber insurance. It seems to be a pretty good first step for a lot of medium to small size, if not large size, companies and industries. And then kind of just played it out from there and what they wanted to do. They brought in some incident responders for us. They brought in some forensics guys for us, and then we kind of worked together with those two teams to both rebuild and figure out root cause and where these threat actors kind of got in. That was our first step, but immediately stop troubleshooting. Don't reboot anymore. Don't mess with any systems. Don't take anything down. We might need that for forensics data.

Operational Disruptions in Hospitals

00:10:28
Speaker
Now the question, sorry George, the question I'd ask is, did you guys have a business continuity and disaster recovery plan in place? And did you have the comfort of knowing your backups are current and that break-glass option is there?
00:10:45
Speaker
Yeah, so we had disaster recovery. We don't really call it business continuity in our case, but we do have a disaster recovery plan with various scenarios and steps on recovering from different things. And we had a pretty robust backup structure, and we could talk more about that. I think it was important for how we were able to recover, but we had a three-tier system, very similar to also a grandfather-father-son sort of methodology behind that. But yeah.
00:11:11
Speaker
Just laying groundwork. George, sorry, go ahead. Yeah, I dig it. I dig it. I mean, you are the CISO, after all. So let's get to a more human element here, the impact.
00:11:25
Speaker
So, Zach, I think when people read, they'll get a headline, right? Like, such and such hospital, you know, experiences cyber incident, cyber attack, the headlines kind of differ.
00:11:39
Speaker
Such and such operations down due to alleged cyber breach, whatever. Can you talk to our listeners about what exactly that means in a hospital context?
00:11:53
Speaker
And we'll get to sort of a larger story there. But I think people might think, well, you know, doctors see people in person, they walk through halls,
00:12:05
Speaker
like how much do they really need the computers? Can't they just write the notes down on paper? Right. So can you walk us through, what is the impact of an attack of this nature?
00:12:17
Speaker
So, yeah, it's definitely a lot more massive than I think people first give it credit for when they think about it. Right. So you have a few layers there when an attack happens like that. Hospital systems, academic systems, where we kind of
00:12:32
Speaker
play in both realms, because we are a health sciences university and we're training people to be in the hospital system where they go on rotation. But when you have that, you know, all of your medication is stored in a computer system now. Everything you've been on, every medical procedure you've had, who your doctors are, who your contacts are. You know, everything that's being done to you, when schedules are happening. And then aside from just you as the person, you also have the machines and the MRIs and scanners and CT scans. All these things are very computerized now, with those scans and those reports going right into another computer system that in a lot of cases is being analyzed by a computer system, or even an AI in some instances at this point. So...
00:13:15
Speaker
You know, you have notes. Nurses are taking notes. They're going into your medical file. All that stuff builds up your entire health, sort of, you know, background history.
00:13:27
Speaker
And doctors use that to figure out, you know, what might be happening, how medicines are going to play together, what next steps are in terms of when you're getting scheduled. If they can't do all that, they pretty much grind to a halt until they can flip over into some other, you know,
00:13:42
Speaker
operating methodology. And we've seen a few instances where hospitals have had a cyber attack and they eventually did switch to handwritten notes to just start getting things churning. But it becomes very hard to even prescribe a prescription at that point, because all that goes through a computer system and talks to, you know, your Walgreens and your CVSs and your various pharmacies throughout the country. So all very interconnected. Pretty much stops a hospital from operating in the traditional sense that you would think of.

Cyber Attacks as Modern Warfare

00:14:14
Speaker
Yes. And to be very clear, there have been, you know, deaths associated with these attacks on hospitals because care cannot be delivered. And one instance in Germany was also because the emergency room could not receive. So they had to reroute an active cardiac patient, and that patient did not make it because they could not get to the hospital closest to them.
00:14:36
Speaker
Yeah. And I think we have a friend of the show, Chase Cunningham. He's been recently featured in a documentary, but his position has been that this is the cyber war that everyone talks about, right? We don't think about warfare as these ransomware groups or these others; we think of it as two armies sort of face to face. But if you think about the way cyberspace operates, which is borderless, this is an attack on critical infrastructure, which is a hospital, right?
00:15:08
Speaker
Yeah. So I appreciate, one, what you have been through, that you've documented it, and also helping illustrate this impact for our listeners, because like you said,
00:15:21
Speaker
a server is like an air traffic control system, right? The data goes from the MRI into some network and then is sent back out so somebody else can read those results and then get the results to you. You know, people are like, oh, the results will be emailed to you. Well, that all happens on the back end, and if that all comes down, for our listeners I would like to say that is like tomorrow you have to only walk or bike to work. No cars work.
00:15:49
Speaker
No road systems work. It's not so easy to just go to handwritten operations. Anyway, back to you, George. Yeah. And kind of the way that I look at it as well, it's funny because in the mainstream civilian world, they don't really see it as a war yet.
00:16:11
Speaker
But if you talk to anyone, and there's a lot of folks in industry, obviously, who are ex-military as well, especially folks who worked in this world within the services, we call it, you know, cyber war.
00:16:21
Speaker
There's a cyber theater of operations. I think, Zach, you would probably agree that the difference in the cyberspace is that, and this is kind of my experience of it, and I'd love to see if you have a similar take as well.
00:16:38
Speaker
These threat actors could be a nation state, or they could just be gangs, or they could just be teenagers. Because I'm pretty sure, for example, the Scattered Spider crew, I'm pretty sure there's a bunch of teenagers. A.K.A. ShinyHunters, A.K.A. Lapsus$, A.K.A. Yeah.
00:16:54
Speaker
So how then, knowing that the nature of the people who might be trying to go after you are actually global, and because of the way that cyberspace works, anyone can actually individually target you specifically, whether they're an entire nation state or just a bunch of crooks,
00:17:14
Speaker
how then do you prepare your team and your organization, you know, through the security culture that you're trying to drive? And you're in a very lucky seat being the CIO and CISO, so you have a little bit more sway and influence, I would hope.
00:17:29
Speaker
But how do you then prepare the organization for the day that something like this happens? And then, you know, something like this has happened. How do you then figure out the lessons learned and then translate that into evolution and progress for the organization?
00:17:44
Speaker
Yeah. I'll touch on that in just a second. Before I get there, I just want to say also on the ransomware attacks, especially when they're, you know, nation states and these threat actor groups from other countries, attribution becomes next to impossible because we can't actually say who it is. And this is more for your listeners. You guys know this.
00:18:00
Speaker
But, you know, pinning down who to blame is impossible. So in the instances of these deaths that they've seen in the hospital from a cyber attack, who are you going to go after? You know, you can't get that attribution. And then even if you can put a name to it, there's extradition laws. And sometimes we don't have those with, you know, places like Russia or China. So we're not even going to get that person to charge them or do anything with. And it becomes very difficult to, I don't know, get that, I'm not going to call it satisfaction, but like peace

Security Awareness and Misconceptions

00:18:32
Speaker
of mind. Like, hey, we got, you know, who caused this or how. Yeah, there's very little closure. Yeah, no closure. Yeah. Yeah.
00:18:38
Speaker
So yeah, that's another problem. But to your original question, you know, it's interesting. So I talk to our board pretty regularly, I guess at least quarterly.
00:18:50
Speaker
And I talk to the leadership team quite often. I share different sorts of attacks, usually if they're revolving around education. Academics is probably the second, third, arguably, depending on where you're looking at, most targeted industry. So there's a plethora of attacks to share there, but just showing them. And I was doing this a little before the event and a lot after and since the event. But, hey, these attacks have happened.
00:19:16
Speaker
This is what this school is doing. This is very common. Ransomware attacks are at, you know, this percent. It goes up every year. And we've heard the moniker, not if, but when. I don't like to labor that point because it's been around for so long. But I try not to lead with fear and disinformation and uncertainty, with, you know, FUD, that sort of thing, in front of the leadership team and in front of the board. I just try to give them the facts. Like, hey, this is almost a part of operating anymore. It's not comfortable, but that is sort of the reality of the situation, that this is likely going to happen.
00:19:50
Speaker
And I think a CISO's job, from the perspective of a lot of different people who aren't in the security space, is that, hey, we hired a CISO. We're not going to get breached anymore.
00:20:01
Speaker
There's not going to be a cyber threat. Like, this guy, that's his job. He's here. And if, you know, someone gets in, is he doing his job? Right. And I think that perspective has to change some, and some understanding has to happen. Like, no, we're here for when that does happen, so you guys know how to respond and recover. That's kind of that sweet spot where we get into, and we're going to guide through that event. We don't want it to happen, but, you know, it's probably going to happen at some point.
00:20:30
Speaker
So, you know, I don't like the phrase security culture. There's some stuff around that. Just, you know, training those people to identify stuff. I just don't like it.
00:20:43
Speaker
I think there's stuff you do. You know, you might put up good email security. You tell people, don't click on emails. That's super. That's great. Maybe come in and try to, you know, human compliance test different departments and teams to see if they're going to give away information or give up accounts. But,
00:20:59
Speaker
at the end of the day, that's not what I'm going to hedge all my bets on. A lot of education, a lot of good practices. We want to be able to detect when a ransomware group or a threat actor or a cyber attack is occurring. We want to be able to respond quickly and stop that stuff from happening. But I think detection and response is way more important than a security culture sort of mindset.
00:21:23
Speaker
Hey listeners, we hope you're enjoying the start of season four with our new angle of attack looking outside just cyber to technology's broader human impacts.

Season Four Themes: Technology's Human Impact

00:21:32
Speaker
If there's a burning topic you think we should address, let us know.
00:21:36
Speaker
Is the AI hype really a bubble about to burst? What's with romance scams? Or maybe you're thinking about the impact on your kids or have questions about what the future job market looks like for them.
00:21:48
Speaker
Let us know what you'd like us to cover. Email us at contact at bareknucklespod.com. And now back to the interview. And if I can ask then, you know, and that's a fair critique. Let's explore that for a sec.
00:22:05
Speaker
Instead of security culture, would you then better define it as, like, security aware, not security aware, that's cheesy, but like security mindset.
00:22:16
Speaker
Like there has to be some kind of way to convey generalized knowledge and, you know, prioritization for, you know, maintaining good cyber hygiene practices if you are any common member of the organization. How do you then label that?
00:22:33
Speaker
Sure. I mean, you can label it security awareness. You can label it security culture. I mean, the label is six of one, half a dozen of the other. You know, it doesn't matter at the end of the day. I think what is important, I'll back up and say, you know, there was a time where people would say that there wasn't always a tech solution for a human problem, and you couldn't fix every human problem with a piece of technology. And I think now we're starting to get more and more into that area where you actually can do that in a lot of instances. And I look to AI without talking about AI. And I'll go back to my email example where...
00:23:10
Speaker
I mean, I think four years ago, probably, we were getting five, six, seven phishing emails that got through, you know, our traditional secure email gateway, SEG, and that people were interacting with. And it was like, how do you stop that? And we found something that was like a next-gen email sort of solution. And once we put that in, those things dried up. They were gone. We maybe get one that gets through a year now. And, you know, with email being one of the biggest attack vectors, we can just shut that down. And, you know, we'll still do the training and show you a phishing campaign and see if we can get people to click on them and tell them not to, and what some good identifiers are.
00:23:50
Speaker
But if we can just keep it from happening in general, I think that's even better. And I'm leaning a little harder into that to try to fix those problems from our biggest attack vectors and not let it happen. So that's not really a culture, but I guess it's more security preparedness, security resilience, for the organization and how we're bringing that in.
00:24:16
Speaker
Yeah, let me return back to the human

Personal Account of Managing the Crisis

00:24:21
Speaker
elements. How are you doing? Can you walk us through the moment where you find that ransom note? Is that sort of just the cold sweat, oh shit moment? Or are you the type that just was like, OK, this is the reality, respond. And then, yeah, if you could talk us through not the technical recovery so much, but once you get this tied off, how are you dealing with it as the top of the IT and security organization?
00:24:48
Speaker
Yeah, I think for most CISOs, and I'm speaking very broadly here for a lot of different people, but when you encounter, when it's your company, and not like you're an MSP or an MSSP coming in and you work with multiple companies that don't directly pay you, but when it's the company you work for and you find that ransomware note after you've had a problem, you're going to get a feeling in your gut. You just do. You're like, that's going to sting. This is going to be...
00:25:14
Speaker
a pain, man, this is going to suck. And depending on, you know, how robust it is or how bad things are, it could be a very bad pain. But I remember getting that note.
00:25:26
Speaker
I informed our leadership team and I came back, and I knew I had three important phone calls to make. So the first phone call I made was to our cyber insurance. Hey, we've had a ransomware attack. We need some help.
00:25:37
Speaker
And then I called my friend at the FBI, who was going to put me in touch with CISA. We'll do the IC3 report, the whole thing. But, hey, we've got a ransomware attack. I need some help. And then that third call was to my wife. And I was like, hey, we've had a ransomware attack.
00:25:50
Speaker
I'm probably going to be late and this is going to suck for the next few weeks. Also, this could be a resume-generating event, depending on how things play out. So, you know, you might want to strap in. I really appreciate that candor. That's very real.
00:26:06
Speaker
Yeah, I mean, you've seen CISOs being fired for cyber attacks and data breaches that happened. I do think that's just starting to trend down, which is super and fantastic.
00:26:17
Speaker
It's terrible when that happens. People are looking for a scapegoat, but it does still occur, and it used to occur a lot more. So, again, human element, there's a lot of work that's going to go into it. You're going to have a lot of work, a lot of conversations.
00:26:32
Speaker
You're going to dig through a lot of stuff. At the same time, when you're investigating what happened, you're also trying to recover, you're trying to keep things operational. And then we spin over and you look at the human element of everyone else. So, you know, when do you tell everyone that there's been a cyber attack? When do you let them know that potentially their data has been taken? When do you let the public know, when do you let faculty, staff, and, you know, employees, students know? So there's a lot of conversation pieces of how that's going to affect others.
00:27:01
Speaker
And then if you do have, you know, sensitive data, whether it's Social Security numbers or medical information or whatever, released on certain people, that's a conversation too, of, hey, not only was there a breach, but we lost information relevant to you, very personal to you.
00:27:17
Speaker
And we're going to make it right by giving you credit monitoring, right? Like, get excited. It's a very, very difficult conversation to have with people at times. Yes, I laugh because, here, I mean, this is a podcast so people can't see it, but here is my Change Healthcare credit monitoring notification in the mail.

Aftermath and Security Opportunities

00:27:39
Speaker
So can you talk a little bit about after you kind of tie it off, you get your systems back online? You know, I recognize in my experience talking with CISOs, usually there's like this massive cortisol dump across the team. Like you can't just sort of ride the adrenaline forever.
00:27:58
Speaker
What does that look like? Like after the event, how did you sort of come to terms with it, or just talk through your experience there? Yes, you know, the remediation of these events and conclusion of these events can take a while. I think in our instance, you know, our attack happened in April, and I think it was like mid-June, late June, before we were kind of like buttoning everything up and really kind of concluding it all. So you have several months where you're just running hot and heavy.
00:28:25
Speaker
And then when that finally ends, you see it coming. But when you finally get the final, like... you know, Department of Ed or whatever government regulatory body is finally like, all right, this case looks okay. We're going to, you know, we're closed up. We don't need any more information. It is a very large sigh of relief. You feel the weight off your shoulders. You kind of relax a little better. Maybe even sleep a little better that night. But,
00:28:53
Speaker
yeah, the work doesn't necessarily end there, right? So, like, we've gotten everything recovered. We're good. Hey, board, everything's great now. We're rocking and rolling. But also, I need some money to come and, you know, put in some new stuff. We don't want this to happen again. Like, it's the best time to go in for a quick grab, a quick influx of dollars to do something. So, you know, fire up some projects after that. Get a sigh of relief, but then ramp back up and get going, right?

Team Management During a Crisis

00:29:22
Speaker
Yeah, sure. I want to be on that point too, because we're trying to really paint the picture of the human experience of going through an attack and all the processes with it. From your experience as a team leader and as a team leader of many team leaders,
00:29:38
Speaker
how do you, in the middle of this fire, keep people on board, rowing the ship in the same direction? And the biggest fear is just like, people don't start quitting, or like a key person doesn't just like leave and like, I'm done. I don't wanna deal with this.
00:29:57
Speaker
How do you manage to keep that cohesion together, and what are your experiences and your tips on just keeping that morale in a place where, you know, even if you're not under that fire, you guys are still able to get the team together and get through it?
00:30:13
Speaker
Yeah, I actually talk a little about this in the book that I have coming out, but specifically around that, I think as the leader, as the CIO or the CISO or whoever you are in regards to this, I mean, you are the leader, you're the figurehead. So you have to keep your stuff together and, you know, have a plan. So you come out, you know, you don't freak out.
00:30:38
Speaker
Don't be like, I got to quit. This is terrible. This is the end of the world. Like, you need to realize, like, this happens. I'm going to work through it. I'm going to get the team to work through it. And you keep that calm sort of demeanor, like, it's all right, we're going to get through this sort of thing. Very stoic, if you will. And I very much enjoy the stoic practices, so I think if you can find deep within you whatever little amount of stoicism that you understand or realize, like, keep that calm presence and have a plan. You know, if you have an incident response plan, super.
00:31:09
Speaker
Follow it. Obviously, there's going to be some deviations at times, but, you know, having a good plan beforehand and being able to reference that super helps you understand, like, whoo, I have the next decision already planned for, because, you know, you got a lot going on in your head. There's a lot going on around you. If you can take a couple of those decisions away and just put it on a piece of paper that you read, like, hey, Zach, do this next.
00:31:32
Speaker
It's like, oh, OK, well, clearly when I was in a better headspace, I said this is what I'm supposed to do. I should probably follow it. So you can be, you know, an emotional mess on the inside if you want to be. I mean, I don't know how everybody operates, but on the outside, you need to be that calm, cool leader that people are going to turn to. And then, you know, you give them work, like everyone's going to have a little bit more work there. But keep in mind, like, watch people. You just need to understand and know your team in some way, as much as you can. I get some people have huge teams, but like you kind of understand the human element. So I'm like, is this guy cracking over here? Maybe don't throw him a ton of extra forensic work or server rebuilds or whatever that might be. There were people on my team who...
00:32:16
Speaker
I mean, I had one guy in particular, I was like, I just can't have him doing things. He is not going to handle this. Like, I'm going to put him on like everyday normal work that other people might have to do, so they can do other stuff. Because if he gets involved here, he's going to crack and it's not going to work. So you just got to really know your team and give them what they can handle.
00:32:38
Speaker
Yeah. Yeah. That's amazing.

Public Understanding of Ransomware

00:32:44
Speaker
Zach, one of the things that I have tried to do, you know,
00:32:52
Speaker
my mom gets a breach notification notice in the mail and I have to, like, explain that, no, they didn't steal this insurance money. It's like the insurance company uses this software and this software, you know, like I try to explain all this stuff that we take for granted in the industry.
00:33:09
Speaker
The other thing that I try to help people understand is, you know, we understand that ransomware groups are highly organized. It's a business, right? You said that the ransomware note referred you to a dark website where they essentially maintain customer service portals.
00:33:26
Speaker
And it has been documented, like, they're super polite. They're like, please make your payment to, you know, it's just professionalized. So I have really tried to help people understand that it's not like the lone hacker in the hoodie in the basement, à la The Matrix, you know, just launching these things for their own criminal benefit, but rather highly organized groups, some of which are proxies for nation states. You know, they're allowed to run rampant because they're just seen as non-state actors that can do damage on the adversary.
00:34:01
Speaker
But what would you have our listeners who are not in cyber take away from this experience? Like if you could give them like, hey, this is the one thing I want you to understand when you see ransomware in the news, what would that be?
00:34:16
Speaker
Yeah, that's a great question. You know, ransomware, as I mentioned earlier, is almost, unfortunately, like a part of life, a part of operating a business anymore, it seems like.
00:34:28
Speaker
There's a very fair to very good chance that your data has already been breached in some sort of, you know, data breach, ransomware attack, and is probably out there.
00:34:40
Speaker
You know, I'll be frank with you. Your Social Security number, phone number, your email, your name, your address, all that stuff is probably sitting out there to be purchased for about five cents right now from a dark website.
00:34:55
Speaker
And likely some of your medical history too. So I think there are steps you should take, knowing that that's likely. You know, a lot of these attacks happen and the companies come out and say, hey, we haven't seen any indication that the data has been used yet. It's like, okay, well, maybe they wait six months or a year or two years. Like, you don't really know. So,
00:35:20
Speaker
again, watch accounts that get opened in your name, freeze your credit. You know, there's a bunch of things sort of like that. Do MFA on your accounts. A handful of things that are good practice for the everyday person to do in anticipation of stopping, you know, anything like that happening, anything negative happening from those attacks, because you can't really do anything from the company level to stop it, because your data is going into so many systems and so many places all the time.
00:35:49
Speaker
And there's just going to be a breach. So realize it. I think, you know, you mentioned your mom getting a note in the mail about credit monitoring. My mother also got a note in the mail about credit monitoring this week and gave me a call about it.
00:36:02
Speaker
And I even told her, I was like, you know, I don't know. I don't remember necessarily this cyber attack, mom, because there's so many. I will have to Google it, because also I'm like,
00:36:13
Speaker
are people sending out fake letters and sending, you know, everyday people to sites that aren't real and having them put in their information and causing another... like, there's so many layers to think about it. And it was like, let me look it up. Okay. This is real. Yeah. You could probably do that. Like, send me a picture of the letter. Like, I guess this one's legit. There's been so many. Get your next batch of credit monitoring. But,
00:36:38
Speaker
yeah, again, those: freeze your credit, you know, watch your accounts, see what's being opened under your name. Now, I've seen people who filed taxes and figured out, hey, my tax return's already been filed for me this year. And it's crazy. There's so many layers of that where it could be months before we even know that they've taken that data to use it for anything.
00:36:59
Speaker
That gives me like one, I think, generalized piece of advice for our audience, now you bring that up, that a lot of folks do and it's kind of embarrassing, they don't realize. But if you do have an email that you think is a phish, or even an SMS, but mostly email, and it's got live links to malicious sites, don't just continue pushing the email. Like the amount of people that just forward me an email, it's like, this is a live phish. Like, now you're just propagating it through the environment.
00:37:30
Speaker
And you're like, just send us a screenshot. Like, honestly, we can see it. We monitor the email server. I don't know if you ever experienced that, but it's like these little things sometimes that people do when they don't understand. And when we talk about mom, my mom's favorite thing is like, she'll get like weird stuff in like Facebook Messenger or whatever. And like, it's really phishing.
00:37:50
Speaker
And she'll send me the thing and just be like, is this real or not?

Book Announcement: 'Locked Up'

00:37:54
Speaker
And I'm like, stop sending viruses to but
00:38:00
Speaker
Yeah, I think that I've seen, like, my phone, goddamn, it's like fake job stuff all the time. And now there's this new tactic where they will group text, right? Like 40 random numbers and you're just one.
00:38:17
Speaker
What they're counting on is somebody replying, because once you reply to the number, you have validated it. And then they sort of, like, they're like a legit entity.
00:38:27
Speaker
And I've tried to tell people, like, don't. You think you're having fun with the scammer? Like you want to have this funny back-and-forth? Like, you have now legitimized the number in the system. But that's the reason we have report junk in Gmail, you have report phishing.
00:38:42
Speaker
I want to encourage people: the more they do that, you teach machine learning on the back end, you know, block this whole thing. You know, so do not engage, report.
00:38:53
Speaker
Like, you guys, that's the takeaway. You're going to have fun there for a second playing with that, you know, person who's spamming you, but now you're going to get like 15 new people to start spamming you. So get excited for all those messages that are going to come in. You know, those attacks, you know, you think about them and it's like,
00:39:09
Speaker
how does this work? Like, I'm smarter than the average person. I'm not gonna fall for this. But they wouldn't keep doing it if it didn't work. It is probably very culturally related, at least in the States and maybe Canada too, but we are a people of do things right now. We always rush. We're always in a hurry,
00:39:27
Speaker
trying to get things done quickly. So when you see that and it's like, hey, gotta do this right now. Okay, I better go. And people don't slow down to just think about it. Like, if you really just stop and think, this doesn't make sense, that's what you need to do. Like, just take a breath, man.
00:39:45
Speaker
Really think about what's being asked of you. You can mitigate a lot by just pausing, like creating friction, like just a two-second pause for the neocortex to take over from the reptile brain and help that decision-making.
00:40:02
Speaker
Zach, I think we could talk about this honestly all day, because of the amount of human error that gets driven by just incomplete thinking. I think, well, you did write a book about it.
00:40:13
Speaker
Well, if you could, before we close off, we're going to end off the episode. What's the name of your book and how can people get it? Yeah, so the book is called Locked Up. There's a very long subtitle, which I won't bore you with, but Locked Up, and it's called Locked Up because we dealt with LockBit, the threat actor group, right? And you can find that on Amazon, Barnes & Noble, Books-A-Million, you know, wherever books are sold. It drops January 6th. It is available for pre-order.
00:40:39
Speaker
Right now, there's some cool pre-order incentives if you get in there and let me know about it. But yeah, go out, take a look. I'm looking forward to it. The audiobook's going to drop as well, so enjoy. Well, from one CISO to another, and on behalf of George as well, thank you for sharing your time with us today. That was really educational. I hope we get a chance to talk to you again sometime soon.
00:40:58
Speaker
Yeah. Thanks, guys. I appreciate it. It was awesome. Thank you very much.
00:41:05
Speaker
If you like this conversation, share it with friends and subscribe wherever you get your podcasts for a weekly ballistic payload of snark, insights, and laughs. New episodes of Bare Knuckles and Brass Tacks drop every Monday.
00:41:18
Speaker
If you're already subscribed, thank you for your support and your swagger. Please consider leaving a rating or a review. It helps others find the show. We'll catch you next week, but until then, stay real.