SAN FRANCISCO – Ransomware may be poised to return as a top scourge for companies, as more and more of them pay up after an attack in an effort to minimize the cost of recovery.
That’s just one insight gleaned from an interview at RSA Conference 2019 last week with Josh Zelonis, senior analyst at Forrester Research. Threatpost sat down with Zelonis to discuss looming threats to corporate security, especially those that may not be that well-known.
According to Zelonis, ransomware attackers often share information about their attacks and which companies are vulnerable. A new trend of victims paying off the ransoms could reverse the wane in ransomware attacks that has been seen in the last year or so, he said.
Also, among the next great enterprise challenges are industrial IoT and the convergence of operational technology with IT in utility, smart-city and manufacturing environments, he said. And mobile threats are poised to become more sophisticated and advanced in the not-too-distant future.
Discover more in the video and transcript, below.
** What follows is a transcript of the interview **
Tara Seals: Hi, I’m Tara Seals, senior editor with Threatpost, and I’m here with Josh Zelonis of Forrester Research. He’s a senior analyst over there. Welcome, Josh, thank you very much for joining us.
Josh Zelonis: Thank you for having me.
Tara Seals: Before we kick off our video interview here, you had mentioned that you’ve been seeing a trend of companies actually paying the ransomware when they get hit by an attack. So, I thought that could be a really interesting place to start our conversation if you wanted to tell me a little bit about what you’re seeing there.
Josh Zelonis: Yeah absolutely. So one of the trends that I’ve been hearing about more and more is that insurance companies are actually starting to pay the ransoms because it’s costing them less than going and doing the remediation, going back to backups, which may or may not even exist. And so a lot of the time the incident response companies are being brought in to broker the transaction with the adversaries themselves in order to ensure that the payment is made and recovery is possible.
Now part of the problem, as you might imagine, is that this creates a market where it becomes more and more profitable to use ransomware as a method of attack against an organization. Primarily the reason why this is such a challenge is that we’ve been seeing ransomware tapering off in the last number of years, and now that it seems that we’re starting to create a market, I expect that we’ll see that turn around and start increasing again.
Tara Seals: I was gonna say – so, ransomware has definitely dropped off, if all the reports are to be believed, in the past year, dovetailing with the price of cryptocurrency also going down, right?
Josh Zelonis: Yes.
Tara Seals: So, the volume in terms of this wave stemming from insurance companies paying this, you expect that could actually overcome those economic barriers for cybercriminals?
Josh Zelonis: Absolutely. And the other issue that’s extremely dangerous about this is…let’s say you respond and you make the payment and then you are able to recover your files, that doesn’t necessarily put you in a better position, and there’s no reason for the cybercriminals not to come right back.
Tara Seals: I was going to ask that. So do you think that they share intel the same way that defenders share intel in terms of, “Hey these guys, they pay, they’re pretty easy to compromise.” Do you think that sort of conversation happens on the Dark Web?
Josh Zelonis: That is definitely a conversation that I’ve heard happens, that people are cognizant of who’s paid in the past and are going and targeting those organizations again. Now, an interesting other trend that we’re seeing is that a lot of these ransomware outbreaks, they’re not new breaches. And so what we’re seeing is that adversaries are getting into a network and they’re not being detected for a period of time while the adversary goes and figures out where the goods are so to speak. And gets to know the organization. And by that means, they know what they can get from the organization, because they know what their capabilities are.
Tara Seals: Now, do they use that recon for other purposes, not just maybe the destructive ransomware attack that basically tells the company, “Hey I’m here. I’m in your network. Do something about it.” Is that just the last step in a whole chain of information exfiltration and other attacks?
Josh Zelonis: I don’t know that that’s the case…even earlier today I was having a conversation with an incident response company that I work with, and they were talking about how they were involved in a ransomware outbreak in a health-care organization and they could have exfiltrated healthcare data but they didn’t, they just crypted everything.
Tara Seals: Oh, that’s interesting.
Josh Zelonis: And so I don’t know if that’s good news or bad news, but it certainly seems like there’s expertise within the adversaries; they know what they’re able to move and what they’re able to commoditize. And so, I would expect that in that particular situation if they did understand what they had access to, then they may sell that information to somebody else who would come and steal that.
Tara Seals: Interesting. So that’s one major new trend when it comes to corporate security. What are some of the other things that you’re seeing? Is there anything vertical-specific or anything around IoT [the internet of things] that’s looming and maybe not that well-known?
Josh Zelonis: IoT is definitely the next avenue for attack, and it’s interesting because as you walk around the expo, you’ll see that a lot of the endpoint-protection vendors, they’re really reaching a maturity as far as their ability to do detection and response. The MITRE ATT&CK evaluation that happened recently is a perfect example of it.
Now what you run into when you start getting into [industrial] IoT environments is, you’re not able to go and deploy these endpoint agents on these PLCs [programmable logic controllers], and so then, you don’t have that measure of attack. So, while people are ready to say, “Hey, the actual target environment is where information is, or the malware is executed or bad behavior happens,” what you run into having an endpoint-centric view like that is, you overlook the fact that the PLCs have processing capability and that you can actually target these. For instance, you can target manufacturing robotics and potentially damage or interrupt their capabilities.
Tara Seals: And just to be clear, we’re talking about you know, manufacturing or a smart-utility type of environment.
Josh Zelonis: Exactly.
Tara Seals: This type of IoT deployment is not about a [consumer] camera or a Nest device.
Josh Zelonis: Not a camera or a Nest device, no. Most of what I look at is more in the enterprise space than the end-user space.
Tara Seals: Right, so a lot of those networks are running on what we all call operational technology [OT], right?
Josh Zelonis: Yes.
Tara Seals: And they operate slightly differently from our typical IT environment. Do you find the companies that are implementing these IoT devices have a sense of the security requirements that come along with it or no?
Josh Zelonis: What I’m hearing more and more is that these organizations don’t know what to do, and that a lot of intrusions are being identified as having [happened a while ago] – that there have been compromises that happened long ago and the adversaries have just been sitting there collecting information or whatnot. And so, it’s difficult, because [OT] people don’t really know how to solve this problem. They don’t know what type of vulnerabilities to patch and it becomes important to understand and be able to quantify what the risk is to the organization, because it’s extremely quantifiable how much it’s gonna cost to shut down the plant for X amount of time to, for instance, deploy a patch.
Tara Seals: So…basically, they’re worried about outcomes and impacts, right?
Josh Zelonis: Exactly.
Tara Seals: And so you would advocate taking a risk-management approach to this?
Josh Zelonis: I think that you have to, and I would add that what I’m hearing is that most organizations would be well-served to add additional monitoring to their environments in order to surface these adversaries that are already there.
Tara Seals: And do you get a sense of just how endemic this is? Do you feel that there’s a large adversary base that’s interested in critical infrastructure and utilities and smart manufacturing and these types of environments?
Josh Zelonis: Based on the conversations that I have, there’s only really a handful of adversary groups that are going after these large OT environments. But these are sophisticated and well-funded, they tend to be more from the nation-state persuasion, if you will.
What’s going to happen over time is that those capabilities are going to become more and more commoditized, and then, once we see that in the cybercrime sector, that’s going to be…scary.
Tara Seals: So that democratization of the tools used there –
Josh Zelonis: Of the capabilities, absolutely.
Tara Seals: – and obviously, [OT environments] become more attractive [to other kinds of cybercriminals], the bigger the threat surface gets. So the more IT devices [the more attacks], and it’s just this self-perpetuating cycle. That’s scary, Josh!
Let’s see, is there anything else in terms of looming trends that aren’t often talked about or maybe don’t get enough notice that you think is worth touching on?
Josh Zelonis: Mobile is one that I see as a little bit farther out, and it’s interesting because I see us five years or 10 years from now not having laptops anymore. You know, we’ve seen the demos where somebody will throw their phone on a hot plate and then they’ll be able to have the screen come up on their monitor and use the keyboard and mouse. And the processing power that we have in our phones is amazing. If you think about the phone in your pocket, it certainly has more capability than my first computer did. And so the value of compute, if you will, is high enough. When we were looking at things like cryptojacking, for instance, that was commoditizing compute. There’s absolute value that you can associate with that compute.
And you also think about all the data that moves through your life, at some point it touches those mobile devices and so, while this is still part of the story of IoT it’s not the OT side. It’s more of where is everything else? And I expect we’re going to see more sophisticated attacks that are going to become more and more scary in the overall outcomes that we see.
Tara Seals: Interesting. Okay, well I think we have to leave it there, we only have a short amount of time, but thank you very much for joining me.
Josh Zelonis: Absolutely.
Tara Seals: And again, I’m Tara Seals with Threatpost, I’m here with Josh Zelonis with Forrester Research, thank you very much.
Josh Zelonis: Thank you.