[00:00:00] Anna Delaney: Hello, and welcome to Proof of Concept, the ISMG talk show, where we discuss today's and tomorrow's cybersecurity challenges and quiz experts in the field on how we can potentially solve them. I'm Anna Delaney, director of productions at ISMG. And I'm very pleased to introduce my co-host, Tom Field, senior vice president of Editorial. Hello, Tom.

[00:00:20] Tom Field: Hello! Pleasure to see you.

[00:00:21] Anna Delaney: Pleasure always. Before introducing our guests, Tom, what is the most interesting thing in cybersecurity today?

[00:00:29] Tom Field: You know, I was prepared to come in here and talk about the one-year anniversary of the Colonial Pipeline ransomware attack because it was on everybody's minds. But you read the news today, and the headline that's got my attention is the government of Costa Rica, an entire country, declaring a state of emergency because of a Conti ransomware attack. A state of emergency, Anna. This is what happens when you have hurricanes. This is what happens when there is a coup. This is what happens when your nation is attacked by physical forces. Now we have a state of emergency because of ransomware. That, to me, is the biggest news today.
[00:01:11] Anna Delaney: Incredible, but also, as you say, it's a year since the Colonial attack. So the question is, what have we learned this past year? And the news today, as you say, is alarming. I was going to say that certainly, I think the conversations have improved. There's more talk about cyber preparedness and cyber resilience and cyber readiness. But is critical infrastructure more secure than before? Now, have we strengthened our security postures? Are we more prepared? How do we prepare? I don't know; these are questions perhaps our guests will have some thoughts on.

[00:01:50] Tom Field: Anna, I will say we've refined our conversations. But what we've learned is that whatever today's big headline is going to be, there's going to be a bigger one tomorrow. And so far, nothing's proven that wrong.

[00:02:03] Anna Delaney: And Tom, in less than three weeks' time, where will we be?

[00:02:09] Tom Field: Less than three weeks' time, in two weeks' time, Anna, we are going to be together in London, preparing for our Live London summit. Very much looking forward to it; my first trip back to London since fall of 2019.

[00:02:22] Anna Delaney: Yes, I was going to say also, after that, though, we'll then be in San Francisco.
[00:02:28] Tom Field: Of course, RSA Conference. It's live events; I can't keep them straight anymore. Yes, we will be at RSA Conference in three weeks, and the first time that we have been there since 2020.

[00:02:40] Anna Delaney: This will be a new experience for me, of course, being with the ISMG team at RSA. So looking forward to it. Any hints and tips, welcome.

[00:02:51] Tom Field: So I think that's the question.

[00:02:53] Anna Delaney: Yeah. Well, perhaps it's time to introduce our first guest, Ari Redbord, head of Legal and Government Affairs at TRM Labs. Ari, so good to see you again.

[00:03:05] Ari Redbord: Anna, great to see you as well. Tom, nice to see you.

[00:03:08] Tom Field: Ari, always.

[00:03:10] Anna Delaney: So starting with a big story. The U.S. Treasury announced last week the first ever U.S. sanctions on cryptocurrency mixer Blender.io. And according to U.S. officials, the service was used by North Korean state hackers, Lazarus Group, to launder some of the funds stolen during the Ronin network hack at the end of March. So Ari, what are your thoughts? What's the significance of this move?

[00:03:34] Ari Redbord: Sure. Yeah, no, and it's a great question. And really, it's just an interesting moment.
We've seen sort of a flurry of activity in the cryptocurrency space by Treasury over the last, you know, six or eight months. And, you know, Tom, at the beginning of the show, talked about the one-year anniversary of Colonial Pipeline, which, quite frankly, is a shock to me that we're almost sort of at that point already. But it really did sort of harken, in many respects; it was a watershed and sort of a move to this digital battlefield. And the Ronin hack is a really great example. Essentially, you know, a few weeks ago, a hacker attacked the Ronin Bridge, which is a bridge between blockchains associated with Axie Infinity, the play-to-earn game that is wildly popular, and those attackers stole about $600 million, $625 million, in that attack, making it really the largest or one of the largest hacks of any sort of cryptocurrency business. And, you know, a couple of weeks later, OFAC, the Department of Treasury's sanctions regulator, put an address on the sanctions list associated with Lazarus Group, which is the North Korea hacking unit, the state-sponsored, professionalized hacking team, and essentially what they did there was associate Lazarus Group and North Korea with that hack. And it was really an extraordinary moment.
Because, look, we've 90 00:05:01.470 --> 00:05:05.670 seen North Korea for years attack cryptocurrency 91 00:05:05.670 --> 00:05:11.010 businesses, because, you know, look in the age of crypto, you 92 00:05:11.010 --> 00:05:14.040 know, a hack means you can essentially steal money at the 93 00:05:14.040 --> 00:05:18.180 speed of the internet. And for North Korea, a country with 94 00:05:18.180 --> 00:05:23.760 really pretty much absolutely no economy to speak of, they 95 00:05:23.760 --> 00:05:27.480 realized very quickly that you know, stealing funds can result 96 00:05:27.480 --> 00:05:31.770 in destabilizing activity, can fund weapons proliferation. So 97 00:05:31.770 --> 00:05:36.420 they've, you know, engaged in a series of escalating attacks. 98 00:05:36.600 --> 00:05:40.770 And finally, sort of culminating in a 600 plus million dollar 99 00:05:40.770 --> 00:05:44.580 hack of Ronin. So to get back to your question about this 100 00:05:44.580 --> 00:05:48.150 designation, what we've seen over the last few weeks is North 101 00:05:48.150 --> 00:05:52.380 Korea really launder those funds, because the goal is to 102 00:05:52.380 --> 00:05:55.710 move them to obfuscate the transactions from law 103 00:05:55.710 --> 00:05:59.550 enforcement and blockchain analytics tools like TRM, in 104 00:05:59.550 --> 00:06:02.940 order to ultimately off ramp them. And we've seen them use a 105 00:06:02.940 --> 00:06:07.020 number of mixing services, and what mixing services or mixers 106 00:06:07.020 --> 00:06:11.100 or blenders, they are on chain, they're essentially exchanges 107 00:06:11.220 --> 00:06:14.760 where users put in their cryptocurrency, it mixes it 108 00:06:14.760 --> 00:06:18.690 together, and then sends it out the other side, not associated 109 00:06:18.690 --> 00:06:23.070 necessarily with the illicit activity. It is an obfuscation 110 00:06:23.070 --> 00:06:27.150 technique. 
There's one of these called Tornado Cash, which we've seen millions and millions of dollars flow through associated with this hack, and another called Blender.io, where we saw about $20 billion of funds flow through that were the proceeds of the Ronin hack. And Treasury finally took action against Blender.io, basically saying, hey, look, you did not have the compliance controls in place necessary, and what you are doing is facilitating North Korea money laundering. So it is literally a direct response to this Ronin hack and North Korea's attempt to launder these funds.

[00:07:05] Anna Delaney: Really helpful background there, Ari. But of course, the press release was quite interesting. It used the words "national security threat." It's not just about this hack, is it? There's a wider issue here.

[00:07:19] Ari Redbord: Now, it's a great question. And really, I think really the most important one. Look, I mean, in any financial system, you're going to have fraud, and you're going to have, you know, financial crime. But when North Korea, when state actors are involved, you know, things inevitably escalate.
Because look, you know, you see the Bitfinex hack, for example, where you see these individuals attempt to launder funds, you know, over years and across blockchains and obfuscation techniques. And it's about greed, essentially. And it's really important to stop those because, look, a hack of a cryptocurrency exchange is potentially the loss of people's life savings; it is serious, always. But it is escalated when those funds, $600 million, which is a significant portion of North Korea's GDP, right? Like, this is not inconsequential. It is a national security issue when North Korea now has funds to fund weapons proliferation. And I think we see the reaction here. Look, OFAC does not designate addresses associated with a hack. They designate, they sanction addresses associated with the hack when there's a national security threat. And here it's clear the U.S. Treasury Department, the White House, foreign partners are involved with this investigation and with the sanctions.

[00:08:38] Anna Delaney: And it's interesting to read that Russia-linked ransomware groups are also using Blender.io. I think Ryuk, Conti and TrickBot as well. So, how bad is this cryptocurrency mixing problem?
[00:08:54] Ari Redbord: Yeah, you know, it's interesting. Look, as we move to sort of a more open financial system where more transactions occur on open blockchains, on open ledgers where everyone can see, you know, transactions in real time, there's going to be legitimate reasons to want to keep your transactions private. And potentially, you know, legitimate mixing services are an answer to that question, right? But what's really important is that even these mixing services have compliance controls in place, that they are screening for sanctioned addresses, right? That they are essentially able to block funds or file suspicious activity reports or engage with law enforcement if bad actors are going to use those platforms. So it's interesting, you know, mixers are not illegal. And there are legitimate reasons to use them. What is illegal is to advertise a mixer on a darknet market with literally an attempt to launder funds or to provide the way to launder funds. There are two pending cases from the Department of Justice. One called Helix, and the other called Bitcoin Fog, where these were mixing services that were advertising on AlphaBay to be used to obfuscate transactions involving, you know, narcotics and other types of illicit activity.
So, you know, mixing services per se are not as much the problem as not having the compliance controls in place to stop them. But look, you know, I know this show is about cyber. And I think one thing that's always really important to remember is that cryptocurrency, essentially, you know, look, is the thing that's being stolen or the thing that's being attacked or the reason for the hack. But really, what has to happen here is, you know, Ronin, Axie Infinity, cryptocurrency businesses really need to work to harden their cyber defenses. And I know that's such a focus of what you guys do. And what you talk about is trying to sort of ensure that we're really thinking about cyber, we're really thinking about cybersecurity, you know, as we're growing our businesses.

[00:11:06] Anna Delaney: So how do you think this is going to rattle or even shift the cybercrime ecosystem?

[00:11:11] Ari Redbord: Yeah, you know, look, I mean, Treasury has had a lot of effect with these sanctions designations on cryptocurrency businesses. And what I think is, what now I'm thinking of as like the trifecta of sort of the illicit underbelly of the overall sort of growing crypto economy.
I 191 00:11:25.200 --> 00:11:29.250 mean, at first, you saw Treasury go after SUEX, which was a non 192 00:11:29.250 --> 00:11:32.880 compliant exchange based in Russia, for essentially allowing 193 00:11:32.880 --> 00:11:36.150 ransomware payments to flow through it. A couple of weeks 194 00:11:36.150 --> 00:11:39.300 later, they sanction Chatex, another Russia-based exchange 195 00:11:39.360 --> 00:11:41.760 for very similar reasons. And it doesn't matter if it's 196 00:11:41.760 --> 00:11:45.270 ransomware, or sanctions, or terrorist financing. It's really 197 00:11:45.270 --> 00:11:48.900 for not having the compliance controls necessary to stop 198 00:11:48.960 --> 00:11:51.960 illicit activity. And essentially, you know, without 199 00:11:51.960 --> 00:11:54.930 those controls, you're facilitating it. Then we saw 200 00:11:54.930 --> 00:11:59.190 sort of next Treasury go after darknet markets. We saw them 201 00:11:59.190 --> 00:12:02.880 take down the largest darknet market Hydra, with coordination 202 00:12:02.880 --> 00:12:06.450 from German law enforcement. And now we're seeing them go after a 203 00:12:06.450 --> 00:12:09.780 mixing service that, quite frankly, is facilitating money 204 00:12:09.780 --> 00:12:13.530 laundering by not having compliance controls in place. 205 00:12:13.650 --> 00:12:16.170 And I think what we're going to see is this sort of steady 206 00:12:16.170 --> 00:12:20.370 drumbeat from Treasury from foreign partners of going after 207 00:12:20.430 --> 00:12:23.970 entities that sort of formed that illicit underbelly, while 208 00:12:23.970 --> 00:12:26.940 to the extent possible, sort of staying away from the overall 209 00:12:26.940 --> 00:12:29.880 growing crypto economy, you know, exchanges with compliance 210 00:12:29.880 --> 00:12:32.160 controls in place, for example. 211 00:12:33.300 --> 00:12:35.490 Anna Delaney: Always fascinating, Ari, speaking to 212 00:12:35.490 --> 00:12:37.260 you. Thank you very much. 
Over to you, Tom.

[00:12:37] Ari Redbord: Thank you so much for having me.

[00:12:39] Tom Field: Don't you think, Anna, this has got to be like Ari's greatest professional year ever, since what you have seen since the beginning of the year?

[00:12:47] Ari Redbord: Well, a lot is going on, for sure.

[00:12:49] Tom Field: You know, and we're not even halfway through it yet. And I'm thrilled to bring our next guest on to the screen here. He and I go back many years to when he was a deputy CISO with Bank of the West out in San Francisco. He's most recently the CISO of PNC Bank, and he's out there today, climbing new mounts. David Pollino, thanks so much for being here with us today.

[00:13:08] David Pollino: Hey Tom, great to see you. Thanks for having me.

[00:13:11] Tom Field: David, Anna mentioned this, Ari mentioned it, we talked about it at the top of the hour here. This past weekend was the one-year anniversary of the Colonial Pipeline ransomware attack that impacted the entire East Coast economy of the United States. And then we wake up to news that the Costa Rica government has declared a state of emergency. How are we doing with this ransomware thing?

[00:13:35] David Pollino: It appears we're not very effective with the whole response to the ransomware attack.
I think it should be a wake-up call for everybody, individuals, businesses big and small, government agencies, that we probably need to reevaluate the investment that we're making in our cyber defenses, and hopefully make 2022 a year that we start to see things getting better as opposed to getting worse.

[00:13:53] Tom Field: Maybe we need to go back 40 years now to former First Lady Nancy Reagan. Just start saying no. As long as we're continuing to pay these ransoms, ransomware is going to continue to pay dividends too. I know it's not as simple as just don't pay, but maybe it is just as simple as just don't pay.

[00:14:21] David Pollino: Yeah, it's definitely an interesting question. I've had a number of conversations with businesses around their incident response plans, and many of them now are actually adding paying the ransom to their incident response plans, which is, you know, not a good thing to hear as a cybersecurity professional, but it's the business trying to explore every option that they could potentially have. Insurance companies, I've heard, are not reimbursing the ransom payments like they were in the past.
So, you know, I think there's definitely a readiness conversation to be had to make sure that if you are hit with ransomware, could you start from scratch? Could you back up from the last known good? Could you get the business back up and running in a timely manner and not even consider paying the ransom?

[00:15:16] Tom Field: A good point! I know the insurance companies are hoping that, at least in the U.S., Congress declares ransomware attacks on nation-state-funded adversaries as an act of war, because then it becomes moot; the ransom wouldn't be paid. I guess, at that point, ransomware becomes a hack of God. But, in any event, David, this past week, CISA released a list of the top 15 most routinely exploited vulnerabilities of 2021. Maybe not as surprising, Log4Shell was at the top of that list. Did you get a chance to review this?

[00:15:49] David Pollino: Yeah, it was an interesting report. I can't say it was very enlightening. You know, anyone who's been paying attention to some of the vulnerabilities over the past year said, yep, those are on the list, those are on the list. Like Ari said, some of them feel like it's been so much longer than just a year.
Log4Shell, I think that's a good wake-up call for everybody to understand their software supply chain. Whether they're developing their own software or buying off-the-shelf software, it commonly comes with open-source components. And when these vulnerabilities are published, is it easy to sit back and say, do I have this deployed on my network, yes or no? So I think many companies are starting to take it a little bit more seriously, having the bill of materials for their software components, and also having an additional focus on open-source components when they're deploying their own software. So seeing Log4j in there wasn't a surprise. It was at the end of the year, and we all have kind of our scars from having to respond to that, because it was so widely exploited and so easy to exploit. The other one that was on there, or a handful of them, were related to the Microsoft Exchange vulnerabilities. And it seemed like, I had to look up the date of it, but last year the Department of Justice had their court-authorized effort to remove web shells. It was just about a year ago, just over a year ago.
But it felt so long ago. That was a huge change in the industry, to actually see the Department of Justice take proactive action to, you know, remove these shells. But that also goes to show that, who is still running their own email servers anymore? I mean, it's proven that probably Microsoft is the only company on earth that's qualified to be able to run Microsoft Exchange Server. And with the cost of cloud services now, I think it makes sense for just about every business to outsource that, whether it's like the Google Suite or Office 365. Make managing email and those document-sharing services somebody else's problem, so you can focus on your business. So really, businesses should also be reconsidering exactly what technology they're trying to support themselves, because these have been routinely compromised; many of these are the ProxyShell vulnerabilities as well, hitting, you know, these Microsoft products that are commonly used. So you have Log4Shell, you have all these Exchange ones. And then a couple of the other ones that were interesting, and very important, are around VPN gateways. Sometimes network infrastructure is not at the top of our list for patching.
But VPN gateways are absolutely a great way into a business. And having a good routine to be able to make sure that those VPN gateways are up to date. And also, as the recommendations from that report point out, using MFA to help kind of give one additional layer of security there. So, taking a look at your networking infrastructure, having a good routine for quickly patching those, because that's really what we see in that report, is that when these vulnerabilities are published, sometimes proof-of-concept code is published shortly thereafter. But whether the proof-of-concept code is published or not, you know, people are hard at work reverse engineering the patches to find exactly what the vulnerability is. So when those patches come out, you need to be, you know, applying those patches on your infrastructure quickly. But perhaps probably the most discouraging thing in the report was that three of the vulnerabilities in the 2021 report were the same as 2020. So, you know, it seems like we're not learning our lessons quick enough and being able to patch or secure vulnerabilities that are well known. And so it was definitely an interesting report there. But like I said, not a lot of surprises for cybersecurity professionals.
[00:20:23] Tom Field: David, beyond that, it doesn't appear in the CISA report, certainly, but I've got it on authority from those who follow such things that within the past two weeks, and as recently as the past two weeks, as organizations have downloaded Log4j, up to 40% of new downloads have been infected versions. No, we aren't learning lessons. So my question to you, when you see lists like this come out, how do you advise organizations that you consult with to review these?

[00:20:53] David Pollino: It's important for any large enterprise to have a threat intelligence program. The threat intelligence program would look at not just incidents that happened, Colonial Pipeline, and ask themselves a question, could we be hit by this particular, you know, attack, but also, when reports like this are published, these should be socialized with the executives, the board members. And you know, the question that comes when you socialize a report like this is, are we vulnerable to any of these? Do we have these vulnerabilities in our infrastructure? And so probably the proactive scans will be looking at if we do have the vulnerabilities in the environment and being able to take appropriate action.
So 357 00:21:39.780 --> 00:21:45.120 utilizing the items that hit the mainstream media like this, to 358 00:21:45.120 --> 00:21:47.940 help educate the board and executive committee, are 359 00:21:47.940 --> 00:21:48.420 important. 360 00:21:48.870 --> 00:21:51.270 Tom Field: Good. Anna, we bring you back to the conversation 361 00:21:51.270 --> 00:21:51.450 here. 362 00:21:52.140 --> 00:21:54.150 Anna Delaney: Very good. That was a brilliant discussion. 363 00:21:54.180 --> 00:21:57.600 Thanks, David. So I'd love to bring you all back to the party. 364 00:21:58.800 --> 00:22:03.150 And this question is around reward schemes. So we heard last 365 00:22:03.150 --> 00:22:05.400 week that the U.S. State Department announced it is 366 00:22:05.430 --> 00:22:09.330 offering a reward of up to $10 million for information on 367 00:22:09.330 --> 00:22:13.620 leaders of the Conti ransomware gang. And we've seen a few 368 00:22:13.620 --> 00:22:16.320 bounties advertised for information on particular 369 00:22:16.320 --> 00:22:21.990 criminal groups recently, how effective are these rewards in 370 00:22:21.990 --> 00:22:27.030 the fight against cybercrime? What are your thoughts? Ari? 371 00:22:28.380 --> 00:22:31.470 Ari Redbord: Yeah, look, I mean, I think traditionally, this sort 372 00:22:31.470 --> 00:22:35.070 of, from the early days of the most want wanted list to, you 373 00:22:35.070 --> 00:22:39.390 know, there was a huge emphasis on this during sort of the 374 00:22:39.420 --> 00:22:45.660 post-9/11 world. Bounties or rewards, they do work. I do 375 00:22:45.660 --> 00:22:48.570 think that sort of, you know, a lot of the same groups are 376 00:22:48.720 --> 00:22:50.520 already looking for these people, and will continue to 377 00:22:50.520 --> 00:22:52.620 look for these people. I think there's some motivation around 378 00:22:52.620 --> 00:22:57.120 it, but I don't know if it is a solution. 
But I do, I will say 379 00:22:57.120 --> 00:22:58.230 that they do tend to work. 380 00:22:59.790 --> 00:23:00.270 Anna Delaney: David? 381 00:23:01.110 --> 00:23:04.230 David Pollino: Yeah, if we see the success of a bug bounty 382 00:23:04.230 --> 00:23:08.520 programs, when you put, you know, a monetary reward behind 383 00:23:08.520 --> 00:23:11.700 something, people get interested in it. So I don't think it's a 384 00:23:11.700 --> 00:23:15.330 bad thing. But as Ari mentioned, it's probably not the most 385 00:23:15.330 --> 00:23:20.280 effective way of chasing any type of criminal activity. So 386 00:23:20.280 --> 00:23:26.550 you know, like, we brought out a brown vulnerabilities, we need 387 00:23:26.550 --> 00:23:30.480 to make sure that we're reexamining our efforts. And if 388 00:23:30.480 --> 00:23:33.630 we continue to have the same problems over and over again, 389 00:23:33.960 --> 00:23:36.930 then maybe we need to reevaluate how we're addressing them. So 390 00:23:37.140 --> 00:23:40.740 you know, the reward might be good, but it might be a good 391 00:23:40.740 --> 00:23:45.000 opportunity to say, do we have the right approach to policing 392 00:23:45.000 --> 00:23:48.210 cybercrime in general? Or is there something else needed? 393 00:23:49.380 --> 00:23:50.280 Tom Field: Anna, if I may? 394 00:23:50.430 --> 00:23:50.670 Anna Delaney: Yeah. 395 00:23:50.670 --> 00:23:53.580 Tom Field: Attribution is so hard. It really is so difficult 396 00:23:53.580 --> 00:23:58.410 to track this back to a single adversary. And the incentive for 397 00:23:58.410 --> 00:24:03.990 continuing to exploit ransomware is so high. I'm not sure $10 398 00:24:03.990 --> 00:24:05.190 million is enough. 399 00:24:07.230 --> 00:24:10.115 Anna Delaney: I was going to ask, what's the purpose of these 400 00:24:10.176 --> 00:24:13.983 awards? I mean, it's surely not just about the reward. Does it 401 00:24:14.044 --> 00:24:17.666 send out a message to these criminal gangs? 
Is that message 402 00:24:17.727 --> 00:24:19.140 even working? Thoughts? 403 00:24:20.460 --> 00:24:23.940 Ari Redbord: Yeah, look, I think that it does send a message and 404 00:24:24.300 --> 00:24:27.300 when you're sort of building out these reward programs, 405 00:24:27.300 --> 00:24:29.730 especially when you're, you know, talking about the State 406 00:24:29.730 --> 00:24:33.270 Department, you are showing a real focus on it. I think a lot 407 00:24:33.270 --> 00:24:36.300 of times, these types of programs are designed in many 408 00:24:36.300 --> 00:24:39.420 respects to sort of show what the current priorities are. The 409 00:24:39.420 --> 00:24:41.820 fact that these types of resources are dedicated in this 410 00:24:41.820 --> 00:24:44.250 space, I think just confirms what we've all known for some 411 00:24:44.250 --> 00:24:46.560 time. And that is the focus on sort of this digital 412 00:24:46.560 --> 00:24:51.540 battlefield, is very real. And we've moved kind of into a world 413 00:24:51.540 --> 00:24:54.210 where look, I mean, you can draw just so many parallels to that 414 00:24:54.210 --> 00:24:58.470 post-9/11 world where there's the level of coordination across 415 00:24:58.500 --> 00:25:01.680 agencies across governments. These types of programs from the 416 00:25:01.680 --> 00:25:04.560 State Department, right? These are all types of techniques that 417 00:25:04.560 --> 00:25:08.730 we used post-9/11. And, again, harkening back to the Colonial 418 00:25:08.730 --> 00:25:12.630 Pipeline attack, Chris Wray, the director of the FBI, you know, 419 00:25:12.660 --> 00:25:16.140 within days of it, essentially compared this to 9/11. And 420 00:25:16.140 --> 00:25:19.590 really was a watershed. And we're seeing governments build 421 00:25:19.590 --> 00:25:24.570 out and respond to these attacks. 
And it's not just 422 00:25:24.570 --> 00:25:27.480 ransomware, there's so many sort of other of these hacks and that 423 00:25:27.480 --> 00:25:29.910 we were talking about earlier. There's a movement to the 424 00:25:29.910 --> 00:25:32.130 digital battlefield, and governments are prioritizing it. 425 00:25:34.170 --> 00:25:37.710 Anna Delaney: So, RSA around the corner, are you both going? 426 00:25:39.300 --> 00:25:42.930 David, are you on your way? Are we meeting in San Francisco? 427 00:25:43.590 --> 00:25:46.271 David Pollino: No, I will not be there. I lived in the San 428 00:25:46.333 --> 00:25:50.075 Francisco Bay area for many years. And so it would go by the 429 00:25:50.137 --> 00:25:53.817 show plenty of times. It's amazing to see how it grew from, 430 00:25:53.879 --> 00:25:57.745 I think, just a few thousands when I first started going there 431 00:25:57.808 --> 00:26:01.612 in the late '90s, to, you know, tens of thousands today. But, 432 00:26:01.674 --> 00:26:05.353 I'm sure you guys will have a good time there. But nope, no 433 00:26:05.416 --> 00:26:08.160 plans. I prefer the smaller conferences now. 434 00:26:09.000 --> 00:26:11.820 Ari Redbord: No, it's really exciting. And, you know, look, I 435 00:26:11.820 --> 00:26:16.200 mean, the world is back. And it's fun that this group is back 436 00:26:16.200 --> 00:26:18.000 as well. And I think, there's going to be tons of great 437 00:26:18.000 --> 00:26:19.530 opportunities going forward. 438 00:26:19.920 --> 00:26:20.550 Tom Field: You'll be there? 439 00:26:21.960 --> 00:26:22.980 Ari Redbord: I will not be there. 440 00:26:26.340 --> 00:26:27.510 Tom Field: Anna, you be there please. 441 00:26:27.600 --> 00:26:28.350 Anna Delaney: I'll be there. 442 00:26:28.410 --> 00:26:30.600 Tom Field: I will be as well. Nice to be back. 443 00:26:30.900 --> 00:26:34.410 Anna Delaney: Yeah. At least that. So headed into the second 444 00:26:34.410 --> 00:26:37.590 half of the year soon. 
What are we looking toward? 445 00:26:39.870 --> 00:26:43.500 Ari Redbord: Yeah, I mean, look from my perspective, it's, you 446 00:26:43.500 --> 00:26:47.580 know, 24/7 crypto, and there's crypto never sleeps. So I think 447 00:26:47.580 --> 00:26:52.710 we're going to continue to see, really until crypto businesses, 448 00:26:54.120 --> 00:26:56.400 you know, begin to harden cyber defenses, we're still going to 449 00:26:56.400 --> 00:26:58.380 see these types of attacks that we've been talking about 450 00:26:58.380 --> 00:27:02.730 earlier. But we're also going to see Treasury and foreign 451 00:27:02.730 --> 00:27:07.350 partners go after these types of actors. Look, I mean, we're even 452 00:27:07.350 --> 00:27:10.890 seeing, you know, a couple of weeks ago, for the first time, 453 00:27:11.130 --> 00:27:15.060 Treasury sort of put a crypto designation, related designation 454 00:27:15.060 --> 00:27:21.630 in the Russia sanctions context, sanctioning a crypto mining 455 00:27:21.660 --> 00:27:27.120 company that had large mining farms. These large server farms 456 00:27:27.330 --> 00:27:31.860 in Russia, to really say, look, you know, crypto mining is like 457 00:27:31.860 --> 00:27:35.400 oil or natural gas, we need to cut off sort of your energy 458 00:27:35.400 --> 00:27:39.030 supply, your ability to create value with your energy. So, 459 00:27:39.030 --> 00:27:41.550 there's so much going on in the space, whether it's sanctions, 460 00:27:41.550 --> 00:27:45.960 whether it's, you know, Department of Justice, and we're 461 00:27:45.960 --> 00:27:47.910 going to continue to see sort of more and more activity. 462 00:27:48.990 --> 00:27:51.180 Anna Delaney: We'll be lucky to have you on the show going 463 00:27:51.480 --> 00:27:54.960 forward. I am surprised, you made time for us, Ari. 464 00:27:56.310 --> 00:27:57.480 Ari Redbord: Always, Anna. 465 00:27:57.600 --> 00:27:58.380 Anna Delaney: Oh, that is good to know. 
466 00:27:58.380 --> 00:27:58.920 Ari Redbord: Always. 467 00:28:00.420 --> 00:28:03.240 Anna Delaney: David, what does the year ahead, half year ahead 468 00:28:03.240 --> 00:28:04.350 look like for you? 469 00:28:05.640 --> 00:28:09.960 David Pollino: Well, we discussed before this Proof of 470 00:28:09.960 --> 00:28:13.650 Concept session here that the new law that was passed around 471 00:28:13.680 --> 00:28:16.260 requiring the FBI to have a little bit better data 472 00:28:16.260 --> 00:28:20.490 collection around cybercrime. I wonder how many people realize 473 00:28:20.490 --> 00:28:24.390 that cybercrime is the largest form of crime in the United 474 00:28:24.390 --> 00:28:28.920 States. I mean, it's unbelievable how easy it is to 475 00:28:28.980 --> 00:28:32.070 stick for many criminals to get away with it, and how difficult 476 00:28:32.070 --> 00:28:35.640 it is for us to really get down to the root cause. So I think, 477 00:28:35.640 --> 00:28:38.700 we're going to see more cybercrime. We're going to 478 00:28:38.820 --> 00:28:42.660 continue to see more scams; we're going to continue to see 479 00:28:42.780 --> 00:28:48.510 more unauthorized access to data and data being published. And I 480 00:28:48.510 --> 00:28:53.580 don't think ransomware is going away anytime soon. So, more of 481 00:28:53.580 --> 00:28:57.780 the same, but hopefully with this new rule here, we'll 482 00:28:57.780 --> 00:29:01.770 understand exactly why it's hurting and maybe even come up 483 00:29:01.770 --> 00:29:04.560 with some new ideas on how to protect ourselves against it. 484 00:29:06.090 --> 00:29:07.410 Anna Delaney: Tom, work is not done. 485 00:29:08.520 --> 00:29:09.780 Tom Field: Can I offer my wish list? 486 00:29:09.810 --> 00:29:10.320 Anna Delaney: Go for it. 487 00:29:10.890 --> 00:29:12.780 Tom Field: I want to see the U.S. government pay out $10 488 00:29:12.780 --> 00:29:19.170 million in a bounty. I want to see a ransomware perp walk. 
I 489 00:29:19.170 --> 00:29:23.040 want to see us have holidays that don't coincide with new 490 00:29:23.040 --> 00:29:26.430 large-scale supply chain attacks. I don't know that we're 491 00:29:26.430 --> 00:29:28.290 going to see any of that. I think it's going to be a half 492 00:29:28.290 --> 00:29:29.130 year more of the same. 493 00:29:31.560 --> 00:29:35.400 Anna Delaney: And breathe. I hope you're wrong. But yes. 494 00:29:36.270 --> 00:29:39.480 Something tells me, you may be right. Well, thank you, 495 00:29:39.480 --> 00:29:42.060 everyone. This has been fantastic. It's been fun and 496 00:29:42.060 --> 00:29:45.330 informative. So, Ari Redbord, David Pollino, thank you so much 497 00:29:45.330 --> 00:29:46.050 for joining us. 498 00:29:46.680 --> 00:29:47.850 Ari Redbord: Thank you so much for having me. 499 00:29:48.300 --> 00:29:49.350 David Pollino: Yeah. Thank you for having me. 500 00:29:50.340 --> 00:29:52.260 Anna Delaney: And thank you so much for watching. Until next 501 00:29:52.260 --> 00:29:52.590 time.