This Week Health
UnHack (The News): Scattered Spider Arrests, Board Accountability, and Security Breach Tips with Cristian Rodriguez


June 24, 2024: Cristian Rodriguez, the Field CTO of the Americas at CrowdStrike, joins Drex for the news. The conversation delves into the growth of CrowdStrike from a 100-person team to a 9,000-strong cybersecurity powerhouse. How do organizations adapt their incident response plans when adversaries infiltrate their communication systems? What motivates cybercriminals, and how does the quest for recognition shape their activities? The episode also touches on the psychological profiles of cyber adversaries, drawing parallels to organized crime structures. As cybersecurity regulations increasingly hold CEOs and boards accountable, how will this shift impact corporate strategies and resource allocation? Cristian shares intriguing anecdotes from the front lines, including the rise of sophisticated social engineering tactics like SIM swapping and the unexpected presence of adversaries in war room calls. The discussion concludes with reflections on the socio-economic factors driving cybercrime and the critical need for robust security postures in today's digital landscape.

Key Points:

  • Cybersecurity Growth Journey
  • Adversary Motivations Explored
  • Incident Response Strategies
  • Board Accountability Shifts
  • Social Engineering Tactics

News articles:


Alex’s Lemonade Stand: Foundation for Childhood Cancer Donate

Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on Unhack the News. (Intro)  

I think every company I've met with over the past six months alone, in terms of board meetings, they're expressing these concerns that, hey we want that visibility.

We want our CEO to be aware. And we want to know what the plan is.

Hi, I'm Drex DeFord, a recovering healthcare CIO and long-time cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain-English, mostly non-technical show covering the latest and most important security news stories.

We want to thank our Unhack the News partners, CrowdStrike, Fortified Health, Enterprise Health, Island, and Order for their support. And now, this episode of Unhack the News.

(Main) Hi, I'm Drex. Welcome to Unhack the News. This is going to be a very interesting and special episode because my good friend and formerly best friend at work, maybe, Cristian Rodriguez, is on the show. Cristian, introduce yourself. Will you just keep getting promoted?

What's the job now? What's happening?

Yeah, this year. So yeah, I'm the Field CTO of the Americas. I've been with the company for going on 10 years. The end of this year is going to be 10 years, and I've had, I think, the most titles out of anyone in the company, right? So

10 years ago, how big was CrowdStrike 10 years ago?

How many people?

When I started, we were a little over a hundred people. It was like 120-esque, and now we're approaching 9,000.

Yeah, you've seen it. Yeah. You've been along for the whole crazy rocket rides. Absolutely. Absolutely.

Yeah.

You also you have your own podcast.

I've been a guest on your podcast. Yeah.

You were one of my first guests. Actually. We did a healthcare focused episode last year.

Yeah.

You were on there with Dennis Egan. I think we did a two-parter to that.

And it's been, and it's been on for a year now.

Yeah, it's the Adversary Universe podcast.

Yeah, we're approaching the end of year one and the feedback has been overwhelmingly positive. There's been a lot of folks coming and sending feedback that they really enjoy the authenticity of the episodes. It doesn't sound overly scripted. It's just, Adam and I having great conversation about bad guys.

You guys do a great job working together on the podcast. And in the last several episodes, I noticed that you have also added sound effects for when certain things, when you ask Adam a question and he can't quite come up with the answer. There's like the Jeopardy music starts to play in the background.

I love that so much. I might actually steal it.

That's great. Yeah. The team that's responsible for post-production work, we were begging at one point just to put a little more color into the content because we were just having so much fun. And by the way, there's a lot of editing that goes into the podcast.

And so the episodes that do air, some surgical changing and modifications are sometimes made, because I'll hear a portion of a segment and I go, I thought I said five other things, and it actually has to go through like legal review, or the team says, hey, we need to compress this messaging. And so they try to keep it as authentic as possible, or true to the nature of the original dialogue, but sometimes we drop a curse word every now and then, and we're like, hey, we can't say that on the air, so it needs to be modified.

But there's a lot of editing that goes into it, but it's as close as possible to what we want it to be.

Yeah, it's great fun. Listen to every episode. I would say anybody in should listen to every episode because you guys are so good at getting into the sort of bloody, gross details with the bad guys.

In the last episode, you all dug into the reality that sometimes bad guys, once they're named by CrowdStrike, that's almost like a badge of honor. It's a badge of street cred for them.

Yeah, it's it basically, we've seen evidence of them really embracing the naming conventions that we've adopted over the past decade or so.

told their peers hey, look, we've been named by CrowdStrike. We've made

it.

Yeah, we've made it. Exactly. And so it is interesting. I think it's fascinating that the adversaries also spend a lot of time researching whether or not they are recognized, and if their campaigns are being publicized, and how close the good guys are to being on their trail if it's public knowledge. And so I think it's fascinating that they have some collection of blogs somewhere, right? Someone has an RSS feed going on.

They have their own kind of marketing and their own social media teams or something like they're looking for to make sure that they're rated highly and they have new subscribers

I think we had an episode and I'm not, by the way, trying to overplug the podcast, but there's a really great episode where we interviewed a gentleman that used to be an FBI behavioral profiler. And so, Cam and his last name eludes me. So apologies, but Cam he covers the dark tetrad, right?

It was, so these four personality traits, and there's like psychopathy and there's narcissism and Machiavellianism and sadism. And if you take this last episode we did on the adversaries basking in the glory of getting a name from CrowdStrike, and you start mimicking, contrasting that against things like narcissism and, you know, that sadism, and start to realize, oh wow, these guys really do enjoy some of the recognition, right? And then there's others that really don't want that, that are much more surgical in their approach, and they're very purposeful. But there's others that just want that glory, and we saw that years ago with, there was a group out of Nigeria, one of the groups we were tracking that was responsible for a lot of BECs, or business email compromise attacks.

And it was, I think they were called the Yahoo Boys at the time. And they were so adamant about advertising publicly in the form of rap videos that they posted on YouTube and like other media outlets and streaming platforms. In their rap videos, they would talk about the fact that they hacked these companies, and they were just so happy about, hey, we did all these bad things, and look at the gold chains, and look at all the great things that we've accomplished from these BEC attacks.

And they were subsequently arrested, a whole group of them. There's a really good article on the FBI getting involved, but some of them want that almost star recognition, right? And I think we should probably do an episode on like the socio-economics of these countries that generate the most e-crime actors versus other countries that have more first-world type of economies that you don't necessarily think so, when it comes to these kinds of attacks we find that, or the attacks are a little more sophisticated versus some of these other groups that come from third-world countries, and it feels a certain type of behavior when it comes to these types of attacks.

I think it would be fascinating discussion. I mean

you got to think too in some of the countries that don't have extradition treaties, Yeah. This is the kind of work that kind of makes them rock stars in their countries, right? And

their towns, exactly, and their villages, and their towns, especially if they, and I'm not saying like I'm pro bad guy, right?

But in certain countries, yeah, these guys will make money and their neighbors don't know where it's coming from, but they'll try to pump that money. Much like your typical, yeah, physical gangster. Or like that says I'm gonna to my neighborhood. They try to Robin Hood it. Exactly.

They try to Robin Hood it. Exactly. And we see that as well. And I mean, some of these groups are so sophisticated and they're so big. They have their own call centers and they have like their own HR departments, and they're hiring people to do this. And so it's interesting that they've really made crime a business, right? And not in terms of a slang or a motto, it's a real business.

No, a lot of these bad guys they're structured like corporations. I mean, they're not incorporated, but they have all the stuff.

They have employee of the month programs and all of those bonus programs and all those things. Exactly. So there's also a ton of tips in the podcast and one of the ones that I thought was probably really interesting and fascinating in the last episode, y'all were talking about when something bad happens and you set up the conference call or the video call, a couple of different parts of that.

One was the tip of, if it's a business email compromise, if you think you're in their system, maybe you don't want to set up that call using your corporate business email. Yeah. And I want you to talk about why that is. And the other one was, when you're on the video call, it's probably an important thing to actually see you on the video.

Yes, exactly. Talk about that. Tell me a couple of those stories.

It's interesting. I'll tell you a story that happened years ago when I first started at CrowdStrike. We have a service here called Overwatch. It's now been rebranded as the CAO team, but it's our team of hunters that are eyes on glass on behalf of our customers, and I remember getting a call from Overwatch one day and they said, hey, we worked a lot with these smaller think tanks, basically, and one of the think tanks that we were working with had just installed us in monitor-only mode. We found an adversary in their environment on a Saturday morning, just like taking stuff, right? They were on the Exchange servers. I mean, they're in the environment. And Overwatch was trying to call the customer.

And I remember this was like very early in my career. Here's a question I could go, well, did you email them? And someone from Overwatch said, absolutely not. It's like, the adversary's in the Exchange environment. They're seeing all the emails. They're extracting these emails. Like, we're not going to email them and tell them that we know. That's a tip-off.

Exactly. And so they're like can you find this customer? And this is, I live somewhere else. And they're like, as in physically find them.

I was like, drive over to the building. Yeah, like something.

Exactly. Yeah. I remember. And on Saturday, I remember doing a lot of homework and finally tracking down this customer and saying, Hey, you're gonna have to just go in there, just like unplug something, right?

We've been trying to reach you all day. And again, a very small organization, they have one person in charge of everything. All IT, all security, think about that, right? Very small. Understaffed is an understatement, right? So it's more of like you have a problem, right? Like, it's time for you to unplug this.

And we basically helped them kick the adversary out. Long story, but for me, that was the first time I realized, wow, that's a really good point. If the adversary's in your environment, especially your email system, and your email exchange and correspondence includes information around the incident itself, your response program or your plan, the action plan.

I mean, that is just the adversary just sitting there. Attached is our incident response plan to this email. Exactly. We're going to be meeting at this location. We're going to get on this Zoom link or whatever type of, web meeting tool. It's diminishing returns at that point, right?

When you're communicating over email. So I think that the out of band that Adam recommended for saying, hey, an incident response plan should ultimately have out of band communication that doesn't include the use of email, corporate email systems, because this is, something that the adversary could use to their advantage.

And yeah, but it's fascinating. Great insight. Yeah, seriously, you don't really think about that until you're dealing with it. And when he told me about adversaries sitting in on the actual war room calls, I think that's fascinating, right? To say that there's a war room going on, and there have been instances, and I don't think this portion made it into the podcast, but there were instances where we got involved, and there's someone on the call, not on video, right?

And we say, hey who is this? And no one can answer. Only to realize after some homework that, oh yeah, this is the bad guy sitting in on this phone call, in this war room.

In a war room too, sometimes there's, it can be 30 or, I mean, there can be a ton of people on Zoom, and so you don't necessarily recognize all the numbers.

You don't recognize the numbers, and I think having a plan that says, A, we're going to let you in. Sometimes these web programs or these web meeting tools like Zoom, you can actually allow the participant in, right?

Oh, I think that would be something very useful. Set it up like that, yeah. So you know who that is, so you let them in. They don't just auto-connect.

Exactly. Versus auto-connecting, like you have to approve the entry and then get that person on camera, and then have them validate their identity via either it's a password or something. But there should be a validation process that is very analog, right?

Thanks, right? Over this digital world that we're communicating in, there needs to be something to help validate you are who you say you are. And I say that also a bit tongue in cheek with respect to what AI did, what we saw with AI, with that one deepfake that happened in Hong Kong where the video system had the fake CEO.

So there needs to be something analog to validate who you are. And I think we're going to see a lot more of that.


against childhood cancer. In:

This June, we're inviting you to join us. It's simple. Just visit ThisWeekHealth. com and click on the cancer ribbon to make your donation. Together, we can continue Alex's mission to make a significant impact. Every donation moves us closer to a world where no child has to face cancer. So, take a moment, click on that ribbon, and make your contribution.

Thanks for your support, and let's make this June a month to remember.

So, Adversary Universe, great podcast. Love it. Tell Adam we all say hi. Let's get to a couple of news stories. One is the Scattered Spider big shot. What have you heard or what do you know about that? It seems like really big news.

Yeah, that was interesting. So he got picked up in Spain, I think. And I think that's interesting because, we don't have a lot to disclose, of what was published. But that's interesting because he's the second member of Scattered Spider, or affiliated with Scattered Spider, that is made in Spain.

their way into law enforcement, right? There's one other before this, if you recall, in, I think it was Palm Coast, Florida, that was picked up, and he was responsible for a lot of the SIM swapping campaigns that were very successful. And I don't know if you want me to explain SIM swapping.

Yeah, go ahead.

Sure.

Yeah. So in short, SIM swapping is a very surgical social engineering approach to getting your mobile company to, you're convincing your mobile company to swap your phone number to a different SIM card using this very aggressive validation process. So at Longstreet they're scraping everything they know about you and calling up your cell phone company, and they're convincing the operator on the other line to say, hey, I have a new phone, a new SIM.

Do you mind swapping it over? Here's a SIM number. And when they ask you for the validation, you basically work your way through a series of questions in an effort to get that whole

Social engineering of the, it is, of the person you're talking to on the phone.

Exactly. And so, and then once that happens, that adversary has access to everything from intercepting your MFA text messages, right?

For those that have received a text message.

Because those now go to his phone. Yeah.

Exactly. So now the bad guy's in, especially if they've already compromised your credentials. They're just waiting and prepping themselves for what that secondary multi-factor authentication prompt is, and it could be something as basic as a text, and that's game changing.

And they've been extremely successful at that for the past several years. And so they picked up that one guy in Palm Coast, or he was based out of Palm Coast, Florida, which is scarily close to me, and then they picked up this other guy in Spain, which they believe is the ringleader, also very responsible for this.

So I think this group, Scattered Spider, they've really almost resurrected social engineering on a new level, right? It was very aggressive. They spoke English really well. They worked their way through help desk calls. I mean, it's just a very persistent actor, right? That also has a pretty broad network.

And so while I believe this is just two members of a larger group, I'm sure we're going to hear a little more about this.

I mean, I try to always be an optimist when I hear things like this, and I'm like, all right, score one for the good guys, but at the same time, I know those bad guys have the ultimate in incident response programs and business continuity programs, and there's a backup guy for the backup guy for the backup guy when someone's taken out, so.

Yeah. And they've been responsible for some really big hacks too, so.

They are.

The pessimist in me says. the Scattered Spider at all.

Yeah, I think, even if he's one member it's one member of many, right? And I think that, what we've seen even before with other groups we've tracked, you cut one head off and then four more grow back, right?

And so, we've seen it with groups that have torn down their infrastructure, or say they're tearing down their infrastructure. There was one group we actually recently spoke about. I remember presenting this at a conference years ago where they had posted in one of their forums that they made so much money that they were stepping away from this life of crime, and they're like, hey, we have this infrastructure, we're going to tear it down.

And then, we saw not long after that, this new group come out of the blue and they started using that same infrastructure and repurposing some of the malware that was used in that campaign, or that ransomware that was used in the campaign, which to us meant that there could have been a splintering off of that group.

Maybe one group said, Hey, we're not done yet making money. And we're going to relaunch this infrastructure and use it as a campaign. It could be that group that, wanted to try to get the Department of Justice off them. And they basically came up under this new group and they tried to maybe hide their trade craft.

I mean, there's so many things that could be going on in these worlds.

And we even see, like, politically sometimes there's a political disagreement inside the company. Now there's not an intellectual property set of laws for these bad guys. So they also steal stuff from each other when they split off and get a jumpstart on the start of the new company.

Completely. It's like a, I think about the days when like my mom was getting into like multi level marketing or like my neighbor was like, Hey, you should, do you want to sign up under this program? And I go, well, what's the catch?

And Oh, I make money the more that you spend and the more that you sell, but you'll make more money if you sign up more people. And I feel like this very, intricate pyramid system of e crime groups is out there. Ransomware as a service and access brokers sit at the top, and then you have the operators at the bottom of that trying to monetize as much as possible, like the bottom feeders.

The ransomware as a service pyramid scheme. Exactly. Yeah. Hey, we'll cover just one more. There's been a lot of testimony on the Hill lately. There's a lot of other stuff that's been coming up, regulations through the SEC conversations about healthcare regulations and healthcare policy.

A lot of it is pushing the responsibility for cybersecurity past the CISO to the CEO and sometimes all the way to the board. Have you been seeing more of that or hearing more of that conversation? I know you talk to folks all over the country and around the world, so.

You've been in these roles before where you've seen certain, there's lots of companies where the CISO is a bit of a scapegoat, right?

A lot of pressure falling on a CISO, and there's even plenty of articles that talk about the lifespan of a CISO in an organization averaging roughly, what, 18 months to two years, which I think is an interesting stat. But to see that burden is being now spread out through the organization upward, I think is very interesting, because I think a lot of boards that I've been meeting with are taking security a lot more seriously, right? I've been invited to these board meetings to say, can you just educate us on what you're seeing out there and what does our posture look like today? And what else can we be doing to invest in the security and the posture of the company, and how do we protect the organization?

And I think that is a major indicator of boards recognizing that, Hey, the buck isn't going to stop at the CISO anymore, right? This is going to hit, a much higher level of management. And I think there's going to be a much broader set of accountability that we're going to see across some larger organizations, especially in the wake of the rules, for the more publicly traded companies, right?

And so, which by the way, isn't necessarily new, right? The concept of there being some type of regulation that holds your feet to the fire. We started with GDPR years ago in Europe, and we've seen that now here, now with this new SEC ruling. I think the four-day materiality thing is an interesting discussion, which is like a whole podcast episode in itself.

But I think that's interesting that, yeah, I do see companies that are definitely paying a lot more attention to the impact of a, and the lawsuits that come with a breach, right? Especially when you have like your own information that was stolen that's tied to consumers.

Yeah that, that is a big spend, right? And I think it should capture the attention of the CEOs of these companies we work with. But, I think every company I've met with over the past six months alone, in terms of board meetings, they're expressing these concerns that, hey we want that visibility.

We want our CEO to be aware. And we want to know what the plan is. And so I think that's promising that there's a lot more investment from the boards and there's a lot more tension, but I think it's still, I think it even leaves some of the smaller companies at a bit of a disadvantage that don't necessarily have those types of resources.

We have programs, but you know, it's an interesting discussion, right? Where the buck I think always stops with the director.

It feels like at least that's where it starts and then like you said, I think more and more now we see it up channeled and whether it's because of sort of internal company operations and policy or whether it's because of the public forcing the issue and asking the questions definitely folks higher up on the food chain are more and more involved in cybersecurity than ever before, especially when something goes wrong.

Yeah, especially when something goes wrong. I think it's the ripple effect of the price tag. I mean, you actually covered a really interesting breach recently. I listened to your podcast, or you have this, it's a kind of a quick review, the Two Minute Drill.

I think it's fantastic, by the way, so I see that pop up and I'm like, oh sweet, I wonder what Drex is talking about. And you were covering that healthcare breach with the 22, 25 extortion attempt, and it essentially went to a ransomware broker, and the broker never gave the money to the sub-operator, and it became this thing of, hey, we paid you, and the guy at the bottom of the pyramid is, I never got my paycheck, right? I think that type of financial impact is double-edged, right?

It's, hey, you lost the 22 million dollars, it's gone, and the adversary still went and leaked the data. I think that type of attention is capturing, also, the interest of these board members to say, oh wow, it's not as easy as we thought, or we know that insurance isn't the answer. Cyber insurance isn't the answer, right?

It's just one of the many arrows in our quiver, but it doesn't necessarily mitigate against the larger impact and the broader impact. And I think that's actually really driving a lot more conversations into the board to say, well, we know if there's something major that happens, you know, this could be detrimental to the business, right?

And it's more than just us spending money in security as a cost center. It's us saying we're protecting the company from, going out of business potentially, right? So there's a lot, I think, of impact analysis that's now made it into the vernacular of these board members. And that's catching the ears of CEOs now, right?

Yeah. Hey I know you have to go catch a plane. I appreciate you being on today. It's a lot of fun. We should catch up more often. I really do appreciate you being on the podcast though. And good luck with adversary universe and all the other stuff you're doing. I know you're traveling a ton and you're speaking at a lot of conferences.

So, keep your eye on the road because you may very well see Cristian out there in a city near you.

That's right. Absolutely. No, thanks for having me so much, Drex.

Appreciate it.

Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.

Sign up at thisweekhealth.com slash news. Thanks to our Unhack the News partners CrowdStrike, Fortified Health, Enterprise Health, Island, and Order. You can learn more about these great partners at thisweekhealth.com slash partners. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.


© Copyright 2024 Health Lyrics All rights reserved