March 19, 2025: Troy Ament, Industry Leader for Healthcare at Palo Alto Networks Joins Drex for the News. The conversation delves into the importance of establishing relationships with law enforcement before a crisis occurs and why including them in tabletop exercises is crucial. Troy examines why threat actors deliberately target healthcare systems during weekend hours when staffing is minimal. From DDoS attacks serving as distractions to threat actors contacting board members directly, this episode provides an insider's view of today's cybersecurity landscape.
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
UnHack (the News): Knowing Your Cyber Threats and X Takedown Impact with Troy Ament
Our engineers design solutions specifically for healthcare to outpace cyber threats, enabling providers to pursue innovation without compromise. Partner with us to safeguard patient data, deliver care from anywhere, and secure connected devices, including medical IoT. Our best-in-class cybersecurity is backed by industry-leading threat intelligence and AI to drive autonomous security operations and reduce dependence on multiple disconnected vendor systems.
It's what makes us the cybersecurity partner of choice and the security to depend on when lives depend on you.
Visit ThisWeekHealth.com/Palo-Alto-Networks for more information.
Today on Unhack the News.
(Intro) These threat groups have started to understand: wow, they know what our next step is. They know how we negotiate. They know what our next move is going to be in a ransomware attack. So they're trying to hide their playbook.
Hi, I'm Drex DeFord, a recovering healthcare CIO and longtime cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain-English, mostly non-technical show covering the latest and most important security news stories.
And now, this episode of Unhack the News. (Main) Everybody, it's Drex, and we are doing Unhack the News again, and there's never any shortage of stuff to talk about in the news. I've got Troy with me from Palo Alto Networks. Say hi, Troy.
Hey, how are you doing, Drex? Thanks for having me.
Absolutely, glad you're here. We've been working on this for a while, you and I, trying to figure out how to get together for Unhack the News. I'm glad we finally got it done. It's your first time on the show.
It is.
Thanks for having me.
Maybe we should just start here.
bout you and your background
Yeah. I've been in healthcare my entire career. I led EMR implementations at the beginning of my career, for about five years, across a couple of large health systems, and then was the CISO at a couple of large health systems as well.
Now I've moved on to this side of the business. I love it; I work with healthcare customers every day and see something different every day. I'm our global industry leader for healthcare at Palo Alto Networks. So we've got a large portfolio of services and products that protect, secure and, sometimes, remediate breaches, right?
As it turns out, I'm reading more and more. We do the CISO summits around the country, we do the city tour dinners around the country, and in the conversations with CISOs the transition has happened over time from it being about keeping everyone out. That's just table stakes.
Now it's become much more about detection and response.
in depth being prepared and
And it definitely is a complex ecosystem. One of the stories I want to talk about today is something from The Register, and this isn't specifically about a healthcare organization at all.
But you and I both know that often the first time a healthcare organization knows that there's something going wrong is when the FBI calls them. In this particular article it says, "This is the FBI, open up. China's Volt Typhoon is on your network," and it's funny because it gets into the story of the person who got the call from the security team, who was like, "You're crazy. This sounds like somebody's trying to scam me," and it took them a while to actually really answer the call. But it's true, right? Do you guys see that too?
Yeah, even going back to my days as a CISO, I've been that person in that chair, right? So I've gotten that call from the FBI.
hat call from large partners
And then the other side of it, because some customers become so surprised, or not sure, is to have your formed relationships from an incident response and threat intelligence perspective. That's important because, unfortunately, there are all too many partners out there that are using this, we call it ambulance chasing, right?
Saying they have threat intelligence specific to your organization. So just making sure these are the ones that we're going to partner with to receive that information and act upon it. Because, like you said, Drex, that example there was somebody going, gosh, is this right? So it's just important to know what sources you're going to utilize.
It is no matter what we're
The same with the regional office. Your local police authorities who are in the cybercrime unit, all of those folks are really important to have in your Rolodex, like at the top of your Rolodex, so that you know who they are. You have them programmed into your phone, so if they call it pops up and you know who they are. A really important part of the whole plan for cybersecurity.
Let me flip to another story here, because this one I find to be really interesting, and it's from CyberScoop, and the story is about how investigators say differing names for hacker groups hinder law enforcement, and that's really interesting to me, because there are a lot of different names.
rs. Sometimes it's a handle
How do you all deal with that? Because you're working against these bad guys all the time.
Yeah, so it's important for us to know who we're working with, working against, because we start to learn their playbook, right? Whether it's ransomware negotiation, whether it's the tools that they use, their craft, where their skill sets lie, that's really important.
eption techniques, just like
Big division of Palo Alto Networks. So we've got a deep understanding of these different threat groups. And these threat groups have started to understand: wow, they know what our next step is. They know how we negotiate. They know what our next move is going to be in a ransomware attack. So they're trying to hide their playbook, hide their formations, all of those types of things, so that they're better positioned.
But that's our perspective on it. That's what we're seeing.
It's always amazing to me to think about. I used to get threat intel briefs on Friday, and it was always... I would leave those threat intel briefs on Friday afternoon and I'm like, why do I do these threat intel briefs on Friday afternoon?
y tradecraft, but how do you
How do you know what those moves are?
We see repetition, right? And all of us are creatures of habit no matter what we're doing within our daily lives, whether we're doing good or doing bad. We see them doing reconnaissance. It's early in the week, maybe they select their victim.
Then, maybe a little bit later in the week, they start. They work the same hours; they get up during the daylight. They operate like an enterprise, right? So if it's eight to five in their geography, wherever they're at in the world, that's when they're going to be working, in some scenarios, depending upon your security maturity.
Do you have your shields up and your best people in place to protect your organization at those times? Sometimes that can be advantageous to them. So we start to see them starting to do phishing attacks early in the week. And then once they gain a foothold, what we see in healthcare, at least what we've seen over the last five years based on our experiences, is they'll wait until Saturday night, Sunday morning, that type of thing, and really launch their attack when a health system likely doesn't have staff on board,
and if they can get two steps ahead, it's harder if you don't have incident response retainers in place to contact vendors, all of those types of things. That's why they launch their attacks at that time, because they can be more successful.
Yeah, once they're in, if they can get... because it barely takes any time now, right?
It used to be... tell me if you think this is true. This is just a notion that I feel like I have from talking to folks. It used to be that the bad guys would get in and they would very slowly and meticulously go through the network and find all the vulnerabilities and do all that kind of work.
thinking about that, right?
Yeah. And I think this is like building a home, right? They all have different roles and responsibilities. The plumber's doing their job. The sheetrocker's doing their job.
Maybe the person that's executing the phishing attack is inside the same threat group. But it might be a totally separate contractor that is going to sell that information on to the person that's going to execute the ransomware attack.
So I do think you're right there. I think their work is very intentional and very quick because, that's their role. So yeah.
And my brain works in analogies, and I've tried to explain this in the past as the bad guys being like big tech companies that have a lot of independent consultants who work with them and are really good at specific things like negotiating ransomware. But I might actually steal your contractor example, because I think that's actually a lot better and a lot easier for more people to relate to. So thanks for that. I love a good analogy.
h. Yeah. And there's windows
Resource to arrive. So when we close the window of our response, whether it's a phishing scam that then leads into a ransomware attack of them getting a foothold, that's why it's really important, because they're not perfect and there are definitely gaps within the timelines of their attacks.
And you're looking for that particular pattern of the way that contractor does the process of building their house. That helps you identify who that contractor, who that bad guy, is, essentially.
the longer those credentials
The buyer is then going to try to use those as quickly as possible, because if you're a buyer of any type of credit card information, credential theft, any of that information, we all know that the faster you use it, the more reliable that information is going to be.
Yeah, fantastic, man. It's a crazy world we live in.
And speaking of that, one more story. X was attacked this week. Twitter was attacked this week with a distributed denial of service. I have a problem with the word distributed, I don't know why, but a distributed denial of service, a DDoS attack. And I explained it a little bit earlier in the week in the two minute drill.
A bunch of PCs or IoT devices or other things are compromised and then they're built into sort of this bot army, where the bad guy says, go to this site or go to this web page and just launch traffic. It usually doesn't result in, like, ransomware or data being stolen. It's really just to disrupt the business.
t of the previous story, how
Yeah, it's chaos. It's just total chaos in your network.
It's coming from everywhere. You're not seeing, like, code manipulation. You're not seeing different languages necessarily, because a lot of it is just network congestion, right? Fortunately, those attacks take a lot of resources, right? Not only people and reconnaissance, but then technology and bandwidth, right?
But in some scenarios, these threat actors are finding compromised devices that they can then build a big, large bot army, right? And then point it in the direction of an organization that would really be affected. If we think about, health systems or healthcare organizations, or even out to retail.
, that's much different than
We don't necessarily worry about that as much. Now, another scenario could be during benefits enrollment season. That's a long season. So we've got to think about that, because threat actors are always evolving.
They're looking for holes in operations within healthcare, and at how these different mechanisms that work in other industries could apply. If you impact operations, you're going to get a ransomware payment, right? That's the name of the game as it relates to ransom attacks.
This doesn't just happen to companies like X. I know it's happened in healthcare too. A few years ago there was a DDoS attack at Boston Children's and there was a bunch of activity. Ultimately, that person was caught and convicted. But the other thing is, sometimes these DDoS attacks are just distractions while something... watch my right hand because I'm doing something with my left hand, as a magician would try to keep you fooled. Same kind of thing.
ng on, right? So it could be
As a distraction, but they can be piling on, and not just DDoS attacks. It can be other types of attacks like defacing your website, contacting your board members. All of these techniques are things that the threat actors are utilizing to apply more pressure and more pressure to, basically, win their game of whatever their goal is.
Usually it's monetarily involved, right?
You said something else there too that makes me think of a comment we probably should put out here too as cybersecurity professionals: protecting yourself and protecting your family. I say that because sometimes they know who you are and that you're a key critical component.
u from being able to do your
I think specific to healthcare we see the threat actors in some scenarios contact board members, maybe if they've impacted or sold a lot of patient records.
They know the board members' names because they're on all these health systems' websites, right? That's pretty common information. And if they steal that medical information, they contact that board member via probably a publicly known email address and say, this was your patient encounter on this date.
I've got your information. And then, when you're in the heat of the moment and that board member comes to the meeting, right? That's really challenging, right? So as a part of your tabletop exercises, including your board, including your senior leadership:
these are the types of things that you're probably going to see happen, right? Especially in very large breaches.
Turning up the heat to push you toward that ransomware payment or whatever the case may be. Hey, thanks for being on the show today. It was really good to see you.
All right. Thanks, Drex. be here.
Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.
Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.
As always, stay a little paranoid, and I'll see you around campus.