May 6, 2024

In this episode of The Virtual CISO Podcast, host John Verry talks with Sagi Brody, CTO of Opti9, about the persistent threat of ransomware and how organizations can defend against it. They start with a light discussion about Florida life before diving into the evolution of ransomware, from its beginnings in 1989 to today’s sophisticated crypto-locking and extortionware attacks. Key topics include:

  • The stages of a ransomware attack, from initial access to targeting high-value assets.
  • The value of simplicity in IT environments for enhancing security.
  • How Opti9 uses AI and machine learning with their Observer tool to detect ransomware by monitoring backup and disaster recovery systems.
  • The importance of strong communication between security and IT teams in handling ransomware incidents.

John Verry (00:40.478)
Hey there and welcome to yet another episode of the Virtual CISO Podcast. With you as always, John Verry, your host, and with me today, Sagi Brody. And I hope I got that right this time.

Sagi Brody (00:45.422)
speed.

Sagi Brody (00:58.371)
Yeah, thanks.

John Verry (00:59.958)
Good to have you on today. So I always like to start simple. Tell us a little bit about who you are and what is it that you do every day.

Sagi Brody (01:08.006)
Yeah, so I was a co-founder and CTO of a cloud computing company about 20 years ago that ended up merging with a few other companies and turned into Opti9, which I’m still the CTO of today. And in addition to that, I also consult with a bunch of other, and I’m on the board of a bunch of other cyber companies. And what I’m doing today is really mostly just helping customers determine the right solutions for their use cases, trying to get people to kind of think bigger and not get too pigeonholed. And I’m also just doing a ton of reading and R&D on how our digital infrastructure world is changing and what’s sort of coming down the pipe.

John Verry (01:52.52)
That will be a never-ending avocation, right? Before we get down to business, I usually ask, what’s your drink of choice?

Sagi Brody (02:02.71)
Yeah, so I moved down from New York to Florida not too long ago and the sun has got me just probably drinking more beer than I should be lately, but I’ve been drinking a lot of scotch late evening, you know, turn the fire on sort of thing.

John Verry (02:21.79)
Yeah, nothing like a glass of wine or a glass of bourbon in front of a fireplace up north. Florida definitely, I never even thought about Florida to change your drinking habits. I’m not a Scotch guy, but I’m a bourbon guy. One of the things I do in the summer up here, which is remarkably good, unsweetened green tea, honey, lemon, and a little bit of bourbon. Just super light, super refreshing. So give it a try. It is, it’s really good. So one of the reasons why I was excited to have you on.

Sagi Brody (02:44.914)
Thanks.

John Verry (02:51.746)
is at Opti9, one of the things that you guys specialize in is helping people address the risk of ransomware. Now, I find it remarkable having this conversation in 2024. In preparation for it, I did wonder when the first ransomware was supposedly recorded. They came up with 1989, and it was done on floppy disks. But I think it really became in vogue and more significant post Bitcoin, right, because there was a way to actually monetize it, and that’s probably arguably, I think, 2012 or so, it really started to become an issue. So we’re a dozen years into this being a significant issue, but yet we haven’t solved it yet. So let’s start with A, define what ransomware is, and talk a little bit about how you’ve seen it evolve over the last decade.

Sagi Brody (03:41.55)
Yeah, sure. So, you know, I think that, you know, ransomware is probably used a little too loosely these days, I believe, especially when you start seeing statistics out there. I saw one yesterday that said that they polled over a thousand companies or enterprise organizations and 75% of them said they were hit with at least one ransomware attack last year. And to me that just seemed just way too high. And I wondered if the respondents were kind

and just generic cyber attacks in their response. I mean, I think ransomware is a subset of cyber attacks. And typically what it’s referring to is a piece of software getting into an asset, typically a server or a computer, and either crypto-locking it so that it’s encrypted and you cannot access or utilize the asset until you pay the ransom and get the unlock keys. Or it could also refer to data exfiltration, meaning an attacker gets into an organization, essentially gets your sensitive data, copies it out, and then basically just blackmails you. You know, I think those are the main two sort of versions that people typically are referring to.

John Verry (05:01.679)
Yeah, the crypto-lock obviously is the classic. The last one, that’s I guess what you commonly refer to as extortionware.

Sagi Brody (05:09.27)
Yeah, I mean, I definitely see it. You know, you don’t hear that term used as much. I do see a lot of, I do see both variations sort of being referred to as ransomware.

John Verry (05:19.31)
Gotcha. Because in both cases, someone is ransoming you, you know, in the first case to have access back to your data or computing resource, and the latter not to disclose that information, correct?

Sagi Brody (05:30.454)
Yeah.

John Verry (05:32.278)
So on the same page there. So you did talk about this idea of a piece of malware, if you will, getting onto a system. I saw a presentation you gave once on the anatomy of a typical ransomware attack. I thought it was pretty well done. Can you just walk through it at a high level? What does that look like?

Sagi Brody (05:51.542)
Yeah, sure. Thank you. Yeah, I think there’s a, you know, just like other, you know, you have to keep in mind these attackers, you know, they are technologists, just like us today. They’re getting trained up on these, you know, on commercial pieces of software, then maybe they’re getting their certifications on different types of software and technologies. So they just have different goals, right? Those are a little bit more nefarious than the rest of us. But they are just like the rest of us. And just like we follow standardized workflows and patterns to accomplish our goals, that’s what they’re doing. And the typical workflow for a ransomware attack is they’re first getting into an IT organization, obviously from the perimeter. And the way that they’re first getting in these days, it’s typically something like a phishing attack or sending a compromised email or using some facet of social engineering. I think what’s interesting is some of the largest and most publicized attacks that we’ve heard about do have a social engineering aspect. The example I like to give is the Stuxnet attack that occurred against the Iranian nuclear centrifuges, right, and that was started with someone leaving a USB disc in front of the office. I mean, that facility was completely air-gapped. It had no connectivity to the outside world whatsoever, but, you know, human curiosity is not something that you can solve for technically. So someone picked up the USB stick, I wonder what this is, took it upstairs to their desk inside the nuclear facility, plugged it in, and now the attackers are on the inside.

They had a certain amount of data. They knew what types of devices were in.

Sagi Brody (07:46.59)
They knew what types of Siemens industrial manufacturing equipment was there. And they were able to code the ransomware so that once it was on the inside, it was able to proliferate throughout the organization internally and look for a specific type of asset to go after. Now that part of ransomware I think is very typical and evolving. The high value asset is going to change depending on who your target is or what your goals are. But the general strategy of, I’m gonna get in some way, and again there’s a few different ways to get in, and once I’m in, the software is going to automatically, you know, traverse the network and look for a high value asset to then attack, you know, that’s the typical workflow.

John Verry (08:34.542)
Yeah, it’s funny you should bring up Stuxnet, because that is one of the more fascinating ones. If anyone listening to this doesn’t know about that, do a little research; there was a great, I don’t know if it was a Netflix, a great documentary on Stuxnet. That was the US government that perpetrated that particular piece of malware, and the cooperation with Siemens, the cooperation with some, they went on the market and bought zero-days. Really fascinating how that actually all went down.

So they get the bad stuff, the malware, onto a system. They identify the high value asset that is going to be ransomed or extorted, and game on. So when you think about limiting that, I think as an industry, if you will, we’ve made significant investments over the last 12 years.

I know security awareness education, people are doing phishing exercises, a lot more focus on endpoint protection, the tools have advanced, more artificial intelligence involved, vulnerability and configuration management, EDR, XDR, SIEM, SOC. Why have we not been more successful with all of those investments, right? Ransomware is still a significant.

Sagi Brody (09:50.082)
Yeah, you know, I hate to be cliché, but this is all an arms race, right? And the folks on the other side are, you know, in many cases, just as smart, certainly sometimes smarter. I think that some of that comes down to complexity, right? I think one of the things that IT leaders are not talking about these days is, you know, the role of IT leaders, you know, CISOs, CTOs, CIOs, I think one of the goals should be to reduce complexity creep and try to create the simplest environment possible. Because the simpler the environment, the easier it is to monitor, to secure, to manage, to ensure compliance of. And so complexity creep is a real thing. Every time someone in the organization goes and signs up for a new SaaS platform, or uses another cloud, they’ve just increased the complexity of the environment, or how challenging it may or may not be to secure it, dramatically. So we need to make simplicity of IT a goal, because now we have a smaller sort of data set or environment to work with to secure. So I think that’s part of it. I think the environments are getting more complex over time and the attackers only have to be right once, right? Regardless of all the different potential mitigations and protections, if there’s one vulnerability, that’s really all they need.

Every time we as the white hat folks, or the folks that are doing the protection, every time that we put a mitigation in place, they become aware of it and they’re going after it. I’ll give you a good example. Going back to the workflow that we just spoke about, one of the things that we saw at Opti9 was the workflow changed a little bit. Once the attackers got into an environment, they became aware that, hey, lots of folks have backups, and not just a local backup, but maybe an offsite backup, or maybe they have a disaster recovery configuration somewhere and they’re replicating all their data. So they modified the workflow. Now when they get in, they first look for those types of systems. They look for the backups, they look for the replication, so that they can destroy that. And it makes total sense. If your goal is to extract a ransom, you want to increase the likelihood of getting paid. And so you’re going to eliminate any possibility for recovery. And so now they’re going after those backups. They’re getting trained up on the backup application software, and, you know, now we have to get smarter there.

The other thing, I think, to answer your question, is there’s just a ton of bad assumptions that leaders have, and I’m not really referring to, you know, IT leaders, but just general, typically folks that don’t know as much. You know, people have a false sense of security. You know, maybe they see a report on TV around ransomware and they’re like, well, you know, we have EDR so we’re good, or we moved our data to the cloud, I’m sure Microsoft is protecting us from that, or I know we have this disaster recovery configuration, so I’m sure we’re okay. And there’s just all these really bad assumptions, and people don’t realize, you know, all the different layers of the stack, as you mentioned, that you have to deal with and all the different layers of protection you need.

John Verry (13:11.374)
So that’s really interesting. I agree with you on the complexity. And so one of the things which we notice, right, so as an organization, we help a lot of our clients become attested to comprehensive frameworks. ISO 27001, SOC 2, FedRAMP, things of that nature. And it’s pretty damn rare for one of our customers that is attested to actually have a ransomware issue. And I think I attribute that to the fact that they have a clear understanding of what the issues are and they’ve built a layered approach.

to solving that, right? No one tool, no one, there’s no single magic bullet. But I do agree with you, right, that layers equals complexity as well. So what are the strategies, right? Because I think you would agree that you need a somewhat layered approach. What recommendations do you have for somebody who’s, I need these layers, but yet I still need to maintain a higher level of simplicity to ensure that I don’t have breakdowns in the ongoing execution and operation of said layers.

Sagi Brody (14:12.474)
I think you just really need to understand the layers and understand the solutions that you’re bringing in, and not make any assumptions around what they’re doing or what they’re not doing. I think if an organization is going out and seeking a SOC 2 attestation, obviously I think they’re, to an extent, ahead of the game. I mean, I think that not everything gets translated properly. But if an organization is doing that, they’re obviously gonna be sort of more mature from a change control process. And I think that’s really important. I think a lot of this comes down to somebody, individuals within the organization, doing silly things. Right?

You can argue that it’s less about having the proper protections and it’s probably more around people just not clicking on those phishing links or doing silly things. I think a lot of this comes down to human behavior, you know. When you look at the attacks that are specifically targeted, you know, attackers that are going after a specific organization for a specific reason, that’s a completely different ballgame, right? And I think now you really need to get into what are the layers that we need. But if we’re talking about these sort of automated attacks, that are just sort of, they’re sending out thousands of, you know, automated emails and they’re hoping they get five percent back, you know, I think a lot can be solved with training. Also, you know, vendor diligence here is very important, and when I think about SOC 2 and I think about some of the questions that are in there, you know, I think there’s again a lot of change control related items. Some industries are much further along than others when it comes to this, and some have not been attacked yet, just because that industry, for whatever reason, has not been targeted. But it’s going to happen. For me, the best example of that is really the commercial and business aviation industry.

John Verry (16:18.806)
Yeah, so question for you. So one of the things I tend to advocate, because I agree with you on the complexity side, we need the layers, right? We need a certain stack of tools. Sometimes, you know, best of breed versus single vendor, both from a services vendor and or from the perspective of, whether it’s a Palo or a Fortinet or Zscaler, whatever. And sometimes having not best of breed, and sometimes having just a single vendor to simplify that ongoing operation, maintenance, knowledge, understanding, training, can be helpful. Are you guys advocates of that?

Sagi Brody (16:56.774)
I think the most important thing an organization needs to ask themselves when talking about all these things is, what do we have an appetite to take ownership of from a security perspective? Do we want to be responsible to protect all of our assets, or do we want to outsource some or all of those layers? I think what you notice there is that for folks that don’t have an appetite to do it, working with a single vendor who’s going to drag along whatever tools they prefer, it’s fine, because it’s on them, and you’re never going to get best in breed for every layer there because it’s the MSSP’s choice. If you do have an appetite and you have a team, then you have the ability to choose best in breed or customize based on your use case. So I think it’s really all about what does your bandwidth look like, and sometimes simplicity will mandate that you don’t get the best solution.

Sagi Brody (17:56.745)
deeper if I have less resources.

John Verry (18:01.041)
When you say go wider, define what you mean by that.

Sagi Brody (18:04.814)
Well, what I mean by that is I’d rather find one vendor that can tick all the boxes for me, but maybe not tick some of the more obscure or sort of more on the fringe boxes instead of finding the best tool that can do the best set of tools and now I have to manage 10 tools.

John Verry (18:26.914)
Yeah, I agree completely. I agree completely. So I think we’d both agree that you need basic mail filtering capabilities in place to limit the amount of crap that gets down to the desktops, and more advanced features like sandboxing and link review and things of that nature. But no matter what, we can do all the SAA training, we can do all of the phishing, but still, statistically, you’re lucky if you get your phishing, you know, false phishing, down to 4% in most organizations. So you’re gonna have people clicking on the stuff. Where do you see the next, all right, so if we kind of agree that that’s just table stakes, you gotta have that stuff, but it’s not gonna be foolproof. You guys specialize, I think, in more what I’m gonna call the detect and respond world. Is that the next most important thing in your mind? I mean, I think at the end of the day, you could argue that having backups is the single most important thing in the world, and having them properly protected.

But beyond that, where would you put the emphasis? In that Detect and Respond realm that you guys have expertise in?

Sagi Brody (19:31.674)
It’s interesting, where Opti9 sits in the sort of security conversation is we are providing backups as a service and disaster recovery as a service, which you typically don’t, it’s not necessarily part of the security conversation always, it’s maybe more of the infrastructure. I think a big thing that we’re seeing now is within organizations, those two teams or those two sets of people are sometimes not talking to each other, or they’re not reporting to the same person. They can be very far away within the organization.

If you think about, hey, we just got hit with something, all of a sudden those two teams need to work very closely together. When’s the latest backup from? Can we fail over to the DR site? Can we use the DR site to do forensics? And so I think those two groups need to come together, you know, or those two sets of tools. And we’re starting to see that. We’re seeing backup software speaking to SIEM software, you know, and again, if you think about what does your incident response plan look like,

those sets of teams or people. So we are seeing those come together. But what we did at Opti9 to help our customers who were getting hit with ransomware was, we realized, you know, what I was talking about before, that the attackers are first getting into the backup and replication tools before they initiate the ransomware attack. We are managing those tools. We have access to them at our customer sites. So we started running the configuration changes that we were seeing and the activities through machine learning and AI, and we built this tool called Observer. And when we notice suspicious activity that is not normal for that site, it’s really, it’s potentially telling us, hey, there is an attacker in the environment, they’re in the process of trying to modify, or delete, or destroy the backups, or disable the replication, so that they can instigate an attack. And so if we can detect those actions, in some cases we can stop an attack before it starts. So I think that type of preventative or predictive technology using AI, you’re going to see it happening in many other places. I saw a company the other day that’s doing something similar. They’re doing threat intelligence and they’re looking for situations when people are registering domain names similar to yours, because obviously those could be used as part of a phishing attack, right?

We’re not working reactively. It’s all predictive to prevent the attack.

John Verry (22:08.222)
Yeah, so I think that’s fantastic what you’re doing, right? And we tell people the same thing, right? You want your DR tools talking to your SIEM tools so that in the event something is going on, you’re gonna have some early warning to that, right? In isolation to the extent that we can, minimizing the levels of administrative access, et cetera. Is there anything we can do for the people listening on the extortionware side, right? So the good news on, you know, if you’re preventing them from getting to the backups, we know we can’t be ransomed from a conventional cryptographic perspective, but we can still be extorted, right? Is there anything that we can do, or is there anything that you’re doing as a company to help people from an extortion perspective?

Sagi Brody (22:54.832)
Uh.

Not really, I mean, because typically we don’t hear about it until it’s already happened. I mean, I think once they have your data, you’re, you know, better go find a good, you know, ex-FBI negotiator or something. But you know, I think one thing that I’ll mention on that is, a lot of times you hear these statistics about how often an attacker is in an environment before they’re detected or initiate an attack, you know, I think it’s like somewhere between 30 to 60 days.

Sagi Brody (23:26.1)
obviously the faster you can cut them off, and potentially restrict or reduce their access to that data. And so that’s probably the number one thing. You mentioned having different tools earlier; obviously consolidating all that information into one spot and being able to correlate what’s happening in one part of the environment to the other. So like the tool we built, Observer, we purposely set it up so that it can integrate with SIEM.

It has MITRE ATT&CK framework based data. We support STIX/TAXII. And again, this is a piece of SaaS software that’s part of a backup software stack or replication stack. You typically don’t talk about MITRE ATT&CK mapping of events with backup software. But again, so now you can correlate what’s happening in that part of the environment, which is sort of like a new attack surface that people typically don’t think about monitoring, and then other areas of the environment. Now you get like a low alarm on someone’s laptop or something, and now we’re getting a medium in the backup software. We correlate those together, obviously. Now maybe the alarm goes off.

So I think better correlation, you know, is important. I also think, like I said before, there’s industries that are just sort of, they’re not as popular yet, but I’ve been doing some work with a company that’s focused on cybersecurity for physical aircraft. And it amazed me. It’s kind of scary, you know, how all these scenarios we just walked through, it’s very analogous for someone to, like, ransomware a plane and prevent it from taking off.

And why that is, is because you have, like, laptops, you know, traditional IT devices, that are being plugged into very sensitive, like, avionics networks. And so a ransomware strain is designed to look for some of that, just like, you know, Stuxnet was designed to look for some Siemens hardware, and, you know, not terribly different. So I think vendor management and putting your vendors through cybersecurity audits is another good way to really protect yourself.

John Verry (25:33.198)
Actually, I think what you said, which is very interesting, is you used the term attack surface management. Very often we hear that used more from an external perspective. What you rightfully said is that the attack surfaces are changing. If you think of extortionware as a different attack surface, so as an example, we do a lot of work in law firms. In law firms, they’ve got a document management system where client matters, in theory, should all be stored, right? And they inherently understand that is the crown jewels of the organization, and that any unusual access to said data, higher rates than normal, people accessing data that they typically wouldn’t access, right, is alerted on. Yeah, I guess from an extortion perspective, right, we probably should be looking at the attack surface a little bit different, right?

Sagi Brody (26:25.102)
Yeah.

John Verry (26:32.198)
As an organization, do I have data that if it was accessed, I could be extorted with? Which, you know, if you’re a manufacturing organization making widgets, the answer’s probably no. If you’re a law firm or somebody who handles a lot of sensitive data, obviously yes. And then we just look at that as a different attack surface and those same types of tools that you’re putting in place in front of the DR infrastructure, we should put it in place in front of the storage infrastructure, I guess.

Sagi Brody (26:59.854)
Yeah, we’re built into the application. I think that’s a great example. And I recall over the years, you’d hear these anecdotes about, there was a celebrity staying at a hospital or a hotel and somebody looked up their info that shouldn’t have and it set off an alarm and they got fired, right?

And so I think some of that, I guess, does potentially exist in some scenarios. But the example you gave is amazing, right? If someone is accessing, and maybe it’s not the exact data they’re accessing, but more the pattern of the behavior. If all of a sudden, if someone is normally only pulling up three to five customer accounts a week, and all of a sudden they pull up 30 in a day, you know, yeah, that is anomalous, right? That is suspicious. And we have tools that exist today like Splunk and the SIEMs and Elastic, you know, they have machine learning jobs built into them where all you need to do is sort of point the job at your data set and they will very easily point out and say, hey, this is anomalous, this is suspicious.

John Verry (28:06.75)
Interesting, now you have me thinking, which is always dangerous, because now I’m gonna spend the rest of the afternoon. Thank

Sagi Brody (28:13.886)
It was your idea. I mean, I think that, I think it’s a great idea, you know, like, and where else can that be applied to, probably so many places, but it’s all about, you know, predictive, you know, predictive and prevention. You know, it’s funny, because in backups and DR, we talk about the difference between restore versus resume. Like, do you want to sit there and restore all your data and take weeks, or do you want to hit a button, you know, hit a button and resume, you know, resume your operations right away?

John Verry (28:42.407)
Obviously I picked resume. Was that a multiple choice? I think I got it right, right?

Sagi Brody (28:44.35)
Yeah.

Of course, yeah.

John Verry (28:51.831)
Anything we missed, anything you would want to talk a little bit further about with regards to this subject.

Sagi Brody (28:59.074)
No, I think, I think, you know, when you mention different attack surfaces, that’s, it’s a very, it’s a very good point. And I think going back to the assumptions, we assume that that, you know, just because something has not been a focus of attackers in the past, we just sort of, you know, glance over it or just say it’s, it’s okay. But you know, every day, you know, every day we hear about new attack surfaces. This is something we just need to keep an eye on and not have assumptions about.

John Verry (29:27.65)
Sounds good. I sent you your agenda late, so I’ll ask you this question, but if you don’t answer it, we’ll get rid of it. Give me a real world or fictional character you think would make a great or horrible CISO and why.

Sagi Brody (29:41.358)
Hmm. I did see it. I saw it like a minute before we jumped on the call.

John Verry (29:48.094)
We’ll see how fast you can think on your feet, Sagi.

Sagi Brody (29:50.974)
Yeah, I would say, on my feet quick, I’ll say the dude from The Big Lebowski would not be a good one. Most of the folks in the security world that I know, for better or for worse, are super anal. Usually it’s a good thing in this industry.

John Verry (29:59.453)
Hehehehe

John Verry (30:13.006)
Yeah, and I don’t even think you need to explain why. Anyone who’s seen The Big Lebowski, I don’t think you need to explain the horrible part of it. So thank you. If folks want to get in touch with you and or Opti9, what would be the right way to do that? Best way to do that?

Sagi Brody (30:19.806)
No.

Sagi Brody (30:31.25)
I’m most active on LinkedIn, I would say. My name is a little unique, so if you search for Sagi Brody, there’s typically only, I’m only aware of myself in the world, so you’ll find me right away.

John Verry (30:43.33)
I also have the value of having a less common name, although the funny thing is that there is one other guy, at least, that has my name, and he’s actually in risk management, not quite cybersecurity. But it’s funny, every once in a while someone will say, like, oh yeah, I was at that conference that you spoke at, and they’ll mention the location, and I’ll be like, yeah.

Sagi Brody (30:55.233)
Mm.

Sagi Brody (31:05.694)
So it must have been that both of you came up with that name knowing, like you were searching for some sort of security by obscurity sort of thing.

John Verry (31:16.165)
I planned it years ago. I’ve got long-term vision where we’re going here. All right, man. Well, this has been fun. Thank you.

Sagi Brody (31:17.932)
Nice.

Sagi Brody (31:26.842)
Thanks, John.