Outsmarting the Cybersecurity “Bad Guys” | Taking on Cybercriminals


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The latest Verizon Data Breach Investigations Report links 39% of data breaches to organized crime.

In this podcast, we take a close look at the tactics of these cyber “bad guys” with 25-year industry veteran and cybersecurity superhero, Brian Dykstra. Brian is currently the President & CEO of Atlantic Data Forensics and previously served as the co-founder and CIO of Mandiant. Brian has extensive experience thwarting cybercriminals.

Meditology Partner and CyberPHIx host Brian Selfridge joins Brian to discuss what the “bad guys” in cybersecurity are doing and how your organization can prepare and respond to their attacks. Listen in as we cover the following topics:

  • How do cybercriminal activities targeting healthcare organizations compare with other industry verticals?
  • How can you prevent and detect highly sophisticated email fraud approaches favored by savvy cybercriminals?
  • The rise of attacks that leverage innovative intrusion and theft methods from “Red-Team” penetration testing tools.
  • Ransomware attack trends and defensive approaches.
  • Network maturity models and security control approaches for bolstering defenses against cyberthieves.
  • Suggestions for fundamental protection, detection, and response practices that protect organizations from cybercriminals.

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:16] Hello and welcome to CyberPHIx, the audio resource for information security, privacy and governance, specifically for the healthcare industry. I'm your host, Brian Selfridge. In each episode, we'll be bringing you pertinent information from thought leaders in healthcare information security and privacy. In this episode, we will be speaking with Brian Dykstra, who is an industry veteran and leader with a broad and impressive portfolio of accomplishments ranging over twenty-five years in data forensics, investigations, cybercrime and e-discovery. Brian currently serves as the President and CEO of Atlantic Data Forensics and also has had roles with the Cyber Maryland Advisory Board and the Maryland Center for Entrepreneurship, and also supports current high school and early college programs in cybersecurity. Prior to Atlantic Data Forensics, Brian started and ran several other successful organizations, including co-founding Mandiant and serving as Mandiant's CIO and Director of Professional Education, where he personally trained over 600 FBI cybercrime special agents and investigators, among other activities. We're excited to talk to Brian today about the bad guys: what are they up to, and how can we protect critical healthcare infrastructure from attacks and cybercrime activities? We would also like to hear from you as well, so if you have a specific topic or thought leader that you would like to hear from, just drop us a note at [email protected]. That's [email protected]. Now, let's get to our interview.

Brian Selfridge: [00:01:49] All right, hello, this is Brian Selfridge, host of the CyberPHIx, the industry's leading podcast for information security and privacy, specifically for healthcare. I'd like to welcome my guest, Brian Dykstra. I'm excited to speak with Brian today about current trends in cybercrime investigations and forensics analysis generally. Our plan is to get everybody up to speed on what the bad guys are up to, and perhaps more important, how we can prepare and defend against the latest attacks and methods. So a lot to cover today. Brian, thank you so much for taking time to join us. 

Brian Dykstra: [00:02:17] Happy to be here or not be here. Virtually be here. 

Brian Selfridge: [00:02:22] Over here. We're all here in one way, shape, or form. 

Brian Dykstra: [00:02:24] We're all here. 

Brian Selfridge: [00:02:25] All right, Brian, so we've got a lot to pick your brain on. I want to talk about bad guys. So as I've got several small kids at home, and so we play superheroes a lot, and unfortunately, I have to be the bad guy all the time, which is really demoralizing. But I need to know what they're up to. I need to know the tricks. Fortunately, we're not we're not cyber battling yet. More wrestling for the most part. But so what I want to talk about is what are some of the real bad guys doing out there from what you're seeing in your investigations and otherwise? Now, our audience is healthcare-focused, so we'll probably sort of go down that rabbit hole a bit to start. 

Brian Dykstra: [00:03:02] Sure. 

Brian Selfridge: [00:03:03] But what are some of the more common attacks that you're seeing out there specifically around the healthcare industry? And maybe how does that compare or contrast to other industries? 

Brian Dykstra: [00:03:11] So specifically in the healthcare industry right now, we're seeing a lot of business email compromise, and it's getting better and more sophisticated. So we're seeing a lot of emails coming from trusted parties. Right. So they break into a CFO at company A, and they don't mess with his mailbox at all. No spam goes out, no, you know, weird "go to this thing or else" emails, none of that stuff. And then they might even do that two or three more times. So they'll break into several CFOs, one after another, after another, before they finally land on a location. And they're like, ha, this looks pretty good here. This customer has a large invoice base, you know, lots of kind of weak data points and stuff like that.

Brian Dykstra: [00:04:02] And then they'll just send out from, again, you know, a trusted email source, ACH information, but not the old cruddy stuff we're used to seeing, you know, the Nigerian kings and stuff like this with, you know, 52 spelling errors in it. And, you know, good day to you, sir. None of that sort of thing. You know, really finely crafted emails that go out from a legitimate email source to customers with, you know, even follow up information and explanations of why they're changing their banking environment. And, you know, and even eliciting, you know, we really appreciate your help in this. I know it's always difficult, you know, just really complex business emails where you're like, oh, well, that sounds exactly like Jim. He's a great guy. You know, that's a bummer to hear about his problems at that bank. So those sort of things. 

Brian Dykstra: [00:04:58] And then what happens is, of course, you know, everybody sends their invoices in, you know, their money for their invoices, to the new ACH location. And it doesn't get picked up for maybe sixty days. Right. Because everybody's on those thirty-day terms. It's sixty before you sort of really start to wonder about where the money is at, maybe seventy-five before you actually send out some notices like, hey, just add a hundred. So that sort of thing. And by that time, of course, you know, the money's long gone. Right. The money's probably moved in the first 72 hours and is well on to a, you know, non-recoverable situation. We've seen a lot of that in healthcare recently. And it seems to get harder to pick up. Right. Because, as I said, again, it's coming from, you know, known trusted sources to known trusted sources, known trusted sources, and you just have this thing where nobody really twigs on it and says, oh, that sounds a little suspicious. Now, it's all very clean. Including some of them actually had call-back numbers with them. Oh, you're having problems, call this, you know, blah, blah, blah special number we've set up for this, and it will walk you through the process. And you're just like, wow. And I've talked to people who've called it. They're like, oh yeah, super helpful. I talked to Angela. And I'm like, there is no Angela. They're like, wait, what?

Brian Selfridge: [00:06:20] It's always good to have customer service. I worked for an attorney general years ago, and we would track down the bad guys. And I always loved the ones that had customer service. It was like the one fraudster, and then his brother was the customer service who would answer the phone. It's pretty impressive. And they know what to say. And they say, oh, yeah, of course I know you. And they know the account because they've been, you know, watching the attack themselves. It's very clever. 

Brian Dykstra: [00:06:42] And it just really kind of cements the fraud. Right. You know, you go, oh, well, there was a customer service number, and I checked with them. For a lot of financial, you know, organizations, that would be enough, right? We made that call back. Not that, you know, it made sense or anything else. Just I called and checked and there was a person there. Boom. You know, that's the second factor. And, you know, we go ahead and send the payments, things like this. That's been really big at the larger organizations, the, you know, the big hospitals and healthcare. We've seen a lot of that. At the smaller, I don't want to call it mom and pop, but, you know, smaller dental practices. Right. You know, four or five dental chairs, two offices, things like this, you know, small healthcare offices and things like this. Three or four docs, five docs, things like that. You know, anything under 100. It's still ransomware. It's just ransomware, ransomware, ransomware all day, all night. And they just don't seem to be able to deal with that. And that's, of course, a byproduct of poor IT.

Brian Selfridge: [00:07:48] Is anyone going after the patient information? It sounds like we've got the traditional financial attacks. We've got the ransomware stick up game. You know, give me the money. Is anybody exfiltrating data and selling it on the black market as much? I know it's always talked about, but I don't know if it's actually happening as much, you know. 

Brian Dykstra: [00:08:04] Yeah. I mean, I think that's hard to quantify. I know from some of my larger healthcare clients and their SOCs and stuff like this that they do have, you know, straight up standard trying to get in, trying to gain a foothold type intrusion activity, you know, lateral movement and all that sort of stuff. You know, and that seems to be your more traditional, you know, break in, get control, exfiltrate documents, that sort of thing. But I think that's also become much harder at those larger locations. Right. They've got more and more and more controls in place. So it's more difficult to do that sort of thing where, you know, if you really want that sort of data, it's, you know, again, at the hundred healthcare professionals or less organizations, a much easier chance of getting myself in there and things like that. And then we still see a fair amount of hands-on-the-ground insider type of theft of that type of data and insider sales of that type of data.

Brian Dykstra: [00:09:11] You know, it's frequently amazing to me about how many times healthcare organizations end up hiring known criminals. I talked to some HR people about this, because they run into this where it's like, oh, we hired the person because we were really in a pinch. And so we've sort of waived the background check thing and then, you know, and then, well, we never really got around to it because they were such a good employee you know, and then eight months later, a year later, they're like, oh, we have this huge fraud problem going on in our billing office. What the heck? Yeah. Or something like that. You know, when we go back and take a look, it's like, well, you hired a person that's, on at least three different occasions, been, you know, picked up for this type of activity. And it'd be weird if I'd found that once. But like after the 15th time you find it, you're like, this seems to be a real thing. You know, you get targets of smaller organizations, you know, and oftentimes they are just directly stealing credit card information, stealing, you know, patient identification information, you know, all those things. And in some cases, they were even stealing cash. Persons involved in directly taking copayments and things like this. 

Brian Selfridge: [00:10:25] Do you see healthcare being targeted more or less than other industries, or is it more just you know, we have a lot of small organizations and, you know, those are going after for those types of attacks or what do you think? 

Brian Dykstra: [00:10:36] Yeah, I sometimes wonder about that. You know, healthcare being, you know, a regulated industry, if you will. Right. And, you know, HIPAA being, you know, really big and an obvious thing. I wonder if it isn't just a product we pay more attention to that because of that data. I mean, let's face it, we pay a lot of attention to financial services. We pay a lot of attention to healthcare. You know, do we pay attention to manufacturing? 

Brian Dykstra: [00:11:11] They don't really have, you know, they've got some R&D data, some intellectual property and stuff like that, but they don't have what we all perceive as like regulated data. So I'm sure there's a ton of data breach type stuff going on there, ransomware stuff going on there. In manufacturing, it's just because they don't have data on me, right. In manufacturing, I don't so much care. Right. It really does all revolve around me. Right. Do you have my data? If you have my data, you'd better be protecting it. If you don't have my data, well, you know, good luck with that Internet thing. 

Brian Selfridge: [00:11:45] Let's talk about ransomware a little bit more. I know it's hard to escape, and we've certainly talked quite a bit about it as an industry over the last couple of years. But given the larger-scale attacks, the WannaCry one that arguably hit the EU and England a little bit harder than the US, but still made us a little bit nervous. What I found interesting about some of those attacks was seeing different asset types be at risk than the traditional, we locked up your workstation ransomware or maybe a server or maybe it's joint, but we saw things like medical devices starting to get locked up. Have you seen any other types of assets being targeted, or maybe not even targeted, but getting sort of locked up from ransomware beyond the traditional attacks?

Brian Dykstra: [00:12:28] Sure. Just had a client who lost a bunch of point of sale systems to that because it was a, you know, some sort of Windows PE, you know, XP-based, you know, embedded operating system that, of course, you know, isn't getting patched and it's running whatever that old, you know, base operating system was, you know, or a version of it on this POS system. Of course with an, you know, interface over the top of it. So you didn't really know that. And they typically, you know, you're not running any sort of endpoint on that. Or AV or anti-malware solution or those things. I mean, they're barely big enough to run the POS software. And so when they got hit, it just immediately ate all of them. And so boom, all their POS systems were down. And that, you know, of course, makes a really bad day to begin with even more insulting when you can't even, you know, continue to process client transactions and stuff.

Brian Dykstra: [00:13:25] As far as the large scale ransomware like WannaCry, like NotPetya, things like that go. I view those honestly as a management failure. I give presentations on this all the time. People don't always take it the right way. But, you know, it starts literally at like the CEO, CFO level where, you know, you haven't resourced your I.T. departments enough. Right. So the CFO is like, no, we're not doing that this year, maybe next year. Get back to me again. You know, you don't have enough staff. I've never run into an I.T. department where they're just like, oh, we got guys falling off the truck in here. You know, it's always the opposite where I'm like, wow, you guys run all of this with three people. Really, you've got six data centers. How does that happen? You know, one of those sort of things. So that under-resourcing at that level.

Brian Dykstra: [00:14:15] The next step down from that, you've got, you know, chief operating officer, business leaders demanding that, you know, well, I realize this app's 14 years old, but it's critical to our operations. And so we need to keep it running. I actually came across a running Windows NT4 box the other day. It was critical to the mission of this finance department of this company. And it, of course, was not having a good day. And the CFO was like, well, can you help us with this? Can you do something? I was like, no, that shouldn't even be here. Like, you know. And, you know, for those people listening, if you don't remember what NT4 is, it didn't even understand TCP/IP. That's how old that is. Right. It had no idea what the Internet was. So for you to put software on it, so that it could have an IP address and actually understand how to do that. And this was running a critical part of their operations in their finance department. And so you have that level to where there's just this, you know, this layer of business-driven apps that are just not up to date, not taking care of things like that and refuses to move on. And then you get into the CIO level where, you know, they just, you know, we're not doing the things that we should be here. We don't have good control over our assets. You know, we don't have a solid program for how things are taken care of.

Brian Dykstra: [00:15:44] And then, you know, then it gets down to the CISO level where, you know, God help me. I actually find places, Baltimore is a good example of this. They simply hadn't patched in years. It broke somebody's apps one day, they got, you know, they got angry about it, and it came down from on high. Well, no more of that patching stuff because that just wrecks everything. You know, so at all levels there, you have different levels of failures that contribute to something that, quite honestly, I mean, you know, WannaCry, listen to this. They take advantage of weak IT systems. One of my healthcare clients talked to me right after NotPetya hit, and their CISO was like, yeah, you know, blah, blah, blah, the board called me in, and they wanted a face-to-face meeting. And, you know, what about this NotPetya thing and how are we going to prevent this? You know, what are we going to tell our clients? He's like, we don't have a NotPetya thing. And they're like, no, we heard on TV. Everybody's getting it. It's taking down the whole Internet. We want to know what you're doing about it. He's like, we're not doing anything about it, because we don't have any of it. You know, we take care of the network here. This isn't even a deal for us. But on the other hand, it cost FedEx, you know what, three hundred million dollars, you know, so it definitely did, you know, hurt organizations. And, you know, and I believe you referenced that the European National or the U.K. National Health System. Right.

Brian Selfridge: [00:17:13] NHS, I think.  

Brian Dykstra: [00:17:15] And I think a lot of what contributed there is they were still running lots of Windows XP systems. I think one of the numbers I just saw was over 70 percent of their systems were XP-based. It's like, well, you're still holding onto an end-of-life operating system. So if you go back to management failures, why was this not resourced? Why are we still doing this? You know, what was the business case for this? You know, so on and so on. Kind of down that stack, you know, that's how a lot of that stuff gets really out of hand.

Brian Selfridge: [00:17:44] And one of the tricky things we're trying to navigate on the healthcare side is the medical devices, because they're running 15, 20 years in service. Some of the new ones are still coming out with XP, which is exasperating. But the old ones that are in service, folks aren't investing in the inventory processes and understanding where the stuff is. How do we keep them updated? Manufacturers are a mess. So I'm not sure we'd be able to fix that here. But sort of that's the next echelon of problems. Then you've got patient's lives on the line as well. It's less about just mission critical systems, and you actually have patient safety involved. So welcome any ideas you have there, other than just investing, you know. 

Brian Dykstra: [00:18:22] It's funny. I was at a conference last Thursday up at Columbia University. It was the Journal of Law and Cyber Warfare. Excellent panel. It's just amazing panels. But one of the folks they had on one of the panels was Joey Johnson. He's the CISO for Premise Health down in Nashville, absolute rock star. And he specifically spoke to that piece like, look, I have these things on my network that, you know, they require, you know, FDA, you know, they're FDA certified in this configuration. They have to be operated like this. You know, there's no updating, no patching, no putting anything on these. You know, you don't alter these in any way. I know from some of my other CISOs that have, you know, big hospital operations. They have a lot of those systems out there. And it's like you said, it's about knowing where they're at, knowing what their weakness is. You know, we can't get beyond this level with them, or they have, you know, this operating system that we can't do anything about or, you know, they're not protected from this and that. And then, you know, as IT security professionals go, OK, well, if I can't deal with that endpoint the way I would normally deal with any other computer endpoint, what are my alternatives? And most of them come to the same solution. Joey came to the solution. We start building walls around these things, you know, OK, if it's one of these systems, well, then it just can't be on the network with all these other things over here. Right. It's going to have to be on its own little island. We're going to cut it off, and we're not going to allow it to, you know, file share, whatever, you know, it might be that, you know, creates this weakness. We're just going to have to work out alternative solutions for dealing with this to protect it, which we know is weak, from, you know, potential damage from or to the rest of the network.

Brian Selfridge: [00:20:16] So it's kind of weird. They're almost turning and pointing the firewall at those devices and going, we just don't know what's going to go on with them. So we're not trusting that MRI machine anymore, you know, which seems like an odd thing to do. But it's effective, you know, a lot of old school techniques, segmentation of those things and, you know, putting them on networks that can't talk to other networks and things like this. And usually that's not a problem because those machines tend to operate fairly standalone anyway. Right. I was doing an MRI tech the other day that, you know, they just took in the DVDs of the MRI, and they put it in the machine and, you know, they didn't copy them or do anything with them anyway. They just, you know, pulled that stuff directly off the MRI. I looked at it locally, you know, the analysis they were doing and moved on. It really had no need to communicate with anything outside of that, which is great. Like, OK, well, it doesn't need an email, it doesn't need to be web surfing. It doesn't really need to be connected to the larger network or have a lot of these services that we would normally make available to regular machines. So we'll just cut them off from all that and thereby, you know, protecting them from the badness, too. 

Brian Selfridge: [00:21:27] I appreciate that you mentioned Joey. I have to give a quick plug for our CyberPHIx interview with Joey Johnson a little while back. So our listeners, do check that out. That's now two ringing endorsements for Joey's perspective. 

Brian Dykstra: [00:21:39] The guy looks like Jon Snow, and he's a CISO. I mean, what more could you want? He's a total rock star.

Brian Selfridge: [00:21:44] So, Brian, we know the bad guys are creative. We're still talking about bad guys here. And often they're the ones that start the chain of events by some innovative attack. And then we all scramble to build controls and processes and awareness training around the latest attacks. We talked about email attacks, talked about some of the more common ones. Anything real creative you've seen out there? Any sort of, even if it's a one-off, any types of attacks that have been innovating for the bad guys recently. 

Brian Dykstra: [00:22:13] All right. So I have two schools of thought on this. One, there's the traditional bad guy environment. Right. And they're doing their thing, and they're very good at their jobs. Recently, I've run into a lot of tools utilized by bad guys that were actually developed by the red team folks. And God knows I love them. If you're on a red team out there, lots of love for you. But for God's sake, do we have to keep putting these tools out into the environment and not looking at their impact? And I get that as a red team, you know, it's part of the job and stuff like that. I, you know, worked on that myself. And there's, you know, a lot of joy in breaking into something. But, you know, I hate it when I see a, you know, full-on red team tool used to, you know, severely impact a client. And these tools are fantastic. I mean, they're sophisticated. They're meant to basically beat everything on the blue team, you know, including, you know, basic stuff like this.

Brian Dykstra: [00:23:15] So, you know, we've seen some really sophisticated, you know, live-off-the-land type tools, where they're taking advantage of all the PowerShell stuff and things like that. And then, you know, adding on to that, you know, encoding and compression and stuff like this, it just makes it that much more difficult to follow, and stuff like this. And of course, it's always tougher to follow stuff that's, you know, gotten into your network and operating anyway. But then you put layers of obfuscation on top of it or, you know, encoding, and it just makes it that much more difficult for things to detect. I recently pulled a bit of data off a client's network, where a traditional red team tool had been used against them. Let's say they'd been attacked by a Russian attacker who was using a red team tool released a few years ago, a package called PowerShell Empire, just this whole, like, really well thought out attack framework. I mean, this thing is a very, very complete toolset. One of the payloads that the attacker used was base64 encoded and gzipped. And we noticed that none of the client's endpoint stuff picked it up. And out of curiosity, I happened to toss the thing into VirusTotal, just like, see, you know, OK, well, I understand how this thing's encoded, but underneath it's pretty common, you know, PowerShell.

Brian Dykstra: [00:24:49] It should have been picked up by most things, that sort of activity. But I threw it into VirusTotal, and only two of the 74 engines, because of the combination of encoding and compression, picked it up. And I was like, whoa, that's a pretty low bar. Some encoding and some compression is enough to beat the maturity of your endpoint detection stuff on signature. And if I remember right, it was like Kaspersky and Evera were the only two out of like all 74 engines they run there that were able to, you know, and like I said, it's just a level of obfuscation over a known bad thing that once you got rid of that, they all went, oh, well, this is obviously bad, you know, like, yeah, but if you missed it. On the upside, I mean, the folks that had built PowerShell Empire actually announced right after DEF CON this year that, you know, hey, we're not doing that anymore. We're no longer updating this package. Maybe this isn't the best thing for the community and things like that. But we're seeing more and more of that where these, you know, red teaming sort of attack tool packages and these live-off-the-land sort of techniques that are being developed and built in that community are then being used against us by, you know, real external adversaries and things like this outside of the security environment. And I don't have any answer for that because I understand, you know, the folks on the red side have to do their thing, but it can make for a real bad day on the blue side when it's, you know, coming out of Southeast Asia or someplace else. Like, we don't have a red team scheduled this week. And there's a bunch of stuff in here. I don't like the way it looks.

Brian Selfridge: [00:26:43] So let's talk about the ways to actually combat some of this. So we mentioned the shoestring budgets and lack of investment from especially those small to midsize organizations. Maybe we can sort of think about those with a sympathetic mindset, think about those organizations and the limited investments they can make. Obviously, we think they should make more. Do you have a perspective on sort of if you had to spend that one dollar or whatever it is, where's a good place to put your defensive budget into? Is it in incident response? Is it in this tool or that tool or, you know, or what do you think? 

Brian Dykstra: [00:27:21] So I'm a big proponent of, it's about, you know, security is a process, not a product. So I'm not saying there aren't great products out there. There are fantastic products out there. But that should be part of your process. Right. So having a network maturity model that you can use to drive your process is really key to this. I like to show clients the Paid Martina's Model, PMM model, for network security, where you basically start at level one with some pretty basic stuff, like do I have patch management, do I have, you know, operating systems that are current? Do I have logs? Do we actually have an inventory and asset control of what we actually have here? You know, some really, you know, just basic IT stuff. Do I have an antivirus, you know, anti-malware package installed on everything and working? So really low-bar type things. And then, you know, once you've got all that stuff in place, you step up to level two, you know, do I have, you know, a SIEM, do I have, you know, an I.T. security team, and so on up the levels, up to level five, which, quite honestly, most people never even need to get beyond three. You know, at five you're like, am I threat hunting and, you know, stuff like this, am I purple teaming my systems, you know, which is all great stuff, but part of the value of the model is it also helps explain to people like, hey, you just decided that you wanted to buy, and I'm just going to pick on this product, you know, FireEye, and put it all over your network, except that's a level three product and you're currently struggling to finish off level two, and you don't even have an I.T. security team.

Brian Dykstra: [00:29:14] So there's nobody to really watch the alerts for this. So, you know, so maybe that's not the right purchase for us at this point in time. And I run into clients frequently who are doing that. They're chasing after product going, well, this product's going to take care of all this. Yeah, it totally will. It's a great product. But is that your current problem? Can we tell from your, you know, from your SIEM who logged in at 10:00 a.m. this morning? Because that should be our lower-bar priority. I should actually have good control over that stuff before I go off chasing this, you know, advanced endpoint solution or something like that, you know, or hey, last time we, you know, restored from a backup, fifty percent of our file share servers didn't restore properly. Maybe that's a higher priority than, you know, again, a threat hunting tool or something like that. So, you know, kind of trying to shift the mindset for people because, as technology people, we do get enamored by the tools. Right. I have to fight it myself all the time. Like, I want to jump on the keyboard. It's like sometimes you have to step back from that. Does this actually make sense, have I done all these really basic, dull, boring, you know, obnoxious things that need to get done, you know, before I move on to the next thing? And again, one of my favorite SOC managers said this to me, he's like, you know, I'm not trying to build perfect here anymore. He said he used to do that. He's like, now I'm just trying to put lots of controls in place. So I just get a little bit better all the time so that maybe with all these controls that I've arrayed out there, I'm going to catch something over here and a little bit more of it over there. And it's just going to give me that little bit of an opportunity to get ahead of the bad guy. Because he tripped over something that I put in place that they didn't know about. It's like not even trying to get it perfect anymore.
But on the other side of that, you want to have your you know, your underlying things like, you know, can I restore, do I have log coverage on that? You know, do I have, you know, actual endpoint protection on these things and stuff like that, you know, out there, which is a daily grind. Right? It's like everybody else in the organization. You have to come in as a security professional and be like, what are we working on today? You know, what am I going to be working on tomorrow and just keep working on it. 

Brian Selfridge: [00:31:41] So let's forget about prevention for a minute and assume that at some point we've laid our traps and they've sort of worked or, you know, maybe not at all. Are you seeing any missteps that organizations take either during a breach or post breach? I'm not sure when in the life cycle that hinder the ultimate outcome of the investigation, whether it's, you know, missing stuff along the way in the kill chain that they could have done or I don't know. What are some things or advice you would give organizations like, look, if you think you've got something going on and first off, I presume call the professionals as soon as possible like yourselves. But what are some of the things, the missteps, to avoid, you know, early on in that in that process? 

Brian Dykstra: [00:32:23] Right. So that's kind of stuff that you need to do in advance when everything's not on fire, when three different, you know, controls didn't just fire off and go, hey, we think there's a problem over here. You know, it's about getting in front of it and it's not really very difficult. So it's kind of three things that you need to get in place. You should have some sort of cyber insurance policy, get with your broker, you know, start to arrange for that. Cybersecurity insurance is amazingly inexpensive per thousand. Right. That's how they rate the dollars per thousand that they cost you and stuff like this. Just ridiculously cheap compared to a lot of other coverages companies have. So start there. That should then spin off to, you know, OK, I have, you know, legal counsel for that case. I have to do, you know, notification type stuff or I need to reach out to a bunch of attorneys general or, you know, things like that. And then, you know, I've got somebody on board to handle that for us that understands this breach situation. Mind you, not all attorneys are created equal. Right? The folks that are doing your contracts every day, I'm sure they're great at what they do with the contracts side and the M&As and things like this. They're not the cybersecurity counsel. They're not familiar with breaches, things like that. You have to have professional attorneys for that. You know, it's like saying biology. Well, there's a lot of different things in biology. Not all biologists are the same. 

Brian Dykstra: [00:33:44] So, you know, and then separate from that, you have to have a relationship with some sort of incident response company. You know, any one of the ones you like. I like the Atlantic Data Forensics guys myself. But, you know, obviously the folks across the desk here, they're all great at what they do. And so you need to have those kind of three things together. I've got my cybersecurity insurance. I've got, you know, my legal assistance there. I've got my IR team that's going to help me out when something goes wrong, and all of that should occur in advance, you know, and then that group of people will help you put together your IR plan for, you know, when an incident happens, this is how we're going to handle it. It's been approved through management. Everybody's cool with it, things like that. 

Brian Dykstra: [00:34:33] And then lastly, you need to start practicing for that. So incident response tabletop exercises, where I don't have a good feel right now. I have a client sample. Some of my clients do one tabletop exercise a year. Some of them do one a quarter. I heard some talking head the other day. They said, oh, you should be doing one every quarter. And I was like, yeah, maybe for the big companies I could see that it really makes sense. And they have the resources to do that, and they pull everybody out for a day. It's not a big deal. Smaller companies, you know, tougher to do that. Maybe the best you can do is one a year. 

Brian Dykstra: [00:35:09] But going through that IR tabletop process that you go, you know, OK, hey, we're going to, you know, play act today, that we had this type of insider thing happen to us. You know, we just found out that, you know, somebody was doing whatever and they have apparently been taking a bunch of data from us for the last eight months or they've been, you know, sending this out to wherever. So now we've got this whole, you know, awful scenario we have to deal with. Let's walk through our IR plan and see how we would handle that. And, you know, just go through the steps. Frequently, the first few times you do it, you discover, all right, our plan is completely unworkable. Why do we have 97 pages in this IR plan? Which page are you on? You'll realize all these sort of like little problems, mechanical problems, that you have with your response process. And it's important to bring in all the players too. So when you do this, you know, you have to, you know, OK, well, what would we do here? We'd reach out to our insurance carrier. Great, call that person. Hey, Bob, by the way, we've got a tabletop exercise going on over here, but I'm calling to let you know we had an incident. What would you tell us to do next? You know, I think they're happy to play along with you. Things like that. 

Brian Dykstra: [00:36:21] You know, be sure to tag in your external vendors. You know, if you're in a big cloud environment, things like this, you know, and then actually do some of the things that you would do. This is one of the mistakes I see all the time with IR tabletops. They run them as strictly a PowerPoint exercise, where everybody kind of ignores the IR plan and goes, well, we would just do that, then we'd do this. As it turns out, it's like just a bunch of people just randomly saying things off the top of their heads, which, you know, may or may not be good answers. But prove to me that you can actually do that, you know, so if somebody says, oh, well, we would pull all the logs from, you know, such and such systems and do that. Oh, all right. Cool. Why don't you go pull those logs and just get on the horn, get somebody to pull those logs for you? And if they can get them in the next two hours of the exercise, we'll call that a go. But if they call you back in 30 minutes and go, hey, you know, we don't really have logs for that, well, then we've identified maybe a little problem we have there. So kind of incorporating some real into the game plan, so that you're improving things and you're finding those things. And that is the goal of a tabletop exercise. People sometimes get into this like zero defect. We were perfect in the exercise. It's like I am absolutely not trying to be perfect in the exercise. What I'm trying to do is learn something during the exercise that helps me improve, you know, my operations, so that when it actually happens, we're a little bit stronger than we were before. 

Brian Selfridge: [00:37:54] So looking back, Brian, over the last, I don't know, twenty, thirty years, whatever frame we want to take, are we getting better at this stuff? Are the defenders getting any better at this, or are we still just struggling to keep up with these attacks? 

Brian Dykstra: [00:38:10] You know, I have this, like, list of like ten things. This is like a fifteen year old PowerPoint presentation that I have that I've just been recycling for years. It's like, hey, here's the top ten things that, you know, will result in a breach for you. And I actually haven't changed those things in that fifteen years. I've just moved on to new PowerPoint themes and stuff. Because it's always the same old school boring stuff that gets us. Like you don't have enough people, you don't have enough resources, you have stuff that you didn't know about hanging off the outside of your network, you know, and you have legacy. And and one of the things I mentioned to somebody the other day was like, we have this thing now called cloud legacy. Right. We just leave systems running in our AWS or Azure environments and nobody goes back and shuts those instances down. 

Brian Dykstra: [00:39:02] Well, I thought somebody was using it, so I didn't want to, and we didn't patch it, and we didn't do anything, but it may have creds stored on it. I don't know. So it's a lot of those, you know. Well, while the technology's moved forward and things like that and what we're doing has moved forward, it's still a lot of the same old things, you know, knowing where my equipment is. Do I have log coverage on that? Is it being taken care of? You know, and things like this, a lot of the same things are required there. Unfortunately, businesses, I think, at the leadership level are viewing things like cloud as like, oh, well, this is going to help me, you know, reduce my IT budget by... I'm going to push everything to the cloud, and then I don't need all these IT folks. It's like, well, that's just computers in a different place. You know, you still need to do all the same things with those cloud instances, as you needed to do with physical instances sitting here. You know, and we should have learned that through the explosion of, you know, virtual machines. Right. That, you know, just because you had the ability to fire up all these virtual machine instances didn't mean you needed less IT. You just shifted where IT was focused, away from the hardware to the virtual. It's the same thing in cloud environments and stuff like that. So, yeah, I mean, a lot of these same old everyday things that we've been doing for the last 20, 30 years have to be done with the new technology as well as, you know, old. We have clients. Just everywhere. Fantastic for DevOps and just like boom, throwing stuff up. It's massively scalable and things like that. And it has to be taken care of just like every other thing we always had. 

Brian Selfridge: [00:40:51] So with the breaches you've seen with this shared responsibility between AWS and the cloud provider and the vendor, have the playbooks changed? Where you mentioned tabletops, you know, you've got to get the vendors involved. Besides tabletops, I mean, in the real world, when the real deal goes down, are the vendors at the table for these things, for the most part? Do you have to start pulling in three or four parties to figure this stuff out? 

Brian Dykstra: [00:41:14] Oh yeah, you're oftentimes pulling in 15 different parties and things like that. Right. Because, you know, there's a lot of I.T. operations nowadays that, you know, are outsourced to the point that they're really only managing vendors. Right. So I've got a backup vendor. I've got a storage vendor. I've got a, you know, my email's in O365, but I've got a vendor that handles that because it's too complex for me to take care of myself and on and on and on. So, you know, I have lots of vendors that I rely on to work with every day to keep my massive enterprise operating. So those people need to all be in on your IR exercises. They all need to be part of your playbooks. They all need to know how, importantly, you as an organization, this is management down, you know, take the security of your data and your network. So you know, it's important for people to say that to people like, hey, we here at Company X value our network security, our data security and things like that. Everything you're doing with us, we want it to be done in the best, most secure possible way. So that people actually hear that and start to internalize it like, oh, that company is very, very serious about their security over there. Right. Because that will work on people. Right. And then you have to make them part of your IR plan, so that, you know, not only do I just have, well, we know the name of the sales guy over there, and we have their 1-800 number. It's like, yeah, that's cool. We should probably call over there and talk to them about, hey, I built out an IR plan here, and I really need to be able to know if I have an incident at two a.m. on, you know, the Saturday before Christmas, what's the number I call, what's the email addresses I reach out to. When those people don't respond, what's the next set of phone numbers and email addresses I reach out to? 
You know, make me, as a client of yours, feel comfortable that no matter how bad of a day I'm having over here, you're going to have somebody there to help me out and things like that. 

Brian Dykstra: [00:43:26] And that's a lot of just, you know, groundwork that you have to put in in advance as you're building out your security program. Like, I need to know all my vendors and all those points of contact and have that data collected up so that when an incident happens, I'm handling it really well, you know, and I've got all the right people there and I know who to get a hold of. And I know what I'm looking for from them. I have clients all the time that reach out to a vendor like we need logs for that. The vendor is like, we don't log that. Like we could have. I mean, if you wanted us to log that, you should have asked for it. We have a thing that does that. I can sell you that service. But you didn't ask for it, so we didn't do it, you know, and it's, you know, heartbreaking to find out. Right? It's like, oh, yeah, we had perfect log control. It just didn't get turned on. 

Brian Selfridge: [00:44:14] All right. So if we do nothing else, we got to inventory our stuff and find the contact information for our vendors. If we do nothing else, we'll be at a good starting point. 

Brian Dykstra: [00:44:23] Right. I mean, it's the standard everyday boring stuff, right? Patch your systems, update your systems, you know, put your endpoint product in there, make sure it's got coverage everywhere. It's the really dull stuff that's going to save you every time. 

Brian Selfridge: [00:44:35] Brian, thank you so much for taking the time to be here with us today. It's been a fantastic conversation. I could go all day with this, but I know you're a busy, busy person and thank you again for taking the time. 

Brian Dykstra: [00:44:46] Really appreciate it. It's been a lot of fun. Thanks for the great questions. 

Brian Selfridge: [00:44:56] Again, I would like to thank our guest, Brian Dykstra, the president and CEO of Atlantic Data Forensics, for a fascinating conversation about the current cyber crime trends and protections for healthcare entities. As always, we would like to have your feedback and hear from you, our listeners. Feel free to drop us a note about what topic you'd like to hear about or a thought leader you'd like to hear from. Our email address is [email protected]. Thanks again for joining us for this episode of CyberPHIx. We look forward to having you join us for the next session coming up soon.