
How To Rise To The Ransomware Challenge: NCSC For Startups

BSides Cheltenham · 2022 · 33:51 · 125 views · Published 2022-07
About this talk
A panel discussion featuring representatives from Goldilock and Validato, companies participating in the NCSC for Startups ransomware cohort. Panelists discuss geopolitical cyber threats, ransomware attack techniques including social engineering and rogue mobile applications, defensive strategies such as air-gapping critical assets, and practical preparation steps for businesses facing ransomware threats.
Transcript [en]

Thank you all for coming to the last talk of the day. We are joined on the stage by Validato and Goldilock, who are part of the NCSC for Startups ransomware cohort, so this is basically going to be a panel discussion. There were meant to be more of us on stage, but unfortunately a couple of people couldn't make it due to being ill. So I'll hand it over to Stephen to introduce Goldilock.

Thank you very much. I'm going to move around a little bit to get a little bit more energy; I know it's the end of the day. So, we're Goldilock. We produce a device which you can find in the back there, but before I talk a little bit about that I want to set the geopolitical context of what we're in. Many of you have been watching, maybe, The Undeclared War, which is very interesting. Actually, when Jeremy Fleming was meeting with us on Wednesday he sort of said, "I don't really like the term war, I like to talk about cyber force for good," which I understand, it's his point, but we're in a war, that's a fact. And yes, we do want cyber force for good, but the reality is we're in a war on three fronts. We've got the Russians on one front, who are a geopolitical disruption. We have the Chinese, who are continuing to engage in wholesale corporate theft; a recent Economist article three weeks ago would have told you that 75% of corporate theft is still being engaged in by the Chinese, by Chinese state-sponsored actors. And the third is ransomware criminals, whether they're in syndicates or individuals or in different forms. That war is very different from the war that exists on the ground in Ukraine, because it's a different topology. Ukraine can't change its borders; in cyber warfare we can change our borders, and what we can do is reduce the cyber attack surface. That's the Ministry of Defence mantra: we can reduce the cyber attack surface and change the topology so that the criminals and the war criminals cannot continue to engage with us and steal our critical assets and disrupt our critical national infrastructure. And the way that we can do that is: we do not need to be online all the time. You've just heard from Microsoft, and I think they did a great presentation here, but she also highlighted how vulnerable the cloud is and all of that. Always being online all the time is ridiculous; there is no need for us to be online all the time. If we are able to reduce our cyber attack surface, if we are able to take back our control to go online and offline when we need to, then we can incredibly improve our ability to fight these three evil actors on all fronts. That's what our mantra is. We've built a device that allows you to completely go offline without using the internet, because as long as you have and use the internet as a control device to allow you to go online or offline, you're vulnerable to attack. That device back there allows you to actually disconnect your critical assets, your critical national infrastructure, whatever it may be, and to ensure that you are reducing your cyber attack surface and have it only online. Now, if there are some things which are online all the time, the other thing that you need is a ransomware kill switch. What do we do when we're in a situation like Colonial Pipeline, where you scramble around for two and a half hours trying to find where the cables are, and you eventually pull the cables in different locations? With our device, what you're able to do is send a text message and it has a physical disconnect; it takes five seconds, and that's what you need to be able to do when you're under attack if you have left things online. So from our side, that's one of the biggest ways to deal with ransomware, and Chris has some great questions regarding some of the legal liability issues with respect to ransomware and where we're moving towards in this sector. We have to take a lot more control back of our cyber attack surface. So that's our mission. Thank you very much.

Thank you very much. So Andrew, do you want to introduce yourself?

Yeah, thanks very much Chris. So my name is Andrew Brown, I'm the CTO of Validato, and what Validato is doing to help address the ransomware scourge that is plaguing the world's businesses is we've put together a breach and attack simulation platform, which, quite simplistically, tests your cybersecurity controls. I'm surprised that cyber has been around for so long without this really existing. Now you might turn around and say, "Oh, but we've got pen testers and we've got red teamers and stuff like that." Very much so. Do they test your cyber controls? Absolutely not. I'm not saying that there's not a place for them; there's a very good place for them. What I'm talking about is this: when I qualified as an engineer I spent a lot of time in the instrumentation and electrical fields, and the way we used to test things and make them work was, if I had a pump for example, I'd press the green button to turn it on and I'd get a nice little light saying it's running. Then I'd have to test: can I press the red button and make the actual pump stop? And there was always an emergency stop button somewhere, and whenever you built something new you'd have an auditor come along and you'd have to verify that all of this worked, which is standard engineering practice, to make sure that these controls actually work. But then I got into the cyber field and it just seemed to be fine that you could take the software that some vendor had told you worked, and you have another ten vendors telling you that theirs actually works better and you should buy their stuff because it stops more and does better stuff, and there's this whole competition out there, and you just quite happily install it. You install all these security controls all over the place, but you don't really get around to testing them. So, as an example of what I mean and how you test it, think of something like your home security system. You put this really lovely infrared detector up in the corner of your room. What do you do? You wander around and see if you can find any blind spots in the room, and maybe you adjust it so there's no blind spots, maybe you have to put a second one in the room because there's a pillar and there's actually a blind spot behind the pillar. But once you've eliminated all of those blind spots, you then go along and look at the actual alarm panel and say, okay, if I wave my hand in front of the sensor, do I get a message on the alarm panel? Yes I do. So going back to our original question of have I got rid of our blind spots: that's very much the protection in cyber. Is your protection actually working? When we sit and look at the message on the alarm panel, think of that as your SIEM solution, your events: am I seeing the event happening in the actual SIEM solution? And then moving further on, it's: do I get a response? If I trigger this, do I get the police coming, do I get a response from a company that is going to come and inspect my premises, or give me an actual visit or call to see if I'm okay? So what we're looking at there is protection, detection and then response, and that's exactly the same as what we're doing with our product, being able to do that in the actual cyber field. Once you've done all that and you've got it all working, you can then call in the professional burglar, which we liken to the pen tester, and say, absolutely, now please do your thing and see if you can actually break in. But there's no point in getting the pen tester or the professional burglar along unless you've done all the simple testing, and that's really the premise of our product. We know from looking at so many companies out there that they've got a lot of IT people in them, and it is about enabling business, it's about helping them. There's a lot of really good IT people there, but are they the cyber specialists? No. They take the actual product, they install it, but they don't have the test tools to be able to understand: is it doing what it's meant to be doing? They're also not necessarily the qualified cyber people, and business to a large extent sees cyber as a necessary (or unnecessary) expense on the bottom line, or a business disabler rather than enabler. So what we want to do is be able to enable business very cheaply, very easily, and help them have a better cyber posture.

Okay, so now we've had a nice introduction from both of the companies, we'll start with some of the questions. I'm going to start with something focusing on reconnaissance. So what do ransomware groups look for in targets? How do they select their targets, and why are the companies which are selected, selected?

So there's a lot of different types of ransomware groups that are targeting different types of entities, from the small to the large. One of the most common ones that we've been seeing is even putting bounties out for credentials for larger entities, particularly government-run, or just those kinds of entities that have reached that critical mass where the amount of staff that they have and their infrastructure is starting to get quite outdated, so there's a lot of vulnerabilities, a lot of unsupported software there, so that once they've got in they're able to move very quickly. But also, because of the size of the entity, the internal security training and the security awareness for staff becomes quite a difficult task to do, so you have a lot of naivety from the IT side of things, and we're seeing that as quite a common entry point these days. So targeting the NHS, for example, or any of those kinds of entities where they are struggling to keep their infrastructure up to date.

Yeah, just to add to that. I see there's some quite young members of our audience out there as well. Go and have a look, just do a little bit of a search on Google for a site called Shodan, that's S-H-O-D-A-N. If you search for Shodan, it's a very useful resource out there. There's something called open source intelligence, and I talk to professionals every day and I'm quite amazed about the lack of knowledge about what is out there about an organization in open source intelligence. The beauty about Shodan is I can sit there, go on to Shodan and search the whole of the internet in a couple of seconds, and I can find every single publicly facing server that has port 3389 open. That's an RDP port that enables you to remotely manage that organization or that server. It doesn't take much to figure out or find out who that server belongs to. Once I know who it belongs to, I can very probably log into it with an email address, a little bit of engineering, and I happen to have a username, and passwords follow quite quickly because I can brute force it. So this is just one type of example where, if we look at the threat actors out there, it's a business: they earn money, they see nothing wrong with doing this. So you end up with your low-level people using things like Shodan out there to go and find easy targets; all they're interested in is earning money. So when you end up on the receiving end of a ransomware attack, it's not necessarily because you were directly targeted. It ranges from the one end where you're just randomly selected because you stood up a server in the cloud and you left port 3389 open and you didn't have a very strong password, to exactly the other end, where it's a state-sponsored actor, and if you've got intellectual property they're going to want to get their hands on that, and then they are going to put a lot of resource behind exploiting your organization.

Cool, thank you very much. So, being on the forefront of ransomware and fighting against it, have you come across any new or interesting techniques you have seen being used more recently, or being used more?

I've seen an absolute cracker quite recently. It's an evolution of the existing "we've got some screenshots here of you looking at some monkey grumble and we're going to send it out unless you pay us some money," but the way that they handle it is they send you an email or a direct message through social media as a concerned citizen, and what they're saying is, "Hey, this website or this service or this group has got some information about you, and they're making statements about you," and it could be something like they're accusing you of being a pedophile, or they're digging out something that you may have tweeted in the past, and with the evolving social standards that are expected today it seems quite controversial what you might have said. And that's all they say, no call to action, and what that's trying to do is invoke that emotional response from you, and then you want to engage with it: well, what are they saying? You want to naturally defend yourself, don't you? And then they'll give you the call to action; they've got you then. And what it'll be is something like maybe a website that's password protected, so you have to sign up. There's one method of getting your credentials, because you're not thinking straight; you know someone's made an accusation about you, your emotions are high, so you're going to be maybe a little low on your defences there. And then the second is: right, here's the accusations, and it's a PDF or it's a Word doc, and that's where the payload is normally included. Because again, you've been accused but you want to defend yourself, what's going on? Your defences are quite low then, and you're probably in a more emotional state and not thinking so critically or quite in the right way. So that's been quite an interesting development I've seen over the last couple of months, that kind of approach.

Andrew?

So I've come across two very interesting ones. I also spend quite a lot of time doing third-party assessments and looking at vendors out there on behalf of companies, and what we've seen during the pandemic is the rise of the rogue mobile application, and the ignorance around this, or the unawareness about it, is quite prolific. I was having a conversation with a company the other day, and they said, "Well, why should we be looking at our vendors, why should we be assessing them?" I said, okay, give me a list of your vendors, let's just run through them, and they interestingly gave me the company who they'd outsourced all their payroll to. So I said, okay, let's go through. I said, I've done the vendor assessment for you; on the surface they look all great, no issues around that. I said, just one scary thing. They said, what's the scary item? I said, did you know that your payroll company has actually got this really neat mobile application? He said no, they haven't told us about it. I said, okay, let me show you this application, it's really nice, you can submit timesheets, your expenses, you get your payslip through it, you can change your bank details; so, really useful application. He says, well, I'm going to make contact and find out why we don't know about it. I said, well, I can tell you why you don't know about it: because they don't know about it either. It's a rogue mobile application that has been set up. What it's designed to do is extract all of that information from people within your organization. The way this exploit actually works is the threat actor will send your staff members an email saying, "Hey, we're the new payroll company, please search for the new app we've just released, download it onto your phone, and if you happen to get any type of two-factor authentication message please just acknowledge it and use your business credentials to log in." The beauty about this whole exploit is the phishing email will work straight into your company: it's got no malicious link, it's got no attachment to it, and the user's not going to think it's suspicious because they're not having to click on anything, they're not being taken anywhere. So they'll search, they'll download the application, they'll put in your details, and they'll acknowledge the two-factor authentication; the threat actor is now logged into Office 365. I said, we need one, okay, one out of 2000 people, and I'd probably be targeting your finance department first of all around this exercise. I said, now I'm in. So, ask the payroll company: do they have any services out there that look for rogue mobile applications, are they telling their clients about them, and are they getting them taken down? And there were eyes opened all over the place. So that was the first one, that was a little bit obscure, but then it got even further. There was a beautiful article posted this week: guys putting together Raspberry Pi kits with a little SIM card in them and a wireless card, and they're posting them to companies. And because where's everybody? They're working from home. So it goes into the post room, and the good British postal system (you've got to love the British postal system) will deliver this item. It'll get put on the person's desk; it's inside the company. What's it targeting? The Wi-Fi network. How long is it going to be there for? Who knows, could be a month or two before someone comes back into work. And if you're on the 19th floor of the building, how secure is your Wi-Fi? Because who's going to externally break into it? It's probably not very secure.

Cool, thank you very much, that was really interesting. So, a question for Stephen now: should you pay ransomware ransoms?

Well, right now the criminal liability for that already exists in law, both for participating in and being part of a crime, and for funding the crime. As we know, right now there is not much of a level of enforcement, but that is moving in a different direction and there will now be more and more enforcement. There is now a strict liability offence, which means that you don't necessarily have to have intent, and that's when you're paying somebody within a sanctioned country, and as you know those countries have expanded, especially with the Russian invasion. So if you are paying to Russia then it's a strict liability offence now. The other thing, aside from just legal liability, is also a moral liability. I mean, do you really want to be participating and involved in these levels of crime? The obvious answer is no, because you're just funding, essentially, our enemies, and this needs to be stopped, essentially, by having better ransomware techniques. I think that you will see more and more the US moving towards enforcing these and preventing ransomware payments being made.

Thank you very much. So, last question before I open it up to the audience: if you do get hit by ransomware, how can you actually recover from a ransomware attack, how can you actually get your business back on track?

There's a lot of ways of looking at that, and it depends how well you actually prepared for the ransomware attack. Being on this NCSC startup programme has been quite fascinating; there's a couple of the solutions who weren't able to make it today who absolutely specialize in that, and just chatting to these guys, everybody says, okay, I've got backups, I've got all of these great things, until they get hit by the ransomware attack and then they find out that they don't have the keys to actually bring the backup back, and actually restoring from the backup wasn't so easy, and the standby data centre got hit as well, and it's actually quite a long story. So this very much ties in with the previous question, should I pay the ransom or not? Well, if you pay the actual ransom, do you know that you're actually going to get the keys to it? It's such a challenging question. Nation states turn around and say, well, we eliminated hijacking because we didn't pay the hijackers, but it's like comparing hijacking and kidnapping: if it's your child, are you going to pay the actual kidnappers the ransom that they're demanding? Because it's kidnapping, it's where you need to get in a specialist company, and it's best to understand that specialist company, or find them, beforehand. Also, if you've got the cyber insurance in place, they're going to want to be involved. So how do you recover? You prepare well in advance and understand that it can happen to absolutely anybody. Talk to your insurance company, find out how you could actually do that, because really you're being very negligent with your business, if you own a business, if the business has done absolutely nothing about it in preparation.

Okay, so I think we've got two microphones either side, so any questions for the panel?

Hi. Do you see a clear path, or like a timeline, in terms of equalizing the playing field between small businesses in the UK and state-backed foreign actors? Because it's quite an unfair fight right now.

Sorry, do you mean in terms of the ransomware threat?

Yeah, in terms of small businesses getting ransomware, and what can they do to prepare, how long will it take for most businesses in the UK to be ready to defend against that threat at all?

Yeah, well I think that we've heard a lot today from providers of different solutions to protect against that, and I think there's some fairly easy, elegant solutions. Just suggesting one of them, which is: keep a lot of your critical assets offline. I mean, we're moving towards a level of data sovereignty, there's a level of on-prem data, and I think there's an analysis that you need to have regarding what needs to be kept online all the time. The function of time and hackability is correlated, so you really have to look at what level everything needs to be at, and the other one is segregation of those assets. Any other questions?

Yep. What's your opinion on community-led groups such as VX hosting ransomware samples available to everyone, VX being vx-underground?

Like the view about ransomware as a service? So this is groups hosting samples of ransomware for researchers and other people to look at. Is it necessarily a good thing, is this helping other people create different types of ransomware by having those samples available, or is it helping the security community defend against it?

There's a lot of good use of stuff hosted out there. I think one of the larger threats that the community is suffering with is, similarly to having ransomware samples out there, if you go and have a look at the quantity of tools that are available, open source tools to be able to hack, crack, red team tools that have been written by communities, and they've been written for good purposes, that are actually being used for bad purposes. It's an issue right the way around. So not only are we talking about stuff that's being hosted out there; if you get onto the dark web you can buy ransomware as a service, people are making money out of it. Unfortunately, it's just the nature of the business: with good comes evil.

Cool, thank you very much. So, any other questions from the audience? Yep, over there.

I'm just curious: if security controls are going to be increasing to protect assets, what does the threat model for those look like? Is that going to be the future replacement for ransomware?

That's right, can you elaborate a little bit more?

So say enterprises shift to protecting their assets with more security controls, does that become a target for attackers? We can take an organization off the network by attacking the security controls.

That makes sense. I had an interesting conversation with a company the other day, and if they've got it right, I think they might be on to something. The conversation that I had with them was around quantum computing, and the big issue with quantum computing is encryption: if you've got enough power you can break encryption, because what you're doing is brute forcing and figuring out what the algorithm is. They turned around and said, well, they've moved a step forward from that, and actually it's irrelevant how much computing power you've got; the way they were doing their encryption gets around the whole quantum computing because of what they're actually doing. And I said, well, it's actually Friday afternoon, and this is a bit much for my brain on a Friday afternoon, to go into the details of how you're actually doing this, but basically if you move into the realms of encryption which cannot be broken using quantum computing, you're going to solve the ransomware issue.

I'd say one other thing, though, is that there are a number of security controls that are more accessible and possible to be deployed at that level, and I think they're highly secure. So if we fund innovation, and that's one of the reasons why we're here, NCSC for Startups is for innovators to bring solutions that are accessible for, as Jeremy Fleming says, defending the digital homeland, which I think is extremely important. As I spoke about, the attacks are on individuals, unlike a regular war which is among soldiers, although Putin obviously thinks differently. It's something which attacks every one of us, and that requires us to empower all the individuals and enterprises to take back the control and take a level of security, and that requires a lot of British innovation and solutions that we can have to have that control. But we have to work together, and we have to empower the companies to do that. So I think that's really important, that there is a groundswell movement and we understand that every one of us is subject to those attacks.

So I think we've got time for one more question, over there.

What's the panel's view on government agencies and divisions actually going after ransomware gangs that are impacting national infrastructure? With the Colonial Pipeline, I think the threat actors were suddenly very worried that they'd got certainly the American government's spotlights turned on them. Should European agencies and governments, with the US and so on, start going after them, almost attacking back, hacking back? What's the panel's view?

So, I'm just going to put the disclaimer out there: I represent myself and these are entirely my own views, not Validato's. Absolutely, why not? It's a threat to national security; why should they not go after them and take them down? The question is where do you draw the line with regards to the law. It's very much like turning around and saying, are we happy for our intelligence agencies to commit murder? Is that going to be something that's condoned in the national interest? So it then becomes something that ends up in the courts, and who knows where it's actually going to be. My personal feeling: help yourself, let's take them down.

But I don't think we should be weaponizing. I think it's very important for us to understand that we are... I do agree with Jeremy Fleming's point that cyber force should be a force for good, and we should not be getting down to those levels of weaponizing. So it is important for us to take action and respond, but that doesn't mean that we engage in that. I think we have to game it out, we can't be naive about the response. I mean, I'm an ex-soldier, I believe in the defence, I think it's really important, but how we do that, I think we need to tread very carefully.

Cool, I think that concludes our panel, so if everyone can give a round of applause to all our panelists.