ITSPmagazine Podcast Network

The Ransomware Threat and the Resilience Imperative | A HITRUST Collaborate 2024 Conversation with Allan Liska | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join Sean Martin and Marco Ciappelli as they explore the pressing issue of ransomware resilience in healthcare with Allan Liska, an intelligence analyst from Recorded Future, sharing practical insights on proactive defenses and preparedness. This episode, recorded for the HITRUST Collaborate Conference in Dallas, TX, highlights the critical importance of comprehensive tabletop exercises and leadership involvement in safeguarding against cyber threats.

Episode Notes

Guest: Allan Liska, Senior Security Architect and Ransomware Specialist, Recorded Future [@RecordedFuture]

On LinkedIn | https://www.linkedin.com/in/allan2

On Twitter | https://twitter.com/uuallan

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

In this episode of the On Location with Sean and Marco podcast, recorded for the HITRUST Collaborate Conference in Dallas, TX, hosts Sean Martin and Marco Ciappelli engage in a dynamic conversation around the theme of cybersecurity in healthcare, specifically focusing on ransomware resilience. Sean and Marco are joined by Allan Liska for an insightful discussion on the current state of ransomware and the importance of proactive defenses.

The episode begins with Sean and Marco acknowledging the hectic nature of their schedule, emphasizing their excitement for the upcoming events. Sean mentions his active participation at the HITRUST conference, working closely with risk management and compliance experts, while Marco expresses his envy yet supports Sean’s engagements.

Allan Liska, the guest of this episode, brings a wealth of knowledge as an intelligence analyst specializing in ransomware research at Recorded Future. Allan delineates the ongoing challenges faced by organizations, particularly in healthcare, in mitigating ransomware threats. He highlights the increase in law enforcement activities targeting ransomware groups, which has led to more internal drama within the cybercriminal community, making the topic more relatable and urgent for organizations.

A substantial part of the conversation revolves around the significance of tabletop exercises in preparing organizations for ransomware incidents. Allan stresses that effective tabletop exercises must involve representatives from across the entire organization, ensuring comprehensive preparedness. The exercises should be engaging and realistic, incorporating lessons learned to update incident response plans continually. Allan also recommends keeping out-of-band communication methods ready, such as using Signal, to ensure seamless operations during a ransomware attack.

The importance of leadership buy-in is underlined, with Allan explaining how having senior leaders understand and support these exercises can significantly enhance the overall security posture. The discussion touches on common pitfalls, such as the assumption that backups alone will suffice, highlighting the necessity of regular, holistic testing of recovery processes.

The hosts also reflect on the collaborative aspect of the HITRUST conference, noting that it provides an invaluable opportunity for participants to network, share best practices, and learn from each other's experiences. That's precisely the spirit Allan hopes to capture during his session at the conference.

In conclusion, this episode is a deep dive into the complexities of ransomware defense, offering practical advice and underscoring the collective effort required to protect healthcare systems against cyber threats. Sean and Marco invite listeners to stay engaged and informed through their podcast series, promising more enlightening discussions on critical cybersecurity topics.

____________________________

This Episode’s Sponsors

HITRUST: https://itspm.ag/itsphitweb

____________________________

Follow our HITRUST Collaborate 2024 coverage: https://www.itspmagazine.com/hitrust-collaborate-2024-information-risk-management-and-compliance-event-coverage-frisco-texas

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllSjVk_qSl7vkUafmICX9Rle

Be sure to share and subscribe!

____________________________

Resources

The Ransomware Threat and the Resilience Imperative (Session): https://www.hitrustevents.com/event/HITRUSTCollaborate2024/websitePage:645d57e4-75eb-4769-b2c0-f201a0bfc6ce?session=3448b1bf-3996-4945-95ed-bd957710b0ac

Learn more about HITRUST Collaborate 2024 and register for the conference: https://itspm.ag/hitrusmxay

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Are you interested in sponsoring our event coverage with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Want to tell your Brand Story as part of our event coverage?

Learn More 👉 https://itspm.ag/evtcovbrf

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] Marco. 
 

Marco Ciappelli: Sean. It's a busy month. It is busy. What is it, our third, uh, on location episode today already?  
 

Sean Martin: I know, it's the third one today. Something like that. Anyway, this time we're What's that?  
 

Marco Ciappelli: No, I just want to point out that we are covering two events coming up. There's more, but you're going and I'm not, so truth, I'm going to visit my family in Europe.
 

Sean Martin: Yeah, you're getting nothing against the events, but your parents are cool.  
 

Marco Ciappelli: I know, yeah, of course, of course, of course. But I'm kind of jealous because you're going to meet a lot of cool people and attend really cool conferences. And I think you've done this before, a few times.  
 

Sean Martin: I've been to Collaborate quite a few times and it's always a treat to work with the HITRUST team and, and hear all about what's going on with respect to risk management and compliance and governance and, and, uh, managing [00:01:00] policies and controls to keep ahead of all the bad stuff that's going on that impacts health care, the first base, but also broader into finance and retail and critical infrastructure, you name it. Uh, HITRUST is helping folks to do better with their security and risk management programs, and Collaborate's all about bringing that community together, the folks who write the policies, the folks who deploy the controls, the folks that assess them, the folks that attest to them and, and, uh, provide the assurance.

So it's the full circle of bringing everybody together within the organization to deliver, deliver high value in, uh, in assurance that protecting the business and the data and the people that, uh, leverage their services. So, I'm going to be doing a, uh, a fireside chat with, uh, Dan Nutkis and a few others, uh, as part of the opening of the, of the first day and then, uh, shortly after, our guest on the show today, Allan Liska, is going to be talking about ransomware and [00:02:00] healthcare.

Allan, good to see you.
 

Allan Liska: Good to see you again. Thank you for having me on.  
 

Sean Martin: Yep, it's good to have you on again. Our last chat was about the comic book you wrote, which is really cool. And, uh, so I would encourage everybody to listen to that, um, which is a fun, a fun topic and you put it together in a fun way. 
 

Ransomware, maybe not so much fun, especially if you're on the receiving end of, uh, of the alerts and the notices. Um, before we get into the session and all the good stuff you're gonna be doing there, Collaborate 2024, which is in Frisco, Texas on, uh, what day is it? The, I'll have to look that up here in a second.

Um, but, uh, a few words about what you do at Recorded Future. I know you get to play with all, all kinds of fun stuff on dark web and threat intel, a lot of things that people don't necessarily know is going on, right? Because they're not in that world. So tell us about your role.
 

Allan Liska: Yeah. So I'm an intelligence analyst and I focus on [00:03:00] ransomware research specifically. 
 

So one of the nice things about working in Recorded Future is because we have such a big intelligence team, I don't have to pretend to be an expert in what Kim Jong Un is doing or what's going on between China and Taiwan. I get to focus just on ransomware, which after eight years of doing it, I'm really sick of talking about it, but nobody, but it's not going away.
 

So I don't get to stop talking about it just cause I don't want to hear about it. Just like I'm sure a lot of executives who are going to be at a ransomware. Um, but it's, Not stopping. So unfortunately, we have to keep talking about it.  
 

Marco Ciappelli: Yeah, I hope you're gonna make it fun, though. 
 

Allan Liska: I try.  
 

Marco Ciappelli: Can you make ransomware fun? 
 

Allan Liska: So actually, it's been interesting because this year, unlike any other year, a lot of [00:04:00] the conversations that I have around ransomware normally involve TTPs. It's, you know, here's the technical thing that the bad guys are doing. Here is the, you know, here, here are the domains or the IPs or whatever you need to worry about.

But this year in particular has been almost like a crossover between Law and Order and Real Housewives of ransomware. Um, and so that makes for at least a more interesting conversation because we really have seen more sustained law enforcement activity this year than we have at any point in the past.

And what that's done is that's led to, and this is intentional on the part of law enforcement, it's led to so much drama, uh, in the ransomware community. And of course, like you said, you know, because we monitor these underground forums and, and the places where all the bad guys hang out, we get to see all the drama.
 

And that's something we don't normally get to see. So there is [00:05:00] that component of it that does make it at least a little more interesting to people who aren't kind of, you know, heads down embedded in it,  
 

Marco Ciappelli: Maybe a little bit more real. It doesn't feel like it's something that happens somewhere in the virtual world, but it's actually hitting very close to home.
 

Allan Liska: Absolutely. I mean, you know, it definitely feels that way for a lot of people because. Because we're seeing all of this drama and, and that spills out and that spills out with victims and, and, and everything else, I think it does hit a little, little closer to home and, and that stinks, but it's also great because the more people can relate to it, the more people understand that this is a serious threat that they have to be aware of. 
 

Sean Martin: So you use the word stink. For those listening, you can't see behind Allan, uh, the ransomware sommelier, [00:06:00] so hang on his door. Um, I can't help but connect those two where I'm swirling a glass of ransomware and giving it a sniff. And the reason I'm doing that is there's a story there and I'm connecting this to your, your session as well.
 

But then you're going to talk about tabletop exercises. Right. And, and kind of running through what organizations need to do to become resilient, which seems to be a hot topic in the last few months, for sure. Um, how important is it for organizations to, I mean, use, use some TV show examples of like a combination of things to understand what's going on. 
 

How important is it to maybe make, well, first off, just do tabletop exercises so you can understand how this might impact you, but perhaps make them So people actually remember what's going on and not just go through the motions.  
 

Allan Liska: I tell people all the time, take a page out of D&D. Um, I know that's super [00:07:00] geeky and a lot of people aren't going to get that.

Um, uh, uh, but, but you want to make it entertaining because, so, tabletop exercises only work when the whole organization is involved. And obviously I don't mean for like a large hospital, everybody in the world has to be involved, but you have to have representatives from every department. And if you make it dry and bland and focus on the IT stuff while they just kind of listen in, then it's not going to be entertaining.

But when a ransomware attack happens, it's a whole organization challenge that has to be dealt with, you know, and again, when we're focusing on hospitals, it's going to be nurses having to go back to pen and paper. It's going to be doctors having to manually run orders down to the lab and things like that, right?
 

So you cannot prepare your response in a vacuum just by talking to the other technical teams. You need to bring in these [00:08:00] other departments so that everybody understands. what's going to have to happen if you get hit with a ransomware attack. Now, ideally the tabletop exercises help prevent that, right? 
 

That the idea is you take the lessons that you learn from a good tabletop exercise and you use those lessons to improve your security. So you're hopefully stopping the ransomware attack. But in case it doesn't, you need to make sure that everybody in the, in the hospital or whatever your organization is, understand what's going to happen if there is a successful ransomware attack so that, you know, nobody's kind of running around blind. 
 

Everybody's prepared for it.  
 

Sean Martin: And in your session description, the word assumption is in there at least once. And, uh, you find a lot of organizations make a lot of assumptions. I'm just the easy one that comes to mind for me is, well, if this [00:09:00] particular part of the healthcare network goes down, um, we'll resolve that through communications and management over here, probably leverages some technology, which, by the way, an assumption that the technology's there may not be accurate, right?
 

To your point of manually writing orders and things like that. Are there a number of assumptions that you think organizations have to kind of shake themselves out of, or at least reevaluate them? Oh yeah, absolutely.  
 

Allan Liska: Absolutely. I mean, so one of the, one of the biggest assumptions people make is, ransomware. 
 

We'll get everything restored from backup. Now there are two potential problems with that. One is the bad guys know that and they try and encrypt your backups. But let's say that even there, they fail there. You've actually done the 3-2-1 rule where you have three copies on two different media, one of which is offsite or, or at least offline.

And so you are able to restore. [00:10:00] The assumption is, okay, great. We'll be back up in a couple of days. Until you start actually doing the restoring and you realize that you've only ever tested a backup of one server failing and restoring it, and you can do that in a couple of hours. Well, well, now you have 200 servers down and it's going to take a couple of hours per server to restore it because you only have so much network bandwidth and CPU bandwidth and so on. Well, now your couple of days has now turned into a couple of months. And, and so those are, that's one big assumption that tabletop exercises can help.

Um, you know, can help explain. Actually having the people in charge of your backups there, saying, hey, what happens if 200 servers need to be restored? How long is that going to take? And you kind of see the light bulbs go off over people's head as they realize, oh. Oh, okay. It's better if we don't have to restore from backup. I mean, it's good if we have it there. But, you know, it's better if we don't [00:11:00] have to restore from backup by preventing it in the first place. And then the other one that you see a lot that you mentioned, that, that comes up a lot is oftentimes there's an assumption from like the security team that the IT team does something a certain way and you find out, oh no, we don't because we've outsourced that to this company.
 

Okay. Well, is that company here? Well, no, we didn't invite them to tabletop exercise. Okay. Well we need to bring them in so that we can make sure that this process is actually going to go the way that we all think. So, and, and, and that, that's a really good part of it. And the nice thing is. So many vendors want to help out with tabletop exercises. 
 

One, it's a great way to show their value to you. Um, and it's a great way to show that, that you will be there for your customer in the time of, of an emergency. So make sure that, you know, like you're inviting vendors and you're inviting the teams that you've outsourced things to that are going to be part of this exercise. 
 

Sean Martin: And that's one of [00:12:00] the reasons I love Collaborate. 'Cause it's like, as I mentioned in the beginning, they have the full spectrum of these folks there to talk about prevention and detection and policy and controls and, and response, which, uh, is a key part of it. Insurance. I know there's going to be a lot of talk about cyber insurance as well during the event, Marco.
 

Allan Liska: And one important thing, if you're going to invite your vendors, make them pay for lunch,
 

Sean Martin: not pizza, something nice. Well, pizza  
 

Allan Liska: pizza.  
 

Marco Ciappelli: So based, based on, on. Picture that you're there. You're painting here. We sometimes often I think we even ourself. We talk about one topic, and it seems like that topic is isolated from everything else. 
 

But when something happened, it's not just that one thing. It comes with a lot of other things. So I can see the idea of putting more vendors together to to help prepare because it's not just that one thing. Um, [00:13:00] is it getting better? To, to have a structure of different experts collaborating, you know, uh, cooperating into, into make our healthcare system in this case, for example, more resilient to stand off. 
 

Let's see what happens.  
 

Allan Liska: It is, you know, it's certainly better to have more experts there. You know, they, they, the old adage is too many cooks spoil the soup. Um, but in this case, as long as everybody knows you are running it, whoever the you is, um, you know, whether it's somebody in your security team, whether it's your CISO, whether it's you've bought in a third party that specifically runs these tabletop exercises, as long as everybody knows
 

who's in charge, having as many experts as possible there because you want that, that, that, um, that, that [00:14:00] domain knowledge. Um, so it is good. And I do see more organizations doing this. The problem is a lot of these are limited to the larger healthcare providers, which again, specifically talking about healthcare, but it applies in general to any industry. 
 

The larger ones can afford to do that. If you're a small rural hospital or small, small manufacturing company, you don't have the time or it doesn't feel like you have the time to pull people away for a whole day for an exercise or even, you know, the recommended twice a year or whatever. That's why I do like that, you know, CISA and a number of other places have these kind of, uh, tabletop exercise in a box thing where, okay, if we're not going to be able to pull everybody together in a way that we'd like for a whole day,

we can get a partial day over Zoom. It's not as great, but at least, you know, using the, the sort of the pre sorted things, we can [00:15:00] get some of the basics out there and still get that knowledge. Again, having everybody in one place at the same time is always better, but you do what you can with the resources that you have, with the limited time and availability that you have.
 

Sean Martin: Yeah, something is better than nothing, more is better than less. Exactly. Do something, do something. Um, can you talk us through, obviously you're going to focus in on healthcare, um, a lot of healthcare folks will be attending the event, but um, I presume it's probably Because it's been a target, uh, very frequently and successfully. 
 

And there's been impacts that have been reported on. So I can understand that. And you're going, you're probably going to talk through scenarios, kind of like we've touched on a few of them here. Um, but. Who, who are you speaking to? Is it, who is the audience? What do you hope they'll take away from the conversation? 
 

And I don't know [00:16:00] if you can put it like an outline together of some of the things you'll, you'll touch on throughout the session. That would be cool.  
 

Allan Liska: Yeah. So tabletop exercises work best when they have senior leadership buy-in. Um, and so ultimately while the talk is meant for everybody, I really hope that any senior leaders
 

that are there will understand the importance of this. And I want to stress it to them because I want them thinking about it. Yes, your security team is probably telling you about, you know, various, uh, you know, various tabletop exercises and so on. But oftentimes I, unfortunately, and I hate that this is a fact of life. 
 

You need some, you know, some jackass from the outside to come in and tell you the same thing that your team has been telling you before you listen. So I'm going to be that jackass. 
 

Um, but yeah, yeah. So, so, but, but I also want to give a lot of practical advice, you know, [00:17:00] some of the things that we've already talked about here, making sure you have multiple teams together, making sure that you're trying to get together at least once a year while keeping the updates going, keeping the, like doing quarterly updates. 
 

So again, you run through your tabletop exercise, you find flaws. That's the whole point of a tabletop exercise, is to find what the flaws were, you know, you know, come, you know, get through your assumptions, and then do quarterly check-ins. And that's all remotely to the team saying, hey, we've updated this, we've updated that, and make sure that's documented somewhere.
 

And then very importantly, just in case everything goes wrong, make sure whatever that new documentation is, you've got a copy offline. Um, so that when it's time to respond, you've got that incident response playbook. And that's one of the things that this can help do. You start with the baseline of what your ransomware incident response is going to be. 
 

Then as you make updates, you update that incident response, [00:18:00] keep a copy offline again. And, and you have that, that, that, that thing to refer to. The other thing that I'm going to tell people to do, and I hope they listening to hear do this is one of the things you should be setting up during this tabletop exercise is what is your out of band communication method. 
 

Because the ransomware actors are going to be sitting on your mail server. They're going to be, we've seen it. They sit in your Slack channel. Like, so you don't want to use your team server. You don't want to use your normal methods of communication as you're doing your incident response. You know, uh, at Recorded Future,

we use Signal for out-of-band. Um, and, and you know, you know, and that, that works great for us. You may have different requirements.
 

Sean Martin: I know. I'm kidding.  
 

Marco Ciappelli: Yeah, yeah, exactly. I know. I'm the one.

Allan Liska: I knew you were on there. Um,
 

Sean Martin: no, that's a great point. Great point.  
 

Allan Liska: Yeah. Um, [00:19:00] and so setting that up so that you know what the call tree is and how you're gonna get ahold of everybody. 
 

And again, that's part of that not scrambling day of. And the other thing is. Who is going to be your response coach? Like there's got to be somebody that's going to be the center point of coordination. It should probably not be somebody on the security team because they're going to be overwhelmed or the IT team. 
 

They're going to be overwhelmed, but somebody who, you know, who can easily get a hold of them, talk to them, get updates to wherever those updates need to go.  
 

Marco Ciappelli: Now, some folks are going to hate me now, but isn't once a year a little too little?  
 

Allan Liska: Oh, yeah, I agree. No, I mean, so I think twice a year would be ideal. 
 

Um, again, with quarterly updates. Yeah. I also know the reality of trying to get everybody together once a year is really hard. So let's start with once a year and if it turns out to work really well, [00:20:00] hopefully you can then do this to do it twice a year and again, keep those quarterly updates coming. But More importantly, use that. 
 

If you only get that one year, use that to build relationships. Too often security teams are isolated. They're, they're in the corner separate from all the other business units. This is one way you get to introduce yourself to the other business units and then take advantage of that, to go talk to them, to understand what's going on because often we don't understand what the business requirements are, at least not as well as we should, because it then, that makes it harder for us to prioritize incident response and protections and investments in additional security features if we don't understand what's going on in the rest of the business.
 

So even if you can only do once a year, hopefully you're using this limited time to build those relationships and getting to know those other teams so that you become one of their trusted partners. [00:21:00]  
 

Marco Ciappelli: So pretty much collaborate,  
 

Allan Liska: right? 100%. Absolutely.  
 

Sean Martin: And that, and that's, what's cool. I'm going to bring it back to the, to the broader conference. 
 

'Cause Collaborate, uh, which is October 3rd through the first, by the way, your session's, uh, roughly midday on the, uh, on the first, three o'clock roughly. And, um, I guess the point I want to make is clearly on your session, there's going to be a hit. I think it's, it's a tough topic. People don't want to hear it, but I think they'll enjoy how you present it.

They'll get a lot of learning from, from how you present it. Share what you know from working with organizations and seeing what's going on underneath in the dark web and whatnot, but equally important, uh, the room is going to be filled with people like our listeners and it's a chance to hear what Allan says [00:22:00] and
 

I have a chat with the person sitting next to you. I have a chat with a few folks in the conference or in the hallway. I have a chat at dinner during the receptions about how they run their, their programs, their exercises, lessons learned. You're going to share a lot. Hopefully they'll, they'll engage with you and ask you questions. 
 

More importantly, not more important, but equally important chat with each other, because that's the power of collaborative. It's a, it's a decent size group, but a very intimate and trusting set of folks that come together because they work with each other all the time. So it's a chance to chance to learn from each other. 
 

So that's, I guess, my main point. Yeah, I'm sad we have to talk about it. I'm thrilled you are talking about it because we still need to get a better handle on it. And, uh, October 1st, 3:05, main session. That's the STAR Ballroom. It's at HITRUST Collaborate 2024, Frisco, Texas. That's the STAR, which is Dallas [00:23:00] Cowboys headquarters.

So that's going to be a cool, a cool place to be. And I'm sure we'll, we'll soak in some of the, uh, the NFL energy, maybe, maybe pick up some of the coaching, uh, the coaching experience there as well, or energy from there as well. So good stuff, Allan. It's a pleasure chatting with you and, uh, excited to see your session there in person.
 

And hopefully lots of people join us and I look forward to seeing you all there when we arrive  
 

Allan Liska: Thank you, and thank you all for your time today. I really appreciate it. Marco, it's great to finally meet you.

Marco Ciappelli: Yeah, unfortunately not gonna happen this year there, but, uh, you know, virtual for me became part of reality.

So I'll take it as we just, uh, we just hang out. So, and as we hang out and Sean get to hang out with all of you, I'm inviting everybody listening right now to hang out with us. Subscribe to the On Location with Sean and Marco, and we have a [00:24:00] lot going on. This is one important piece and there are many others.
 

So subscribe, stay with us and that's it. Until the next one.  
 

Sean Martin: Until the next one. Be sure to check out the first episode with the organizers. You'll get a nice overview of all the stuff that's going on those few days. Alright, see everybody there. Thank you.