1
00:00:01,334 --> 00:00:02,585
It's very easy to say

2
00:00:02,585 --> 00:00:04,170
never pay from a distance.

3
00:00:04,170 --> 00:00:06,214
But you know when your systems are down

4
00:00:06,214 --> 00:00:08,049
and backups are gone

5
00:00:08,049 --> 00:00:09,634
and millions are bleeding

6
00:00:09,634 --> 00:00:11,970
out of the business daily. It's survival.

7
00:00:11,970 --> 00:00:13,596
No one wants to fund crime,

8
00:00:13,596 --> 00:00:14,806
but sometimes you're

9
00:00:14,806 --> 00:00:16,683
buying your time to live and your

10
00:00:16,683 --> 00:00:18,560
business has to do it.

11
00:00:18,560 --> 00:00:19,728
If it wants to survive.

12
00:00:19,728 --> 00:00:21,855
It's not about your reputation anymore.

13
00:00:21,855 --> 00:00:23,648
It's not about your clients even anymore.

14
00:00:23,648 --> 00:00:24,941
It's about survival.

15
00:00:24,941 --> 00:00:26,234
Welcome to The CISO Signal

16
00:00:26,234 --> 00:00:28,778
the true cyber crime podcast.

17
00:00:28,778 --> 00:00:30,280
I'm Jeremy Ladner.

18
00:00:30,280 --> 00:00:31,239
On this episode,

19
00:00:31,239 --> 00:00:33,575
the company that insures risk

20
00:00:33,575 --> 00:00:35,285
became the risk.

21
00:00:35,285 --> 00:00:37,662
In March 2021, CNA Insurance,

22
00:00:37,662 --> 00:00:39,914
one of the largest commercial insurers

23
00:00:39,914 --> 00:00:42,917
in the U.S., fell victim to a ransomware

24
00:00:42,917 --> 00:00:46,629
attack that encrypted 15,000 devices

25
00:00:46,880 --> 00:00:47,672
and compromised

26
00:00:47,672 --> 00:00:48,506
customer data,

27
00:00:48,506 --> 00:00:50,341
forcing the shutdown of its systems

28
00:00:50,341 --> 00:00:51,676
for weeks.

29
00:00:51,676 --> 00:00:54,095
The breach didn't just steal data,

30
00:00:54,095 --> 00:00:54,846
it stripped away

31
00:00:54,846 --> 00:00:56,639
the illusion of preparedness

32
00:00:56,639 --> 00:00:57,891
for an organization

33
00:00:57,891 --> 00:00:59,809
built to model probability,

34
00:00:59,809 --> 00:01:03,188
quantify exposure and price protection.

35
00:01:03,813 --> 00:01:05,231
It was the ultimate irony.

36
00:01:05,231 --> 00:01:07,358
They didn't underwrite the threat.

37
00:01:07,358 --> 00:01:09,360
They underestimated it.

38
00:01:09,360 --> 00:01:12,155
Joining us is our CISO co-host Matan Eli

39
00:01:12,155 --> 00:01:14,407
Matalon, an incident response leader

40
00:01:14,407 --> 00:01:15,658
and security strategist

41
00:01:15,658 --> 00:01:17,494
with experience across the startup world,

42
00:01:17,494 --> 00:01:18,828
military intelligence

43
00:01:18,828 --> 00:01:21,456
and enterprise defense. Matan,

44
00:01:21,456 --> 00:01:22,624
welcome to the show.

45
00:01:22,624 --> 00:01:23,833
Can you tell us a bit about yourself?

46
00:01:23,833 --> 00:01:24,459
Awesome.

47
00:01:24,459 --> 00:01:26,669
So my name is Matan.

48
00:01:26,669 --> 00:01:29,672
I am CISO for OP Innovate.

49
00:01:29,714 --> 00:01:30,298
OP Innovate -

50
00:01:30,298 --> 00:01:32,258
We're basically a cybersecurity company

51
00:01:32,258 --> 00:01:33,718
that focuses on both

52
00:01:33,718 --> 00:01:34,928
preventing attacks

53
00:01:34,928 --> 00:01:36,971
and helping organizations respond

54
00:01:36,971 --> 00:01:38,556
when things go wrong. You know?

55
00:01:38,556 --> 00:01:40,058
Proactive side.

56
00:01:40,058 --> 00:01:41,684
We do a lot of deep dive penetration

57
00:01:41,684 --> 00:01:43,186
testing to help companies

58
00:01:43,186 --> 00:01:44,687
find and fix weaknesses

59
00:01:44,687 --> 00:01:46,231
before attackers do.

60
00:01:46,231 --> 00:01:47,398
But we also are the team

61
00:01:47,398 --> 00:01:48,316
that gets called up

62
00:01:48,316 --> 00:01:49,484
when fires already started.

63
00:01:49,484 --> 00:01:51,319
You know - incident response

64
00:01:51,319 --> 00:01:52,987
forensics, helping

65
00:01:52,987 --> 00:01:54,447
companies get back on their feet.

66
00:01:55,406 --> 00:01:55,824
Thank you.

67
00:01:55,824 --> 00:01:56,449
Matan.

68
00:01:56,449 --> 00:01:57,242
Now...

69
00:01:57,242 --> 00:02:00,245
Let's get started with the investigation.

70
00:02:00,537 --> 00:02:03,540
We are in the midst of a ceaseless war.

71
00:02:03,623 --> 00:02:06,793
Not of bombs or bullets, but of breaches,

72
00:02:07,252 --> 00:02:10,255
firewalls and silent incursions.

73
00:02:10,713 --> 00:02:11,589
The targets,

74
00:02:11,589 --> 00:02:14,384
our borders, our banks, our commerce

75
00:02:14,384 --> 00:02:15,760
and the critical infrastructure

76
00:02:15,760 --> 00:02:18,555
that underpins a free civilization.

77
00:02:18,555 --> 00:02:20,765
The enemy is cloaked in code,

78
00:02:20,765 --> 00:02:23,143
fueled by greed, glory,

79
00:02:23,143 --> 00:02:26,020
and a desire for chaos.

80
00:02:26,020 --> 00:02:28,314
This is the story of the unseen

81
00:02:28,314 --> 00:02:30,984
protectors, the nameless generals,

82
00:02:30,984 --> 00:02:32,402
the CISOs,

83
00:02:32,402 --> 00:02:35,405
chief information security officers.

84
00:02:35,864 --> 00:02:38,199
They are the guardians at the gate.

85
00:02:38,199 --> 00:02:40,326
Watchers on the wall.

86
00:02:40,326 --> 00:02:43,329
Ever vigilant and always listening

87
00:02:43,705 --> 00:02:46,708
for The CISO Signal.

88
00:02:53,256 --> 00:02:55,300
There's a kind of silence

89
00:02:55,300 --> 00:02:57,886
no company trains for.

90
00:02:57,886 --> 00:02:59,345
Not the silence of idle

91
00:02:59,345 --> 00:03:02,307
inboxes or frozen dashboards,

92
00:03:02,307 --> 00:03:04,893
but the deep, airless quiet

93
00:03:04,893 --> 00:03:07,896
that follows total digital collapse.

94
00:03:08,980 --> 00:03:10,481
In March 2021,

95
00:03:10,481 --> 00:03:11,983
CNA Financial,

96
00:03:11,983 --> 00:03:12,609
one of the

97
00:03:12,609 --> 00:03:13,943
largest insurance

98
00:03:13,943 --> 00:03:16,362
carriers in the United States,

99
00:03:16,362 --> 00:03:19,240
fell dark. Not a power outage.

100
00:03:19,240 --> 00:03:21,659
A ransomware attack.

101
00:03:21,659 --> 00:03:24,704
15,000 machines were encrypted,

102
00:03:25,079 --> 00:03:28,124
phones offline, email gone,

103
00:03:29,000 --> 00:03:32,003
an entire enterprise unplugged

104
00:03:32,170 --> 00:03:34,255
from itself.

105
00:03:34,255 --> 00:03:35,590
The attackers didn't boast.

106
00:03:35,590 --> 00:03:38,259
They didn't break things for fun.

107
00:03:38,259 --> 00:03:42,013
They came with a purpose and a number:

108
00:03:42,764 --> 00:03:45,725
$40 million.

109
00:03:45,975 --> 00:03:47,227
At the time,

110
00:03:47,227 --> 00:03:48,228
it was the largest

111
00:03:48,228 --> 00:03:49,145
known ransom

112
00:03:49,145 --> 00:03:52,148
demand in history by multiples.

113
00:03:52,232 --> 00:03:54,901
But this wasn't just any company.

114
00:03:54,901 --> 00:03:55,693
CNA didn't

115
00:03:55,693 --> 00:03:58,696
just insure factories and fleets,

116
00:03:58,738 --> 00:04:01,741
they insured cyber risk.

117
00:04:01,991 --> 00:04:04,410
They held the names of businesses

118
00:04:04,410 --> 00:04:07,121
already worried about breaches.

119
00:04:07,121 --> 00:04:09,582
Organizations that paid

120
00:04:09,582 --> 00:04:12,794
for protection to the right adversary.

121
00:04:12,794 --> 00:04:15,630
That's not just a customer database.

122
00:04:15,630 --> 00:04:18,883
It's a blueprint for who will pay next.

123
00:04:19,259 --> 00:04:22,262
A list of future victims.

124
00:04:22,512 --> 00:04:25,515
And if that list got out,

125
00:04:25,640 --> 00:04:28,476
it wasn't just CNA’s systems at risk,

126
00:04:28,476 --> 00:04:31,354
it was everyone they'd sworn to protect.

127
00:04:32,563 --> 00:04:35,525
This is the story of CNA Financial,

128
00:04:35,900 --> 00:04:39,612
a 100 year old giant brought to its knees

129
00:04:39,988 --> 00:04:43,533
by a breach no one saw coming.

130
00:04:43,533 --> 00:04:46,536
And this... is The CISO Signal.

131
00:04:48,871 --> 00:04:51,165
So let's talk about CNA,

132
00:04:51,165 --> 00:04:52,875
in general at first,

133
00:04:52,875 --> 00:04:53,793
and then we'll kind of dive

134
00:04:53,793 --> 00:04:54,502
into some details.

135
00:04:54,502 --> 00:04:59,590
But because you are this CISO for hire,

136
00:04:59,674 --> 00:05:02,468
or outsourced CISO,

137
00:05:02,468 --> 00:05:03,469
you're often called in

138
00:05:03,469 --> 00:05:05,179
when something's already gone wrong.

139
00:05:05,179 --> 00:05:05,805
I think you mentioned

140
00:05:05,805 --> 00:05:07,682
that as well in your introduction.

141
00:05:07,682 --> 00:05:10,059
What does that moment feel like

142
00:05:10,059 --> 00:05:11,894
when you get that call,

143
00:05:11,894 --> 00:05:13,563
that emergency panicked call,

144
00:05:13,563 --> 00:05:15,106
whether it's a late night,

145
00:05:15,106 --> 00:05:17,025
maybe it's on the weekend.

146
00:05:17,025 --> 00:05:18,359
What's that feeling?

147
00:05:18,359 --> 00:05:19,986
Yeah, I mean, it happens

148
00:05:19,986 --> 00:05:21,487
way more times than I can count.

149
00:05:21,487 --> 00:05:23,740
A CISO, especially the CISO as a Service.

150
00:05:23,740 --> 00:05:25,366
And then incident response,

151
00:05:25,366 --> 00:05:26,409
you know, manager

152
00:05:26,409 --> 00:05:28,119
is it's not only a technical role,

153
00:05:28,119 --> 00:05:30,246
but it's also like a psychological one.

154
00:05:30,246 --> 00:05:31,247
It's an emotional one.

155
00:05:31,247 --> 00:05:33,082
You were like their shrink.

156
00:05:33,082 --> 00:05:34,500
It's not only to come

157
00:05:34,500 --> 00:05:35,626
and solve the problem,

158
00:05:35,626 --> 00:05:37,795
but it's also to make sure they are

159
00:05:37,795 --> 00:05:38,755
relaxed enough

160
00:05:38,755 --> 00:05:39,714
and confident enough

161
00:05:39,714 --> 00:05:42,008
and trusting you into managing this.

162
00:05:42,008 --> 00:05:43,926
So it's about coming in

163
00:05:43,926 --> 00:05:45,970
and building that initial trust

164
00:05:45,970 --> 00:05:47,055
between the parties,

165
00:05:47,055 --> 00:05:48,723
making sure they understand

166
00:05:48,723 --> 00:05:49,932
where you're coming from,

167
00:05:49,932 --> 00:05:51,434
what you're trying to achieve,

168
00:05:51,434 --> 00:05:54,437
that you're here for them, not for me,

169
00:05:54,645 --> 00:05:56,439
for anyone else, for the business.

170
00:05:56,439 --> 00:05:57,774
This is your main goal.

171
00:05:57,774 --> 00:05:59,984
And when you set that initial trust,

172
00:05:59,984 --> 00:06:01,778
it's easier to come in and

173
00:06:01,778 --> 00:06:03,154
start working

174
00:06:03,154 --> 00:06:05,406
and get to the bottom of the incident.

175
00:06:08,951 --> 00:06:09,285
Do you

176
00:06:09,285 --> 00:06:12,372
remember a moment that really shook you,

177
00:06:12,372 --> 00:06:13,206
where the weight

178
00:06:13,206 --> 00:06:14,707
of the responsibility

179
00:06:14,707 --> 00:06:17,418
of being this guardian at the gate,

180
00:06:17,418 --> 00:06:20,046
protector, watcher on the wall

181
00:06:20,046 --> 00:06:21,047
landed with you,

182
00:06:21,047 --> 00:06:23,132
and you realized the responsibility

183
00:06:23,132 --> 00:06:23,800
and the magnitude

184
00:06:23,800 --> 00:06:24,550
of the responsibility

185
00:06:24,550 --> 00:06:25,968
in protecting these organizations

186
00:06:25,968 --> 00:06:27,804
and these companies.

187
00:06:27,804 --> 00:06:28,388
Yeah.

188
00:06:28,388 --> 00:06:29,430
Not too long ago,

189
00:06:29,430 --> 00:06:30,932
I would say, like, two months ago,

190
00:06:30,932 --> 00:06:32,975
we had, a very big incident

191
00:06:32,975 --> 00:06:33,476
response

192
00:06:33,476 --> 00:06:35,019
for a major organization

193
00:06:35,019 --> 00:06:37,647
in the US where we got approached...

194
00:06:37,647 --> 00:06:39,941
They saw malicious activity

195
00:06:39,941 --> 00:06:40,775
and wanted one of their

196
00:06:40,775 --> 00:06:43,027
development environments,

197
00:06:43,027 --> 00:06:44,028
and they didn't really know

198
00:06:44,028 --> 00:06:45,029
what was going on

199
00:06:45,029 --> 00:06:48,533
and what made me feel really,

200
00:06:48,866 --> 00:06:50,076
really surreal

201
00:06:50,076 --> 00:06:50,660
is the fact

202
00:06:50,660 --> 00:06:52,537
that their security posture was good,

203
00:06:52,537 --> 00:06:54,163
their security posture was really good.

204
00:06:54,163 --> 00:06:54,872
It's 

205
00:06:54,872 --> 00:06:55,873
one that you,

206
00:06:55,873 --> 00:06:57,875
you know, expect to see at a client.

207
00:06:57,875 --> 00:06:59,377
You want to see at a client,

208
00:06:59,377 --> 00:06:59,836
they got

209
00:06:59,836 --> 00:07:01,546
every single tool in the book,

210
00:07:01,546 --> 00:07:03,714
they got their network segmented.

211
00:07:03,714 --> 00:07:06,175
They got the right VPN identity.

212
00:07:06,175 --> 00:07:07,051
They had everything.

213
00:07:07,051 --> 00:07:08,553
But they still got hit

214
00:07:08,553 --> 00:07:09,178
with something

215
00:07:09,178 --> 00:07:10,596
that at first,

216
00:07:10,596 --> 00:07:11,597
you didn't know what it was

217
00:07:11,597 --> 00:07:13,057
and how they got in.

218
00:07:13,057 --> 00:07:14,767
So that feeling is kind of it

219
00:07:14,767 --> 00:07:16,686
paralyzes you a little bit.

220
00:07:16,686 --> 00:07:18,354
You don't know where to start,

221
00:07:18,354 --> 00:07:19,647
why you want to check first.

222
00:07:19,647 --> 00:07:21,816
And this is the moment when you

223
00:07:21,816 --> 00:07:23,025
really get tested

224
00:07:23,025 --> 00:07:24,610
by your emotions, how you

225
00:07:24,610 --> 00:07:26,195
communicate with them,

226
00:07:26,195 --> 00:07:28,656
how you communicate with yourself.

227
00:07:28,656 --> 00:07:30,450
And what do you do first?

228
00:07:32,201 --> 00:07:33,494
We love making this

229
00:07:33,494 --> 00:07:34,662
podcast and we really hope

230
00:07:34,662 --> 00:07:36,164
that shows in the care

231
00:07:36,164 --> 00:07:37,665
and quality that we invest in it.

232
00:07:37,665 --> 00:07:39,125
And we would really appreciate it

233
00:07:39,125 --> 00:07:40,626
if you could take a moment to like

234
00:07:40,626 --> 00:07:42,044
and share it with your fellow

235
00:07:42,044 --> 00:07:43,296
security professionals,

236
00:07:43,296 --> 00:07:45,047
as well as dropping us a comment,

237
00:07:45,047 --> 00:07:47,717
letting us know what stories and guests

238
00:07:47,717 --> 00:07:49,552
you'd like to have on the podcast

239
00:07:49,552 --> 00:07:50,970
in future episodes.

240
00:07:50,970 --> 00:07:53,973
Now back to the story.

241
00:07:54,974 --> 00:07:55,933
Act 1

242
00:07:55,933 --> 00:07:58,936
The Risk Experts.

243
00:07:59,395 --> 00:08:01,814
CNA Financial didn't build cars.

244
00:08:01,814 --> 00:08:03,065
They didn't make software

245
00:08:03,065 --> 00:08:05,651
or manufacture microchips.

246
00:08:05,651 --> 00:08:08,112
They sold something harder to define

247
00:08:08,112 --> 00:08:10,698
and much harder to replace.

248
00:08:10,698 --> 00:08:12,575
Assurance.

249
00:08:12,575 --> 00:08:15,578
Founded in 1897, CNA

250
00:08:15,620 --> 00:08:17,622
had spent over a century building

251
00:08:17,622 --> 00:08:18,998
trust. Trust

252
00:08:18,998 --> 00:08:20,708
that losses could be managed,

253
00:08:20,708 --> 00:08:23,377
that disasters could be priced,

254
00:08:23,377 --> 00:08:27,006
prepared for and, if necessary, paid out.

255
00:08:27,882 --> 00:08:29,842
They were a backbone institution.

256
00:08:29,842 --> 00:08:31,552
They insured skyscrapers

257
00:08:31,552 --> 00:08:32,929
and shipping lines,

258
00:08:32,929 --> 00:08:34,514
but more recently

259
00:08:34,514 --> 00:08:38,100
they insured cyber. By 2021,

260
00:08:38,476 --> 00:08:40,436
CNA had become one of the largest

261
00:08:40,436 --> 00:08:43,439
cyber insurance providers in the US.

262
00:08:43,981 --> 00:08:46,025
Their policies covered ransomware.

263
00:08:46,025 --> 00:08:46,776
Their language

264
00:08:46,776 --> 00:08:48,611
warned of credential theft,

265
00:08:48,611 --> 00:08:51,447
lateral movement, exfiltration.

266
00:08:51,447 --> 00:08:54,242
Their job was to anticipate the breach

267
00:08:54,242 --> 00:08:56,118
before it happened. To study

268
00:08:56,118 --> 00:08:56,827
the attackers

269
00:08:56,827 --> 00:08:59,038
playbook and write policies

270
00:08:59,038 --> 00:09:02,041
that made the unthinkable manageable.

271
00:09:02,500 --> 00:09:05,503
But like many large, mature enterprises,

272
00:09:05,711 --> 00:09:07,088
CNA carried

273
00:09:07,088 --> 00:09:10,383
technical debt behind its sleek branding.

274
00:09:10,716 --> 00:09:13,719
Legacy systems, patchwork infrastructure,

275
00:09:13,761 --> 00:09:16,222
a hybrid of ‘on-prem’ servers

276
00:09:16,222 --> 00:09:19,600
and cloud migrations still in progress.

277
00:09:20,685 --> 00:09:21,811
And somewhere

278
00:09:21,811 --> 00:09:24,605
inside that hybrid sprawl,

279
00:09:24,605 --> 00:09:27,608
a door had been left open.

280
00:09:27,817 --> 00:09:30,820
It wasn't negligence, it was complexity.

281
00:09:31,028 --> 00:09:34,365
Years of mergers, years of integrations,

282
00:09:34,740 --> 00:09:37,743
systems designed for resilience,

283
00:09:38,077 --> 00:09:40,121
but not necessarily for speed

284
00:09:40,121 --> 00:09:41,789
or visibility.

285
00:09:41,789 --> 00:09:45,418
And so while CNA managed risk for others,

286
00:09:45,918 --> 00:09:48,921
they quietly inherited risk of their own.

287
00:09:49,046 --> 00:09:50,840
Internally, security tools

288
00:09:50,840 --> 00:09:52,633
hummed in the background.

289
00:09:52,633 --> 00:09:54,343
Phishing filters, VPNs,

290
00:09:54,343 --> 00:09:57,638
endpoint detection, the modern stack

291
00:09:57,638 --> 00:10:00,641
checked, maintained and compliant.

292
00:10:00,683 --> 00:10:03,102
But in practice,

293
00:10:03,102 --> 00:10:05,479
security wasn't just a product,

294
00:10:05,479 --> 00:10:06,606
it was a race.

295
00:10:06,606 --> 00:10:09,442
And in March 2021,

296
00:10:09,442 --> 00:10:10,776
someone else crossed

297
00:10:10,776 --> 00:10:12,486
the finish line first.

298
00:10:12,486 --> 00:10:14,155
They weren't a nation state,

299
00:10:14,155 --> 00:10:17,325
not a known APT, at least not yet.

300
00:10:18,075 --> 00:10:21,037
But what they had was patience

301
00:10:21,037 --> 00:10:22,330
and precision.

302
00:10:22,330 --> 00:10:24,624
The malware came quietly,

303
00:10:24,624 --> 00:10:26,167
not through a wide open door,

304
00:10:26,167 --> 00:10:29,170
but through a subtle gap in the frame.

305
00:10:29,587 --> 00:10:32,298
And once in, it didn't blink,

306
00:10:32,298 --> 00:10:33,507
it didn't pause.

307
00:10:33,507 --> 00:10:35,593
It just spread.

308
00:10:35,593 --> 00:10:37,595
By the time CNA realized

309
00:10:37,595 --> 00:10:38,596
what was happening,

310
00:10:38,596 --> 00:10:39,555
it wasn't just about

311
00:10:39,555 --> 00:10:41,641
defending their systems,

312
00:10:41,641 --> 00:10:42,642
it was about whether they could

313
00:10:42,642 --> 00:10:44,352
still defend anyone's.

314
00:10:50,232 --> 00:10:52,818
What do you wish people understood

315
00:10:52,818 --> 00:10:54,528
about being a CISO

316
00:10:54,528 --> 00:10:55,780
that never shows up

317
00:10:55,780 --> 00:10:57,156
in the job description?

318
00:10:57,156 --> 00:10:58,449
You're not only there

319
00:10:58,449 --> 00:11:00,493
to solve the technical problems,

320
00:11:00,493 --> 00:11:03,496
you are there to solve more complex

321
00:11:03,496 --> 00:11:06,999
business and people related problems.

322
00:11:06,999 --> 00:11:10,002
It's not a checklist, it's about trust.

323
00:11:10,002 --> 00:11:12,672
You carry the weight of potential failure

324
00:11:12,672 --> 00:11:15,424
every day and sometimes even blame.

325
00:11:15,424 --> 00:11:16,300
So you need to be

326
00:11:16,300 --> 00:11:18,552
a very mentally strong person

327
00:11:18,552 --> 00:11:20,429
to handle stress

328
00:11:20,429 --> 00:11:23,766
from not only the specific problem side,

329
00:11:23,766 --> 00:11:26,435
but also from many parties

330
00:11:26,435 --> 00:11:28,354
in that specific business.

331
00:11:28,354 --> 00:11:31,357
Okay, so if you had to name one issue,

332
00:11:31,357 --> 00:11:33,192
one concern

333
00:11:33,192 --> 00:11:34,485
that keeps you up at night

334
00:11:34,485 --> 00:11:35,111
in regards

335
00:11:35,111 --> 00:11:37,029
to your ability to provide security

336
00:11:37,029 --> 00:11:39,407
and respond to an incident,

337
00:11:39,407 --> 00:11:41,992
what would that one issue be?

338
00:11:41,992 --> 00:11:43,327
It's rarely talked about,

339
00:11:43,327 --> 00:11:45,204
but during an incident

340
00:11:45,204 --> 00:11:47,289
a big incident, it's

341
00:11:47,289 --> 00:11:48,708
what really keeps me up at night.

342
00:11:48,708 --> 00:11:50,000
It's the resources

343
00:11:50,000 --> 00:11:51,460
getting the right resources.

344
00:11:51,460 --> 00:11:53,003
Because when you have the team

345
00:11:53,003 --> 00:11:53,838
of incident

346
00:11:53,838 --> 00:11:55,631
responders and analysts, it's

347
00:11:55,631 --> 00:11:57,758
all about getting the right people

348
00:11:57,758 --> 00:11:58,467
onto the job

349
00:11:58,467 --> 00:11:59,719
and managing the time

350
00:11:59,719 --> 00:12:01,595
well and the assignments.

351
00:12:01,595 --> 00:12:02,596
Because if you don't

352
00:12:02,596 --> 00:12:04,348
manage your research bank

353
00:12:04,348 --> 00:12:06,892
and the things that you want to achieve

354
00:12:06,892 --> 00:12:08,978
in that incident response well,

355
00:12:08,978 --> 00:12:09,854
the incident response

356
00:12:09,854 --> 00:12:11,522
is not going to go well.

357
00:12:11,522 --> 00:12:12,898
So for me,

358
00:12:12,898 --> 00:12:14,525
when I manage an incident response,

359
00:12:14,525 --> 00:12:17,695
I really get nervous about the resourcing

360
00:12:17,695 --> 00:12:19,321
because it's everything.

361
00:12:19,321 --> 00:12:20,322
In an incident

362
00:12:20,322 --> 00:12:21,824
when you see an organization

363
00:12:21,824 --> 00:12:23,951
like CNA go dark,

364
00:12:23,951 --> 00:12:26,412
what would your first step have been

365
00:12:26,412 --> 00:12:28,414
if they were your client?

366
00:12:28,414 --> 00:12:29,206
A smart man

367
00:12:29,206 --> 00:12:30,249
once told me that

368
00:12:30,249 --> 00:12:32,251
when a big incident happens,

369
00:12:32,251 --> 00:12:33,210
the first thing you do

370
00:12:33,210 --> 00:12:35,421
is to grab a cold glass of water

371
00:12:35,421 --> 00:12:36,338
and just breathe.

372
00:12:37,465 --> 00:12:38,924
You have to be relaxed.

373
00:12:38,924 --> 00:12:40,551
You have to be very focused.

374
00:12:40,551 --> 00:12:42,553
And the first thing that you want to do

375
00:12:42,553 --> 00:12:43,846
is assess the impact,

376
00:12:43,846 --> 00:12:44,930
because that's ethical,

377
00:12:44,930 --> 00:12:46,015
because that

378
00:12:46,015 --> 00:12:47,266
sets your tone

379
00:12:47,266 --> 00:12:48,392
and what you're going to do

380
00:12:48,392 --> 00:12:50,311
first and next.

381
00:12:50,311 --> 00:12:53,105
You have to understand what happened,

382
00:12:53,105 --> 00:12:54,732
what is the potential impact

383
00:12:54,732 --> 00:12:56,484
to the business going to be?

384
00:12:56,484 --> 00:12:58,152
How much money is this,

385
00:12:58,152 --> 00:12:59,153
you know, environment

386
00:12:59,153 --> 00:13:00,488
being down which costs you?

387
00:13:00,488 --> 00:13:03,407
How much money does the data being leaked

388
00:13:03,407 --> 00:13:03,949
gonna cost you?

389
00:13:03,949 --> 00:13:05,951
Is it personal information?

390
00:13:05,951 --> 00:13:08,037
Is it PII? Is it health information?

391
00:13:08,037 --> 00:13:09,997
What is the regulatory

392
00:13:09,997 --> 00:13:10,998
impact of this,

393
00:13:10,998 --> 00:13:13,167
this whole things of items.

394
00:13:13,167 --> 00:13:14,376
And answers that you want to get...

395
00:13:14,376 --> 00:13:15,252
they set the tone

396
00:13:15,252 --> 00:13:16,504
for the entire incident.

397
00:13:16,504 --> 00:13:19,006
So before you even do any technical stuff

398
00:13:19,006 --> 00:13:20,716
on the client's environment,

399
00:13:20,716 --> 00:13:21,759
you have to answer some

400
00:13:21,759 --> 00:13:23,093
very core questions.

401
00:13:26,138 --> 00:13:27,765
Act 2

402
00:13:27,765 --> 00:13:30,768
Contact Lost.

403
00:13:31,477 --> 00:13:34,480
There is a moment just before impact

404
00:13:34,980 --> 00:13:37,983
when the world goes quiet.

405
00:13:38,025 --> 00:13:40,986
No alarms, no flashing lights, just

406
00:13:41,779 --> 00:13:43,656
stillness.

407
00:13:43,656 --> 00:13:45,491
That's how it began

408
00:13:45,491 --> 00:13:48,494
at CNA. Not with chaos,

409
00:13:48,494 --> 00:13:50,830
but with subtle disconnection,

410
00:13:50,830 --> 00:13:51,997
a delay in response,

411
00:13:51,997 --> 00:13:53,541
a paused cursor. A call

412
00:13:53,541 --> 00:13:55,751
that didn't go through.

413
00:13:55,751 --> 00:13:58,170
The systems were still on,

414
00:13:58,170 --> 00:14:01,173
but something beneath them wasn't.

415
00:14:01,966 --> 00:14:04,760
The malware was already inside,

416
00:14:04,760 --> 00:14:07,763
moving, watching, preparing.

417
00:14:08,389 --> 00:14:10,766
And then it began to spread.

418
00:14:10,766 --> 00:14:13,269
Not wildly, not with noise,

419
00:14:13,269 --> 00:14:15,229
but with intent.

420
00:14:15,229 --> 00:14:18,232
One endpoint, then another.

421
00:14:18,774 --> 00:14:20,442
Desktops across departments

422
00:14:20,442 --> 00:14:23,112
locking into silence, servers

423
00:14:23,112 --> 00:14:26,115
blinking off one by one

424
00:14:26,907 --> 00:14:29,910
like lights going out in a distant city.

425
00:14:30,911 --> 00:14:32,496
By the time it was recognized

426
00:14:32,496 --> 00:14:33,998
as ransomware,

427
00:14:33,998 --> 00:14:37,001
it had already become everything.

428
00:14:37,209 --> 00:14:38,878
Phoenix Locker,

429
00:14:38,878 --> 00:14:40,588
though the name came later,

430
00:14:40,588 --> 00:14:43,465
had claimed more than just devices.

431
00:14:43,465 --> 00:14:45,926
It had severed the company's spine,

432
00:14:45,926 --> 00:14:49,179
encrypted over 15,000 machines

433
00:14:49,847 --> 00:14:52,850
not just tools, but lifelines.

434
00:14:52,933 --> 00:14:56,228
Email gone. Phones dead. The network

435
00:14:56,228 --> 00:14:57,521
detached from itself

436
00:14:57,521 --> 00:15:00,399
like a body without a nervous system.

437
00:15:00,399 --> 00:15:03,736
What remained was analog. Footsteps

438
00:15:03,736 --> 00:15:04,278
in quiet

439
00:15:04,278 --> 00:15:05,529
hallways, flashlights

440
00:15:05,529 --> 00:15:06,780
sweeping across darkened

441
00:15:06,780 --> 00:15:08,866
desks, whiteboards,

442
00:15:08,866 --> 00:15:10,993
handwritten notes, radios,

443
00:15:10,993 --> 00:15:12,036
if you were lucky.

444
00:15:12,995 --> 00:15:13,996
The irony wasn't

445
00:15:13,996 --> 00:15:17,207
lost on anyone who understood the stakes.

446
00:15:17,791 --> 00:15:18,626
CNA didn't

447
00:15:18,626 --> 00:15:21,545
just insure companies against cyber risk,

448
00:15:21,545 --> 00:15:23,964
they insured against this.

449
00:15:23,964 --> 00:15:25,215
They were supposed to be

450
00:15:25,215 --> 00:15:26,300
the ones who understood

451
00:15:26,300 --> 00:15:29,303
how to prevent it, contain it, price it.

452
00:15:29,553 --> 00:15:32,556
Now they were living it in real time,

453
00:15:32,640 --> 00:15:33,849
in silence

454
00:15:33,849 --> 00:15:36,685
and worse, files had been taken.

455
00:15:36,685 --> 00:15:38,395
Policyholder data,

456
00:15:38,395 --> 00:15:41,857
personal records, risk profiles, names

457
00:15:41,857 --> 00:15:42,900
and numbers

458
00:15:42,900 --> 00:15:45,903
and blueprints for future attacks.

459
00:15:46,070 --> 00:15:48,238
The ransom note came quietly.

460
00:15:48,238 --> 00:15:50,950
No theatrics, no countdown,

461
00:15:50,950 --> 00:15:52,701
just a demand.

462
00:15:52,701 --> 00:15:56,413
$40 million. At the time,

463
00:15:56,705 --> 00:15:59,249
the largest known ransom ever paid

464
00:15:59,249 --> 00:16:01,919
and perhaps the most consequential.

465
00:16:01,919 --> 00:16:03,045
Because CNA didn't

466
00:16:03,045 --> 00:16:05,214
just hold sensitive data,

467
00:16:05,214 --> 00:16:06,757
they held the identities

468
00:16:06,757 --> 00:16:08,425
of other companies.

469
00:16:08,425 --> 00:16:11,428
Companies already afraid of breaches

470
00:16:11,845 --> 00:16:13,597
to the wrong adversary.

471
00:16:13,597 --> 00:16:15,432
That wasn't just a list,

472
00:16:15,432 --> 00:16:18,644
it was a target map outside the building.

473
00:16:18,644 --> 00:16:20,980
The world hadn't noticed yet.

474
00:16:20,980 --> 00:16:23,649
The headlines were all still quiet,

475
00:16:23,649 --> 00:16:26,276
but inside, CNA faced

476
00:16:26,276 --> 00:16:29,279
the most impossible question:

477
00:16:29,279 --> 00:16:32,157
what is the cost of silence?

478
00:16:38,247 --> 00:16:38,872
During

479
00:16:38,872 --> 00:16:41,875
a major ransomware event like CNA’s,

480
00:16:42,042 --> 00:16:43,585
what's the right way

481
00:16:43,585 --> 00:16:44,795
to handle communication

482
00:16:44,795 --> 00:16:46,005
between vendors,

483
00:16:46,005 --> 00:16:49,425
insurers, legal and execs?

484
00:16:50,467 --> 00:16:52,302
One word that I would describe

485
00:16:52,302 --> 00:16:53,595
is orchestration.

486
00:16:53,595 --> 00:16:55,806
It's about every single person

487
00:16:55,806 --> 00:16:57,224
needs to know their place,

488
00:16:57,224 --> 00:16:59,143
and they have their place

489
00:16:59,143 --> 00:17:00,936
to state their opinion.

490
00:17:00,936 --> 00:17:02,604
But at the end, it's

491
00:17:02,604 --> 00:17:04,565
going to be my recommendation of what

492
00:17:04,565 --> 00:17:05,733
the next move is,

493
00:17:05,733 --> 00:17:07,317
and it's going to be the CEO's

494
00:17:07,317 --> 00:17:08,444
final word.

495
00:17:08,444 --> 00:17:10,279
So it's all about orchestration,

496
00:17:10,279 --> 00:17:11,822
giving the person the place

497
00:17:11,822 --> 00:17:13,449
to say their piece,

498
00:17:13,449 --> 00:17:15,576
but it has to be in a respected way.

499
00:17:15,576 --> 00:17:18,579
It has to be in a well organized way,

500
00:17:18,579 --> 00:17:21,957
and it has to give that my way of giving,

501
00:17:21,957 --> 00:17:23,333
my recommendation.

502
00:17:23,333 --> 00:17:25,461
It's going to be the CEO’s final word

503
00:17:25,461 --> 00:17:26,879
and them accepting it.

504
00:17:26,879 --> 00:17:28,380
Have you run into any situations

505
00:17:28,380 --> 00:17:29,798
where you've given advice

506
00:17:29,798 --> 00:17:32,801
to the C-suite, to the CEO

507
00:17:32,801 --> 00:17:33,510
or someone else?

508
00:17:33,510 --> 00:17:35,179
And they said, you know, no,

509
00:17:35,179 --> 00:17:35,929
we can't do that

510
00:17:35,929 --> 00:17:38,348
because of a business situation

511
00:17:38,348 --> 00:17:39,516
that we can't share with you.

512
00:17:39,516 --> 00:17:40,851
But there are things that are going on.

513
00:17:40,851 --> 00:17:42,644
Maybe for whatever reason,

514
00:17:42,644 --> 00:17:44,021
they just didn't take your advice.

515
00:17:44,021 --> 00:17:45,939
Did you ever run into that?

516
00:17:45,939 --> 00:17:46,565
Of course.

517
00:17:46,565 --> 00:17:47,775
I mean, a lot of times

518
00:17:47,775 --> 00:17:49,318
when we come from the outside,

519
00:17:49,318 --> 00:17:52,154
we always don't have the perspective

520
00:17:52,154 --> 00:17:52,571
of an

521
00:17:52,571 --> 00:17:55,574
an employee or a C-level manager

522
00:17:55,741 --> 00:17:56,742
in that organization.

523
00:17:56,742 --> 00:17:59,203
We don't know every piece of information

524
00:17:59,203 --> 00:18:00,245
in that business.

525
00:18:00,245 --> 00:18:01,288
So when I come in,

526
00:18:01,288 --> 00:18:03,624
I give my unbiased opinion

527
00:18:03,624 --> 00:18:05,167
or recommendation.

528
00:18:05,167 --> 00:18:06,794
And sometimes, you know, it

529
00:18:06,794 --> 00:18:08,295
conflicts with other stuff,

530
00:18:08,295 --> 00:18:09,254
which I don't know about.

531
00:18:09,254 --> 00:18:10,881
When a CEO comes in and tells me,

532
00:18:10,881 --> 00:18:13,509
you know, we can’t do this, we can’t do that.

533
00:18:13,509 --> 00:18:15,177
Usually I would say, okay, look,

534
00:18:15,177 --> 00:18:16,720
you know, your business

535
00:18:16,720 --> 00:18:19,348
and I'm here to serve your business.

536
00:18:19,348 --> 00:18:20,849
And if you think this is wrong

537
00:18:20,849 --> 00:18:21,850
for your business,

538
00:18:21,850 --> 00:18:23,185
then I'm going with you.

539
00:18:23,185 --> 00:18:24,520
But for the record,

540
00:18:24,520 --> 00:18:25,354
and I always

541
00:18:25,354 --> 00:18:26,772
say for the record

542
00:18:26,772 --> 00:18:27,856
and we always make sure

543
00:18:27,856 --> 00:18:29,316
we document those things

544
00:18:29,316 --> 00:18:31,360
in a well-designed report

545
00:18:31,360 --> 00:18:34,154
that it was being recommended by us

546
00:18:34,154 --> 00:18:35,405
and the CEO chose

547
00:18:35,405 --> 00:18:37,157
not to go with that direction

548
00:18:37,157 --> 00:18:38,659
for whatever reason.

549
00:18:38,659 --> 00:18:38,951
You know,

550
00:18:38,951 --> 00:18:41,078
when you come in as a security person

551
00:18:41,078 --> 00:18:42,371
from the outside,

552
00:18:42,371 --> 00:18:44,623
you are the expertise on that.

553
00:18:44,623 --> 00:18:47,084
And you have your... you're entitled

554
00:18:47,084 --> 00:18:47,918
to say your opinion

555
00:18:47,918 --> 00:18:49,419
and your recommendation,

556
00:18:49,419 --> 00:18:51,839
and they are entitled to say no.

557
00:18:51,839 --> 00:18:54,133
But it always needs to be on record

558
00:18:54,133 --> 00:18:55,926
that you gave that information,

559
00:18:55,926 --> 00:18:58,720
because sometimes rare cases,

560
00:18:58,720 --> 00:18:59,471
They’re going to try

561
00:18:59,471 --> 00:19:01,098
to twist it against you sometimes

562
00:19:01,098 --> 00:19:01,807
because they're in

563
00:19:01,807 --> 00:19:03,433
a very stressful position.

564
00:19:03,433 --> 00:19:05,269
And if things go wrong,

565
00:19:05,269 --> 00:19:07,396
even after the incident,

566
00:19:07,396 --> 00:19:09,106
everyone wants to point a finger.

567
00:19:09,106 --> 00:19:12,401
CNA was somewhat unique in the fact

568
00:19:12,401 --> 00:19:13,235
that it's

569
00:19:13,235 --> 00:19:14,736
one of the largest insurance

570
00:19:14,736 --> 00:19:17,823
companies in the US, and what they insure

571
00:19:17,948 --> 00:19:19,241
are other companies

572
00:19:19,241 --> 00:19:21,326
against cyber attacks.

573
00:19:21,326 --> 00:19:24,163
So if the attacker gets inside,

574
00:19:24,163 --> 00:19:24,746
has access

575
00:19:24,746 --> 00:19:25,956
to all kinds of data,

576
00:19:25,956 --> 00:19:27,916
let's say a list of other companies

577
00:19:27,916 --> 00:19:29,835
that are paying for cyber insurance,

578
00:19:29,835 --> 00:19:31,128
that's their target list

579
00:19:31,128 --> 00:19:33,213
for who they're going to hit up next.

580
00:19:33,213 --> 00:19:34,256
Does that change

581
00:19:34,256 --> 00:19:35,465
how you would

582
00:19:35,465 --> 00:19:39,344
advise them, whether it's pay, don't pay,

583
00:19:39,553 --> 00:19:40,596
or is that even something

584
00:19:40,596 --> 00:19:42,055
that you would advise on,

585
00:19:42,055 --> 00:19:42,848
or are you just there

586
00:19:42,848 --> 00:19:44,516
to basically get their systems

587
00:19:44,516 --> 00:19:47,519
back online, retrieve their data, etc.?

588
00:19:47,644 --> 00:19:49,271
You know, it's about crisis management.

589
00:19:49,271 --> 00:19:50,522
And first of all,

590
00:19:50,522 --> 00:19:53,817
when you reach to a company like CNA,

591
00:19:54,067 --> 00:19:56,028
which they sell cyber insurance,

592
00:19:56,028 --> 00:19:57,905
you know, it's about reputation

593
00:19:57,905 --> 00:20:00,199
and if you, you know, ruin

594
00:20:00,199 --> 00:20:01,033
that reputation

595
00:20:01,033 --> 00:20:02,743
by getting hit by yourself

596
00:20:02,743 --> 00:20:03,619
in such a way

597
00:20:03,619 --> 00:20:05,829
and getting that ‘ransom ask’

598
00:20:05,829 --> 00:20:06,997
then it's a problem.

599
00:20:06,997 --> 00:20:08,373
First for your brand

600
00:20:08,373 --> 00:20:10,626
and second for the clients

601
00:20:10,626 --> 00:20:12,044
that are paying for you.

602
00:20:12,044 --> 00:20:14,046
And like I said before,

603
00:20:14,046 --> 00:20:14,713
you know, supply

604
00:20:14,713 --> 00:20:16,215
chain attacks are big these days

605
00:20:16,215 --> 00:20:17,257
because attackers

606
00:20:17,257 --> 00:20:20,719
not only target the end businesses,

607
00:20:20,719 --> 00:20:22,930
they target their suppliers

608
00:20:22,930 --> 00:20:24,723
so they can reach more.

609
00:20:24,723 --> 00:20:26,183
So that definitely changes

610
00:20:26,183 --> 00:20:27,434
the picture in regards

611
00:20:27,434 --> 00:20:28,435
to paying

612
00:20:28,435 --> 00:20:30,229
a ransom generally, you know,

613
00:20:30,229 --> 00:20:32,439
my position is usually not to advise

614
00:20:32,439 --> 00:20:33,732
if to pay or not to pay,

615
00:20:33,732 --> 00:20:34,608
because usually

616
00:20:34,608 --> 00:20:36,276
those companies have their own.

617
00:20:36,276 --> 00:20:39,196
You know, legal or financial advisors

618
00:20:39,196 --> 00:20:40,697
to guide them in that direction.

619
00:20:40,697 --> 00:20:42,741
But if they would ask me for my opinion

620
00:20:42,741 --> 00:20:45,744
it all adds up to the impact, you know

621
00:20:45,869 --> 00:20:47,537
what would be the financial

622
00:20:47,537 --> 00:20:48,163
and business

623
00:20:48,163 --> 00:20:49,456
impact of not paying

624
00:20:49,456 --> 00:20:50,290
of, let's say,

625
00:20:50,290 --> 00:20:51,166
the data

626
00:20:51,166 --> 00:20:54,378
being lost. Of that environment

627
00:20:54,378 --> 00:20:55,420
not being restored.

628
00:20:55,420 --> 00:20:57,005
If you don't have the right backups,

629
00:20:57,005 --> 00:20:57,965
if that

630
00:20:57,965 --> 00:20:59,633
business and financial impact

631
00:20:59,633 --> 00:21:02,844
exceeds that ransom payment,

632
00:21:03,178 --> 00:21:04,388
then I would probably

633
00:21:04,388 --> 00:21:05,806
suggest them to pay it.

634
00:21:05,806 --> 00:21:08,558
Although morally this is probably wrong.

635
00:21:08,558 --> 00:21:09,518
But you know,

636
00:21:09,518 --> 00:21:11,770
moral doesn't take you to the bank.

637
00:21:11,770 --> 00:21:13,563
And if you're looking at a business

638
00:21:13,563 --> 00:21:15,941
and the business goal is to maximize,

639
00:21:15,941 --> 00:21:16,858
you know, their,

640
00:21:16,858 --> 00:21:18,694
their financial capabilities,

641
00:21:18,694 --> 00:21:20,445
then probably paying

642
00:21:20,445 --> 00:21:21,363
is the right way to go.

643
00:21:21,363 --> 00:21:22,239
But again,

644
00:21:22,239 --> 00:21:23,073
it varies

645
00:21:23,073 --> 00:21:25,325
and it depends on a lot of variables.

646
00:21:27,286 --> 00:21:28,453
Act 3

647
00:21:28,453 --> 00:21:31,456
The Cost Of Control.

648
00:21:32,582 --> 00:21:35,419
There are breaches you respond to

649
00:21:35,419 --> 00:21:36,712
and then there are breaches

650
00:21:36,712 --> 00:21:38,380
you negotiate with.

651
00:21:38,380 --> 00:21:40,882
This was the second kind

652
00:21:40,882 --> 00:21:42,384
the attackers had said little.

653
00:21:42,384 --> 00:21:44,553
No manifesto, no countdown,

654
00:21:44,553 --> 00:21:46,805
just a lock on the systems

655
00:21:46,805 --> 00:21:50,475
and a number 999

656
00:21:50,475 --> 00:21:53,979
Bitcoin, roughly $55 million at the time.

657
00:21:54,396 --> 00:21:57,816
cold, calculated, and delivered in code.

658
00:21:58,358 --> 00:22:00,152
But CNA didn't pay.

659
00:22:00,152 --> 00:22:01,611
Not immediately.

660
00:22:01,611 --> 00:22:03,363
They engaged

661
00:22:03,363 --> 00:22:04,906
negotiators, third party

662
00:22:04,906 --> 00:22:07,242
and unbranded began the slow,

663
00:22:07,242 --> 00:22:09,328
tense ritual back

664
00:22:09,328 --> 00:22:10,871
channel messages, delayed

665
00:22:10,871 --> 00:22:13,874
replies, subtle signals, stalling,

666
00:22:13,874 --> 00:22:15,125
probing, testing

667
00:22:15,125 --> 00:22:17,294
the adversary's patience.

668
00:22:17,294 --> 00:22:18,920
But it didn't work.

669
00:22:18,920 --> 00:22:21,298
The demand increased

670
00:22:21,298 --> 00:22:24,343
1099 Bitcoin,

671
00:22:24,343 --> 00:22:27,971
now nearly $60 million.

672
00:22:28,305 --> 00:22:30,098
The price of recovery

673
00:22:30,098 --> 00:22:33,060
was going up by the day

674
00:22:33,060 --> 00:22:33,935
for two weeks.

675
00:22:33,935 --> 00:22:35,896
The back and forth continued

676
00:22:35,896 --> 00:22:38,982
not in war rooms but in encrypted chats,

677
00:22:39,274 --> 00:22:40,776
not with raised voices,

678
00:22:40,776 --> 00:22:43,779
but with slow typing ellipses.

679
00:22:43,904 --> 00:22:45,614
The attackers weren't amateurs.

680
00:22:45,614 --> 00:22:47,741
They didn't posture. They didn't panic.

681
00:22:47,741 --> 00:22:51,286
They knew who they had and what CNA

682
00:22:51,286 --> 00:22:52,954
stood to lose.

683
00:22:52,954 --> 00:22:53,997
Because this wasn't

684
00:22:53,997 --> 00:22:56,291
just a company brought to a halt,

685
00:22:56,291 --> 00:22:58,335
it was an insurer of cyber risk.

686
00:22:58,335 --> 00:23:00,545
It held the names, exposures

687
00:23:00,545 --> 00:23:02,214
and histories of companies

688
00:23:02,214 --> 00:23:05,217
who were already worried about ransomware

689
00:23:05,592 --> 00:23:07,636
policyholders, executives,

690
00:23:07,636 --> 00:23:09,930
industries marked vulnerable

691
00:23:09,930 --> 00:23:12,933
and now exposed.

692
00:23:12,933 --> 00:23:14,476
If that data was sold,

693
00:23:14,476 --> 00:23:16,603
it wouldn't just hurt CNA,

694
00:23:16,603 --> 00:23:18,730
it would prime the next victims.

695
00:23:18,730 --> 00:23:20,607
A roadmap of the insured.

696
00:23:20,607 --> 00:23:24,152
The pre-qualified. The likely to pay.

697
00:23:24,778 --> 00:23:28,740
That was the real leverage. Inside CNA

698
00:23:28,865 --> 00:23:30,826
The debate wasn't philosophical,

699
00:23:30,826 --> 00:23:32,452
It was operational.

700
00:23:32,452 --> 00:23:34,413
Every hour meant delayed

701
00:23:34,413 --> 00:23:36,206
claims, eroding trust,

702
00:23:36,206 --> 00:23:38,708
rising reputational cost

703
00:23:38,708 --> 00:23:40,419
systems remained encrypted.

704
00:23:40,419 --> 00:23:42,879
The business was functioning all

705
00:23:42,879 --> 00:23:46,341
but barely. Publicly, CNA said

706
00:23:46,341 --> 00:23:46,842
little.

707
00:23:46,842 --> 00:23:49,845
Privately, they ran every scenario

708
00:23:50,053 --> 00:23:53,056
legal compliance, regulatory exposure.

709
00:23:53,348 --> 00:23:54,516
Could they pay?

710
00:23:54,516 --> 00:23:56,059
Should they?

711
00:23:56,059 --> 00:23:57,394
They consulted the US

712
00:23:57,394 --> 00:23:59,104
Department of Treasury, specifically

713
00:23:59,104 --> 00:24:00,939
the Office of Foreign Assets

714
00:24:00,939 --> 00:24:03,400
Control, OFAC.

715
00:24:03,400 --> 00:24:04,693
The attackers were believed

716
00:24:04,693 --> 00:24:06,528
to be part of the Phoenix Group

717
00:24:06,528 --> 00:24:07,821
using a ransomware

718
00:24:07,821 --> 00:24:09,739
variant linked to Evil Corp.

719
00:24:09,739 --> 00:24:11,491
But unlike Evil Corp,

720
00:24:11,491 --> 00:24:13,743
Phoenix was not sanctioned.

721
00:24:13,743 --> 00:24:15,787
That cleared a legal path,

722
00:24:15,787 --> 00:24:18,039
but not a moral one.

723
00:24:18,039 --> 00:24:19,666
Still, with the backing

724
00:24:19,666 --> 00:24:21,042
of law enforcement

725
00:24:21,042 --> 00:24:22,794
and after vetting the threat actor

726
00:24:22,794 --> 00:24:23,628
through multiple

727
00:24:23,628 --> 00:24:27,591
channels, CNA authorized the transfer

728
00:24:27,883 --> 00:24:32,137
1000 Bitcoin, roughly $40 million,

729
00:24:32,471 --> 00:24:33,972
a negotiated reduction

730
00:24:33,972 --> 00:24:35,432
but still one of the largest

731
00:24:35,432 --> 00:24:38,435
known ransomware payments in history.

732
00:24:38,768 --> 00:24:40,437
The payment was made anonymously.

733
00:24:40,437 --> 00:24:41,146
As always.

734
00:24:41,146 --> 00:24:43,356
No receipts, no paper trail,

735
00:24:43,356 --> 00:24:43,982
just a

736
00:24:43,982 --> 00:24:47,277
cold transaction on a blockchain ledger.

737
00:24:47,736 --> 00:24:50,739
Value moved, and with it.

738
00:24:51,114 --> 00:24:53,783
The promise of a decryption key.

739
00:24:53,783 --> 00:24:55,452
The key arrived. Files

740
00:24:55,452 --> 00:24:57,329
began to unlock, servers

741
00:24:57,329 --> 00:24:59,206
blinked back to life

742
00:24:59,206 --> 00:25:02,209
and CNA’s systems stirred.

743
00:25:02,501 --> 00:25:04,002
But they did not celebrate

744
00:25:04,002 --> 00:25:06,588
because the recovery was not instant

745
00:25:06,588 --> 00:25:08,798
and it was not clean.

746
00:25:08,798 --> 00:25:10,592
Some files were corrupted,

747
00:25:10,592 --> 00:25:12,344
some had been copied,

748
00:25:12,344 --> 00:25:14,721
and no one yet knew

749
00:25:14,721 --> 00:25:16,598
what had been left behind.

750
00:25:16,598 --> 00:25:17,891
The business resumed,

751
00:25:17,891 --> 00:25:20,894
but not where it had left off.

752
00:25:20,894 --> 00:25:23,438
Something had changed.

753
00:25:23,438 --> 00:25:24,189
The breach wasn't

754
00:25:24,189 --> 00:25:25,690
just a technical failure,

755
00:25:25,690 --> 00:25:28,360
it was a reputational rupture.

756
00:25:28,360 --> 00:25:29,861
Word leaked of the payment.

757
00:25:29,861 --> 00:25:32,864
Reporters circled, forums buzzed.

758
00:25:33,406 --> 00:25:35,867
CNA wouldn't confirm the number.

759
00:25:35,867 --> 00:25:36,785
They didn't need to.

760
00:25:36,785 --> 00:25:38,495
Everyone already knew.

761
00:25:38,495 --> 00:25:39,829
And in cyber security

762
00:25:39,829 --> 00:25:42,832
circles, the questions began to echo.

763
00:25:43,041 --> 00:25:45,502
Had CNA done the right thing,

764
00:25:45,502 --> 00:25:48,630
or had they set a price for recovery

765
00:25:48,630 --> 00:25:51,466
that others would be forced to match

766
00:25:51,466 --> 00:25:52,467
for the attackers?

767
00:25:52,467 --> 00:25:54,427
The payout was validation

768
00:25:54,427 --> 00:25:55,428
for the industry.

769
00:25:55,428 --> 00:25:58,431
It was a line drawn in dark water

770
00:25:58,598 --> 00:26:00,183
and for CNA

771
00:26:00,183 --> 00:26:03,186
it was the beginning of the next phase.

772
00:26:03,478 --> 00:26:05,272
The breach was no longer

773
00:26:05,272 --> 00:26:07,357
about what had been lost.

774
00:26:07,357 --> 00:26:10,360
It was about what was still out there

775
00:26:10,527 --> 00:26:13,071
and who might be coming next.

776
00:26:18,159 --> 00:26:18,910
Yeah, it's

777
00:26:18,910 --> 00:26:20,662
a really interesting question

778
00:26:20,662 --> 00:26:21,955
because you're right,

779
00:26:21,955 --> 00:26:24,457
paying ransom is certainly

780
00:26:24,457 --> 00:26:25,667
not the moral thing to do,

781
00:26:25,667 --> 00:26:28,003
and it invites more attacks.

782
00:26:28,003 --> 00:26:29,170
But at the same time,

783
00:26:29,170 --> 00:26:32,048
if you have this corporate responsibility

784
00:26:32,048 --> 00:26:33,216
where you, let's say,

785
00:26:33,216 --> 00:26:34,801
have a thousand customers

786
00:26:34,801 --> 00:26:36,595
who've paid you for cyber

787
00:26:36,595 --> 00:26:38,221
attack insurance,

788
00:26:38,221 --> 00:26:40,473
and the attacker is threatening

789
00:26:40,473 --> 00:26:42,225
to make that list public

790
00:26:42,225 --> 00:26:43,393
so that other attackers

791
00:26:43,393 --> 00:26:45,854
start lining up to attack those

792
00:26:45,854 --> 00:26:46,730
your customers,

793
00:26:46,730 --> 00:26:48,023
because now they know they're insured

794
00:26:48,023 --> 00:26:50,108
and they're more likely to pay up,

795
00:26:50,108 --> 00:26:51,860
even if it hurts you morally

796
00:26:51,860 --> 00:26:54,863
to pay up the 40 million in this case,

797
00:26:54,863 --> 00:26:55,530
then you do it

798
00:26:55,530 --> 00:26:57,157
because in some ways,

799
00:26:57,157 --> 00:26:58,241
it's the right thing to do

800
00:26:58,241 --> 00:27:00,035
because you're protecting your...

801
00:27:00,035 --> 00:27:01,036
you think you're protecting...

802
00:27:01,036 --> 00:27:01,494
You believe you're

803
00:27:01,494 --> 00:27:03,163
protecting your customers. Yeah.

804
00:27:03,163 --> 00:27:04,956
If not, you have responsibility.

805
00:27:04,956 --> 00:27:05,874
You have a responsibility

806
00:27:05,874 --> 00:27:06,916
not only to yourself

807
00:27:06,916 --> 00:27:08,835
but to other companies as well.

808
00:27:08,835 --> 00:27:10,670
So I know we touched on this briefly,

809
00:27:10,670 --> 00:27:12,464
but is there anything you want to add in

810
00:27:12,464 --> 00:27:14,924
regards to the concept and wisdom

811
00:27:14,924 --> 00:27:16,426
of paying ransom demands,

812
00:27:16,426 --> 00:27:18,178
like the $40 million

813
00:27:18,178 --> 00:27:21,181
that CNA was forced to fork over?

814
00:27:21,681 --> 00:27:22,599
Yeah.

815
00:27:22,599 --> 00:27:23,350
So, you know,

816
00:27:23,350 --> 00:27:23,892
like I said,

817
00:27:23,892 --> 00:27:25,560
it's very easy to say

818
00:27:25,560 --> 00:27:27,103
never pay from a distance.

819
00:27:27,103 --> 00:27:29,147
But, you know, when your systems are down

820
00:27:29,147 --> 00:27:30,982
and backups are gone

821
00:27:30,982 --> 00:27:32,817
and millions are bleeding

822
00:27:32,817 --> 00:27:34,361
out of the business daily,

823
00:27:34,361 --> 00:27:36,237
I mean, it's survival.

824
00:27:36,237 --> 00:27:38,657
Basically, no one wants to fund crime.

825
00:27:38,657 --> 00:27:39,824
But sometimes you're

826
00:27:39,824 --> 00:27:41,785
buying your time to live and your

827
00:27:41,785 --> 00:27:43,620
your business has to do it

828
00:27:43,620 --> 00:27:44,788
if it wants to survive.

829
00:27:44,788 --> 00:27:47,290
It's not about your reputation anymore.

830
00:27:47,290 --> 00:27:48,583
It's not about your clients.

831
00:27:48,583 --> 00:27:50,085
Even anymore. It's about survival.

832
00:27:50,085 --> 00:27:52,170
So, it varies

833
00:27:52,170 --> 00:27:54,089
and it depends on a lot of variables.

834
00:27:54,089 --> 00:27:54,881
But, you know,

835
00:27:54,881 --> 00:27:56,091
sometimes you've got to do it.

836
00:27:56,091 --> 00:27:57,592
You have no choice.

837
00:27:57,592 --> 00:27:59,552
Do you think most of your clients

838
00:27:59,552 --> 00:28:00,553
could survive

839
00:28:00,553 --> 00:28:03,640
ten days completely offline, like CNA?

840
00:28:03,765 --> 00:28:05,141
That's a very good question

841
00:28:05,141 --> 00:28:06,184
because it differs

842
00:28:06,184 --> 00:28:08,228
between one client and another.

843
00:28:08,228 --> 00:28:11,189
I had an incident a few months back

844
00:28:11,189 --> 00:28:14,192
that an attacker leaked a lot of the data

845
00:28:14,442 --> 00:28:15,944
out of that organization,

846
00:28:15,944 --> 00:28:17,946
and we had to shut down the environment

847
00:28:17,946 --> 00:28:19,656
for like two days.

848
00:28:19,656 --> 00:28:21,908
And after a few hours,

849
00:28:21,908 --> 00:28:24,035
clients already threatened to leave.

850
00:28:24,035 --> 00:28:25,286
And it was about

851
00:28:25,286 --> 00:28:27,205
not even about the cyber attack anymore.

852
00:28:27,205 --> 00:28:28,081
It's about restoring

853
00:28:28,081 --> 00:28:30,166
that trust and reputation.

854
00:28:30,166 --> 00:28:31,126
On the contrary,

855
00:28:31,126 --> 00:28:32,752
I had another incident

856
00:28:32,752 --> 00:28:34,003
where the client told me,

857
00:28:34,003 --> 00:28:36,339
look, the incident already only happened

858
00:28:36,339 --> 00:28:37,924
in the development environment

859
00:28:37,924 --> 00:28:40,552
and the attacker seems to not

860
00:28:40,552 --> 00:28:43,680
be able to get out of it - and it’s contained to this environment

861
00:28:43,680 --> 00:28:44,681
I don't mind

862
00:28:44,681 --> 00:28:46,141
shutting down the dev environment

863
00:28:46,141 --> 00:28:47,392
for as long as it needs

864
00:28:47,392 --> 00:28:49,394
to find a root cause for this incident.

865
00:28:49,394 --> 00:28:50,145
So I can shut it down

866
00:28:50,145 --> 00:28:52,355
and it has no business impact on me.

867
00:28:52,355 --> 00:28:54,232
So it really varies.

868
00:28:54,232 --> 00:28:55,525
But, you know, as

869
00:28:55,525 --> 00:28:57,610
as I saw in a lot of businesses,

870
00:28:57,610 --> 00:28:59,612
you know, ten hours, could even back them.

871
00:28:59,612 --> 00:29:00,405
So, you know,

872
00:29:00,405 --> 00:29:02,615
ten days could be very, very crucial.

873
00:29:02,615 --> 00:29:02,991
Yeah.

874
00:29:02,991 --> 00:29:04,451
That makes that makes perfect sense.

875
00:29:04,451 --> 00:29:05,076
Different companies

876
00:29:05,076 --> 00:29:05,827
are going to react differently.

877
00:29:05,827 --> 00:29:07,829
If all your business is online,

878
00:29:07,829 --> 00:29:08,413
it's going to make

879
00:29:08,413 --> 00:29:10,707
a big difference versus whether you

880
00:29:10,707 --> 00:29:11,499
you have a website

881
00:29:11,499 --> 00:29:12,459
up and a couple things

882
00:29:12,459 --> 00:29:13,209
and yeah okay, it's

883
00:29:13,209 --> 00:29:15,879
an inconvenience. Okay, great.

884
00:29:15,879 --> 00:29:19,841
So what tools or tactics are underrated

885
00:29:19,841 --> 00:29:21,718
in defending against an attack

886
00:29:21,718 --> 00:29:24,304
like CNA. Visibility -

887
00:29:24,304 --> 00:29:25,263
I think for me

888
00:29:25,263 --> 00:29:26,473
visibility is everything

889
00:29:26,473 --> 00:29:28,057
because you cannot protect

890
00:29:28,057 --> 00:29:29,267
what you can't see.

891
00:29:29,267 --> 00:29:31,269
You cannot respond to what you can’t see.

892
00:29:31,269 --> 00:29:32,771
If I’m not able

893
00:29:32,771 --> 00:29:35,982
to see, and be able to alert

894
00:29:35,982 --> 00:29:36,816
on, you know, a

895
00:29:36,816 --> 00:29:39,402
suspicious activity or malicious activity

896
00:29:39,402 --> 00:29:41,321
then I cannot defend against it.

897
00:29:41,321 --> 00:29:42,405
And second thing,

898
00:29:42,405 --> 00:29:43,782
which I really think is important

899
00:29:43,782 --> 00:29:45,950
is about the segmentation.

900
00:29:45,950 --> 00:29:48,161
If you have the right segmentation

901
00:29:48,161 --> 00:29:50,121
between environments and

902
00:29:50,121 --> 00:29:51,748
and be able to say

903
00:29:51,748 --> 00:29:54,000
that your most [precious] crown jewels

904
00:29:54,000 --> 00:29:57,003
are being protected by that segmentation,

905
00:29:57,253 --> 00:29:58,630
then I am well

906
00:29:58,630 --> 00:30:00,590
rest assured that if you do get hit

907
00:30:00,590 --> 00:30:01,716
in one of your external-

908
00:30:01,716 --> 00:30:02,967
facing environments,

909
00:30:02,967 --> 00:30:04,469
the attacker won't be able

910
00:30:04,469 --> 00:30:05,678
to move laterally

911
00:30:05,678 --> 00:30:07,972
into those more important production

912
00:30:07,972 --> 00:30:09,349
-like environments.

913
00:30:09,349 --> 00:30:11,768
So segmentation is very important.

914
00:30:11,768 --> 00:30:12,560
But again,

915
00:30:12,560 --> 00:30:14,145
cybersecurity is all about

916
00:30:14,145 --> 00:30:15,563
defense in layers.

917
00:30:15,563 --> 00:30:16,815
You're building those layers

918
00:30:16,815 --> 00:30:18,274
to slow down the attackers.

919
00:30:18,274 --> 00:30:21,069
There's never that 100% protection.

920
00:30:21,069 --> 00:30:23,071
You always try to make it harder

921
00:30:23,071 --> 00:30:23,780
for the attackers.

922
00:30:23,780 --> 00:30:25,907
So you don't only need

923
00:30:25,907 --> 00:30:27,492
that segmentation of visibility.

924
00:30:27,492 --> 00:30:29,494
It has to be combined with,

925
00:30:29,494 --> 00:30:29,911
you know, that

926
00:30:29,911 --> 00:30:32,038
EDR. That identity control.

927
00:30:32,038 --> 00:30:34,123
Those DNS layer protections.

928
00:30:34,123 --> 00:30:37,001
The basics still win those battles.

929
00:30:37,001 --> 00:30:38,086
It's not about the zero

930
00:30:38,086 --> 00:30:39,170
days anymore.

931
00:30:39,170 --> 00:30:39,629
They are

932
00:30:39,629 --> 00:30:42,340
only they focus usually on the simple

933
00:30:42,340 --> 00:30:43,383
simple weaknesses

934
00:30:44,801 --> 00:30:47,804
Act 4 | Surface Tension.

935
00:30:48,263 --> 00:30:50,974
The lights came back on slowly,

936
00:30:50,974 --> 00:30:52,475
system by system, file

937
00:30:52,475 --> 00:30:54,936
by file and function by function.

938
00:30:54,936 --> 00:30:57,105
After weeks of darkness,

939
00:30:57,105 --> 00:31:00,275
CNA's infrastructure began to hum again.

940
00:31:00,567 --> 00:31:01,568
Work resumed,

941
00:31:01,568 --> 00:31:04,571
claims were processed and phones rang.

942
00:31:04,696 --> 00:31:07,699
But something fundamental had shifted.

943
00:31:08,032 --> 00:31:09,993
Internally, there was relief.

944
00:31:09,993 --> 00:31:12,620
Externally, there were questions.

945
00:31:12,620 --> 00:31:15,415
The breach, once invisible to the outside

946
00:31:15,415 --> 00:31:18,418
world, was now impossible to ignore.

947
00:31:18,585 --> 00:31:20,295
Headlines began to surface

948
00:31:20,295 --> 00:31:22,297
not just about the attack,

949
00:31:22,297 --> 00:31:24,048
but about the price.

950
00:31:24,048 --> 00:31:29,596
$40 million - 1000 Bitcoin. Paid in full.

951
00:31:29,971 --> 00:31:32,307
Reported but not confirmed.

952
00:31:32,307 --> 00:31:34,893
Echoed but not denied.

953
00:31:34,893 --> 00:31:35,518
The amount

954
00:31:35,518 --> 00:31:37,145
set a new watermark, one

955
00:31:37,145 --> 00:31:39,480
that towered above the others.

956
00:31:39,480 --> 00:31:40,857
Colonial Pipeline weeks

957
00:31:40,857 --> 00:31:42,358
later would pay $4.4

958
00:31:42,358 --> 00:31:46,237
million. JBS foods $11 million.

959
00:31:46,613 --> 00:31:50,241
CNA's payment was several times that,

960
00:31:50,575 --> 00:31:51,367
and the target

961
00:31:51,367 --> 00:31:53,828
wasn't infrastructure or food,

962
00:31:53,828 --> 00:31:55,204
it was trust.

963
00:31:55,204 --> 00:31:56,915
The industry took notice

964
00:31:56,915 --> 00:31:58,875
and so did regulators.

965
00:31:58,875 --> 00:32:00,877
There were no sanctions violations, 

966
00:32:00,877 --> 00:32:02,921
CNA had verified that

967
00:32:02,921 --> 00:32:04,255
they worked in tandem

968
00:32:04,255 --> 00:32:05,882
with federal law enforcement,

969
00:32:05,882 --> 00:32:07,216
followed OFAC

970
00:32:07,216 --> 00:32:08,843
guidance, made sure the attackers

971
00:32:08,843 --> 00:32:11,304
were not on the Treasury's blacklist.

972
00:32:11,304 --> 00:32:13,932
Legally, the path was clear, but

973
00:32:13,932 --> 00:32:16,976
ethically the terrain was unstable.

974
00:32:17,143 --> 00:32:19,687
Security professionals debated it openly.

975
00:32:19,687 --> 00:32:22,065
Had CNA prevented wider damage

976
00:32:22,065 --> 00:32:23,858
or funded a playbook

977
00:32:23,858 --> 00:32:25,777
for future attackers?

978
00:32:25,777 --> 00:32:28,780
Was this containment or encouragement?

979
00:32:29,572 --> 00:32:30,907
Inside the company,

980
00:32:30,907 --> 00:32:33,826
CNA began the hard work of rebuilding

981
00:32:33,826 --> 00:32:36,496
not just systems, but credibility.

982
00:32:36,496 --> 00:32:37,455
A full forensic

983
00:32:37,455 --> 00:32:38,873
investigation was launched,

984
00:32:38,873 --> 00:32:41,167
and they confirmed that the attackers

985
00:32:41,167 --> 00:32:42,210
had gained access

986
00:32:42,210 --> 00:32:44,379
to sensitive personal information.

987
00:32:44,379 --> 00:32:49,592
75,349 individuals were affected,

988
00:32:50,009 --> 00:32:52,595
mostly employees, past and present,

989
00:32:52,595 --> 00:32:54,222
and their dependents.

990
00:32:54,222 --> 00:32:55,723
The company offered credit

991
00:32:55,723 --> 00:32:57,850
monitoring, issued notifications

992
00:32:57,850 --> 00:32:59,686
and published statements,

993
00:32:59,686 --> 00:33:02,647
but they chose their words carefully.

994
00:33:03,064 --> 00:33:04,565
The message was always framed

995
00:33:04,565 --> 00:33:05,858
around restoration,

996
00:33:05,858 --> 00:33:09,320
control and compliance and not fear.

997
00:33:09,654 --> 00:33:10,405
What CNA

998
00:33:10,405 --> 00:33:11,614
didn't say publicly,

999
00:33:11,614 --> 00:33:12,699
couldn't say,

1000
00:33:12,699 --> 00:33:15,368
was what else might have been taken.

1001
00:33:15,368 --> 00:33:16,035
The value

1002
00:33:16,035 --> 00:33:18,788
wasn't in the files themselves,

1003
00:33:18,788 --> 00:33:20,164
it was in the patterns.

1004
00:33:20,164 --> 00:33:21,416
Insurers know

1005
00:33:21,416 --> 00:33:22,875
more than they say

1006
00:33:22,875 --> 00:33:25,753
about risk, exposure, liability.

1007
00:33:25,753 --> 00:33:28,214
That's what makes them valuable

1008
00:33:28,214 --> 00:33:30,800
and what makes them vulnerable.

1009
00:33:30,800 --> 00:33:31,426
In the months

1010
00:33:31,426 --> 00:33:32,176
that followed,

1011
00:33:32,176 --> 00:33:35,680
CNA initiated sweeping changes. Security

1012
00:33:35,680 --> 00:33:37,515
modernization, cloud migration,

1013
00:33:37,515 --> 00:33:39,934
new controls and new vendors.

1014
00:33:39,934 --> 00:33:41,894
Externally, they began advocating

1015
00:33:41,894 --> 00:33:43,312
for ransomware awareness.

1016
00:33:43,312 --> 00:33:44,939
Speaking on resilience,

1017
00:33:44,939 --> 00:33:45,982
positioning themselves

1018
00:33:45,982 --> 00:33:47,525
as a cautionary tale

1019
00:33:47,525 --> 00:33:50,111
but not a cautionary brand.

1020
00:33:50,111 --> 00:33:51,863
It was a careful return

1021
00:33:51,863 --> 00:33:54,407
to visibility. Controlled, measured

1022
00:33:54,407 --> 00:33:56,284
and very corporate.

1023
00:33:56,284 --> 00:33:57,785
But beneath the surface,

1024
00:33:57,785 --> 00:33:59,954
other conversations had started.

1025
00:33:59,954 --> 00:34:01,039
Insurance firms

1026
00:34:01,039 --> 00:34:03,624
reconsidered their underwriting models,

1027
00:34:03,624 --> 00:34:06,377
premiums rose, policies narrowed, and

1028
00:34:06,377 --> 00:34:07,920
some insurers quietly

1029
00:34:07,920 --> 00:34:09,589
began refusing

1030
00:34:09,589 --> 00:34:11,924
to cover ransomware payments altogether.

1031
00:34:11,924 --> 00:34:14,802
The market was changing, and CNA's breach

1032
00:34:14,802 --> 00:34:17,138
was part of the reason why.

1033
00:34:17,138 --> 00:34:19,182
Because this wasn't just another attack.

1034
00:34:19,182 --> 00:34:21,434
It was a glimpse into a high value,

1035
00:34:21,434 --> 00:34:24,187
low resilience target class.

1036
00:34:24,187 --> 00:34:27,190
The insurers of risk themselves.

1037
00:34:27,356 --> 00:34:30,359
No one in the industry missed the irony,

1038
00:34:30,610 --> 00:34:32,111
and no one was ready to say

1039
00:34:32,111 --> 00:34:33,571
it couldn't happen again

1040
00:34:33,571 --> 00:34:35,281
because the truth is, CNA

1041
00:34:35,281 --> 00:34:37,366
did many things right.

1042
00:34:37,366 --> 00:34:38,493
They followed guidance,

1043
00:34:38,493 --> 00:34:39,702
they contained the spread.

1044
00:34:39,702 --> 00:34:41,370
They worked with law enforcement,

1045
00:34:41,370 --> 00:34:43,206
they communicated with regulators,

1046
00:34:43,206 --> 00:34:45,374
and they took care of their people.

1047
00:34:45,374 --> 00:34:47,376
But even doing everything right

1048
00:34:47,376 --> 00:34:49,921
wasn't enough to stop the breach,

1049
00:34:49,921 --> 00:34:51,506
or to avoid the payment,

1050
00:34:51,506 --> 00:34:54,675
or to fully explain what had been lost.

1051
00:34:54,926 --> 00:34:57,762
Because not all damage is visible.

1052
00:34:57,762 --> 00:34:58,471
Not all

1053
00:34:58,471 --> 00:35:02,350
compromises leave logs, and not all truths

1054
00:35:02,558 --> 00:35:03,226
survive

1055
00:35:03,226 --> 00:35:04,393
press review.

1056
00:35:04,393 --> 00:35:06,104
CNA returned to business,

1057
00:35:06,104 --> 00:35:08,940
but the industry had changed around them

1058
00:35:08,940 --> 00:35:10,066
more cautious,

1059
00:35:10,066 --> 00:35:11,400
more expensive

1060
00:35:11,400 --> 00:35:14,195
and in some corners more afraid.

1061
00:35:14,195 --> 00:35:16,781
The ransomware economy had evolved,

1062
00:35:16,781 --> 00:35:18,699
and this breach helped prove

1063
00:35:18,699 --> 00:35:20,576
just how valuable

1064
00:35:20,576 --> 00:35:22,870
the right kind of victim could be.

1065
00:35:25,665 --> 00:35:27,375
When something does blow up

1066
00:35:27,375 --> 00:35:28,960
and maybe you've already been there

1067
00:35:28,960 --> 00:35:29,961
for a while,

1068
00:35:29,961 --> 00:35:30,795
or maybe you're called

1069
00:35:30,795 --> 00:35:32,630
in because it's blown up,

1070
00:35:32,630 --> 00:35:33,464
what would you say

1071
00:35:33,464 --> 00:35:35,424
would be the first conversation

1072
00:35:35,424 --> 00:35:37,552
you have with the CEO?

1073
00:35:37,552 --> 00:35:39,011
That's a very good question.

1074
00:35:39,011 --> 00:35:39,971
And as I mentioned

1075
00:35:39,971 --> 00:35:40,805
before, it's

1076
00:35:40,805 --> 00:35:43,015
all about building that trust.

1077
00:35:43,015 --> 00:35:44,475
He needs to trust me.

1078
00:35:44,475 --> 00:35:46,394
A lot of times you come from the outside.

1079
00:35:46,394 --> 00:35:47,728
The CEO doesn't know you.

1080
00:35:47,728 --> 00:35:49,522
Maybe he knows the company you work for,

1081
00:35:49,522 --> 00:35:50,940
but he doesn't know you personally.

1082
00:35:50,940 --> 00:35:51,732
And you come in

1083
00:35:51,732 --> 00:35:52,900
and you see him

1084
00:35:52,900 --> 00:35:54,610
usually at his most vulnerable

1085
00:35:54,610 --> 00:35:55,987
state. He’s broken.

1086
00:35:55,987 --> 00:35:59,073
They try to keep this business alive and

1087
00:35:59,115 --> 00:36:00,533
it's all about keeping him

1088
00:36:00,533 --> 00:36:02,326
calm and trusting you

1089
00:36:02,326 --> 00:36:03,661
that you are here for them.

1090
00:36:03,661 --> 00:36:04,245
It's saying,

1091
00:36:04,245 --> 00:36:04,537
you know,

1092
00:36:04,537 --> 00:36:06,205
we are going to lead you through this.

1093
00:36:06,205 --> 00:36:07,540
We are not reacting.

1094
00:36:07,540 --> 00:36:09,125
We're going to find out what happened,

1095
00:36:09,125 --> 00:36:10,418
or at least try to.

1096
00:36:10,418 --> 00:36:12,253
But it has to be together.

1097
00:36:12,253 --> 00:36:14,338
No blame, just clarity.

1098
00:36:14,338 --> 00:36:16,841
Because, you know, if he panics,

1099
00:36:16,841 --> 00:36:19,010
then everything falls. Interesting.

1100
00:36:19,010 --> 00:36:20,136
You said try to.

1101
00:36:20,136 --> 00:36:21,095
Would you say it

1102
00:36:21,095 --> 00:36:22,597
from a sort of a forensic

1103
00:36:22,597 --> 00:36:23,639
analyst point of view?

1104
00:36:23,639 --> 00:36:24,724
What percentage of the time

1105
00:36:24,724 --> 00:36:26,350
are you just able to not solve

1106
00:36:26,350 --> 00:36:26,851
the mystery

1107
00:36:26,851 --> 00:36:28,060
of how they breached, how

1108
00:36:28,060 --> 00:36:29,979
they got in, when they got in,

1109
00:36:29,979 --> 00:36:31,564
is that most of the time,

1110
00:36:31,564 --> 00:36:32,899
or is that a tiny percentage of the time

1111
00:36:32,899 --> 00:36:34,817
that most CISOs just can't figure it out?

1112
00:36:34,817 --> 00:36:35,443
You just can't.

1113
00:36:35,443 --> 00:36:37,028
You can't find that hole

1114
00:36:37,028 --> 00:36:38,487
that they crawled in through.

1115
00:36:38,487 --> 00:36:41,115
I would say it's much more than you

1116
00:36:41,115 --> 00:36:41,741
would think.

1117
00:36:41,741 --> 00:36:42,200
I mean,

1118
00:36:42,200 --> 00:36:43,826
if everything was,

1119
00:36:43,826 --> 00:36:45,203
you know, being documented

1120
00:36:45,203 --> 00:36:46,871
and being configured

1121
00:36:46,871 --> 00:36:48,581
to have the right visibility

1122
00:36:48,581 --> 00:36:50,875
and the sufficient visibility,

1123
00:36:50,875 --> 00:36:52,251
then every incident

1124
00:36:52,251 --> 00:36:54,378
would have been solved very quickly.

1125
00:36:54,378 --> 00:36:56,172
But usually it's not the case.

1126
00:36:56,172 --> 00:36:57,173
Nothing is perfect.

1127
00:36:57,173 --> 00:37:00,218
And sometimes you just crawl your way in

1128
00:37:00,218 --> 00:37:02,053
and you investigate

1129
00:37:02,053 --> 00:37:04,013
for days and weeks and,

1130
00:37:04,013 --> 00:37:05,306
you know, eventually the,

1131
00:37:05,306 --> 00:37:05,806
the company

1132
00:37:05,806 --> 00:37:07,058
says, look,

1133
00:37:07,058 --> 00:37:08,643
it's not that important to us

1134
00:37:08,643 --> 00:37:09,644
at this point.

1135
00:37:09,644 --> 00:37:11,437
We restored the services.

1136
00:37:11,437 --> 00:37:13,189
We kept the business going.

1137
00:37:13,189 --> 00:37:15,191
The impact was minimum.

1138
00:37:15,191 --> 00:37:16,442
We contained the incident.

1139
00:37:16,442 --> 00:37:18,486
We don't really care to know

1140
00:37:18,486 --> 00:37:20,196
exactly how he got in.

1141
00:37:20,196 --> 00:37:22,114
But, you know, sometimes

1142
00:37:22,114 --> 00:37:23,532
companies tell us, look,

1143
00:37:23,532 --> 00:37:24,617
take as much time

1144
00:37:24,617 --> 00:37:26,285
as you need to find that,

1145
00:37:26,285 --> 00:37:27,495
find that root cause.

1146
00:37:27,495 --> 00:37:28,496
And unfortunately,

1147
00:37:28,496 --> 00:37:29,914
sometimes you just can't because

1148
00:37:29,914 --> 00:37:31,874
you don't have sufficient information.

1149
00:37:31,874 --> 00:37:34,418
And, you know, that's why I say

1150
00:37:34,418 --> 00:37:36,879
make sure everything is visible.

1151
00:37:36,879 --> 00:37:39,131
Make sure you log everything.

1152
00:37:39,131 --> 00:37:41,592
Everything you can log, log.

1153
00:37:41,592 --> 00:37:44,178
Because if some things blow up

1154
00:37:44,178 --> 00:37:45,930
and you need to find

1155
00:37:45,930 --> 00:37:46,806
why it happened

1156
00:37:46,806 --> 00:37:48,391
if you don't have sufficient logs,

1157
00:37:48,391 --> 00:37:49,767
you're just blind

1158
00:37:49,767 --> 00:37:52,770
and you wouldn't be able to find it ever.

1159
00:37:52,812 --> 00:37:56,816
If CNA had been your client pre incident,

1160
00:37:57,191 --> 00:37:59,735
what would you have pushed them to fix

1161
00:37:59,735 --> 00:38:01,487
or prepare for?

1162
00:38:01,487 --> 00:38:04,240
I think one of the first items -

1163
00:38:04,240 --> 00:38:07,201
the front lines, identity and access.

1164
00:38:07,201 --> 00:38:09,245
I mean you don't need ransomware

1165
00:38:09,245 --> 00:38:11,414
if you have a domain admin.

1166
00:38:11,414 --> 00:38:13,624
You need to have MFA everywhere

1167
00:38:13,624 --> 00:38:16,377
because MFA is your one wildcard.

1168
00:38:16,377 --> 00:38:17,920
An attacker can get your password,

1169
00:38:17,920 --> 00:38:19,463
they can get username,

1170
00:38:19,463 --> 00:38:21,340
but it's much, much harder

1171
00:38:21,340 --> 00:38:22,550
getting your MFA.

1172
00:38:22,550 --> 00:38:23,801
And basically you have to have

1173
00:38:23,801 --> 00:38:25,428
that anomaly detection.

1174
00:38:25,428 --> 00:38:27,430
You have to have the capable people to

1175
00:38:27,430 --> 00:38:29,682
even if they did get a hold of MFA,

1176
00:38:29,682 --> 00:38:31,684
you have to have the person that is able

1177
00:38:31,684 --> 00:38:33,269
to tell you that something's weird.

1178
00:38:33,269 --> 00:38:33,978
And afterward,

1179
00:38:33,978 --> 00:38:35,730
as we saw in the CNA incident,

1180
00:38:35,730 --> 00:38:36,856
they probably weren't

1181
00:38:36,856 --> 00:38:38,024
segmented right enough

1182
00:38:38,024 --> 00:38:39,358
because they got exposed

1183
00:38:39,358 --> 00:38:41,652
and everything got encrypted eventually.

1184
00:38:41,652 --> 00:38:43,154
And you have to be able to segment

1185
00:38:43,154 --> 00:38:44,697
so your attacker wouldn't

1186
00:38:44,697 --> 00:38:46,240
be able to move laterally.

1187
00:38:46,240 --> 00:38:47,533
Is there a multi-factor

1188
00:38:47,533 --> 00:38:48,409
authentication tool

1189
00:38:48,409 --> 00:38:49,493
that you live by

1190
00:38:49,493 --> 00:38:50,077
that you would say

1191
00:38:50,077 --> 00:38:51,454
you're not going to pry

1192
00:38:51,454 --> 00:38:52,788
that from my cold, dead hands.

1193
00:38:52,788 --> 00:38:54,081
I trust this tool.

1194
00:38:54,081 --> 00:38:54,790
It's awesome.

1195
00:38:54,790 --> 00:38:56,709
It's the best. It's never failed me.

1196
00:38:56,709 --> 00:38:58,169
Or are they pretty much all the same?

1197
00:38:58,169 --> 00:38:59,587
Pretty much. I'd say all the same.

1198
00:38:59,587 --> 00:39:01,172
There's not a specific favorite.

1199
00:39:01,172 --> 00:39:02,590
The big ones like Microsoft

1200
00:39:02,590 --> 00:39:04,467
and Google and Okta,

1201
00:39:04,467 --> 00:39:06,052
they usually do the job.

1202
00:39:06,052 --> 00:39:06,761
But you know,

1203
00:39:06,761 --> 00:39:08,346
you usually need to be able to say

1204
00:39:08,346 --> 00:39:08,637
if you

1205
00:39:08,637 --> 00:39:09,680
even if you don't use

1206
00:39:09,680 --> 00:39:10,723
those authenticators

1207
00:39:10,723 --> 00:39:13,351
and you're able to only send emails

1208
00:39:13,351 --> 00:39:14,852
or SMS messages,

1209
00:39:14,852 --> 00:39:16,020
everything is something

1210
00:39:16,020 --> 00:39:17,188
you need to start somewhere,

1211
00:39:17,188 --> 00:39:17,855
and you need to be able

1212
00:39:17,855 --> 00:39:18,939
to add that layer.

1213
00:39:18,939 --> 00:39:20,816
As I said, it's all about the layers.

1214
00:39:20,816 --> 00:39:21,901
It's all about making

1215
00:39:21,901 --> 00:39:24,195
the attacker work hard for their money.

1216
00:39:24,195 --> 00:39:25,196
I guess it's

1217
00:39:25,196 --> 00:39:28,240
similar to that sort of old story

1218
00:39:28,240 --> 00:39:28,866
where you don't

1219
00:39:28,866 --> 00:39:31,035
have to be fast enough to outrun

1220
00:39:31,035 --> 00:39:31,869
the bear,

1221
00:39:31,869 --> 00:39:32,995
you just have to be faster

1222
00:39:32,995 --> 00:39:34,538
than the guy next to you

1223
00:39:34,538 --> 00:39:36,165
so that the bear eats him.

1224
00:39:36,165 --> 00:39:37,458
So if you're making it,

1225
00:39:37,458 --> 00:39:39,168
if you're making it so hard

1226
00:39:39,168 --> 00:39:40,669
that the attackers like you know

1227
00:39:40,669 --> 00:39:41,212
it's not worth it,

1228
00:39:41,212 --> 00:39:42,046
we'll just go somewhere where

1229
00:39:42,046 --> 00:39:43,547
it's easier to breach.

1230
00:39:45,007 --> 00:39:46,342
Yeah, that's something

1231
00:39:46,342 --> 00:39:48,135
that we tell clients a lot

1232
00:39:48,135 --> 00:39:52,181
that you don't need to be 100% protected.

1233
00:39:52,181 --> 00:39:54,433
You just have to make it hard enough

1234
00:39:54,433 --> 00:39:55,393
for the attacker saying,

1235
00:39:55,393 --> 00:39:57,186
yeah, it's not worth my time.

1236
00:39:57,186 --> 00:39:59,355
And that's something that we do

1237
00:39:59,355 --> 00:40:01,107
see sometimes when clients look,

1238
00:40:01,107 --> 00:40:02,858
we saw that something trying to

1239
00:40:02,858 --> 00:40:03,692
attack us,

1240
00:40:03,692 --> 00:40:05,194
but it didn't really go further

1241
00:40:05,194 --> 00:40:06,445
because we had the right

1242
00:40:06,445 --> 00:40:08,030
protection mechanisms.

1243
00:40:08,030 --> 00:40:10,157
So if you do it in a way

1244
00:40:10,157 --> 00:40:11,200
where you make it hard

1245
00:40:11,200 --> 00:40:12,785
enough for the attacker, then

1246
00:40:12,785 --> 00:40:14,161
it should be good enough.

1247
00:40:14,161 --> 00:40:16,747
Nothing is 100%.

1248
00:40:16,747 --> 00:40:19,750
Act 5 | The Insured

1249
00:40:20,334 --> 00:40:21,335
Cyber insurance

1250
00:40:21,335 --> 00:40:23,170
used to be the safety net,

1251
00:40:23,170 --> 00:40:25,005
the final layer,

1252
00:40:25,005 --> 00:40:26,715
the thing you hoped you'd never need

1253
00:40:26,715 --> 00:40:28,801
but were glad to have.

1254
00:40:28,801 --> 00:40:30,469
It was built on logic:

1255
00:40:30,469 --> 00:40:32,304
models, probability curves,

1256
00:40:32,304 --> 00:40:33,889
loss projections,

1257
00:40:33,889 --> 00:40:35,391
premiums priced

1258
00:40:35,391 --> 00:40:37,977
like seatbelts in a luxury car.

1259
00:40:37,977 --> 00:40:40,896
But CNA's breach cracked that illusion

1260
00:40:40,896 --> 00:40:42,231
because when the company writing

1261
00:40:42,231 --> 00:40:43,065
the policies

1262
00:40:43,065 --> 00:40:45,359
becomes the victim of the policy,

1263
00:40:45,359 --> 00:40:46,569
you're forced to ask

1264
00:40:46,569 --> 00:40:49,196
where does the risk really live?

1265
00:40:49,196 --> 00:40:51,115
For years, ransomware attacks

1266
00:40:51,115 --> 00:40:54,869
followed a script: 1. Attack, 2. Lock, 3. Demand,

1267
00:40:54,869 --> 00:40:56,370
and then 4. Vanish.

1268
00:40:56,370 --> 00:40:58,873
But this one changed the conversation

1269
00:40:58,873 --> 00:41:00,583
not because of how it started,

1270
00:41:00,583 --> 00:41:02,668
but because of what it cost,

1271
00:41:02,668 --> 00:41:03,335
CNA didn't

1272
00:41:03,335 --> 00:41:04,962
just pay a ransom,

1273
00:41:04,962 --> 00:41:08,716
they reset expectations.

1274
00:41:08,716 --> 00:41:11,719
40 million dollars - confirmed or not,

1275
00:41:11,719 --> 00:41:14,430
the number took on a weight of its own.

1276
00:41:14,430 --> 00:41:16,182
It was repeated in boardrooms

1277
00:41:16,182 --> 00:41:17,475
and underwriting meetings

1278
00:41:17,475 --> 00:41:18,392
and whispered

1279
00:41:18,392 --> 00:41:22,062
conversations between CISOs and CFOs,

1280
00:41:22,521 --> 00:41:24,857
and it signaled something dangerous

1281
00:41:24,857 --> 00:41:26,984
to both sides of the equation.

1282
00:41:26,984 --> 00:41:27,902
To attackers,

1283
00:41:27,902 --> 00:41:28,694
it said:

1284
00:41:28,694 --> 00:41:30,613
insurance companies are lucrative,

1285
00:41:30,613 --> 00:41:32,865
they're central, and when breached,

1286
00:41:32,865 --> 00:41:36,785
they have motive to pay fast. To insurers,

1287
00:41:36,785 --> 00:41:37,411
it said

1288
00:41:37,411 --> 00:41:38,954
we may have underestimated

1289
00:41:38,954 --> 00:41:40,623
our own exposure.

1290
00:41:40,623 --> 00:41:43,209
It wasn't just a CNA problem,

1291
00:41:43,209 --> 00:41:45,669
it was a blueprint for how quickly

1292
00:41:45,669 --> 00:41:47,546
the tables could turn.

1293
00:41:47,546 --> 00:41:48,130
In the months

1294
00:41:48,130 --> 00:41:48,881
that followed,

1295
00:41:48,881 --> 00:41:50,799
insurers across the globe

1296
00:41:50,799 --> 00:41:52,510
revised their stances.

1297
00:41:52,510 --> 00:41:53,928
Some added ransomware

1298
00:41:53,928 --> 00:41:54,970
sublimits, others

1299
00:41:54,970 --> 00:41:56,472
introduced clauses

1300
00:41:56,472 --> 00:41:58,891
excluding ransom coverage altogether.

1301
00:41:58,891 --> 00:42:00,518
Premiums climbed,

1302
00:42:00,518 --> 00:42:02,603
not because risk had changed,

1303
00:42:02,603 --> 00:42:05,648
but because now they'd seen it up close.

1304
00:42:05,940 --> 00:42:07,149
Cyber insurance

1305
00:42:07,149 --> 00:42:09,610
was never meant to eliminate loss.

1306
00:42:09,610 --> 00:42:11,195
It was meant to transfer it,

1307
00:42:11,195 --> 00:42:12,613
to redistribute it.

1308
00:42:12,613 --> 00:42:13,572
But CNA’s

1309
00:42:13,572 --> 00:42:14,323
breach

1310
00:42:14,323 --> 00:42:17,326
revealed something difficult to admit.

1311
00:42:17,368 --> 00:42:19,161
You can't insure against a system

1312
00:42:19,161 --> 00:42:20,538
you're part of.

1313
00:42:20,538 --> 00:42:22,164
If the companies pricing the risk

1314
00:42:22,164 --> 00:42:24,542
are also feeding the targets,

1315
00:42:24,542 --> 00:42:25,417
then the model isn't

1316
00:42:25,417 --> 00:42:26,669
just flawed,

1317
00:42:26,669 --> 00:42:29,380
it's compromised. And somewhere...

1318
00:42:29,380 --> 00:42:30,506
quietly,

1319
00:42:30,506 --> 00:42:33,926
defenders began asking harder questions:

1320
00:42:34,301 --> 00:42:37,304
“Are we enabling ransomware by covering it?”

1321
00:42:37,388 --> 00:42:40,266
“Are payouts fueling the criminal economy?”

1322
00:42:40,266 --> 00:42:41,392
“Should we outlaw

1323
00:42:41,392 --> 00:42:43,769
ransom payments altogether?”

1324
00:42:43,769 --> 00:42:46,188
There were no simple answers.

1325
00:42:46,188 --> 00:42:49,650
OFAC had already made its position clear:

1326
00:42:50,067 --> 00:42:53,070
paying sanctioned entities was illegal,

1327
00:42:53,195 --> 00:42:54,738
but Phoenix, in CNA's

1328
00:42:54,738 --> 00:42:56,824
case, was not sanctioned.

1329
00:42:56,824 --> 00:42:58,325
So the payment was legal.

1330
00:42:58,325 --> 00:43:01,328
Ethically fraught, yes, but compliant.

1331
00:43:01,453 --> 00:43:03,038
So what does it mean

1332
00:43:03,038 --> 00:43:05,332
when a payment can be legal,

1333
00:43:05,332 --> 00:43:08,836
effective, and still feel like defeat?

1334
00:43:09,128 --> 00:43:12,089
This is the paradox of modern cyber

1335
00:43:12,089 --> 00:43:13,048
defense.

1336
00:43:13,048 --> 00:43:15,884
You can build well, you can detect early.

1337
00:43:15,884 --> 00:43:18,846
You can comply with every regulation

1338
00:43:18,846 --> 00:43:20,514
and still find yourself

1339
00:43:20,514 --> 00:43:22,808
with no good options.

1340
00:43:22,808 --> 00:43:25,436
CNA did what many would have done,

1341
00:43:25,436 --> 00:43:27,187
what many will do.

1342
00:43:27,187 --> 00:43:29,023
They contained the damage,

1343
00:43:29,023 --> 00:43:30,524
protected their clients,

1344
00:43:30,524 --> 00:43:33,902
restored operations and followed the law.

1345
00:43:34,028 --> 00:43:35,738
But the moment they pressed

1346
00:43:35,738 --> 00:43:38,490
send on that Bitcoin transaction,

1347
00:43:38,490 --> 00:43:41,076
they stopped being just a victim

1348
00:43:41,076 --> 00:43:44,038
and they became a signal. To attackers,

1349
00:43:44,038 --> 00:43:46,415
it was a green light. To peers,

1350
00:43:46,415 --> 00:43:48,000
it was a warning.

1351
00:43:48,000 --> 00:43:51,128
And to regulators, a case study.

1352
00:43:51,128 --> 00:43:53,047
And maybe that's the cost

1353
00:43:53,047 --> 00:43:54,673
no one calculates

1354
00:43:54,673 --> 00:43:56,425
in the insurance tables.

1355
00:43:56,425 --> 00:43:57,509
Not just the ransom,

1356
00:43:57,509 --> 00:43:59,553
not just the downtime,

1357
00:43:59,553 --> 00:44:00,304
but the moment

1358
00:44:00,304 --> 00:44:03,057
a breach becomes a precedent.

1359
00:44:03,057 --> 00:44:06,143
CNA moved on, filed their disclosures,

1360
00:44:06,143 --> 00:44:07,603
closed the case.

1361
00:44:07,603 --> 00:44:09,563
But for the rest of the industry,

1362
00:44:09,563 --> 00:44:12,524
the breach never fully ended.

1363
00:44:12,524 --> 00:44:14,234
It left behind a question

1364
00:44:14,234 --> 00:44:16,987
still echoing in the background.

1365
00:44:16,987 --> 00:44:18,697
If the one who insures

1366
00:44:18,697 --> 00:44:20,741
against the worst case scenario

1367
00:44:20,741 --> 00:44:23,327
can't stop it, who can?

1368
00:44:27,706 --> 00:44:28,624
How do

1369
00:44:28,624 --> 00:44:30,125
incidents like CNA's

1370
00:44:30,125 --> 00:44:33,879
change the way CISOs today build trust

1371
00:44:33,879 --> 00:44:36,882
with their boards or with their clients?

1372
00:44:37,216 --> 00:44:38,258
It's a good question.

1373
00:44:38,258 --> 00:44:39,927
The trust with the boards

1374
00:44:39,927 --> 00:44:43,597
- they don't care about the excuses.

1375
00:44:43,597 --> 00:44:46,100
They don't care about the blame.

1376
00:44:46,100 --> 00:44:47,434
They want to see receipts.

1377
00:44:47,434 --> 00:44:48,811
They want to see your readiness.

1378
00:44:48,811 --> 00:44:51,397
They want to see how you learned

1379
00:44:51,397 --> 00:44:52,314
from the mistakes.

1380
00:44:52,314 --> 00:44:53,023
They want to see

1381
00:44:53,023 --> 00:44:54,149
what you're going to do next

1382
00:44:54,149 --> 00:44:55,359
and how you’re going to make sure

1383
00:44:55,359 --> 00:44:56,944
this doesn't happen again.

1384
00:44:56,944 --> 00:44:59,571
So when building that trust again

1385
00:44:59,571 --> 00:45:00,447
with the boards,

1386
00:45:00,447 --> 00:45:02,116
you have to be able to show them

1387
00:45:02,116 --> 00:45:03,367
that you are doing

1388
00:45:03,367 --> 00:45:04,618
everything in your power

1389
00:45:04,618 --> 00:45:06,453
to make sure this doesn't happen,

1390
00:45:06,453 --> 00:45:07,663
whether it's playbooks,

1391
00:45:07,663 --> 00:45:09,581
whether it's policies,

1392
00:45:09,581 --> 00:45:10,958
whether it's

1393
00:45:10,958 --> 00:45:13,585
you know, buying more security vendors

1394
00:45:13,585 --> 00:45:14,920
and paying even more about,

1395
00:45:14,920 --> 00:45:17,005
you know, for cyber insurance,

1396
00:45:17,005 --> 00:45:18,340
you have to show them

1397
00:45:18,340 --> 00:45:20,050
what you're doing in order to,

1398
00:45:20,050 --> 00:45:21,176
to be prepared.

1399
00:45:21,176 --> 00:45:24,179
What should every CISO be doing right now

1400
00:45:24,179 --> 00:45:27,182
to avoid being the next CNA?

1401
00:45:27,307 --> 00:45:28,100
Two things.

1402
00:45:28,100 --> 00:45:29,351
Like I said, with the board,

1403
00:45:29,351 --> 00:45:31,770
you have to be able to run the playbook.

1404
00:45:31,770 --> 00:45:33,355
It's not about tabletop.

1405
00:45:33,355 --> 00:45:35,858
Tabletop is nice to do once in a while,

1406
00:45:35,858 --> 00:45:38,235
but you have to run the full simulation.

1407
00:45:38,235 --> 00:45:39,820
You have to test everything, run

1408
00:45:39,820 --> 00:45:40,362
the drills,

1409
00:45:40,362 --> 00:45:42,781
test backups. Kill your own services

1410
00:45:42,781 --> 00:45:43,949
and see who panics.

1411
00:45:43,949 --> 00:45:45,492
Make sure that someone besides

1412
00:45:45,492 --> 00:45:46,285
the CISO knows

1413
00:45:46,285 --> 00:45:48,704
how to initiate the IR, and also it's...

1414
00:45:48,704 --> 00:45:50,414
you need to be able to have someone

1415
00:45:50,414 --> 00:45:52,249
to try to hack you from the outside.

1416
00:45:52,249 --> 00:45:54,293
Whether it's red teaming exercises

1417
00:45:54,293 --> 00:45:56,003
or penetration tests.

1418
00:45:56,003 --> 00:45:57,296
You need to do that as well

1419
00:45:57,296 --> 00:45:58,505
because you know

1420
00:45:58,505 --> 00:45:59,965
where your weaknesses are.

1421
00:45:59,965 --> 00:46:00,632
But the attack.

1422
00:46:00,632 --> 00:46:01,884
But potential attackers

1423
00:46:01,884 --> 00:46:02,926
can know about weaknesses

1424
00:46:02,926 --> 00:46:04,178
that you don't know about.

1425
00:46:04,178 --> 00:46:05,929
And if you bring someone from the outside

1426
00:46:05,929 --> 00:46:08,265
who is unbiased, in a white hat,

1427
00:46:08,265 --> 00:46:09,933
gray hat type of service,

1428
00:46:09,933 --> 00:46:11,518
then it can potentially

1429
00:46:11,518 --> 00:46:13,020
get you a much clearer picture.

1430
00:46:13,020 --> 00:46:14,021
And we

1431
00:46:14,021 --> 00:46:16,064
actually do that at OP Innovate as well.

1432
00:46:16,064 --> 00:46:16,899
We come to clients,

1433
00:46:16,899 --> 00:46:19,151
we expose those, you know, unbiased

1434
00:46:19,151 --> 00:46:20,527
vulnerabilities from the outside

1435
00:46:20,527 --> 00:46:20,903
and tell them,

1436
00:46:20,903 --> 00:46:22,404
you know, we found a lot of stuff

1437
00:46:22,404 --> 00:46:23,405
that you didn't know about.

1438
00:46:23,405 --> 00:46:25,032
And that way they come in

1439
00:46:25,032 --> 00:46:26,867
and it usually changes

1440
00:46:26,867 --> 00:46:28,619
the whole picture in their organization.

1441
00:46:28,619 --> 00:46:30,496
Interesting. Okay.

1442
00:46:30,496 --> 00:46:33,207
You see a lot of different types of teams

1443
00:46:33,207 --> 00:46:34,374
across different verticals

1444
00:46:34,374 --> 00:46:35,626
in different sectors.

1445
00:46:35,626 --> 00:46:37,419
What's one mistake

1446
00:46:37,419 --> 00:46:39,129
you still see too often

1447
00:46:39,129 --> 00:46:40,214
coming up again and again?

1448
00:46:42,257 --> 00:46:43,091
One mistake.

1449
00:46:43,091 --> 00:46:44,301
As I previously said,

1450
00:46:44,301 --> 00:46:45,260
it's the visibility.

1451
00:46:45,260 --> 00:46:46,261
People just don't

1452
00:46:46,261 --> 00:46:48,138
turn on that configuration

1453
00:46:48,138 --> 00:46:49,473
when you're asked

1454
00:46:49,473 --> 00:46:50,849
to log

1455
00:46:50,849 --> 00:46:51,642
the information

1456
00:46:51,642 --> 00:46:53,143
whether it's the EDR,

1457
00:46:53,143 --> 00:46:56,146
or it’s the firewall, the VPN, even if it's local

1458
00:46:56,355 --> 00:46:58,148
logs like on the server itself

1459
00:46:58,148 --> 00:46:59,358
or the endpoints,

1460
00:46:59,358 --> 00:47:00,901
because afterwards when you come in

1461
00:47:00,901 --> 00:47:02,027
and you investigate the instance,

1462
00:47:02,027 --> 00:47:03,570
you just don't see anything.

1463
00:47:03,570 --> 00:47:05,948
Another thing is our shared credentials.

1464
00:47:05,948 --> 00:47:06,740
A lot of the people

1465
00:47:06,740 --> 00:47:08,158
still share the credentials.

1466
00:47:08,158 --> 00:47:09,493
They send it in Slack,

1467
00:47:09,493 --> 00:47:11,078
they send it in Teams,

1468
00:47:11,078 --> 00:47:12,204
they put it in Google

1469
00:47:12,204 --> 00:47:14,289
Docs on the cloud, and even more,

1470
00:47:14,289 --> 00:47:15,457
they don't have the MFA.

1471
00:47:15,457 --> 00:47:17,835
So sometimes the attacker gets it so easy

1472
00:47:17,835 --> 00:47:19,419
and he just grabs that password

1473
00:47:19,419 --> 00:47:20,462
and just does what he wants.

1474
00:47:20,462 --> 00:47:21,338
And you're not even able

1475
00:47:21,338 --> 00:47:22,422
to see that anomaly

1476
00:47:22,422 --> 00:47:24,424
because it's legitimate activity.

1477
00:47:24,424 --> 00:47:25,509
You know, people

1478
00:47:25,509 --> 00:47:26,844
a lot of the time are obsessed

1479
00:47:26,844 --> 00:47:28,554
over the zero days because it's cool.

1480
00:47:28,554 --> 00:47:29,555
It's sexy.

1481
00:47:29,555 --> 00:47:30,681
But it's

1482
00:47:30,681 --> 00:47:32,349
what I see from the past few years.

1483
00:47:32,349 --> 00:47:33,350
It's always the door.

1484
00:47:33,350 --> 00:47:34,726
Someone forgot to lock it.

1485
00:47:34,726 --> 00:47:35,644
That simple,

1486
00:47:35,644 --> 00:47:36,937
you know, mechanism

1487
00:47:36,937 --> 00:47:38,981
that it's so obvious that people

1488
00:47:38,981 --> 00:47:40,899
sometimes forget to turn it on.

1489
00:47:40,899 --> 00:47:41,525
Matan

1490
00:47:41,525 --> 00:47:43,402
thank you for those words of wisdom.

1491
00:47:43,402 --> 00:47:44,570
It was great having you on the show.

1492
00:47:44,570 --> 00:47:46,321
Looking forward to having you back again.

1493
00:47:46,321 --> 00:47:48,156
And now onto our closing.

1494
00:47:50,826 --> 00:47:52,661
Every breach leaves a mark,

1495
00:47:52,661 --> 00:47:54,371
not always in the systems,

1496
00:47:54,371 --> 00:47:56,039
sometimes in the story,

1497
00:47:56,039 --> 00:47:58,959
and sometimes in the mirror.

1498
00:47:58,959 --> 00:48:01,795
CNA wasn't the first company to get hit.

1499
00:48:01,795 --> 00:48:03,755
They weren't the first to pay,

1500
00:48:03,755 --> 00:48:04,965
but they were one of the first

1501
00:48:04,965 --> 00:48:05,382
to show

1502
00:48:05,382 --> 00:48:06,592
what it looks like

1503
00:48:06,592 --> 00:48:09,261
when the people who price the risk

1504
00:48:09,261 --> 00:48:11,054
become the risk.

1505
00:48:11,054 --> 00:48:14,349
For years, insurers spoke with certainty.

1506
00:48:14,683 --> 00:48:16,143
They modeled loss events,

1507
00:48:16,143 --> 00:48:17,352
calculated premiums

1508
00:48:17,352 --> 00:48:19,271
and forecasted frequency.

1509
00:48:19,271 --> 00:48:22,065
But cybersecurity isn't weather.

1510
00:48:22,065 --> 00:48:24,109
It doesn't move in seasons.

1511
00:48:24,109 --> 00:48:27,112
It shifts, it adapts, and it learns

1512
00:48:27,654 --> 00:48:30,240
and this breach made that clear.

1513
00:48:30,240 --> 00:48:30,866
The attackers

1514
00:48:30,866 --> 00:48:32,284
didn't need to break the rules.

1515
00:48:32,284 --> 00:48:33,493
They just needed to study

1516
00:48:33,493 --> 00:48:35,412
the ones that everyone else

1517
00:48:35,412 --> 00:48:37,164
was already playing by.

1518
00:48:37,164 --> 00:48:38,916
CNA paid the ransom.

1519
00:48:38,916 --> 00:48:41,251
They followed the law and they recovered.

1520
00:48:41,251 --> 00:48:42,669
But the breach was never

1521
00:48:42,669 --> 00:48:44,129
just about one company.

1522
00:48:44,129 --> 00:48:46,673
It was a signpost for the industry.

1523
00:48:46,673 --> 00:48:47,925
A moment

1524
00:48:47,925 --> 00:48:50,636
where the guardians of risk discovered

1525
00:48:50,636 --> 00:48:53,555
just how vulnerable they really were.

1526
00:48:53,555 --> 00:48:54,222
And now

1527
00:48:54,222 --> 00:48:55,599
everyone's policy

1528
00:48:55,599 --> 00:48:58,602
feels a little more fragile.

1529
00:48:58,769 --> 00:49:01,563
This is the world we live in now, where

1530
00:49:01,563 --> 00:49:03,857
safety is a negotiation,

1531
00:49:03,857 --> 00:49:06,276
where trust is provisional,

1532
00:49:06,276 --> 00:49:07,110
and where the people

1533
00:49:07,110 --> 00:49:08,904
who promise protection

1534
00:49:08,904 --> 00:49:10,989
sometimes need it most.

1535
00:49:10,989 --> 00:49:12,699
Today, security experts

1536
00:49:12,699 --> 00:49:16,536
must always be prepared, always vigilant,

1537
00:49:16,995 --> 00:49:19,998
and always listening for The CISO Signal...

1538
00:49:26,505 --> 00:49:28,340
All episodes are based on publicly

1539
00:49:28,340 --> 00:49:30,008
available reports, post-mortems

1540
00:49:30,008 --> 00:49:32,135
and expert analysis.

1541
00:49:32,135 --> 00:49:33,095
While we've done our best

1542
00:49:33,095 --> 00:49:34,262
to ensure accuracy,

1543
00:49:34,262 --> 00:49:36,014
some cybersecurity incidents

1544
00:49:36,014 --> 00:49:37,057
evolve over time

1545
00:49:37,057 --> 00:49:39,810
and not all details have been confirmed.

1546
00:49:39,810 --> 00:49:43,021
Our goal is to inform and entertain,

1547
00:49:43,355 --> 00:49:45,273
not to assign blame.

1548
00:49:45,273 --> 00:49:46,566
Where facts are unclear,

1549
00:49:46,566 --> 00:49:48,527
we've used cautionary language

1550
00:49:48,527 --> 00:49:51,113
and we always welcome your corrections.

1551
00:49:51,113 --> 00:49:53,240
Thanks for listening to The CISO Signal.