Disruptionware: The 21st Century Weapon - Ep. 116
Jason G. Weiss is a retired FBI Supervisory Special Agent, digital laboratory director, and is counsel in the Los Angeles office of the law firm Faegre Drinker, Biddle and Reath's cybersecurity and incident response group. He has been doing cybersecurity his entire career. He pioneered a cybersecurity collaboration model 20 years ago still in use today. He shares his top cyber defense tips.
Episode Table of Contents
- [00:54] A Special Agent for the FBI Goes Deep on Disruptionware
- [08:18] Disruptionware Is the New Cybercrime
- [14:56] Top Four Victims of Disruptionware Attacks
- [21:21] The Main Way the Disruptionware Is Getting In
- [28:02] From a Business Continuity Standpoint
- [35:34] Social Awareness Training to Prevent Cyber Attacks
- About Our Guest
A Special Agent for the FBI Goes Deep on Disruptionware
Carolyn: I would like to ask a favor to our listeners. Please share episodes that you like of To The Point with your friends. Leave us a review on your podcast platform too.
Carolyn: We are joined today by retired FBI Supervisory Special Agent and Digital Laboratory Director, Jason G. Weiss. He’s a counsel in the Los Angeles office of the law firm, Faegre Drinker Biddle & Reath. He is also cybersecurity and incident response.
Jason: Good morning, Carolyn and Eric. Thank you so much for the opportunity to join you today.
Carolyn: I'd like to kick it off with telling us about what you did as a special agent for the FBI.
Jason: I spent 22 years in the FBI in San Diego in the Los Angeles office. It’s where I basically specialized in computer forensics and cybersecurity. I’ve spent my first year as I stayed out on the streets handling bank robberies, bank fraud, and violent crime. I had a reasonably decent background in computers. When I came into the FBI, they moved me over to the Cyber Crime Squad in San Diego.
Jason: That’s where I got involved in what's called computer forensics. I’ve spent the next 21 years and two months basically working in terms of helping agents handle cybersecurity cases. I did forensics on probably close to a thousand cases in my 22 years in the FBI.
Jason: I was promoted as supervisor of the computer forensics in Cyber Squad where I helped build two FBI. They are called Regional Computer Forensics Laboratories. I’ve started the San Diego and the Los Angeles labs and the Los Angeles labs in Orange County.
Threat and Other Types of Cyber Maladies
Jason: I was the laboratory director of the Orange County Regional Computer Forensics Lab for seven years. I also helped build a cyber task force called the Neighborhood Watch. We brought public and private entities together to share information on threats and other types of cyber maladies. Basically, we worked together to defeat cybercrime.
Carolyn: Is Neighborhood Watch that same program that is still around?
Jason: Yes, it is. It was pioneered and started in the Los Angeles field office. But it's spreading to other offices around the FBI. It's a pretty fantastic partnership between the FBI and private sector entities. What we do is we take these different entities and we put them in what are called neighborhoods.
Jason: For example, we have the ports of Los Angeles and Long Beach who although they're business competitors. When it comes to computer security, we're all on the same side. We share information, the FBI shares, they share. And we use that as a way to keep out and prevent cyber-attacks against the various neighborhoods.
Eric: Is that related, to McGruff the Crime Dog? Wasn't he involved in the Neighborhood Watch?
Jason: This is a different Neighborhood Watch, this is not staring at your front window. It's the Neighborhood Watch of the 21st century.
Eric: But are we overlaying? We still have people who are sitting on the porch and see things and then they call up. Are we overlaying the cyber side to it at the same time or they're distinct groups.
Jason: They're distinct groups. The Neighborhood Watch, that deals more with the local police departments, your neighborhood security and people. Neighbors looking out for one another, we call this a Cyberhood Watch. We call the different groups neighborhoods.
Computer Sniffing Dogs
Jason: We have ports, we have universities, we have banking institutions, we have entertainment industries. These are groups that typically compete against one another in a marketplace. But from a cybersecurity standpoint, we put that aside. We work together
Eric: Almost like the ICEX.
Jason: Yes, fantastic analogy.
Eric: But you don't have a crime dog.
Jason: No, we don’t.
Eric: Everybody's got to have a motto.
Jason: We have a logo and you don't exist in the FBI unless you have a logo.
Carolyn: What's your logo?
Jason: We have a Cyberhood Watch logo. Once you have the logo, you're real.
Eric: I know you're retired, but go with a mascot. Tell the boys and girls back there to get a mascot.
Jason: We do now have two computer sniffing dogs in the FBI. It is a great step forward for us. We have dogs that actually go in and search out. We’ve got one of them in Orange County and we have one of them back east. These dogs are close to an FBI mascot. We have bomb sniffing dogs and we have computer sniffing dogs.
Carolyn: What are they sniffing?
Jason: There are chemicals on computer parts that these dogs are trained to find. They are absolutely amazing at how effective they are. From people trying to hide computer evidence from the FBI when we used to go on search warrants. They can bury in the ground, they can hide it in the attic, but you can't. You can fool a person but you can't fool a dog. It is amazing.
Eric: We've pulled some crazy things out on this podcast, but I've never expected that one. A computer sniffing dog?
The Dog in the Orange County Named Ginger
Jason: The dog in Orange County is named Ginger. She's a sweetheart but she's never missed. We've had people bury stuff in the walls, hide stuff and electrical sock is buried in the ground. Ginger has found them all.
Carolyn: Who thought to do that? That's brilliant.
Jason: I'll take the credit for it although it wasn't me.
Carolyn: So now you're an attorney. How did that happen from FBI special agent to attorney? Were you an attorney when you were with the FBI?
Jason: I spent my first six years of working life as an attorney before I went into the FBI. During law school, I did the FBI honors internship program. It’s where I spent some time working at FBI headquarters. I actually wrote the brief on how to fire alcoholic agents under the Rehabilitation Act of 1973. That was my big thing. I was a lawyer for six years and burning out on it, so I put my application back into the FBI.
Jason: I was fortunate enough to be accepted. I then went into the FBI when I was about 30. Been 22 years there. When I got out, my father reminded me how much he spent on my law education. He really wanted me to go back and try to be a lawyer again. So I specialize now in cybersecurity incident response and forensics. I'm very fortunate because of of the skill sets I have.
Jason: That probably separates me from a lot of other cybersecurity attorneys. I spent 22 years in law enforcement. I’ve spent time in cybersecurity. I spent time in forensics. I’d like to say I speak all the different languages.
Disruptionware Is the New Cybercrime
Jason: I'm fairly good at translating the languages back and forth between clients and cyber folks and forensics folks. I can talk to all of them. That's my major skill set.
Eric: You've got both sides of the coin, essentially. You have spoken and have written about disruptionware. We've touched on it, but we haven't really spent a lot of time on disruptionware. I mean, ransomware, yes, which is a component. But would you explain what that is to our listeners and why they should care?
Jason: Ransomware, as much as I love to discuss it, I was not the brainchild behind it. It was discovered and coined by a group called ICIT. They were the ones that really brought ICT ware to the forefront. But I've really done a lot of work on it from a legal standpoint and a legal analysis standpoint. I’ve talked about how it affects people in a real world environment.
Jason: Disruptionware is the new cybercrime of the 21st century. It basically takes ransomware. Ransomware is a tool in the disruptionware toolkit, as are things called wipers and blockers and exfiltration tools. There's many different types of disruption ware. Disruptionware is designed not just to collect ransom. Unfortunately, it's also designed to destroy.
Jason: Most businesses have two types of networks and some don't even realize it. They have the traditional IT or information technology network, which is what we're all used to store our email. We store our data files. These are networks that typically get attacked in a cyber-attack. But what disruptions also goes after is what's called an operational technology network, or an OT network.
Disruptionware Is Turning Into a Multi-Billion Dollar Industry
Jason: That's the network that runs infrastructure for many businesses. Especially schools, government, and most importantly, hospitals in the healthcare industry. Those three are the biggest victims of the disruption ware world. Disruptionware is turning into a multi-billion dollar industry.
Jason: Companies are using disruptionware tools to threaten companies not just with theft of data or encryption of data. They’re literally physically shutting down businesses sometimes permanently. Sometimes these attacks are so destructive. If you remember Stuxnet, the alleged government attack on Iran. That was a disruption ware attack. Although at the time, we didn't have that term.
Jason: That's really what Stuxnet was. It attacked the operational technology networks of a foreign nation state. That is what disruptionware does, which makes disruptionware so dangerous. Unfortunately, ransomware is a big moneymaker and it's extremely successful for cyber threat actors, but disruptionware is killing people.
Jason: I can think of two or three instances in the last six months where hospitals have been shut down by disruption ware attacks. They are ransomware attacks, but they are attacking the operational technology networks within the hospitals. They're preventing the hospitals from using their equipment.
Jason: There was one case out of Germany, I actually wrote about that. A patient died on the operating table because they got hit by a disruption ware attack in the middle of surgery. They tried to move the patient to a different hospital, which was 20 minutes away. But the patient wasn't able to survive the move because of the timing.
Carolyn: Is that the attacker's goal? It sounds like a terrorist attack.
Jason: In that particular case, the cyber threat actor swears up and down. They didn't mean to shut down the hospital, they were going after the university.
A Criminal Offense Beyond Cyber
Jason: But when they attacked the university, they also hit the hospital. It could have been inadvertent, I don't know.
Eric: They found them though.
Jason: That's a German law enforcement question as to whether those folks were actually captured or not. Capturing those people is very hard because threat actors at that level of sophistication are very good at hiding info.
Eric: Attribution is tough. Let’s take your FBI background in both cyber and as an attorney. If somebody does that in a US hospital, we'll stay in America for a second, and people die, that's a criminal offense beyond cyber. Now you're dealing with somebody's life.
Jason: We're dealing with a felony murder type instance where you kill somebody in the creation of a felony. Every state in the country has a felony murder law. Plus, there's numerous federal statutes that deal with that. The biggest problem is, I could be wrong because I'm not the bad guy instituting the attack. I can tell you in the German attack, the German threat actors were incredibly apologetic.
Jason: They tried very hard to get the network back online after they realized they shut the hospital down. But they did kill a patient, and they're going to have to pay for that. There was a recent disruptionware attack against American hospitals. I couldn’t tell you the justification or the reasoning behind that attack other than they're generally financial in nature.
Jason: There are certain disruptionware attacks, when you use stuff like wipers and braking capabilities, especially wipers. Wipers are designed to destroy data, they wipe data. There's no encryption or decryption of data where you can get your system back online. If they wipe your data, your data is lost.
Disruptionware Attacks With Malicious Intent
Jason: There are some disruptionware attacks that are malicious in intent. The question is, are those what we called in the FBI script kiddies who go up to the websites, download scripts and run them, have no idea what they're doing. Probably 95% of your threat actors out there are script kiddies.
Jason: They're just stupid kids that don't know what they're doing. They just go to websites. They're able to do a port scan against a network. Figure out what your operating system is, and then they run an attack. There's also the more sophisticated type attackers who are in it for the money.
Jason: That's mostly ransomware attacks and those folks are in it for the money. They encrypt data, and they get paid to decrypt data. Then you also have the really bad folks or possible foreign nation states that have attacked us constantly. Those folks are malicious. Some of their attacks are threats in general.
Carolyn: You said you've seen more attacks towards energy and healthcare recently from disruptionware. Why do you think that is?
Jason: Right now, there's a huge disruptionware attack being aimed at the American energy industry. That's because quite frankly, they're an easy target. When the American energy grid was put together in the '50s, in the '60s, they didn't put it together with cyber-attacks in mind. They put it together with physical attacks in mind, so they put up fences. They have guards.
Jason: They do the things they need to do to stop people from penetrating these areas. Remember the old days of SCADA attacks. SCADA attacks were supremely successful early on because there were no cybersecurity controls put in place.
Top Four Victims of Disruptionware Attacks
Jason: It took years for the port industries to put the cyber defense controls in place to help defeat SCADA attacks. The American energy industry is extremely vulnerable to disruption ware attacks right now. I wrote a blog on that.
Jason: If you go to the Faegre Drinker blog website, you could read about that. Right now, the top four victims of disruptionware attacks are going to be municipalities. Because they have poor cybersecurity defenses, schools, hospitals, and the American energy industry.
Eric: We spend a lot of time on nation state attacks. These same types of techniques, these same types of attacks could be the prelude to armed conflict also. If a nation state wants to take another nation state down or look at capabilities, I mean. You run a wiper and the systems are gone.
Jason: The biggest challenge when we were in the FBI, and an equal challenge, it’s a harder challenge on the private side when you don't have access to the tools that the FBI had. But the biggest question we have is, are these individual privatized threat actors trying to make money? Or they just have a bone to pick with somebody or other nation states? There are a lot of nation state threat actors out there.
Jason: I worked on the Sony attack, which worked out of the LA office. I'm not telling you anything confidential anymore, but everybody is pretty confident that it was the North Koreans. Those types of attacks are hard. Is it North Korea? China? Iran? Is it even some of our allies? You don't always know who the nation's threat actor is. There's a lot of diplomacy and politics to get involved with that, which is way above my pay grade.
Advanced Threat Analysis
Eric: I’ve worked with a group at a prior employer where we did advanced threat analysis essentially. I drove them to get to attribution. One day, one of the senior researchers sat me down and said, "Look, let's talk about basic attribution. Let me tell you the type of things that I can tell you with confidence.
Eric: Let me tell you about the type of things that will probably never be able to 100% guarantee in." That attribution is so tough. You can't just get fingerprints and trace them back and say, "It was Carolyn Ford."
Jason: The FBI had an expression which is, we always catch the dumb ones and that's true. We always catch dumb criminals. The problem is there's some smart criminals out there and that's really a challenge. It's like bank fraud or mail fraud. If you rob a bank, but you don't steal so much money that we have to react.
Jason: It sometimes doesn't rate to the level where we have the resources to put into it from an FBI standpoint. If you steal some money, but not enough, then we call it a state crime. We ask the locals to investigate. It's like everything else. How serious is the attack? I worked on 9/11. I used to joke around a lot, if you blow up a building, the FBI will catch you.
Jason: Because at that point, we no longer have a budget. We no longer have any kind of controls from a financial standpoint. We used to turn what I used to call the Eye of Mordor on you. If we're actually able to get the Eye of Mordor turned upon you, we will catch you.
Moving the Eye of Mordor
Jason: The question is, is the attack serious enough? Enough to warrant moving the Eye of Mordor from a law enforcement perspective. From a private sector perspective, it's actually harder. Although we work in partnership with law enforcement a lot of times, law enforcement is limited in what they can tell and share with us. Because it's an ongoing criminal investigation as well.
Jason: Your point about attribution is just so spot on. But from a private sector standpoint, while attribution is important, we have to leave a lot of attribution to law enforcement. We have to focus on containment, retention, data recovery, notification, following the laws that are necessary.
Jason: If we have a HIPAA violation, if we have PII information stolen, we have timelines we have to deal with. Those are big challenges from a legal standpoint that we have to work with. Obviously, working with our cyber partners, our forensic partners, is also a big part of that as well.
Carolyn: What are you seeing in the energy and healthcare? Basically this is critical infrastructure. Is OT, that network, is what I would call critical infrastructure?
Eric: OT meaning operational technology.
Jason: That's a perfect analogy. It's literally shutting down the infrastructure, turning off elevators, shutting down operating rooms, turning off electrical grids. It isn't just encrypting data and asking for a ransom. It's literally physically shutting down a system. That's why it's called an operational technology. It's the operation of the business.
Jason: There are two types of cyber defense. There's operational defense, and there's information technology defense. There is a traditional type of cyber defense that we all think about. There's also what I call social awareness training.
Employees Are the Weakest Link
Jason: It’s the training that's super lacking in our society from a computer security standpoint. We don't train people well enough, and this is something we worked on hard in the FBI. But I can tell you, we don't do it in the private sector at all. Where we train people on how to prevent and recognize phishing attacks. Wailing attacks, spear phishing attacks, phishing attacks, SIM card swapping attack.
Jason: There are dozens of different types of social engineering attacks that become successful. Because employees are the weakest link in any chain. A network is only as strong as its weakest link. The FBI used to have an expression, "The only safe network is a network with no users." The problem is as long as you have users on a network, there's going to be a weakness to it.
Jason: When we talk about operational technology, you're 100% correct about the physical infrastructure. But that's only one part of the fence. Look at my writing on disruptionware. I'll be doing a CLE webinar at the end of March where I'll be talking about this as well. I talked a lot about social awareness training and defense.
Jason: The government has its own set of problems. But for the private sector side, the private sector businesses especially. If we don't recognize and identify the people, please don't click on this link. Because you can have the greatest spikes, firewalls in the world and the cyber. You can have the imaginal line of cybersecurity but look at what happened in World War II. It didn't work.
Eric: It wasn't super effective.
The Main Way the Disruptionware Is Getting In
Jason: The Germans just went around it, which is the same thing as a phishing attack. If somebody clicks on the phishing attack, they're now behind the firewall.
Carolyn: The main way the disruptionware is getting in are through these social engineered attacks.
Jason: I truly believe that in my opinion. 50% of all cyber-attacks come from phishing attacks.
Eric: Actually, most studies say it's quite a bit higher. It's north of 70%, 80% last I heard.
Carolyn: I thought it was up in the 80s.
Jason: I'll tell you another problem, and this is a big problem we had in the FBI as well. You can have all the security in the world, but 80% of cyber attacks have an inside presence. There's insider threats. I've written a lot about insider threats as well. You can do all the security you want. But if you've got somebody on the inside, and you don't have those defenses.
Jason: Companies and businesses spend so much time and money defending themselves from external attacks. But there's nothing to prevent them from internal attacks. If you want a good war story, this is one of my favorite cases when I was with the Bureau. We had a cyber threat actor who went to a business. He sprinkled USB thumb drives around their parking lot filled with malware.
Jason: Now, most humans are good people. You find a thumb drive on the ground in your parking lot. You’d say to yourself, "One of my coworkers has dropped their thumb drive. I should return it." So what do you think these people did? They took the thumb drive.
Kinetic Warfare Through Cyber
Jason: They put it into the computer system behind the firewall. The malware was instigated. Now the malware is populated behind the firewall. The cyber threat has gone. Now, that was an insider attack. Although it was inadvertent, it still worked like an insider attack.
Eric: If you find a USB drive in the parking lot, take the heel of your shoe or boot. Smash it immediately. Then be a good citizen of the earth. Pick it up, dispose of it properly, recycle it, whatever you need to do. But do not allow that to be used again. That is a clear sign that there's a problem.
Carolyn: When you're talking about these OT attacks with disruptionware, this is kinetic warfare through cyber.
Jason: If it's launched by a nation state actor, it's an act of war. There's no question about it. The politics of it is a whole nother matter and that's something way above our pay grade. But yes, you're 100% right. The problem is it goes back to attribution. We don't always know if it's a nation state actor. We don't know if it's a cyber threat actor. They're both out there.
Jason: They're both using disruptionware effectively. In my humble opinion, it's just going to get worse and worse. This is not something that's going away. Ransomware attacks have gone up exponentially over the last couple of years. They are the number one disruption ware attack, they do work.
Eric: They work and they're cheap. We've been talking about Sunburst a lot on the podcast. Imagine that an adversary got in. We were just talking about insider threats. They created usernames, they created accounts, they got through the multi-factor authentication.
Zero Trust Type of Security Mechanisms
Eric: The zero trust type of security mechanisms. But imagine instead of just exfiltrating data, they just wipe systems. Or they set all systems to wipe on March 13th.
Carolyn: Stay in there just so they can control the systems, so they can mess with the systems.
Jason: That's called a logic bomb. Those are very popular attacks, especially from insider threat attacks. One of my first cases as an FBI agent was an employee in a company who set a logic bomb. It’s a company payroll system. If your social security number didn't turn up in a payroll every two weeks, he launched the malware internally.
Jason: One day he was fired because he knew he was going to get fired. Fortunately, we were able to find the logic bomb before it launched. This was in 1998 and now we're in 2021. But the same game plan still works.
Eric: I was talking to somebody last week. I won't name them, but when we look at the insider threat, we were looking at Sunburst. We were talking about it, but who needs to pay a US citizen $100,000 to exfiltrate data? Or do something these days when you can just come in from a cyber perspective? You can just come right in on SolarWinds or some other infiltration mechanism then you can move laterally?
Jason: You almost don't even have to pay people anymore and increase that exposure and risk. That's expensive, and time, and money, and everything else. The new insider threat, in my opinion, is the adversary who gets in and creates user accounts. Gets them validated, and then starts operating.
Carolyn: Which is what Sunburst did.
What’s Better Than a Disruptionware Attack
Eric: That's exactly what happened. Fortunately, I don't think we have any reports of damage internally yet. When you look at the agencies, agriculture, commerce, energy, HHS, DHS, across the board. The agencies that were impacted and penetrated. Imagine if somebody ran on wiper, and just started wiping systems across the board in those agencies. What would we do?
Jason: Think about it from a business standpoint. You're in a competitive business area, and you want to destroy your competition. What’s better than a disruptionware attack to do that? Either shut down their operational technology network, or worse, run a wiper. Run a bricking capability type tool.
Jason: You can literally put those people out of business if they don't have their backups properly secured. A lot of companies don't. And a lot of companies still make the criminal mistake of leaving their backup systems accessible to these types of attacks. Then you could be out of business for weeks or months, and it would destroy your business.
Eric: We saw something similar with Saudi Aramco back a couple years ago. They had to rebuild their entire IT infrastructure, all new systems, everything. It was deadly.
Carolyn: Since time's beaten us, you've already told us the training is critical, backing up your systems. What other recommendations would you give agencies?
Jason: Do a cloud backup that has no connectivity to your IT or your OT network. At the end of the day, if they're somehow connected, you can lose everything. We had a client who suffered a ransomware attack. He was able to get his business back up in two days because they had an excellent backup system. That was a cloud based backup system.
From a Business Continuity Standpoint
Jason: Now, there were still other issues to deal with. It wasn't quite as simple as, "Okay, now we're done." From a flip side, at least from a business continuity standpoint, they’re re able to keep the business running. They were able to restore their entire network over a weekend. I can't stress the backup system enough.
Jason: I can't tell you how many people make backup tapes and then store them in their server room. Then if there's a fire, guess what happens to your backup tape? Or if there's a theft, guess what happens to your backup tapes? You don't store your backup tapes. Or your backup programs where you store your servers. You keep that separate or there's no point to doing it at all.
Eric: Multiple copies, multiple locations. The other thing we've talked about in the past is practice restoration. You could be backing up for years. If it's a bad backup job, or it's missing something, and you don't actually try to recover. When you go and try to recover, guess what? You're probably going to have a bad day.
Jason: People don't realize, tape drives are very picky sometimes. If you upgrade your tape drives, and you try to restore old tapes from a different tape drive, that doesn't always work. If you can afford it, I would go with cloud based backups as much as possible. That is by far the most secure and the safest way to back up your networks. Now, tape is drastic for lack of a better term.
Carolyn: I'm going to give you a few rapid fire questions, Jason. What are you reading right now?
A Nation-State Attack From the Russians
Jason: SolarWinds is a reading material today. Based on what I've read because I have no inside information any longer. I'm no longer with the government, but it appears to be a nation state attack from the Russians. Cozy Bear, a Russian intelligence unit appears to have. But I don't know that for an absolute fact.
Jason: I'm just telling you what I've read. The SolarWinds attack was a major wake up call to the cybersecurity gurus of our country. From a technical standpoint because they were allegedly able to exfiltrate and infiltrate the Microsoft network, corrupt DLL files. Right now, from a reading standpoint, I would read up as much on SolarWinds as I can. That's going to become a treatise on cybersecurity in terms of what went right and what went wrong.
Carolyn: I follow your firm on LinkedIn. You guys put out a lot of really good blogs. Next question. Do you have a cybersecurity must read book or follow somebody in cybersecurity, podcast, other than this one?
Jason: If I can pick my own podcast, I host the Faegre Drinker Blog Technology podcast. That is posted on our website where we talk about law and technology issues. Krebs is the guru of computer security. The Krebs Podcast and a lot of his newsletter stuff, he's a guru, I highly recommend him. I have a problem. In the FBI, we were under strict rules never to endorse.
Jason: I try hard not to endorse people because one person's trash is another person's treasure. I don't want to send people the wrong way. But any cybersecurity podcast that's reputable is going to be a good podcast to listen to.
Cybersecurity Is Always In Motion
Jason: You guys do a great job. We do a great job. Krebs does a great job. There are a lot of great cybersecurity. I enjoy podcasts a little more than perhaps reading blogs and articles sometimes. I can download podcasts to my phone and just listen to them when I take a walk or when I'm driving. So I can maximize the value of my time a little bit more.
Jason: But you have to stay up on cybersecurity. Cybersecurity is never ending. It's always in motion, it's always in flux. It's like when I did computer forensics for over 20 years. We were always a jack of all trades, prince of none because all we do is study, train, and learn. But you're always chasing technology.
Jason: One of the big problems the government has is the government chases technology works and everybody. When a cyber-criminal wants to buy a new computer, they steal a credit card and buy a computer. When we wanted to buy a new computer, it took us six weeks of inventory, logistics, and approvals to get that computer.
Jason: Already six to eight weeks behind before we even get started. We had a rule in the government that 20% to 25% of our time was just training. If you can afford that in the private sector with your IT gurus, your cyber gurus. They need to spend 20% to 25% of their time studying cybercrime. If you don't like disruptionware, a lot of people don't even know what disruptionware is. They don't even recognize the attack when they see it.
Multiple Tools In the Disruptionware Toolkit
Carolyn: I hadn't heard that term. I knew ransomware but disruptionware is a new term that I was introduced to.
Jason: People don't realize that ransomware is a tool in the disruptionware kit. Ransomware, while people think of it as a standalone attack, it is and it isn't. It is truly part of a disruptionware attack and there are multiple tools in the disruptionware toolkit. It's all a matter of who's using them and what the purpose is. If they're in it for the money or if they're just playing pissed off.
Carolyn: What have you watched lately? Binge-watched lately on TV, movie, whatever, that you've just loved?
Jason: The Mandalorian. There's Grogu right there. I'm a Mandalorian. I love Star Wars. After trying to survive the disaster that was Jar Jar Binks, I now have Grogu. I'm at peace with the world again, but I bought this. Plus my wife and I have been binge-watching The Mandalorian.
Eric: This could turn into a Star Wars podcast for the two of you. Carolyn, what's your dog's name?
Carolyn: Han Solo.
Jason: You know what my dog's name is? Chewbacca.
Eric: Listeners, what did I say? I warned you.
Carolyn: Best day of the month.
Jason: That's another podcast right there.
Carolyn: Do you have a guilty pleasure other than Star Wars?
Jason: Video games.
Carolyn: What's your favorite?
Jason: I’m a Skyrim/Oblivion fan. I love third party role playing games. I'm not a big first person shooter person. I've done that for a while but I love role playing games. I'm a big Dungeon and Dragons player. I have played Dungeons and Dragons since I was about 10 years old. But I love video games.
Social Awareness Training to Prevent Cyber Attacks
Jason: I still play, I have a PlayStation 4. Whatever PlayStation my son has, I have to have one better just to prove to him that there is a value to having a good job. So that I can afford better stuff than him.
Eric: I thought the five were coming out.
Jason: It is. The five are out and I'm going to be buying that very soon.
Carolyn: You can't get it right now.
Eric: I can't believe people are still playing D&D. I'm so much out of touch.
Jason: D&D is still as popular as ever.
Carolyn: If you had your magic wand that you could wave in the cybersecurity world. You could just change one thing, what would it be?
Jason: I would want to do more to help businesses train and prepare employees. For them to deal with social awareness type training to prevent cyber attacks. The biggest mistake we're making from a cybersecurity standpoint is we spend too much time putting up firewalls. There’s not enough time teaching people how to avoid phishing attacks, whaling attacks, business email compromise attacks.
Jason: Employees just have no idea what they're doing. That was a problem we had in the government as well. That brings up a great point. I don't want to kill the time, but we are way too reactive in the government. Even in the private sector.
Jason: One of the things we tried to do with the Regional Computer Forensics Labs, with the Cyber Task Force. I helped create three major task forces, trying to become more proactive. If I had a wave of my magic wand, I would want us to become more proactive in cybersecurity and less reactive.
Carolyn: We do that through training.
Action Always Beats Reaction
Jason: People have to remember when you deal with a gunfight, action always beats reaction. That's why we train constantly when we train in terms of self-defense from guns and from shooting, action versus reaction. Cybersecurity is no different. We have to be proactive, not reactive. If we're reactive, we'll always lose. You cannot win.
Eric: We've been reactive from the beginning.
Jason: We still are. Until we change that, we're always going to be playing catch up.
Carolyn: Last question. What do you think the biggest cybersecurity impact has been in the last 12 months?
Jason: SolarWinds is going to redefine cybersecurity for the next generation. It's going to be a case study. You're going to see books, magazines, articles, webinars, continuing legal education. I've already written an article on SolarWinds. It's so important as a learning tool as to what went wrong and what not to do in the future. I truly hope that people take SolarWinds as seriously as they need to.
Jason: On the flip side, it keeps me gainfully employed. Ultimately, as a resident of planet Earth, I want my children to grow up in a world where they don't have to worry about constant cybersecurity attacks. Their credit cards being stolen, and this being done. It's a tough way to live. It's only going to get worse.
Eric: Do you feel that the practitioners you've spoken with see it as such a significant monumental event as it is?
Jason: Not yet but they will.
Eric: That's what I'm saying. I'm not seeing people acknowledge Microsoft's source code was accessed.
Jason: People don't understand the implications of that.
People Don’t Know What Disruptionware Attacks Are
Eric: They tell us that a month after they said, "Hey, we didn't have any problems." That's the operating system of the earth.
Jason: The problem is it goes back to disruptionware. Disruptionware has been out there well over a year. ICIT first identified it, and I started writing about it. It's been over a year by now and people still don't know what disruptionware attacks are. People don't understand what SolarWinds is about.
Jason: People don't understand the threats we live in, not just from threat actors, but from foreign nation-states. They’re saying they have a real vested interest in destroying our economy. The way to do that is no longer shooting missiles, it’s to destroy infrastructure. It destroys information technology, operational technology.
Jason: If you can attack Microsoft and change their DLLs, you've got some stuff to worry about. Because that's the operating system of the earth. These are really fantastic questions, and I hope people take these thoughts to heart.
We’re Going To Survive SolarWinds
Eric: Windows, Azure, hopefully the only source code they accessed was some Windows Codec from 1998. I think that's the case.
Jason: In the end, we're going to survive SolarWinds. The question is, are we going to learn from it? Because SolarWinds could have been a lot worse than it was. There was some damage done, but that will be fixed. The question is not so much what's the damage and how much does it cost. But do we learn from it so we can prevent it from happening again?
Carolyn: All right. Well, thank you so much, Jason. A lot of good material today.
Jason: Thank you so much for the opportunity.
Carolyn: All right, listeners. Share this episode. Hit that like button, and we will talk to you next week.
To The Point Cybersecurity was recently named one of the 30 top Federal IT influencers 2019 and 2020 because of fantastic guests. We are always looking for great thought leaders to interview. Please email me with guests you would like to have on the podcast firstname.lastname@example.org.
About Our Guest
Retired FBI Supervisory Special Agent and digital laboratory director Jason G. Weiss. He is counsel in the Los Angeles office of the law firm Faegre Drinker, Biddle and Reath's cybersecurity and incident response group.
His practice focuses on cybersecurity incident preparedness and response. Compliance with information governance laws and requirements, as well as data analytics, investigations and e-discovery.
Previously, Weiss was supervisory special agent in the FBI Los Angeles cyber and forensics branch. It’s where he founded, designed and led a nationally recognized and accredited computer forensics laboratory.