Most CISOs understand that one of their key phone calls after a ransomware incident will be to the FBI, but what they may not appreciate is that it shouldn’t be their first call to that organization. That’s because the emergency call will be much more effective, and the response much more efficient, if a relationship has been established ahead of time. And the outreach won’t be seen as a bother, but rather be embraced, according to Alan McHugh, Chief, FBI Cyber Division, Cyber Crime Tactical Intelligence Unit. McHugh, who recently spoke with healthsystemCIO Editor-in-Chief Anthony Guerra, also said organizations that reach out for help shouldn’t fear a loss of control, as the FBI is looking to support, not dominate, the situation.
Podcast: Play in new window | Download (Duration: 41:29 — 28.5MB)
Bold Statements
It might be chaotic, and it will be chaotic for the victim and for the incident handlers, but it’s not as chaotic for us because we’ve been there before and we’ve done that. So one of the things I’d like to think we would do is we could come in there and offer some sense of organizational sanity on a day that is completely insane.
So there are skills, there are unique, tailored technical skills, investigative skills, negotiation skills, and crisis management skills that we bring to the table that we think are invaluable.
I would say when to call the FBI is today. I know that sounds strange but you should call the FBI today to establish these contacts, establish these relationships, so that you can build up trust.
Anthony: Welcome to healthsystemCIO’s interview with Alan McHugh, unit chief of the FBI’s Cyber Division, Cyber Crime Tactical Intelligence Unit. I’m Anthony Guerra, founder and editor-in-chief. Alan, thanks for joining me.
Alan: Thanks to you, Anthony. I appreciate the chance to be here.
Anthony: Very good. All right, Alan, lots of fun stuff to talk about today. Serious issues but we’re going to have fun with it, right?
Alan: Sure.
Anthony: We should be able to do that. Okay, tell me about your role with the FBI.
Alan: Well, yes, you never know, we always like the opportunity to share who the FBI is, who we are and what we do, especially in what we’re going to talk about today, the cybercrime space, we have a very unique and I would say powerful role in this space. Today is a perfect opportunity because one of our strategy pillars is to try to engage the public in understanding mutually understandable threats between public and private sector, and in this case, the healthcare sector.
I’m the unit chief of the Cyber Crime Tactical Intelligence Unit, essentially all of my resources are focused on analyzing and investigating cybercriminal incidents, threat actors, groups of individuals, ransomware gangs, or variants if you will, but we also build an information data resource that lends awareness to a defensive posture as well. We use our incident information to inform network defense strategies. My unit, our reason for being, is we are, in the cybersecurity parlance, intelligence as a service, we support operations, we also raise awareness on criminal threats to a lot of different audiences.
Anthony: All right, very good. So does the FBI have any resources broken down by industry? So for example, obviously we’re here, we’re focused on healthcare, that’s our audience. Do you have resources split up that way or is it not done that way?
Alan: It’s more focused regionally throughout the nation, right? So we have 56 field offices, we have overseas offices, our focus on cybercriminal activity is mapped more to a region rather than an industry, if you will. Now at our headquarters division, we will have groups of individuals focused on threats and vulnerabilities. Elections, for example, is an area where we would be focused on working closely with government facilities and subsectors, but more of our response and our intelligence and our engagement mission is more mapped to a regional construct.
Anthony: Okay, very good. So yes, one of the things I wanted to ask you is when you think of the FBI, you think dealing with the crime, which would be a post-event type thing, and that maybe CISA, entities like CISA would be more on the advisories side, best practices and that kind of a thing. But it sounds like you have some stuff going on there, some resources that you might want people to be aware of around threat intelligence and some other stuff. Let’s get people thinking correctly about what the FBI can do for them.
Alan: Sure. Yes, so I would say the FBI, look, we’re an investigative agency, but we absolutely play in the arena of prevention and mitigation and defensive networks. We have built what I’m very proud of, an FBI-CISA partnership for the stopransomware.gov platform. For us it’s a one-stop shop of prioritization, showing where the US government’s priorities are when it comes to ransomware, but also really tailored solutions for network defense. We started this project about a year and a half ago, where we’ll actually publish IOCs and TTPs for variants, tailored messaging for specific variants, but we’ll also issue very general alerts.
When we started this program about two years ago, we were doing pre-holiday messaging, trying to put people on notice that holidays are a very important time for cybercriminal actors to breach networks while businesses are vacant. So a lot of messages on stopransomware.gov, I would be really remiss in leaving this conversation today and not highlighting the value there. I think we’ll have some opportunities to talk more about it.
But from a mission, an authority’s standpoint, the FBI is an investigative agency, we’re an intelligence agency as well. But the opportunities that we have to conduct investigations affords us the luxury of information and relationships and engagement, and we try to use all of that in a messaging campaign, and we do it aggressively with joint partners like CISA, H-ISAC, MS-ISAC, and other partners like that, I’m certainly leaving a few out. But if you see the stopransomware.gov platform, you’ll see exactly the forward-facing messaging and the joint partnerships there. Are you familiar with stopransomware.gov? Have you heard that reference before?
Anthony: Probably, but there’s a lot of stuff out there. There’s a lot of entities in the government, there’s a lot of organizations, there’s a lot of stuff. So not to say what you’re doing isn’t important, but maybe that’s why it doesn’t totally come to mind.
Alan: That’s an important point and I’m glad you raised that issue, the space is flooded. It’s flooded with public messaging, it’s flooded with private sector companies that are also doing this in many ways for a paid subscription, but we’re trying to do as much as we can at what we would call the TLP Clear level, to get this messaging out, IOCs, TTPs, so that we’re preparing people pre-incident.
The goal is to increase security awareness, identify our priorities, and increase that engagement opportunity and the discussion. We’re trying to be as entrepreneurial as we can with all of our partners; private sector, private-public sector, nonprofit. Stopransomware.gov is probably the epitome when it comes to this conversation, how do we as the FBI balance the investigative side with the network messaging-defense side? StopRansomware.Gov, for my money, is the epitome of that.
Anthony: All right, that’s where you want to direct people. Let’s level set, our readers and people listening to this are going to be the CIOs and the CISOs at the health systems, so we don’t need to give them a lot of background on what’s going on, they’re living it. But with that being said, I want to get your opinion on how you think things are out there. Is there a steady state? We know there’s a lot of ransomware going on, we read about it. Is it a steady state? Do you think things are getting or going to get worse? Or do you have some reason to feel things are getting better?
Alan: Yes, look, it’s really hard to tell because of what we believe is a massive underreporting of the incidents themselves. We’re not being flippant about this question at all, but what we try to figure out within my shop and other shops in every field office is what is a steady state? If the question is, how much ransomware is there? Unfortunately the only answer right now is, yes. It’s hard for us to understand sector-based risk collectively. It’s hard to understand threat actor activity because of the way that this ransomware-as-a-service ecosystem operates.
We believe a few years ago we certainly saw a spike. We saw a spike in reporting, we saw a spike in awareness, and then from a reporting standpoint we think we have seen a little bit of a normalizing. But again, I would say any statistic I would provide you today is an underreporting. We have IC3 as one of our main reporting mechanisms in the FBI and we rely on some of those statistics, but we only rely on it as a measure of central tendency. And we have some collection across our investigations and other relationships, opportunities to talk with the private sector and what they’re seeing in their incident response. And we’re tracking, to the extent we can, ransomware payments.
We just know right now the monetization of software security flaws presents real opportunities to cybercriminals, and we are dealing with a real challenge when it comes to the ransomware crisis or epidemic, if you will. And these are strong words, but we know, especially in the health sector, there can be no downtime. And we’ve seen some of these incidents such as the Irish Health Service, for example, but we don’t have to go to Ireland because there are many that have been hit here in the US, there’s many examples of it.
So trying to get the message out on network defense, trying to work across all the sectors, healthcare as well as other sectors. Trying to build that trust with companies pre-incident, trying to build that trust and that communication with CISOs and CIOs pre-incident so that when the incident inevitably occurs; and as we were talking about earlier, a chaotic day in everyone’s life, but if we have these relationships and we have an understanding of the flow and the process, then maybe we can work around the margins to make incident response a little bit more efficient.
We’re not technically an incident response agency or a network remediation agency either, but as we do engage with our victims and those call-ins, we certainly bring specialized techniques, specialized understanding. In fact, that stopransomware.gov platform has a really nice overall Stop Ransomware guide with network architectural design suggestions in it, so we can bring a real specialization to those incidents.
Anthony: There’s a lot there, right? I mean, there’s a lot there, so let’s talk about one of the more sensitive issues here. You talked about the monetization, and what you mean by that is people pay, right? People are paying ransoms, this is what we mean by monetization. The best incentive you can have as a cybercriminal, that’s why they’re doing it.
Alan: Exactly.
Anthony: So this is a big problem. Because I believe, and I’m pretty sure, the messaging is don’t pay, you shouldn’t pay. I don’t know if it’s you can’t pay, and you’ll be brought up on some sort of criminal charges if you pay. I don’t think that’s the case, but it certainly is a, we’d really rather you didn’t pay because all these bad things happen if you do pay. We know people are paying, right? We know that’s happening. They’re paying because theoretically they could be out of business if they don’t pay. Nobody wants to pay but they’re paying.
Alan: Well look, Anthony, thanks, it’s probably one of the most important elements of this ransomware ecosystem. The criminality exists because the payments exist because the vulnerabilities exist. These operators, these actors are biased towards the flaw, they’re biased towards the vulnerability, they’re biased towards the payout. We do not recommend paying ransoms, paying ransoms incentivizes criminal behavior and invites potentially even more risk upon our current victims and potential future victims.
In fact, paying a ransom doesn’t even guarantee that your network will be restored and the integrity that you’re seeking and the availability that you’re seeking is even going to be back to where it started. And once potential data was exfilled, how do we understand that it’s still in the wind? And would we allow any trust with a threat actor who just breached my network to say, “Oh, well, here’s your data back, thanks for paying me”? So there’s a lot built into the decision around paying a ransom, we don’t recommend paying ransoms.
However, we’re very clear in our position of pragmatism as it relates to choices that boards have to make, choices that hospitals have to make to get back up and running. We want to be part of the process once this incident happens, we don’t want to be in competition with any decisions that the company or the board or the decision makers are making about paying a ransom. We will, as the FBI, react to any of those decisions and we will hopefully be able to pursue some investigative avenues even if a ransom is paid, and potentially as part of that payment there might be some tools and authorities that we can leverage.
However, like I said, it’s a fine line we try to talk about here. We don’t recommend paying, but if the decision is made to pay, there is very little risk that we will come in and have some competitive decision making pressured upon those victims to somehow extend their downtime. Our goals are their goals when it comes to getting back up and running and understanding the threat that put them down.
The real sensitive variable is that if people do decide to pay, there may be an unfortunate situation where the payment is made to someone who is, unbeknownst to the victim, a sanctioned entity, maybe an OFAC sanctioned entity. So again, we would want to work with that victim to let them know, if that was part of the process, how could we mitigate that decision in the grand scheme of things from a strategic standpoint? So there is risk in paying from a data standpoint, from incentivizing criminal activity, but also from a potential paying out a sanctioned entity, which we would certainly work with victims to understand better.
Anthony: Really interesting. So what you’re saying is we’re not going to say, “We’re out of here.” If somebody wants to go down that path, we don’t say, “We’re done. Pack up, let’s go.” You don’t do that?
Alan: No, it’s a good point, because we want to stay as engaged as possible with our victims, and we want to treat their information as sensitively as we always do, and we are very discreet in the way we handle that information. And even if there’s a payment, we can stay involved in that process as a whole, as the investigative agency. And then like I said, maybe even if the ransom is paid, there are investigative tools and authorities that might allow some follow-up lead generation from that decision.
Anthony: Very good. As I think through these scenarios of a ransomware incident – I haven’t been in the room during one – but it does sound to me that there’s a lot of cooks in the kitchen when something like this goes down. You would have the emergency management department of the hospital that is supposed to manage large incidents.
If it’s a ransomware incident, you’re going to start with your CISO and your CIO, but if it can’t be quickly isolated to a manageable IT situation and you’re going to impact departments, you’re talking about shutting down clinical tools, eventually you could even talk about patient diversion. Then you bring in emergency management, they’re going to deal with the overall. You’re going to have your upper echelon of the health system, which would be the CEO, the COO, the CFO, there may be consultations with the board, I’m not sure about that but there may be.
Alan: Maybe.
Anthony: You’ve got privacy, you’ve got legal, you’ve got marketing and communications, you’ve got HR. You’ve got those clinical leadership folks which I mentioned, which would be the people you’d want to discuss with potential impact of, “Hey, we’re going to shut down your EHR in two hours,” or in one hour or in 20 minutes.
Alan: Right.
Anthony: So bust out the paper documents, right? That kind of a thing. You might have regional authorities, county and state if we’re talking about diverting patients. You could have the FBI if you’ve called them. You could have your cyber insurance company, they will certainly want to be at the table. And you could have, you mentioned before, a cyber incident management company that you may have had on retainer. That’s a lot of entities in a room, and there’s a lot of moving parts, and there’s information that’s changing by the minute.
So what are your thoughts there on, again, we’re talking to the CIOs and the CISOs, what advice would you want to give them about how to navigate this? And maybe, who’s going to have those determining voices in the room?
Alan: Yes, you lay out a very complicated picture there, and it’s exactly right. And I also heard your interesting conversation with Denise (Anderson) from H-ISAC, and you talked about this. Because at what point does then the CISO work stop, the IT work stop, and then it turns into a non-information technology problem of whiteboards and index cards and it’s a whole of hospital or whole of clinic response? I would say it’s the same on the responding side or the investigative side.
It might be chaotic, and it will be chaotic for the victim and for the incident handlers, but it’s not as chaotic for us because we’ve been there before and we’ve done that. So one of the things I’d like to think we would do is we could come in there and offer some sense of organizational sanity on a day that is completely insane. We always think we begin with the victim in mind, we work collaboratively with all those parties you mentioned by the way. Our preference would be we get called into that exact scenario you laid out and we all sit around the C-suite and discuss lanes in the road and how the FBI can add value, how we can work with HHS in the healthcare sector space, CISA, and the incident responders, and all of the insurance, legal, and the CEO, CIO, CISO.
So we think we can add some organizational health to the situation when it would appear there is no organizational health. But again, we have a track record of success in doing that. Collaboration is key for us, and collaborating with all those agencies. And maybe there’s information that we collect from this incident that we reach back outside of FBI channels throughout our law enforcement community, through what is now known as the Joint Ransomware Taskforce.
We can bring a strategic picture into a tactical situation, and hopefully that could help people get the network back up and running. Again, we won’t primarily be focused on that, but we may bring a decryption solution or idea into that room, we may have some decryption technology or know where to find it. So there are skills, there are unique, tailored technical skills, investigative skills, negotiation skills, and crisis management skills that we bring to the table that we think are invaluable. And like you just heard me describe, we don’t think effective protection and response is an FBI-alone job, it’s not.
Anthony: I’m picturing panic among these victims, and we’re talking sophisticated people.
Alan: Sure.
Anthony: These are executives at large health systems, in the scenario I’m thinking of, you could have any different size, but these are sophisticated people and I’m guessing you’re still going to see some degree of panic. Do you see that?
Alan: Yes, we do, and it’s not just the technical challenges, it’s the business of running whatever business you have, engaging your clients. In your case or in this sector’s case, it’s patient care, it’s no downtime. We see the panic, and certainly in some incidents where it’s an upstream provider and we have multiple victims from an upstream provider, so it’s not just a one-and-done incident for us, it’s actually hundreds or thousands of victims impacted because of an upstream weakness in a managed service provider update that was sent out to all of these victims.
So we have to have a coordinated approach to that. One victim in Omaha has to be dealt with the same way as a victim in Detroit, even if the FBI main investigation is, let’s say, in our Washington field office. So we can bring that collaborative nature, we can bring that technical skill into the picture there. But I would agree, there’s an element of panic involved.
Anthony: Let’s talk a little bit more about the underreporting. Are we assuming that there are organizations that go through something like this and decide not to contact the FBI?
Alan: Oh, sure.
Anthony: To me, that’s pretty scary. I’d rather call the FBI and have you guys on my side than go it alone, but I guess some entities are making that decision.
Alan: Well, Anthony, we agree, so let’s get that message out there. We don’t compel any cooperation with the FBI after a cyber breach or intrusion depending on the victim. There are some requirements, regulatory requirements for reporting depending on what the industry is. We would try to point to some really positive public feedback from when we were responding to an incident, a pretty well-known managed service provider incident. We had the CEO of that company come out very publicly and say, “Hey, my number one call was to the FBI, here’s why and here’s how it happened. Here’s all those questions and concerns that we had within our board or within our client base. We had a trust, we had pre-existing relationships, which is critical. We had done some testing in the wild, we had some guidance from the FBI already, and so when the incident occurred, we had a little bit of a runway that we could rely on.”
So there was a really important, well-known op-ed written by the CEO of Kaseya that talked about this exact notion of, “Hey, it’s already your worst day as a company or as a clinic or as a hospital. Okay, let’s start with that as the baseline.” And then people don’t normally think about inviting the FBI into their work environment to support their incident response issues, but I would tell you like you just heard me say for the Kaseya incident, we bring a specialized skill set, we bring a discreetness of working with victims.
We bring an understanding of the investigative process that can help us cut through some of the chaos and the confusion, and the technical challenges that the CIOs and CISOs are going to be dealing with, trying to isolate and identify the incident already is a technical challenge, and so maybe we can bring some of those resources to bear. When I say it, it sounds like it can be very complicated and it can be in competition with what’s happening on the ground. But we have the skill set to be in concert with all of these response incidents and not in competition.
Anthony: Let’s talk a little bit about that. The perception, if we don’t think about it too deeply, is that it’s always clear when to call, and that maybe people are not calling when they should. But I think you might have some of the opposite, you may have a lot of calls that are not warranted like, “Hey, we don’t do that. That’s not really our thing.” So sometimes it’s obvious, maybe if you get a flashing screen that says, “Your system’s shut down because of an international cyber gang.” Oh? FBI. But there could be a lot of variables, a lot of different ways, so when should an organization call the FBI? When should they not call the FBI? Some information around that?
Alan: Yes, and this can be complicated, and I would say when to call the FBI is today. I know that sounds strange but you should call the FBI today to establish these contacts, establish these relationships, so that you can build up trust. So that if and when the incident happens you can say, “You know what, I don’t know if the FBI wants to know about this, but why don’t I call my FBI agent contact and find out if they care about this incident?” So I think creating those relationships now rather than post-incident is crucial.
I think the dividing line between when to call the FBI and someone else is especially difficult on a day where your data is encrypted or data is exfilled and it’s out in the wild and people are selling it. It’s a very cloudy decision, the fog of war, the fog of cyber response. But I would say for the health sector of course, the HHS, FBI, and CISA is a three-headed monster. Who do I call? When do I call them? I’m very serious about saying call the FBI today and establish that relationship, because what we can do is we can collaborate with all of those agencies. We could even come out and work on some cyber hygiene practices with your clinic or with your hospital network or your managed service provider, your clients, whatever it might be.
There are no limits. Culturally we don’t want any limits on people contacting the FBI in relation to cyber incident reporting and follow-up, threat hunting, and artifacts that you might have on your network that you feel like you’ve come to an understanding of who did it, we would welcome that contact. We have, like I said, a technical understanding of, well, maybe your systems are encrypted, maybe there was exfil, maybe there was just exfil. Well, maybe we can come in there and we have experience with maybe preventing that information being leaked, so there are angles that we can address.
We can address these angles within our cyber strategy, and it doesn’t have to be some all-encompassing behemoth of, well, the FBI is now here, they’re taking over, and they’re going to handle this. That is definitely not our handbook and our strategy, but it is very tailored, it is very surgical, and hopefully it will help ultimately get people back up and running, and also defend themselves, and also help us understand who did it so we can chase those threat actors and their money and prevent future victimization.
Anthony: Well, I think that’s a really good point, and you just made me think of it a lot differently. I was picturing if you call the FBI, like the tactical SWAT team shows up at the hospital. No, no, no, right?
Alan: That’s usually not when they call us (laughing). We do that, but we don’t get those phone calls first.
Anthony: No, no, but it’s a great point, that if you build the relationship, if you get to know Alan ahead of time and something happens, it’s a lot easier to reach out to Alan and say, “Hey, Alan, what do you think? This just happened.” And you go, “Oh, that’s nothing.” Or you say, “Yes, we’re going to come down.” That’s a lot more calm and manageable than if I’ve never contacted the FBI before; there’s much more trepidation about doing it, I don’t know what I’m going to kick off. I think that might be the fear, I don’t know what I’m going to kick off if all of a sudden I’m not in control anymore. And you talked about that, that’s not the case.
Alan: We understand that. We totally understand that, especially if you don’t have experience here, it’s the unknown of working with the FBI. What will we come in and do? And how much equipment will we show up with? Are we going to kick the company out and put crime scene tape around the building?
Anthony: That’s right. That’s totally right.
Alan: Right, right. So we want to just be able to talk this process through with people. In some cases we’ll just have one responding agent, we’ll have one responding agent with maybe a computer scientist. Depending on the level of incident, we could have a team come out, but we’re not going to do this without consultation with the victims. We’re not just going to say, “Hey, okay, you called us, we’ll be right there,” and then 25 people show up in a mobile command post. We don’t do that without the coordination and collaboration with the victims and the other agencies that we think need to respond.
We are very public about saying that we can put specifically cyber-trained professionals on any door in a very short amount of time in the US, and then as well as overseas, we usually talk about responding within a day. We have a big network overseas of technically trained agents and cyber agents overseas who can also be leveraged.
Anthony: I’m going to let you go soon, just maybe two quick ones. People want this to stop, everybody wants crime in general to stop, to be less. So what do you want people to know about your ability to get the bad guys, and to get the bad guys and maybe to have eventually some effect on the volume? If your organization has been hit with a ransomware attack, I’m assuming it might not always line up to, we’re going to get them for this attack, maybe it’s a gathering intelligence and information that will help us eventually get them when we’ve seen them attack six places.
I don’t know, your thoughts there? What do you want the victims to know? Potential victims out here are going to listen to this about our ability as a country, the FBI’s ability to make some headway on this. I know it’s tough.
Alan: Yes. Yes, I mean, there is an element of a volume challenge here, as we know. I really like the question because you didn’t say, “How many bad guys have you arrested?” That is a massive tool in the FBI toolbox, indictment and arrest. As it relates to the FBI and Department of Justice, these tools in our toolbox are great remedies for the issue that we confront every day, but they’re not the only tools and the only remedies.
We talk about joint sequenced operations, leveraging partnerships, we have had great success, notable, big-time wins in this space over the last couple of years. I point to a recent QakBot infrastructure takedown, using and leveraging partners and some FBI tools and authorities. These types of infrastructure takedowns or money seizures, indictments, arrests, extraditions, we want to leverage all of those tools and authorities, and maybe not just the FBI tools and authorities. QakBot is a great example, you saw that that was an international partnership, and we need to rely on that heavily.
We also want to put out as many advisories as we can. I can go through some numbers here. We’re talking about from an impact standpoint on the threat, we will go to any length to make an impact on the threat, and it can be across several pillars of strategy for us. Thousands of individualized threat warnings, disseminated hundreds of public threat advisories, joint cybersecurity advisories like stopransomware.gov, we’ve said that a few times. We have FBI unilateral messages, private industry notifications, public service announcements.
If you go to stopransomware.gov this week you’ll see by the end of tomorrow, three new advisories on Royal Ransomware, and then another coming out tomorrow on a very notable topic. So hundreds of arrests, convictions, indictments, yes, that’s a tool in our toolbox, but also thousands of advisories, and also infrastructure takedown, intelligence sharing across the globe, a lot of public-private partnership. That “Cyber is a Team Sport” thing, you hear that a lot, I hope. It’s not a platitude, we say that for a reason. Team sport is not just me and some other law enforcement agency or an intel agency, it’s our victims, it’s our potential victims, it’s private sector, it’s you, Anthony. These partnerships are essential to getting this message out.
Anthony: All right, Alan, final thought. Opportunity for a final thought, final takeaway, picture yourself speaking to the chief information security officer of, let’s make them a three-hospital health system. They’ve got the clinics, they’ve got the physician practices, this is a full health system. In reality, hospitals range from 25-bed critical access to health systems with 50 hospitals, but average, maybe two, three hospitals, what is your final takeaway, your thought for them, best piece of advice?
Alan: Yes, that’s a good point too, because the way you laid that question out is some of these networks are going to be better equipped to deal with this threat than others, right? And so we’re very sensitive to that, especially that rural hospital, maybe a disconnected network, and yet still highly critical patient care being delivered. So I would just say, building that trust with that CISO, CIO level, but also the practitioner, incentivize security in your business. Incentivize security in your business, disincentivize poor hygiene. Understand where your information is in your network and ensure that there are no misconfigurations or exposures, give yourself and your workforce phishing tests.
Look, training, cybersecurity hygiene is expensive and it’s annoying, but it’s essential. Not to be too dramatic about it, but it could literally save lives in some cases. So have a plan, create that plan in concert with the FBI, with HHS, with your board, with your incident responder, with your insurance company. Ensure that your supply chain, when you’re procuring software, that you’ve gone through some thought process or evaluation of the secure-by-design idea; there has to be an incentive around building security and building those virtual fences around your information and around your services.
Because as I said early on, these threat actors care about one thing, and it’s the vulnerability, because they can attack that vulnerability and that’s how they make their money. So how do we understand what those vulnerabilities are? Well, today, we go back and we test our mitigations, we test our system against things that the FBI has said on stopransomware.gov are the threat vectors. Okay, hey, let’s look at the threat vectors in the Stop Ransomware guide that I carry everywhere with me, and it’s right in front of me today.
We look at the Stop Ransomware guide that was pushed out in October and we say, “Okay, well, what is the government, MS-ISAC, FBI, NSA, CISA, what are they saying about what those threat vectors are?” Not just, by the way, to the health sector. What are those threat vectors? What are those mitigations that they recommend? Let’s test those mitigations against our live environment. It’s going to be costly, it’s going to be a few days of frustration, maybe, but you may find an exposure, you may find a vulnerability that if it hasn’t been exploited yet, it’s going to be.
Anthony: Alan, that was absolutely wonderful. I appreciate your time today, I think this is going to be really valuable to our readers.
Alan: Thanks Anthony, I appreciate the platform. Thank you so much.
FBI Contact Information:
- https://www.fbi.gov/contact-us/field-offices/
- https://www.ic3.gov/
- 1-800-CALLFBI (1-800-225-5324)