The Cyber Jack Podcast: Gov Response to Nation-States, CI Security - ZeroFox, Adam Darrah

On The Cyber Jack Podcast, we sat down with Adam Darrah, Director of Intelligence Services at ZeroFox, to talk about the U.S. government's response to recent cyber-attacks and ransomware, nation-state cyber tensions, and the fragility of critical infrastructure security.

[automated transcript for accessibility and your reading leisure]

Jack 00:05

Today, Adam Darrah, Director of Threat Intelligence at ZeroFox joins us to talk about the government cyber response, nation-state tensions, and critical infrastructure security. All this and more on The Cyber Jack Podcast.

Adam, thanks so much for joining us today to talk about these really important topics. Let's kick things off with you telling us a little about your background and what you've been focused on recently.

Adam Darrah 00:39

Yeah, absolutely. I joined ZeroFox, about two and a half months ago from a company called Vigilante Vigilante was a member of the Allstate family. We specialized in the human intelligence side of cyber threat intelligence. You know, prior to joining Vigilante I was I spent a little over eight years in the federal government. I was an intelligence analyst specializing in Russian Foreign domestic policy issues and was able to, you know, learn a lot there about the business of intelligence, including some cyber, and then transition to the public sector to, you know, learn from the from what the public sector does right and well and marry those ideas with the great gifts that the private sector now can offer, you know, our clients.

Jack 01:23

Well, we're always excited to talk to folks with your type of background and get insights on what really is going on in terms of public and private sector collaboration. And I'd like to hone in on the government response portion. We know that ransomware, and nation-state threats are very front and center right now. Can you talk a bit about the government's response to recent ransomware attacks? And the bigger question is what they're actioning the right thing to do?

Adam Darrah 01:49

Yeah, the federal government is and continues to be very active in this space, specifically to ransomware just a couple of weeks ago, there were a couple things that happened. One, something called the International cybercrime event Prevention Act of 2021 is being touted it outlines at least six areas where the federal government's going to begin officially trying to enforce different laws, new laws to punish from a criminal standpoint, bad threat actors in the cyber underground. Moreover, the United States Department of Treasury also moved forward with officially sanctioning certain cryptocurrency exchanges known to facilitate ransomware payments. Now, again, you got to understand something. So there are there are a couple layers to this. There's the diplomatic layer that's happening between countries. So foreign officials are meeting and talking about these things, the United States government's fully involved in these talks, then you have the, let's call it the clandestine action side of any of these issues.

So there are there are likely things going on in the background that the United States government's doing to shore up its defenses, and consider ways to combat this threat in various ways. And when I say combat, I don't necessarily mean kinetic action against our cyberattacks, right, I want to be clear, that could mean, you know, increasing authorities to get, you know, really essential intelligence on who's behind this, figuring out the technical infrastructure behind this. And being able to, you know, more smartly take targeted action and targeted measures should the need arise, but mostly probably aimed at gathering better intelligence. And then there's what they're doing now, which is, you know, putting forth legislation to educate the business sector and the private sector on the red lines in dealing with these people are dealing with these ransomware groups. Now, my personal opinion is that although I applaud the effort to really come down on the ransomware groups that needs to be done, the ransomware groups should understand exactly what they're doing and that the United States should project its red line on this, you know, you can't attack our food supply.

You can't go after our energy and our infrastructure. And the way they've skirted this in the past – and when I say they I mean the ransomware groups -- is that technically a ransomware -- I know we say attack. But a ransomware incident in a company walks that fine line between cyber attack and hacking. So under, like our current military doctrine, a cyber attack against the United States, invokes different responses, right? So the United States military is obligated to respond and like that is considered an attack. And our adversaries don't necessarily want a military to military engagement over this, this is being done to skirt the line to kind of thumb their nose at us make some money and embarrass us at the same time.

Now, what I hope doesn't happen is a disproportion, disproportionately punishing American businesses who are acting within the law. I hope that you know, businesses that either don't have a mature understanding of what ransomware is or what it means to negotiate with ransomware I hope they don't get punished, you know, unnecessarily, you know, some people don't have the budgetary wiggle room, not all of us, you know, work for companies that can let you know pivot so quickly with these federally mandated the things that are coming down, right to mandate, you know, protecting people's data protecting networks against ransomware attacks. So, you know, you know, I don't question their intentions, I think the intentions are spot on.

However, let's just hope that there's there is some wiggle room to allow people with less mature understandings, less budgetary resources to, to learn, and also, let's not take away a tool to help fight back, you know, the private sector, I mean, you know, so, you know, negotiating with these with these ransomware groups is a tool, right? Because if I don't have a backup, and they've got my data, and I've got people whose lives may depend, meaning working lives, employment, food, like if I've got people's data, and I was what, for whatever reason, no oversight, I had a bad night, I didn't backup my data. I don't want the federal government to punish me as a law abiding citizen, when I am just trying to like feed the people that I love and care for. Right. And so I, you know, I hope there's some wiggle room there. The details are being worked out. So I think we're on the right track. Yeah,

Jack 06:17

There has been quite the debate over how a hard blanket directive will perform in the real world. A directive like no one, no company can ever, under any circumstances, pay ransomware. It will be really interesting to see how that decision shakes out. Now, shifting gears a bit, can you talk about how successful or unsuccessful the ransomware protection strategies we do have in place are working against nation-states and advanced adversaries?

Adam Darrah 06:48

You know, it varies from company to company, we've seen in the news, you know, some of these very seemingly mature mega gigantic companies become victim to these things, you know, it's very hard, especially if a ransomware group is in any way shape or form being supported, whether officially with training or a mandate or are like, you know, kind of unofficially wink, wink nod nod by a nation state actor with unlimited resources, seemingly unlimited resources, right? So a determined adversary is going to get in, even if it's as simple as social engineering somebody, right, so what we're seeing, especially in underground forums, is, you know, they're actively recruiting insiders. So they are, you know, North America, Western European, or European companies, you know, that not only do they have to defend their technical networks, but now we also have to figure out a way not only to educate the workforce, right?

Because then companies spend a lot of time and resources into educating the workforce. Don't click on that, for example, or, or Hey, you know, if you see something, say something, if something doesn't feel right, don't do it, contact somebody. But you know, what, if somebody has a bad day, they're not feeling well, you know, that there's something awful happened to them 10 minutes before they got to work, you know, they have a slip up. And they're socially engineered into doing something malicious, unintentionally, right? So the threat actors or the threat actors are incredibly agile, they pivot on a dime, and they always find a way to increase your pain. And just when you think you've got something, just when you think you have a part of your perimeter, okay, I got this, like, I'm locked down, I'm in compliance, everything's fine that they find a way to get in, you're not just talking about technically fortifying your your networks, you're also needing to fortify with education or training or whatever, insert whatever you want there, a workforce that, you know, humans are prone to have a bad day. And so it's, it's it's a constant battle, and it can be quite exhausting,

Jack 08:44

Right. And the more companies can mitigate human error with employee education, and best practices, like you said, the better off we'll all be. Now Talk to us a bit about critical infrastructure, whereas the United States in terms of critical infrastructure, cyber preparedness, and defense capabilities

Adam Darrah 09:05

Based on some insight I have, and some independent research that are that we've done, government's in charge of critical things like water purification, sewage, electrical, a lot of the systems are very fragile. So these people are in a no-win situation, they the individuals that are responsible for the security are always going to be at odds with people in operations, who are always going to be at odds with people in customer service. I mean, imagine if a security person came up to you and said, Hey, we're gonna take a chance of possibly shutting down sewage treatment for two weeks, just so we can patch this bug. Two weeks, no sewage treatment, right?

I'm getting using that as an example of like, it's very complicated to simply Oh, why don't you just update? Just update. So simple, right? It's not simple and So you've got this tension between, you know, us wanting to have a civilized life and not have, you know, and minimize our interruptions with some of the needs that may have to do with some of the technical needs, that should be or could be in place to help safeguard against a hack, an intrusion, a ransomware attack, you know, I do not envy people in those positions, because it's thankless and no matter what, you know, you've got you've got no matter where you look, there's a knifepoint, you know, a knife in your face to so it's hard, you know, you're going to inconvenience people with their water, their sewage, their electric, their, their, their gas, their oil, they're like things that get them to work, things that keep them clean things that keep us civilized, you know, it's, it's, it's hard.

And so, um, you know, that's, that's where I stand on that, it's but you know, there are smart people out there that hopefully will, will find a better way between complete disruption or complete compliance and security, you know, there's there's got to be a way to slow roll this and, and re examined, but again, it's it's a time resource budget and like, inconvenience, you know, issue that they're all juggling with, and then you got security on the other end going, it doesn't matter. Security is the most important thing in the world. Forget about people and their clean water. It's tough. It's tough out there, jack, it really is. Yeah.

Jack 11:21

And I can only imagine the stress of balancing security with those critical services on a daily basis, not to mention on a national scale, if you're one of these large service providers. So last question, how do you see this situation evolving in the next year or so? Do you think we're gonna see more devastating cyber attacks on critical infrastructure? Or are we starting to get a handle on this?

Adam Darrah 11:44

I think the United States government has been clear on this, which is, if you attack critical infrastructure, that is considered an attack on us sovereignty. You know, I look back at the I look back at a couple of a couple of ransomware attacks, you know, the colonial pipeline, for example, to be clear, colonial made the decision to shut their their operations down to mitigate the ransom, the fallout from the ransomware. Okay. not pointing fingers. I'm not saying whether that was right or wrong, they did what they had to do, which included shutting it down.

So technically, technically, a government that may or may not have been responsible for that could say, Well, hey, we didn't do it. You guys shut it down. We just ran some do. You turned it off. Okay. And just a couple of weeks ago, I was I saw the text exchange between the negotiator for the Iowa based food food company that was that was ransomed where the individual negotiating, said, don't you get what you've done? We provide like 40% of us food production. This is critical us infrastructure. You can't do this. Don't you know what you're doing? And the threat actor responded very flippantly. Nope, you're not? No, you're not. No, you're not, you're fair game. Right? Which leads me to believe a couple of things. Number one, they know the line. And they know that if they cross a certain line, the United States government has no choice but to respond in a much more aggressive fashion. And number two, they simply don't have the capacity to feel what they're doing is immoral, even if it's not a technically a military attack, right.

And I'm using that term because I, it is that real, which is another reason that I'm really happy to see what's happening within at least publicly, the United States messaging on this, which is like, it's time to get along, guys, it's time to stop this. And it's time to, like, figure out a way to coexist without shutting down food production, shutting down energy, or access to energy. It's, it's got to stop. And so it's, it's a so my prediction is, if it's a prediction, and again, like some of this is like reading tea leaves, but I've seen some things publicly, at least between United States and Russia, that leads me to believe that better things are coming between our two great nations, and hopefully things will the tensions will, tensions will just dial the maybe the tensions will get dialed back, hopefully a whole lot, but at least enough to where we can just stop playing with fire, because there's no need to play this dangerous game and, and to and to be silly, about very real lives that are, you know, that are affected by by what these hackers think is a game and to prove how smart they are. It's time to dial it back. And I think United States government's doing the right thing. So if the message gets through certain channels, I think we'll see them dialing it back. Unless We'll see. I remain optimistic that the right steps are being Take it.

Jack 15:01

There it is. We'll continue to stay optimistic. Adam, thank you so much for being on and talking about this. We'll keep a lookout for more threat insights from you to all of our listeners. We'll see you next time.