mWise Conference 2024 | Brett Callow | FTI Consulting

theCUBE.net

Clips
News
More from mWise Conference 2024

Brett Callow

Managing Director

FTI Consulting

Mandiant Threat Intelligence offers solutions as ransomware reshapes global cybersecurity

Ransomware has quickly grown into a multi-billion-dollar industry, forcing a shift in how cybersecurity is approached, including the development of solutions such as Mandiant Threat Intelligence.In the last five years, as profits for cybercriminals have soared, their operations have become more sophisticated, drawing more players into this expanding threat landscape, according to Brett Callow (pictured), managing director at FTI Consulting Inc.FTI Consulting’s Brett Callow talks with theCUBE about Mandiant Threat Intelligence.“In 2019, the average ransom demand was 5,000 bucks and small businesses and home users were most victims

play_circle_outline Ransomware as a profitable threat, evolving from small operations to multi-million dollar industry

play_circle_outline Impact of ransomware attacks on healthcare systems, leading to deaths

play_circle_outline Collaboration between private and public sectors to combat ransomware

play_circle_outline Need to increase risk to cyber criminals and decrease rewards to combat ransomware

Info
Transcript

Brett Callow | FTI Consulting

Brett Callow

Managing Director FTI Consulting

At mWISE, Brett from FTI Consulting discusses the rise of ransomware payments from $200,000 to $1.5 million, raising concerns about profitability and revenue increase in the industry. Different statistics create challenges for policymakers. Brett shares insights on ransomware attacks evolution, impacting industries and lives. Collaboration with Google and Mandiant helps in preparing organizations for cyber incidents. Some companies have seen payment decrease, while others have experienced severity increase. Healthcare systems are vulnerable to ransomware, wit... Read more

explore Keep Exploring

What is the reason behind ransomware becoming so profitable in recent years? add

What are some considerations regarding the impact of ransomware attacks, particularly in the healthcare sector? add

What led to the increase in cooperation between public and private sectors in recent years? add

What are some strategies to combat ransomware attacks? add

bolt Powered by CUBE AI

Brett Callow | FTI Consulting

search

>> Good afternoon cybersecurity community and welcome back to stunning Denver, Colorado. It's a gorgeous day outside, but it is absolutely frigid in here, so pardon my shivering. We are midway through our two days of coverage here at mWISE, and it has just been a thrilling event so far. My name's Savannah Peterson, joined by the infamous John Furrier. John, we're having a banner day.

>> Yeah, this has been a great show. There's so many topics. Just watch all the feeds. We'll have summary reports, but ransomware is this next session, which comes back down to the resilience discussions. Cyber resilience has changed the category of what we used to call storage, backup, and recovery, but ransomware has multiple vectors now. It's its own thing. It's continuing to be one of the biggest threats, and it's a money maker too, for the bad guy.

>> I know. I'm curious, and we might get the answer to your TAM question from earlier. Without further ado, I really want to welcome Brett to this stage. Brett, thank you so much for taking the time today.

>> Thank you for asking me on.

>> Yes, absolutely. Especially after such a long day of travel from Vancouver Island. FTI Consulting seems like the type of company that might stay a little bit under the radar given the types of consulting that you provide, can you tell us a little bit about what you all do and the problems you solve?

>> Yeah. FTI does multiple things in multiple specialties. The segment I work in is cyber security and data privacy, and particularly communications around those issues.

>> Yes. Ooh, I love that. I can imagine it's never been a hotter time for your role, especially with GenAI and everything else that's going on. I know for today's conversation, we're focusing a lot on ransomware, and we had Kimberly on before you who was saying that she had observed, or that in the Chainalysis report, that ransomware payments have gone up from $200,000 on average at the beginning of last year to $1.5 million just recently, this midway point this year. Why is ransomware so profitable?

>> That really is the million-dollar question-

>> Or billion-dollar question....

>> or billion-dollar question, yeah. This is a multi-billion dollar industry now, and I think to understand how it went from being very much a small business enterprise where ransom demands were 5,000 bucks, and that was only back in 2019, to the multi-million dollar business that is today, understanding that is part of understanding how to solve the problem.

>> Yeah, so why do you think we've seen, I mean, asking your professional opinion, obviously, without revealing any secrets, why do you think we've seen this escalation in the last five years?

>> It's been very much a snowball effect. We have the ransomware gangs making more and more money, and the more money they make, the more they can reinvest and scaling up their operations, and of course, the more attractive it comes to other cyber criminals.

>> We love reporting on our ransomware. We do a lot on the IT side, okay, VMWare, Azure containers, a lot of stuff obviously in that area, backup and recovery, now cyber resilience, but at the top line, it's a global phenomenon. So there's a lot of national security and/or global states involved. The economics are off the charts. According to chain analytics, it's about a billion dollars, they had a report came out in February that's just ransomware. That doesn't include other extortion, like deep fakes to have you wire money to a bank account. So we are living in a thriving ecosystem of bad guys. Can you give us a stats on how you see it? What's the landscape look like? Has there been any changes? Reconstitution of teams? Formulas or anything? Can you just give us the lay of the land?

>> Part of the problem is that we don't really have a good handle on what the landscape looks like. Different companies produce different statistics. Some say ransomware is trending up, some say it's trending down, and that really creates a problem for policymakers and law enforcement. To be able to combat this problem we need to understand which strategies are working and which are not, and obviously do more of what's working.

>> What do you see on an incident? You've been involved some high-profile incidents. Could you share, and you can anonymize the names, but can you share of the patterns? What have been some of the things you've seen firsthand or have dug into in terms of the kind of ransomware attacks, the fallout, the reporting? Take us through some of that day in the life of Brett.

>> Yeah, to give a bit of context, in 2019, the average ransom demand was 5,000 bucks, and small businesses and home users were most victims. Today, it's become a multi-billion dollar industry. As we've said, we see huge multinationals effectively being totally knocked offline. We see healthcare systems, entire healthcare systems of multiple hospitals being knocked offline. So ransomware now has morphed from being a small-scale operation to something that does put lives at risk.

>> Talk about your relationship with Google and your practice. What do you guys do? What are some of the things you engage with from a job perspective, clients you have, and how does that fit into Google and Google Mandiant?

>> We try to, well, we-

>> Do that for you.

>> We do two things. Firstly, we try to prepare organizations and particularly we try to help them foresee any holes that may exist in their emergency plannings and their communications plannings, because they often don't foresee things like how to communicate with stakeholders. If your email system is knocked offline, how do you communicate with the people you need to communicate with? And on the other end of the scale, when organizations do experience an incident, we help guide them through that.

>> Hey, I can imagine people are very grateful to have someone hold their hand through some of these very unexpected and prolific attacks. Your research has been cited all over the world, in Europe for our presidents, for the World Economic Forum, very impressive resume on your side. I'm curious, because John and I are always doing our own research, how are you staying up to date? What tools do you leverage? I'm assuming there's a lot of collaboration and other things, but how do you know what you know?

>> Yeah. I use a lot of web scrapers to automatically pull in data, and I also have a lot of people in organizations that share information with me, which makes the job much easier. As far as statistics go, I started collecting them in 2019 when ransomware wasn't really so much of a thing and people weren't paying attention to it. So I was really one of the few people gathering stats then, and that has just carried on ever since.

>> Yeah, it snowballed. So we heard from Kimberly earlier that the number of companies paying has dropped, but the size of these payments has increased. Do you think that's a trend we'll continue to see?

>> I'm not sure that is a trend.

>> Oh, interesting. I like this.

>> I agree with Kimberly, but different companies have different-

>> Like you were saying, yeah....

>> it all depends on who their customers are, what they see. For example, a insurer saw a 15% increase in the frequency of incidents from '22 to '23, and a, I think 28% increase in the severity of incident. And by severity I mean the amount of disruption and the amount of .

>> When do you get called in? Pre-ransomware prevention, post ransomware attack, education, communication, law enforcement, integration, airface?

>> All of those.

>> Like a true consultant.

>> As I said, we help organizations prepare and we help organizations that didn't prepare well enough and got hit anyway. And to answer your previous question about how we work with Mandiant, we often collaborate on incidents, and they're handling the forensic side, we're handling communications and other aspects.

>> Where's the hard part in the job? When you come into a ransomware environment where it's been something's happened, the worst possible thing you could imagine happens, what's the protocols like? I'm thinking CSI in my mind, splatter on the wall. I mean, you get all kinds of post-mortem activity. It's like there's a lot of evidence to go through. You said forensics. What is some of the state-of-the-art techniques to really kind of dig into one, get the data and two, to have a baseline to go forward and be protected?

>> Yeah. I'm not a forensics guy, so I can't comment on that side of the thing. That's more what Mandiant would do.

>> So they come in first or you come in first? .

>> It depends on the situation. Typically, a law firm will be appointed and the law firm will call in the response team, that will be forensics like Mandiant, communications like us.

>> What's the worst ransomware you've seen?

>> Worst in-

>> In terms of impact, dollar amount, damage, all three criteria. So dollar amount, biggest number, payload impact.

>> The biggest number in terms of the ransom demand that was paid is $75 million.

>> It's a chunk of change.

>> It's a huge chunk of change, and you can certainly understand how that acts as a motivator for the -

>> So yeah, we've got a side-hustle opportunity.

>> I know. John, don't reveal it on the , let's talk about over drinks tonight.

>> We'll be .

>> our team.

>> Life-changing sun for anybody, and especially for a cyber criminal in Russia.

>> Yeah, my God.

>> the economy is incredible. We are from Silicon Valley, so everyone's like, "Oh yeah, product-market fit." Okay, check, they got that. Big growing market, everyone's a target from consumer private photos to large companies with big potential payouts.

>> In terms of impact, the worst incidents are undoubtedly those involving healthcare because they do popularize the risk. In fact, a team from the University of Minnesota, I think it was, crunched the Medicaid data between 2016 and 2019 and calculated that ransomware had killed about 60 people.

>> Oh my God.

>> And that's probably a conservative estimates, and there were a lot fewer ransomware influence then than there are today.

>> I hadn't even thought about impact all the way down to that level. That is quite jarring. Oh my gosh, wow.

>> Kevin Manning talks about national security. Security around critical infrastructure has always been like, "Oh yeah, the nuclear plant and the electrical grid," here this is, again, critical infrastructure in the private sector, the deaths, the damage is significant.

>> And I think what really brought ransomware to the forefront was the Colonial Pipeline incident, which practically shut down fuel supply to the entire East Coast, and a subsequent study actually determined there only a few more days left before lots of things would've had to shut down. If manufacturers don't have trucks to get their products out, they can't produce any more products. So everything would have ground to a halt.

>> It's amazing how quickly we learn how much can be disrupted when something like this happens, which is pretty jarring. Just looking at your research and understanding your role, I would imagine you're working between private and public a lot, and I'm curious, I realize you can't reveal too much, so I'm trying to phrase this in the right way. In terms of the appetite and hunger from within various governments, are they super excited when you bring them information that allows them to do more prevention? What do those conversations and collaborations look like?

>> Yeah, a few years ago, there was very little cooperation between the -

>> That was kind of my understanding, yeah.

>> And that was a problem. Since then, things have changed drastically. There is far more cooperation now. There are public-private partnerships. When, in the lockdown take down, for example, the disruption, law enforcement actually reached out to private sector bodies to amplify the message, it was effect a fly-up.

>> Yeah. Wow. Okay, so basically the need, urgency, and the scale here is what really drove that partnership and that catalyst. One of questions I've been asking our guests today, and I'm curious to get your take, especially from the consulting lens, what do you think is the most over-hyped thing in cybersecurity right now?

>> The threat of AI. It's undoubtedly a possible threat in the future, we are seeing some use of it, but it is really not particularly alarming at this particular point in time.

>> Wow. Well, the media and the conversation certainly wouldn't lead you to believe that, so thank you for dispelling that myth for us, Brett. It seems like the landscape has changed significantly over the last five years, orders of magnitude in terms of how much ransomware payouts are and everything else. Where do you think, or what do you hope to be able to say when we are at mWISE next year, that you can't currently say today about any aspect of this? Could be collaboration, could be anything.

>> I would love to be able to say that we have made significant inroads in solving the ransomware problem. Unfortunately, I think it will be a very similar conversation to this year. We are not doing enough.

>> How could we do more? What should we be doing then to do more?

>> To combat ransomware, you need to either increase the risk to the cyber criminals, or decrease the rewards, or do both. So we need to find more ways to actually get hands on those who are responsible to arrest more people, to interrupt and disrupt the flow of funds. And we need to do far more of that than we have done. Thankfully things are changing to a degree. We are seeing law enforcement guessing better and better. They are doing... they're learning as they go along, as are we all. So hopefully eventually these things will start to have more of an impact.

>> Yeah, I hope so too. I like that as an ethos. I got a question, well last question for you, given that you are our first guest at this show who lives in Canada, is the cybersecurity conversation, the threat landscape, is there a big difference between our friendly neighbors to the north, and us here in the United States?

>> No, it's very similar, but I do think the States is actually doing more than the Canadian government. They are being more proactive.

>> Interesting, wow. Well, shout out to the U.S. government on that one. Brett, this has been absolutely thrilling. Thank you so much for taking the time to chat with us.

>> Thank you for asking me.

>> Yes, and I hope that when we have you on next mWISE we have solved the ransomware problem, or at least that billion-dollar question in the middle as to why this is becoming such an accelerant. John, always a joy to share the stage with you.

>> Ransomware is my favorite topic. I love this topic, cyber resilience, a big part of our coverage.

>> I'm just going to get you a ransomware mug or something clever -

>> I'm sure . Cyber resilience was a cottage industry that has... Rubrik changed their business model from storage to cyber resilience. Why? Because it's a security problem, storage data, it's all there. So resilience has opened up even further aperture. I was just commenting on Twitter just now about that same thing. So this is an ongoing conversation, and again, that's one extortion strategy. The new one is the deep fake, "Wire me your money." Brett, wire me your money, we'll go skiing up, and we'll take Taylor up to-

>> Yeah, up to Aspen or something like that, yeah.

>> No, he lives in Vancouver. He's got the up there.

>> Oh yeah. We can go to Whistler. I love that. Well, yes, so I know you love it. Obviously Brett's on the front lines. We appreciate you taking care of us. And we appreciate all of you who are tuning in to our fantastic two days of coverage here in Denver, Colorado at mWISE. My name is Savannah Peterson. You're watching theCUBE, the leading source for cybersecurity news.