[00:00:00] CS: Today in Cyber Work, Kurtis Minder of GroupSense tells us what makes a good ransomware negotiator. Why sending the right tone is crucial in a successful negotiation, and why in the right situation you can even get away with referring to a ransomware as grasshopper? That’s all today on Cyber Work.
I’m also excited to announce a new hands-on training series called Cyber Work Applied. Every week, expert infosec instructors and industry practitioners teach you a new cyber security skill and show you how that skill applies to real world scenarios. You’ll learn how to carry out different cyber attacks, practice use and common security tools and follow along with walkthroughs of how major breaches occurred and more, and it’s free. Go to infosecinstitute.com/learn or check out the link in the description and get started with hands-on training in a fun environment. It’s a new way to learning crucial cyber security skills and keep the skills you have relevant. That’s infosecinstitute.com/learn.
And now on with the show.
[00:00:59] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of infosec professionals while offering tips for those breaking in or moving up the ladder in the cyber security industry. As the CEO and co-founder of GroupSense, Kurtis Minder leads a team of world-class analysts and technologists providing custom cyber security intelligence to some of the globe’s top brands. The company’s analysts conduct cyber research and reconnaissance and map the threats to client risk profiles.
Kurtis arrived at GroupSense after more than 20 years in roles spanning operations design and business development at companies like Mirage Network, acquired by Trustwave; KMS Systems, acquired by Citrix; and Fortinet IPO. Kurtis noted something in our pre-show discussion that I thought merited the discussion here, and I never really thought about this before. But you know as it stands now, the job of ransomware negotiation is an industry with no certifications or professional associations. So anyone can call themselves a ransomware negotiator. And in some cases we’ve read that inept ransomware negotiators have left companies in worse shape than they found them by inciting threat actors to do even more damage.
For today’s show we’re going to discuss what makes a good ransomware negotiator, some red flags to avoid, bad and unferrified ones. When you should negotiate and how? And talk tips for folks who might not have thought ransomware negotiation was the career for them, but after this might have some serious thoughts about it.
Kurtis, thanks for joining us today on Cyber Work.
[00:02:27] KM: Yeah, thanks for having me. So we always like to start by getting a bit of your background, since I think a lot of people are not if they have it in them to become a cybersecurity pro. So like how long have you been in the cyber security industry and what grabbed your interest in the first place? Have you always been tied and drawn to computers?
[00:02:48] KM: Not always. When I was younger, we didn’t have a computer.
[00:02:51] CS: Okay. Remember the first day that it came into your house?
[00:02:56] KM: Yell, yeah. I was already moved out by that time. So yeah, what actually happened was when I was I’d say 16 or so, I went to visit my father’s work and I went to visit my mother’s work. And my dad worked in a flower mill. There’s no climate control. There’s manual labor. My mom’s work, she works in an office and she had a cup of coffee and she was typing on a calculator. And so I quickly realized like, “Hey, I need to learn whatever that is so I can be in an office space and not in this factory.”
[00:03:30] CS: Two roads diverged in the woods. And yeah, you chose the one with air conditioning.
[00:03:35] KM: Exactly. It was the cup of coffee that sold me. I was like, “Wow! That’s just great.” But on the cyber security side, I sort of fell into it right away. I started working for internet companies right after school and –
[00:03:48] CS: Okay. When would this have been?
[00:03:48] KM: Very early internet companies, like early 90s.
[00:03:52] CS: Early 90s. Okay. Okay.
[00:03:52] KM: Yeah. Yeah. And so we were building these throughout the Midwest, and I was the chief technologist for most of these at the time. And even back then, a lot of the stuff was hobbyist hacking. The subscribers would attack us, which was ridiculous. But also uh we did see a fair amount of foreign activity. At the time I just read the book The Cuckoo’s Egg by Clifford Stoll. I don’t know if you know this book, but if people are interested in getting in cyber security, it’s a pretty old book, but it’s a great book to get you motivated about solving the problem. And that really kicked it off for me. That’s 20 years before they had a name for the industry really.
[00:04:29] CS: Yeah. Tell me more about that book, The Cuckoo’s Egg. I don’t actually – I don’t know about it.
[00:04:33] KM: Well, Clifford Stoll was a researcher at a national laboratory, and he came across – He was not a security person or even necessarily an administrator, but he came across some activity in the network that led him to believe that someone was unauthorized in the network. And the story is about him tracking that down. It turned out to be a Russian actor. And this is in the 90s, or probably maybe even late 80s. So the internet was pretty new in the idea of having foreign actors hacking into government networks and things like that. It was kind of far-fetched back then. But you think about it now, it’s commonplace, but it took 20 years for everybody to realize that this is a real problem.
[00:05:18] CS: Right. Yeah, a lot of the first people who were sort of protecting against that sort of thing were really learning on the job in the sense that you didn’t really have a lot of precedence in terms of case studies or anything.
[00:05:28] KM: No. There was no books to read. There was no – Yeah, it was kind of fly by night. But we did things like chase down hackers out of router logs and did attribution work and stuff back then. And then I was an operator, a hands-on guy through my career for most of that. And then one of the startups I worked at, I guess my CEO thought I had a good wardrobe or something and decided to put me in the sales capacity.
[00:05:54] CS: Okay. Yup. Got the right tie. Yeah.
[00:05:57] KM: Engineering’s still my favorite job, but the sales job paid well.
[00:05:59] CS: Yeah. Sometimes you got to chase that too.
[00:06:02] KM: Yeah, exactly.
[00:06:03] CS: I mean let’s talk about that. So let’s get kind of a map of what your career development was. If you’re starting in the early 90s working with computers and security and stuff, like what were some of the major milestones that got you where you are today with GroupSense?
[00:06:19] KM: Well, I went through probably a cliche set of phases of my career where I like to think I was pretty humble in the beginning. I think I knew more than I thought I did. So my early days in the internet companies, like I said, was sort of iterative and sort of self-learning. I ended up working at SBC, Southwestern Bell right before they bought AT&T. I was there for about five years. That was the biggest company I’ve ever worked for, and they made me the five state, upper mid-west five state subject matter expert for security. And what I did there, they didn’t really have a big budget for training, surprisingly. And at that time there wasn’t a whole lot of security classes. The CISSP was there, and I actually got my CISSP in like 2001, I think, or 2002. And I was kind of teaching myself. But one of the things I did on a regular basis is I would buy used security equipment on eBay. I had this budget. I would buy use security equipment on eBay. Had a rack in my house. I would configure it, make it interoperate with other devices and everything and then I’d sell it back on eBay for what I bought it for. And I did that consistently for about five years until I knew basically every device on the market at some point. So it’s kind of a homemade lab scenario. My wife at the time was not happy about the amount of money that was being spent or the noise that these things generated.
[00:07:41] CS: Yeah, and just the wires everywhere I imagine.
[00:07:44] KM: Yup. And right after SBC, I started working at startups and cyber security startups and as an engineer, as a sales engineer, or a solutions architect. And that’s where I started the iteration of, “Hey, I need to do this on my own.” And no disrespect to the companies I work for. They were all doing the best they could, but one of the things I noticed in the industry, and I think this is some kind of a universal problem. There’re a lot of tools that get sold, but they don’t necessarily have the desired outcomes for the customer. And that was one of my biggest frustrations, is sometimes I’d sell these complex architectures to customers, and the customers are checking a box, like a compliance box or something like that to meet some compliance. But it’s not necessarily solving the problem, and it does take some effort from the customer to take it over that goal line. And a lot of the customers didn’t have the talent in-house to do this. And so that’s what really motivated me to build a business that is sort of outcomes-driven. Yeah.
[00:08:46] CS: Yeah. Can you walk me through uh an average day at GroupSense? Like what are the sort of projects you work on? What do you start with in the day? What time does your sort of to-do list go up in flames as you have to start putting out fires? How much client time? How much engineering work time are you putting in? What’s the sort of work balance in that regard?
[00:09:06] KM: Well, if you’re talking specifically about me, I don’t know if there is a normal day. I laugh about this, because I told my co-founder. I have a two really great co-founders. We’re really closely aligned. Tom, who’s our chief strategy officer, I tell them. I was like, “Hey, whenever this ends, like whenever we move to the next thing, I have no marketable skills.” I’ve been basically doing a little bit of everything, but not enough to be great at any of it. I think that’s maybe the actual pitfall of being the CEO of a startup, is you just kind of have to dig in wherever.
But the company itself, I think the most interesting day in the life is really around the analysts’ team. We built a technology stack. I use this metaphor, I say they bookend the technology stack, right? So on the frontend, our cyber analysts are creating what we call PIRs for the customers. Those are called prioritized intel requirements. This is us asking the customer pretty broad questions about what business problems they trying to solve? What risk are they trying to mitigate? And then we build a profile based on that that we use to ask the dataset questions. And the dataset is an intelligence collection and analytics system we call Trace Light. So the analysts are on the frontend of Trace Light. Trace Light – They input all this customer requirements in there. Trace Light does all the heavy lifting on the backend. We’re sending the customer what we call advisories. These advisories are directly related to the questions they asked, right? Which is sometimes it’s intellectual property-driven. Sometimes it’s counterfeit-driven. And then there’s I would say a bunch of table stakes things that are cyber intelligence that everybody wants. And on the backend, that second bookend, the analysts are almost acting like a customer success team. Again, I want to make this outcome-driven. So we have regular – In fact, I hired a customer success person years before I hired my first sales person.
So we’ve spent a long time just learning about like, “Well, what is helping them and what is causing problems?” And so we’ve got that dialed in now. But the analysts have awesome jobs, because they get to do – Some of it is mechanical. That’s just the nature of any analyst job. But let’s say 50 or more percent of it is research-driven, whether that’s attribution work on threat actors. Chasing bad guys is fun., and our guys are good at it.
Also finding out where the bad guys are operating is really important, because they move around. And so our customers need to know where these conversations are occurring and our system needs to know that uh to inform the customers when they’re mentioned in these illicit conversations. And so the researchers spend a lot of time embedded in these underground marketplaces and things like that listening in chat rooms and things like, listening to the bad guys. So those are real those are real fun. And we have an engineering team that is building Trace Light all day every day and adding features and automating and machine learning and AI and all that fun stuff.
[00:11:57] CS: So for the fun jobs, the researchers and stuff, like what things did you like want to see on the resumes of those people when you hired them? Like what kind of backgrounds were you looking for? What soft skills? What hard skills? If someone wants to do that kind of work, like what would you recommend that they get good at real quick?
[00:12:16] KM: Yeah, that’s a great question. And we probably made some mistakes early on. We definitely made some mistakes early on on recruiting.
[00:12:20] CS: Everyone does. Yeah.
[00:12:23] KM: And I think there’s some proclivity to hire people who came from the intelligence business we’re based in the Washington, D.C. area. As you can imagine, there’s a lot of people with intelligence on their resume. And coming out of the military or studying in schools, like I don’t know if you know Mercyhurst University in Pennsylvania that are focused on intelligence discipline. What we what we actually learned was those guys are good, but teaching them cyber skills is difficult. Taking someone who has cyber skills and teaching them intelligence process is a little bit easier. So we kind of switched the model. We basically brought in some heavy hitter intel people to build the program. And then most of our analysts have a bit of a cybersecurity background. And we like to hire folks who are on their way up and we train them. And the reason why is we find people that have been in the business for a long time have preconceived notions about certain types of tools. And we’re open to input, but in order to keep the machine well-oiled, we have a pretty refined process at this point. We’re seven years old. We’ve been doing this for a while. And so we have a pretty good idea of what the workflow should look like. And so we’re bringing in people usually out of college that have some cyber security classes more important than aptitude. Aptitude for us is attitude, and I think this is where we really focus on core values and make sure that the team members are coming here because they want to grow. They want to solve actual problems. They don’t just want to have a desk job. And they should enjoy it, like they should want to go get the bad guy. And so we’re looking for people with the right attitude. And if they got an attitude and the ability to learn, they do well in GroupSense. Most of our analysts stick around for a long time. And the ones that have left have gone to pretty prestigious positions in other companies in the intel space. Yeah.
[00:14:21] CS: Do you put a lot of emphasis on track record already? Or is it if you just show the sort of passion that we can teach you the skills?
[00:14:28] KM: That’s a key word, passion. So I mean we just hired someone who has a little bit of cyber background, but has for a long time been a proponent of cyber intelligence in the social media community. Tremendous amount of passion, enough background and enough technical skill to build on, that’s a perfect candidate for us.
[00:14:47] CS: Nice. Okay. So yeah, the main focus of our talk today is ransomware, and that certainly ties in with the threat actors that you’ve been speaking about and so forth. We’ve had a couple of guests talk about ransomware in the past. We had Christiaan Beek from Malwarebytes and others. And so I guess my first major question is to negotiate or not to negotiate. I know that there’s no one patent answer to all solution situations, but in general if you’re hit and you’re facing a painful seizure, destruction of valuable files, what are the things to consider when deciding whether to enter negotiations with ransomwares?
[00:15:24] KM: Yeah. Well, first I want to give a disclaimer, and that is I recognize that anytime we pay these people, we incent them to do it again.
[00:15:30] CS: Right. Right.
[00:15:32] KM: So I don’t want to pay them any more than the affected party does for that reason. But like you said, a lot of these companies are in a bad situation where it could be especially for the mid-market businesses that we’ve worked with. It could be a business ending event. So the question that you asked to negotiate or not to negotiate, it is a business and a financial question that the company needs to make. I don’t typically weigh in on this. I can offer feedback and advice. But for the most part, it’s a business decision. Look, do you think that you can weather the storm and rebuild? Or do you need to get back online ASAP? And if the answer is the second one, then we should come up with a plan to negotiate. It really comes down to the business.
[00:16:17] CS: Okay. What should uh potential victims know about the life cycle of the ransomware negotiation process? So like how much time do you really have from realizing, “We have ransomware. We need to contact someone. We need help like.” Yeah, what’s the sort of like 24 of the TV series like? Like what are we looking at? 24 hours? 72 hours? A week?
[00:16:40] KM: Well, the answer is it depends. And I know that’s a sucky answer, but it depends on the variant of ransomware. What systems are impacted? How that impacts your business? I don’t know if you’re aware of the ransomware shaming that’s pretty typical these days. So what the threat actors are doing now is they get into your network, they exfiltrate a fair amount of useful data. Then they lock the systems and deploy the ransomware note. And if you don’t respond in a certain amount of time, sometimes it’s a week, sometimes it’s ten days. They begin releasing that data publicly over time to sort of create a false sense of urgency on your side.
So it depends on that data also, right? So sometimes the data is rather benign and the company has to do a notification anyway from a legal perspective. But if there’s a lot of customer data or PII or healthcare information in there, in the interest of the company’s constituents, the consumers, it is best to move quickly. And the timing, you said, it’s kind of the phases of when you get that note, they’re going to give you – They typically don’t put the ransom amount on the note. They just say contact us, right? And when you make that contact, the clock starts. So the first thing that we typically advise folks is like don’t do that. Hang on until you have a plan. Even if it’s a few hours, let’s sit down together and come up with a plan and then we’ll start the clock on our terms, right? The other thing is sometimes the ransomware notes will give an example URL, typically a dot onion site or tor site that has examples of the data they stole. If you visit that site, the clock starts. Because they’re watching, right? So don’t visit the site. In general, just don’t go on tor from your business in general. Let us do that.
And so that’s the first phase. And then once that starts, it really depends on the type of actor group or individual threat actor you’re dealing with on what happens next. It’s like a choose your own adventure kind of thing. Many of the thread actors, which is it is a double-edged sword. They have a playbook, and we know the playbook. So sometimes we can sit down and go like this is who this is. This is what they typically ask for and they’re probably going to settle here and it’ll take two days. And so we can usually do that in advance. When you get the individual actors or the unknown actors, it’s kind of variable. You don’t know how they’re going to behave. Yeah.
[00:19:18] CS: I was just going to ask about that. We had another guest come on here and say it’s counterintuitive to imagine, but actually sometimes having an inept ransomware person is worse in the sense that like they don’t know the protocols either, like they just sort of did this as a prank almost. At least if you have like a major threat actor group, like it’s not great, but like you at least have sort of competent people that you can negotiate with.. Do you have any –
[00:19:43] KM: They have a process.
[00:19:45] CS: Do you have any thoughts on that? I mean have you had to negotiate with like real stooges where it was just like some goober kid and some weird country or whatever or –
[00:19:54] KM: Yeah. I won’t call them those names. Although I will say that I have called them names in in their own language, just in friendly banter. One of my favorite ones is I call them kuznichik, which means grasshopper.
[00:20:09] CS: Okay. Yeah. I’m sure you love that.
[00:20:13] KM: Yeah. Yeah. Yeah. Yeah. No. There’s a tone that you can convey where you become friendly and you can joke. But to your question, the experienced threat actor groups, keep in mind that they’re probably attacking or have on the hook a dozen or 30 companies at a time, of which you are one. And that changes how they behave. They’re less patient with the negotiation, because they have 29 others, and you could just go away and they don’t care, right? They have a pipeline. Almost like a sales pipeline. The individual actors are stooges, as you call them. They purchase this access from what we call an initial access broker that’s someone who’s broken to your network and is selling that access back to the ransomware operators. That’s pretty common. They’ve either spent money on that or they spend a tremendous amount of their own time infiltrating the network. And as a result, they are absolutely adamant that they get a return on their investment.
So they they’ve only got one fish on the hook, if you will. So this can work in your favor and against you, right? So they definitely want to get paid. But they’re a little bit more patient during the negotiation phase because you’re the only one they got and they don’t want it to go away. And so yeah, you get very different behaviors based on the threat actor groups.
[00:21:30] CS: Okay. So at this point, in the thing, we’re basically committed to hiring a ransomware negotiator. But I’m guessing most companies have never been in this position before and they don’t necessarily know how to window shop for a ransomware negotiator or know how not to hire a bad one. So can you give us some examples of some bad negotiating techniques that ransomware negotiators have used that actually make things worse for their clients?
[00:21:54] KM: Yeah. I’ve actually read the transcripts. We’ve gotten pulled in to do some cleanup a couple times, and I got the transcripts. The funniest part about that is sitting down with a CISO and saying, “Hey, bud. The bad guys aren’t going to differentiate between me and the people that were here before, not easily anyway.” So it’s going to be hard for me to do that.
But, yeah. I mean first of all, I don’t want to give away trade tactics too much, but I’ll tell you, first of all, there is no reason to remind the bad guy that he’s a bad guy. He knows that. It sets the wrong tone. It’s very antagonistic. The best way to approach this is to approach them as a business person that you’re doing a transaction with and conveying some sort of condescending tone. That’s what I’ve seen in some of these transcripts, is not a good idea. And also, be responsive. If they ask you a question, do not not answer for a week.
Now there – In negotiation, there is value and delays, and you can use those surgically. But generally speaking, if you ignore them, you’re going to make them angry. So you need to at least keep a heartbeat going with the communication flow. Yeah.
[00:23:06] CS: And I imagine a lot of the sort of condescension or the sort of antagonistic languages is just personal embarrassment on the part of the companies that got hit, right? Like you’re probably just sort of angry and confused and you’re just like, “Oh! I’m so mad about this.”
[00:23:21] KM: Which is why you should hire a negotiator to begin with.
[00:23:24] CS: Yeah. And also why you need to take a breath between like when they say something to you, you need to sort of like don’t just react with your gut, I imagine, right?
[00:23:31] KM: Right. Yeah. And a lot of the principles of standard negotiation apply. The currency is a little different. It’s not a hostage negotiation necessarily, but you can take pages from, say, Chris Voss’s book and apply them directly to this discipline. Yeah.
[00:23:50] CS: Okay. So what are some red flags you should be watching for when considering hiring a ransomware negotiator? I mean is there a Yelp for negotiators or how do you know that you’ve – Unless you use GroupSense, how do you know you got a good one?
[00:24:05] KM: Well, I appreciate the kind words. But you’re right, there’s no litmus test for this at the moment. The main one is is the firm on what they call the panel of any cyber insurance companies? So okay cyber insurance companies handle enough of these that they know who the good negotiators are and they have a list of approved negotiators. I will say that that’s not 100% fail proof, because some of the transcripts I previously mentioned, they were brought in by a cyber insurance company and that didn’t go well.
But generally speaking, either the law firm, your external counsel that is advising you on the breach, which you should have, or your cyber insurance company, or any cyber insurance company. If you don’t have one, you can reach out and say, “Who’s on your panel?” And that’s a good first step for sure.
[00:24:57] CS: Okay. So yeah, obviously, one of the things I said in the intro of the show and that you had noted is that there’s this wide variety of quality and ransomware negotiators and it partly stems from the fact that there’s no real way of indicating compliance or a baseline of knowledge for this type of job. Anyone can do it. Anyone can hang their shingle outside of their house. So if given the chance, how would you craft a ransomware negotiator certification that demonstrates baseline understanding of this task?
[00:25:25] KM: That’s an interesting question. I can tell you what I think has worked well for us, is coming from the intelligence space – backing up real quick. Let’s just recognize that negotiation in general of any kind is largely a soft skill, and those things are hard to train. So one of the things that I – One of the assumptions I made early when we got into doing this was that I thought the IR firms, the incident response firms were doing this. And they’re not. And it makes sense to me because who are the people who do IR? They’re malware reversal people. They’re very technical. They’re not soft skill people. They’re not negotiators.
[00:26:06] CS: Yeah, they’re solving problems in the machine –
[00:26:08] KM: They’re solving very technical problems, and you should absolutely involve them in the process, but they’re not the new negotiator. And so first there’s a soft skill part, but what really powers that or makes that dangerous, if you will, is access to information about the threat actors. And so our company has cyber intelligence as a discipline. That’s what we do. We have a lot of information about these threat actors. Who they are? Who they target? What tools they use? All of this is very useful information to bring to the table when you’re negotiating. At a minimum, it lets you know how dangerous these folks are and you can advise the company, “Hey, look. These guys can really do some damage,” or these guys are rather harmless. They’re just deploying you know a standard template tool set. They’re not going to re-hack your network and punish you.
So just coming to the table with some background knowledge, someone who has some background in in intelligence, cyber intelligence specifically, would be useful to have. But again, sometimes those folks are very technical and the soft skill is hard to transfer. And we struggle with that internally. I am the CEO, but I’m also the primary negotiator and we have a couple of folks that were training up from their former law enforcement. So they had some prior training on this when we’re training them up. But it’s difficult to do that live fire.
[00:27:33] CS: Right. Okay. Well, that leads perfectly to my next question, which is I want to sort of talk about the ecosystem around saving companies from ransomware. Obviously, negotiator is in some ways like the top of the list, but I’m imagining they also have kind of teams. Like you said, people with technical knowledge , or researchers, or sort of support staff. So like how do you break into this work without going into a hot situation like that? Are there tiers of negotiators? Are there places where you can start doing stuff like this safely? Should you have a technical baseline of knowledge about how ransomware works and how to sort of reverse it and things like that, or maybe all soft skill?
[00:28:13] KM: Yeah. I think that you could do tabletop exercises with someone who’s done this before, who knows what the typical response is from a threat actor is. That could be a fun b-sides project or something like that where we could build a red team where you’re negotiating. And so there probably are safe ways to do it. I don’t know if this is an organized thing yet. And no, and to be perfectly transparent, I got thrown into it. It was not something that I chose to do. I got asked to do it. In my defense, I said no twice. And then they said we literally have no one else.
[00:28:50] CS: And they wear you down. They’re negotiating with you until you unlock the files. Yeah.
[00:28:54] KM: Yeah, and in this case it was a high enough profile scenario where the law firm and the cyber insurance company that were involved liked the outcome enough that they asked us to do more and more and more.
[00:29:08] CS: Yeah. Yeah. Yeah. Yeah, I mean do you do you think more people probably transition to this type of job from soft skill type things negotiating or business or law or whatever or from like technical things like reverse engineering and things like that?
[00:29:24] KM: Yeah, I think it’s more on the soft skills side is more likely. Having those technical skills are always an advantage, having both. But finding someone who is really good at both is rare.
[00:29:35] CS: Yeah. Yeah. Well, because a there’s such a variety of strata of cyber security jobs. And we constantly hammer this home that you don’t have to know like all the guts of the machine to work in cyber security, whether you’re a threat modeler or a risk analyst or a ransomware negotiator, like you can do this. And obviously it helps to learn on the job and stuff, but you might already have the skills in hand.
[00:29:59] KM: Yeah. I mean, don’t underestimate yourself. Some of this stuff is actually just common sense. Like don’t berate the bad guy, for example. That’s sort of thing. Yeah. And I do, if I have advice for – If I can give advice to people getting this in their career is choose your workplace carefully, because what you want to do is – Having been in this industry for two decades, I’ve recognized there’s a lot of egos.
[00:30:28] CS: Yeah.
[00:30:30] KM: We actually have a sign in our office that shows one of my motorcycles. hand make all of our motivational posters. It’s really cheesy. And then we have one that’s like my motorcycle crash upside down in a ditch in Utah and it says, “Egos are expensive.” So my advice would be really look at the workplace and sort of the culture of the workplace, because what you don’t want is those egos. They tend to hoard information instead of share it. So you want to get into a place that’s very collaborative where people are very willing to share their knowledge with you. And we’ve worked really hard to build that here, and I’m really proud of it, yeah.
[00:31:09] CS: Yeah, love it. So sort of going to the other side of that, do you have any tips for – This obviously sort of puts you out of a job in certain ways, but like some backup tips and things for people so that if you do get hit with ransomware – We’ve heard stories. There was a school district that had like triple backups and were able to sort of like put things back together and just bypass the whole thing. Do you have any thoughts on that or any –
[00:31:36] KM: Well, I’ll go back to my disclaimer. I’m okay with not paying these people. I’m totally okay with it. Yeah, the backup strategy is key, and we’ve had a few scenarios where we’ve been able to restore some or all of the systems, which if it’s partial, we can still do the negotiation, but we have a lot of leverage because we’re like, “Look, you didn’t do the damage you think you did. And so we’re willing to pay something, but a smaller amount.” The key is have some sort of cold storage backup option even if it’s dated. It’s better than nothing. The automated backup system sometimes transfer the ransomware with them. And so that’s where a lot of companies get caught, is these cloud-based automated backup things, which is good from a daily backup standpoint where you need to revert a file or something like that. But to save you from ransomware may not work. And so you need something where it’s what we like to say a cold storage option where it’s not automatically backing up the systems every few minutes or something like that.
[00:32:36] CS: Okay. Yeah. Yeah. So moving into speculative sci-fi future stuff, do you see ransomware as a continued threat in the future? Because we see things like spam filters have – You get spam once in a while, but you don’t get like the five pages of it you did 10 years ago and things like – And malware, like it’s always kind of an arms race between malware and anti-malware. Do you think ransomware is going to continue in the future or is there a point where the tech kind of overtakes their ability to sort of lock people out?
[00:33:09] KM: Well, one of two things is going to happen for sure. There’re a fair number of companies working on this problem of anti-ransomware or ransomware recovery. But keep in mind that the threat actors are sometimes better funded than the tech companies that are fighting them. So you said arms race. They’ve got some ammunition.
On the flip side, I’ve actually been advocating for some time ever since the OFEC announcement came out about not paying ransoms. My thought was that’s really short-sighted, because it doesn’t give the companies an alternative path. And so what I’ve really been advocating for is if like, for example, the US government wants to dissuade or dis-incent ransomware operators by not paying them. Simply telling the companies you’re going to get a fine is not the strategy. What they need to do is build a program that gives the companies an alternative path, whether that’s some sort of subsidized program where they’re actually helping them recover with government funds or something like that. That could happen – I think they could solve that relatively quickly if they could come up with the funding.
I think there’s an ROI associated with it as well, because the economic impact and the amount of money that’s flowing, for example, to threat actors in Russia just every single day would warrant a program like that. I think we shouldn’t wait for the tech. We should probably do some policy as well and try to mitigate it with that first, or not first, but in parallel. Yeah, for sure.
[00:34:40] CS: Okay. So this has been super cool and super interesting, and I’m hoping that people who are thinking of getting into this field have gotten a lot out of your ideas and your insights. So as we wrap up today, do you want to tell us a little bit about GroupSense and some of the projects that you’re currently working on that you’re excited about?
[00:34:57] KM: Oh, sure. Like I said, we’re seven years old and I think we were a little early to the market when we first started developing our tool set. The market has since matured a lot. I think where we have led the pack in innovation is, again, going back to the – I like to begin with the end in mind, right? So the reason why we started the company is outcomes. So what we’re really focusing on over the next couple years is every bit of data that we’re providing the client, we’re trying to find the meaningful outcome delivery method for that. And sometimes that’s us. Sometimes we can do that for the customer. Sometimes that’s a third party. But we’re building out a full suite of remediation options for these tools or for the data that we’re providing the clients.
And our next mission is really around – The space that’s sort of emerging inside threat intelligence for this type of service is called digital risk protection. So in the digital risk protection space we’re doing things like monitoring your VIPs in your company. We will even do post-breach identity monitoring for the staff. So we’re finding like just a checklist of, “Okay, we’re providing this service. What is the next step to solve the problem for the client?” Because the clients just don’t have the time or the resources to do it in-house. So that’s really what we’re working on. And it’s fun, because we get to innovate, we get to try. Our customers are really cool. They let us run experiments and cool stuff.
[00:36:23] CS: Yeah. You’re finding issues that you didn’t know existed before and then solving them.
[00:36:27] KM: Yeah. They’re net new problems a lot of times, and it’s really fun to collaborate, like I said, with the customers. And we we’re running little skunk works projects with different customers, trying different things, and it’s fun. We learn a lot.
[00:36:41] CS: All right. Last question, for all the marbles, if people want to know more about Kurtis Minder or GroupSense, where can they go online?
[00:36:46] KM: It’s groupsense.io.
[00:36:49] CS: Okay. Kurtis, thank you so much for being our guest today on Cyber Work. This was a lot of fun.
[00:36:53] KM: It was my pleasure. Thank you so much, Chris.
[00:36:54] CS: Okay. Thank you all, again, as usual for listening and watching. If you enjoyed today’s video you can find many more of them on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials interviews and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice.
And this week I’m excited to announce a new hands-on training series called Cyber Work Applied. Every week expert Infosec instructors and industry practitioners teach you new cyber security skills and show you how that skill applies to real world scenarios. You’ll learn how to carry out different cyber attacks practice using common cyber security tools and follow along with walkthroughs of how major breaches occurred, and it’s all free. Go to infosecinstitute.com/learn, or check out the link in our description and get started. That’s infosecinstitute.com/learn.
Thank you once again to Kurtis Minder and GroupSense, and thank you all for watching and listening. We’ll speak to you next week.