Behind the scenes of ransomware negotiation

[00:00:00] Chris Sienko: Every week on Cyber Work, listeners ask us the same question. What cybersecurity skills should I learn? Well try this, go to infosecinstitute.com/free to get your free cybersecurity talent development eBook. It's got in depth training plans for the 12 most common roles including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. We took notes from employees and the team of subject matter experts to build training plans that align with the most in-demand skills. You can use the plans as is or customize them to create a unique training plan that aligns with your own unique career goals. One more time, just go to infosecinstitute.com/free or click the link in the description to get your free training plans plus many more free resources for Cyber Work listeners. Do it. infosecinstitute.com/free. Now, on with the show.

Today on Cyber Work, Tony Cook of GuidePoint Security knows a lot about threat intelligence and incident response, but he's also used the skills while working as a ransomware negotiator. Tony's handled negotiations for all the big threat groups, REvil, LockBit, DarkSide, Conti, and more. He told me all about what a negotiation can realistically accomplish, which threat groups are on the rise, and why negotiating with amateurs is sometimes worse and harder than dealing with elite cyber criminals. You want to know why? You better tune in and find out on Cyber Work.

[00:01:33] CS: Welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals while offering tips for breaking in or moving up the ladder in the cybersecurity industry.

Tony Cook is the head of threat intelligence on GuidePoint Security's consulting team, where he manages digital forensics and incident response engagement on behalf of the company's customers. His career background includes high level national security activities and cybersecurity operations for several clients over various verticals. Today's topic, in addition to all of these things, Tony, as it turns out, is a ransomware negotiator or has at least done that work at various points. This is a very interesting topic, because ransomware is pretty heavy. I haven't checked the news. It's pretty wild right now. So we are going to talk about what actually happens in the moment when you get breached. Tony, thank you very much for joining me today. Welcome to Cyber Work.

[00:02:33] Tony Cook: Yeah. Thank you very much, Chris. Appreciate it. Thanks for having me.

[00:02:35] CS: To start with, I like to get a little flavor of how you got interested and started in all this stuff. What was your first introduction to computers, and tech, and what drew you to security specifically?

[00:02:48] TC: Sure. I mean, as a kid, I definitely played around a whole lot with various different computers in my childhood. But actually, a funny start to mine, I really got interested in the Navy. I enlisted 2002, and from there, just was lucky enough to get a rate called IT. Was kind of new back then. Everything fell underneath of that, whether it was regular IT setting up networks or setting up active directory, which was – they were just coming out and implemented into the Navy to running firewalls. From there, it was just kind of a nice easy transition out of the Navy.

[00:03:22] CS: Okay. There was probably still a little bit of a disconnect, like you enjoyed computers and stuff as a kid, but you weren't necessarily thinking in those terms, and then you got to the Navy, and you're like, "Oh, yeah, IT, I'm pretty good at this." Was it kind of like that, it sort of rekindled it or sort of refocused it in different direction?

[00:03:39] TC: It definitely did. Then I got a dream job getting out of the Navy. I got to work transitioning out at Langley Air Force Base for NASA, and I got to be a part of their SOC for about four or five years. That really kind of lit up the security side of things. We're very focused into doing [inaudible 00:03:57] and all of that.

[00:03:58] CS: Right. Can you tell me a little about your current position at GuidePoint? You started in 2020 as the Head of Threat Intelligence, and earlier this year, you became Senior Director of Digital Forensics, and Incident Response, and Threat Intel. Can you tell our listeners what that job consists of? How many people you have on your team? What are your areas of research and expertise in this space?

[00:04:18] TC: Sure thing. Our team has about 20 people, give or take. Essentially, what my team does is we spread out across a few different verticals in this one. We have kind of proactive, where we do tabletops, and IR plans, and things of that nature, try to really make sure that people have the foundations there. Then we also have reactive side, obviously. that's what people think of when they think of incident response, right? The guys that are going to be rolling around everywhere. Then we have threat intelligence. That group is relatively new within the last few years and we've been building that out to really want help people build out their own threat and threat intelligence capabilities. Make sure people know what – you hear the word threat intelligence; it means a thousand different things to a thousand different people. So really trying to set that, level set that with people, but then also do a ton of threat research. We put out quarterly ransomware reports by GRIT, so you can go and read all those. But also, blogs, and threat bulletins, and things of that nature.

[00:05:12] CS: At this point, if you're the head of the department, do you still get your hands dirty with the research, or are you basically directing other people, and just sort of overseeing to make sure that everything lines up?

[00:05:25] TC: Yeah, not nearly as much as I'd love to. It's definitely a passion of mine. I make sure that I get involve as much as I possibly can. But with meetings and everything else, sometimes I just kind of get pushed aside so these guys can really do their job properly.

[00:05:37]CS: How do you cope with that? I like to ask people that all the time, because a lot of people in this space who are at the top level of the food chain ultimately have this kind of King Midas thing going of like, "I got where I wanted to go, but I don't get to do what I like to do anymore." How do keep the fire engaged when you don't get to actually do the sort of messy, exciting stuff that was originally your reason for wanting to join this?

[00:06:03] TC: Yeah, for sure. Luckily, I do get to work on like after hours with some of the guys, and we have some cool things put together where we can all put together challenges, things of that nature. But really, I love being part of the community as well. It's being able to kind of have various different conversations with people, whether that's B sides locally here in Charlotte and down in Charleston, or just being part of various different discord groups, things of that nature.

[00:06:25] CS: Now, can you sort of walk me through an average day of what are the sort of like clusters of meetings? And most days, how much time are you spending with clients, with your own team? Can you give me the structure of what an average day looks like?

[00:06:42] TC: Sure. There are obviously a ton of client calls, right? Either one has never heard of GuidePoint and want to be able to get into it, or two, our clients themselves. We definitely pride ourselves, GuidePoint as a whole to being like that trusted partner that you can just go to with anything security related. I mean, on a daily basis, I can be talking about anything from old vulnerabilities, to some very new things that are coming out, or just how some of these attack models would work in people's environments. More often than not, actually dealing with ransomware, in and of itself. I jump a lot on those scoping calls, get everything done, and turn it over to the team, and have everything moving from there. As far as being able to work with my team, I do love being able to have the availability to be there for them at any time, whether those are actual problems that they have, or just being a mentor back and forth with it.

[00:07:30] CS: Now, it sounds like you are in some capacity that you are sort of the – you're going to get the client calls, they're going to tell you what their vulnerability or their problem is, and then you – do you sort of disseminate that to the team in terms of, "All right, here's what the next assignment is," and you kind of give them the context, and then you just let him kind of run with it?

[00:07:50] TC: Exactly right. We'll have essentially an executive lead, that'll I'll hand over something to, and they have a technical lead that they'll be able to kind of roll through t. But I'll do that initial call through to make sure that everything kind of works, and then toss it over to them. Then obviously, anytime they need oversight, I'll be there for them as well.

[00:08:05] CS: And you're there probably at the end to sort of walk through it with the clients and stuff like that, to make sure that you gave them what they wanted and everything.

[00:08:13] TC: Yep. Well, after action, or mouthwash, whatever people want to call it, make sure that the client feels good after the fact. One of the things we pride ourselves on as the IR retainers is making sure we understand what's happening as we get signed on. You just want a retain that's just going to be there to be there. You want to learn your environment, make sure that you have the right processes in place, but also the right tech stack. Maybe there are just a couple of things we can change before we have to get into an incident that we can help out with.

[00:08:39] CS: On average, how long are you on like retainer with a client in terms of the depths of their problem? Because you're doing threat research and threat intelligence, is this something where you're looking at this stuff over the course of six months, or is a two-week thing or a year thing?

[00:08:57] TC: The average incident retainer is about a year long, and in that time, they can feel free to ping us. It doesn't have to always be an incident, sometimes you just want an escalation, somebody that has looked at these things in the past, and you can look quick, sniff on it. Is this right? Is this wrong? What should I be doing? We provide that level there. About a yearlong is what our average. Sometimes we have two- or three-year ones. But the average incident that we deal with, we're hoping to get it solved within two weeks. If not, we're done. Unless it's some huge outbreak where we might have to get a little bit longer, but that's about what we're trying to look at.

[00:09:28] CS: Got you. Got you. Thank you. In addition to your work as threat intelligence, and incident response, and the head of your company. The reason I really am excited, as I said to have you on the show is because you have also been a ransomware negotiator. You can pretty much pick up past episodes of this podcast at random, and there's like a one in four chance that ransomware is going to be one of the key topics. Why not? Effective as it's been, it's no surprise that it's one of the most used and successful use tools in cybercrime. The first thing I want to ask you about is the ransomware threat group landscape. In your introduction, it was noted that you have negotiated with all of the major ransomware threat groups over the course of your career, Conti, LockBit, REvil, DarkSide, et cetera. Let me start by asking you about the ransomware threat group landscape at this minute. Who are the major players and which groups are on the rise, and which groups if any have been taken down or neutralized?

[00:10:23] TC: Yeah, sure. I think everybody can be on the same page over the last quarter, or two, or three over those. LockBit by and large is just crushing it. I mean, over 200 I think hits in the last quarter alone. They're doing big work out there and making some money off of it. But their operation is very specialized in what they do. Obviously, we saw Conti kind of break apart, and everybody trying to fill that space, or maybe, depending on who you ask, the developers or the things of that nature that broke into their own groups. We're looking at Boston, we're looking at Hive Leaks, Sabo's Locker, some old school one, Medusa Locker. But some new ones, like Vice Society. You know what I mean? Each one of them have their own kind of flavor to things, some have very specific, I'll just call them rules that they have. Like, "Hey, you're not going to hit various different organizations. We might be able to export data from them, but you are definitely not going to encrypt them." Others just don't have anything like that, but also different payouts for each one of these as well.

[00:11:26] CS: Sure. My eyes went up because I have a guest who specifically going to talk about Vice Society in a few weeks here. I was like, "I remember them." Okay, so yeah, and specifically about how they have sort of made it their goal to target K to 12, and lower education and stuff like that. The last time I had ransomware negotiator on the show was back in December 2020. It was Kurtis Minder of GroupSense. Back then, I asked him the big question of the time, which in 2020, was to negotiate or not to negotiate. It seemed like a question with a straightforward answer at the time. But as read ransomware has gotten more prevalent, and more vicious, more opportunity for outright destruction of data, and the possibility for double extortion schemes. Where do we stand in 2022, 2023 on the decision to be made about establishing connection and what have you?

[00:12:15] TC: We've definitely seen kind of a transition where people are trying to make sure that their backups are in such a state or some immutable in some way that they're not going to have to pay for that reason for just a fact, or just to make sure that you can restore from some reason. Now, you're going to negotiate or not negotiate, I don't think it will ever be just a simple yes or no. I think it's always going to be an actual question where, it's a risk base for the company. If you're going to be down for 10 days, even if you got the crypter, and you're trying to get things back up and operational, and you're losing millions of dollars a day. I mean, depending on what you have to do, you might just have to figure out like, do I pay or do I not pay based off of something that's going to make sense for your company.

Obviously, OFAC sanctions and things of that nature. Even in that part, it's just another fine essentially to get things through it. I do think a lot of times nowadays, whether it's insurance or external counsel, or things of that nature, they might just have you negotiate just to be able to or start that connection, just to be able to kind of stall a little bit to see if – and get that timeframe moved out a little bit. So you have some wiggle room to be able to figure that out. Making some connections up front aren't bad. But I mean, we're even seeing what some people call triple extortion and things of that nature, where even if you decide to not pay, and then you don't get a grip, you're restoring things back up, they might try to DDoS you right to try to bring things [inaudible 00:13:42]. I think it's Vice Society might be another one, that if you don't do that, that's going to be their next step of thing.

[00:13:51] CS: Wow. What should potential victims know about the lifecycle of the ransomware negotiation process? What are the stages and timelines in an average successful negotiation process? Are we talking a week, 72 hours, 24 hours, two weeks?

[00:14:05] TC: Yeah. Again, I think it's going to depend on the group itself. Some are very

0responsive, some had – like LockBit has things set up so easily, that they're working back and forth with you on basically on a minute-by-minute basis. Others, still or have email that you're emailing some proton mail thing or some various anonymous email, and you're going back and forth. You might not hear back for a day or two. The sophistication of the groups has definitely come forward a lot. Like two, three years ago, sometimes you wouldn't hear from them for two or three days and you think that maybe they're not going to respond back. Then all of a sudden, you get back something on it. I would say, on average, usually, we can get some negotiation done within 72 hours, sometimes quicker within 24 to try to get things down.

Again, towards the groups themselves, sometimes there's not a lot of wiggle room. They know what they have. They have X field very specific information that they know, whether it's your insurance policy or what your profits were last year, things of that nature. They've done their research enough to know you can pay this. If you don't want to, then you're just going to have all your data leaked, or we're going to try to continue to do [inaudible 00:15:11] in your environment.

[00:15:13] CS: Yeah. I was going to ask something else about that, then it fell apart again. Going to into the next question here. Once someone hires you as a ransomware negotiator, how exactly does the negotiation process work? We're really trying to sort of demystify the way cybersecurity things work versus how people see them in movies. Like if someone asks us a question like, "Can I be an ethical hacker if I can't type fast?" Because I think they're just so used to the image of like – I want to make sure that we're really, really transparent about all of this. What do you do once you've established a connection with the threat group?

[00:15:54] TC: Obviously, there's a several different tactics that you can use with being a ransomware negotiator. You can try to initially make the conversation like, "Hey. I'm a small company" or you're trying to basically set up the initial conversation between you and the actor himself. Sometimes that breaks apart pretty quickly. If they know what they have, and they're trying to get you to do something very specific, like, "We want you to pay this amount" and you're not going to go back and forth on it. Try to be able to utilize everything you have, whether that's your insurance policy, or profits, or "We can kind of move back and forth. You could try to figure out timelines on things to say, "Hey! If we get you this this fast, can we do it that way?" There are some various things you can do.

By and large, it's really going to come down to the threat actor and what they believe they have. It might be something. They might look at this. It might take – what might be the first few things that they're willing to share with you for data X bill saying, "This is nothing. We aren't going to pay this because this has absolutely nothing." But in the threat actor's eyes, that could be, "This looks like it's worth a million dollars and we're not coming down from it."

[00:17:02] CS: Okay. I guess that was kind of my next question is, whether you're – what is negotiation per se in this matter? I mean, are you saying things like, "Come on. We don't have as much money as you think we do"? Or are you saying, "What is it you think you have?"? Or are you saying, "Can we get the money later on?", whatever? I mean, because you said that some of it is a controlled stall as well.

[00:17:28] TC: Sometimes it's real things as well, right? Banks over the weekend, right? Or often than not, things happen every Friday afternoon. As we're trying to do some of these things, some banks aren't willing to do that level of stuff over the weekend. Now, there are other groups that can. We offer negotiation services up to a certain amount, Coveware and others that can just offer you the money towards then until the banks can open up and pay back. But there are very real constraints that are around that as well. We try to utilize those as much as we possibly can. But at the end of the day, if the actor really wants you to pay that amount of money, then they're not going to back down, or they might come down like 1% or 2%. I think probably, two, three, four years ago, you could probably negotiate down even some of the major groups, 50% or more. Now, that's not case in most circumstances.

[00:18:20] CS: This is almost more like if you're going to – you don't represent yourself in court, get a lawyer, because they know – it doesn't guarantee you're going to beat the rap or whatever. A negotiator at this point is just there to make sure that everything is kind of going by the book. Is that reasonable to say? And just sort of sniff out different options.

[00:18:44] TC: Exactly, and to be able to make the payment itself, like being able to transact on that Bitcoin. But some actors specifically hate dealing with negotiators. If they find out that there's a negotiator, it can fall apart pretty quickly.

[00:18:57] CS: Right. Have they recognized you as that guy who does all these different negotiations?

[00:19:05] TC: Fingers crossed, that has never happened to me personally. I guess it happened to people.

[00:19:10] CS: I just thought of the question that came to mind before. One of the things I remember hearing years ago, and it sort of plays out with what you said here, that it's almost more dangerous to be ransomed by a bunch of incompetent kind of script kiddies because they just have no infrastructure, and it's real sloppy. Whereas like, a big company like this, they might not even have your data, but a big company like this or big threat actor group that are automated. Like you said, they have a strong channel of communication, and this, and that, and the other thing. Is that still the case? I mean, have you ever had to negotiate with total – I don’t' know how to say it. Total goobers?

[00:19:54] TC: Yeah, absolutely. I mean, there's definitely some threat actor groups out there, and some that aren't really named I suppose, like just trying to start some things up. You can always tell as soon as you see the ransomware note, or as you start to talk to them that they're just not really great at what they do. They're very tough to deal with. Most of the time, their ransomware is awful, and it will stop various different things, whether that's Windows processes that will kind of crash the entire system or stop some database servers or web servers that just can't get back up and operational.

Where other ones, like LockBit and others, especially when Conti was up and running, you have again a complete help desk. They can say, "Hey, we stopped here. This is exactly how we got in. Here's one who ran it. Here's how you can change it to make it work. So yeah, there's very specific thing that you want to be able to allow. I'm not sure if you really want ransomed, but if you do, you don't want somebody who doesn't know what they're doing.

[00:19:54] CS: Yeah. I imagine there's got to be at least a few of them who are almost surprised that it happened, and then they don't know what to do next. Like, "Oh my God. They actually –"

[00:20:51] TC: It worked. Oh my gosh!

[00:20:53] CS: Yeah, right. Now, what? I guess, in more of like an industry-wide thing, can you give us some examples of bad negotiating techniques that ransomware negotiators have used that might have actually made things worse for their clients? Do you have like a flowchart in your mind for where to take the negotiations as each message and instruction unrolls.

[00:21:12] TC: Yeah. I think some people will try. Well, they at least in my experience, there's some people that initially just try to go way too low, way too fast. This is $2 million ransom, and you're going to try to say," I'll pay you $800,000 or the $2,000. That's all we're going to pay you." Sometimes that's just not applicable. There are other ways that you can try to figure things out to begin with, setting a baseline down for how you're going to be able to communicate and what these things are actually dealing with. I think there's some others that – and this might not always fall on the negotiator itself. It might fall underneath external counsel or sea level management. Sometimes they want to know exactly what you're saying, and how you're saying it, and going back and forth. They want you to have to say their message.

I'm usually kind of opposed to that, mainly because you're hiring smart people do smart things. Don't tell him how to do those things. Sometimes in that light, they'll just say, "Hey, we're not paying. We're not doing XYZ," and that will obviously not be the right foot to get off on as well.

[00:22:17] CS: Okay. That's more of the issue sometimes is if they want – they're like, "Tell them we're not going to pay the ransom" and you're like, "Oh, I don't recommend doing that." They're like, "Do it."

[00:22:27] TC: Maybe just let me have a swing at this first, and for the most part, you're only going to have maybe, depending on the ransomware group, like five or six interactions back and forth with this person before a decision has to be made. You want to make use of those time.

[00:22:42] CS: Yeah. Well, that dovetails nicely to my next question. Even apart from – if you have like a resistance C-suite or whatever. While you're engaging in the negotiation process, what support should the company being ransomed be giving to you from the behind the scenes. Again, like I said, we see in movies and TVs, the investigators talking with the criminal on the phone, and they're sort of gesturing to other people in the room, "Turn on the wiretap, or trace the call" or whatever. Do you have a support staff of negotiators or is this part of the process all done one-on-one between you and the threat group? Then, in the case of smaller and less well-orchestrated attacks, I think of like organizations like No More Ransom that can maybe be helpful in providing codes or mechanisms to unlock the ransomware without having to pay. Second part of the question, do you have anything similar going on with high level ransomware attacks? Have you ever been negotiating and had someone on the team say. "We unlocked it, tell them to scram"?

[00:23:32] TC: I wish that was the case. We do have a little flowchart, though. We know all the actors that we deal with. We have threat actor profiles for each one of them, how many times we've negotiated with them, what the process has been there, and what their TTPs are as it go through it. If there is something that we know that there is a decrypter for it already publicly known, we can just stop there and kind of go our own way. But there is an investigation going on side by side as this kind of ransomware goes on. If we can determine, like scoped out, and know that you have known good backups, and it's only affected this part of the environment, and you don't have – that brought back up in a day or two vise seven to eight days. Or, "Hey, this is not really sensitive data. I don't really care if it got exfiltrated out or not."

There are several questions that can get answered while we're going through this negotiation. Hopefully, we know that before we even start in the negotiation. Sometimes it takes a little bit of time to figure that part out. Once we kind of figure out what's happening or what has happened in the environment, then we can make much more targeted decisions as we kind of go through those. Maybe I know that I don't really care if this thing got exfiltrated, but I do want to be able to get it back up and operational sooner, and my IT staff just can't support being able to bring all this backup, so I'll just pay for the decrypter versus or vice versa. Maybe I already have a backup on operational, but that's PHI, and I need to know exactly what it was, so maybe we need to figure that part out.

[00:24:59] CS: Got it. Now, I'm sort of speaking to the all the different types of ransomwares out there. I know this is an escalating arms race. You figure out how one works, and then they make another one, and make another one. But when – with each sort of ransom, if it's a new piece of ransomware, is there kind of like ongoing research happening with that piece of ransomware? To the point that like, if someone else tries to use that exact same thing, a week from now that you might well have been able to dismantle it in a way that you might be able to mechanically break it apart? Or are they just – I don't know I mean, are they that complicated?

[00:25:39] TC: Some are, some are that complicated, that you're just not going to be able to make sure that it doesn't happen on another system. I mean, there are obviously defenses that you can put in place to kind of stop things from happening, or restore it back to a known good state kind of quickly. There's an EDR that can do that pretty quickly. But as far as research into it, a lot of what we end up doing on our side, and I'm sure there's other groups that might be doing more or less. But we try to be able to look at the code samples in between those and try to see what's similar to what. Like maybe be able to determine what, developers might be the same, or code reuse in some of these to kind of put things down. But I mean, as far as stopping the ransomware from happening again, and again, I mean, really, a lot of times, it's going to come down to like what defenses you have in place to stop it before it starts, and trying to figure out what we can do with it.

[00:26:25] CS: A related topic that's come up on the show a few times is cyber insurance. You can put 100 CISOs in a room and get 100 different opinions on the time and place for it. I'm curious about your thoughts on it. Because on one hand, there's that sort of throw money at the problem-ish aspect of it. The past guest, Elissa Miller pointed out that if your security team is constantly parroting boilerplate like if it's not – it's not if we get breached, but when. Then, some boards might feel like they need cyber insurance. Obviously, the security team can't be trusted. Then of course, insurance companies like to only insure things that are unlikely to need to be paid out. The rise in cyber insurance payouts is starting to make the whole thing a little shaky, I think. Tony, can you talk about the changes to cyber insurance that have changed up the way that ransomware threat groups do their work?

[00:27:13] TC: Yeah, absolutely. I'll start with just my definition of cyber insurance. To me, it's just another risk mitigation. It's just something you're going to pay for. So that in the case something does happen, I have a way of being able to move that risk out. I'm going to get money if something like this happens, right? I think, by and large, and this is probably a heartache or on a popular opinion. Ransomware has really kind of shown people how insecure they really are. Cyber insurance is just another way to be able to get people to move that risk to something else. But now, that cyber insurances have had to pay out so much, it's almost like, "All right. Well, if this is going to be a risk mitigation, then I'm going to make sure that you are probably not going to have to pay it out, by making sure you have backups, by making sure that you have immutable backups, I should say." That's something [inaudible 00:28:01] that they just want to make sure you have, or an EDR solution, or a tabletop or a laundry list of things.

Four, five years ago, to get cyber insurance, you maybe had to fill out four questions, and then they'd give you something. Now, that's almost a week-long process of trying to figure out, do I even have half the things that they want to make sure that it happens to get low premiums? Because if you don't have half of these things, you might get cyber insurance, but you're probably going to end up paying out over two or three years more than you would have paid for the ransom to begin with.

[00:28:29] CS: Yeah. Okay. I was wondering if it was just something like, they're raising the premiums, but there's also a lot more due diligence in the sense of like, if we're even going to give this to you, we want to make sure that you're not just – don't have like an open for business sign, and all your personal data files, or something like that. You got to make sure – it's almost like a compliance framework or something like that for them to even think you're uninsurable non-risk, I suppose.

[00:28:56] TC: For some of our larger clients, they've kind of said that they're not going to do cyber insurance anymore. They're just going to set apart the money that they would have paid for cyber insurance and hope that they don't get [inaudible 00:29:04]. Year over year, that fund will just kind of build itself.

[00:29:09] CS: Like a ransomware HSA, yeah. Take it out of your check each week. For listeners who are trying to break into cybersecurity or move into a different facet of the industry, and who might be intrigued by this type of work, how does one get involved with ransomware negotiating or anything related to this area of interest? Are there secondary roles with a position like this, i.e., like one person to do negotiating and a team of staff who does research or on the threat actors, et cetera? Are there tears of new negotiators or a place where you can kind of start safely? Or is this more of a prize that you get after you've been in threat intelligence for a long time?

[00:29:45] TC: I do think it helps to kind of have been in the industry for a little while, just so that you know what you're actually getting into with some of these things. I highly suggest before you get into security that you understand IT as a whole to begin with. It's a very large changing industry right now. Choose cloud, or choose on-prem things, things of that nature, but know the fundamentals first, then get into security. Once you understand both sides of those things, whether it's blue or red, you kind of get to a place where you both understand a little bit of the business side, because you've done – or had to support IT through things, security on that side of things. Then when you go to negotiate, you actually kind of get more of a feeling around why you're doing what you're doing.

Now, negotiation in and of itself, that's definitely something where you want to have soft skills. There are things you want to be able to know. The person that you're sending in there has some sort of feelings back and forth that they can, essentially, talk to somebody, and even if they get something sharp back to them, or if they don't really understand exactly what they're doing, they could take a second, and understand that they have to respond back in such a way that it's not personal for them. It's more something that they're doing for a company.

[00:29:45] CS: Right. Now, a lot of the job roles that we talked about on this show, I'm always trying to get people in who aren't cyber or tech backgrounds. It's been well established on here that some of the best digital forensics people come from psychology who are able to sort of parse out what's going on in a mobile phone of someone who's been attacked or whatever. Can they sort of decrypt the text messages? I think just because there's so much to the cybersecurity industry, there's such a skills gap. We're always looking for ways to get non-tech folks in here. But I mean, is this something where, if you were in, say, like hostage negotiations, or something like that, is the IT tech cyberspace really crucial piece of the puzzle? Or if you already have the sort of negotiation background, is that something that would translate?

[00:31:49] TC: Yeah, sure. Obviously, I think it kind of depends on the business itself. If your sole job is going to be to be ransomware negotiations, absolutely. I mean, it takes just soft skills to be able to do these things. Understand the risk that somebody's taking on as they hire you to do this, and being able to deal with various different, not great English, but also being able to deal with people that are going to try to get you to pay something higher than you want. If you're just doing that, I think as long as you have soft skills, you'd be able to do this really well, or if you have that background in negotiation.

[00:32:22] CS: Okay. Can we sort of expand on a little bit of some of the soft skills apart from, like you said, not taking things personally? If you're hiring someone for this type of job, what do you want to see on their resume or their list of completed projects that indicates that indicates that they're not going to get in their head, or they're not going to be rash, or what have you?

[00:32:41] TC: Yeah, sure. I look for people that have been in high stress situations. One guy on our team that we kind of – I wouldn't say raised up, but more like helped mentored up to where he is now. He came from a SWAT team. I mean, he's used to a very high stress, high demand job. Then once he got into incident response, and got into ransomware negotiations, I mean, that's something that was just kind of came natural to him. He had soft skills that kind of went back and forth with some of those things that came on to it.

We also have some people that were from the FBI that were on there, and these are, LE type portions I'm going into right now, but a lot of those things kind of transition very nicely to that. I honestly have been kind of looking for that psychology majors that can kind of come into it. But at our team, that's just one of the functions or one of the roles that are into it. You also will be doing thorough research. You'll also be doing all these other things that are in there. We want to do the multifaceted portion of it, so that you understand, like, "Hey, we're going to do threat research on this particular group. Then, maybe if a ransomware comes in, you're going to be the one that's responsible for going into that."

[00:33:46] CS: Okay. Can we can we sort of wind back a little bit in that term? If you're looking with a goal of being on the frontline with ransomware, and negotiating, and stuff like that. Can you talk about what – like you said, it's not a full-time job unto itself. Can you talk a little bit about the work of threat research around that and threat intelligence, and what you would be involved with in those phases as well?

[00:34:13] TC: Yeah, sure. Absolutely. On our team, there's a whole lot that kind of goes into being able to make sure that you are doing your threat research properly. There are some things that are kind of obvious, like following blogs, making sure that you're getting our tip up to date, and making sure that everything that we have – all the knowledge we have is kind of centralized. But then there's also making sure that the personas that we have out on the dark web, making sure that there's various different ways that you're getting in all of that intelligence, and kind of sorting through it. Making sure that you understand what activity might have been happening, whether that's getting on the dark web, or the shaming side, I should say. And seeing who they hit and why they hit them, tracking the vertical, making sure that you understand what the goals are for this group, and what data might have already been leaked from these things.

Then also, following them on the dark web or the forums that they're on, making sure that everything's comes down from that. But tracking cybercrime in and of itself, there's a ton of trying to figure out what their C2 looks like, seeing if we can actually figure out what their boxes are out in various different levels of the tiers [inaudible 00:35:14]. We might be able to get like a tier three box, but can we track that the whole way back to see what their actual infrastructure looks like? A ton of stuff that kind of goes into that.

[00:35:27] CS: Well, that's cool. I mean, that's exciting to hear too, because I think, in terms of disposition and stuff, I think people who likes you sort of get the whole picture and get a sense of what – because you were asking – I was asking, what threat groups are on the rise and which are falling? You're not just sort of coming in, and handing you the dossier, and then you're learning about this group for the first time? You have a sense of like, so and so is doing this week, and then this is happening over here and stuff. Again, I'm sort of speaking to the audience here. But if you're the sort of person that likes to track the Marvel Universe or track large sort of interconnect, or Lord of the Rings, or whatever, there's a similar mindset there. I'm sure you, specifically Tony have intimate knowledge of how all the different threat groups communicate with each other, or are rivals, or competitors, or stay out of certain territories and stuff. Is that reasonable to say?

[00:36:27] TC: Yeah. Absolutely. That makes you up within to that level.

[00:36:31] CS: Yeah. Okay. Well, this has been a ton of fun. I'm going to let you go here pretty quick. But as we wrap up today, Tony, tell us about GuidePoint Security, and some of the projects, and developments that you're eager to sort of unleash and talk about going into 2023.

[00:36:46] TC: Yeah, absolutely. We've released out a ton. I should say, the GRIT team, we have the DFIR team that has been doing great things for quite some time. We're expanding on a lot of the capabilities that we have there, and we'll be releasing a lot of blogs on how to be able to do incident response a lot faster, with various different open-source tools to make sure that anybody can kind of come out here and make sure that you're doing it the right way. But on the on the GRIT side, on the GuidePoint Research and Intelligence Team side, they came up with a whole new set of services that people can be able to utilize to do the things that we're talking about right now, whether that's helping track or basically put together your entire threat intelligence capability. Whether that's tracking various different actor groups, or threat modeling that in your own group, or just helping you run your TIP, your threat intelligence platform. Or understanding what attack surface monitoring looks like, as well as combining that kind of intelligence with some of the stuff that you can find on the dark web. To really see what you look like from an attacker's mentality.

[00:37:45] CS: Yeah. Oh, that's awesome. One last question. Very important. If our listeners want to connect and learn more about Tony Cook and GuidePoint Security, where should they go online?

[00:37:53] TC: There's guidepointsecurity.com. We also have grit.guidepointsecurity.com, which will take you straight to a nice little blog post of everything that we have out and threat [inaudible 00:38:02] that we've released. Feel free to do that.

[00:38:05] CS: I like the threat report that you sent me, like stuff like that's over there, right?

[00:38:10] TC: Absolutely. I'm @CaptainCook 32 on Twitter, if you want to be able to reach out from there.

[00:38:16] CS: Nice. Tony Cook, thanks for your time and all these great stories. It's been a pleasure.

[00:38:20] TC: Thanks, Chris. I really appreciate your time.

[00:38:22] CS: As always, I like to thank you all for listening to and watching the Cyber Work podcast on a record-breaking scale. In 2022, we've broken off all possible stretch goals, and we've just had a ton of new people come on board and we're delighted to have you all along for the ride. Before we go, I want to remind you to go to infosecinstitute.com/free to get your free Cybersecurity Talent Development eBook. It's got in-depth training plans for the 12 most common roles including SOC analyst, penetration tester, cloud security engineer, risk information, risk analyst, privacy manager, secure coder, and more. We took notes from employers and a team of subject matter experts to build training plans that align with the most in-demand skills. You can use the plans as is, or customize them to create unique training plan that aligns with your unique career goals.

Once again, if you're interested in any of the stuff we talked about today, go to infosecinstitute.com/free, or click the link in the description, I assume is down here, and get your free training plans, plus many more free resources for Cyber Work listeners. Do it. Infosecinstitute.com/free. Thanks very much once again to Tony Cook, and GuidePoint Security, and thank you all for watching and listening. We'll speak to you next week.

[00:39:28] TC: Appreciate it. See you.