Cybersecurity Incident Response at Thermo Fisher: How the Ransomware Landscape Has Evolved
In this week’s episode of the Future of Threat Intelligence Podcast, Eli Woodward is joined by Matt McKnew, the Senior Manager of Incident Response at Thermo Fisher Scientific. With over 25 years of experience in the IT and security space, McKnew has seen it all—from cutting his teeth in response to the Nimda worm in 2001 to current security initiatives against DPRK remote workers.
In this week’s pod, Eli plunges into the depths of McKnew's experience. Together, they discuss how incident response and threat intelligence have evolved, how the ransomware landscape has shifted, what organizations need to know about insider threats, and more.
How incident response and threat intelligence have evolved
Over the decades McKnew has been involved in the security space, he has seen the evolution of incident response and cyber threat intelligence first hand. As these fields matured, proper procedures were put in place, a far cry from the Wild West days of how these conversations used to take place.
When McKnew was first starting out, conversations around intelligence would go something like “hey, there's something wrong, what is wrong? I think it's security related, what do we do now?” he shared. Incident response was in a similar scramble state.
“Incident responses were like driving the race car down the track while you're trying to change the tires on it, and by the way, the car's on fire,” says McKnew.
However, as the fields evolved and practitioners gained more experience, the policies and procedures in place greatly improved. This was largely a forced evolution: McKnew notes that a lack of structure, standardization, consistency, and documentation in IR plans, policies, and procedures leads to a longer tail on an incident.
Better structure, and in particular playbooks and documentation, has greatly sped up IR efforts and calibrated intelligence gathering and sharing.
How the ransomware landscape has shifted
Throughout McKnew’s tenure, he also noted a significant shift within the ransomware landscape. When ransomware first emerged onto the scene, it was often clunky and unreliable. Extortion and encryption attempts did not always succeed. It was a known occurrence that encrypted files would become corrupted and could not be decrypted, even if a victim paid the ransom.
This has changed as the ransomware and extortion actors have become more sophisticated and turned their operations into full-fledged businesses. This shift coincided with the ever-increasing operational tempo of ransomware operations, as well as the financial incentives of the crime. This, in turn, creates a feedback cycle in which ransomware operators can continue to become more sophisticated.
McKnew points to Clop as an example of a ransomware group that, despite being financially motivated, has the sophistication of a nation-state APT group. Within the last year, McKnew notes, Clop used six zero-day vulnerabilities to achieve their objectives. This marks a significant rise in sophistication from typical ransomware groups and a maturation of the landscape.
These changes have likewise led to the deeper sophistication of the ransomware-as-a-service model. This ecosystem borrows heavily from the software-as-a-service model. It typically involves multiple layers, including ransomware developers and owners, who then lease out their ransomware to different attackers. This allows for increased targeting and operational tempo, a decrease in risk for the ransomware developers, and an increase in attack capability for threat actors who may not otherwise be able to develop their own ransomware.
What organizations need to know about insider threats
McKnew notes that there has been an increase in insider threat cases, and that case counts appear to be continuing to rise. This activity can be devastating to an affected organization. Recent examples McKnew highlighted included a cybersecurity executive selling zero-day vulnerabilities to a Russian contact, consultants running ransomware as a side business, and employees exfiltrating sensitive intellectual property before leaving for a competitor.
Most insider threats are driven by financial motivation, although there are examples of insiders carrying out their activities out of anger or a desire for revenge against the targeted organization.
Insiders who act for money typically succeed by targeting weak processes. For instance, McKnew notes that threat actors learn quickly and evolve, targeting process vulnerabilities in areas like HR and employee engagement, whose participants may not be technically savvy.
This is also a feature of DPRK fake IT worker scams. These scams often target the hiring process to get a foot in the door of the targeted organization.
In general, McKnew believes that the focus on usability over security has created vulnerabilities that threat actors can exploit.
McKnew left us with one final takeaway. Stay curious. If something in your environment doesn't make sense, interrogate it until it does.
Listen to the full episode of the Future of Threat Intelligence Podcast with Matt McKnew, Senior Manager of Incident Response at Thermo Fisher Scientific.