Repelling A Ransomware Attack: James Campbell Of Cado Security On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack
Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?
In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing James Campbell of Cado Security.
James has over 14 years’ experience in helping global organisations tackle sophisticated cyber espionage and criminal campaigns. James has a deep passion for cyber incident response, forensics and cyber crisis. His background includes a career in intelligence previously leading Australia’s National Incident Response capability as the Assistant Director of Operations at the Australian Signals Directorate.
After moving to the UK in 2013, James started working with PwC to help build and lead the Cyber Incident Response service. As a Director within the PwC cyber practice, he worked with his team on unveiling the APT10 Cloudhopper cyber espionage campaign, as well as helping many global organisations investigate, isolate and mitigate significant compromises.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Sydney, Australia, with my incredible dad. We moved to a small surfing town just north of Sydney, known as the Central Coast, when I began high school. The Central Coast is not known as a place where people grow up to be cybersecurity professionals, and it was certainly one of the last places to get decent internet; however, the sun and beaches made up for it.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I was inspired to pursue a career in cybersecurity back in high school. During that time, several of my mates were also into tech. We loved playing with computers and learning how cyber attackers operated. As I grew older, I became very interested in figuring out how to STOP hackers from infiltrating systems, which is what led me to my career.
Can you share the most interesting story that happened to you since you began this fascinating career?
Other than starting a company during a global pandemic, which is certainly a highlight, it’s hard to choose the most interesting story. I think at each stage of my career, I have met so many amazing people and have had countless crazy moments, many of which I can’t publicly disclose. However, picture getting a call that requires you to be on an airplane within 40 minutes and calling your girlfriend apologizing because you won’t be able to make it for dinner (but you’re unable to share where you’re going or for how long). Exciting, yes, but not great for relationships. I’ve helped put some really bad people in jail, contributed to decisions that had national and global impacts, and even acted as a shoulder to cry on for organizations that fell victim to major ransomware incidents — so many great stories, worthy of a beer at the pub. And I know there are many more to come, so I am looking forward to that.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
Three character traits would be curiosity and passion, resiliency and being unafraid, and knowing strengths/embracing others.
Curiosity and passion
I was curious and passionate about computers from an early age. And this was a time when not everyone had a computer, and even those who had one did not necessarily have easy access to the internet. My mates and I loved setting up little networks — our local area networks (LANs) — and playing with computers. We learned how computers worked in our free time and familiarized ourselves with hackers’ tactics and strategies to break into them. As I grew older, I became very interested in how to STOP hackers from infiltrating systems. My curiosity and passion not only shaped my career path, but continue to drive how Cado Security operates today.
Resiliency and being unafraid
Despite the fact that it was hard to leave my comfortable job in the midst of a global pandemic, my co-founder and I had the energy and vision to start a cloud security company. Don’t get me wrong, it was scary, and everyone told us we were crazy. But we had a plan — so nothing could stop us. I think it’s important to understand that there will always be ups and downs in really anything you do, and to see this as an opportunity to learn quickly and achieve greater success because of it.
Knowing your strengths and embracing others
I’ve found that the most successful teams I’ve built are comprised of team members with very different, but complementary strengths. It’s important to know your strengths, so you can maximize them. Also, know your weaknesses, so you can utilize the resources around you to help you tackle them. The great thing about the cybersecurity community is that everyone is always sharing their experiences, the valuable lessons they’ve learned, and best practices for continuously improving and evolving.
Are you working on any exciting new projects now? How do you think that will help people?
My co-founder, Chris Doman, and I founded Cado Security in 2020 to revolutionize cloud investigations and incident response. By building the first cloud investigation platform that effortlessly delivers forensic-level detail and unprecedented context at cloud speed, our mission is to empower security teams with a smarter and faster way to respond to cyber incidents in the cloud.
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?
With over 13 years of experience helping organizations tackle sophisticated cyberattacks, I have a deep passion for incident response. Before founding Cado Security, I helped build out the Cyber Incident Response service at PwC. Prior to that, I led Australia’s National Incident Response capability as the Assistant Director of Operations at the Australian Signals Directorate. Throughout my career, I’ve assisted many businesses that were impacted by ransomware — everything from traditional ransom and double extortion cases to disruptive ransomware campaigns that sought to disrupt and degrade systems and services.
Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?
In the early days, ransomware typically targeted individual end users (via phishing emails and drive-by downloads) versus companies and businesses. This wasn’t extremely lucrative, of course, leading to a shift in target. Ransomware actors began targeting enterprises, encrypting business data at scale, and completely disrupting their services. Initially, the attacks were relatively basic, but later on, attackers began to learn about the victim’s network in great detail, enabling them to spread ransomware more efficiently, make the largest impact, and increase the likelihood of payout. From there, there was an evolution to include data extortion and exposure. This entails ransomware actors exfiltrating large amounts of data before executing the ransomware and threatening to leak the data if the ransom is not paid. Ransomware has also become a commodity business, such as Ransomware-as-a-Service.
Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?
Ransomware doesn’t play favorites in today’s society — so both enterprises and individuals need to be on the lookout and protect themselves. Attackers generally target their victims based on the following criteria, which are helpful to keep in mind:
Revenue — looking to target victims that can pay the ransom.
Geography — located in countries that the ransomware attacker doesn’t operate in.
Sectors — where the victim stores data that is sensitive and critical to business operations, including support to other companies or organizations.
Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?
This depends on a number of factors and the level of impact. Consider first briefing your own internal teams and activating your incident response and crisis plans. This will likely also activate communication with your insurance firm, legal department, and any retained cybersecurity experts. It also may be beneficial to notify your local law enforcement or national computer emergency response team.
If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?
Performing a thorough forensics investigation is absolutely critical to identifying the true scope and impact and preventing future breaches. As we’ve seen, ransomware operators are known to execute repeat ransomware attacks by targeting the same victim twice using the knowledge they gained or the tools they left behind from the initial intrusion. I can’t stress enough how imperative it is to retrace the attacker’s every move and identify how the attacker gained entry and how they were able to set up the ransomware distribution and execution. In addition, it’s essential to identify all accounts, systems, and credentials that were compromised and the method of exploitation to ensure you’ve resolved all vulnerabilities and completely removed the attacker’s access.
Should a victim pay the ransom? Please explain what you mean with an example or story.
No! We strongly advise against negotiating with criminals unless the threat could substantially impact operations or is a threat to life. It is important to note that paying the ransom and receiving the key doesn’t make recovery easier. It can be a long, treacherous journey to get back up and running regardless — it’s not an automated process. Further, paying the ransom is not always a guarantee you will retrieve all your data back or that the data won’t be corrupted.
With that said, in one of the ransomware cases I worked on, the encrypted data and the backups that were destroyed were so critical to the company’s day-to-day operations that they had to pay the ransom. There was truly no other option. However, in most other cases, it’s more about the speed at which you bring the system back up, and paying the ransom is not going to change that.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
Three mistakes come to mind:
Not patching vulnerabilities. Log4j is a fitting example of the severity of a vulnerability and the impact such vulnerabilities can have on companies.
Not doing thorough investigations. For example, you could receive a detection that doesn’t look very high severity and wipe the box, but the attackers have already moved on and obtained credentials for other systems.
Poor identity and access management. Zero-day vulnerabilities have shown how vital it is for organizations to have practical security foundations in place and the tools to maintain a strong security posture.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
The community can continue to raise awareness around security best practices and share ransomware tips in general. With these efforts, it is always important to ensure shared advice is easily understood and consumable for less security-mature organizations. Additionally, the community can help by disclosing information to the government and law enforcement to disrupt and prosecute attacker activity. Lastly, I’ll add that the community should discuss the benefits vs. the adverse impacts of paying the ransom. If ransomware continues to be a lucrative endeavor, there’s no end in sight.
Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)
Educate the organization. Educate users on cyber threats and on what they need to be mindful of and on the lookout for (e.g., phishing campaigns, drive-by downloads). This alone can make a huge difference.
Ensure vulnerabilities and external-facing services are patched and secure. Vulnerabilities leave organizations exposed to data breaches, financial losses, and compromise — deploying patches as soon as they are issued is essential to keeping an organization secure.
Be prepared. Have a well-thought-out incident response/crisis and communications plan with defined roles and responsibilities mapped out to limit the overall impact should the worst occur.
Be careful of alert fatigue. Don’t let the volume of alerts discourage you from performing thorough investigations more often.
Educate your security teams or external incident response service providers. Ensure they know how ransomware operators operate. You can’t just rely on detection tools. After initial access, we generally see attackers “living off the land” vs. using malware to progress their attack. It’s also important to keep an eye out for the early signs of ransomware such as Cobalt Strike, lateral movement, data exfiltration, etc.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be?
The advancements in technology, particularly the cloud, have made life much better. However, the new tech landscape has caused security concerns for the general population. I would love to make security easier, more accessible, and less scary for everyone.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!