WatchGuard CSO: ‘Hackers Don’t Break In, They Log In’

‘Nowadays I’m so sick of talking about ransomware, but let’s face it, it’s the payload of choice if I’m a cybercriminal,’ says Corey Nachreiner, CSO for WatchGuard.


There’s no single defense that will protect a company completely, but having multiple layers of defense is the best bet to stop a ransomware attack, according to Corey Nachreiner, CSO of Seattle-based network security firm WatchGuard.

Nachreiner gave an overview of supply chain attacks, big game ransomware and how end users can better protect their companies from falling victim at The Channel Company’s Midsize Enterprise Summit in Dallas, Texas.

Defense platforms include endpoint protection and response, multi-factor authentication, advanced anti-malware and user and entity behavior analytics.


“Hackers don’t break in, they log in,” he said, explaining why multi-factor authentication is critical and how every employee within a company should be required to use it.

The reuse of passwords is also an easy way for a threat actor to get in and laterally move around a domain.


“Security is no silver bullet,” he said. “You want them all, so look for companies that have a single pane of glass.”

He pointed to larger ransomware attacks, like SolarWinds and Kaseya, and how those supply chain attacks “trickle down to everyone.”

“Nowadays I’m so sick of talking about ransomware, but let’s face it, it’s the payload of choice if I’m a cybercriminal,” he said. “If my goal is to monetize, I can steal your software keys. I can throw a crypto miner on your computer…but that’s chump change. Ransomware is the way they make money. The biggest evolution is big game ransomware.”

He said three years ago, ransomware attacks were shotgun attacks where threat actors “would shoot everyone in its path.”

“I don’t care if a grandma in Kansas got it or an organization got it,” he said. “I would ask everyone for $300 in cryptocurrency, and even the grandma has pictures of her grandchildren she wants to get back.”

But all that has changed, he said. Threat actors have become much more sophisticated in who they target and when.

“When I say big game ransomware, they’re specifically looking for profiles of victims,” he said. “They started with health care. If I can encrypt all your patient records at a hospital, your surgeons can’t do surgery. They may not be able to know what allergies you have for the anesthesia or whatnot.”

And any organization with a high need for uptime has a high likelihood of paying a ransom, he said. Before, cybercriminals only demanded a few hundred dollars’ worth of bitcoin. Now they’re demanding millions.

Today, the average ransom demand is between $5 million and $15 million, he said. And they’re not just encrypting files; they’re practicing double and triple extortion.

“They steal all your files and they will put up proof of your files,” he said. “They’ll share excerpts of it and show screenshots.”

They then threaten to leak the data and/or screenshots to the public so that everyone can see your customers’ sensitive information.

To prevent that from happening, he stressed the importance of business continuity and disaster recovery plans.

“Making sure you have a way to do business in the worst-case events where you lose all your production servers is very, very critical,” he said.

Having backups and legal counsel on hand is also sound preparation for when, not if, a ransomware attack happens.

End users also learned about the paradigm of three: always keep two or three copies of data, with two backups and one of them offline.

“Ransomware attacks, they could come in in so many different ways,” Nachreiner said. “It could be a simple phishing email, it could be someone going to the wrong website, or it could be these more advanced attacks.”

For Jim Hicks, IT leader for Flair Airlines Ltd., a Canadian budget airline, the multi-factor authentication aspect stood out most.

“It’s one area that I think a lot of us are just taking for granted,” he said. “We really need to preserve and protect our resources that way by providing that additional layer.”

Nachreiner’s session also made Hicks realize how prevalent ransomware attacks are at the MSP level.

“The threat is really real,” Hicks told CRN. “So I’m looking at some hardened ideas that we can change within our own network. The biggest concern is we protect not only our people and files, and I think that’s really where a lot of the risk is, but we have a lot of assets such as aircraft. Everything is electronic. If we do not protect things from a safety perspective and a security perspective, then those can affect lives. That’s really, really evident in the industry that I’m in.”