NetDiligence® is excited to announce its newest virtual program, the Cyber Risk Canada Series. Beginning April 26, this four-day program features 37 experts from industry and government. In anticipation, NetD interviewed Jen Miller-Osborn, Deputy Director of Threat Intelligence for Unit 42 at Palo Alto Networks. PANW acquired Crypsis Group in September 2020. Miller-Osborn will appear on the panel, “Security Threat Trends in the Canadian Market,” on April 28.
NetD: Good afternoon, Jen, and welcome! Let’s start with an introduction. Can you tell us about your background and how your expertise meshes with the other panelists?
JMO: Of course. I’ve been in cyber threat intelligence for over 20 years, beginning in the US Air Force and eventually becoming a subject matter expert to multiple US federal agencies. At PANW, I lead a team tasked with detecting, identifying and differentiating between cyber espionage and cybercrime actors and groups, and with sharing that threat intelligence with the world.
My expertise is focused on how and why a threat group operates, how to stop them, and – ideally – how to get them arrested. I’m looking forward to chatting with peers in related industries to understand what the threat landscape looks like from their perspectives, especially regarding cyber insurance, which is becoming an increasingly important and complicated issue.
NetD: How do you see recent events such as SolarWinds and Microsoft Exchange changing the conversation around threat vectors and vulnerabilities?
JMO: Security in the supply chain is critically important, and vendors providing technology products and services must be held to a high standard, because companies rely on technology solutions to perform as intended. We at PANW are keenly aware of this and embrace those standards. That being said, supply chain attacks on technology products and services aren’t really new — a case in point is the way remote services used by MSPs were exploited in early 2019 and 2020. The SolarWinds compromise and MS Exchange vulnerabilities are recent examples, but we expect this trend to continue, since it provides an aggregated source of potential victims for threat actors deploying commodity malware and ransomware to quickly monetize their efforts. The attacks highlight the necessity of zero trust architecture and solid security posture spanning different parts of a network.
NetD: Tell us about the 2021 Unit 42 Ransomware Threat Report.
JMO: In March 2021, PANW published the 2021 Unit 42 Ransomware Threat Report, an analysis of the ransomware threat landscape in 2020, based on insights from the Unit 42 threat intelligence team and the Crypsis incident response team. It details the top ransomware variants, average ransomware payments, ransomware predictions, and actionable next steps to immediately reduce ransomware risk.
NetD: Can you share some details?
JMO: First, cybercriminals got greedier in 2020. The average ransom paid nearly tripled from 2019 to 2020, a 171% year-over-year increase. Similarly, both the highest known demand and the highest known paid ransom doubled in 2020. Second, we saw an increase in “double extortion,” where gangs not only encrypted data but also threatened to post stolen data on leak sites. Finally – and no surprise here – we see healthcare as the most targeted sector, in part due to COVID-19. The US government has recognized this, with the FBI, HHS, and DHS issuing a joint advisory warning of ransomware activity against the healthcare industry. On a positive note, the joint international takedown of Netwalker infrastructure and the Microsoft-led interdiction of Emotet infrastructure point to an increased international focus on stopping these attackers.
NetD: How is PANW building its capabilities to better serve the insurance carrier market?
JMO: The Crypsis team works closely with the Unit 42 threat intelligence team to elucidate the latest cybersecurity risks and trends and to provide this insight to insurance carriers, their policyholders, and any direct customers shared by insurance carriers and Palo Alto Networks. Sharing this level of threat intelligence with the wider security community and the insurance industry increases awareness of the types of threats that insureds face. It also assists the underwriting community to drive actionable dialogues with potential applicants and current policyholders as the need for cyber insurance increases each year within the larger corporate community.
NetD: Do you have insights specific to the threat landscape in Canada?
JMO: Our work in response to ransomware incidents impacting Canadian companies shows a recent increase in CLOP, Conti, Sodinokibi and DarkSide ransomware variants. We’ve observed variants like Black Kingdom, DearCry and others using Microsoft Exchange vulnerabilities as a means of obtaining initial access to environments; however, intelligence captured through Expanse shows a much smaller population of vulnerable Exchange servers in Canada relative to the larger international footprint.
There has been a recent increase in the exploitation of MS Exchange vulnerabilities in Canada, but the initial methods of access remain consistent across all ransomware cases internationally, primarily consisting of remote services like RDP or phishing with malicious links or attachments distributed on a wide scale.
Canadian companies have encountered the “double extortion” threat. The 2021 Unit 42 Ransomware Threat Report showed 39 cases where Canadian companies – ranging from construction to financial to aerospace/defense – suffered data leaks.
On a positive note, we have found Canadian companies more open – relative to their US counterparts – to post-incident dialogues which can reveal how an incident unfolded and can create actionable steps towards improving security posture. The security community in Canada has seemingly created an arena where improvements in security are shared and discussed openly, a model which we also value at Crypsis and Unit 42.
NetD: Thank you, Jen, for your time and insights! We are looking forward to hearing more from you on April 28, and to checking out the other series topics throughout the week. We also want to thank Palo Alto Networks for sponsoring this event.
The series will be available on-demand at the same link after its initial broadcast.