The ransomware landscape is ever-evolving, and it can seem as though there is a new headline about a breach, extortion demand or fallout after an attack every day. But how can security leaders build cyber resilience?
Here, we talk to Justin Shattuck, Chief Information Security Officer (CISO) at Resilience.
Security magazine: Tell us about your title and background.
Shattuck: I currently serve as the CISO for Resilience, a cyber risk company bridging the divide between cyber insurance, risk management and cybersecurity. I’ve been at Resilience since 2020, previously serving as Vice President of Security Operations and Principal Security Engineer.
I’ve been a threat hunter for most of my career. Prior to Resilience, I served in threat research leadership roles at Baffin Bay Networks and F5. I also founded Loryka, which was later acquired by Baffin Bay. With more than 20 years of experience in security product development and threat research, I’ve always been drawn to hard problems — they’re what get me out of bed in the morning. Understanding how we help companies stop chasing threats, but also strategically shift the game, is as hard a problem as it gets.
Security: How has the ransomware landscape changed over the past few years? What do these shifts mean for the cybersecurity industry?
Shattuck: The ransomware crisis has expanded both in scale and scope over the last few years. It’s impossible to read the news each morning without seeing a headline about a new breach, extortion demand or lingering fallout after an attack.
In fact, based on internal data of client incidents and public extortion demand data from Chainalysis, 2023 is poised to be one of the most prolific years for ransomware. Even though fewer companies across the board are choosing to pay ransoms, hackers are shifting their strategies accordingly, with a renewed focus on targeting bigger companies that can afford bigger payments. It’s likely that 2024 will be even worse. The geopolitical uncertainty we’re witnessing could bring new state-backed threat actors into the fold, and generative AI may continue to make hacking operations easier than ever to carry out.
The bottom line is that ransomware is worsening — but mitigation strategies have remained stagnant. As a result, ransoms keep getting paid, threat actors become more emboldened and we continue to live in fear. This is a difficult cycle, and I believe we need a complete paradigm shift to halt it once and for all.
Security: How is this evolving threat landscape shifting how you think about cyber risk?
Shattuck: Cyber risk has traditionally been thought of in black-and-white terms: have we been hacked, or are we safe? But the ransomware playbook keeps changing, and hackers manage to stay several steps ahead of us. We need a more nuanced approach. Specifically, we need to start conceptualizing cyber hygiene as an integrated component of a broader risk management strategy.
The first and most important step in this process is recognizing that ransomware is inevitable. We can try to prevent attacks at the source all we want, but the truth of the matter is that becoming 100% secure is an impossibility. Once companies can learn to live with this reality, they can finally start building a truly comprehensive mitigation strategy. They can make informed calculations about how at-risk they are, based on industry and typical attack patterns; how critical and therefore limited their operations would be after a hypothetical attack; and what the financial repercussions might be. Based on those variables, each company can confidently invest in the cybersecurity tools necessary to plug any existing gaps — and go forth knowing that even in the event of an attack, they would essentially be immune to the most devastating fallout.
This kind of risk calculation requires increased internal collaboration. Across industries, cybersecurity has historically been siloed from risk management and financial operations. But this segmentation has only led to deep disconnects that make cyber risk planning infinitely harder and more inefficient. Actively breaking down those barriers and prioritizing joint cyber hygiene work is the key to reducing risk and unlocking comprehensive attack mitigation.
Security: How can companies limit financial fallout from a breach?
Shattuck: Cyber hygiene is a crucial factor when it comes to limiting financial fallout after a breach. If a company thinks of ransomware as inevitable, and has proactively put the proper controls and strategies in place, the frantic need to pay a ransom decreases significantly. This enables companies to display a show of force against hackers, who are primarily motivated by monetary gain.
Threat actors thrive on notoriety, public fear and ultimately, financial gain. But if companies can build up their cyber hygiene, assess their real risk and put the right controls in place, they can essentially become bulletproof to any inevitable attack that arises. Hacks will still happen — they just won’t make headlines. And as a result, hackers themselves will lose their main incentives to continue wreaking havoc on society.
Security: What do you predict for the cybersecurity industry in 2024?
Shattuck: Resilience’s own data shows that threat actors are constantly evolving and getting smarter. In 2024, I predict that hackers will uplevel their attacks against identity providers (as we saw with the recent Okta breach), and continue to target third-party vendors (so they can significantly increase the scale of an attack to hit hundreds or even thousands of companies at once). This is all cause for concern, because adversaries are learning to target infrastructure that many companies trust to secure them.
In addition, I see both concern and promise when it comes to AI in cybersecurity. On the one hand, hackers are likely going to continue to leverage large language models (LLMs) for social engineering in order to accelerate time to ransom. But on the other hand, generative AI can help organizations identify potential security vulnerabilities more efficiently, and even help notice new tactics or patterns that threat actors are using.
Lastly, I predict more attempts from hackers to extort victim organizations without the use of ransomware, but rather by applying pressure elsewhere through regulatory and compliance levers. For instance, we recently witnessed a malicious actor supplying the SEC with a complaint against an organization they were extorting in an attempt to pressure or to retaliate.