Mark Fabro works in a small but critical cybersecurity niche. He’s president and chief security scientist of Toronto-based Lofty Perch, which helps companies that are part of a country’s critical infrastructure protect operational technology. But his ideas are broad and wide-ranging, and the implications will be of interest far beyond his clients—or the engineers he teaches at places like Carnegie Mellon University’s Heinz College.
In a lengthy interview, Fabro talked about the differences between companies he’s worked with that were well prepared to deal with ransomware attacks, and the businesses that were not. He also described how those differences played out.
The longer we spoke, the more apparent it became that his job requires not just technical skills, but an understanding of psychology. The reason is simple. Executives unwilling to entertain new ideas can inhibit their companies’ ability to adopt new solutions. For example, when some people hear the word “blockchain,” they immediately think of the cryptocurrency that enables ransomware payments. And they never consider the innovative ways different blockchain technology can be used to protect against the same attacks. Fabro endeavors to help his clients explore all of their options, he said.
Since its founding in 2005, Lofty Perch has helped clients understand and respond to risks that may not be picked up by traditional cybersecurity programs. Most of Fabro’s 15 colleagues are engineers, and their work often begins with advanced assessments and analyses designed to help clients understand what damage a competent adversary could exact, given the opportunity. “And this is unique in the landscape,” Fabro said, “because it helps uncover things that may have been traditionally seen as benign by an organization.”
Different Responses to Ransomware
Ransomware attacks continue to command the attention of security teams, who have reason to feel vulnerable. Companies that are ill-prepared to defend against them often spend a lot of time trying, Fabro said. Many have a response protocol in place, “but it hasn’t been vetted and tested in a scenario-driven environment,” he noted. “They haven’t run a tabletop to actually see whether or not things were going to work.” The result is often “chaotic,” he said. “It’s difficult to watch because you are seeing the ramifications of an awful lot of preparatory work not fulfill its promise.”
By contrast, the organization that’s prepared for a ransomware attack has practiced, has run through the scenarios. In some cases, Fabro said, the preparation was a previous attack that occurred when the company was not primed. As a result, it modified its response plan and worked out the kinks. When it happens again, the defenders are likely to be much more calm, he said.
Their preparation and emotions produce divergent reactions. The ill-prepared firm often reacts with frustration, Fabro explained. “I don’t really want to know what happened,” they say. “Let’s just get back up and running.” The team that’s ready is likely to get back faster, “and almost concurrently they can begin to do the analysis specific to, ‘How did it happen?’” And then they “plug those holes and mitigate that risk,” he said.
In one respect the two groups are similar. They do not spend time ruminating on who did it, or why, Fabro said. As far as he can tell, their focus is on dealing with the reality they’re facing.
Lofty Perch does not advise clients whether to pay the ransom demanded. “We don’t really deal with that at all,” Fabro said, “because they’ve got some other function with law enforcement or lawyers. That’s not us.” But the consultants do offer advice about the crucial matter of backups. And this may involve delicate conversations.
Blockchain for Backups
Clients in heavily regulated industries sometimes find that auditors and regulators want to see verification that the backup a company has restored is sound. Fabro has found that clients sometimes field a series of probing questions: “What’s your level of attestation? How can you confirm that this data that you’re bringing back hasn’t been seen, hasn’t been touched? And when you put it back in the system, it’s actually going to do what it’s supposed to do?”
There’s one method that Fabro said is failsafe: backing up using blockchain technology. A company takes its data, whether medical information, contracts or design secrets, and backs it up locally (as most already do). It then moves a copy of the same data to a blockchain, and finally takes the information that explains how to access that data and secures it in a second blockchain.
What’s the payoff? “Nobody can see it. Nobody can touch it. Nobody can read it. Nobody can get it,” Fabro said. This provides “a mathematical guarantee that the data hasn’t been seen and hasn’t been touched.”
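The attestation an auditor asks for ("hasn't been touched") rests on an append-only record in which each entry commits to the previous one. The following Python sketch is an added illustration, not code from the article or from Lofty Perch: a minimal hash chain standing in for the blockchain's ledger, with one chain for backup snapshots and a second for the access records, as the article describes. It assumes the backup blobs are already encrypted before they are hashed (the "nobody can read it" property comes from that encryption, not from the chain), and every snapshot id, timestamp and blob below is constructed sample data.

```python
"""Tamper-evident backup ledger: a hash chain that lets a restored backup be attested."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_hash of the first entry


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class LedgerEntry:
    index: int
    timestamp: str
    snapshot_id: str
    content_hash: str  # SHA-256 of the (already encrypted) backup blob
    prev_hash: str     # entry_hash of the previous entry, GENESIS for the first
    entry_hash: str    # commitment over all fields above


def _entry_hash(index: int, timestamp: str, snapshot_id: str,
                content_hash: str, prev_hash: str) -> str:
    # Canonical JSON so the same fields always hash the same way.
    payload = json.dumps([index, timestamp, snapshot_id, content_hash, prev_hash],
                         separators=(",", ":")).encode()
    return digest(payload)


class BackupLedger:
    """Append-only chain of snapshot commitments (stand-in for a blockchain)."""

    def __init__(self) -> None:
        self.entries: list[LedgerEntry] = []

    def append(self, timestamp: str, snapshot_id: str, blob: bytes) -> LedgerEntry:
        index = len(self.entries)
        prev_hash = GENESIS if index == 0 else self.entries[-1].entry_hash
        content_hash = digest(blob)
        entry = LedgerEntry(index, timestamp, snapshot_id, content_hash, prev_hash,
                            _entry_hash(index, timestamp, snapshot_id, content_hash, prev_hash))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> tuple[bool, int]:
        """Return (True, -1) if intact, else (False, index of the first bad entry)."""
        for i, e in enumerate(self.entries):
            expected_prev = GENESIS if i == 0 else self.entries[i - 1].entry_hash
            recomputed = _entry_hash(e.index, e.timestamp, e.snapshot_id,
                                     e.content_hash, e.prev_hash)
            if e.index != i or e.prev_hash != expected_prev or recomputed != e.entry_hash:
                return False, i
        return True, -1

    def attest_restore(self, snapshot_id: str, blob: bytes) -> bool:
        """Attest that the blob being restored matches the recorded snapshot
        and that the record itself has not been altered since it was written."""
        ok, _ = self.verify_chain()
        if not ok:
            return False
        for e in self.entries:
            if e.snapshot_id == snapshot_id:
                return e.content_hash == digest(blob)
        return False  # unknown snapshot: nothing to attest against


def demo() -> dict:
    # Constructed sample snapshots; in practice each blob is an encrypted backup image.
    data = BackupLedger()
    data.append("2024-01-01T05:00:00Z", "snap-001", b"constructed encrypted blob 1")
    data.append("2024-01-02T05:00:00Z", "snap-002", b"constructed encrypted blob 2")
    # Second chain: records describing how to reach the data (e.g. a key envelope),
    # kept separate from the snapshot chain as the article describes.
    access = BackupLedger()
    access.append("2024-01-02T05:00:01Z", "access-snap-002", b"constructed key envelope")

    clean = data.attest_restore("snap-002", b"constructed encrypted blob 2")
    swapped = data.attest_restore("snap-002", b"constructed encrypted blob X")
    # Simulate an attacker editing the ledger record for the first snapshot.
    data.entries[0].content_hash = "00" * 32
    return {"clean": clean, "swapped_blob": swapped,
            "chain_after_edit": data.verify_chain(), "access_chain": access.verify_chain()}


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this is that `attest_restore` answers both of the auditor's questions at once: the blob hashes to what was recorded at backup time, and the record sits in an unbroken chain, so a later edit to any entry shows up at `verify_chain`. Confidentiality is a separate property, supplied by encrypting the blob before it is committed.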
Fabro quickly added some caveats. This pitch doesn’t appeal to all companies. Some don’t want that level of security. Or need it. “There’s a lot of people that just want some data back up and running,” Fabro said.
But Lofty Perch is constantly looking for new solutions, he continued. And this approach is not designed “to replace your backup or your storage solution. This is something to augment and complement a preexisting backup capability for a larger, more secure archive.” It’s a protection, he said, against a ransomware attack or some physical event—whether natural or human-made—that destroys a company’s servers.
As for the nuts and bolts, it’s easy to do. It can be set to update automatically every day at 5:00, or every 10 minutes, Fabro said. He would not offer a range of costs, but he did say that “storage is not very expensive”—especially compared to the potential price tag of lost data.
A Matter of Psychology
This doesn’t make the concept an easy sell. Fabro acknowledged three reasons why. First, when executives hear “blockchain,” many associate the technology with bitcoin, the cryptocurrency you must pay to decrypt your data after a ransomware attack. That’s an unmitigated negative. Second, they already have cloud storage and backups. The executive may be thinking, “I’ve already got that in place. I paid for it. I checked the boxes. I know it works and it’s reliable.” Third, the idea is unfamiliar. When told of it, the executive may think (whether or not it’s articulated): “You’re using words I don’t actually know. And I can’t quite understand how it supports anything that I would actually need.”
It’s that third hurdle—the novelty—that requires a delicate conversation. And that’s where psychology enters the picture “because there’s no question of the technology,” Fabro said. “It’s how to get the buy-in from the senior level executives to think a little bit differently.” What drives the need for innovation, he explained, is the “rapidly changing threat landscape.” The adversaries have led the way, consistently catching defenders off-guard. Getting executives to consider new options, however, involves luring them out of their “comfort zones.” This requires a dialogue in a language they understand, he said.
The technical conversations can come later, and they’re easy because the Lofty Perch engineers are comfortable talking with the client’s CISO and IT professionals. That’s their sweet spot. “When we’re delivering our work,” Fabro said, “our customers who are engineers are interfacing with actual engineers.”
But none of that happens unless the C-level leaders are willing to move beyond conventional wisdom and older approaches. He believes the current climate is helping convince executives to consider new options and do just that.