Unmasking Cybercrime: Trevor Hilligoss on Tackling Infostealers and Ransomware, Part I


About this Episode

This week, hosts Rachael Lyon and Jonathan Knepher dive deep into the world of cybercrime with Trevor Hilligoss, Senior Vice President of SpyCloud Labs at SpyCloud. Trevor brings his expertise to the table, sharing insights into the intricate workings of the criminal underground, from the rise of infostealers to the evolution of cybersecurity adversaries.

 

We explore the dynamics of cybercrime enablement services and discuss the role of AI and data protection measures in combating these threats. Prepare to be captivated by Trevor's intriguing journey from the military to becoming a key player in the fight against cybercrime, and learn what it truly means to be on the frontlines of cybersecurity.


      Rachael Lyon:
      Welcome to To the Point cybersecurity podcast. Each week, join Jonathan Knepher and Rachael Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments, and our way of life. Now let's get to the point. Hello, everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon here with my co-host, Jonathan Knepher. John, hi.

      Jonathan Knepher:
      Hi. Hi, Rachael. How are you doing?

      Rachael Lyon:
      I'm doing well. But I I have to say it's been one of those weeks. I don't know if it's like that for you where on Tuesday, I thought it was Friday because so much had already happened.

      Jonathan Knepher:
      Oh, yeah. Same over here. We have been busy, busy, busy with lots going on. It's, you know, come coming, through the end of the new year with all of your all of your projects getting into high gear to to show that, you know, Q1 got everything done. Right?

      Rachael Lyon:
      That's right. That time of year, everything kicks in on on steroids for sure. But I love it. It's good to be busy, you know, kinda keeps you out of trouble. So we'll so we'll take it. So I'm really excited to welcome this week's guest, Trevor Hilligoss. He is senior vice president at SpyCloud Labs. Now they are a cybercrime research group dedicated to uncovering and analyzing intricate patterns from the criminal underground.

      Rachael Lyon:
      How cool is that? But he's also a member of the Joint Ransomware Task Force and a recipient of the President's Volunteer Service Award for service aimed at countering cyber threats, among his many, many awesome awesome, areas of expertise. So welcome. Welcome, Trevor.

      Trevor Hilligoss:
      Hey. Thanks for having me, Rachael and Jonathan.

      Rachael Lyon:
      Alright. Yes. So let's jump into this.

      Jonathan Knepher:
      Yeah. So, Trevor, thanks for joining us today. I'm super excited about our discussion here. But let's kick it off with, you know, reviewing the, the report that your team published recently. And, you know, can you go over, like, some of what were your biggest findings? And very importantly for our listeners, how do these findings, apply to organizations' approaches to cyber hygiene?

      Trevor Hilligoss:
      Yeah. Great question, Jonathan. And the report you're referencing is our 2024 Malware and Ransomware Defense Report. This is a yearly report we try to put out, to kind of educate the community, and, you know, use some of our core insights, from the data that we're collecting from the deep and dark web, and our interactions with threat actors that we all know and love. Just to kind of highlight some of the things that we think are new and novel, and are impactful. So my biggest takeaway really this year is infostealers. I think for the past couple years, it's interesting to see kind of when I started looking at infostealers back in, I guess, 2018, 2019, they weren't super I don't know. Maybe I'm the infostealer hipster.

      Trevor Hilligoss:
      That's a horrible thing to say. They weren't really, like, cool yet. Right? It was it was they weren't used all that much. People weren't all that concerned with them, at least the majority of the community. And now we've seen this massive shift. Right? In 2024, we saw the likes of LummaC2, just absolutely exploding. We saw older infostealers like RedLine, still holding strong. Obviously that changed.

      Trevor Hilligoss:
      Very happy to see last October in Operation Magnus where there was a very significant disruption of RedLine and META Stealer. But what we've seen is largely a shift. These are tools that are very attractive to a certain type of cybercriminal. They're very easy to use, they're very cheap. So when one falls, it's a bit of a hydra. We saw RedLine go down and LummaC2 and StealC popped up. So that's really my biggest takeaway is, it's all about the access. And whether you're talking about, you know, something like ransomware or, even lower, you know, tier things, we we tend not to focus on too much like BEC or, you know, some of the other kind of lower level scams.

      Trevor Hilligoss:
      It all starts with access. It's it's an information game. And and when you can run a a stealer that is I mean, it's in the name. Right? Infostealer. For for cheap, you know, it it, it unfortunately scales quite well.

      Rachael Lyon:
      So I'm I'm kinda curious, and I I feel like it's a topic we've talked a lot about, but you can't ignore the sophistication and evolution in tactics, you know, with things like AI. But, you know, malware. Right? I mean, the prevalence of this. Right? You can use AI to create new malware. We had someone at our company do that, you know, using, I think it was like ChatGPT when it first came out. You know, but what can what can organizations do to kind of mitigate this risk of, you know, kind of losing the personally identifiable information, you know, is I think there's things like keyloggers and and things like credential harvesting malware, but I think it's more much so much more sophisticated and broader than that, Trevor. And I'd be really interested in your perspective there.

      Trevor Hilligoss:
      Yeah. Yeah. Well, I think you hit the nail on the head. You know, for a long time, we we sophistication has kind of been a a a buzzword in the community, I guess. You know, we always want to talk about how sophisticated an actor is, or, you know, this is an APT, and they're they've got a, you know, cyber range set up. They're so highly sophisticated. They've replicated your network on their, you know, in their in their office in in St. Petersburg or whatever.

      Jonathan Knepher:
      Right?

       

      [05:49] Cybercrime's Evolving Accessibility

      Trevor Hilligoss:
      I actually, I kind of like turning that on its head a bit though. Because I think what's very interesting today and what has changed dramatically, I would say, over the past four to five years, is that sophistication is no longer quite as good of a barometer of success on the part of the adversary. And the reason that that is true in my view is you have so many commodity tools. We talk about the cybercrime enablement services or the cybercrime ecosystem. Right? And really, what we're talking about is a very decentralized network of criminal tooling, malware and malware adjacent tools and services that are highly available, very cheap, do not require much, if any, sophistication to really be quite dangerous with. And so what that does is it really lowers the barrier to entry. Right? So when I started in cybercrime, you know, over a decade ago, most of our threat actors, even the cybercrime threat actors, not looking at the nation state folks as much, but they were highly sophisticated. I mean, these guys were smart.

      Trevor Hilligoss:
      Right? Really, really smart. And and we certainly still have those those actors today that are that are quite intelligent and quite dangerous. But the the change is that you can be just as dangerous, if not more dangerous, as a very unsophisticated actor, with just a, you know, couple Bitcoins, not even a couple Bitcoins these days. You know, a couple hundredths of a Bitcoin. Roll it around in your crypto wallet, just enough to gain access to these tools and deploy them. So what that means for the enterprise, especially, is that, you know, your risk profile just got a lot more complicated. Because we're no longer just

      Rachael Lyon:
      worrying about the very sophisticated adversaries.

      Trevor Hilligoss:
      We're worrying about those. We obviously got to worrying about those. You know, we obviously got us to worry about those, but we're worrying about the ones that are have access to tools to be successful and really have no concern for what they damage on the way. And so, it's the little things. It's making sure that you get good at the little things. Make sure you enforce MFA, have very short cookie timeouts. You know, don't allow BYOD policies, bring your own device policies, because those are what's going to be impactful against the 99%. Right? And then ideally, that kind of frees you up financially and time wise to focus on the 1% that are the the real real outliers, the real sophisticated folks.

      Jonathan Knepher:
      So you're talking about, like, the, like, you know, the availability of these tools to basically anybody who has criminal intent. Like, can you give us an idea on, like, what you're seeing that total scale means? Like, how big is this? And then from that, like, what kind of new technologies do we have, to protect ourselves from those? Like, you mentioned policy things, but, like, are there broader things we should be doing as well?

      Trevor Hilligoss:
      Yeah. Yeah. Great question. So scale's scale's hard to analyze. Right? I mean, SpyCloud, I'm biased. Right? But I think SpyCloud has pretty, pretty good visibility. And, you know, from what we can see, I mean, we're seeing hundreds of thousands of infections a day. Those are mostly targeting Windows, operating devices running the Windows operating system.

      Trevor Hilligoss:
      Although past couple of years, we've seen some commodity, by commodity, I just mean that, you know, you can go out and buy it. Commodity infostealers are targeting macOS. Atomic is one that's gained a lot of press, and and we do see that to this day quite often. But, you know, we're we're we're talking about billions of devices. Right? So what does that actually mean? Well, it's really a risk profile, I think, of the victim side. Right? Like, I've never been infected by malware, at least not intentionally. I've certainly infected a lot of VMs with malware. But, you know, I'm not in that risky category.

      Trevor Hilligoss:
      When we look at victims that are especially of the lower sophistication of commodity malware, you know, we see a pool that is roughly analogous to society, but definitely focused you know, we trend younger. A lot of these infection vectors we see are gaming related. A lot of them are using things like ad services. So if you're clicking on ads, right, that puts you at a higher risk. So a lot of that is kind of behavioral indicators, I guess. And it's obviously, it's very difficult. I could say that. It's fun to say that on a podcast.

      Trevor Hilligoss:
      I'm not a CISO. I don't have to I don't have to actually figure out how to solve that. But the behavioral side is really important. As far as what technology wise, what you can do, I am both optimistic and pessimistic in different ways on AI. I do think AI can augment the human analyst and be used as kind of a force multiplier. You got a set amount of hours in a day, you got a set amount of analysts. You give them access to tools to kind of do some of the preliminary, maybe the triage level of analysis, so that they can save that time. Well, that's fantastic.

      Trevor Hilligoss:
      What concerns me is I am seeing some and I won't name names, but I've seen some companies, vendors, come out with AI tooling that does it all. Right? And this whole notion of like, well, maybe you don't need an analyst. Maybe we could just hand that to an AI. And that's where things get dangerous, in my opinion. I know a lot of great analysts, and I've used AI. And those two are not the same thing. You really can't replicate human insights and experience with a complicated if else statement. So I think it's a balance of those things.

      Trevor Hilligoss:
      But I do think AI is gonna be a really, really significant part of, the long term how do we how do we counter threat actors for sure.

      Rachael Lyon:
      So I wanna dig a little into your background, Trevor, and what you do because it's incredibly fascinating to me. It almost feels like a movie, but a better movie than, like, Breach. Right? Because that was just no comment. You know, but you you cut you have to get into the criminal underground, right, to kind of understand what's going on and be able to analyze patterns and and and what's going on. I I think there was, a report, an exposé that you guys did on, like, the Chinese cybercrime ecosystem. And I I just think that is so fascinating. And so I I not that you have to reveal any tradecraft secrets, but, you know, how how do you do all this? Like, where do you even start and and and how do you kinda infiltrate and and get to these gold mines of information where people can start, how do we start addressing this problem?

      Trevor Hilligoss:
      Yeah. Yeah. Well, I mean, it's honestly, it's not all that complicated. And it goes back to the human analyst. This is another example of how amazing human beings are. SpyCloud has some fantastic researchers. I would, again, highly biased, but I would say best in the business, what they do. And, you know, really it's about building relationships with these threat actors.

       

      [13:18] Rethinking Criminals: Humanizing the Threat

      Trevor Hilligoss:
      At the end of the day, you know, it's easy for us to kind of create a caricature for what a criminal is and have this probably Hollywood inspired view of some guy sitting in his basement in Severodonetsk, and he's got 17,000 screens around him and Matrix terminal windows. Realistically, it's just a person, just like you, just like me, that's made different choices. Right? So, if you approach it from that perspective and you look at it from the perspective of let's build a relationship with this person, they're still a criminal. Obviously, I don't intend them well. I would very much like to see them given a gift of silver bracelets at some point in their life. But until then, the most important thing for us is to maintain visibility. And what that means for SpyCloud, because we collect a lot of data and that's how we've decided is the best way for us to protect others, That means being as close to the threat actors we can, obviously, while remaining morally, ethically, and legally safe, and get access to that data before they can use it, and then get that data to the victim so they can remediate. And we find that that's a very successful method.

      Trevor Hilligoss:
      The Internet's forever. You can't get rid of the data. It's still going to be there. But if you're aware of it, you're able to apply countermeasures. Right? And I think that is a lot more impactful than just, you know, putting your head in the sand and and praying that your, expensive tooling is gonna protect you.

      Rachael Lyon:
      And was it you say hope's not a strategy? Is that what

      Trevor Hilligoss:
      you're saying? No. It's not. It is not. And, the best plan will will always fail, upon contact with the enemy. So Absolutely. Yes.

      Jonathan Knepher:
      Can you talk about any of the findings, you found through participating in these digital underground collections and so on?

      Trevor Hilligoss:
      Yeah. Yeah. I mean, it's really interesting. So my background, I served in the military and then I went into law enforcement. And I've always been really interested in kind of the psychology or the sociology of crime or delinquents, I guess, in general. And so if you look at it from that perspective, there are some really interesting things that we can learn about the adversaries. You know, like I already said, they're they're they're people just like us. They got hopes, they got dreams, they have plans, you know, they have roadmaps of their own.

      Trevor Hilligoss:
      There's a whole section of this that's very interesting of kind of the intersection of different services and different actors. Talk about the cybercrime enablement services a lot. And really, that's how these different things that are built by different people work together. And what we find when we talk to these people is that it's not just by happenstance. There's actual relationships that are being built between threat actors where they will essentially have I mean, sometimes it's to the degree of profit sharing. But even if it's not fully to that, I mean, it's like, Hey, your crypto works fantastic. I have an info stealer that I'd very much like to offer thirty days of free access to your crypto, and then maybe they're going to renew it. There's these really interesting analogies to how legitimate business functions.

      Trevor Hilligoss:
      Right? Like, Hey, I'm going to go on your podcast and people are going to listen to this. And they're going to say, Oh, SpyCloud. That's kind of a weird name. Let me Google that. Right? And so those same kind of human interactions, they're occurring within the cybercrime ecosystem and really helping proliferate that. So I think that was one of the most interesting things to me personally, is just kind of like, you know, pulling away the caricature, caricatured nature of of the of the criminal and, like, looking at this as, you know, another ecosystem, another marketplace with shockingly, many parallels to, you know, what we do, in the legitimate world.

      Rachael Lyon:
      Absolutely. It's, you know, I always thought it was fascinating how they do operate as, real organizations. Like, I think they have HR departments, you know, some of these these criminal you know, very organized, very organized. And I kinda have this, you know, I like a lot of movies, but I imagine being able to go on the dark web and, like, I could sign up for, like, wine of the month and malware of the month. I love it. Subscription services. So easy for me. But I'd be interested in kind of your perspective as we look at the future of these, you know, kind of enablement services and how they're going to evolve and and kind of what that means for for the future of cybersecurity.

      Trevor Hilligoss:
      Yeah. Well, it doesn't mean anything good. I guess it means we'll stay gainfully employed. Right.

      Rachael Lyon:
      I think that's a good thing,

      Trevor Hilligoss:
      depending on how you look at it. Yeah. You know, really, it goes back to what I was saying earlier with the that sophistication is is not as necessary as it was. There's a there's a guy, that so the the term is traffer. Some of your listeners may be familiar with this. It's basically a a group of of criminals that will, pool their resources together and access so they can access more, more malware, more services to deploy that malware at scale. And then they kind of share the proceeds to some degree. So, I was talking to this guy guy that was running a traffer team, pretty significant, I think about half a million infections a month.

      Trevor Hilligoss:
      So pretty, pretty high up there in terms of, you know, how successful he was. But I was talking to this guy and it became very clear that, he had absolutely zero programming knowledge. In fact, it was funny. He was trying to, figure out how to parse the logs that he was he was you know, logs being data that was stolen from from victims. And and he was he was trying to get ChatGPT to write his parsers for him, and he couldn't figure out why it wasn't working. And it it just really struck me. It's like I mean, it's it's funny, but not like funny Right? Like, it's it's funny concerning because you've got this guy who has a half a million people around the world every single month are are victimized, untold amount of identity theft, probably some ransomware in there. I mean, just all the horrible experiences this guy is causing.

      Trevor Hilligoss:
      And he's, like, as competent as my mom. Right?

      Rachael Lyon:
      Right.

      Trevor Hilligoss:
      I love my mom to death, but, like, I would not name her the linchpin of a criminal organization. Right? So, you know, it it is really, it is really interesting to look at that. And I think from the perspective of, like, what does that mean for the larger community, it means we're going to be busy. You know, when the pool was smaller and populated by a smaller number of more sophisticated actors, it becomes a lot easier to track. We can name groups, we can analyze their TTPs, we can build countermeasures. It's a lot harder when it's a bunch of random people on the internet that have completely varying, from nothing all the way up to uber-hacker skill levels, and they all have access to tooling that's being updated constantly, that has all of these cutting edge features to it makes it really a lot more dangerous for us. It means we we need to be much more on our game. So, yeah, good time to come into cybersecurity for the good guys.

      Trevor Hilligoss:
      And if you're listening to this, please do because we need help.

      Rachael Lyon:
      Good time.

      Jonathan Knepher:
      Yeah. Yeah. We definitely need all the bright guys joining this team instead of that team. Yeah. Maybe, like, can can you go into a little more detail on, like, what are these these infostealers and these tools they're using? How do they operate? And and, like, what are they particularly targeting? Right? Like, I mean, we we get it. They're after your identities. But there's so many things we have on all of our machines. Like, how do they find the right things to steal? Yeah.

      Jonathan Knepher:
      Right.

      Trevor Hilligoss:
      So, yeah. So infostealers were I I always laugh because, you know, people in computer science, we are probably the least inventive people on the planet when it comes to naming things. What's an infostealer? Well, it's something that steals information. Right? You gotta look that one up. So no. But, basically, infostealers are just just malware. Just I mean, software. Every Every malware is just software.

       

      [21:52] Endpoint Data Theft Threats

      Trevor Hilligoss:
      Right? It's just depending on if it's a, you know, purpose is legitimate or one that's not. And they're they're built to steal information from an endpoint. Usually, we're talking about, you know, Windows or macOS. There are stealers that target mobile devices too. Typically, we refer to those as banking trojans because they tend to focus much more on financial information, but not exclusively. But, you know, generally, we're talking about the passwords that you saved in your browser, the credit card numbers and other related financial information that's saved on your computer. Many of the modern stealers are actually able to exfiltrate full files. So there is this interesting, like, it's not to the degree of of ransomware by any means, but, you know, we have definitely seen extortion of of of individuals based on the files that were stolen from them.

      Trevor Hilligoss:
      Other things like, you know, what have you entered into Google, for example, your search history, your download history, what bookmarks have you made. And in the case of macOS, you know, we see stealers that actually steal the entire keychain too. So, you know, what that means for the end user is, and end user, I mean, criminal, is that they have access to basically your entire digital life. If you think about what's on your computer, I mean, it's very much, it's you. It's how we all, comport ourselves online. So they can become you. They can take your cookie information, and load it into a browser. They typically advertise as anonymous.

      Trevor Hilligoss:
      I'm doing air quotes for those listening. Anonymous browsers, right? Things like Multilogin or Linken Sphere. And those will allow you to configure yourself as as the victim. My screen size is this. My operating system is this. My keyboard language looks like this. Here's a set of cookies that are valid. And if you can do that, well, cool.

      Trevor Hilligoss:
      Congratulations, you have multi-factor authentication. I don't care. I'm using an already authenticated session. Right? I'm passing that authentication cookie to that website. I am you. And then, you know, pulling that even farther out, right, looking at the other services, we have things like residential proxies. It's a great case. A few months ago, 911 S5 was a big proxy network run by a guy, a Chinese individual, that had literally billions of dollars worth of fraud traced back to it.

      Trevor Hilligoss:
      And and it was allowing criminals to use your device, your phone, your laptop, whatever, as their own proxy and proxy their traffic through you, through your Charter Comcast or whatever residential ISP to do their crime. And I remember talking to the case agents of that years ago and all kinds of horrible things came from that. Right? People getting their doors kicked in because you're doing things online that the FBI doesn't like. Well, it's not you. You're a victim. You're being victimized. Your computers are being used against your will, essentially, in that case. So, yeah, so it's super complex.

      Trevor Hilligoss:
      I could talk for hours about this, but the, you know, the the bottom line is, like, the the amount of of different it's it's like Legos. Right? You just you can build whatever you want. You you just have to buy the right pieces and make sure they fit together. And you come away with something that, you know, it's not unusual at all to see these actors getting literally thousands of infections, successful infections every single day. Tens of thousands, hundreds of thousands a week.

      Jonathan Knepher:
      I mean, when you when you combine, like, what you've talked about together. Right? I mean, you're basically talking about unwinding browser fingerprinting, unwinding authentication, unwinding just your identity even as your source IPs. Like like, a bad guy who can combine all of these together, I mean, it sounds kind of hopeless to be able to to fight against that. Like like, how do we continue to exist against such an adversary with like you said, it's like Lego pieces to them.

      Trevor Hilligoss:
      Yeah. Yeah. I wouldn't say it sounds hopeless. Thankfully, it's not totally hopeless. There are things you can do. But yeah, it is. I mean, honestly, it's an information game, Right? It's it's an information game on the on the part of the the criminals to gain as much information as they possibly can and use it against you. But it's just as much of an information game on our side, on the defender side.

      Trevor Hilligoss:
      Right? If if I if I know that, my employee excuse the enterprise perspective here. Right? I know my employee's personal device was infected. And I made an oopsie during COVID. I let them log into enterprise services from their personal device. Whoops. Right. We all did it. Okay.

      Trevor Hilligoss:
      Well, now I can begin to remediate. Right? It is basically at that point, it's a race to the finish line. Who can fix you know, can I fix the vulnerabilities that I have before the threat actor can use those vulnerabilities? There are definitely some things you can do from a prevention side. I mean, the example that I used, I just listed with cookies. One of the problems, one of the reasons that's such a horrible problem is a lot of cookies have extremely long expiration times. I've seen cookies, like especially email cookies, they're the worst. It's like a year. Right? Well, I can get into your email box.

      Trevor Hilligoss:
      I mean, I could do whatever. I could maybe I don't know your password, but I could reset your password. Right? It's going to send it to your email that I have access to. You know, that that that alert that, hey, this is an anomalous login activity. Well, guess where that's going? Right in the spam. Right? So, you know, but but but you can fix that. Right? A lot of times, you can change that, and you can make your cookie time out very, very short. You know, make it fifteen minutes or less.

      Trevor Hilligoss:
      Highly unlikely that somebody is going to be able to get in there. Not impossible, but, you know, make it a lot harder, on the adversary. And then, you know, use other types of notifications or use other types of recovery processes. I have about, this is not an ad for YubiKey, but I've got about 20 of those suckers sitting on my desk right now, which is the height of irritation, of course, and it's entirely my fault. But there are products out there that can fix this, right? Or maybe not fix it fully, but certainly make it a lot harder for the adversary. And it's a game of inches. The harder you can make it on on the threat actor, the less likely they are to succeed.

       

      [28:35] Identity Protection Strategies

      Rachael Lyon:
      So to that point, and, you know, and I think about people you you hear these stories of people who've been compromised and just how hard it was to restore things, you know, to restore their identity back to what it was. And I'm I'm kind of trying to look in the future here, Trevor, and, you know, how do we mitigate these things? Right? Or how do we kinda insulate or protect ourselves? And is there a future where, you know, I talk a lot about unplugging. Right? You know, let's let's go old school and do everything manual. But do you do we need to start creating these online kinda doppelganger personas, you know, almost like as bait, you know, steal what you want, but in the background, I'm me doing doing stuff offline, and and that's how we could kinda have the best of both worlds. I don't know. I'm I'm just riffing here, but I I'd be interested in your thoughts.

      Trevor Hilligoss:
      Yeah. I well, I won't mention his name, but a friend of mine coined the term, identity honeypot.

      Rachael Lyon:
      Yes.

      Trevor Hilligoss:
      So, yeah. I mean, you know, at SpyCloud, we talk a lot about holistic identity. Right? And that's exactly what we're talking about. Right? Like, how how much of how much of you do I know? Right. And and it's it's sort of a sliding scale. Right? If I have your email address and your password, well, you know, maybe I can get into your Netflix account. Maybe not. But if I have your email password, social security number, date of birth, and address, well, now I can file your taxes.

      Trevor Hilligoss:
      Right? So so so, yeah. So so so, you know, what you can do about that is make yourself your own identity honeypot. You can muddy the water a lot. A lot of these criminals, what they're doing is they're aggregating data. They're finding different sources of data, maybe malware, maybe breaches, maybe phishing results, whatever. And then they're kind of doing their own little SQL joins to figure out how that fits together. Well, you can make it a lot harder on them if you use a different date of birth wherever you go. Or, you know, maybe when you sign up, sign up under a pseudonym if if it's something that's that, you know, you can do legally.

      Trevor Hilligoss:
      Certainly don't do that for taxes. But, you know, obviously, don't put your Social Security number into places that, you know, are not gonna properly secure those. So you can definitely... I really like the idea of having kind of an identity honeypot and, you know, muddying the water for them. Make it harder for them to figure out, you know, is this actually Rachel or is this somebody else? I don't know. I'm going to ignore that record just in case it's not. Right?

      Rachael Lyon:
      I like that. I'm writing that down.

      Trevor Hilligoss:
      I can't blame it. It's not mine.

      Jonathan Knepher:
      So it sounds like, too, like, what you're talking about. Right? Like, this is kind of the first step of multistage attacks on these bad guys. Like, where do they go in their escalation process? Like, how many of these get to ransomware? Where else do they go? And then what do we do to protect against that?

      Trevor Hilligoss:
      Yeah. Unfortunately, the answer of how many go to ransomware is higher than I would like. You know, we do have a section in our malware report that deals specifically with ransomware. We looked at the correlation between infostealers and ransomware events that we know about. Right? There's a lot of ransomware events that we will never know about, whether they were not published for whatever reason or the ransom was paid. And it's high. Right? I mean, we know there's a correlation here. We know that, which makes sense.

      Trevor Hilligoss:
      Right? Ransomware really at its heart is an access problem. If the ransomware actors can't gain access, well, there's never gonna be a ransomware. Right? Especially these days when we look at a lot of the ransom events that happen, they have a component. It's not just encryption. Encryption might be a part of it, but, you know, a lot of them are... there's exfiltration. There's, you know, it's kind of the name and shame way of doing it. I'm gonna post your information on my leak site, and I'm gonna threaten to release your data unless you pay me. You know, it's proven very successful.

      Trevor Hilligoss:
      So that's why the actors are doing this. But if you can go back in time, I mean, obviously, none of us can, but if we can imagine that, hey, if they didn't have that access, then they would not have been able to do that. Nothing would have been exfiltrated. You know, effectively, you've mitigated the event. So, that's not to say that access only comes from infostealers. It certainly does not. There's many other ways that the ransomware actors get access to a network. But infostealers are definitely on that list.

      Trevor Hilligoss:
      And they're one that is probably the easiest to remediate. Right? You know, somebody's going to launch some zero day against you. Well, it's a zero day, right? Like, how are you going to... By definition, you are not going to know about that before it happens. But, you know, if I know that, hey, I have this really risky admin panel that's been hanging out there for the past ten years and doesn't have MFA and it's issuing cookies that are valid for three sixty five days, well, that's something that you can fix. Right? You can fix that in your environment. Or if you have the ability, you know, through a company like SpyCloud to identify that infection as having occurred, well, then you can remediate it for that employee. Right? So there are ways to approach this that are very successful. It just requires the knowledge from the defender perspective, and the intent to do that, to take those steps to really fix it.


      About Our Guest


      Trevor Hilligoss, SVP of SpyCloud Labs, SpyCloud

      Trevor served nine years in the U.S. Army and has an extensive background in federal law enforcement, tracking threat actors for both the DoD and FBI. He is a member of the Joint Ransomware Task Force and serves in an advisory capacity for multiple cybersecurity-focused non-profits. He has spoken at numerous US and international cyber conferences, holds multiple federal and industry certifications in the field of cybersecurity, and is a recipient of the President’s Volunteer Service Award for volunteer service aimed at countering cyber threats. Trevor is the Senior Vice President of SpyCloud Labs.

      Check out his LinkedIn!