Good morning, good afternoon. Good evening. Wherever you are. I hope you've smiled today. My name is Tricia Howard, aka Tricia Kicks SaaS. And I could not be more excited, truly, to be hanging out with two of my favorite people here at Akamai talking about one of my favorite things to talk about, which is ransomware. Thank you, everybody, for joining. I am so excited to introduce you two. Well, not introduce. I'm sure that you have seen these two, before. But Roger Barranco and Garrett Weber, my two friends here today. Before we jump in, would y'all please let the audience know if they don't already, why they should listen to you? I'll start with you, Garrett.
Sure. Thanks, Tricia. So, Garrett Weber. I'm Akamai's solutions engineering leader for our Enterprise Security Group. And I spend most of my time focused on talking to customers about the threat of ransomware, where it's come from, how it's evolved, where it's going next. and the mitigation actions and things you can do to kind of help yourself in your own environment with improving that security posture. So hopefully I can reflect some of that in today's conversation. Love it. And Roger.
Hi, everyone. Roger Barranco, responsible for global security operations for Akamai. So it's a very tactical role of what is actually happening. So managing the alerts, fighting the attacks. Not me personally, but an awesome team that I have. So my contribution in this discussion is more about what we are seeing actively occurring. Love it.
So if you have not had a chance yet to read our SOTI report, this link and other things that we will be discussing today are available in the attachments tab. So definitely check those out. Whether after, after we start talking, hopefully. But, while, even while if you want to pull that up as well.
But to get started, there were some key themes I think we saw as part of the ransomware report and other things that we have seen, Ransomware has had quite a year in 2025, would y'all agree? It's kind of, kind of been going. Something that was particularly interesting, and we're going to talk about this a little bit more, each one of these in more detail. From my perspective, one of the most interesting things I thought was the quadruple extortion. We are seeing the evolution of extortion just going. Right. I mean, I guess evolving. Right. Even though the double extortion we saw was still the most common, we're getting into the weeds, and this has some pretty big impacts, I think, on people who are hit by ransomware or people who are afraid to. Garrett, do you want to talk a little bit more about, what customers are saying with regard to extortion or other fears, I guess?
Yeah, sure. I think what's interesting here with the evolution is we've seen organizations and the government and government agencies tell everyone, don't pay the ransom, don't pay the ransom. So the attackers have had to get more creative, quite honestly, with what they're doing to extort the organizations that they've breached in order to get them to pay the ransom. So we've seen it evolve from encrypting systems to stealing data to now DDoS attacks, if we're talking about triple extortion. And then quadruple extortion is particularly interesting to me because while it's only a small set of groups that are doing this, if we think about what's happened going back to like Target and Home Depot, if an attack occurs, your consumers, per se, aren't the ones that are going to lose faith, and you're going to lose business from, per se. So if you look at what happened with like, Target or Home Depot years ago, people went back and started shopping there again. There was a short period of time where people might go shop somewhere else. But you eventually went back and shopped at Target and Home Depot and these other brands that have been impacted. What if I'm the attacker, the more brittle part of your kind of business could be your business partners. So if I can reach out to your business partners and put a bug in their ear that, hey, we've breached this organization, they won't pay us the ransom, they're down, here's their flaws In their security posture, etc. I might impact your business in different ways by having those business partners go and find another third party to work with. So this kind of evolution of the the attempt at extortion has gone from getting the data out to taking down the business operations to how do I go to third parties you interact with and impact your day-to-day operations with them. So they start to question whether or not you're the right organization for them to interact with. So it's just another approach the attackers can take to make organizations more vulnerable and probably more likely to pay the ransom at the end of the day.
Yeah, I think it's important to remember when we're talking about ransomware, that they are a business, right? And we're seeing that I think, a lot also with hacktivism, even I thought that that was particularly interesting, the how the lines are crossing, namely with, of course, ransomware as a service. Roger, what are your, did you have anything you wanted to add to that point or any of the others here?
You know, Tricia, as you know, general attack metrics are, you know, streaming upwards and, you know, we're always having to adjust on that front. But specific to ransomware, what we're seeing an increase on is the engagement level from the customer. So in the past, it was, oh, we got this alert, we saw this attack, we mitigated it. Here's your report on, you know, what we did to it to protect you, as an example. Now we're getting more engagement from the customer to say, hey, I just got this threat of malware and/or I just detected this malware in my infrastructure. So, hey, Akamai SOC, be prepared because I expect, you know, like Garrett was saying, I expect a DDoS. I expect some Layer 7 attack. I expect some contributing cyber malware to go on top. So can you please join a bridge for the next four hours and just be eyes on glass? So we're definitely seeing a dramatic increase of customers proactively reaching out to us because of malware-related activity, under the assumption that there may be other cyber events that would require our response.
Oh, that's a that's a great point. I think also, to the point, of course, of the multiple types of extortion, a lot is something that people need to be aware of also is the smoke and mirrors angle of this. When we're talking about ransomware, we're talking about pretty what I would said are quote unquote basic controls, right. Like the ransomware wants to, it wants to have access and it wants to move. These are pretty basic things, with regard to malware. So if I can do something super shiny over here and like, let's get to the point where somebody calls your team Roger and says, hey, can you hang on with me for four hours? Imagine what a cybercrime group can do in that four hours, if they're being, if their attention has been directed elsewhere. So it's rough out there, folks. It's rough out there.
That's where people should depend on their vendors to help them. Right. So their infrastructure can stay focused on that shiny thing and then say, hey, vendor XYZ. If this is happening, I expect you to look at these other items that may be a a distraction to my core resources.
Oh, that's a great point. That's a great point. Anything before we move on, Garrett just anything you would like to add?
No, I was going to comment that it is a good point that I don't see organizations partnering with their vendors enough and when things occur in the environment, they tend to say, we can handle it. Or maybe they'll have an incident response organization that they work with or a third party that they reach out to. But for getting to that line of communication to the individual vendors that run the security products themselves to help be a little more proactive versus reactive. Because I know when we engage with some organizations from, like our Akamai Hunt team, where we will get on calls, like Roger said with the SOC and work through what they're seeing and help identify what's going on. We can definitely be more proactive. So think of the vendor as a partner in these situations, whether you're pre-incident or in the middle of the incident, it doesn't always need to just be the incident response team you're working with. Also, the security vendors can play a part in helping, you know, monitor alerts and take actions for you instead of having to leave it all on your team to manage that. So yeah.
Oh, yeah, that's a great point. I mean, it's a shared responsibility model, right? That shared isn't only, it's your fault if something messes up. It's also a team effort. I think it's very important. And proactive defense really is, should be the norm at this point. It's assume breach and be as proactive as you possibly can. Especially with these threats that can literally affect your bottom line. Right?
I think that's where ransomware has always been so noisy, so to speak, within the industry, because there is a hard number associated with it, not only from a remediation cost, but your actual, there is an actual number associated with a ransom. Of how much data is lost? Could you even retrieve it? I mean, wow, like, we talk about backups. Was it a couple of years ago, the number one response to deal with ransomware was make sure you've got your backups set up. Well, now they're going after the backups. So, woof, here are some, stats, I think, from the report that were particularly, stood out. I mean, ransomware is going up. I don't think that's necessarily a surprise. But the downtime, 21 days. This really made me sad. Just between us friends here, 21 days, that's a really, really long time. And we had some pretty major incidents earlier this year that took down some major retailers. And those have real-world impacts. Right? I think when we talk about ransomware, it's not only the bottom line, but depending on the industry being attacked, people can be affected in their real lives. Which can be quite scary and why it costs so much to get it back up.
Let's see. But just Tricia, I can say, just think about like 21 days of downtime. That is such a long time in the business world. And it's not just, then you combine it with the recovery costs of 2.73 million just to recover and get back online. But then you think about what are all the other things you could have been doing in those 21 days that you now had to reprioritize and refocus and what when I look at this number what jumps out at me, is like, we're going to talk about mitigations, but there's things you could be doing that can shrink that 21 days down to a day or less. And organizations are almost in analysis paralysis sometimes with what are the top things I should be doing to make sure I can recover quickly. But 21 days is a very long time to be out of business, and trying to get operations back online. There's so many things that are not built into that recovery cost that you're losing money on as a business in that 21-day time window.
Oh my gosh. Yeah. So I mean, Roger, imagine talking to a customer and saying, okay, we'll get you back online in 21 days. How do you think they would react?
Oh my gosh. Yeah. Our SLAs run between 0 and 5 minutes max to make cyber pain go away, but that's for an internet borne attack towards a customer origin and not ransomware, which obviously has a much higher dependency on the infrastructure of the customer and hey, Tricia, I don't remember if I mentioned this before, but I was at a conference in Europe not that long ago and talked to a couple of people. I didn't even realize that this existed, that there are ransomware negotiators as a profession out there, and I thought that was pretty cool. This person had a great personality and talked about, hey, you know, this is how you negotiate, and try to, hopefully in advance, right? You receive the threat first, right? Then you see, yes, this ransomware is there, but they haven't turned it on yet. You have a small window of negotiation out there. So I thought that was pretty interesting.
Yeah. You know that's a that's a really nice point. It's not only the, the, sorry, the adversaries are evolving, but the defenses are evolving too, right? We, it's easy for us in security get too stuck on the doom and gloom. Because if you look at these numbers, you're just like, oh, man, what is the point? But things are actually evolving too. And that is a really great example of it. You know, a lot of people for a while relied on insurance as well. Cyber insurance. They came up and then the insurance providers were like, no, no, no. Okay. You this cannot be your strategy. It's us paying for ransom. And with the multiple extortion techniques, anyway, it probably wouldn't do as well as they think. But did you, what were some key takeaways that you remember of the of the negotiator? I'm curious.
You know, as you were talking, I was wondering what I should share on that front because I, I want to be a little careful. Right. Sure. I think I'll summarize by saying, the majority of it was psychological manipulation. Yes. Right? So there's a cyber manipulation against the victim. And these individuals who are in the negotiation portion of it, they want to be your friend first. They want to form a relationship. Right? There's a lot of pieces. It's not just. Okay. What? It's not playing poker, you know? What cards do you have and what's your number? It's quite complicated. And it's very effective, by the way. You know I've seen situations where you know, Garrett you were saying never pay. But you know there are situations where someone has said hey you know we started off with you know 10 Bitcoin and got it down to one, you know or something right.
Yeah. I mean it's not unlike, I mean I watch a lot of true crime and they talk about talking to perpetrators and stuff. And that is a tactic, is a really well-known tactic to use, is to kind of befriend the, but befriend the perp, as they say, you know, the lingo, and, and try and get them to, get them to talk. Right? Because they are coming in at an assumed position of power. If the ransomware group comes in to, if a customer comes in that's been hit by ransomware, they're already behind the 8 ball, so to speak. So how can we work toward that if they, if these groups are using all of these advanced techniques and they know that they have them on the hook, not only do they have their data, number one, they have their backups. Now they're reaching out to their partners like they know that they have them in a in a vulnerable position. So how can we how can we kind of, mitigate, I guess, and that is a, that is an effective tactic. It's better to pay one than 10, I guess.
Yeah. If you're in that position, unfortunate, yeah. Totally agree with Garrett. Don't pay, because you're just setting up you know, the next thing. But if you're going to be, oh my business, I'm going out of business. Yes. I'm in the corner with no response. Yeah. Negotiating down is something to consider. Yes. In a perfect world, we would never pay because that is why they continue to do what they do. Right? If you, if you, if there is a potential for them to make their money, they're going to continue doing that. And the reality is not every business has the dollars to hire a negotiator. Let's start there, much less to actually deal with the, all the soft costs. So earlier when we were talking about the huge numbers, and Garrett, you pointed out like there's the downtime costs, there's also your personnel costs that you are you are paying these people to be there and do nothing. You are paid. They can't work. So that's, that's a soft cost. Then trying to work with the mediators, trying to work with your incident response. Hopefully you have an incident response team or vendor that is helping you find out how it happened. What if you don't even know? And the social engineering is a is an aspect of that, it's probably how they got in, so yeah.
Great. If you're a medium-size business or, really a hospital of many sizes that are operating on really thin margins, how do you survive that financially? Like, you really need to look at the upfront mitigations and the partnerships and what you can put in place, because the reality of it is it's so detrimental to the business that there probably will be at least bankruptcy at a minimum coming out as a result, if not just losing the whole business entirely, so.
Oh my gosh. Yeah. Well, and with health care, now you're dealing with potential lives being lost. And what, at what point do you make that call of okay, I guess I'm going to pay the ransom versus having patients die. I think that most of us, I would hope anyway, would err on the latter of those, of those two options. So, yeah, it's, There used to be honor among thieves. But alas, there were some, particular strains I wanted to push to you, Garrett, a little bit here on, one of them, of course, it was also in the in the first slide we talked about, which was a TrickBot, TrickBot. Sorry. And Wizard Spider. They have some kind of interesting TTPs. Do you want to talk about those a little?
Yeah. So TrickBot itself has been around for a long time. I think 2016 is the first time we saw this strain of malware, and it was really a Trojan, banking-focused solution or malware at the time. And it's evolved into kind of a really nasty ransomware as a service and runs under the Wizard Spider group now is sort of who we associate with it the most. We've seen it evolve to stealing credentials, and all the things you'd expect out of a ransomware attack, but we've also seen it become a way of once they have access into a victim network, they're selling that access as another stream for their business to allow other attackers and other groups into your network. Which is particularly awful when you think about it, that they're gaining access commonly through spear-phishing attacks, which we know have become easier with the use of AI. But once they have that access, they're now selling it to the highest bidder or bidders to get access to the systems in your environment. One thing we saw recently that actually our Akamai Hunt team found was they were disguising the TrickBot malware under an executable named Windows Update, and we found it across five, four different customers and five different systems, I believe, in the customer environments. And what they were actually doing was it was executing a batch script that created a, interactive SQL shell. So not only were they getting into the environment, the assumption is they were creating that shell and actually hands on keyboard, able to run commands and, you know, actually execute different steps, maybe to move laterally within the environment to other more interesting systems. But disguising it under the Windows Update executable makes it look like it's non-suspicious, just a mundane process running in the environment. We normally let Windows Update do whatever it needs to do because we want to apply patches and updates, etc. And it's an easy-ish way to evade common endpoint security solutions. EDRs can be effective in identifying this. There's other ways to do it. But on the environments we saw, these were dormant bat files just sitting there waiting to be executed. Again, we can only assume that they were executed previously. But disguising it under a common process name is a new technique we've seen is this kind of TrickBot malware and Wizard Spider continue to evolve.
Yeah, it's particularly nasty, isn't it? And a very, I guess forgive the word choice here, but clever form of social engineering. If I am a busy, a busy person, and I'm trying to manage the just myriad threats that are coming out every day, and the ones that were important, like two years ago that are now way more important again, because of LLMs and GenAI, then now, of course, if I see Windows Update, I'm going to move past that. I mean, I can't, I can't fault anybody who would rather just, it's sad. Oh, man. Yeah.
I think, when we're talking about the, we see this a lot in the research that we do with the botnets and stuff that the SIRT does, they find a bunch of these, this is a newer tactic that is working quite well. They will just disguise one little thing, and all it takes is to disguise that downloader just cleverly enough. And it won't get caught. It won't get caught. Because if you don't know what to look for, or you don't have the time to look for it, then, I mean, it's it's pretty easy to be missed. Roger, anything you want to add on there?
You know, I know we're, we're super focusing on the risks, which are very real. And, I invite everyone, if you haven't yet, to go ahead and read that report because it has some really good technical detail in there, you know, very specific attacks, very specific trends. It's a wealth of really good information. But at the end of the day, it's not all doom and gloom. There are a ton of things that you can do, that either wholly prevents this from happening in the first place and/or at a minimum, controls the blast radius. Right? So did this go through my whole infrastructure or was it restricted to one machine or one immediately adjacent machine. And how am I controlling the reach of that malware? And the subsequently weakened machines that would come along with it, right? So, later on, Tricia, maybe you can pick a time slot and we can drill a little bit more onto that.
Yeah, that's right, feed me, ransomware! That's what they want. They want to move. So if you can keep it contained, it's a great call out. The next thing I wanted to hit on, which I personally, I feel like I've said this, not everything, but I do actually find ransomware interesting. That stood out to me was how the threat actors are weaponizing compliance. So compliance, depending on who you're talking to, might be a dirty word already. But it's particularly bad whenever the threat actors know the compliance regulations and standards and are able to use them as a as a tool in their toolbox. One of the, one of the case studies that's discussed in the report talked about how a I think it might have been a few years ago, I don't remember off the top of my head, that the ransomware group actually messaged the customer, or the victim, and was like, hey, by the way, if you don't take care of this, if you don't pay us the ransom, we're going to tell the commissioners here, and you're gonna have to pay a fine that's like 10 times what we're asking you. So I've got you a bargain here. Pay me the ransom. And what's sad is that it's true. Not only that, but using, using the knowledge of, there was another one that they went and reported it that the the victim did not report the event, the incident, in time. And so the threat actor group went and sent that to the government entity and was like, yo, guess what? They didn't do what you said. So now the, not only are they talking to partners, not only are they talking to their customers, now they're going to the government agencies too, I mean, it's just, they know how to get their money.
Right. You know, I'm glad you brought that up. And, just as a side note, the, check out your local, if you're not already, your local InfraGard group, because they are a huge help. And guess what? You'd reported it as soon as you bring them in, typically. Right? So that reduces any risks to you for noncompliance because you have promptly reported it and you're pulling in people that can help you and have pretty good depth within the FBI organization through InfraGard to help you in these horrific situations.
Oh, that's a great callout, great callout. Write that down, y'all. If you didn't, if you haven't already. Garrett, anything you want to add here? What are you hearing from customers with regard to this?
You know, I don't know I hear a lot from customers in regard to this, because compliance is one of those things that you just have to do, you know, and we've, what's frustrating with this is we've tried so hard to improve these regulations over time to improve your security posture in your reporting and all of those pieces to the compliance puzzle. But yet the ransomware attackers are so, sadly, business savvy that they have figured out a way to weaponize compliance in these standards that we put in place against us. And it's such a frustrating thing because compliance is supposed to help us. Ultimately, it may be a pain to implement some of these controls and check all the boxes, but it's supposed to help improve your security posture. And at the end of the day, you have the ransomware groups just exploiting the fact that you're trying to comply with government regulations. It's just, it's frustrating being on the security practitioner side. But I'm also oddly impressed with the business savvy of the ransomware groups to start doing this. So, yeah, it's I mean, it's unfortunate, but it's terribly creative. Again, it's so important. There were a few, a few years ago, I saw a presentation at a conference, I can't remember which one it was. And it was effectively a D&D campaign of like a ransomware's, a ransomware group like business meeting. Right? And it was talking about how, they had a CFO, they had a they had a chief sales officer, they had all these things. And it was it was clever, but it was it was accurate, because they are, they do think about this business stuff, and they don't have the compliance regulations that they're trying to keep into, which is something that people have to have to consider. And there was, a campaign, I guess we were running, a marketing campaign, to be clear, we were talking about how, if you start and focus on great security, then compliance will happen. And I love that message, because if you focus entirely on compliance, it can be used against you. You need to be thinking about what the actual threats are, today and tomorrow. Hopefully you can figure out what those are and, and keep it keep it going to try and fight some of this stuff. So yeah. And follow the rules, because they will use it against you if you're not.
With that being said, let's go into the more happy stuff, which is how we can help! We being the community, security community as a whole, and of course, Akamai, specifically. I'm going to start with you, Roger. We don't have to read these. I'm very confident that the audience can read. But what are some of the recommendations that you would particularly want to expand on?
So I think that, you know, anybody on this seminar understands the history on this, but social engineering is by far the vehicle to subsequently launch malware and other types of attacks, and can be very effective onto itself. And it's this challenge is exacerbated greatly by the advent of AI, deepfakes, and everything else around it. Now, what can you do about that? You have to wrap your processes around it. So for example, authentication. So I was talking to a customer recently said they had a dramatic increase in the number of deepfakes that had the image of their CEO, the voice of their CEO, requesting information with, a stern flow of communications. I need this now right. So you can see easily where anybody would be under pressure and feel like, hey, I need to, you know, provide this information to them. But what saved them was the very simple internal process of authentication that was MFA based. So their process was, hey, if someone calls me on the phone, if it's a known customer, I have them in my database. If it's an employee, I have them in my database, and I'm going to use my MFA push, my multi-factor push, and then the other person who is a known entity, including you, obviously, you know, your CEO, should be able to pick up their mobile and hit one button and say, yes, I'm now known and trusted. And they were able to stop multiple attempts simply because of that operational control. So it's not only the technical controls, the, you know, the blast radius containment, the microsegmentation, the API, the WAF, all of the other pieces that contribute. It's really the operational response for humans to feel comfortable. Oh, I have no pressure. I know it's my process and acceptable. There's no way the CEO is going to be mad at me for simply following our HR-established, IT-established process to send an authentication MFA request.
Love, love that. Make security part of your culture. It is one of my, I have been harping on this for years now, but that's a great point. I love that you said like HR-mandated. Because it doesn't, it can't just come from the security team. It has to come from the culture as a whole. It's a great call out. What about yourself, Garrett?
Alright, Roger went operational, I'm going to go technical here. Nerd it up. And this is, I will die on this hill. I will die on this hill, completely. That organizations, we said it earlier, We have to operate under assume breach. But then there's, what do you do after you assume breach? And if you look at the kill chain of an attack the most orphaned, forgot about, less-addressed part of that kill chain is preventing the lateral movement. And that blast radius. And if you read any postmortem report from any attack over the last 10 years, there's always a comment about improving better network segmentation. And this is an area where organizations have been hesitant to approach because they haven't paid attention to the evolution in the way you can segment your network and how that's become a simpler process. And, while I won't say it's foolproof, but it's a way that you can contain the breach and have an ability to limit how far that attacker can go, because it's unlikely the first system that they breach is the interesting one. You know, they want to move through five, 10, 20 systems within the environment before they get access to the right database server, or have enough systems with ransomware loaded that they can encrypt at, you know, a large scale that impacts your business. So if I'm an organization looking at my technical controls and where I might have a gap in the kill chain, I'm looking squarely at that, addressing the lateral movement and the opportunity the attacker has to move through my environment. And how can I take action on that technically, within the infrastructures that I operate in? So. I love it. Yeah. I mean, Roger was talking about it earlier as well. The blast radius. It's, it's really, really important.
One of the things that I have harped on for a very, very long time. So if you've ever followed me, you've probably heard me say this. Not only like patch management, but continuous testing. So especially now with how quickly and it is really upsettingly fast. How quickly these things can be pushed out and at what scale, especially with generative AI and LLMs and all of that fun new stuff, is you don't you can't rely on that pen test that you got four months ago to tell you what is vulnerable in your environment. You need to know today, and you need to be able to do that continuously, and that can get very, very expensive. And it's why one of my favorite tools, and it has been for many years, is our Infection Monkey, which actually acts like ransomware. It actually does act like ransomware. And it's free and open source. So this is my marketing plug for all of you right now. If you have not played around with our Infection Monkey, go on to GitHub and find it. It is very, very helpful. Okay. That's it. I promised I was only going to do one. But it's really important. And what it will do is it, it allows you to see what your assets are, where they are, and what is vulnerable because something that you may have not thought was an issue, and we talk about prioritization a lot, of something that might have been deprioritized. Now there is an attack group out there that knows that it's been deprioritized and now is going to evolve that to make it more of a priority moving forward.
Some more, mitigations, of course. We talked a little bit about, well, we didn't say the words, but what Garrett was talking about, of course, falls into the Zero Trust stuff. And the MITRE ATT&CK. I think that's very important. Oh, and awareness. Awareness. How often, Roger, do you think that the customers that you talk to actually know where all of their assets are?
Oh, the customers are very open to say they have no idea. Right? You're aware of your primary systems, but are you aware of employee X, who probably doesn't think he's doing anything wrong because there's no governance in place that restricts them, and they just spun up an LLM because that's going to help them code faster or automatically fill spreadsheets out. And, you know, everything else that's very cool with that, but you've just created an entry point that extends your blast radius. And who knows if that malware reaches that LLM and you've already assigned permissions to that LLM that says, hey, you can access all this HR, health care, you know, whatever other type of data. You know, it's not a good situation. So, how do you balance those things out? Obviously get governance in place so employees understand what's allowed or not allowed, that there's a governance board that approves or disapprove certain types of actions. And I know that slows things down, and that definitely sucks. But, at the end of the day, you know, those are things that are going to protect you. And how much peacetime effort are you putting in? Every customer, every single customer that has been absolutely hammered with an attack and was not impacted or had a good experience, I'd say after the fact, was because it is correlative to how much peacetime effort they put in place to make sure, hey, I have my microsegmentation in place. Hey, I've run the right tools to understand the inventory of my environment. How many LLMs, how many databases. I have my APIs protected not only from the network level, but at the protocol and system level. Right? So it's that API should say I don't necessarily trust that IP, but I trust that system. And these are the tells for this system. There are tremendous amount of things that are readily available for enterprises today to put those types of basic controls in place that will protect them going forward.
Now to quickly share a stat. And Garrett, this goes back a little bit to what you were talking about. And about, the hunt type concept. Right? So you put all these controls in place, you have everything. You have to also carve out time for generic hunt efforts. And I will let you know that with, you know, customers that we work with that have extraordinarily tier one systems in place with excellent alerting response teams and very powerful responses and protections in place. About 17% of the time, we find something that's actionable, right? So if a customer, like I was saying before says, hey, I'm under threat, can you guys just peruse, you know, the environment and see what's going on, 17% of the time I'm not saying it was necessarily an attack. It could be an attack that's ongoing, but there's some vulnerability, some weakness, some discovery that's needed. And that is only found through those peacetime hunt type efforts that someone should perform.
Yeah, that's a great stat. Thank you for sharing that. And yeah you're right. It's important to hopefully you do have some peacetime in your environment so that you can go do these things. Because that is again, assume breach, assume breach, assume breach. It sounds dark, but it's true. No that should be, assume breach is in your top three risks. It shouldn't be down on the list. Right? Because it's very easy to get into that day to day. Oh I've patched, oh I've read MITRE. Oh I've done these checks. Those are known things. And the reality is most CVEs, actually what, Tricia, been in the world for a year and a half before they're actually recorded as a known public CVE? Yep. Yes. That is shrinking because of things like LLMs. And actually, proofs of concept. Right? So researchers will come out and be doing the right thing. They're trying to show the defenders how to protect themselves. But the threat actors, have a little bit more time on their hands sometimes, and they can find ways to, to take advantage of it. So, yes, we're seeing a lot of that in the, out in the wild. A lot of what is happening is CVEs that haven't only just been around for like a year and a half, we're talking like 10 years ago. They've been out there for a long time. And because of how systems are built on top of each other and evolved, on the defense side, there are new holes. They get built. And, and that means that the attackers can you can also play around and find what's what's up. I think that's a nice segue as we're nearing the end of our time here, is kind of talking about what is coming next. So when we talk about ransomware, we've been focusing on ransomware but I think we can kind of distill all of this down to risk and defense in general. Like how are you, how is an organization planning their defenses not only for today and yesterday, sadly, but also for tomorrow? And the report goes into very, very good detail about what's happening now and the evolution of it and can kind of point toward where we're headed. And obviously, you can't go anywhere forward thinking without talking about AI and LLMs. So, do you, do you want to start there? I'm going to start with you, Garrett. Like, what do you what do you think is going to be the impact of GenAI and LLMs moving forward?
I'll start with one specific form of AI, which is agentic AI, which I think particularly scares me because of how uncontrolled it is and how much access that we're giving it within the environment to operate as if it is a person on a keyboard taking actions. And we're, a lot of organizations are, the app teams are building or implementing these things without consulting the security teams to understand what is the risk associated with providing this agentic AI solution access within the environment. So I think it's on the security teams, if you haven't already, to start taking stock of what is being used by your app teams in terms of AI within the environment, and what is the access that that AI has within your environment, because there's going to be risk there that those app teams didn't think about. You know, they're always focused on how do I build the next widget that improves the customer experience or saves cost or does whatever to drive the business? Security teams need to figure out how to inject themselves into that conversation, much like we did maybe five years ago with trying to inject ourselves into SDLC processes. It's time to look at how do we do that for all these agentic AI solutions that are maybe not developed in-house, purchased third parties that we're implementing, and how do we assess that risk? For me, that's a target for ransomware and attackers in general to figure out how do I leverage these agentic AI applications running within an organization's environment?
That's a great point. And have these conversations with your vendor partners as well. A wonderful conversation I had with Ofir Shen of the Hunt team on a SIG Download episode a little while ago was talking about how there are there are vendors, security vendors, who are communicating back with these large LLMs, and they aren't necessarily being forthcoming with this to the customers, about where their data is actually going. So start that conversation too, because, to Garrett's point, you can't fully understand your risk until you know what your radius is, what your possible threat landscape is. From an operational perspective, Roger, do you have anything you wanted to add here?
Yeah. So again, you know, you said operational, and you're absolutely right. So I'm impatient with wanting to roll out protections and respond to anything that's a threat. Right? Get ahead of it. Stay ahead. Right? So I, I'm not saying this is the right thing for everything, for everybody. But in my world, avoid analysis paralysis. Right? It's like, oh, let me totally understand my entire infrastructure before I put a defense in place. That is a mistake, in my opinion. My opinion. Right? There are things that you can absolutely do that make a difference that's controllable. So one of the things I hear, oh, microsegmentation, very hard to roll out. It may be more true for a legacy network, but if you have new networks, if you have new environments, start there. Get that microsegmentation in place in a very basic way. Hey, I don't have WAF in place other than you have a small hardware firewall in front. We'll get that cloud WAF in place and put it in alert mode, put it in some. You get basic protections and awareness just by having it in place, even though it's not fully tuned. And then when we talk about LLMs and AI, yes, the approach, like you said, do your inventory, understand what's in your world, but don't, you don't have to make it 100%, get some protections in place with what you have now, because there are some really strong firewalls for AI out there for that specific segment. Why not put that in place and say, you know what, I'm going to put a simple rule in place that Social Security numbers, HIPAA. You know, whatever your sensitivity is, is not allowed to cross borders, or at least let me know when something like that is out there. So don't hesitate. Get those protections in place, even if it's not perfect. Don't get stuck with analysis paralysis that prevents you from protecting yourself at the end of the day.
Oh, I love that. Perfect is the enemy of done. Okay, I know, coming from a recovering perfectionist, it is certainly true. I can't believe we're already out of time. We certainly could have had, we could have extended this for a long time, but I will let everyone have their time back. Thank you so much for joining. Here are the links to the actual SOTI. And then, of course, our security research, which is very all encompassing. Any anything from malware analysis to threat statistics and everything that we've talked about here today, not only what's going on today, but what's happening tomorrow. So please check that out. Any relevant links you can find in the attachments tab. And if you have any questions, comments, concerns, jokes, even a song. Love to hear it. Reach out to us directly and we will get back to you. Thank you everybody. Cyber nara. Good one.