More often than not, the first thing that comes to mind with the term “cyber threat” is something external. But did you know that internal threats are just as serious as external ones? In this episode, Matthew Stephenson sits down with technologist Kurtis Minder, the Founder of GroupSense, to discuss how to watch out for cybersecurity attacks from the outside and issues that happen inside your team. Tune in and learn the best game plan to protect your business from those problematic internal threats!
Kurtis Minder: Whisper To The Insiders To Protect Them From The Outsiders
Welcome to the show brought to you by Elevate Security. Hopefully, we’ve spent some time together talking about cybersecurity, insider threats, and a few different things over the years. Here in the show, we’re bringing you the top experts in the industry for a chat about anything interesting in keeping our world secure. Speaking of keeping our world secure, I say this all the time. I’m excited but every once in a while, I need you to know that it’s in a different font than what you’re reading because we have Kurtis Minder.
Kurtis is the CEO and Cofounder of GroupSense. He is the Managing Director of GoodSense Cyber. He has spent 25 years in IT and on many sides of the security world, including as a Founder and Startup Advisor. If you watch television or scroll the internet, you’ve probably seen him everywhere, including a TED Talk called What You Need to Know about Ransomware.
He has been called the Ransomware Whisperer by no less than New York Magazine when he is not working to save the world from alternative business people. He is a Former President of the BMW Bikers of Metropolitan Washington and an active member of BMW Motorcycle Owners of America. Kurtis, welcome to the show.
You’re too much. Thanks for having me.
This is just your thing. I’m reading a list of things that you have in one of those weird pocket notebooks like, “That’s what I did today.” Let’s open up first. We ran through the CV. I love to shout those things out because we’ve had some incredible guests. You are continuing the lineage of these amazing people. You’ve got two major operations going on. One is GroupSense and one is GoodSense Cyber. I’ll let you pick where you want to start. Give us a little bit of info about what’s happening over there.
Thanks for the opportunity to do that. I founded GroupSense years ago. It was a questionable life choice at the time to start a business. It’s primarily a bootstrap business. We didn’t go down the venture capital route. That allowed us to build a business that focused on customer outcomes because there are a lot of cool security products but sometimes they don’t exactly solve things.
I came from the security space. I’ve had many years working for several vendors. I could see where some of those were missing the mark for a lot of companies. We build GroupSense to deliver digital risk protection and managed intelligence products that are very focused on delivering outcomes for the customers. The GoodSense that you referenced was a side effect of that and arguably another questionable life choice, which turns out you’re not running a nonprofit but still running a company.
What a great idea. Let’s not make any money when we are doing things and trying to make money.
We’ll probably get into it later, but some of my ransomware work illuminated some problems that weren’t getting addressed with the commercial approach. I came up with a way to solve that to the best of my ability that’s always iterating. GoodSense’s mission is to help businesses that don’t have the facilities or capabilities to protect themselves or make some of these basic cyber hygiene changes while simultaneously helping universities with the cyber skills gap problem. That’s what we’re doing there.
The cyber skills gap is still a thing. We haven’t filled those 4.7 million jobs.
There’s a supply and demand issue. The talent that we have commands high salaries. The folks that can afford to pay those salaries are the largest companies. They bubble to the top of the pyramid. That leaves a huge gap for everybody else.
You are in an interesting position. I’m not saying you’re the only one, but you’re the one that I know so I’m going to ask you about it. Between GroupSense and GoodSense Cyber, you have fingers in a lot of pies and feet in a lot of grape things where you’re stomping out into wine. You’re working with organizations that run from massive large enterprise estate local government and also down to very small businesses. When you are doing the things that you do, how do you bounce that back and forth? Where do you find the things that one could benefit from the other that maybe they haven’t considered looking in that direction?
It’s funny you ask it that way. I do prefer the wine metaphor overall. A lot of times, large enterprises can act almost like a product R&D or solution R&D clearinghouse for everyone else because they’re going to experience the problems first. Their attack surface is much larger. The technology stacks do filter down eventually. The spectrum is large. On the GroupSense side, especially in the ransomware cases, I’m dealing with some of the largest companies in the world. I’ve flipped my hat around. On the GoodSense side, I’m helping a local print shop with the same problem. It takes some context-switching ability to do that.
As you can imagine, the audience that you’re dealing with is quite different in a multinational company. It’s the board, the CISO and deputy CISO, the internal and external counsel, and the cyber insurance representative. The print shop is dope or merry. In both cases, you’re operating as a bit of a counselor, almost a therapist, but it’s a very different approach in one versus the other.
You are what we like to refer to in the industry as a “good person.” When you come into some of these towns, you and I bonded because we came from a geographically pretty close thing in Central Illinois. Some people are like, “This guy is dealing with giant corporations across the world. How is he going to understand how to help me?” When it’s time to have those conversations, what do you learn from bringing big business into small business, also on the other side of that, small business into big business and remind people, “Once upon a time, you were the ‘IT guy.’ Now, you have a team of 300?” How do you make people understand that there is value in negotiating?
When I started a small business, I’ve done it multiple times. I know what that’s like. I came from a small town. My friends and family work for and/or own small businesses so I understand that space. That helps. The thing that I can pull out as a nugget for the audience out of what you asked is universal. As far as cyber threats are concerned, large companies are making almost identical cyber hygiene mistakes as small businesses are. It’s less defensible.
When I started GoodSense, one of the mantras I was saying is, “We want to de-risk technology adoption for the small business and individual.” The reason why I chose that phrase is that if you think about it, it’s unreasonable to expect the average person to understand and mitigate the risk associated with their technology adoption, which is necessary to run their business.
I have an iPhone. I’ve been a tech guy my entire life. Since I was a kid, I’ve been in tech. I have no idea what it does. I don’t know how it works. It’s magic. Put that in the context in places like a print shop, a small accounting firm, an eight-person accounting firm or a small architecture firm in a small town, they’re using all kinds of tech. It is unreasonable to expect the practitioners of that business to understand and mitigate the risk associated with it. It’s changing all the time. Even if they did for a minute, they’ve got a business to run. That’s the challenge for them.
For the larger companies, if anything is defensible for them, it is the number of people that are involved because people as we know are a huge risk area. They’re the entry point but also the attack surface, the number of devices and equipment in a company. It’s a volume problem for them but it’s not a knowledge problem. They know what they should be doing. They just don’t do it sometimes. Even some of the ones that we’ve heard on the news like the ransomware attacks where they say, “Our evil hacks X company,” I’m not going to use names, they didn’t even hack them. They just logged in. That’s frustrating because that’s the easy thing for you to solve.
Do we need to talk about the vocabulary word of hacking as opposed to anything else? “We just logged into your thing. We didn’t hack it. We had the password. It’s not that hard.”
When we do the ransomware response stuff, if we decide to engage a threat actor at the end, we’re asking a threat actor for a bunch of stuff. The obvious ones are, “Don’t distribute our files. Delete the data you took and give us the decryptors.” We also ask, “How did you gain access?” Sometimes they’ll give us detailed reports because they’re proud of what they did. They’ll be like, “We found a Windows 95 machine that runs the multimedia system that you never updated. We pivoted off of that using the domain creds that were in memory using Mimikatz, and then we used Cobalt Strike to pivot around your networking.” They’ll tell you all that. Sometimes they just say, “You use stupid passwords.”
It was a WMV file because it was Windows 95.
Sometimes it’s that simple. You do use stupid passwords. That’s it. We just logged in. That’s tough.
You have had a very interesting experience. How do we even describe you? New York Magazine did it best. The Ransomware Whisperer, you are the guy that everyone calls upon like when a Liam Neeson-esque movie villain is calling on things. When you look back on it and this is important back to the notion of insider risk, how do they know how easy it is to pick the right person? I say easy, not meaning people are dumb but they know whom to choose for these types of things to get in there. This doesn’t feel like cracking systems with hackers. This is about emails, social media, and texting. You’ve had a lot of experience with this. Good for you, but sadly for everybody else, how do we know?
The best way to look at it is the ransomware threat actors are running some version of a business. They have a go-to-market strategy and a target market.
They have a marketing team. They probably have logos on golf shirts.
Certain groups are opportunistic. There is no answer to your question. For those guys, they’re just casting a wide net. If you have poor cyber hygiene as a business, you’re going to get hit. They’re going to get you. Big game hunters might be focused on a particular vertical or a company even specifically. They’re going to do what you described. They’re going to look for people whom they can manipulate but also gain the most impact quickly. The deliberate hackers are targeting organizations but they also practice in what data they prioritize.
They’re going to look for people in the financial department and HR that have access to valuable records. They are going to target those people because that’s the people who are going to have access. If you’re negotiating with a ransomware actor and they have a copy of your finances, that’s a lot of leverage. They know how much money you made last time. They’re going to go for that. They’re going to look for a copy of your cyber insurance policy if you have one. They then know how much the cyber insurance company will pay out. That’s another big piece of leverage. They’re going to target folks who make the biggest impact possible. I’m not an insider risk person expert. You guys are.
You’re negotiating with ransomware people in Russia while on stage at RSA.
It was DEFCON.
We’ll get to that. That’s coming up in segment three.
They may not be looking for certain personality types. I don’t think they’re that sophisticated. They are looking for the folks that they feel will have the most impactful access as quickly as possible. Part of the reason they do that is I go back to the business analogy. They do have a cost of goods and an amount of time they spend. They have margins and goals. They would spend as little time as possible doing this. They have developed rigid programs around the target organization.
You’re more of a post-mortem guy. You’re the guy who comes in after the thing has happened. People are dying for you to help them save whatever they can save. Have you noticed any types of trends? When you look at this stuff, do you think, “Here’s where my weaknesses lie? I can offer you this information because I’ve been called into these types of things previously. This tends to be people, technology or culture,” pick your buzzword. Maybe tighten that one up a little bit.
I was not going to correct you but I was going to elaborate. When we started doing this in GroupSense, I was the only one doing it originally, but we have a team that does it now. It was 100%. I’m in DC, and I’m having all these meetings and they use things like left of boom and right of boom. The right of boom is where I was operating. You learn a lot and see the same attack vectors and mistakes over and over from sophisticated organizations.
What we did over time is develop a ransomware prevention program where we do things like help you triage those gaps but also look at your incident response planning. What I observed is the incident response plans that a lot of companies have had are incident response plans written for cyber incidents from years ago.
The thing about it is that years ago if somebody broke into your company, it was annoying and embarrassing. They took something, had you pay a fine or somebody got fired. It was not great. That’s what you wrote your plan for but that’s not what this is. This is 100% business operational interruptions. If you look at your plan through that lens, those plans break in a lot of places that you wouldn’t expect. A lot of companies were coming around and doing actual ransomware-specific tabletop exercises and things like that where they test this through. We facilitate and help in those.
We have learned a lot about what happened to the right of boom. We are applying it to the left of boom. It is a cool lens to see. When you distill it down to a handful of basic changes that companies can make and a lot of them don’t cost a lot of money, you don’t have to buy a lot of products and there are basic policy and planning changes, you can make an impact on the front end.
Our producer Sharon is going to be ripping the hair out of her head when I ask you this question about technology versus people. It feels like the last couple of years have not had a whole lot of innovation. We’ve seen some dot releases of stuff and we’re like, “That’s cool. We can do this.” People continue to evolve. With what you’re doing at GroupSense and GoodSense Cyber, you have to address the idea of people.
How do we come into a scenario and say, “We need you to get better?” People are people and they’re going to react in a way. You’re like, “Don’t click the link.” They’re like, “I never clicked the link.” “You did.” How do we get them to understand in a way that it’s all of us versus all of them? What can we do? You’re a technology guy but also a culture guy. How do we bridge that gap? No pressure. Let’s solve this problem for all of us.
I have two answers to that but I want to tell you a funny anecdote first. We use a bunch of the typical security training and awareness programs. We phish ourselves like everybody else. One of my executives is not in the engineering organization but he’s a technical guy. He got one of these phishing emails. He suspected it was but he didn’t want to click on it. He’s smart. He is like, “I’m going to test it.” He thought the right way to test it was to copy the link and visit it in a Tor Browser. He thought that would save him from getting caught.
Readers, I know that you can’t see this but if you could see the look on Kurtis’ face while he’s telling this story, it’s amazing.
It was so much fun. We shamed him forever. We tried to walk through like, “Tell me the logic of how you thought this was different from clicking on it in any other browser.” I want to tell you that anecdote. First, psychologically, people have to understand the why. Where you were alluding to is how we get them to understand the why. Why should they care? People are inherently concerned about themselves first. I wasn’t going to use the word selfish but that’s human nature. The why has to involve how it impacts them specifically.
Let’s go with the Oxford English dictionary definition of what self-ish means. It’s changed over the last 170 years but in 1850, it was self-ish. It makes sense.
The other part is once you’ve communicated the why, you have to have a way to measure it in process. You can’t improve what you don’t measure. You have to be able to measure if it is improving. You have to somehow take this very soft thing and make it somewhat quantitative. It’s those two things combined that can make an impact in an organization.
Going back to the why, you mentioned my TED Talk. At that TED Talk, I make this overreaching idea at the end where I challenge the audience and say, “Doing some basic cyber hygiene changes at the personal and professional level deliberately at your cost and time is a form of civic duty and patriotism.” You stress that out and say, “Think about what’s happening. Who are our adversaries?” In almost every cyber incident case, it is a foreign actor from typically an unfriendly country. If we’re going to stick with ransomware, what are they doing? They’re interrupting our operations, taking copies of our data and demanding ransoms some of which get paid. That money leaves the US economy forever. It will disappear and be gone.
They’re stealing from us, impacting our economy, taking our data and interrupting our operations, which is warfare. If I as an individual knew that there were 5 things that I could do that would make it 90% more difficult for that person to achieve that goal, that would be a patriotic thing to do. It’s a big part of the why. That’s the national security why and then there’s the business why. Everybody’s going to lose their jobs and money if we keep getting ripped off. It’s happening. Companies are going out of business over this.
We’re going to click a little bit hard on this. For those who have been with us a little bit, they know that we do hard segues that are embarrassing in their ham-fistedness. Industry legend Richard Steen said this about you. I wish that this was a video just to watch you blush. This is a quote. “Kurtis is the most empathic cybersecurity CEO I have worked with. He leads and nurtures his team to build a healthy company culture. His self-effacing manner serves him well with employees, customers and partners alike.”
I’m trying to remember if I bought him dinner or something.
I don’t think you did. He probably just said that because you are you. I want to ask the question about empathy because that’s interesting. An employee has passed all of his or her video security things and is all up to date, sometimes they get beat. When you have to come in as a CISO or as a company hired by a CISO and say that you just were part of a massive data breach, what do you do? Can you even rescue that employee from his or her position? Can you rescue the team?
That’s why being a CISO is a hard job. The answer to that addresses the business culture and how they would prosecute that inside the organization. From a human level, it’s so subjective. If it’s blatant negligence, you have to be punitive to the person because it sets an example that negligence is dangerous and costs the company money. People will lose their jobs.
In the scenario that you built out, the person did everything right and it still happened. The fact is if someone is targeting you or an organization, they’re going to win. The adversary has infinite time and if it’s a nation-state with probably infinite resources, that’s not a fair fight, which is another reason why a CISO’s job is hard. I always make this joke, “If you’re a CISO, your enemy is Russia. Here is $5. Good luck.”
You have had the experience of coming into a lot of different types of companies. It’s been private, public, massive enterprise and small business. When you’re looking at where the weaknesses are when it comes to insider threats, like witting, unwitting or malicious, and sometimes you get beat, is there something that you have seen that runs the gamut that you can offer these ideas to the dentist office in Central Illinois and the Department of Defense in DC?
This is why you and I need to write a 1,200-page Infinite Jest-style novel on this stuff because there’s too much to talk about. Yeah. Is it defense? Is it your overall preparation for culture? You don’t have to play defense if you’re already set. If the zombies in The Walking Dead come walking up and realize they’re not getting in there, they are going to go somewhere else. In your experience, can you put people in a position to not even have to play defense?
I don’t want to use a buzzword but the least privileged approach and zero trust approach is one way to protect yourself. This is going to sound awful but you can’t necessarily trust your employees, even the good ones. Sometimes it might be malicious.
Trust is a hard word too though because it has historically had this positive meaning to it. Where we are, it’s not about, “I can’t trust them to not cheat.” It’s more like, “I can’t trust them to not know that they’re just getting beaten by somebody better.”
That’s my point. A lot of times, it’s not even malicious. They’re human beings interfacing daily with complex technology that they don’t even understand. Least privilege and zero trust, from a technology perspective, are important. It’s an area that we operate in daily. People underestimate the amount of solicitation there is for insider threat activity. Being aware of that and how it might be proliferating in your particular discipline or industry is important. For example, there are whole Telegram channels where people pay for people to click on things. The likelihood that these people get caught is very low and it looks like an accident.
It’s pretty low risk to somebody who maybe has hospital bills that they can’t pay. When the economy’s down, people get desperate and do desperate things. They do tend to target industry by industry. During COVID, we did a lot of anti-fraud stuff. There was a whole marketplace of people who worked inside the banks who were advertising how you could get a PPP loan that they would rubber stamp and get paid back channels. Understanding the mechanics of this underground marketplace soliciting insider behaviors is also important. I’m bent toward that because we spend a lot of time doing cyber espionage. We used to spy on bad guys all the time. Alternative businessmen keep you awake at night. It’s not a great job, honestly.
We are going to end this segment. It’s fun for you. It’s not necessarily fun for everybody else but you got some stories. It’s been a couple of months since you and I did the last thing. Someone was like, “You do like cybersecurity with ransomware? Tell me something cool.” I’m going with that style of question. Tell me something cool. What is a fun story that you have had to deal with over the last couple of years?
One of the things that we have to be good at is following the alternative businessmen around to make sure we understand their tools and tactics. Being on the front end of that, we’re able to recognize other operators. It’s been fun to make friends with other researchers who are doing the same thing we’re doing. We recognize each other in these very nefarious places.
It’s like cloak-and-dagger. I’ve had some fun connecting with people in that space in person where it’s like, “That was you.” It’s fascinating how the cyber and the real-world Venn diagram overlap like that. What I was going with the whole thing is getting in front of where the threat actors are going from a strategy perspective is fascinating.
To throw the predictions out there, the number of ransomware attacks seems to decline. I want to be careful about that because it does seem to do this rollercoaster thing. It’s been on a steady decline for a bit. Fewer people are paying the ransoms, which is probably part of that. What we’re also seeing is a threat actor is ditching the encryption part and going full-on extortion because it’s easier and cheaper. That’s the direction this is headed where we’re going to see less of the encryption and more of the extortion component as the bulk of the attacks. We’re seeing discussions about that from a strategy standpoint from the bad guys.
I’m going to harken back to our Central Illinois days when I was working at the legendary Co-Op Records and Tapes and you were undoubtedly coming to buy not vinyl but CDs. It was the transition from hair metal to grunge. Come with me, readers. This is where we are evolving to. It’s not so much ransomware. It’s just straight-up extortion. If you don’t do this, I’ll do this.
Watching how this is all playing out in Australia is fascinating, how Australia is handling it and the fallout from that. I don’t have an opinion yet on whether that’s a good idea the way that they’re handling it but it’s an interesting approach. It’s evolving daily.
Make sure you subscribe, rate and review the show because when Kurtis has an opinion, he’s going to drop it here and it’s going to be awesome. Let’s shift a little bit. You and I have done a few different episodes on a few different things over the last couple of years. This is a question I’ve asked you before. We are in a very strange period on earth. No pressure. Is there anything that you’ve got your eye on that’s in your peripheral vision but you’re thinking, “Maybe we should focus a little more forward on this?”
First of all, I have all kinds of stuff I want to try and do and problems I want to try to solve. I have to be careful not to oversubscribe. I’ve already done that.
You opened your second non-profit company after you’re already running the other one.
It’s lunacy. One of the things I talk about is how we stop foreign cyber incidents from occurring. I had a list of four things. There’s prevention. Getting in front is the cheapest. There’s technology, which we’re getting dot releases or not getting real innovation. I have a whole theory on why that is. That’s a different show. I make a bunch of enemies in the venture capital space when I do it.
The third one is policy. That is something I am working on. If this is truly a national security issue, the government needs to play a role in solving it as well. They can’t all fall on us as individuals. I’ve been working on that. I’ve been interviewed by the Senate and spoken to the small business committee chair in Congress. I’m trying to influence the government and it is slow. That’s a long game.
The fourth one is consequences for the threat actors. They’re mostly operating in countries where we don’t have extradition. We’re not going to be kicking in their doors easily. I do think there are some ways to address that as well. I’m looking at creative ways to make an impact across all four of those. Things are crazy over the top but I’m pursuing all of them.
Let’s move over to the Leadership Corner. You’ve established that you are moving in that direction. What are you doing when you’re not doing this? We talked about motorcycles before. You got books on the coffee table and magazines in the bathroom. Are you cooking or is it just too much? I have to get on my motorcycle. I have to go and drive to and from security things.
I have been home. I want to ride my motorcycle but I can’t. I’m working a lot and that’s taking up most of my time. I am a fitness nerd. One of my outlets is meditation and journaling. Fitness is part of my daily routine, which keeps me relatively sane. The wine helps. I don’t have much of a personal life at the moment.
Let’s be straight with each other. There’s nothing sane about your approach to anything. Sane is relevant.
I enjoy what I do and it has a purpose. The purpose is important to enjoying life. It’s not about a paycheck necessarily. It keeps me going.
You are keeping things going. This is an elegant segue into Shameless Plugs. When you are out doing this, where can people find you? You are going and speaking in front of people. There are TED Talks, social media, websites and multiple companies. If people want to find out more about what you’re doing, where can they go? I found Kurtis because he popped up in my Apple newsfeed and I was like, “Central Illinois. I’m from Central Illinois. Let me send an email to Info@GroupSense.com.” He got back to me right away because he’s awesome. If folks want to steal more time out of your life outside of me, what are you up to?
You can go to GroupSense’s site to see where I’m speaking. I also have a speaker page on my personal page, which is KurtisMinder.com. I have some blog entries there. If you care about my fitness, you can read about it. There are other people in the industry including you who enjoy that stuff. As for my speaking roster, it’s GroupSense.io or GroupSense.com. Both work. It tells you what we’re working on at the company as well as my and other team members’ public appearances.
Readers, this is not false modesty. I am pulling things out of him on some of the things to talk about because it is super relevant. The fitness thing is super relevant for any of us who have wrestled with any type of body dysmorphia or any type of thing that you’ve gone through. There is an amazing blog that is on his site.
It talks about reducing friction. It is a relevant and interesting read on how you approach anything that you want to do. This happens to be written about fitness and health but it can be about anything that you want to do. I’m not going to cry because that would be embarrassing. Elevate would not be happy and Producer Sharon would be like, “That’s the last one we’re doing like that.” That’s it. Kurtis, I reached out to you late. I’m like, “Can we record fast?” You’re like, “Yes. What do you want to talk about?” I was like, “I don’t know. What’s on your mind?” Here we are. Thank you.
Thank you for having me. It’s always good talking to you.
Trust me, we have so many more things to do. We established three more episodes just on what you talked about in this episode. Thank you for joining us on the show. For more information on all that’s good in the world of cybersecurity, make sure that you check us out on LinkedIn, Facebook, and the mothership, ElevateSecurity.com. You can find me at @PackMatt73 across all the socials. Kurtis, one more time. Do you want to tell anybody where you are or have we done this enough?
No, that’s good.
Subscribe, rate, and review. Give us five stars. If you only give us four, I am inclined to think you are a hater. We’ve got guys like Kurtis and women like Masha. We’ve got many amazing people coming to the show. As long as you come around, you’re never going to miss what’s going on. We’ll see you next time.
Important Links
- ElevateSecurity.com
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- LinkedIn – Kurtis Minder
- KurtisMinder.com
- GroupSense
- GoodSense Cyber
- What You Need to Know about Ransomware
- Info@GroupSense.com
- @PackMatt73 – Matt Stephenson
About Kurtis Minder
Kurtis is the founder of GroupSense and has successfully raised the company from the ground up. Kurtis has over 20 years of information security experience spanning operations, design and business development. A disciplined and focused leader, Kurtis has ably guided the company in the development of an innovative approach to cyber intelligence.