Michael Hamilton. PHOTO: Stellar Cyber.

A Discussion with Michael Hamilton, Founder of Critical Insight, and Stephen Salinas, Stellar Cyber

The latest trends, challenges, and solutions in the cybersecurity landscape

Stephen Salinas, Head of Product Marketing, Stellar Cyber

San Jose, Calif. – Mar. 1, 2024

Steve: Good morning, good afternoon, good evening. Thanks for joining us today. My name is Steve Salinas. I’m the head of product marketing here at Stellar Cyber. And today I’m joined by Michael Hamilton, the founder and CISO at Critical Insight.

Today what we’re going to be talking about is this really terrible new tactic that attackers are taking: targeting patients and threatening them with potentially spilling their confidential information, and doing other bad things to them unless they get paid some money.

Mike’s done a lot of research on this and knows a lot about this type of attack or type of technique. So, Mike, what can you tell the audience about what you’re seeing out there?

Mike: Well, Steve, I think it’s an evolution in tactics that’s driven by a number of things.

First of all, yes, they’re contacting patients themselves and saying, “Hey, pay us, and we’ll give you your record. And just like we make it exclusive for anybody else that buys it, if you buy it, we won’t sell it to anybody else.” So you’ve recovered your information. This is, of course, freaking people out.

Some of these are accompanied by threats of swatting — we’ll send a SWAT team to your house. Again, on the change in tactic, I think there are a couple of things at play here. Number one is there are a lot of stolen records for sale in a lot of dark markets. How do you differentiate your records from somebody else’s on anything other than price? What they’re trying to do is find new ways to monetize these records.

This one doesn’t seem to scale, right? Trying to go to every patient individually and get 50 bucks from them is a whole lot of work. So I think the other thing that’s at play here is it’s a way of using our own statutory underpinnings against us. Let me explain that.

It’s common today — right after there’s an unauthorized disclosure of protected records — for a class action suit to happen nearly immediately. And I think all the bad guys know that they can threaten the victim organization with stirring up all of the sentiment here, the psychological torture, with the victims whose records were actually stolen, to get them interested in being a plaintiff as part of a class.

And that organization is going to want to stop that immediately. They don’t want to be subjected to a class action suit. The insurance companies don’t want to be subjected to class action suits.

So I think it’s, yes, a way of additionally monetizing these records. But it’s also a way to further incentivize or coerce the organization into paying them the ransom. Pay us; it’s cheaper than the class action that you’re going to get if we go terrify all of those patients.

Steve: Yeah, that’s wild. I mean, that is definitely an attacker, unfortunately, being forward-thinking and trying to get to the actual victims of the breach itself.

Let’s say you are someone who gets this call. I would imagine the recommendation is, don’t trust the attacker, don’t send them any money, contact the organization where the data may have come from. Or, what would you tell someone that did get one of these calls?

Mike: Well, first of all, it’s not up to me. It is up to the organization to manage that communication plan. It’s very hard to have a blanket policy and just say, don’t pay. Because people are going to be in all kinds of psychological hurt around this.

Organizations need to start thinking about these new tactics, and what will you do? And work with your insurance company to say, what is our policy going to be? How are we going to minimize the impact to us, the organization, when this kind of thing is going on?

I think that they’re going to recommend reporting to law enforcement, so that law enforcement can aggregate how many cases of this there are, and start to really investigate. And if this does turn out to be domestic, get some apprehensions, and some prosecutions and some convictions that will act as a bit of a deterrent.

Steve: These organizations, what kinds of things are they trying to do to protect themselves, or their patients, really?

Mike: When you’re talking about managing risk, there is the likelihood of a bad outcome, and the impact of that outcome. And buying down risk, addressing that likelihood, is preventive controls, right? Firewalls, train your users, all of that.

However, once you’ve exhausted all of the possibilities of buying down that risk through the application of preventive controls, you turn to that impact term. And that impact can best be moderated, mitigated, and minimized by good detection and response. Your monitoring platform, how you aggregate events, what kind of eyes you have on them.

You need some kind of SOC solution; your SOC needs to have great tools. You have to have eyes on, and it’s got to be 24/7. And that is the way to minimize risk, by addressing that impact term.

Steve: So, from a Critical Insight perspective, what sort of things can you offer these organizations that are going to start to look at this and say: I need better detection and response, I need better tools, I need better ways to mitigate this risk?

Mike: Well, we are that SOC solution for those organizations that are just not financially prepared to go hire enough people to have a 24/7/365 operation. You need to have eyes on.

And as you know, we have invested in the Stellar platform so that we can maximize our ability to detect these things. The detection analytics built into the platform are, if I could say this, stellar, with UEBA, the machine learning, and the development of a statistical baseline of average behavior.

The Emotet Trojan — we didn’t see it, but you’re acting weird enough to where we think someone ought to investigate this. That nuance right there: no more just signature-based detection analytics; now it’s about behavior and things like that, and your deviation from your norms.

That is what allows us to get in front of these things faster than anything else and make sure that, again, we contain the impact to, oh, somebody had to clean up a workstation. And not, oh, the FBI called, and all of our records are for sale online.

Steve: Absolutely. And I think for a lot of organizations, it just makes a lot of good sense to not try to build your own SOC from the ground up. It takes a lot of resources, and it’s going to take a lot of time before you’re even going to become operational.

Well, thanks, Mike. And thanks everyone for joining us for this short, little vlog today. And if you have any other questions about Critical Insight or Stellar Cyber, definitely reach out to us. And have a good afternoon, good evening, or good morning.

Mike: Thanks, Steve.

– Stephen Salinas is the head of product marketing at Stellar Cyber.

About Stellar Cyber

Stellar Cyber’s Open XDR Platform delivers comprehensive, unified security without complexity, empowering lean security teams of any skill level to secure their environments successfully. With Stellar Cyber, organizations reduce risk with early and precise identification and remediation of threats while slashing costs, retaining investments in existing tools, and improving analyst productivity, delivering an 8X improvement in MTTD and a 20X improvement in MTTR. The company is based in Silicon Valley. For more information, visit https://stellarcyber.ai.