Cybersecurity isn’t just about stopping attacks anymore. It’s about surviving them.
In our latest episode of Breach Ready Dialogues, Ira Winkler – former NSA analyst, multiple-time CISO, author, and one of the sharpest minds in cybersecurity – talks about what really happens during breaches and why “perfect defense” is a myth.
Key takeaways from the conversation:
- Nation-state attacks aren’t new. They’re just more patient.
- Many “headline breaches” aren’t technical masterpieces, they’re human failures.
- Attackers don’t need to hack you if they can hack your vendors.
- Logs, preparation, and communication before a breach matter more than tools after it.
- Cyber defense alone is no longer enough: resilience is the new requirement. It’s not “if” you’re breached, it’s whether your business can keep running when it happens.
Listen to Cybersecurity in Transition: From Defense to Resilience to hear why breach readiness, segmentation, and human awareness are now mission critical. If you’re responsible for security, operations, or risk, this episode is for you.
Agnidipta Sarkar: Hi, everyone. Welcome once again to Breach Ready Dialogues. I’m Agni and I have Ira with me and, uh, to me he’s a, he’s a guru, he’s a visionary. And you know, I, I don’t want to spoil his standard, but. Uh, there are times that people have, you know, targeted him instead of targeting the company. So, Ira, all over to you.
Agnidipta Sarkar: Welcome to, uh, dialogues.
Ira Winkler: No, thanks for having me. I. Oh, did you want me to introduce myself now or what? That would
Agnidipta Sarkar: be nice. That would be great.
Ira Winkler: Okay. So anyway, um, Ira Winkler, I’m currently the CSO at s um, and a company that focuses on CTEM and CRQ. And anyway, uh, my background, I started my career at the National Security Agency.
Ira Winkler: I was an intelligence analyst, then got cross-trained as a computer systems analyst, as they described. Um, I did a variety of things. After I left the government, I ended up investigating, I, I became a government contractor and as a fluke, I ended up investigating the Citibank break-in in 1994, which is dating me, but it was the first large scale publicly announced cyber crime for lack of a
Ira Winkler: better way of phrasing it. And you know, we end up catching the guy after a while and did a variety of different things. I’ve written eight books. Um, over my time, I was Chief Security Strategist at HP, Chief Security Architect at Walmart. Um. And on my side, my passion project is I run Cruise Con, which is essentially a cybersecurity conference on a cruise ship.
Ira Winkler: That’s kind of like a retreat that venture capitalists hold for the Fortune 100 CISOs. But I open it up to everyone. ’cause the people who need something like that the least are Fortune 100 CISOs, in my opinion.
Agnidipta Sarkar: Uhhuh. Yeah, that’s a great thing. I mean, uh, I’ve been hearing a lot about Cruise Con and the kind of feedback that comes from there is extremely positive.
Agnidipta Sarkar: But, uh, you know, tell me about your, uh, experience with breaches. ’cause you’ve got some very, very, uh, great stories to tell.
Ira Winkler: Yeah, I mean, depending on, like going back to data breaches, it goes, I mean, frankly. You know, I mentioned the Citibank break-in was my first foray into, I guess you’d say, the commercial world.
Ira Winkler: Um, I ended up going ahead and essentially being, you know, one of the lead investigators on the project where we were going up to New York, going through logs and. We had to invent mechanisms to actually examine data breaches and things like that. How to go through data, how to figure out how to prioritize what’s coming in, how to figure out, okay, how do we recreate sessions that might have happened months ago, if not weeks ago or, or days ago.
Ira Winkler: And so that became, um, fairly interesting to figure out, okay, here’s actually. In the world of cybersecurity. It’s interesting to see something tangible of such a scale, and so anyway, that became part of my original data breach experience. Then over time, you know, I’ve helped, I remember getting a call, for example, from a Fortune 30 CISO who was a friend.
Ira Winkler: And he was like, IRA, what does it mean when the FBI walks into your office and says, you know, we just wanna let you know that there’s malformed DNS packets coming out of our network and they won’t tell us anything more about it. And I’m like, well, it basically means you’re screwed. And he’s like, what do you mean?
Ira Winkler: I go, basically malformed DNS packets probably means that. You are being, you know, you have been infiltrated by China as an example, and the FBI was monitoring known nodes that China uses and so a traffic coming from your network and is now telling you this. So then I got involved in helping to do a response for that.
Ira Winkler: Um, you know, there’s been different types of responses I’ve done through the years. There’s been technical responses. For different types of data breaches. And there’s been actual, I would call it more operational responses. ’cause you know, my passion in many ways has always been the human aspects of cybersecurity.
Ira Winkler: And then actually it’s a little over a decade ago, the Syrian Electronic Army was pretty prolific, for lack of a better way of phrasing it. And they were compromising the White House, or I think they didn’t compromise the white. I think they did compromise the White House, come to think of it, but they were compromising.
Ira Winkler: And remember a big deal about compromising Oprah Winfrey, compromising Harvard, compromising the Associated Press. One of their compromises caused a big dip in the stock market. ’cause what they did was they hacked the Associated Press Twitter feed and said there’s an attack on the White House. I can’t remember the exact details, and that President Obama might have been impacted.
Ira Winkler: And all of a sudden that tweet caused a major drop in the stock market. So anyway, I got involved with a few of the responses and then I gave a presentation calling them a bunch of cockroaches, which they are. And they ended up hacking RSA, um, or hacking the RSA conference website because of me. It was kind of funny.
Ira Winkler: Um, and they’re like, who’s the cockroach now? I’m like, what the hell? What do I care if you hack RSA? You know? And then they hack the Wall Street Journal Twitter feeds to call me a cockroach. And then, you know, ’cause I investigated why. You know how they were able to do the RSA hack and I wrote up a summary of, eh,
Agnidipta Sarkar: it’s,
Ira Winkler: you know, it was, took a lot of effort, but it was really just a very trivial accomplishment in the grand scheme of things.
Ira Winkler: All they did was redirect a third party who handled their DNS of a vendor. That, uh, they hand, they basically, just to give you an idea on how breaches actually happen, nobody hacked RSA’s conference site. What they did was they realized that the RSA conference site, when you went to the site and initiated a software program that was initiated by a call
Ira Winkler: to another system. So it was like, I can’t remember the exact name, but it was like something, you know, like WW one, do you know? I forgot the name of the company. They ran Lucky Orange software, but you know. Anyway, so what happened was the people in the Syrian Electronic Army saw that there was that line of code.
Ira Winkler: They went ahead, figured out who was the ISP for that Lucky Orange provider. And then they went ahead and hacked this small ISP in the middle of the United States by just going ahead and sending them a phishing message, getting access to one of their salespeople’s e you know, logins. And then they were able to go ahead and essentially log into the administrative system and cha and redirect what ww uh, or what some like NSF one or whatever it was, to
Ira Winkler: An GER site. And so all that happened was, the way this massive hack theoretically looked was you went to the RSA conference site and it just put up a graphics page. You know, it just put up a page saying, who’s the cockroach now, Ira Winkler, when all they really did was not hack RSA conference, not hack the software vendor, but basically hack a small ISP and redirect a subdomain to go to an image file.
Ira Winkler: And this is the problem with a lot of data breaches. And then I’ve done other ones through the years that involve different sorts of like, you know, intellectual property, you know, that involved a whole bunch of, um, you know, potentially you. Sensitive data for customers and things like that, but a lot of these things are happening in that.
Ira Winkler: In that case, it was like RSA conference, Lucky Orange, ISP. So that was essentially a fourth party compromise to hack another website. And then the Syrian Electronic Army, after I said how trivial their hack was, then they went ahead and hacked, basically hacked the Wall Street Journal Twitter feed by guessing passwords there, and then they hacked BuzzFeed’s Twitter feeds to call me a cockroach again.
Ira Winkler: Then I wrote another article saying how lame they were and still cockroaches. And then what happened was I knew they would attack, in this case it was IDG, who was the home for Computerworld that I wrote the article for. So we prepared Computerworld staff as well as IDG staff for a potential hack that would happen.
Ira Winkler: And what happened was like clockwork, four hours after the article went live, these people were trying to go ahead and hack IDG by sending lame phishing messages. They tried to make a claim that it was their B team, but the reality was there is no B team for them. ’cause I got inside information on them and we were basically like their A team was just sending phishing messages ’cause they had a standard method
Ira Winkler: of finding out who were executives in the company, sending out executives in the comp, sending out emails as executives in the company, telling people that they should read an article, which they had to log in for. And you know, essentially everybody detected it because in the great irony of things, somebody left the company, they retired, they never changed their LinkedIn page, so they were getting an email message from somebody who left the company five months before.
Ira Winkler: This is how these hacks occur. You know, in this case, let’s face it, it was a fairly comical thing. You know, there have been data breaches I’ve investigated that have been more involved and more critical. The people who are actually professionals seem to be able to be, uh, how would I phrase it? So, you know, just did a recent one, Ragnar Locker, you know, where they were going ahead and trying to compromise a power utility.
Ira Winkler: Ragnar Locker. It’s a Russian hacker group?
Agnidipta Sarkar: No, the, the Syrian, uh, army. Is it the same group or are you talking about a new group?
Ira Winkler: Oh, no, it’s a different group. The, the Ragnar Locker people are highly professional.
Agnidipta Sarkar: Actually, until now, whatever you told me, it’s difficult for me to recap. So let me go one by one.
Agnidipta Sarkar: I think you are a wealth of information for me. So the first thing that you told me was. That when you do cyber, um, forensic analysis, it used to be tough in the early days, but now I think there are tools that do it in a, in faster way. But even then when, when, this is my experience that whenever there is a cyber forensic analysis.
Agnidipta Sarkar: People need to access all the logs, and if the logs are easily accessible, then good for you. If they’re not, then okay, that’s a different experience. But more importantly, until the forensics are done, you really can’t access any system that’s on the same connected path where the attack has happened. This was my first thing that I learned from you.
Agnidipta Sarkar: The second thing that you talked about was how hackers hack, and one of the biggest takeaways that I have from that is that you had prepared the IDG guys, that there’s going to be a potential hack. So the message that I got from you is that preparing for a hack is so much more important than just sitting and waiting, saying that, okay, we’ve put in cybersecurity, so nothing’s gonna happen to us.
Ira Winkler: Mm-hmm. Oh yeah. That’s a given. I mean, especially when you know, like the modus operandi of the attackers. And frankly in this case, obviously we had a very specific group, but you know, in many industries, you know, for example, that there are prolific hackers who are going after companies of certain types.
Ira Winkler: And if an organization is proactive, they can go ahead and proactively let their employees know that we are potentially gonna be a victim of some certain types of attacks. And clearly phishing attacks are among the most prolific ones. But at the same time, they’re also technical attacks. And you could tell your technical teams, it’s like, look, you really have to, for example, lock up.
Ira Winkler: I don’t lock up DNS lock up, you know, like you know the web, how like certain ports on your internet and things like that. ’cause we know attackers. Who are coming through are gonna be com are gonna be attempting to compromise, for example, outdated versions of this software. And we need to make sure that you have installed the latest patches on all the software or have at least taken mitigating controls on a lot of that.
Agnidipta Sarkar: And, and also look at privilege access to figure out, you know, if those are under control. Because sometimes if the hackers are able to get into. In any way that they’re able to get access to, uh, I mean, you’ve been there, right? There are, uh, sometimes there are super user passwords that, super user accounts that don’t have passwords.
Agnidipta Sarkar: But what I’m seeing is that’s the area that people need to freeze up as well because super users can be used to launch far more bigger, uh, things than just, uh. Defacing a website or doing something wrong, maybe a ransomware. Um, and, and I think, uh, that’s one area. But to, to your point, as you said, in in preparation, uh, do you believe that if people were able to keep everything at arm’s length from the critical assets, do you not do, do you think that make better sense?
Agnidipta Sarkar: Like, I mean to, uh, I, I know hospitals, for example, many hospitals. That we know about have a flat network. So everything is available once you walk in. If you’re able to beat the initial defenses, then you have the whole thing to yourself. But on the other side, uh, manufacturing plants for example, they have, uh, very different OT networks, very different IT networks.
Agnidipta Sarkar: So there is some level of segmentation to some extent, uh, versus, uh, let’s say a financial bank. And they would probably have more controls because they are more mature in cybersecurity.
Ira Winkler: Um, I mean it at, at some level, it depends. Here’s the reality of the circumstance. Do I, do I look at for, am I worried about the Syrian Electronic Army type attacks?
Ira Winkler: The answer is no. It’s almost comical how you know what they’re doing. Um, I’ve investigated bank robberies where I’m like looking at a person and basically they hacked an electronic funds transfer system. And instead of potentially stealing millions of dollars, they, they had no idea what they broke into and they turned it into a warez site.
Ira Winkler: And then they basically, and I’m like, you gotta be kidding me. You know, like they just had it for like little t you know, teeny bopper hackers to exchange software on it. And I’m sitting there like, you gotta be kidding. But I’m. I’m concerned about the sophisticated attackers, the ones who are skilled, the ones who are professional, like I mentioned, Ragnar Locker, who are gonna go ahead.
Ira Winkler: And basically go in systematically, go through data, figure out what data is, you know, there they have processes that they implement. They run it like a business, they run it very professionally, and then they download data and they lock up a company as well as theoretically they can, you know, in such a way to cause harm, which was essentially, for lack of a better term, the case of in many ways, the Colonial Pipeline incident.
Ira Winkler: Um, you know, and, and even in that case, the criminals specifically were not as good as you would’ve thought. I mean, they didn’t know how, I mean, the, like the FBI got 85% of the money back, and the reason they got 85% of the money back was because, you know, I forgot the name of the group. Now. You, you might know.
Ira Winkler: Um, anyway, it was, you know, Russian proliferate ransomware. What? Oh, DarkSide.
Agnidipta Sarkar: Yeah.
Ira Winkler: So anyway, like DarkSide is essentially a service provider. They provide ransomware as a service, and when you license their software to use in a ransomware attack, you have to pay them 15%. They’re just essentially a software, you know, ransomware as a service and the people who did it
Ira Winkler: did not know how to launder their Bitcoin and the FBI was able to track it back. Yet these people were fairly good at essentially phishing to get into the network. They were then able to do reconnaissance, figure out how to lock up the network. But even after all that, their execution was kind of sloppy in not being able to, and I’m, it’s a good thing, but they were essentially sloppy in how they were able to go through the follow up processes of laundering the money and taking care of stuff.
Ira Winkler: Um, I’m concerned about those type of people, whether or not it’s a hospital or whether it’s a, you know, a company with fairly good security.
Agnidipta Sarkar: Yeah,
Ira Winkler: exactly. Like you know, you could fault theoretically, Colonial Pipeline. At the time, I think the fault was not having multifactor authentication, which allowed for the attack to essentially proceed the way it did.
Ira Winkler: But if you could go ahead and pro proactively understand how attackers are gonna be methodical, the fact of the matter is. You need to go ahead and have as strong defenses as possible, whether you are a hospital or whether you’re a Global 10 company. And this is where people are like, you know, ’cause the reality is that.
Ira Winkler: Attackers can come in and take over a hospital in, in like a half hour probably. You know, if they get access to a Colonial Pipeline, takes a lot longer if they even attempt to get into one of the large banks. Sorry, I don’t want, I can’t mention my, don’t wanna mention my former employers, but going through there, God, are you gonna have a, a nightmare to try to get through all the defenses?
Ira Winkler: Not that nothing’s, you know, let me, there’s no such thing as perfect security. Let me get, you know, I want to say that.
Agnidipta Sarkar: Yeah.
Ira Winkler: But the, the more advanced organizations do have much better cyber hygiene. They have much better advanced cybersecurity. They have much better monitoring in place for things as they’re happening
Agnidipta Sarkar: even now.
Agnidipta Sarkar: One of the things that is worrying me, and I, I fully agree with you, that I’m no longer worried about the hackers that were there earlier because the techniques that they were using. But right now the worry that I have is that the attackers have become. Um, they’re no longer, let’s say, a bunch of guys in a dark room trying to, you know, look at the web.
Agnidipta Sarkar: They’re smart guys, they’re educated. The, the kind of attack that they did on, uh, on the help desks, right? In recent times, right? There have been three or four of them, can’t. Marks and Spencer and JLR, and. And then this MGM, what was it? MGM, yeah. MGM somebody went up to the help desk and they, they picked up the phone and they threatened someone in, in, in impersonating someone in the organization.
Agnidipta Sarkar: Now that requires knowledge, skill, understanding of how the company operates. So there is enough recon done. Also, whoever’s on the phone, he’s, he needs to speak good English. The, the, the amount of the kind of language that somebody in a senior position would speak, right? It, it cannot be, you know, there used to be early days when there used to be these scammers who speak in a very
Agnidipta Sarkar: uh, faulty language and you could detect this guy is not the right guy. But now it’s becoming more sophisticated. People are going off, and large companies are falling prey to it. Like I, I never expected, uh, F5 to get breached.
Ira Winkler: So I, I, well, let’s take a step back and look, for example, at things like SolarWinds and F5, those are different types of hacks, and let me tell you why those are different types of hacks.
Ira Winkler: SolarWinds and F5, put them together. This is, you know, the, the SVR or China, or, you know, ru, you know, SolarWinds was the SVR, um, F5, I can’t remember if it’s China or Russia. It doesn’t really matter. But if you have a nation state that is intent on getting into a private company, and these are, these are very targeted supply chain attacks because they realize that once they can get into these type of software,
Ira Winkler: they can get much more, they can get further access. Not to a targeted company for a quick hit, but for many, many companies.
Agnidipta Sarkar: Absolutely.
Ira Winkler: And, and this is one of the biggest things that people really don’t understand, that when you start getting into these companies, there’s a lot of effort putting in, and I’m even gonna go back to, so a lot of people think Kevin Mi, Kevin Mitnick was not that misguided teenager.
Ira Winkler: Kevin Mitnick, when he was doing his things back in the late 1980s or whenever he committed his original crimes, he was working with an accomplice and their goal was to put back doors into every major computer company. Like I worked for HP, which acquired Digital Equipment Corporation, and they had a, and vendors all over the world had to stop what they were doing
Ira Winkler: to reevaluate every line of code that went into their software because his goal was to put back doors in, to have back doors into every type of, you know, software operating system out there. And those are devastating types of attacks and it caused those a lot of grief and aggravation. And this is essentially what the SVR and, you know, with SolarWinds and F5 have done.
Ira Winkler: They have been able, or they are trying to go ahead to get into other organizations with trusted software and be able to go ahead and, and commit acts of espionage or whatever the case, you know, whatever their end goals are, whether it’s sabotage. ’cause there’s the whole concept of information warfare, which is now cyber network operations.
Ira Winkler: There’s cyber network defense. There’s cyber network exploitation and there’s cyber network, um, exploitation and, oh, what’s the last one? One is essentially gathering intelligence. The other is to commit acts of war, essentially, where they’re prepping the battlefield and then being able, for example, to shut down the network at the touch of a button.
Ira Winkler: And these type of things are very, very dangerous and critical. Now, Russia getting in, I frankly, the SolarWinds damage that they did and the acts that they did, they got into a lot of organizations because of this. But do I blame SolarWinds for falling victim to Russia? Frankly, if you’re gonna blame SolarWinds, blame the US Department of Defense ’cause they have fallen victim, blame all energy companies ’cause they have fallen victim to Russia and China and everyone else.
Ira Winkler: You are not gonna essentially stop a nation state given that they have unlimited time and unlimited resources to go against you for strategic. And when I mean strategic, I mean long-term, decades out type of activities. They’re gonna be highly focused, put a lot of money and effort and time, and some of the best minds in the world to targeting you.
Ira Winkler: So do I blame SolarWinds? You can make an excuse of, oh gee, they got in this way or that way, but it still took the SVR to get in. Not a little script kiddie. Then you go ahead
Agnidipta Sarkar: and I think
Ira Winkler: because,
Agnidipta Sarkar: sorry, go ahead.
Ira Winkler: Go ahead. I’m sorry.
Agnidipta Sarkar: No, I’m saying the point that you were making
Ira Winkler: interrupt me.
Agnidipta Sarkar: No, I know, I know.
Agnidipta Sarkar: I mean, I, I, I hate to interrupt you because you’re telling a story. It’s so riveting. But the point I think that you were making, and that’s what I, what I wanted to get to is, um, it goes back to your original point, you know?
Ira Winkler: Yeah. I mean, it’s an area where the nation states are going. It’s an area where the criminals are going.
Ira Winkler: See, there’s a whole thing where, so am I theoretically worried about China or Russia, not worried about China. For a large extent, China is sloppy, China is egregious. China doesn’t care if they get caught. You know, a lot of what they’re doing is in economic espionage and that is a problem. But from a national security perspective, China might be prepping the battlefield and China just accused the US of doing the same.
Ira Winkler: Frankly, it’s, I saw like an article come out. Um. But at the end of the day, the same type of attacks that are being used for nation state attacks, there’s also a lot of sophisticated criminals who can do similar types of things, where they have a lot of good resources, they have this, and potentially they could go ahead and say, Hey, I’m gonna ransom when this has happened, um, in different regions of the world.
Ira Winkler: I am going to lock up your power grid until you pay me money. There was, for example, a, this was an old story, but so some Brazilian, I think it was a Brazilian company, hired a bunch of hackers, used Dr. Evil quotes for hackers to test their network and then they, the. Hackers thought they didn’t pay them enough and they locked up their network.
Ira Winkler: And that’s the type of stuff where, okay, choose your vendors wisely. But at the same time, you know, there are other areas around the world that have had, you know, attacks against the power grid. They’ve had attacks against the Maroochy. Uh, there was a, uh, there’s the story back, um, where this got Maroochy incident in Australia.
Ira Winkler: Where there was a network technician who was fired and he essentially went ahead and opened up all the sewage valves and things like that. ’cause he still had a way of, you know, accessing the equipment and opening up valves a little bit remotely. Um, so you have a lot of critical infrastructures that are vulnerable to the nation states, but in the grand scheme of things.
Ira Winkler: A lot of the nation states are not gonna take action. I’m more worried about North Korea and Iran ’cause they have less to lose. You know, the more somebody has to lose, the more damage that could happen. You know? But China, Russia, they’re not gonna do anything overly stupid. You know, to really create a, an act of war in theory.
Ira Winkler: Um, then you have the criminals. Some criminals, again, are very focused, like I said, Ragnar Locker attempted to lock up power systems and things like that, and that’s not a good thing. And these criminals are potentially getting in there with the potential act of creating harm for the purpose of profit.
Ira Winkler: Now, depending on what they do, might create more of a response than others. So for example, I think it was the same ransomware group, I could be wrong, that hacked Colonial Pipeline. That also hacked hospital systems, or I should say their affiliates, hacked hospital systems.
Agnidipta Sarkar: Yes.
Ira Winkler: And then all of a sudden blood banks
Agnidipta Sarkar: as
Ira Winkler: well.
Ira Winkler: Yeah. And, and, but the thing was, but the hospitals were more sensitive than banks. ’cause unfortunately people are like. Okay. It’s money. That’s one thing, but hospitals. Oh no, that’s wrong. And so what happened was the, the, the affiliate group basically said, we’re not gonna let anybody, we’re not gonna allow anybody in the future who, who licenses our, our ransomware to attack hospital systems.
Agnidipta Sarkar: Yes, that’s what they said. They actually made a statement on that.
Ira Winkler: Right. They may And
Agnidipta Sarkar: and especially children.
Ira Winkler: Yeah. And, but then what happened was, you know, they basically shut down and opened up under a new name and because they had such bad publicity and maybe they told their affiliates stay away from hospitals and children and stuff like that.
Ira Winkler: So there’s a little bit of control. ’cause they realize once the heat comes down on them. The problem is that lots of people fall victim, but law enforcement agencies are basically impotent when it comes to investigating a lot of crimes because there have been times where I have given law enforcement packages on crimes with a bow on top, and they want nothing to do with it.
Ira Winkler: Like one time, for example. I had a debit card that was cloned somewhere, probably when I traveled to Singapore and all of a sudden, like I noticed a pattern of withdrawals along an LA area because I was able to go ahead, I saw like 100, $200 withdrawals on a daily basis from a debit card that I had.
Ira Winkler: Luckily I had money that it wasn’t as critical as it could have been for a lot of people. And what happened was I put together a pattern. I opened up a map. I said, okay, here’s the places. And these people are going back to the same places every day within this period of time to withdraw money out of ATMs.
Ira Winkler: And I was giving that to the bank, and I’m like, okay, I want it. Here is the pattern. You could go to these stores, send an investigator, tell the police to wait for these people every day, and they’re like, okay, we’ll make a note of that. I’m like, I, I go, you don’t care, do you? I go, I can literally hand you these.
Ira Winkler: They’re like, okay, I’ll, I’ll put a note that you’re willing to help. And then the guy finally says, here’s the reality of the situation. We’re gonna get the money back. You know, it’s, I go, okay, then give this information to the ATM vendors. He’s like, the ATM vendors are insured for this type of stuff. And I’m unlike sitting there, these people are not showing up to that ATM every day to take my money.
Ira Winkler: They’re not going there for my money. They’re going there probably for a dozen cards at a time that they are hiring, probably whether, you know, I’m, I’m staying at it, but anyone from, you know, low paid people where they’re saying, go to withdraw and we’ll give you a little bit of money. You know, and they are hiring these people that this is a crime syndicate that is having people all over LA take out money.
Ira Winkler: Thousands and thousands of dollars on a daily basis. Grand theft across the board probably. And these people don’t care because there’s an ecosystem Yeah. That is absorbing this.
Agnidipta Sarkar: Yeah. So, so what I hear you saying is that not only that. You know, people are, I mean, some of, some organizations are very far from what you said in the beginning.
Agnidipta Sarkar: You know, anticipate, uh, probably an attack, build capabilities to contain them and then make it better every year so that you’re ready for the next attack whenever it happens, especially if you are in. Critical, uh, national infrastructure or in an organization that can be impacted negatively? We have seen attacks on blood banks.
Agnidipta Sarkar: We’ve seen attacks on hospitals. You know, the extension hospital that happened. Right? Which, right. They returned back, uh, you know, ambulances, it went to such a state. Uh, some of the people who reported online, I was reading and there was. Um, somebody in the who, who was probably, uh, some who had to give an injection and he found that he had the wrong injection to give the patient that he realized and he was, uh, a doctor probably or a senior nurse, and he realized that this should not be, be given to this patient, all that because of somebody was attacking.
Agnidipta Sarkar: So in addition to not only that happening, what you’re saying is there are some organizations who are completely NT because they have other means to look at it. They’re not looking at it as something that needs to be acted on immediately. The sense of urgency is missing. So what you’re saying is, if we have to be in the new world of digital, you know, advancement,
Agnidipta Sarkar: we need to be thinking about cyber defense and cyber resilience urgently. Is, is that the phrase?
Ira Winkler: I mean, I think every organization should build in cyber resiliency as much as cyber defense itself. Cyber defense means you stop, but resiliency implies you keep going,
Agnidipta Sarkar: keep going.
Ira Winkler: And when things happen, where things are built in, you would,
Ira Winkler: you account for issues that happen, ’cause there’s always gonna be issues. The question is, does a simple issue take you down, or does an issue, you know, come up and then you learn from experience? Where, you know, there’s a lot of flaky things over the years I found, where, you know, network infrastructures are kind of complicated.
Ira Winkler: You have a large company, and the large company uses a variety of vendors. And then, for example, if a vendor all of a sudden, like, I am not using this as one of my things, but, you know, I read about this for, not Walmart, but other companies. But if all of a sudden, like, a company runs a special and there’s an increase in traffic, a vendor, a network vendor might say, oh, this looks like a denial of service attack,
Ira Winkler: ’cause all of a sudden there’s a lot of activity going to this one site, and they shut something down. And that creates a major outage for retailers because a vendor thought they were practicing good cybersecurity.
Agnidipta Sarkar: Yes.
Ira Winkler: You know, that they thought they were preventing attacks because of a spike in activity.
Ira Winkler: And you know, these types of things happen, you know, to organizations of all sizes, where their third parties might be doing good. Their third parties might have an outage of something, or they shut something down they think is inconsequential, which is actually critical and sets off a cascade of events.
Ira Winkler: And so we need to prepare and build in resiliency and expect things to go wrong, and figure out how to troubleshoot quickly. I mean, we just, for example, had the AWS incident. Um, you know, was it, God, time flies, early this week, I guess Monday, uh, Monday. And when you look at AWS, AWS is not a bad company by any stretch of the imagination.
Ira Winkler: They’re handling the world’s web traffic and, you know, here was an outage.
Agnidipta Sarkar: I, I think I should interrupt you at this point because I’m cognizant of the time, and I know you can go on and on on AWS. Let’s have another meeting on that and record that point of view. But what I wanted to sum up, and because you touched upon cyber resilience, and it reminded me of something that
Agnidipta Sarkar: I, I, I was talking to someone recently on, uh, the, the Breach Ready Dialogues, and we talked about being unaffected. So if you are able to design your network in a manner that when there is a cyber attack, and if it can be localized in a particular area, that means you’re unaffected in the other areas.
Agnidipta Sarkar: And that business, as you said, it’s no longer about cyber defense anymore, it’s about resilience. It’s about the ability to remain unaffected, even if something were to go wrong. AWS was an example. Some companies who had multi-cloud deployments were probably unaffected, but, um, you know, maybe another minute on it, and I think we should close then because it’s
Agnidipta Sarkar: almost about the hour. Well,
Ira Winkler: I mean, a lot of companies do have multi-cloud. They have internal resilience for things like that, and so on. You know, the problem is, I think at some point you have to be realistic about your cybersecurity, ’cause not every company has the resources to be fully redundant, multi-cloud, and things like that.
Ira Winkler: If something happens,
Agnidipta Sarkar: yes,
Ira Winkler: things have happened to AWS, things have happened to Cloudflare, you know, and so on. So it’s not just this; at some point cybersecurity comes down to risk,
Agnidipta Sarkar: but,
Ira Winkler: and the question,
Agnidipta Sarkar: hold on, on that topic. Do you think attackers are attacking the perimeter now, making that the point of entry?
Agnidipta Sarkar: F5, Cloudflare, AWS.
Ira Winkler: So the problem is, if people are gonna go ahead and attack them, that’s awesome, ’cause those organiza, and why I say that is those organizations have damn good security.
Agnidipta Sarkar: Yes.
Ira Winkler: And those organizations, if they are go, I mean, of course the people with lots and lots of resources are gonna go after them.
Ira Winkler: The reality, why I recommend services like them, is that they have the resources to keep secure what they do best. An organization like, I, I, you know, like a mid-tier, mid-size company, is not gonna be able to protect their websites to the extent that AWS and Cloudflare
Agnidipta Sarkar: Correct.
Ira Winkler: You know, they can’t come close to doing that.
Ira Winkler: They don’t have the resources, they don’t have the infrastructure. And, is it, and so if I am a CSO of an organization, or a COO or a CEO of an organization, and I’m sitting here deciding, well, gee, look at this incident in AWS, I’m gonna pull everything back in. That would be the dumbest decision ever. And the reason is, not that maybe it might make a little financial sense, but at the end of the day it doesn’t.
Ira Winkler: You know, I know, even this is, this is not a secret. Large organizations around the world, for example, are still using Office 365, you know, and things like that. They’re outsourcing their applications to Microsoft, to Gmail, to Google, and everything like that. They still have the resources, theoretically, to create their own Microsoft Exchange servers, hire their own teams, but Microsoft has the resources to do it best in a cloud environment that provides for resiliency that companies can’t do themselves.
Ira Winkler: Likewise, they have the resources to constantly keep it secure and up to date. That’s not to say, if I was a, you know, if I was a criminal or nation state, would I be salivating to compromise the infrastructure? The answer’s hell yes, but at the same time, the amount of resources to do that means I’m gonna go somewhere else if I’m a criminal and my goal is money.
Ira Winkler: Theoretically, I can hope and pray that I’m gonna find that one way to get into Microsoft that’s gonna give me a gazi, be able to, like, extort them for a gazillion dollars, but at the same time you have a much easier time extorting countless companies for 10,000 here, a hundred thousand there, a million there, and that’s just where the money is easiest.
Ira Winkler: And so if I’m an organization, regarding resiliency, unless I am an infrastructure company itself, I’m looking to outsource my infrastructure. I am not, for example, gonna be a typical company that might try to create my own power systems. Maybe I’ll put solar panels on rooftops or something to get cheap, locally available electricity.
Ira Winkler: But I’m not gonna try to go ahead and create my own power plant, even though AWS and companies like that are doing that in some cases. And I understand it, ’cause that’s part of their critical infrastructure, but they are still gonna rely upon native resources to do the right things. Anyway,
Agnidipta Sarkar: I think you spoke long and thank you so much for that.