Las Vegas, NV―Black Hat 2024―How long do you follow up on a news story after it breaks? For most people, including journalists, follow-ups are rare unless they have a specific interest in the issue. However, for Chester Wisniewski, Director and Global Field Chief Technology Officer at Sophos with over 25 years of security experience, this lack of follow-up is a critical problem that needs to be addressed.
“There’s a lot of misinformation during big events as they unfold. Everyone speculates on what happened, and usually, the first few reports in the news are wrong, but it’s those which most stick in your head,” Wisniewski told The Readable during the Black Hat Conference on August 8. “Rumors spread quickly, and the truth often comes out much later—sometimes as long as six months—when a lawsuit is filed or after someone is called to testify before Congress. But by then, people have lost interest and forgotten about the issue, so they never really hear the truth.”
In an effort to break this vicious cycle of misinformation that distorts the facts of security incidents and prevents people from learning valuable lessons, Wisniewski recently launched a podcast called “Security Take Two.” He cohosts the show with Ben Verschaeren, Director of Sales Engineering at Sophos. The podcast is independently operated and recorded on their own time on weekends, using their own equipment to keep it separate from their company’s business.
According to the podcast’s description, “Security Take Two” aims to offer insight, depth, and breadth on topics important to the information security community. The hosts revisit these topics once the truth is known, uncovering lessons that can help prevent similar incidents from occurring in the future. The title reflects both the hosts, Verschaeren and Wisniewski, and the podcast’s approach of taking a second look at security headlines “once the dust has settled.”
“I thought, ‘Let’s go back and review incidents after some time has passed to see what lessons can still be learned,’” Wisniewski explained. For example, the first episode of Security Take Two dedicates 46 minutes to dissecting the Medibank incident—Australia’s worst data breach, which exposed the personal information of 9.7 million Australians in late 2022. It was ultimately revealed that Russian cybercriminals were behind the attack.
The security expert found the Medibank incident particularly worth investigating and dedicated an entire episode of his podcast to its full story because it involved “all the social elements,” including criminals using WhatsApp to directly threaten the CEO.
The cybercriminals behind the Medibank breach released 9.7 million records on the dark web, containing the personal information of Australians, including names, dates of birth, Medicare numbers, and sensitive medical details, such as a file of pregnancy terminations. In January, the Australian government imposed cyber sanctions on Russian national Aleksandr Ermakov for his role in the Medibank breach, banning him from traveling to or remaining in Australia. Additionally, Medibank is currently facing fines of up to $21.5 trillion for failing to protect sensitive data. The Security Take Two episode on the Medibank incident walks through the breach, analyzing the most significant findings disclosed so far.
Wisniewski’s passion for sharing quality knowledge stems naturally from his role at Sophos, where he has worked for the past 21 years, more than half of the 39-year-old company’s history. Sophos, which employs just under 5,000 people, dedicates 10% of its workforce to research.
“My team’s job is to serve as the interface between all the knowledge we gather from our customers and the research we conduct. We figure out how to share that knowledge with the world so people can use it to protect themselves,” said Wisniewski. “One part of that is communicating with journalists to ensure the public has accurate information about what’s happening. We also work directly with law enforcement agencies and governments to provide intelligence that can aid national security. Additionally, we collaborate with industry partners, sharing data often in a bi-directional manner. Whatever we learn, we hope others can use it to create more effective security programs.”
This explains why the company regularly publishes research papers. In the past month alone, Sophos has released three reports, covering topics from the threat landscape of critical infrastructure to the state of active adversaries.
“What we do is review each of our incident response cases to extract relevant data points that can be summarized, analyzed, compared, and contrasted,” said John Shier, Field CTO of Threat Intelligence at Sophos, who sat down with The Readable on the same day. “We have distinct visibility into various aspects and segments of the ransomware ecosystem, which is how we add value for our clients. Based on our findings, we provide recommendations on what should be prioritized from a security perspective.”