Christian Have, CTO at Logpoint: “Ransomware groups are operating with increased sophistication”

If there’s one thing that became incredibly clear from our interview with Christian Have, CTO at Logpoint, it’s that CISOs have tough jobs. If you don’t know what CISO stands for, that’s Chief Information Security Officer, and is just one of the abbreviations you’ll need to get to grips with.

So we’ll start with a test. SEC? One point if you got Security Exchange Commission. RaaS? No points there, as Ransomware-as-a-Service is surely too easy. What about TTPs? If you got tactics, techniques and procedures then you can feel suitably smug – unless you’re a CISO, of course.

It can seem like a forest of terms, so we can only say thank you to Christian for clearing us a path in this detailed interview. “I developed what I like to call a hacker mindset growing up,” he told us. “My brother and my dad… showed me how software works and how to manipulate software to change its behaviour from its original design. The hacker mindset led me to pursue a career in cybersecurity.”

Be glad that he didn’t join the other side…

Please could you briefly introduce yourself to our readers?

I’m Christian Have, and I work as a CTO at Logpoint, a European cybersecurity company creating TDIR (threat detection and incident response) and compliance solutions for organisations and MSSPs (managed security service providers) in the mid-market.

After graduating from the IT University of Copenhagen, I gained experience as a hospital Security Specialist and Head of Network Security for the Danish National Police before joining Logpoint more than ten years ago.

At Logpoint, I’ve been responsible for the product strategy, from vision and design to development and marketing. What has been so cool about it is that I’ve brought my years of cybersecurity experience into play and built the products I would have loved to have as a practitioner.

I’m engaged in the cybersecurity community and enjoy contributing through knowledge sharing and sparring. For example, I’m a regular guest lecturer on cybersecurity at some leading Danish universities, and I mentor startups venturing into the cybersecurity space with cutting-edge technology.

What are some of the major trends in ransomware professionals need to be aware of?

Ransomware gangs are constantly changing their methods. At the end of last year, we saw the ransomware group BlackCat file a Security and Exchange Commission (SEC) complaint against MeridianLink as a punishment for not paying the ransom. The exploitation of data and cybersecurity regulations to put pressure on victims is a trend that will be interesting to follow, especially when the Network and Information Security 2 (NIS 2) directive comes into effect later this year. The BlackCat strategy is a great example of how ransomware gangs stay on top of developments within risk management and the cybersecurity landscape to maximise their business potential.

Another trend is the further commodification of Ransomware-as-a-Service (RaaS), which is causing a surge in the number of ransomware attacks and an increased focus on small and mid-sized organisations. 8base is a ransomware group specifically targeting SMEs. Initial Access Brokers are leveraging automation to identify more breach-ready environments, which they need to do as they are being pressured to reduce their price points, and ransomware operators will use generative AI to create convincing phishing scams and malware.

Finally, ransomware groups are operating with increased sophistication. They mirror modern tech companies and spend a lot of resources investing in research and development. They’re constantly refining tactics and acting increasingly as Advanced Persistent Threats (APTs), which makes it more difficult for defenders to detect a ransomware attack.

What are the biggest cybersecurity challenges those in leadership roles are facing?

The most significant challenge is the growing gap between cybersecurity and compliance. Many of the CISOs we talk to need help connecting the information they get from their cybersecurity tooling, like alerts, with what the business needs to understand, which is compliance and the impact on risk management. The demands for compliance – like the Digital Operational Resilience Act (DORA) and NIS 2 – and the requirements for getting cyber insurance are abstract, but the observations from tools are hyper-specific. The challenge is marrying the two.

With the demands for compliance changing and attacks increasing in number and impact, CISOs need new methods to build a bridge between risk and threat detection and incident response. Successful CISOs have procedures in place to work with Security Operations Centre (SOC) or Managed Detection and Response (MDR) output and use it in a business context. However, even cyber-mature organisations experience data breaches, meaning there is a general weak link in defence.

The problem that arises comes from not having the means to translate the data generated by security tools and apply it in a compliance context to determine what it means for the compliance posture. CISOs know that they need to update computers and that employees shouldn’t log on to servers and casually browse with an outdated Internet Explorer, but they need to be able to explain to the business why that is.

Worth a read: IBM bolsters AI push with Microsoft Copilot launch

What are some prevention strategies you believe every business should adopt?

Attack patterns are changing. Ransomware is getting more sophisticated and increasingly manages to stay under the radar by applying living-off-the-land techniques. LOTL attacks leverage legitimate tools in the network. To prevent cyberattacks efficiently, security professionals should transition away from threat detection based on indicators of compromise (IOCs).

The problem with traditional IOC-driven detection is three-fold.

First, the number of false positives is high due to the sheer data volume. Because no alert is 100% accurate and because alert rules are evaluated against astronomical data volumes, almost all alert triggering will generate false positives. False positives lead to alert fatigue and waste time and resources in security teams that are already overstretched.

Second, much of the threat intelligence on IOCs is decaying too fast to add real value to detection. They’re inherently precise but too old when put to work, contributing to false positives.

And finally, classical IOCs cannot help detect LOTL attacks.

The solution is to make the detection logic target tactics, techniques and procedures (TTPs). In this scenario, every atomic detection acts as observations enriched with contextual data like the MITRE ATT&CK ID, the user, the host, and so on. For example, if you have eight consecutive observations in the system that match the cyber kill chain reflected in the tactic columns in the MITRE ATT&CK framework, the likelihood that an attack is underway is high. In essence, you detect at a higher semantic level, gaining contextual threat prioritisation (CTP).

Introducing this approach decreases the number of false positives, increases the confidence in detection alerts, and provides more actionable insights for the security teams.

What is it about generative AI that makes it so prone to exploitation by threat actors? Conversely, how can it be used for good?

GenAI, in the form of Large Language Models, is a powerful tool to generate, translate and interpret text and images. The models can quickly create documents that can be entirely fake, letting attackers generate phishing emails and other fake documents, voice clips, images, and even videos. GenAI enables industrialised forgery, which the Centre for Cyber Security (CFCS) outlined well in a recent report. Seeing is believing doesn’t apply anymore.

Phishing emails have existed for a long time and are still among the most prevalent initial access vectors. Phishing emails become much more effective regarding the click-through rate when socially engineered, which we typically call spear-phishing. Traditionally, attackers needed a human with specific knowledge about a person to personalise a phish sufficiently for it to work. This has limited how many spear-phishing emails security professionals have dealt with. GenAI can generate personalised emails with information scraped from LinkedIn and industrialise spear-phishing attacks.

In addition, GenAI is good at writing code and relatively good at writing malware, lowering the bar for starting a cybercriminal career. FraudGPT is a good example of this. GenAI can easily create new permutations of malware that can throw off classical IOCs, for example, based on hash values. A dedicated attacker could leverage GenAI to simulate an attack on an opponent to craft malware and methods that won’t trigger any detectors and defences the target might have in place – a sort of reverse breach and attack simulation.  

Since GenAI is good at manipulating text, defenders can use it to infer whether an email is a well-crafted spear-phishing attack. Security professionals can use the technology to summarise and extract key knowledge from a large corpus of threat intelligence, allowing them to gather whether a particular piece of software is likely to be malware. It’s pretty good at malware reversing, which otherwise necessitates years of experience.

GenAI can generate simulated log and Endpoint Detection and Response (EDR) data for breach and attack simulation, allowing security professionals to continuously validate cyber defences and test them for new and emerging threats.

Finally, GenAI can augment EDR and log analysis. An inherent feature of traditional Security Incident and Event Management (SIEM) alerting is the high false positive rate, which can be traced back to the fundamentally low prior probability that any given system is attacked at a given point in time. The solution to this inherent problem is to look for correlations of events or observations in the form of CTP, the detection logic discussed earlier, for other AI-driven methods. GenAI can extract relevant observation rules from threat intelligence or threat reports.

Worth a read: Is INC ransomware group’s Leicester attack motivated by damage rather than money? 

Which cybersecurity best practices are being adopted with the most success by companies?

Failing to cover the basics i.e. cyber hygiene leads to cyberattacks, and unfortunately, it’s a repeating pattern. Even though best practices, like strong passwords, explicit firewall rules, network segmentation and compartmentalisation of services, patching, cybersecurity awareness training, backup and disaster recovery, and multifactor authentications, are widely known and understood, they are hard for security teams to implement with good effect.

Complex IT infrastructures are part of the challenge. The introduction of cloud-based services, Internet of Things (IoT) environments, and increased implementation of IT systems outside the IT department have made it difficult to understand the cybersecurity coverage and what falls under the CISO’s domain. In addition, security teams, IT operations teams, and enterprise risk management teams often have different objectives and work in siloes, creating a significant risk of broken processes. For example, there might be doubts about who owns backup, disaster recovery, and business continuity planning. Breaking down siloes is a critical step to enforce best practices.

An overview of the technical risk is also needed if an organisation is going to implement best practices successfully. Log data can help security professionals interrogate their IT systems for more information about relevant issues, such as deviations from best practices or security policies. Successful organisations have the tools and processes in place to help them understand where best practices are failing and to address these to move towards a more mature cybersecurity posture.

What role do you think governments play when it comes to cybersecurity?

Government agencies are increasingly introducing data and cybersecurity regulations. GDPR has done a lot to bring attention to data breaches and their impact on personal data, and the NIS 2 directive aims to increase cyber resilience by demanding specific security measures and incident reporting.

However, a critical element that is missing to increase the resilience and security of organisations is the ‘accident commission’ when cyberattacks are successfully executed. A great deal of effort goes into compliance but less into what happens afterwards, beyond the fines and punishments. That’s a shame because cybersecurity professionals and the community miss out on valuable learnings. All other security standards outside cybersecurity come with accident commissions to prevent an accident from repeating itself and advance initiatives to increase security.

Considering the geopolitical situation, it’s also a shame that Europe is so far behind the US regarding cybersecurity investments and supporting standards. IT standards from the 70s and 80s still inspire European cybersecurity standards, which is not ideal since IT and cybersecurity have changed significantly. Of course, governments shouldn’t have a consulting function or operational responsibility, so compliance is a good starting point, but the industry will benefit from a structured approach to capturing learnings from failures and following standards and best practices.

What’s something that has drastically changed about cybersecurity since you first got started in the field?

One thing that has drastically changed since I entered the industry is the rise of the cybersecurity community. When I started in the industry, organisations didn’t share anything with each other. Every organisation was left to fight for itself to fend off cyberattacks and understand the threat landscape. Nowadays, the sense of community is powerful, and knowledge sharing has primarily become the norm. There is an abundance of conferences, events, forums, peer groups, educational resources, and so on. In many ways, the community has strengthened the cybersecurity industry and made it easier to upskill.

Another exciting and related change is that we have gotten a language to talk about cybersecurity. The MITRE ATT&CK framework, the Malware Information Sharing Platform (MISP) project, the Sigma rule repository, and Structured Threat Information Expression (STIX) are all examples of frameworks that give a language to attacks, threat intelligence, rules, and programming. A common language has made it easier for people to enter the cybersecurity industry and communicate about what they see and learn. Before, you essentially got into it through network engineering or malware research. Now, there are many ways to get into the community, which has paved the way for more diversity and more latitude.