INSIDE CNA's $40M BITCOIN RANSOM | The Hack That Changed Cybersecurity
It's very easy to say
never pay from a distance.
But you know when your systems are down
and backups are gone
and millions are bleeding
out of the business daily. It's survival.
No one wants to fund crime,
but sometimes you're
buying your time to live, and your
business has to do it.
If it wants to survive.
It's not about your reputation anymore.
It's not about your clients even anymore.
It's about survival.
Welcome to The CISO Signal
the true cyber crime podcast.
I'm Jeremy Ladner.
On this episode,
the company that insures risk
became the risk.
In March 2021, CNA Insurance,
one of the largest commercial insurers
in the U.S., fell victim to a ransomware
attack that encrypted 15,000 devices
and compromised
customer data,
forcing the shut down of its systems
for weeks.
The breach didn't just steal data,
it stripped away
the illusion of preparedness
for an organization
built to model probability,
quantify exposure and price protection.
It was the ultimate irony.
They didn't underwrite the threat.
They underestimated it.
Joining us is our CISO co-host Matan Eli
Matalon, an incident response leader
and security strategist
with experience across the startup world,
military intelligence
and enterprise defense. Matan,
welcome to the show.
Can you tell us a bit about yourself?
Awesome.
So my name is Matan.
I am CISO for OP Innovate.
OP Innovate -
We're basically a cybersecurity company
that focuses on both
preventing attacks
and helping organizations respond
when things go wrong. You know?
Proactive side.
We do a lot of deep dive penetration
testing to help companies
find and fix weaknesses
before attackers do.
But we also are the team
that gets called up
when fires already started.
You know, incident response,
forensics, helping
companies get back on their feet.
Thank you.
Matan.
Now...
Let's get started with the investigation.
We are in the midst of a ceaseless war.
Not of bombs or bullets, but of breaches,
firewalls and silent incursions.
The targets,
our borders, our banks, our commerce
and the critical infrastructure
that underpins a free civilization.
The enemy is cloaked in code,
fueled by greed, glory,
and a desire for chaos.
This is the story of the unseen
protectors, the nameless generals,
the CISOs,
chief information security officers.
They are the guardians at the gate.
Watchers on the wall.
Ever vigilant and always listening
for The CISO Signal.
There's a kind of silence
no company trains for.
Not the silence of idle
inboxes or frozen dashboards,
but the deep, airless quiet
that follows total digital collapse.
In March 2021,
CNA Financial,
one of the
largest insurance
carriers in the United States,
fell dark. Not a power outage.
A ransomware attack.
15,000 machines were encrypted,
phones offline, email gone,
an entire enterprise unplugged
from itself.
The attackers didn't boast.
They didn't break things for fun.
They came with a purpose and a number:
$40 million.
At the time,
it was the largest
known ransom
demand in history by multiples.
But this wasn't just any company.
CNA didn't
just insure factories and fleets,
they ensured cyber risk.
They held the names of businesses
already worried about breaches.
Organizations that paid
for protection to the right adversary.
That's not just a customer database.
It's a blueprint for who will pay next.
A list of future victims.
And if that list got out,
it wasn't just CNA’s systems at risk,
it was everyone they'd sworn to protect.
This is the story of CNA Financial,
a 100-year-old giant brought to its knees
by a breach no one saw coming.
And this... is The CISO Signal.
So let's talk about CNA,
in general at first,
and then we'll kind of dive
into some details.
But because you are this CISO for hire,
or outsourced CISO,
you're often called in
when something's already gone wrong.
I think you mentioned
that as well in your introduction.
What does that moment feel like
when you get that call,
that emergency panicked call,
whether it's a late night,
maybe it's on the weekend.
What's that feeling?
Yeah, I mean, it happens
way more times than I can count.
A CISO, especially a CISO as a Service,
and also an incident response
manager, you know,
it's not only a technical role,
but it's also like a psychological one.
It's an emotional one.
You're like their shrink.
It's not only to come
and solve the problem,
but it's also to make sure they are
relaxed enough
and confident enough
and trusting you into managing this.
So it's about coming in
and building that initial trust
between the parties,
making sure they understand
where you're coming from,
what you're trying to achieve,
that you're here for them, not for me,
for anyone else, for the business.
This is your main goal.
And when you set that initial trust,
it's easier to come in and
and start working
and get to the bottom of the incident.
Do you
remember a moment that really shook you,
where the weight
of the responsibility
of being this guardian at the gate,
protector, watcher on the wall
landed with you,
and you realized the responsibility
and the magnitude
of the responsibility
in protecting these organizations
and these companies.
Yeah.
Not too long ago,
I would say, like, two months ago,
we had, a very big incident
response
for a major organization
in the US where we got approached...
They saw malicious activity
in one of their
development environments,
and they didn't really know
what was going on,
and what made me feel really,
really surreal
is the fact
that their security posture was good,
their security posture was really good.
It's
one that you,
you know, expect to see at a client.
You want to see at a client,
they got
every single tool in the book,
they got their network segmented.
They got the right VPN identity.
They had everything.
But they still got hit
with something
that at first,
you didn't know what it was
and how they got in.
So that feeling kind of
paralyzes you a little bit.
You don't know where to start,
what you want to check first.
And this is the moment when you
really get tested
by your emotions, how you
communicate with them,
how you communicate with yourself.
And what do you do first?
We love making this
podcast and we really hope
that shows in the care
and quality that we invest in it.
And we would really appreciate it
if you could take a moment to like
and share it with your fellow
security professionals,
as well as dropping us a comment,
letting us know what stories and guests
you'd like to have on the podcast
in future episodes.
Now back to the story.
Act 1 | The Risk Experts.
CNA Financial didn't build cars.
They didn't make software
or manufacture microchips.
They sold something harder to define
and much harder to replace.
Assurance.
Founded in 1897, CNA
had spent over a century building
trust. Trust
that losses could be managed,
that disasters could be priced,
prepared for and, if necessary, paid out.
They were a backbone institution.
They insured skyscrapers
and shipping lines,
but more recently
they insured cyber. By 2021,
CNA had become one of the largest
cyber insurance providers in the US.
Their policies covered ransomware.
Their language
warned of credential theft,
lateral movement, exfiltration.
Their job was to anticipate the breach
before it happened. To study
the attackers
playbook and write policies
that made the unthinkable manageable.
But like many large, mature enterprises,
CNA carried
technical debt behind its sleek branding.
Legacy systems, patchwork infrastructure,
a hybrid of ‘on-prem’ servers
and cloud migrations still in progress.
And somewhere
inside that hybrid sprawl,
a door had been left open.
It wasn't negligence, it was complexity.
Years of mergers, years of integrations,
systems designed for resilience,
but not necessarily for speed
or visibility.
And so while CNA managed risk for others,
they quietly inherited risk of their own.
Internally, security tools
hummed in the background.
Phishing filters, VPNs,
endpoint detection, the modern stack
checked, maintained and compliant.
But in practice,
security wasn't just a product,
it was a race.
And in March 2021,
someone else crossed
the finish line first.
They weren't a nation state,
not a known APT, at least not yet.
But what they had was patience
and precision.
The malware came quietly,
not through a wide open door,
but through a subtle gap in the frame.
And once in, it didn't blink,
it didn't pause.
It just spread.
By the time CNA realized
what was happening,
it wasn't just about
defending their systems,
it was about whether they could
still defend anyone's.
What do you wish people understood
about being a CISO
that never shows up
in the job description?
You're not only there
to solve the technical problems,
you are there to solve more complex
business and people related problems.
It's not a checklist, it's about trust.
You carry the weight of potential failure
every day and sometimes even blame.
So you need to be
a very mentally strong person
to handle stress
from not only the specific problem side,
but also from many parties
in that specific business.
Okay, so if you had to name one issue,
one concern
that keeps you up at night
in regards
to your ability to provide security
and respond to an incident,
what would that one issue be?
It's rarely talked about,
but during an incident
a big incident, it's
what really keeps me up at night.
It's the resources
getting the right resources.
Because when you have the team
of incident
responders and analysts, it's
all about getting the right people
onto the job
and managing the time
well and the assignments.
Because if you don't
manage your resource bank
and the things that you want to achieve
in that incident response well,
the incident response
is not going to go well.
So for me, when I
when I manage an incident response,
I really get nervous about the resourcing
because it's everything.
In an incident
when you see an organization
like CNA go dark,
what would your first step have been
if they were your client?
A smart man
once told me that
when a big incident happens,
the first thing you do
is to grab a cold glass of water
and just breathe.
You have to be relaxed.
You have to be very focused.
And the first thing that you want to do
is assess the impact,
because that's ethical,
because that
sets your tone
and what you're going to do
first and next.
You have to understand what happened,
what is the potential impact
to the business going to be?
How much money is this,
you know, environment
being down going to cost you?
How much money is the data being leaked
going to cost you?
Is it personal information?
Is it PII? Is it health information?
What is the regulatory
impact of this?
This whole list of items
and answers that you want to get...
they set the tone
for the entire incident.
So before you even do any technical stuff
on the client's environment,
you have to answer some
very core questions.
Act 2 | Contact Lost.
There is a moment just before impact
when the world goes quiet.
No alarms, no flashing lights, just
stillness.
That's how it began
at CNA. Not with chaos,
but with subtle disconnection,
a delay in response,
a paused cursor. A call
that didn't go through.
The systems were still on,
but something beneath them wasn't.
The malware was already inside,
moving, watching, preparing.
And then it began to spread.
Not wildly, not with noise,
but with intent.
One endpoint, then another.
Desktops across departments
locking into silence, servers
blinking off one by one
like lights going out in a distant city.
By the time it was recognized
as ransomware,
it had already become everything.
Phoenix Locker,
though the name came later,
had claimed more than just devices.
It had severed the company's spine,
encrypted over 15,000 machines
not just tools, but lifelines.
Email gone. Phones dead. The network
detached from itself
like a body without a nervous system.
What remained was analog. Footsteps
in quiet
hallways, flashlights
sweeping across darkened
desks, whiteboards,
handwritten notes, radios,
if you were lucky.
The irony wasn't
lost on anyone who understood the stakes.
CNA didn't
just insure companies against cyber risk,
they insured against this.
They were supposed to be
the ones who understood
how to prevent it, contain it, price it.
Now they were living it in real time,
in silence
and worse files had been taken.
Policyholder data,
personal records, risk profiles, names
and numbers
and blueprints for future attacks.
The ransom note came quietly.
No theatrics, no countdown,
just a demand.
$40 million. At the time,
the largest known ransom ever paid,
and perhaps the most consequential.
Because CNA didn't
just hold sensitive data,
they held the identities
of other companies.
Companies already afraid of breaches
to the wrong adversary.
That wasn't just a list,
it was a target map.
Outside the building,
the world hadn't noticed yet.
The headlines were all still quiet,
but inside, CNA faced
the most impossible question:
what is the cost of silence?
During
a major ransomware event like CNA’s,
what's the right way
to handle communication
between vendors,
insurers, legal and execs?
One word that I would describe it with
is orchestration.
It's about every single person
needing to know their place,
and they have their place
to state their opinion.
But at the end, it's
going to be my recommendation of what
the next move is,
and it's going to be the CEO's
final word.
So it's all about orchestration,
giving the person the place
to say their piece,
but it has to be in a respected way.
It has to be in a well organized way,
and it has to give that my way of giving,
my recommendation.
It's going to be the CEO’s final word
and them accepting it.
Have you run into any situations
where you've given advice
to the C-suite, to the CEO
or someone else?
And they said, you know, no,
we can't do that
because of a business situation
that we can't share with you.
But there are things that are going on.
Maybe for whatever reason,
they just didn't take your advice.
Did you ever run into that?
Of course.
I mean, a lot of times
when we come from the outside,
we don't always have the perspective
of an
an employee or a C-level manager
in that organization.
We don't know every piece of information
in that business.
So when I come in,
I give my unbiased opinion
or recommendation.
And sometimes, you know, it
conflicts with other stuff,
which I don't know about.
When a CEO comes in and tells me,
you know, we can’t do this, we can’t do that.
Usually I would say, okay, look,
you know, your business
and I'm here to serve your business.
And if you think this is wrong
for your business,
then I'm going with you.
But for the record,
and I always
say for the record
and we always make sure
we document those things
in a well-designed report
that it was being recommended by us
and the CEO chose
not to go with that direction
for whatever reason.
You know,
when you come in as a security person
from the outside,
you are the expertise on that.
And you have your... you're entitled
to say your opinion
and your recommendation,
and they are entitled to say no.
But it always needs to be on record
that you gave that information,
because sometimes, in rare cases,
they're going to try
to twist it against you,
because they're in
a very stressful position.
And if things go wrong,
even after the incident,
everyone wants to point a finger.
CNA was somewhat unique in the fact
that it's
one of the largest insurance
companies in the US, and what they insure
are other companies
against cyber attacks.
So if the attacker gets inside,
has access
to all kinds of data,
let's say a list of other companies
that are paying for cyber insurance,
that's their target list
for who they're going to hit up next.
Does that change
how you would
advise them, whether it's pay, don't pay,
or is that even something
that you would advise on,
or are you just there
to basically get their systems
back online, retrieve their data, etc.?
You know, it's about crisis management.
And first of all,
when you reach to a company like CNA,
which they sell cyber insurance,
you know, it's about reputation
and if you, you know, ruin
that reputation
by getting hit by yourself
in such a way
and getting that ‘ransom ask’
then it's a problem.
First for your brand
and second for the clients
that are paying for you.
And like I said before,
you know, supply
chain attacks are big these days
because attackers
not only target the end businesses,
they target their suppliers
so they can reach more.
So that definitely changes
the picture in regards
to paying
a ransom. Generally, you know,
my position is usually not to advise
whether to pay or not to pay,
because usually
those companies have their own,
you know, legal or financial advisors
to guide them in that direction.
But if they would ask me for my opinion
it all adds up to the impact, you know
what would be the financial
and business
impact of not paying
of, let's say,
the data
being lost. Of that environment
not being restored.
If you don't have the right backups,
if that
business and financial impact
exceeds that ransom payment,
then I would probably
suggest they pay it.
Although morally this is probably wrong.
But you know,
moral doesn't take you to the bank.
And if you're looking at a business
and the business goal is to maximize,
you know, their,
their financial capabilities,
then probably paying
is the right way to go.
But again,
it varies
and it depends on a lot of variables.
Act 3 | The Cost Of Control.
There are breaches you respond to
and then there are breaches
you negotiate with.
This was the second kind.
The attackers had said little.
No manifesto, no countdown,
just a lock on the systems
and a number: 999
Bitcoin, roughly $55 million at the time.
Cold, calculated, and delivered in code.
But CNA didn't pay.
Not immediately.
They engaged
negotiators, third party
and unbranded, and began the slow,
tense ritual: back
channel messages, delayed
replies, subtle signals, stalling,
probing, testing
the adversary's patience.
But it didn't work.
The demand increased:
1099 Bitcoin,
now nearly $60 million.
The price of recovery
was going up by the day.
For two weeks
the back and forth continued,
not in war rooms but in encrypted chats,
not with raised voices,
but with slow typing ellipses.
The attackers weren't amateurs.
They didn't posture. They didn't panic.
They knew who they had and what CNA
stood to lose.
Because this wasn't
just a company brought to a halt,
it was an insurer of cyber risk.
It held the names, exposures
and histories of companies
who were already worried about ransomware:
policyholders, executives,
industries marked vulnerable
and now exposed.
If that data was sold,
it wouldn't just hurt CNA,
it would prime the next victims.
A roadmap of the insured.
The pre-qualified. The likely to pay.
That was the real leverage. Inside CNA,
the debate wasn't philosophical,
it was operational.
Every hour meant delayed
claims, eroding trust,
rising reputational cost.
Systems remained encrypted.
The business was functioning, all
but barely. Publicly, CNA said
little.
Privately, they ran every scenario:
legal, compliance, regulatory exposure.
Could they pay?
Should they?
They consulted the US
Department of Treasury, specifically
the Office of Foreign Assets
Control, OFAC.
The attackers were believed
to be part of the Phoenix Group
using a ransomware
variant linked to Evil Corp.
But unlike Evil Corp,
Phoenix was not sanctioned.
That cleared a legal path,
but not a moral one.
Still, with the backing
of law enforcement
and after vetting the threat actor
through multiple
channels, CNA authorized the transfer:
1000 Bitcoin, roughly $40 million,
a negotiated reduction
but still one of the largest
known ransomware payments in history.
The payment was made anonymously.
As always.
No receipts, no paper trail,
just a
cold transaction on a blockchain ledger.
Value moved, and with it,
the promise of a decryption key.
The key arrived. Files
began to unlock, servers
blinked back to life
and CNA’s systems stirred.
But they did not celebrate
because the recovery was not instant
and it was not clean.
Some files were corrupted,
some had been copied,
and no one yet knew
what had been left behind.
The business resumed,
but not where it had left off.
Something had changed.
The breach wasn't
just a technical failure,
it was a reputational rupture.
Word leaked of the payment.
Reporters circled, forums buzzed.
CNA wouldn't confirm the number.
They didn't need to.
Everyone already knew.
And in cyber security
circles, the questions began to echo.
Had CNA done the right thing,
or had they set a price for recovery
that others would be forced to match?
For the attackers,
the payout was validation.
For the industry,
it was a line drawn in dark water,
and for CNA
it was the beginning of the next phase.
The breach was no longer
about what had been lost.
It was about what was still out there
and who might be coming next.
Yeah, it's
a really interesting question
because you're right,
paying ransom is certainly
not the moral thing to do,
and it invites more attacks.
But at the same time,
if you have this corporate responsibility
where you, let's say,
have a thousand customers
who've paid you for cyber
attack insurance,
and the attacker is threatening
to make that list public
so that other attackers
start lining up to attack
your customers,
because now they know they're insured
and they're more likely to pay up,
even if it hurts you morally
to pay up the 40 million in this case,
then you do it
because in some ways,
it's the right thing to do
because you're protecting your...
you think you're protecting...
You believe you're
protecting your customers. Yeah.
If not, you have responsibility.
You have a responsibility
not only to yourself
but to other companies as well.
So I know we touched on this briefly,
but is there anything you want to add in
regards to the concept and wisdom
of paying ransom demands,
like the $40 million
that CNA was forced to fork over?
Yeah.
So, you know,
like I said,
it's very easy to say
never pay from a distance.
But, you know, when your systems are down
and backups are gone
and millions are bleeding
out of the business daily,
I mean, it's survival.
Basically, no one wants to fund crime.
But sometimes you're
buying your time to live, and your
business has to do it
if it wants to survive.
It's not about your reputation anymore.
It's not about your clients.
Even anymore. It's about survival.
So, it varies
and it depends on a lot of variables.
But, you know,
sometimes you've got to do it.
You have no choice.
Do you think most of your clients
could survive
ten days completely offline, like CNA?
That's a very good question
because it differs
between one client and another.
I had an incident a few months back
where an attacker leaked a lot of the data
out of that organization,
and we had to shut down the environment
for like two days.
And after a few hours,
clients already threatened to leave.
And it was
not even about the cyber attack anymore.
It's about restoring
that trust and reputation.
On the contrary,
I had another incident
where the client told me,
look, the incident only happened
in the development environment,
and the attacker seems not to
be able to get out of it; it's contained to this environment.
I don't mind
shutting down the dev environment
for as long as it needs
to find a root cause for this incident.
So I can shut it down
and it has no business impact on me.
So it really varies.
But, you know,
as I saw in a lot of businesses,
you know, ten hours, could even back them.
So, you know,
ten days could be very, very crucial.
Yeah.
That makes perfect sense.
Different companies
are going to react differently.
If all your business is online,
it's going to make
a big difference versus whether you
have a website
up and a couple things
and, yeah, okay, it's
an inconvenience. Okay, great.
So what tools or tactics are underrated
in defending against an attack
like CNA's?
Visibility.
I think for me
visibility is everything
because you cannot protect
what you can't see.
You cannot respond to what you can’t see.
If I'm not able
to see, and be able to alert
on, you know, a
suspicious activity or malicious activity,
then I cannot defend against it.
And second thing,
which I really think is important
is about the segmentation.
If you have the right segmentation
between environments
and are able to say
that your most [precious] crown jewels
are being protected by that segmentation,
then I am well...
rest assured that if you do get hit
in one of your external
facing environments,
the attacker won't be able
to move laterally
into those more important production
like environments.
So segmentation is very important.
But again,
cybersecurity is all about
defense in layers.
You're building those layers
to slow down the attackers.
There's never that 100% protection.
You always try to make it harder
for the attackers.
So you don't only need
that segmentation and visibility.
It has to be combined with,
you know, that
EDR. That identity control.
Those DNS layer protections.
The basics still win those battles.
It's not about the zero
days anymore.
They usually focus
on the simple weaknesses.
Act 4 | Surface Tension.
The lights came back on slowly,
system by system, file
by file and function by function.
After weeks of darkness,
CNA's infrastructure began to hum again.
Work resumed,
claims were processed and phones rang.
But something fundamental had shifted.
Internally, there was relief.
Externally, there were questions.
The breach, once invisible to the outside
world, was now impossible to ignore.
Headlines began to surface
not just about the attack,
but about the price.
$40 million - 1000 Bitcoin. Paid in full.
Reported but not confirmed.
Echoed but not denied.
The amount
set a new watermark, one
that towered above the others.
Colonial Pipeline weeks
later would pay $4.4
million. JBS foods $11 million.
CNA's payment was several times that,
and the target
wasn't infrastructure or food,
it was trust.
The industry took notice
and so did regulators.
There were no sanctions violations.
CNA had verified that:
they worked in tandem
with federal law enforcement,
followed OFAC
guidance, made sure the attackers
were not on the Treasury's blacklist.
Legally, the path was clear, but
ethically the terrain was unstable.
Security professionals debated it openly.
Had CNA prevented wider damage
or funded a playbook
for future attackers?
Was this containment or encouragement?
Inside the company,
CNA began the hard work of rebuilding,
not just systems, but credibility.
A full forensic
investigation was launched,
and they confirmed that the attackers
had gained access
to sensitive personal information.
75,349 individuals were affected,
mostly employees, past and present,
and their dependents.
The company offered credit
monitoring, issued notifications
and published statements,
but they chose their words carefully.
The message was always framed
around restoration,
control and compliance and not fear.
What CNA
didn't say publicly,
couldn't say,
was what else might have been taken.
The value
wasn't in the files themselves,
it was in the patterns.
Insurers know
more than they say
about risk, exposure, liability.
That's what makes them valuable
and what makes them vulnerable.
In the months
that followed,
CNA initiated sweeping changes: security
modernization, cloud migration,
new controls and new vendors.
Externally, they began advocating
for ransomware awareness.
Speaking on resilience,
positioning themselves
as a cautionary tale
but not a cautionary brand.
It was a careful return
to visibility. Controlled, measured
and very corporate.
But beneath the surface,
other conversations had started.
Insurance firms
reconsidered their underwriting models,
premiums rose, policies narrowed, and
some insurers quietly
began refusing
to cover ransomware payments altogether.
The market was changing, and CNA's breach
was part of the reason why.
Because this wasn't just another attack.
It was a glimpse into a high value,
low resilience target class.
The insurers of risk themselves.
No one in the industry missed the irony,
and no one was ready to say
it couldn't happen again
because the truth is, CNA
did many things right.
They followed guidance,
they contained the spread.
They worked with law enforcement,
they communicated with regulators,
and they took care of their people.
But even doing everything right
wasn't enough to stop the breach,
or to avoid the payment,
or to fully explain what had been lost.
Because not all damage is visible.
Not all
compromises leave logs, and not all truths
survive
press review.
CNA returned to business,
but the industry had changed around them
more cautious,
more expensive
and in some corners more afraid.
The ransomware economy had evolved,
and this breach helped prove
just how valuable
the right kind of victim could be.
When something does blow up
and maybe you've already been there
for a while,
or maybe you're called
in because it's blown up,
what would you say
would be the first conversation
you have with the CEO?
That's a very good question.
And as I mentioned
before, it's
all about building that trust.
He needs to trust me.
A lot of times you come from the outside.
The CEO doesn't know you.
Maybe he knows the company you work for,
but he doesn't know you personally.
And you come in
and you see him
usually at his most vulnerable
state. He’s broken.
They try to keep this business alive,
and it's all about keeping him
calm and trusting you,
that you are here for them.
It's saying,
you know,
we are going to lead you through this.
We are not reacting.
We're going to find out what happened,
or at least try to.
But it has to be together.
No blame, just clarity.
Because, you know, if he panics,
then everything falls.
Interesting.
You said "try to."
Would you say it
from a sort of a forensic
analyst point of view?
What percentage of the time
are you just not able to solve
the mystery
of how they breached, how
they got in, when they got in?
Is that most of the time,
or is that a tiny percentage of the time
that most CISOs just can't figure it out?
You just can't.
You can't find that hole
that they crawled in through.
I would say it's much more than you
would think.
I mean,
if everything was,
you know, being documented
and being configured
to have the right visibility
and sufficient visibility,
then every incident
would have been solved very quickly.
But usually it's not the case.
Nothing is perfect.
And sometimes you just crawl your way in
and you investigate
for days and weeks and,
you know, eventually the,
the company
says, look,
it's not that important to us
at this point.
We restored the services.
We kept the business going.
The impact was minimum.
We contained the incident.
We don't really care to know
exactly how he got in.
But, you know, sometimes
companies tell us, look,
take as much time
as you need to find that,
find that root cause.
And unfortunately,
sometimes you just can't because
you don't have sufficient information.
And, you know, that's why I say
make sure everything is visible.
Make sure you log everything.
Everything you can log, log.
Because if something blows up
and you need to find
why it happened,
if you don't have the sufficient logs,
you're just blind
and you wouldn't be able to find it ever.
If CNA had been your client pre incident,
what would you have pushed them to fix
or prepare for?
I think one of the first items is
the front lines, identity and access.
I mean, you don't need ransomware
if you have a domain admin.
You need to have MFA everywhere,
because MFA is your one wildcard.
An attacker can get your password,
they can get username,
but it's much, much harder
getting your MFA.
And basically you have to have
that anomaly detection.
You have to have the capable people so that,
even if they did get hold of MFA,
you have the person who is able
to tell you that something's weird.
And afterward,
as we saw in the CNA incident,
they probably weren't
segmented well enough,
because they got exposed
and everything got encrypted eventually.
And you have to be able to segment
so your attacker wouldn't
be able to move laterally.
Is there a multi-factor
authentication tool
that you live by
that you would say
you're not going to pry
that from my cold, dead hands.
I trust this tool.
It's awesome.
It's the best. It's never failed me.
Or are they pretty much all the same?
Pretty much. I'd say all the same.
There's not a specific favorite.
The big ones like Microsoft
and Google and Okta,
they usually do the job.
But you know,
you usually need to be able to say,
even if you don't use
those authenticators
and you're able to only send emails
or SMS messages,
everything is something,
you need to start somewhere,
and you need to be able
to add that layer.
As I said, it's all about the layers.
It's all about making
the attacker work hard for their money.
I guess it's
similar to that sort of old story
where you don't
have to be fast enough to outrun
the bear,
you just have to be faster
than the guy next to you
so that the bear eats him.
So if you're making it,
if you're making it so hard
that the attackers like you know
it's not worth it,
we'll just go somewhere where
it's easier to breach.
Yeah, that's something
that we tell clients a lot,
that you don't need to be 100% protected.
You just have to make it hard enough
for the attacker saying,
yeah, it's not worth my time.
And that's something that we do
see sometimes when clients say, look,
we saw that something was trying
to attack us,
but it didn't really go further
because we had the right
protection mechanisms.
So if you do it in a way
where you make it hard
enough for the attacker,
then it should be good enough.
Nothing is 100%.
Act 5 | The Insured
Cyber insurance
used to be the safety net,
the final layer,
the thing you hoped you'd never need
but were glad to have.
It was built on logic:
models, probability curves,
loss projections,
premiums priced
like seatbelts in a luxury car.
But CNA's breach cracked that illusion
because when the company writing
the policies
becomes the victim of the policy,
you're forced to ask
where does the risk really live?
For years, ransomware attacks
followed a script: 1. Attack 2. Lock 3. Demand
and then 4. Vanish.
But this one changed the conversation,
not because of how it started,
but because of what it cost.
CNA didn't
just pay a ransom,
they reset expectations.
40 million dollars - confirmed or not,
the number took on a weight of its own.
It was repeated in boardrooms
and underwriting meetings
and whispered
conversations between CISOs and CFOs,
and it signaled something dangerous
to both sides of the equation.
To attackers,
it said:
Insurance companies are lucrative,
they're central, and when breached,
they have motive to pay fast. To insurers,
it said:
we may have underestimated
our own exposure.
It wasn't just a CNA problem,
It was a blueprint for how quickly
the tables could turn.
In the months
that followed,
insurers across the globe
revised their stances.
Some added ransomware
sublimits, others
introduced clauses
excluding ransom coverage altogether.
Premiums climbed,
not because risk had changed,
but because now they'd seen it up close.
Cyber insurance
was never meant to eliminate loss.
It was meant to transfer it,
to redistribute it.
But CNA’s
breach
revealed something difficult to admit.
You can't insure against a system
you're part of.
If the companies pricing the risk
are also feeding the targets,
then the model isn't
just flawed,
it's compromised. And somewhere,
quietly,
defenders began asking harder questions:
“Are we enabling ransomware by covering it?”
“Are payouts fueling the criminal economy?”
“Should we outlaw
ransom payments altogether?”
There were no simple answers.
OFAC had already made its position clear:
paying sanctioned entities was illegal,
but Phoenix, in CNA's
case, was not sanctioned.
So the payment was legal.
Ethically fraught, yes, but compliant.
So what does it mean
when a payment can be legal,
effective, and still feel like defeat?
This is the paradox of modern cyber
defense.
You can build well, you can detect early.
You can comply with every regulation
and still find yourself
with no good options.
CNA did what many would have done,
what many will do.
They contained the damage,
protected their clients,
restored operations and followed the law.
But the moment they pressed
send on that Bitcoin transaction,
they stopped being just a victim
and they became a signal. To attackers,
it was a green light. To peers,
it was a warning.
And to regulators, a case study.
And maybe that's the cost
no one calculates
in the insurance tables.
Not just the ransom,
not just the downtime,
but the moment
a breach becomes a precedent.
CNA moved on, filed their disclosures,
closed the case.
But for the rest of the industry,
the breach never fully ended.
It left behind a question
still echoing in the background.
If the one who insures
against the worst case scenario
can't stop it, who can?
How do
incidents like CNA's
change the way CISOs today build trust
with their boards or with their clients?
It's a good question.
The trust with the boards
- they don't care about the excuses.
They don't care about the blame.
They want to see receipts.
They want to see your readiness.
They want to see how you learned
from the mistakes.
They want to see
what you're going to do next
and how you’re going to make sure
this doesn't happen again.
So when building that trust again
with the boards,
you have to be able to show them
that you are doing
everything in your power
to make sure this doesn't happen,
whether it's playbooks,
whether it's policies,
whether it's
you know, buying more security vendors
and paying even more,
you know, for cyber insurance,
you have to show them
what you're doing in order to,
to be prepared.
What should every CISO be doing right now
to avoid being the next CNA?
Two things.
Like I said, with the board,
you have to be able to run the playbook.
It's not about tabletop.
Tabletop is nice to do once in a while,
but you have to run the full simulation.
You have to test everything, run
the drills,
test backups. Kill your own services
and see who panics.
Make sure that someone besides
the CISO knows
how to initiate the IR, and also it's...
you need to be able to have someone
to try to hack you from the outside.
Whether it's red teaming exercises
or penetration tests.
You need to do that as well
because you know
where your weaknesses are.
But potential attackers
can know about weaknesses
that you don't know about.
And if you bring someone from the outside
who is unbiased, in a white hat,
gray hat type of service,
then it can potentially
get you a much clearer picture.
And we actually do that at OP Innovate as well.
We come to clients,
we expose those, you know, unbiased
vulnerabilities from the outside
and tell them,
you know, we found a lot of stuff
that you didn't know about.
And that way, when they come in,
it usually changes
the whole picture in their organization.
Interesting. Okay.
You see a lot of different types of teams
across different verticals
in different sectors.
What's one mistake
you still see too often
coming up again and again?
One mistake.
As I previously said,
it's the visibility.
People just don't
turn on that configuration
when you're asked
to log
the information,
whether it's the EDR,
or it's the firewall, the VPN, even if it's local
logs like on the server itself
or the endpoints,
because afterwards when you come in
and you investigate the incident,
you just don't see anything.
Another thing is shared credentials.
A lot of the people
still share the credentials.
They send it in Slack,
they send it in Teams,
they put it in Google
Docs on the cloud, and even more,
they don't have the MFA.
So sometimes the attacker gets it so easy
and he just grabs that password
and just does what he wants.
And you're not even able
to see that anomaly
because it's legitimate activity.
You know, people
a lot of the time obsess
over the zero days because it's cool.
It's sexy.
But it's
what I see from the past few years:
It's always the door.
Someone forgot to lock it.
That simple,
you know, mechanism
that it's so obvious that people
sometimes forget to turn it on.
Matan
thank you for those words of wisdom.
It was great having you on the show.
Looking forward to having you back again.
And now onto our closing.
Every breach leaves a mark,
not always in the systems,
sometimes in the story,
and sometimes in the mirror.
CNA wasn't the first company to get hit.
They weren't the first to pay,
but they were one of the first
to show
what it looks like
when the people who price the risk
become the risk.
For years, insurers spoke with certainty.
They modeled loss events,
calculated premiums
and forecasted frequency.
But cybersecurity isn't weather.
It doesn't move in seasons.
It shifts, it adapts, and it learns
and this breach made that clear.
The attackers
didn't need to break the rules.
They just needed to study
the ones that everyone else
was already playing by.
CNA paid the ransom.
They followed the law and they recovered.
But the breach was never
just about one company.
It was a signpost for the industry.
A moment
where the guardians of risk discovered
just how vulnerable they really were.
And now
everyone's policy
feels a little more fragile.
This is the world we live in now, where
safety is a negotiation,
where trust is provisional,
and where the people
who promise protection
sometimes need it most.
Today, security experts
must always be prepared, always vigilant,
and always listening for The CISO Signal...
All episodes are based on publicly
available reports, post-mortems
and expert analysis.
While we've done our best
to ensure accuracy,
some cybersecurity incidents
evolve over time
and not all details have been confirmed.
Our goal is to inform and entertain,
not to assign blame.
Where facts are unclear,
we've used cautionary language
and we always welcome your corrections.
Thanks for listening to The CISO Signal.
