ITTech Pulse Exclusive Interview with Jason Baker, Managing Security Consultant at GuidePoint Security


Jason Baker, Managing Security Consultant, Threat Intelligence at GuidePoint Security

Jason Baker, Managing Security Consultant for Threat Intelligence at GuidePoint Security, discusses leading the GuidePoint Research and Intelligence Team (GRIT), his roots in military intelligence, and his incident response expertise in this conversation with ITTech Pulse.


What first drew you toward cybersecurity and threat intelligence, and how did that early interest evolve into the leadership role you hold today at GuidePoint Security?

I began my career in military intelligence and progressed from there into government and eventually into the private sector. I valued having an adversary that I could channel my efforts towards. Cybersecurity isn’t always exciting, but it’s helpful to have a reminder that what you’re doing ultimately works to frustrate your adversary and make their lives more difficult.

I try to apply the same lessons I learned as an NCO and a SNCO in the Marine Corps to the team I lead today: keep them informed, teach what you know, learn what you don’t, use the tools/skills you have, and model the behavior you expect. Collectively, these keep me and our team honest, willing to challenge assumptions, and open to new approaches.

Based on your experience, what is the most notable change you’ve observed in ransomware operations and threat actor behavior in recent years?

At a high level, I think we’ve seen a reduction in highly visible, attention-seeking behavior, at least from the most prolific ransomware groups. There are still a few actors that like to make a scene, but the largest ones seem to have learned from the behavior that prefaced Alphv/Black Cat and LockBit’s disruptions in 2024 – loud, highly public actions and a “come and get me” approach to messaging that demanded heavy law enforcement and intelligence community responses. If you look at Akira today by comparison, for example, they’re practically silent.


Your recent analysis highlights record highs in ransomware victims and active threat groups. What are the key factors behind this surge, and why are many organizations still struggling to contain the risk?

The biggest factor we have seen on the ransomware group side is reduced barriers to entry – it is easier than ever for less-skilled or unskilled actors to have devastating impacts on victim networks, whether through the partnership structures inherent in the Ransomware-as-a-Service space or through augmentation via AI/LLMs. On the victim side, we remain susceptible to more advanced and targeted social engineering and have seen some limitations in the ability to prioritize emerging high-impact vulnerabilities, particularly in edge/perimeter devices. Threat actors have seized on and expanded their capabilities in these areas.

What core capabilities set GuidePoint Security apart when it comes to threat intelligence and ransomware response?

Most of all, I’d say it’s the integration across our DFIR (Digital Forensics and Incident Response) practice. Our threat intelligence team sits alongside our Incident Response and Incident Response Advisory teams, which provide a rich and current source of information on what is happening on both the attacker side and the enterprise side. We know where companies can do better in their planning and structure because we participate in the advisory team’s tabletops. We can see the latest attacker TTPs (Tactics, Techniques, and Procedures) because we support our Incident Response team’s engagements across ransomware and business email compromise (BEC) attacks. This kind of integration is something the community has been preaching about for a while, threat intelligence-driven security operations, but it’s not necessarily the norm yet.

Our research shows proactive threat intelligence significantly reduces incident impact. How critical is intelligence in helping organizations stay ahead of attacks?

Threat intelligence doesn’t help anyone predict the future – but it does make you familiar with the range of threats that your enterprise could face. The worst spot to be in mid-attack is not only to be caught unaware of a particular threat’s presence, but also to have no idea of what it even is or how to begin to fix it.

Threat intelligence should be tailored to an organization’s unique profile – its industry, its tech stack, its attack surface, its budget, its acceptable controls and risks; it should operate based on a threat model. From there, analysts should be able to observe and help to orient the organization’s defensive posture around the most relevant threats. Ideally this results in preemptive measures and controls which make prominent tactics and techniques futile. But even in the case where controls fail in this regard, good threat intelligence should enable security operations to respond more nimbly and effectively across the incident response cycle.


During an active ransomware incident, what should executives prioritize to maintain control and minimize damage?

At a technical level, adhering to your incident response plan and taking actions based on threat type are your best bet. We see deviations from an IR plan that sometimes snowball and lead to infighting and cluelessness as to what teams should do next. The type of threat you’re facing matters too; pre-ransomware is much more time-sensitive and may preclude full scoping of the threat before action must be taken to prevent undesirable outcomes, for example. By comparison, suspected nation-state operations demand a more complete understanding of the situation before containment and remediation actions are taken, as the process tips off the threat actor, who likely maintains redundant and widespread persistent access.

What emerging ransomware or extortion trends should security leaders be preparing for over the next year?

The number of unsophisticated and low-skilled actors entering the space will continue to increase, but the tactics they employ and the vulnerabilities they depend on are the most common and easily fixed. Think exposed services and ports, unenforced MFA, overly high privileges, etc. The bright side to this is that this is “low-lying fruit,” and a well-defended enterprise should already be addressing these risks as the basics. So, while mature security organizations are unlikely to witness the impacts of growing threat diversity directly, smaller organizations and non-profits may feel the heat if they cannot find the time or resources to prioritize best practices.

AI/LLMs continue to make social engineering more effective and highly customizable for the victims; this means the days of looking for the spelling or grammar mistakes in a text-only email are fading, and the days of trying to spot an odd URL on an otherwise perfect phishing page are upon us. Our internal training and security measures need to keep up with this, and victims or potential victims should themselves become sensors for effective social engineering attacks, reporting to security teams what they’ve seen even if it is notionally “too late.”

Before we wrap up, could you please guide our audience on the biggest misconception business leaders still have about ransomware resilience today?

Backups remain the key factor in whether an organization is responding to double-extortion ransomware on their terms, or the adversary’s. But it is not enough to buy a backup solution and say you have it so now you’re good. Defenders should implement in accordance with best practices, ensuring they have immutable and segmented or off-network copies, and that they have validated them as such. Recovery from backup is a perishable skill, so drilling on how to restore from backups, and how long doing so will take, should be a key part of internal exercises.

There are a lot of misconceptions around the topic of ransomware negotiations, or what we call Threat Actor Communications here at GuidePoint Security. Chiefly, it is often understood as a course of action for those looking to pay the threat actor, and many leaders are understandably averse to doing so. We prefer to describe these efforts as an intelligence-gathering tool, a method of understanding what data may have been impacted in ways that forensics and incident response may be incapable of or limited in. Yes, some organizations will ultimately opt to pay a ransom – but Threat Actor Communications should serve to educate and inform victims on possible courses of action so that they can make the best decision possible, not push them one way or another.

Thank you, Mr. Jason, for taking the time to share your insights with us.


About Jason Baker

Jason Baker manages GuidePoint Security’s Research and Intelligence Team (GRIT), where he oversees and engages in threat intelligence program development, incident response investigations, and threat intelligence research on behalf of the firm and its clients. His career background includes strategic intelligence analysis and intelligence program management in the private sector, the Department of Defense, and the United States Marine Corps.

About GuidePoint Security

GuidePoint Security helps organizations overcome the most complex cybersecurity challenges, mature their security posture, minimize risk and ensure compliance. As a trusted cybersecurity advisor and partner, GuidePoint keeps people, data, and operations safe. We deliver tailored cybersecurity services and offerings that adapt and scale to safeguard the nation’s leading organizations today, while preparing them to confidently face tomorrow’s cyber challenges. More than 6,000 organizations of all sizes and across every industry, as well as over half of U.S. cabinet-level agencies, rely on GuidePoint to strengthen their defenses and reduce risk.

Kalpana Singh is an SEO Executive at IT Tech Pulse, where she optimizes digital content for maximum visibility and reach. Alongside her expertise in search engine strategies, she also contributes to interview preparation and supports editorial and publication workflows, ensuring content is both discoverable and impactful.