
Thanks. I am not going to introduce myself, because I find that incredibly awkward, so it's safe to say I am Lisa Forde. I have shown my identification at the door, so people know I am who I say I am, unlike Holly, who came before me, who, you know, you may not want to trust on Facebook.

So I'm here to talk today about how not to handle a ransomware attack. When I was preparing for this talk I came across this quote. The quote actually comes from a saying that a lot of people on Wall Street started to use: "often wrong, never in doubt". It depicts a situation where, in this case, traders would essentially make trades that they were super confident were going to make loads of money, based purely off of intuition, and it didn't work out. I thought it's really striking, because in the work I do, when I'm helping companies prepare for a cyber attack, a lot of the decision making that I see very much fits into this category: often wrong, never in doubt. They're not using data, they're not often using advice, they're not working through the playbooks that the CSO and the security team have written, they're not even really following best practice. Often I've seen gold teams, so CEOs, CFOs, sort of C-suite executives, making decisions that they claim are based off of their intuition, and often it goes really, really wrong. It's become, I would say, almost a pillar of how companies handle cyber incidents, and it doesn't tend to end well. Probably, as I'm saying this, brand names are flashing through your minds of companies that maybe haven't handled an incident particularly well. There are loads of examples of that, and we're going to come on to some of them later on. So "often wrong, never in doubt": that is the slogan for most companies' incident response.

So what am I going to talk about today? I'm going to focus mainly on double extortion ransomware attacks. For those of you who don't know what this is, it is a sort of evolved tactic, I suppose, from attackers, where they execute a traditional ransomware attack, but prior to doing that they'll also exfiltrate, usually, a really large quantity of data, from a couple of months of doing so, and hold that essentially as an extortion tactic against the company. They've become very, very good at doing that. I've also seen them, quite cleverly I suppose, approaching the main customers of that company and saying, "This is the data we have, you need to call the company and tell them to pay the ransom," which works really well as a leverage tactic. But I also appreciate that it's not all going to be serious in this talk, so what I've done is I've put quotes from the main ransomware groups on lovely motivational images, so hopefully some of them will see that and everyone will find it funny.

So the three big mistakes that I'm going to talk about today. They're all, I suppose, the default position of a lot of companies. The first one is "keep it quiet, no one will know"; we'll talk about that in a minute. The second is "never pay, you can't trust them", or the belief that actually it's really simple to pay, which is also not the case. And then my personal bugbear with C-suites or gold teams, which is "it won't take long to recover, just chill". In their minds, I truly believe, they think there is this button that exists within the IT team, and you just press that button and you restore from backup and go back to where you were, and then that's it, their decision making is done and everything's cool. Unfortunately we realize that that's not the case, but we'll get into that in a bit more detail.

Start with this wonderful quote. This came from the ransomware group REvil, who allegedly are so named because the founders really liked playing Resident Evil, so that's where the ransomware group's name came from. In this particular situation they're actually talking to a journalist, and they were talking about the fact that it was really difficult for people to break into the ransomware market, because it's so saturated and so highly skilled that there are very few gaps in the market. So I guess they have the opposite problem to us with the skills gap. I don't know, good for them.

So the first one that I really want to talk about is "keep it quiet, nobody will know". I can't stress this enough. The number of times I've run exercises or worked with C-suites of big companies and the general counsel has said to me, "Well, we don't need to notify the ICO, the time hasn't started running." And I was like, "Okay, okay, fine, why do you say that?" "Well, we don't know we've had a data breach. We suspect we've had a data breach, but a suspicion is not knowing. We haven't got to the point where we 100% know yet, so we don't need to start the clock running." Okay. The CEO looks over and he says, "Yeah, I think that's a good policy, we just won't tell anybody yet, we don't know." Splash screens are on your devices all around each other; it could still be an IT outage. And that is that. As soon as someone knows (Dan Card, don't tell him I said that) it'll be on Twitter, it'll be all over the press, staff will be talking about it, rumors will be spreading, and what will happen is the actual narrative, the actual thing that has happened, will not be communicated properly at all. What will be communicated instead is a nonsense, and then you are on the firefighting arm: your comms team will now have an absolute nightmare getting ahead of that story. So "keep it quiet, no one will know" is not a good strategy.

The other thing that I want to point out about this is that there are actually a lot of people that have to be told when you have a breach, and again this often is where I come up against general counsels in the companies that I work with, who have a different perspective on this. I suppose people like the insurers, your regulators, the board, all of these people need to be communicated with, customers, the public. The companies that do this really, really well, and they are few and far between, but the companies that do this really well have comms plans where the comms team has worked with the cyber team, they've identified the stakeholders that need to be notified, they've ranked them from high priority, high frequency to low priority, low frequency in terms of the comms they receive, and it works really, really well. One example, actually, I'll come on to that in a second.

The other thing I say is: if you tell one person, you tell everyone. It is not the case that you can tell your regulator and expect no one else will find out. I'm going to have to say this; I might get shot by people in the audience, that's fine. Capita. Okay, so Capita had an IT outage, and the IT outage looked pretty serious, and I think a lot of people, probably in this room, were looking at it going, "Looks like quite an IT outage." It then transpired that they'd actually been in touch with the ICO, which again, for an IT outage, seems like you're being a bit overly cautious. I wouldn't contact the ICO for an IT outage, but okay, fine. They then kept reassuring all their customers (some of my clients are their customers); they kept reassuring them that there was no attack, nothing was going wrong. But they had to notify the London Stock Exchange, and on Monday morning the London Stock Exchange posted a notice on their website, written by Capita, that said, "We have experienced a cyber attack." At this point none of their customers had been told it was a cyber attack. So Google Alerts goes off and you read this London Stock Exchange announcement, and the people at Capita also didn't know this had been made public and people knew about it, so they were still going down the line of "it's an IT outage, it's an IT outage". Very quickly you saw the media shift from their usual kind of lack of empathy to actually being quite combative on how they handled it. What you saw was quite interesting, because, because they'd done this, and because it now looked deceitful, everything else they put out from that point onwards was not treated as gospel; it was treated as potentially a load of rubbish. So that was a big mistake from their perspective.

And I guess that comes back to being transparent but not over-sharing. This is what I always tell people: if you don't know you've had a cyber attack, you don't need to tell people you've had a cyber attack, that's fine. If you're still investigating, you're investigating; no one's going to hold that against you. But the moment you know that all the data is gone, it starts to become a little bit unfeasible to maintain that position.

The final point on keeping quiet, and actually this was done pretty well. Unfortunately I was not in this breach. Ferrari had a ransomware attack and they lost a load of data. It's the only breach I really wish I'd actually been in, but alas. They did some really awesome comms, and they've still got these up on their website, so go check it out if you are looking to improve your crisis management in your organizations. Ferrari did a really masterful thing, and they partially did this because they've had quite a lot of breaches: they put out a statement that was written in the first person and signed off by the CEO, and the whole thing read like it had come from the CEO. It wasn't company-like, "we had this and we are investigating and we are taking this seriously"; it was "I am looking into this, I am taking this seriously, I am working with these people, I am making sure this happens." The touch was really, really nice, and they did some really masterful comms. So if you want some templates of how to do stuff, that's definitely a good one to look for.

But on to our next quote: "No matter how bad you think our work is, we are pleased to know that we have changed someone's life." So this came from DarkSide, and this was referencing the strategy that they came up with where they gave a percentage of the ransom paid to charity. Yeah, nice. Don't think we need to say anything more about that. So there you go.

So that brings me on to my next point, about payment. I'm not going to go into the morality of whether or not we should pay a ransom, and, you know, what are we funding, we're not funding, blah blah blah; we've all seen those discussions. But the fact of the matter is people do pay, a lot of people do pay, and you could very well be backed into a corner where that is your only option to get out. That happens; that's a realistic situation that you could find yourself in. So in preparing for these sorts of things, one thing that I think is really prudent is to have the discussion at board level, at C-suite level, about: if we were to pay a ransom, when would that happen, at what level, what sort of limits, what kind of policy might we have. Definitely don't write this down and store it on your network, don't do that. But it is a good discussion to have and something that I think can save a lot of time, and it's amazing when you start getting into it how complicated that can get.

One thing that I often realize is that people believe that it's really quick. So let's say you're not going for your insurer, because insurers tend to advocate towards paying because it's cheaper. Let's say you're not going for your insurer, though, and you're going to have to pay the ransom yourself. Paying isn't straightforward, and it's not very quick and easy to do at a company level. Setting up crypto wallets at company level is not a two-second job at all; that takes time. So if you haven't prepared that, you're going to be on the back foot.

The second side of this that I see a lot is this very mistaken belief that the cryptocurrency landscape operates in the same way that the fiat landscape does, in that we have banks who can track payments and block accounts and we can reclaim money and there's this whole network. It's obviously not like that; it's been specifically designed to be decentralized, and as such there is no person to stop these transactions. So, quick show of hands, how many people know about how they clean money through the cryptocurrency blockchain? Quite a few, pretty good. So for those of you who don't know, it's very, very complicated and very unlikely that you'll ever be able to trace the transaction, let alone actually recover any money. In fact the cases where even law enforcement have done that have been really, really limited, and not as impressive as they've been put forward to be, honestly. One such case was the DarkSide Colonial Pipeline case, where I think they recovered 20% of the ransom paid or something like that, which isn't great.

So in the cryptocurrency, sort of blockchain, world there are two ways that they can have privacy: you can have it natively or you can have it app-based. So things like Monero, which is a privacy coin, have privacy built in natively, whereas with Bitcoin it's app-based, so it works a bit differently. We used to see ransoms almost always be demanded in Bitcoin. Then DarkSide went for Colonial Pipeline, which was a bit of a mistake from a strategic perspective: the FBI got involved, there was a lot of noise, some of the ransom was discovered and reclaimed, and there was a big shift that happened after that case. Then attackers started saying, "We'll give you this big discount if you pay in Monero," or you pay in a privacy coin, because you can't trace the privacy coin. In fact, not only can you not trace a privacy coin, they set up stealth addresses so you don't even know who the people are that are transacting. So it's not even like the Bitcoin blockchain where you can see wallets; it is literally complete, I mean, it's a work of art, to be perfectly honest. Doesn't help us at all, but it is a work of art. So they tend to try and use Monero, but even if they don't and they use Bitcoin, it's really, really difficult to trace the Bitcoin payments, because they'll use techniques such as CoinJoin, chain hopping (just jumping between different blockchains), and then mixing services as well, where they'll mix Bitcoin with lots of other sources of Bitcoin and pay it out in random denominations, repeat the process over and over and over, and without those mixing services giving you any logs, which obviously they don't keep, you have no idea, you have absolutely no idea where the money's going. So that's the biggest problem with ransomware, but it also means you are not going to be able to get this money back. So if your C-suite think this is an option, it's not: you pay it, it's gone, that's the end of it.

On to the next quote. REvil again. This was actually said in communications to JBS, which was a company that they attacked a couple of years ago, and they had this really long, drawn-out communication that has actually been published, if you want to go read it, where they are talking about how they're in business, not war; they're your business, but think of us more like your business partners, they would say. Someone joked online that it was sort of an "unexpected encryption event", to use business lingo, as opposed to a ransomware attack. But yeah, they're an interesting group. They've put out a recent video, actually, I don't know if you've seen it. It's not well made.

Okay, the next one is "everything is burning, but it won't take long to recover, just chill". This is my personal bugbear, I suppose, of all of the misconceptions that C-suites have, and actually a lot of this comes down to us and our mistakes, I think, as a community. One of the things we have to be really careful of is that when we give, I'm going to use the term gold team, basically just depicting that C-suite team that's making strategic decisions in an incident, when we give our gold team information about our options, for example containment, we need to communicate to them what exactly we mean. What actually is this red button that we're saying exists that we can push? I had this recently with a client where the CSO said, "Well, actually we can disconnect the entire organization from the internet," and the CEO is like, "And then what happens?" and they said, "Well, then the attacks can take," and he said, "Okay, do that." No consequences discussed, no "well, this is what will happen" and everything. So, you know, we were saying over lunch with Holly, and she's had a similar experience, where they're sort of like, "Okay, yeah, that's fine." And I said, "Okay, so how are you going to contact these people? And your incident response plan?" "Oh, that's on the G Drive." "Hey, you just pressed the red button, though." "Oh yeah, okay." Okay, so we've lost all of that.

The problem I'm trying to convey here is that we need to be very proactive and careful when we discuss these options with these C-suite people, because they don't understand it. They don't understand the consequences of it; they're panicked; they know they're next on the line in this incident and that the CEO may be rolled out in front of the media, and it's all a disaster for them. So we have to be really careful when we give them options that they can use, to make sure they understand what happens if we do that, because nothing that we do is without consequence. So if you pull the organization from the internet, what does that mean? What does that mean for getting everything back online? What does that mean in terms of time? And to say I've seen a lot of "panic containment", as I would call it, is a bit of an understatement. So what does it mean to do those things, and what are the actual options that you've got? Because they don't tend to truly understand what that means, and I don't think they truly understand what taking something offline means in terms of recovery either. It's not a magical red button that you press and everything's back.

You've probably also had this when you speak to the C-suite and you say, "This is what's happened," and they say, "Well, we've got backups, we'll just restore from backup," and you're like, "Okay, yeah, we can do that, but the length of time that this is going to take isn't short." If you ask them how long they think (in fact you should do this, go and ask them how long they think it would take to restore everything from backup) I guarantee you they will put the number in minutes or hours. So unless you've got an amazing capability, which maybe you have, in which case can I know about it, they are basing their decisions off of something that's not even real. If all their decision making is based off the fact that there's this button, they press it and everything's back online, then your decision making is completely flawed.

"It's in our interests to do as agreed; we've helped hundreds of companies." It's quite funny, actually, when you read, and I recommend you do read, if it's published, the US Congress have actually published lots of these communications with big companies that have had ransomware attacks. It's very interesting to read them. They are incredibly friendly and helpful; it's unbelievable the customer service you get. I mean, I've been to Marks and Spencer's and you do not get that level of service, I can tell you that for a start. They're really, really helpful, really friendly, and yeah, they'll give you plenty of time. I mean, often you pay a deposit, they'll extend the deadline, it's not a problem, we're all in business.

Okay, so how do we avoid some of these traps? So the first thing: plans and playbooks. These are really, really important; however, I've never seen them work completely as they're written down, so there needs to be a level of flexibility in them to allow for different decision making. But have a comms playbook. Talk to your comms team and make sure they understand what a cyber incident looks like and how you need to escalate the comms over time, so something like