
I will try to monitor the Discord for questions. This is a great session to have questions in, so I will do my best to keep an eye on that, and we'll catch up just as fast as we can. Really happy to be here with you guys today. We'll go ahead and jump right in. I'm Chris Fernick, and I'm here to talk to you about ransomware, which is a bit of a bummer conversation to have on a Saturday morning. I'm really happy to be here. Think about this, right: we're here on a Saturday morning, most of us are based in the Greenville upstate area, and the talks that you hear today are from folks who are impacting cyber security around the globe. How cool is that? Just think about that for a minute. And with the work that Adam Anderson is doing, we're going to the stratosphere, right? So I think Greenville is really important. I'm based here, just down 85 going towards Clemson. I'm here to talk about ransomware, which is not always a fun topic, but we'll try to keep it upbeat. I've got a lot of good information to share with you. Stop me, let's have a conversation. At the end you'll see some contact information; you can shoot me an email, reach me on LinkedIn, sometimes I get on the Twittersphere and we can talk there, but email or LinkedIn are the best spot.

So, as you can see from the slide deck here, we're going to talk about ransomware. These are tips that you can use to prepare for and avoid an attack. I am an incident responder, so I meet folks in the middle of their darkest day, oftentimes, right? Their entire environment has been locked down with ransomware, they're in the middle of a malware outbreak; it runs a gamut, but I will tell you the majority of the cases that I've worked over the past year have been about ransomware. This talk specifically is about a specific case that we worked just a couple of months ago, so there'll be some facts that I'll share with you. What you won't hear is the name of the company; we won't talk about that, I've not been cleared to mention those things, but almost anything else is an open book, so I'll give you a lot of good details here and then we can kind of dig in.

So we'll keep going. First off, I work for Fortalice Solutions. We are proud to be a nationally certified woman-owned small business. My boss, Theresa Payton, was the first female CIO of the White House; she served under the Bush administration. So we're kind of known for our red teaming capabilities. Almost everyone in the company has a top secret government clearance, so we work both in private industry as well as government. Again, I work in digital forensics and incident response; we'll talk about what that means in just a few moments, but I did want to give a shout out to my company, who sponsored this year, and I'm really proud to work at Fortalice.

Speaker introduction: again, I'm Chris Fernick. I've got about 10 years of cyber security experience. I do some work for SANS as a security leadership subject matter expert. I also do some 1099 work for McGraw-Hill as a technical editor; the last book I worked on, you'll see there, is the GPEN All-in-One guide. So lots of acronyms here; I won't read all those things to you. I'm really proud to have been a volunteer for Greenville BSides over the past several years, so I'm really happy about where we're going with the local scene. The most important thing for you to remember from this slide, though, is that my cats Smokey and Bandit think I'm really cool, man. Whenever they get hungry they come here and we go snacking; it's amazing.

So we'll keep going. First off, these are proactive steps you should take. We're going to look at this case from two different perspectives, right? The two perspectives are: one, this happened to a client of ours; the other part is how do you prepare for and avoid, so you don't fall into the same category that they did. So again, we're not going to talk about the client name. We'll tell you what vertical they're in, we'll tell you the ransom that they did end up paying; we'll talk a little more about that and what the negotiation process looks like, but most of the facts we'll talk about here. And I see Shane Edwards: "Smokey and the Bandit." I figured he'd like that one; I know he's got a couple of Bandit cars. But we'll talk about some other cases as well.

So we'll keep working here, guys. Ransomware for the headline. I don't have to tell you guys: you are here on a Saturday morning watching a security talk, you know about ransomware, you understand kind of the implications. You can't go to any of the websites on any day and not see a major breach happen within the past 24 hours. So you see JVCKenwood got hit a couple of days ago by Conti. One thing that you see here on the right is a dark website. We've seen a significant uptick in name and shame. What that means is when an attacker exfiltrates data, they go to their dark website and post that they've got you for ransom, how much data they have of yours, and they give you a countdown. What this does is it lets the entire world know that you're in the middle of a ransomware attack, right? It also creates pressure for you to pay that ransom. So that's why the name and shame sites come up. We've seen, I would say, and I don't know that statistic, but from the cases that we've worked over the past six months, I can't think of one where they didn't go to their dark website and post data about what they had stolen from the client. So you see this one from Missouri Delta: here they threatened to, and ultimately did, release 95,000 patient records, right? Imagine that: 95,000 people having all of their data freely available on the internet now because Missouri Delta (a) didn't have controls in place to begin with and (b) didn't pay the ransom.

So yeah, in the Discord, "the Pearl Harbor of our times," I think you're exactly correct, and this is an epidemic. The reason that I believe we've seen such a rise in ransomware over the past probably 18 months or so is the rise of the ransomware syndicates, right? So we do ransomware as a service now. I don't have to know how to break into a network and traverse the network and escalate privilege and create malware and create encryption software and negotiate payment and launder the money; I don't have to do all of those things. I just have to be able to do one of them and go find a buddy to do the rest, right? So we're seeing these syndicates form; look at Conti, some of the others. It's really reaching an epidemic proportion, so the barrier to entry is much lower than it was just a couple of years ago. So that's the explosion that we've seen over the past 18 months; we've seen just a significant rise in that, and if you've not been watching the news, it's not hard to see those things even if you're not paying attention.

We'll keep going. Ransomware by the numbers. These are statistics from several different reports; the Coveware report I think is really good, Sophos is decent as well, but here are some things to keep in mind. The average cost of dealing with a ransomware attack is 1.85 million dollars. Ransom attacks that threaten leaks: 81 percent, right? So that's the vast majority. The third bullet point I think is really important, because we're seeing a shift in some of the attacks, what we call extortion-style attacks. Attackers are coming in, siphoning off your data, not bothering to encrypt the rest of the environment, but posting you up on the dark web and asking you for the ransom payment. They don't have to go through and deal with the decryption or anything else; they don't have to encrypt the environment and wait for that to happen before they're able to ask for the money. So we've seen a significant uptick in that. It's still not nearly as high as what we're seeing in ransomware cases where they encrypt the entire environment, but this is becoming an issue. So keep that in mind when you hear "extortion-style attacks" and you're hearing "oh, we've got all the best protection against encrypting all of the data," right? Some of the backup software and EDRs can stop those things from happening, but if they can siphon off your data, do they really need to go through and encrypt all of your devices? We're seeing a significant rise there, so keep that in mind.

The fourth bullet point that you see there is the average ransom payment, so that's 136 thousand dollars, and I want to talk about that number a little bit. That number is a bit skewed. The study that this came out of, for the Coveware blog, was taken across the entire globe. Many of those respondents came from India; the average ransom that they're seeing in India is about ten thousand dollars per incident. If you were to see that number just for the U.S., the number would be considerably higher. So the average that we're seeing is anywhere between 450 and 750,000 in ransom payment per attack, so keep that in mind. Downtime, we can talk about that as well and what that impact is to the business, but think about the bottom two bullet points. If you don't remember anything other than this from this talk, this is important: the top two vectors are email phish, which is 40 percent, and exposed remote access, 37. Combined, that's 77 percent of attacks that come from these two things that we've known have been relatively low-hanging fruit for quite some time, right? If we're doing better user awareness, if we're turning off macros so that they don't get through our email filters, if we're educating our users not to click on links, the email phish vector goes down considerably, right? And I know if you look at some of the tools for doing user awareness, like Hook Security and KnowBe4, they're doing some really great videos and helping with that; I think that's really important. The next portion that you'll see here, and one that I see in a considerable amount of our cases, is exposed remote access: having RDP exposed on the internet. So we'll talk about that a little bit in a couple of slides, but exposed remote access: if you've got RDP hanging out on the internet, we've got a problem, right? Sometimes that comes from shadow IT or other things, but we've got to clean those things up.

So we'll keep going. A case overview. So the case that we'll talk about today: the victim organization was a North Carolina-based manufacturer, so they've got 20 sites across 10 states. Their original demand was 25 Bitcoin; they did pay the ransom, and they negotiated that down to 12.5 Bitcoin. Last I checked Bitcoin was around 50K, so 50,000 or so dollars each, so that can give you an idea of what they paid. Their downtime was about 12 days and the negotiation time was about six days; we'll talk about that in a minute. Some folks think that, you know, paying the ransom is an easy button, right? You ransomed my stuff, I paid you the money, you give me the key, we keep going. That's not how it typically works; there are a lot of other intricacies built into that. And to the point in the Discord channel, you're absolutely correct, cyber insurance is looking at RDP as part of that. At some point there's going to be "you gotta be this tall to get cyber insurance," right? We're seeing folks get turned away because they don't have basic controls in place. That's a good point that you mentioned there. And the variant of ransomware here was Snatch. So if you look at the right side of the screen, this is an actual screenshot of the ransom note. The client had a backup job fail over a weekend; the admin logs in and sees this on several devices throughout the environment, and then it's game on at that point, right? So we're seeing most of these threat actors use ProtonMail or Tutanota for contact, and they're giving a website for you to go visit, to log in, to get the ransom started.

So we'll keep moving here. Proactive tips. So think about the timing of attacks: when do we typically see these things happen? The larger attacks typically happen around U.S. holidays, and it makes sense, right? There's less folks working at that time, there's more time to be able to do things because people are on vacation, and they make a bigger impact when you do it. If you see the pattern here: most of us, especially those of us in the Southeast, were impacted by the DarkSide attack on Colonial Pipeline, right? So Mike mentioned in his talk earlier, you know, no gas at several gas stations, things like that; that happened around Mother's Day. The next one we saw was JBS Meat, so one of the largest meat processors in the world was impacted around Memorial Day of this year. We saw the Kaseya attack happen around July 4th; that was huge from an MSSP perspective. And what I want you to think about is: who's next, right? We didn't see any large attacks happen around Labor Day, which was great, and being an incident responder, I rarely get a holiday off, right? So I had Labor Day off this year, which was really great; I was really happy for that. But what I'm concerned about is what happens next, right? Who's being set up for an attack on Thanksgiving? Typically attackers are within an environment for weeks before they start their encryption process. They're going through, they're getting more intelligence, they're elevating their privilege, they're going and destroying your backups, by the way; we'll talk about that. But typically they're in the environment for a few weeks before they perform an encryption.

So what I want us to be able to do is go back into our environments and increase our security awareness training for our folks. Let's do an extra phish test, let's send out some more mailers, let's get them thinking more about clicking on links and things like that. This is a great month, right? It's a great month because it's Cyber Security Awareness Month, so I've spoken to several clients this month and we're doing some more training for other clients. Not to scare people out of getting into IR, as Christian mentions in the Discord feed, but it is important for folks to understand what we're seeing out there now. So this is a good time for you to send out extra mailers, do extra phish tests, whatever it is that you do inside your environment, right? Again, I know Hook Security and KnowBe4 and some others have a lot of campaigns going on now; it's really easy to go in and click, send those things out, and raise more awareness for security. So it's a really important time of year, and I think it's nice. And GeekSeek mentions, yeah, some weekly quizzes; prizes are great, people love prizes, right? Whether that's, you know, Amazon cards; I see a lot of folks doing Amazon cards, or giving away some type of points. I've seen folks do aggregate points where someone gets an extra day off at the end of the month after those things. There's a lot of ways to build that trusting community around security, but security is everyone's job, right? So we want to make sure that we empower the users; that's really important.

We'll keep moving. Cyber insurance coverage. You'll hear a lot about cyber insurance coverage; I don't think you can go to a conference without talking about cyber insurance now. So there's a lot of sessions about it and a lot of online things to think about. What I don't think a lot of clients think about beforehand is what their coverage pays for. So this particular client had an issue: they had cyber insurance, they thought they were good, until they read and found out what it actually pays for. Their insurance would pay for a half a million dollar ransom. That's a problem, right? We already talked about the bitcoins being over, you know, fifty thousand dollars, and they had 12.5 to pay, so that's one gap they had to pay out of pocket. Also, their coverage did not pay for data recovery, it didn't pay for the negotiation, it didn't pay for anything else; it only paid for that ransom. So yes, they had insurance coverage and they thought they were in a good spot; however, they just didn't realize what they didn't know. So what we're encouraging folks to do is to know what your coverage is. You don't want to be negotiating with the fire department when your house is on fire, right? You want to know these things beforehand, and that's what's really important: to know what you're paying for, to know what to expect. Again, cyber insurance is important and it's great to have, but if you don't know what you're paying for and you don't know what's going to be covered, it's going to be very challenging for you to come out on the other end in a good spot. So, proactive tip: go look at your cyber insurance policy, see what you're paying for, see what the brokers are charging you, and make sure that you're at the appropriate level for your risk appetite.

Perimeter exposure. So we talked about RDP being open on the internet; that's 37 percent of ransomware cases. This is huge. So Colonial Pipeline, you guys have all heard about it. The reason that started was legacy infrastructure on the network perimeter: someone left a VPN concentrator without multi-factor authentication turned on on the outside perimeter. They were able to breach the environment and come through; game over at that point, right? So we need to make sure that we understand what is exposed on our perimeter, and it's really easy for something like this to happen, right? Maybe it's shadow IT, maybe it's end-of-life devices that no one thought about anymore; there's all kinds of things that could be hanging out there. We need to understand what it is. So what I'm encouraging folks to do is to have a regular cadence of proactive scans, and that can just be an nmap scan, right? Maybe you're spinning up an nmap server and, you know, scanning once a month, and it's important that we do it once a month or at some regular cadence to look at the deltas, right? It's one thing to go out and say "oh, let's just go and see what's open today, and it's fine, right? Everything was fine at the beginning of October, we don't have to do this again." No. What we need to do is make sure that we understand what opens over that time, right? So there's all kinds of things that could happen in an environment, and I know Shane is very familiar with large environments and he's posting some stuff in the Discord there, but yeah, it happens all the time, right? It's really difficult for any one body to know everything, all the moving parts within a network. So if we're doing regularly scheduled scans with a regular cadence, it lets us understand: so I looked at it at the beginning of September and I looked at it again in October; what changed, right? Why is 3389 open now? Why is SMB open now? And Icon recommends using Rumble for external scans; that's a great suggestion there, Icon, thanks for posting it. But let's make sure that we're watching our external exposure, right? The only way we're going to get better at this is if we understand our risk and our exposure.

So we'll keep moving here. Multi-factor all the things. This is a huge pet peeve of mine: real-time authentication and biometrics should be integrated into all of the things. Passwords are dead, they are archaic, we should get rid of them. I don't care what you have to do; you've got to be this tall to get on the ride, but if you're not doing multi-factor, some type of real-time authentication, you're not doing it right. If you're not road mapping a future where folks don't have to remember 12 or 25 character passwords and they can actually work through something that's biometric, maybe it's a push, something else, then we're not doing it right. So you've got to keep doing those types of things because it's important. Multi-factor wasn't enabled in this client environment; they were rolling it out but didn't have it fully operationalized when this attack happened. You can imagine how much quicker the rollout happened once they became encrypted with ransomware. So I think this is hugely important. We cannot continue to expect our users to come up with new 12 character passwords every 30 days, right, based on whatever cycle we're using. We can't continue to expect our coders to not hard code passwords into their scripts, right? We cannot continue to do that. There are plenty of tools out there that allow you to get around that, right? You can use CyberArk as a secrets tool, you can do all kinds of different things, right? Okta's got their multi-factor, but we need to be envisioning a passwordless future. I say everything that has administrative privilege right now should have multi-factor on it today, right? That's a thing for you to do in the next quarter: make sure anything that's administrative has multi-factor turned on. So you're going to administer an Azure blob, you've got to have multi-factor; you're going in to add new folks in O365, you've got to have multi-factor. Heck, I think every email account in O365 should have multi-factor. So I can preach about passwords all day long, but passwords are dead; let's bury them and move on.

Backup and restoration. This is critical, right? So they always say amateurs back up and professionals restore. If you don't have a restoration process built into your backup program, then you're only doing half your job, and I would say even less than that. So this is a critical aspect. Folks are using versioning software, maybe it's Zerto, maybe some of the others, where you can roll back to three days before, right? But what about the account that Zerto is using, right? Has that password ever been changed? Is it integrated with Active Directory? If so, then I've got access to your backups at that point, right? If I'm an attacker, I can go in and destroy them. So in most of the attacks that we're seeing now, backups are being encrypted from the jump. They're coming into your environment before you even know, and they're encrypting all of your backups, and that's the case with this client. They used Veeam as their backup tool; the Veeam backup account was compromised. They went through and encrypted all the backups before they were even noticed; before we even knew they were in the house, they had already encrypted all of the backups. So we're seeing that more and more; I would say in over 50 percent of the cases that we're working now, they're going after the backups first. So one thing that we can do, that we tell folks, is to consider air gapping our backups. That means they're someplace off the network, right? Maybe it's a tape room somewhere, maybe it's, I don't know, maybe it's a Synology that you plug in when you do a backup and unplug it, right? Take it back off the network. I don't care where it is, but if it's got 445, SMB, connected to it, then it's game over, right? These folks are going to get there and they're going to encrypt your backup. So let's get them off the network, let's protect them, so that if we do have to rebuild we can do that from a good start.

So the next point that you see there on proactive tips is: restoration procedures should be timed and tweaked. What does that mean, right? What is your risk tolerance? How long can you be down to restore from a backup? What impedes you from being quicker at that, right? If you're not going through and taking a backup and restoring it and timing how long it takes, how critical it is to your business, then what are you doing, right? Yes, you have a backup and yes, you can come back from it, but if you're down for two weeks, are you out of business at that point? A lot of small and medium businesses would be. So we've got to get quicker at that; we've got to remove any barriers moving into that. So one thing to think about, from a different client: they had an air gap backup, great, it was on tapes, perfect. How long did it take to come back? A four terabyte server to come back from tape took 72 hours. That's 72 hours that they weren't able to rebuild, right? All file servers were coming back on that four terabytes. So keep these rebuild things in mind, and make sure that we're communicating up to our leadership: "hey, if we had a problem, it's going to take us this long to come back." "You want me to shorten that? No problem, Mr. Leader, we're going to have to have some more budget, we're going to have to do some additional things." Cool. And you guys have some really good points in the chat there; that's really great.

Understanding the ransom process. This is another important slide. Paying the ransom is not an easy button; keep that in mind. We at Fortalice take the stance that we do not suggest that anyone pay the ransom, ever. We don't believe it behooves you to pay the ransom; it funnels money into other criminal activities. There's a lot of things that happen when you pay that ransom. However, at some point it becomes a business decision, and we understand that. You have to understand that when either this client pays a ransom of several hundred thousand dollars or they completely go out of business, it becomes a different conversation at that point, right? So when a client decides they want to pay the ransom, we give them the pros and cons, what that means if they decide to pay the ransom, and what we do is act as a go-between between them and their ransom negotiators, right? So we're partners with Kivu; we work really closely with them, some of the other ransom negotiators as well. What that looks like is we actually kind of insulate the client at that point, right? So the client knows what we're doing, and we're not charging extra money on top of this, but we're insulating them and advising them on how to move forward. So it's important to understand the ransom process. It's not like you're going to go get a bitcoin wallet down at the local Bank of America, put a hundred thousand dollars in it, go buy a couple of bitcoins, and you're going to be working tomorrow afternoon. That's not it at all. Negotiations often take several days, and you want to negotiate simply because it's typically a 40 to 50 percent reduction in the ask if you do negotiate, so that's important. Oftentimes the attackers are not in the same time zone as we are; they're often on Eastern European time, so those negotiations can take several days back and forth, so keep that in mind. The time to recover is a good bit of back and forth between the two. Often these decryption tools are awfully poorly written, so we've seen a decryption tool come in, and if it's on, you know, 10 megs of Word documents, it works fine. If you have to decrypt an entire virtual machine and it's 500 gigs, yeah, they very rarely decrypt those in any decent amount of time, and oftentimes they end up destroying the file, right? So, first off, make backups before you try to decrypt, and try to decrypt the backups before you do that; that's the first thing. The next thing is sometimes you've got to take that key and write your own better decryption tool. And the third thing is sometimes you've got to give extra resources to the vCenter to be able to encrypt the file. So we can talk about that; hopefully you never get into that situation, but these are things to keep in mind.

The next thing to know is attackers know your pain point. They are not going to go to Target, for example, and ask for ten thousand dollars; what, two thousand dollars is nothing to Target, right? They're also not going to go to a mom and pop shop and ask for four billion dollars; it just doesn't make sense. Typically what we're seeing is attackers are looking online; sometimes they're looking in the data they stole from you, sometimes they're looking at other online OSINT information, and they're taking about 10 percent of what your gross profit is for a year, and that's what they're asking for in ransom. So they understand about what you can pay and they understand what makes it palatable for you. A new trend that we want to talk about is a lot of the ransomware attackers now have decided they're not going to work with a negotiator. They're putting in their ransom note: if you try to contact some of these negotiators, we will automatically delete your decryption key. So that's important, right? For whatever reason, they decided they're not dealing with negotiators anymore; that's a middle person, they don't want to deal with them. We've seen a significant uptick in that over the past probably three or four weeks, where threat actors are coming in and saying we're not going to deal with negotiators anymore. So keep that in mind.

And the last point that you see there, there's a lot of information on the slide: there is no guarantee. There's no guarantee if you pay that money that you'll get the decryption key. There is, however, what I like to call honor among thieves. So when you start dealing with the negotiator, you can start to see what the trends are, right? So if you deal with a negotiator like Kivu or some of the other ones, they will give you a report back saying yes, we've dealt with Conti, for example, and our success rate is 92 percent, and we usually get the decryption tool in this amount of days, things like that. So you do get some type of assurance, but there is no guarantee that if you pay the ransom you'll get your keys, so keep that in mind. What I would say for a proactive tip here is to consider opening a bitcoin wallet now. Maybe that's someone in the financial services arm of your company: have a bitcoin wallet ready. Maybe you only, you know, put a few dollars in it, but have it, be able to access it, and be able to go add bitcoin in case you need it. Again, we want you to be prepared if you were to come up on a ransomware situation. I love the chat; you guys are hitting on some really great points there.

Network segmentation. So as we talked about segmentation, this particular client is, as mentioned, a manufacturer. Their network had grown organically over several years; they were based in about 10 different states, so that happened through mergers and acquisitions. Does that sound familiar? There's a lot of people who are growing through M&A, right, and you don't know what the other sites often have, and oftentimes you just open everything over the MPLS between the two different sites, and that makes it incredibly difficult to be able to contain an infection if we had it. So these attackers came in through the main data center; there was no segmentation between the main data center and the other 20 or so sites, and then they were able to move out over SMB 445 and encrypt the entire environment. So we want to have, and be road mapping, a zero trust micro-segmented network, and if you are doing anything in cyber security, you're hearing everyone talking about zero trust, right? It's the new buzzword. If machine learning and AI were the buzzwords for the past five years, zero trust is the new buzzword. And what we're talking about when we say zero trust is a need to know, specifically, right? Is there any reason for the iPad that's on the CEO's desk, should it ever touch the OT devices in the production, you know, manufacturing facility? Probably not, right? There's really no reason for us to have open networks across the entire environment. It makes it really difficult to protect and it makes it incredibly difficult to contain. Oftentimes we go in in the middle of an incident and talk to clients; they don't have any segmentation at all. So what we have them do is build up a clean network so we can put in triage devices or rebuilt devices, and then build the network out from there with some segmentation built in. So the proactive tip: be road mapping a zero trust micro-segmented network where only devices that need to talk to each other are allowed to do that.

Let's keep moving here. Engaging law enforcement. This is a bit of a touchy subject for several reasons, but you don't have to; in the United States you're not required, currently, to report a ransomware incident, whether you're in the middle of an incident or you paid the ransom. You're not required to report those things currently, and I say currently because just a couple of days ago there was some legislation that's beginning to form on the Hill where you'll have 48 hours after you pay a ransom to come in and report up what you paid and what the particular specifics of your incident are. Now, having said that, we encourage folks to engage with the FBI and Department of Justice, and we can be the go-between for them, and there's two different ways you can do that, and I'll tell you the distinction between the two. One is you can do that anonymously. So we have relationships with the FBI and DOJ; we can broker the connectivity for you there. So if you want to do it anonymously, what we can do is give them information about your case, right? Maybe we tell them the vertical you're in, we tell them the variant that we're dealing with. What they can do is provide back some indicators of compromise and some threat intel that they have. So they have a world of information about IOCs; oftentimes it's things that haven't been leaked out or that others don't know. So when we engage them on your behalf, it's really great for us to get that intel back; it's really awesome. Some of the things that we've read there are things that you don't see in normal reports, so I always encourage folks to do that. The second way to do this is actual transparency, right? So I can go to the FBI and say "hey, I've got a client, they're based in Greenville, South Carolina, here's their name, here's what we're dealing with, here's how long they've been down," things like that. This gives them even more information, and I'll tell you why that's important for the next person who gets encrypted, right? If they have the information from this new company, right, this new ransomware attack, they can add that to their database, and then we can build a better picture of what our threat actors are doing. So I always encourage folks to talk to the FBI, and I've had some clients say "I don't want anybody knowing about this," right, and that typically comes from counsel, either internal or external, but they'll say no, we don't want to engage the FBI or DOJ, and that's fine; if they don't want to, that's okay, but we always encourage folks to do that, just because it gives the FBI a better idea of how to deal with this for the next attack. One thing also to think about here: no matter where you're based, a different office may be handling the case, right? So Conti, for example: instead of having each FBI office have someone dealing with Conti ransomware, all those are handled out of the Dallas office, right? Or maybe you're dealing with Snatch, so that may be based out of the Charlotte office or something else. So wherever you report into, maybe locally, you may get sent off to one of the other offices. So I appreciate the kind words in the chat there. This is good information. I
hope you guys are getting getting something out of it so the proactive tip here is consider what criteria should be weighed when engaging law enforcement right so think about uh make sure your council understands the difference between doing it um anonymously or transparency if it's x number of data that has left the environment is that when we call in the fbi is it x number of ransom if it's over five bitcoin we engage other things to think about and what we're trying to do here is be proactive right we're trying to to understand and think through these things before we're in the middle of an attack once you get into the middle of attack all these things start speeding up and
moving more quickly if we have a plan it's really much easier to work through and and to execute on the plan we don't have to think through the things at that point we just execute that's what we're trying to get to we'll keep going out of band communications this one's big it's another takeaway take a screenshot go to your leadership tomorrow i don't know what you have to do but folks don't think about having out-of-band communication what happens when our collaboration and our email tools are compromised or we think there may be compromise this attack originally started as a business email compromise we had indication that they were still inside the email system so we had to quickly
establish out-of-band communications right so it looks like maybe it's proton mail maybe it's gmail i don't know what it is but make sure you have a plan for out of bad communications we have to have a way to work through the incident and to share information back and forth in a secure manner there are many times where we have to get the entire environment's encrypted how are we going to use sharepoint right how are we going to use some of these other tools a lot of folks aren't thinking about what happens if the entire environment is down or we have an issue it's just a really big problem that i don't think a lot of folks are thinking
through how do they how do they talk if they're in the middle of a compromise so um the pro tip is established about a bad communication collaboration strategy maybe that looks like you going and registering five proton mail accounts on monday and you keep the password and the password manager and if the world's on fire you know you've got five accounts you can dole out to different votes and you all can collaborate on protonmail right so these are things to keep it keep in mind we're getting to the end guys and i'm really uh happy you guys are staying with me so we're getting pretty close here so uh we talked a little bit about
name and shame um again most of the attacks that we're dealing with now are threatening to release stolen data on the dark web it's rare for us to see a case that it doesn't happen anymore um attackers they're going to release data right so that's and the reason they do that is to compel you to pay um and and what is a compelling reason though typically it's reputational damage so maybe you had good backups right maybe you could bring them back up and you don't necessarily care about it but what happens if all your contracts are leaked on the internet right what happens if all of your clients data is leaked out on the dark web these are some of the
things challenges that they're that that um that we're having to deal with and we have to decide yes i could bring my environment back up with backups but is it worth paying for bitcoin so that all of my clients data doesn't get sprayed out there these are things that we have to work out and you have to work through in real time right so um you have to be prepared for that have a strategy again we're trying to do proactive things so we can just execute in the middle of an attack uh the bottom bullet point that you see there we are seeing attackers contacting leadership so they're looking through linkedin or they're looking through uh or trees that
they've stolen from your environment they're finding out who the coo is who the ceo is who the financial folks are who the legal team are and they're contacting them saying that they have the data is out for sale on the dark web and your i.t team is considering not paying right so they're contacting leadership so you've got to make sure that you're telling your leadership that yes you may be contacted here the things to say or not say yes mr ceo i understand it's going to be scary if you have a thick russian accent person on the other end of the line saying that they have all of your data that actually happened i talked to a
client on wednesday their co was called by a thick russian accent we've got all your data you guys have to pay the ransom so that will spook any ceo right so let's make sure we're communicating with them you don't want that to hit them in a blind spot and then they end up leaking some information um that that could be critical to the to the incident response so the proactive tip that you see here an advanced data map these are basic things right we have to have a data classification methodology we have to have those things because how do we know what value the data they took is if i can go through logs and see that someone
was in the environment for three weeks and they took out you know two gigs of data but they only got access to um you know public powerpoint slides am i going to be compelled to pay at that point probably not but if we don't have a data map and we don't have a data classification methodology it's really difficult to be able to do that so um it's really a challenge i think we need to have data maps i don't think we talk about that enough it's not sexy like response or pen testing or anything like that but having a data map understanding where our data is is really critical all right oh that's it so i came in at 10 45 i'm
getting us close to being back on track um what proactive tips did you hear that you disagree with this is where you guys throw tomatoes uh have some questions is there any topics that need more context to be actionable uh and as ryan posted we'll have an attorney on later um to talk about data maps i think that's that's critical um are there any proactive tips that you guys heard that you think you want to call bravo sierra on anything that's um different than what the way that i described it or any other questions that you have i'm glad to answer those in just a couple minutes that we have left yeah uh 100 right there uh
critical and an incident to have a data map so uh shane said i could be a little more excited about the topic you know i mean i get i get worked up man i i get uh i get excited about these things so uh it's not good to be excited about it but i i want to give you guys good information so i'm glad you guys are receptive um i will send the i will stop sharing and send the host back to mike and then i'll be in the chat if you guys have other questions i'm glad to glad to chat so uh if you want to reach out to me would love to have a conversation you see my email
address there the linkedin if you send me a linkedin invitation please uh tell me that you saw your besides talk or something i don't typically accept all those things and i rarely get on the twitterscape but uh my twitter handle is there if you want to connect me i would love love to chat so i'll pass it back to you like yeah same cell phone i've always had this doesn't like to text back apparently uh well that's another thing mike said sorry about that it got me blacklisted apparently so thanks chris sure i thought it was a great talk i actually posted a question what's the uh longest wall time you've come across in your adventures and incident responses
so longest time that i've seen and the logs only went back for 12 months and they were there for every log that they had so uh yeah it's it's a challenge for sure