
Ransomware Readiness: What Does it Mean to Really Be Ready?

BSides Buffalo | 47:49 | 21 views | Published 2025-06 | Video on YouTube
Category: Technical
Style: Talk
About this talk
We've all been asked at some point in our lives, "Are you ready?" That usually strikes me as a somewhat loaded question: "ready for what?" Chances are that if you're being asked "are you ready", it's because it's something you haven't done before, or because the thing that you are supposed to be ready for is really challenging. A client asked me recently to help them understand if they are ready for a ransomware incident, then stressed, "I mean REALLY ready." That got me to thinking: what does it really mean to be ready to manage a ransomware incident? There are all types of leading practices and frameworks out there to help you generally prepare for and manage ransomware incidents. In this session, we will look at the core concepts of ransomware response, through the lens of real-world experiences and lessons learned, to help determine: are you REALLY ready?

We will go beyond the basics of ransomware readiness. We all know the fundamentals: we should have good backups, detection tools, incident response plans and retainers, cybersecurity insurance, etc. While those are all good things, they are only the beginning of being really ready. We will explore the things that many security professionals don't think about when responding to a ransomware event. Topics such as:

- Have you made an organizational decision to pay or not pay a ransom, and who makes those decisions?
- If you were to pay a ransom, how would you actually do that?
- Would your organization negotiate with the attackers?
- Would you consider using available decryption keys?
- What does your cybersecurity insurance really cover; are there any requirements related to receiving reimbursements?
- Is your desired IR partner acceptable for use by your cybersecurity insurance firm?
- Are you truly testing your response capabilities periodically, or just going through the motions?
- Are you considering all of the organizational capabilities needed to fully manage an incident (e.g. crisis communications, legal, HR, media liaison, business continuity)?

We will cover these topics and more to help people go beyond the fundamentals and truly understand if they are really ready to manage a ransomware event. It's one thing to think you are ready to manage a ransomware event, but it's better to know you are really ready.

About the speaker

Bill Carver, Risk Consulting Director - Atredis Partners

Bill leads and contributes to custom-scoped projects for Atredis Partners that include system risk assessments, risk management program development, internal control design assessment and process optimization, information security program reviews, and regulatory compliance readiness assessments. Bill specializes in helping clients truly improve their cybersecurity programs by bringing his years of experience to bear when it comes to dealing with security control implementation and risk management.

Experience

Bill has over 25 years of cybersecurity experience and has held several key information security leadership roles, including most recently as a Chief Information Security Officer. Those roles have spanned multiple verticals (pharmaceutical, banking/finance, and consulting services). For the last 15 years, Bill has been focused on providing risk advisory services to numerous clients in a variety of environments, from start-ups to large Fortune 100 firms. Bill is truly passionate about helping organizations improve their cybersecurity posture while balancing risk and business enablement.
Transcript (English)

All right. I'll just be real quick with an introduction. My name is Bill Carver. I work at Atredis Partners, and I think I see a lot of faces here that I talked with earlier and gave the spiel to, so I won't go too long, but please look us up. We do research-driven testing, a little bit different than most pen testing firms, and we have a risk advisory practice, and that's where I am. We're a pretty small company, only about 40 people, no investment money, no salespeople. We just survive by word of mouth, doing really good work. So in my role I get to work with our clients. I do a lot of IR tabletop exercises. During those exercises, naturally you just kind of pick up on what people are doing well, what they're not doing well, what their challenges are.

So recently somebody had asked me, just feeling like they weren't doing enough for their ransomware preparedness, just having that nagging feeling: I have an IR plan, I've done some tabletop exercises, we walk through some things, but he's like, I just don't feel like we're doing enough. I don't feel like I'm really ready. So he's like, I want you to help me be really ready. So I'm just going to walk through some things, and my goal is, if you can walk out of here picking up one thing, two things, where you say, "Oh, hey, I hadn't really thought about that, or that might be important. I probably need to check into that." Some of it's not going to be earth-shattering information, but again, if you can just pick up a couple of things and you're like, "Oh, wow, that's a good idea, I probably need to go back to my location and think about this."

I'm not going to read all these stats for you. You can read them while I'm talking. But basically the premise is, as we probably all know, ransomware is not going anywhere, right? A slight decrease last year in the number of organizations that were impacted, but it's not going anywhere, and you can make the argument that although that number is a little bit lower, it'll probably go back up this year. But also, the attackers are getting more effective with what they're doing, right? So okay, maybe a slightly smaller number of organizations are impacted, but the attacks are more successful, the ransom amounts are higher, and realistically, think about it: if almost 60% of companies did have a ransomware incident last year, you're more likely to have one than not, right? Which kind of stinks, but

that's the reality of it. It's just not going anywhere. It's getting worse; the effectiveness is getting worse. So some trends. These are the things that are contributing to making it even worse, right? Can't have a presentation without AI, it seems; we're going to have a conversation today about AI. But it's a very real thing that is impacting the effectiveness of ransomware. So a couple of things. It is helping attackers develop better phishing attempts, believe it or not. So using AI to develop the messages that you get that ultimately are going to give you ransomware. AI is helping to write those messages better, and the click-through rates are better using AI. So, boom, AI is helping the bad guys do their job better.

And then you have these access brokers. You haven't heard that term? Access brokers are just people who are gaining access into an environment. They gain a foothold, right? And then they don't do anything with it. They just hold on to it and then they sell it to others so that they can use that access. So much like ransomware as a service, you've got people out there whose job it is, and they're making plenty of money, to gain access into an environment, hold on to that access and then sell it to someone else. So, oh hey, you've got ransomware. I've got access. Let's put those things together and see what we've got. Fantastic. So access brokers are on the rise. That's an impact.

Then you have, you know, traditional ransomware, which was always: you got the message on your screen, your files have been locked, right? What am I going to do now? So that's bad, right? I can't use my data. That kind of stinks. But at least previously that was kind of your only problem, right? How do I get my data unlocked? Maybe I can recover from my backups, right? It's a challenge, but it's not the worst challenge. Now what you see almost all the time is data exfiltration. So your stuff is locked and they've taken copies of your data. So that just ratchets up the pressure. What do I do now? Okay, great, I can unlock my information, but what about the data that they have? Right? So that's a huge problem that's on the rise, along with data corruption, where now it's: we're going to exfiltrate your data, we're going to lock your data, and we've been in your environment long enough that we've corrupted some of your data. So all the backups that you think you're going to rely on, those have been corrupted. They also may have malware, ransomware on them as well. So that's a challenge, right?

And then ransomware as a service. I saved this for last because this just blows my mind. Everybody's heard of ransomware as a service. There's a whole dark web infrastructure of ransomware as a service that is like regular businesses, like eBay and Amazon, where you can go and sign up, pick what kind of ransomware you want to use, what type of organizations you want to target. There's support and chat, right? You pay, you can see your metrics and your trending: your ransomware has infected these 50 companies, what would you like to do? It's absolutely amazing. It's a full-fledged, viable business, right? And super easy to use. So now you don't even have to know technology. You don't have to know how to write a single script. Just go find a ransomware-as-a-service site, sign up, do your evil deeds, make money, get paid in your cryptocurrency, and it has all the bells and whistles. Hey, my ransomware is not working right, can you help me out? Why, certainly, sir. It's unbelievable. It does kind of blow my mind.

All right. So I mentioned being really ready. So, the usual approach. The next few slides, I'm going to just talk through why the usual approach kind of is failing and what you may need to do better. And before I jump into those things, I'm just going to say, if I'm saying

the usual approach isn't good enough and I'm saying something, I'm not picking on anybody. You might see something and say, "Oh yeah, we're doing that," and that's not good. I am not picking on anybody. There's a normal process and maturation that goes on where, like anything else, we're going to start here, we're going to get better. So a lot of the things that I'm going to say aren't good enough and are kind of bad practices. It's not a personal attack on anybody or their company. It's all just very normal stuff, right? There's a reason that we've observed these things: it's because they are common, right? But again, not picking on anybody or their company if that's where you're at and that's what you've done.

But just starting out with some things here. So some things I see pretty commonly. Not sure how many direct infosec professionals we have here, but infosec people tend to think of a lot of things as being an infosec problem when it's really much more than an infosec problem. So ransomware readiness, incident response preparedness, is way bigger than information security, right? But again, a lot of us in infosec, we tend to be, I don't know, maybe a little bit introverted. Maybe want to keep things a little bit close to the vest because we don't trust other people. Anybody like that? So it's a very common thing, right? I can write an incident response plan. I can manage this whole thing. So you tend to keep it a little bit closer to the vest and you don't reach out to all these other departments and groups that you see here. And it's a major mistake, because realistically, you as infosec may be kind of on the front lines when something happens, that first hint of a ransomware attack or any incident, and you might be at that point, but then a lot of the key decisions that you're going to make thereafter are not going to be made by infosec, right? And part of it too is it's hard to talk to these other groups. In most organizations it's difficult, because they're going to ask you a lot of hard questions, right? They're just going to make things more difficult. You have to have meetings and conversations with these other groups, but it's super, super important to get them involved. And I see it all the time: okay, you've got an incident response plan. Have you communicated this with HR and legal, marketing, corporate communications, crisis communications if you have it, right? All these other groups play an incredibly key role in the response process.

So just a very common thing we see is infosec kind of keeping everything tight to the vest, not getting other groups engaged, and that's really a critical mistake, because as hard as it is to talk, especially the network ops people, they're the worst, right? I'm kidding, I'm totally kidding. It's hard having the conversations, but these other groups can really help you too, right? And it's super important to make sure that you're talking with them way, way, way before you have an incident, right? So it's one thing to say, okay, well, I know if something bad happens we need to reach out to these groups, but the time to do it isn't during an incident, right? Reach out, be proactive, communicate with these groups, get them involved. Yes, it can be a pain, especially lawyers. Any lawyers? Just kidding. Okay. It can be difficult, but they really can help you tremendously.

Okay, so our incident response planning and our team of people who may be incident responders. So this is another super common thing. This is probably why I made the point to say I'm not picking on anybody, because the most common thing I see is: yeah, we've got an incident response plan. Like, hey, all right, great. That's a really good

first step. And then you look at the incident response plan, and somebody downloaded it from the interwebs, found some leading practice, downloaded it, and inserted their company name throughout. And then, oh, there's a table here to add all of our contact information and stuff like that. So you put everybody's contact information in there. That's a terrible plan, right? It is. It's terrible because, to state the obvious, it's not going to really help you in an incident. Your incident response plan: yes, you should have one. Don't misinterpret that at all. But you should not have one that is completely generic, not tailored to your organization, and really isn't going to do you any good in an actual incident or in helping people understand how you're going to respond to an incident. Yeah, go ahead.

[Audience member] I was going to say, basically the better way to say it is: yes, have an incident response plan, but don't be Poindexter on day one, where he puts on the glasses and he's like, step one of the engineering report incident response plan is to... oh, call a doctor, right?

Exactly. And the idea of not tailoring it, so a basic, generic IR plan. And to be clear, I'm going to separate out procedures and other documentation that support the incident response plan. The incident response plan should be at this level. This should be something that all of those other groups that I had on the previous slide should review. They should be familiar with it. It's going to describe how the organization in general is going to respond when you have an incident. But what it doesn't give you is the step-by-step instructions someone needs to actually manage an incident. It's just: we're going to do these things. This is what we aspire to be. Incident response plans are great. Before you have a tabletop session, you should have a good plan and you should share that with those stakeholders. Again, I referenced that on the previous slide. They should understand, just in general, okay, well, what is a security incident and how in general are we going to respond to it? But it doesn't give you any technical details. It doesn't give you step-by-step instructions. It's just a plan. So a plan is good, but also only as good as you make it. So I just really strongly encourage everyone, if you've done that, nothing wrong with downloading that leading practice framework, but spending the time to tailor it to your environment is absolutely key and critical. Don't do the, hey, boom, we're good, I got to put up a painting and then we're all set, right?

And then also, skill sets and training. I see this all the time too, where just because somebody works in the infosec department does not mean that they're the best person, or even a good person, to respond to a security incident, right? Making sure that they have the right training. They should be incident handlers. Send them to incident handling training. But also really important is that they have to have the right personality to be an incident responder. So think about working with all those other groups, and think about: has anybody been through a really bad incident before, a security breach that they've had to manage on a Friday afternoon? And it sucks. Yeah. Okay. Thanks. A long weekend, right? Man, and if you've been through a

bad one, man, the pressure is high. It varies depending on the size of your organization and complexity and all that stuff, but the pressure is really high. People are freaking out a little bit, potentially, right? And it does typically happen on a Friday afternoon. I was kind of only kidding, but it seems like it's always a Friday afternoon. But the person who's managing it from the infosec side, working with those other stakeholders, yes, they have to have great technical aptitude, but they also have to be able to manage the pressure, manage the stress, communicate with other people, right? It's super, super critical. I've met a lot of people who've been tagged with incident responder status or roles that are in no way really qualified to do it, right? I'm just like, that person is going to be a disaster if there is an incident. So making sure that not only do they have the technical aptitude, but they have the business acumen as well to be able to manage an incident and communicate with people, that is super important. Think about what it would do to your incident response process during that super stressful time if you've got somebody running point for infosec who, yeah, might be the most technically awesome resource that you have on the team, but is just not capable of coordination, of pulling everything together, managing things as they need to be.

And then also your plan. This is super easy to forget for some reason. Let's say you're some type of service provider. What is my incident, my ransomware attack, how is that going to affect all of the people that are relying on me for business? So who do I need to communicate with? When do I need to communicate with them? Missing third parties, business partners, vendors, contractors, whatever you want to call them, your external partners, people that are either relying on you for a service, or you share data with, or they share data with you. That all falls into this bucket. And it's amazing how often they're just not included in the plan, not even included in the thought process. And you can imagine all the bad things that could happen from that. You could have issues with legal liability because you didn't provide a service because you were down with ransomware. You could have reputational risk because you weren't able to provide the service, things like that. So very key, very important, is to make sure you're including those third parties in your incident response plan.

And just to mention it too, there's a panel at 4:30. Sorry, I should have mentioned this at the beginning. So I am going to try to be done by around then in case folks want to go see that. So I'm going to try to be done.

So okay. So here's another one. When we think about prevention and detection. So we've got endpoint detection and response, right? We've got the best EDR solution. We've got CrowdStrike. We've got S1. Whatever. We're awesome. We bought the best product. We bought professional services. They came in and they helped us fine-tune it, implement it, everything's awesome. Usually not really, right? Why I say that is, one of the things that we do at Atredis is we test EDR implementations, and we're always successful at bypassing EDR implementations. Part of the

reason for that is just that everybody's environment is different. Everybody's standard build is just a little bit different, right? Everybody's infrastructure is a little bit different. Certainly they're going to catch 98, 99% of the stuff, and that's great, but what's super important, that not a lot of people do, is leverage an outside firm, doesn't have to be Atredis, but leverage an outside firm to test your EDR. Don't just use the vendor for their professional services and implementation, but actually sit down, you know, with a laptop with your standard config on it and your EDR on it, and have somebody actually test that, right? We're sending malicious payloads or doing something bad. Is it catching it? Is it not catching it? Almost every time I've seen that done, there's problems with the EDR. Some of it's easily fixable, some of it's not. But rather than just thinking that you've purchased it, you've implemented it, you've leveraged the vendor to help implement it as properly as possible, do more, do the next step: test your EDR.

And then secondarily, EDR is just part of your defense-in-depth strategy, right? It's not the only thing you have. You probably have other things that are helping protect you. A common mistake is just not to consider and do a strategy and a roadmap, like a technology tools roadmap, where you say, here's all the wonderful products we have, because infosec people, the other thing we like to do is buy tools. We love buying a tool. Vendor comes and has got a shiny new widget, silver bullet, let's buy it. We like to buy a lot of tools. So the big thing is, okay, it's great to have the tools, but do you have a clear picture of what the coverage is of all the different tools? Where are the overlapping coverages? Do we want overlapping coverage? If you can't visually look at that, that's something that you definitely want to consider. Call it, you know, a product tools strategy roadmap. But also, in addition, what are the capabilities of the tools and do we have all of the things covered that we want to have covered, all the different portions of our environment and all the different layers of our environment? Not only do we have it covered, so that's a good thing, but then also really important is, who's doing what with the data, right? Super common to see: we've got a tool. Hey, awesome, you've got it. Yeah, it generates tons of logs and it's all super useful information. And yeah, well, who looks at it, communicates to other people, and actually makes it operational? A big mistake is just having all of that data and not knowing who owns it or who should do something with it. Nothing worse than having all that information and not acting on it.

Okay. And then data backups. So I talk to a lot of people who feel really strongly that their ransomware readiness strategy really begins and ends with data backups. We're good. We've got data backups. We test them. We not only test that they're running and working properly as far as the actual function of doing backups, but, if you're on the higher end of the maturity scale, you're actually testing the backups, doing restores from backup, things like that. It's important. So don't take any of the things I'm going to say next to say that data backups are not important. They're certainly very important, but it is not a sole strategy for ransomware readiness to just say, "Hey, if we get hit with ransomware, we're just going to restore from backup." Right? I get the sense that most people in the room know that when somebody says that, that we'll just restore from backups, it's not that easy. It's never that easy, and it can be super, super time-consuming to restore from backups, right? But then think about some of the trends that I mentioned before. So you're going to restore from backups, and then you realize that, oh, well, the attackers have compromised my backup data. That's a

problem, right? Or you've got your backups and, let's say, maybe you haven't run them as frequently as you need to. So now your data is going to be inaccurate. You can't bring it back. It's not, again, a sole strategy. It should be part of your strategy. It definitely shouldn't be the thing that you're hanging your hat on. So the thing we see missing most often is your regular testing of your backup data, not just whether or not it's functioning correctly. But also, when I say it's not a sole strategy, it doesn't solve the data exfiltration problem. So you might be able to recover from backups in a long period of time, but it doesn't help, because the attackers have also exfiltrated your data. So okay, how do we solve for that challenge, right? And then, what was the other piece? Oh, the data corruption piece, and installing malware and the same ransomware into your backup environments. So a lot of times the attackers have been there for quite a period of time. They're not just going to break in, launch ransomware, and that's that. They're going to hang out in the environment for a while before they launch ransomware. Before they do that, they are attacking the backups. I don't recall exactly, but I think there were some statistics on the first slide I had about the prevalence of this, based on the number of ransomware incidents. I think it was in the 70s or 80% of those successful attacks that also targeted backups. So they know that that's what people are relying on for a strategy. Again, it's absolutely important. We absolutely want to do it, but it is definitely not a sole strategy. How confident would you be? Raise your hands. How confident would you be if you had a massive ransomware attack tomorrow and you collectively made the decision to just recover from backups? Everything. We're just going to recover from backups. Raise hands for who would be 99% confident that that would go well. Yeah. Okay. Well, nobody. Okay. I thought maybe there'd be one brave soul to say, "Yeah, yeah, we're super good." And you might be, for sure; that could definitely count. But that just goes to show that it's not a great strategy. Again, part of your strategy.

And then really, cyber insurance and incident response retainers. Yeah, this is some really fun stuff. So tons of common mistakes that we see here, and these next two slides to me probably play most into the things that are forgotten most and are really bad. When you think about your insurance, I've talked with a lot of companies and done tabletops where they said, hey, we've got insurance, we're good. Okay. Well, it's great you've got insurance. How much insurance do you have? They generally know the number. Okay, we've got 5 million, we've got 10 million. Okay, do you know how that breaks out into the different areas that they will reimburse you for? So you may get a certain amount of money that covers your IT recovery, asset recovery, things like that, physical things. You may have a certain amount of that money that's available for notifying customers, sending out notifications, doing things like that, other communication. But in most cases, people don't really know what that breakdown looks like. But far, far worse than that is not knowing, number one, exactly how to engage with your insurer when you do have an incident. So some of them may require you to notify them immediately. Whatever course of action you're going to take, the first thing you have to do is notify your insurance provider. Okay? Maybe you have an incident response retainer. So you have a firm that you like to work with. You've got an incident response company that's going to parachute in, maybe, when you have an incident, and they're going to help you. A very, very common thing is

to have an incident response retainer. So a couple of things to think about there, and things that I see done incorrectly a lot, is making sure that whoever you may want to use, if you have an IR retainer, make sure that they are on your insurer's approved list, because you may have something in your insurance that says you may only use incident response folks from these companies. So the company that you want to use may not even be on the list. It might not be hard to get them on the list, but the last thing you want to do is have, okay, I've got a retainer, I'm going to use this company, and if you do that, you could possibly void your insurance because you didn't use a company that was on your insurance requirements. Also, with your incident response firms, they like to come in when they're selling you a retainer and tell you how great they are, and you sign up and you buy, I don't know, 500 hours of incident response retainer. Be really, really sure to check what the SLAs are on retainers. So they might just be giving a presentation, again about how wonderful they are, and, you know, we can have somebody respond within 12 hours, we can, but is that in your retainer, right? So it's just really important to make sure that your retainer meets what you think your needs are for response time. So, great to have a retainer. Just make sure it's got those details in there. But making sure that whomever you want to use is on your approved list for the insurers. I mean, just to say it out loud, they don't really want to pay you, right? That's the whole insurance model, right? Let's not pay. Just like you bang up your car and they try to give you a hard time about paying. It's the same thing. So they're going to look for ways not to pay you. Sorry if there are any cyber insurance folks in here. I'm not trying to be mean.

Make sure, if there's criteria for reimbursement, like I mentioned, that phone call that you might have to make to your insurance provider, that might be something; they might have other steps in there that you have to take in order to receive reimbursement. So just double, triple, quadruple check those things, just to make sure you're on board. They oftentimes will have... so you may have your insurance and retainer capabilities, like IR response capabilities, through your insurer. If so, make sure you've got a really good understanding of what their process is. They might have a 1-800 number that you have to call. Okay, well, what's the SLA for how quickly they have to respond if I'm relying on insurance? All of those details will be in your policy, if you have a policy. That information will be in there. So make sure that you double-check that. And I talked about coverage a little bit. So the big thing again: read your insurance. Make sure that if you have your own incident response provider, they are either on their list, or they can be put on their list, or you're in some other way allowed to use them. Make sure about what those response times and SLAs are, what coverage you have in different areas. If you have a big

enough uh insurance uh uh amount uh coverage amount uh you may have uh reinsurers. So you've got, you know, main insurer covers this amount of money, but then you've got other insurance providers, reinsurers that are part of it. Understand how all that works. And also really super important is uh making sure that when it comes to paying a ransom, and I'm going to jump into this in the last slide, u make sure that when it comes to paying a ransom, understand what language is in your insurance for that as well. Will they help you facilitate that? So if your organization has made a decision that you know what, if it's bad enough, you I'm a healthcare provider. If I get

ransomware and I can't provide critical care, that's a problem, right? So I'm going to pay a ransom. Okay? I'm just going to make that decision. I'm going to pay it. Like I have patient safety issues. I'm going to pay it. Don't judge me. That's just my business. That's what I'm going to do. um making sure that in your policy um if it's not there that you have a plan for how would you actually do that? How would you actually pay a ransom? I had a customer one time ask me they were they were determined that they wanted to that they would pay a ransom and that they would do it themselves. they didn't have any of that uh that capability built

within their insurance policy where they would help them facilitate that and negotiate with attackers and things like that. So, they were determined, no, we're we're going to pay it. Boy, I'm blowing past 430. Okay, I'll be quick. Okay, so um they were determined that they were going to do it themselves. So, I I explained to them I said, "Okay, so here's what that's going to require well in advance. You're going to have to set yourself up some cryptocurrency wallets. That's going to take maybe a week or so. Then you're going to have to take organizational money and put it into cryptocurrency so that you can pay an attacker when this happens. Uh and then how are you actually going to pay?

You know, you're sitting there; are you going to just use your regular work laptop to go pay ransomware attackers? Are you going to negotiate with the attackers? Trying to pay it yourself, I feel like, is just not a great idea. So, just make sure that it's built into your insurance or your IR retainers that you've got people to help you negotiate and pay, because it's not something that you're going to be able to adequately do if you just try to pick up and do it for the first time ever when you're in that pressure-packed situation that we were talking about before. Okay. So, I'll try to be quick through this last one here.

But really, really important. This is the last thing, maybe the most important thing that I see within organizations: they just don't ask the right questions and they don't ask the hard questions. Going back to some people maybe being a little bit introverted, wanting to keep things close to the vest, and these are hard questions, so they don't often get asked. But, quick show of hands: within your organization, do you know definitively whether you would pay a ransom or not if you got attacked? Definitely. No. Okay, cool. No. Okay. Definitively. No. Okay. So, you're not sure, right? So, I did a tabletop maybe about a month ago with a company. It started out with all the right people there, those stakeholders that we mentioned early on; they were all there. One of the first things we kind of threw out was about paying a ransom, and every one of them without hesitation was like, "Oh god, no chance we'd ever pay a ransom. No, we're not doing that. No, no way whatsoever." By the end of the tabletop exercise, just naturally, through discussion, they're like, "I don't know, Bob. Would we pay a ransom? Maybe we would. What if it impacted this, or what if it was only this amount that they were asking for?" Right? So talk about that well, well, well in advance. Get those decisions out in the open.

I don't see it very often, but I really strongly recommend a decision matrix of some kind. So if the ransomware happens and these things happen (it is this much data affected, or these areas are affected, or the ransom is this much, whatever it might be), you've got some type of decision matrix. But that's definitely not an infosec question to answer, for sure. That's not up to us. That's definitely up to other folks in the organization, generally at much, much higher levels. Let them decide, and whatever that decision is, I'm okay with it from an infosec perspective. I tell you about risk and you make your own decisions; that's fine. But just really get ahead of it and know whether you would pay it or not. Has it been discussed? Has it been documented? That's super important. And then, we talked about it a little bit: how would you pay a ransom? So if you decide that you would pay a ransom, really think about, okay, how would we execute this when seconds and minutes are going to really matter and we've got this ransomware attack? So really have that decided up front. That's super critical. And would anything change if you had data exfiltration involved, data corruption involved? Would any of that change your decision? Would you consider using publicly available decryption keys? I've seen this all over the map. Some people are dead set against it: "No chance I'm going to trust some quote-unquote publicly available decryption key." Other people are like, "Yeah, I'd give it a shot if it helps us avoid paying a ransom." So just understand all these things up front. They're super tough questions. I understand why people don't like to talk about it, because it's uncomfortable, because when we talk about these things we're all thinking, "My god, what would happen if we had ransomware?" And I'm not going to ask anybody if they've had ransomware; I'm just going to guess, based on a 60% number, and I look across the room and I guess at least a few of you have had ransomware. But I get why people don't want to talk about these things. But they are... ask the hard questions of the right people. Get in a room; do it in an incident response tabletop session. That's a good time to do it. Get people talking about it. So, all right. Well, with that, I'm sorry I blew past 4:30 a little bit, so I apologize if you wanted to go listen to the panel. But that's all I have. Anybody have any questions? Yeah,

I have two. The first one was quick and the second one might be slower. But if anybody else wants to leave, you don't have to stay. But the first one is, with respect to paying the ransom, how many of your customers have you noticed that the exfiltrated data is not really... the legal... So we don't, at a trade, we do not provide incident response services. So the information I have is from incident response tabletop exercises, planning developments, things of that nature. I think if people don't have any... you can't have any real great level of assurance that you pay the ransom, but your only level of assurance is that, in an odd way, I mentioned the kind of dark web ransomware-as-a-service; there is a code between attackers and the whole ransomware subculture, where one attacker can make everybody look bad, right? So, if I want to keep getting paid, right, as all the other attackers do, if I don't... as crazy as this sounds, if I don't uphold my word, right, that's really bad, because then people are saying, well, that's going to get out and that's going to happen again. And then people are going to say, well, I'm not going to pay, because you might unlock my data, because you're not going to delete it, or if you delete it, maybe you're actually kind of... come up to it. So I think the best you can do is rely on the code of honor of the attackers in this case and hope that they delete your exfiltrated data. Yeah.

So then my second comment about that is that, with respect to backups, if the first thing you're going after is backups, how are you backing up terabytes or more of data? And not only that, but how long does it take to recover? It takes a super long time. I mean, yeah, it takes a long time. That's why I say it's never as easy as we think it is, which makes me cringe when people say, you know, data backups, that's my strategy, because it's just not super effective. Nobody raises their hand. They don't think... no, not a single person, when I ask, would you have confidence that you could pull it off, and pull it off reasonably, and would your data be accurate? And how would you validate that it's accurate? It's tough. When it comes to your backup strategy, you certainly want something that's highly redundant, something that is off the network from all your standard systems, and something that is immutable, right? So you want all of those things, but even if you have that, I think of all the mid-to-large organizations, how difficult it would be to actually... think about how hard it is for most companies to do a real disaster recovery where you're actually replicating an incident and recovering from actual backups, and that's just a small subset of your organization; you typically do that against a subset of applications and stuff. That's super hard to do by itself. I can't even imagine when everything or almost everything is down. We're just going to... it's... yeah, I mean, I'll just say I'm definitely, in a lot of cases, in the pay-the-ransom category. I understand the ethics of it all, and understand too that some companies are legally prevented from paying a ransom. So certain governments and state governments have made it illegal to pay a ransom. But I'm generally in the camp that if it's going to massively impact your business, and you're providing a service, you're providing care, you're providing something really critical, or it's going to just cost you a boatload of revenue every day that you're not available, like, was it the pipeline incident, how much money that cost every day... I get the "we probably should pay the ransom," right? I mean, I understand, because to me, that's better than "I'm going to just say forget it. We're going to wipe everything. We're going to restore from backups." I just really feel like that's probably not going to happen, or at least not very well.

So, is negotiation a waste of time? No. No, not at all. No, I don't think so. By the professionals, not by me. Yeah. But no, there are statistics that show that oftentimes negotiation can reduce the payment amount. I think the base payment request is around $2 million. And then in many cases the negotiator (it's easy for me to say) is able to reduce that amount by sometimes up to like 40 or 50%. So it is definitely worth a shot, and if you've got a good insurance provider, they will help with a lot of this. You just have to know exactly how to engage them and exactly when to engage them and things like that. But I definitely think... and that's part of why I think it's really foolish to ever think that you're going to just do it yourself. You're certainly not going to negotiate. So that hurts you right off the bat. You're not going to give yourself a chance to reduce the dollar amount. But then also the whole idea of how would you actually make, you know,

the process of making a cryptocurrency payment to an attacker. Good luck. I think you killed... I guess one thing that we were advised as well, in dealing with an incident, speaking to outside counsel, what they had advised us was there is actually a list, like a government list in the United States, of organizations that you cannot pay because they're affiliated with terrorist organizations and stuff too. So if you just make that decision, "oh, we'll pay it," and do it, but you don't consult that, you can then have legal implications from a government for paying out to, you know, an organization. How many folks do you think have done that thoughtful analysis as part of their ransom decision? Yeah. Yeah. We went through a tabletop exercise and were told this, you know, by North Korea. Actually, I think, yeah, I was going to echo the same thing. You have to be careful if you're doing any business with the government and things like that, because you don't want to find out that now your organization can no longer do business with the US government because your organization funded a terrorist group. And I strongly advise anybody, if you've decided that you're going to go down it, reach out to a broker. I feel both ways. The brokers know the players out there and they're able to negotiate. Now, the people that are coming in that are going to issue the ransom, they've been in your system. They know how much your company's worth. They know how much your cyber insurance is. Your cyber insurance carrier is most likely going to invite you to pay because it's cheaper. But the broker will be able to tell you how much you can basically trust them, right? You could pay them and they could just ghost you and you don't get the keys, and now you've just wasted a million dollars.

Was it somebody over here? I was going to add on to the earlier point, the question about the restore time. And you mentioned the pipeline a few years ago; they were actually restoring a good backup, found out it was taking too long. So then they made a decision to be quicker, to pay them and restore with the ransom. So you've got to know your recovery time objectives and test your systems to know: are we meeting the business objectives with our capabilities? So yeah, like you said, it's hard to do on larger. We have to know what that is. Yeah. And no, you make a good point too, because even if you do some great business impact analysis work and you have your set of applications and you know exactly what your recovery time objectives are and all that good stuff, you tend to do those BIAs in a vacuum. You're looking at that application, say, okay, great, we can bring that up in 12 hours or 10 or whatever. The problem is you spread it out now, and it's a massive incident, and all the applications are down and all of them need to be recovered. You're never meeting those RTOs, right? At the chase... and it's important, they have different business stakeholders then, because their operations were down. They could provide all the fuel they wanted. Their account was found. They couldn't collect money from us. They said, we're not doing business. We can't collect money. So you could have looked at operations all you wanted and said we'll make sure we have availability. Yeah, right. It doesn't matter if you're not able to operate. Right. You have a question. So just going back to running tabletop exercises and how you handle that. I've just started doing that recently with my company, and I've sort of found the teams I talk with are either like, we're doing this for the first time, or we've done this a million times and just find it really boring. How do you

keep them engaged, and how do you draw people in? I mean, so you're right in that line of thinking. I would say if you as a facilitator are talking more than the people, then the tabletop's not going really well. Part of it is just asking questions. So, a lot of times when you do it, you'll say here's my scenario, and then you've got your inject. So you're going to ratchet up the intensity of your incident response scenario. It's really easy to forget to ask questions and make people answer questions and say, "Okay, well, what do you think?" Right? So some people might want to be quiet. No, just ask it directly, like, what do you think? But changing up the scenarios certainly does help. You're probably doing that. But I mean, changing up the scenarios really helps. So, if you did ransomware, then you could do something else and change it up, you know what I mean, or even, you could have different ways that whatever the malware is was introduced into the environment. But I find just telling people right out of the gate that it's only going to be as good as how much you're talking and I'm not talking. Asking them direct questions, and if they don't answer questions, like for people that just don't want to talk, I just ask them directly: "So, Bob, what's your take on this?" Building in a lot of questions, and they're not just statements like this happened, that happened, then this happened, then that happened. I like to, with the inject, say, okay, here's something that happened. The help desk got a weird call at this time, and then somebody else called and said they had this message on their screen, and some... Okay. Then when I do that, I'll do the inject about what just happened. Then the next thing I do is questions. So I don't get too far past that. It's an inject, like this thing happened at this time, and then, "Bob, what would you do at this point in time? Who would you call? Would you call legal yet? Would you call this person yet? Would you call law enforcement?" Right? So building tons of questions in and just being kind of obnoxious and asking people, making them feel uncomfortable. And also being comfortable with dead silence too, for a minute. Eventually somebody will probably speak up and say something, right? So if there's a question out there and you know they know the answer and they're just kind of sitting there, let them sit there for a minute. Eventually somebody will say something.

So, all right, I nailed it. 4:30 right on the dot. Technically, to be fair, I am perfectly within my regularly allotted time. I was trying to get done. I apologize if you really want to see the panel. You were being polite. You didn't run out on me in the middle. But that's awesome. So thank you. And if anybody did come in late and didn't get a challenge coin from Adrenus, let me know. And certainly check out our website. Everybody I talked to earlier knows I mentioned this. But read our blogs. Our hackers, not just lip service, they are truly the best and brightest in the world. We only have about 25 or 30 of them. And they are absolutely amazing. Check out the blogs. They will absolutely blow your mind. And it's not like some cruddy blogs from like 5 years ago that aren't relevant anymore. We're usually releasing one about once a month or so. So, they're really good. Some awesome ransomware blogs out there by Bill Herbert. Check those out. But yeah, check our site out. And hopefully someday in the future maybe our paths will cross and we'll be working with the crazies and that'll be great. So, thanks so much for your time. Appreciate it. [Applause]