Ransomware: Tech Industry's Cyber Crime Wave
Ransomware has been described as the new business model for cybercrime - making up 41% of cyber insurance claims in the first half of 2020.* Although ransomware attacks are industry-agnostic, the technology industry is especially vulnerable given the nature of their business.
We explore tech companies’ real-life ransomware stories, discuss ways to avoid becoming the next victim, and what should be in place to accelerate recovery if a breach occurs.
* Coalition Cyber Insurance Claims Report 2020
Chapter #1
How Ransomware Has Evolved
Chase Cunningham, a cybersecurity professional, explains that while ransomware has been around for nearly 30 years, the tactics have evolved with advancements in technology. “The adversary has figured out how to leverage the very same resources that we use for business to conduct ransomware attacks,” Cunningham says. Rather than an external threat, such as a floppy disk sent by mail in the 1990s, today’s attacks often use the installed operating components of a system to do something that it wouldn’t ordinarily do.
(DESCRIPTION)
Chase Cunningham speaking over slide 3. Text, Ransomware Has Evolved with the Market Image with timeline is displayed of how Ransomware has evolved.
(SPEECH)
CHASE CUNNINGHAM: So this is kind of interesting because really what you see here is, and I remind people this all the time, is ransomware seen as kind of this amazing new thing that we never saw coming and we've never knew that there was this thing in the space.
In reality, it's been around since the 90s. ‘89 was kind of one of our first instances. Now if you think about you know how long that is, I mean, we're talking 30 years of, more than that really, if you go back some of the other instances of where this came from.
And the first one was the AIDS Trojan when someone physically took a disc, stuck it in the mail, and sent it to people. And they went, “oh, neat disc” and stuck it in their machine and sure enough it bricked the machine, I mean, that was a long time ago.
Here we are today 2019-2020 when you've got React and GandCrab and Matrix and MegaCortex and all these other things, that really are just doing things in a more virtual cloudy way. We've evolved but we've only evolved in that the adversary has figured out how to leverage the very same resources we use for business to conduct ransomware attacks.
This is not something that is necessarily totally different than what we've known about. This is just an evolution of tactics in the space. The hardest part about Ransomware and I'll show you on the next slide deck or the next graphic, is that this is not even necessarily malware. People think that you're looking for this post-quantum encryption super evil Russian-hackery thing and it's usually not.
Most ransomware is an ability to use the installed operating components of a system to do something that it shouldn't do. That's why antivirus doesn't typically pick up on this.
[MUSIC PLAYING]
(DESCRIPTION)
Travelers Logo
Chapter #2
Ransomware Business Is Booming
Ransomware attacks have grown exponentially, and business is booming for cyber thieves, according to Cunningham. “The spread of this and the growth and ease of use for the adversary is really what people should be concerned about,” explains Cunningham. Ransomware attacks often follow common attack patterns, starting with gaining initial access through a vulnerable system, weak application settings or a Remote Desktop Protocol (RDP) attack.
(DESCRIPTION)
Chase Cunningham speaking over slide 4. Text, Ransomware is a Booming Industry.
A graph is displayed with the number of predicted ransomware damages from 2015 to 2021. An image is also displayed with statistics of Ransomware.
(SPEECH)
CHASE CUNNINGHAM:
This is a booming industry. This is only getting bigger, bigger better, which is not good for those of us on the defensive side. You can see that the numbers here just continue to hockey stick their way to the right. The one that really blows my mind is every 14 seconds, someone, somewhere is getting hit with a ransomware infection.
You know by the time we finished this webinar, there will be a few hundred people that have infected their networks with ransomware. Just the spread of this, and the growth and the ease of use for the adversary is really what people should be most concerned about. The global cyber security market is hundreds of billions of dollars, but the global ransomware market is you know $21-$22 billion by the end of next year.
(SPEECH)
LOUISA DESSON: This sounds like what you're saying as technology continues to get sophisticated that the attacks are getting sophisticated, almost as a function of that.
(SPEECH)
CHASE: Well, I mean, the attacks are just getting more prolific. The more technology that we put into the space and the more we continue to introduce the same vulnerabilities and the same issues, it just becomes easier. I jokingly say that this is the self-licking ice cream cone of misery, it just continues to go on and on and on.
(DESCRIPTION)
Chase Cunningham speaking over slide 5. A process chart is shown for sample Ransomware attack campaigns.
(SPEECH)
CHASE: Ransomware attacks tactically, technically are not really that amazing in the way that they conduct their operations. If you think about what actually is required. I always like to deal with the physics of problems gravity and those types of things. The physics of what is required for ransomware attacks are not that different than what you would have seen back in the 80s or 90s.
I mean, really, you look at initial access, it's going to be some sort of RDP, possibly brute force, they're going to find a vulnerable Internet-facing system or a weak app, you know, usernames, passwords, those types of things are also thrown into the mix. And they're going to go and crawl through the network, which is where the credential theft and escalation of capabilities goes on, and then they move laterally. Once they get laterally, then they're doing persistence, and then at the end of this thing is when the payload is finally delivered.
Now there's other things that can be done during the mix here that may throw this off a little bit and may show some different tangents on the approach.
But in reality, if you went back to that early graphic and said what happened in the early 90s to now, this same flow is the same thing that has happened.
The tactics change and modify a little bit, but the overall requirements, the physics for what takes place to make this happen, have not changed. And that honestly is indicative more of a broader problem in the cyber security industry and that we've got hundreds of billions of dollars going into technology to solve this problem.
But we don't deal with the physics of the problem. In other words we treat the symptoms, really, really well. We don't treat the disease.
Chapter #3
COVID-19 Impact on Your Network
The start of the global pandemic and rise of remote working in March 2020 effectively destroyed the perimeter that protected companies from cyberattacks, according to Cunningham. Employees working from home with a compromised asset, unpatched machine or bad username and password can potentially compromise a network. With more people working from home than ever before, it’s more critical than ever to watch for indicators of malicious activity so companies can respond quickly.
(DESCRIPTION)
Chase Cunningham speaking over slide 6. Text, COVID Killed Your Perimeter. Two images are shown; one with a man working with his child and the other is of a laptop.
(SPEECH)
CHASE CUNNINGHAM: Yeah, I mean this is exponentially increased that you know the role here. You've probably heard a lot of conversations about zero trust and zero trust has kind of become the dominant strategy for the space.
The global market is moving towards this and the reason for that is, March 13, 2020 is what I like to call zero trust day. Like that was the day that the government came out and said COVID, it is a bad thing. Everybody go work from home, you know, don't come back to the office, the perimeter died that day.
Since then, everyone everywhere is a remote office, everyone everywhere is piping into their network. If you have a bad username and password, you have compromised asset, you have an unpatched machine. That is an avenue for compromise into your network. So your perimeter now has dissolved. You must approach it more, you know, more sort of strategically to make sure that you solve back the physics of that problem. And you've got to be looking for what's going on there. I think one of the most important things that folks need to wrap their head around is visibility - it’s absolutely key to knowing what's going on so you can respond.
It does you no good to see a wildfire, you know, raging you know 100 miles away if you don't know it's raging, you know 30 yards behind you. You've got to see what's going on.
Chapter #4
Zero Trust = Never Trust, Always Verify
The Zero Trust framework for defending against ransomware attacks requires “never trusting, always verifying,” explains Cunningham. Zero Trust extends a company’s ecosystem from the data itself to looking at areas where potential compromises might be introduced, such as the people who may have access to the network, the types of networks themselves, the devices used (including IoT and BYOD) and the workloads.
(DESCRIPTION)
Chase Cunningham speaking over slide 11. Text, Zero Trust = Never Trust, Always Verify. A chart representing Zero Trust components is displayed. Text, ZTX Framework.
(SPEECH)
CHASE CUNNINGHAM: Well I think what we see is that this is where the ZT side really comes into. It is that you've got to adapt to your approach back to the physics of the problem, right. If you look at what ZT talks about, never trusting, always verifying, and I can tell you this because I wrote books about it. You can go look at the history of exploitation and what you will see is that it is not usually the super mega post-quantum encryption, crazy NSA hack that causes these massive compromised ransomware issues. It’s usually the basics that are combined in a way to cause close compromises and if you take the framework that we've created and map that into it, you can see what problems you solve were right. People, typically accesses and accounts, workloads, clouds, and application that live in the cloud networks, firewalls, and VLANs, devices, IoT, Data and then automation and visibility.
So the point being that you can't continue to embrace the old approach and think you're going to do anything any better, than all those other organizations that failed at it. There are organizations that spent half a billion dollars a year in that old approach and failed.
If that's the case, logic dictates we must address things differently. And that is where ZT strategically comes into that place.
Chapter #5
Protecting Against Ransomware
With the rise in ransomware attacks, the importance of good cyber hygiene continues to be critical, according to Kirstin Simonson, Cyber Lead, Global Technology at Travelers. “Identify key risk factors, put a plan in place, and test that plan,” says Simonson. Companies can take proactive security measures, including requiring multifactor authentication (MFA) across the organization, considering an endpoint detection system, restricting access to critical data and disabling unnecessary software controls.
(DESCRIPTION)
Kirstin Simonson speaking over slide. Text, Plan, Prevent, and Recover. Three different images are shown to represent plan strategically, enforce security standards, and manage your assets with recovery in mind.
(SPEECH)
KIRSTIN SIMONSON: But these days, I think one of the areas and this gets into that zero trust really looking for multifactor authentication broadly used across the organization. We're starting to see it more commonly for remote access, but it's surprising that we don't see it as commonly or frequently used for privileged or admin access. Where, you know, really, you have the keys to the kingdom, right. So, what are they doing to make sure that the access to the most privileged of networks information, whatever it is, how is that separated and segregated from just little old me who needs to get on to do business using the very various apps, you know.
We also look at what are they doing to monitor and close things like open Remote Desktop Protocol and we know that that's pretty much like leaving a window open for a drive-by for someone to see, hey, there's this window open, it's an opportunity to get in, leave something behind and deploy it later. So, you know, what are they doing to make sure that they have secured the open RDP and SMB and similar.
Once you think about you know how the network is functioning. We also look at what type of endpoint detection and response tools have been deployed. Now, this gives you that opportunity to gauge or look at what is moving around in your network, where's it going and etc. So, I think that becomes even more critical as we think about the significant number of the workforce now working remotely. So how are you managing all of those additional access points and points that you didn't have 6, 9, 12 months ago?
And then thinking further on that remote workforce, you know, as they're coming back into the organization, you don't know what has happened to all that laptop or whatever the devices has been working in a home environment. How are you making sure that once they're connecting directly into that corporate network, it's clean? You're not just taking on something without checking.
Chapter #6
Ransomware’s Evolution to Extortion
Sean Hoar, Partner and Chair, Data Privacy & Security Practice, at Lewis Brisbois Bisgaard & Smith LLP, describes the new extortion measures that cyber thieves are taking during ransomware exploits, including going public about the breach. “If you’re not communicating with them, they’re going to start to tweet about the fact that they’ve stolen data or start calling employees or customers,” explains Hoar. Having cyber insurance helps companies access the right resources, including breach counsel and a forensic investigation firm.
(DESCRIPTION)
Sean Hoar speaking over slide. Text, What To Do When Your Company is Breached. Three images are shown for Beginning, Middle, and End.
(SPEECH)
SEAN HOAR: But in the ransomware environment: what's really become dangerous right when I teach corporate executives about this is that I think the most dangerous environment right now is the exfiltration extortion model, where it's not just data encrypted where it can move the throttle your business model.
But if you in fact they're actually stealing your sensitive information as well. And then hold you hostage and that's truly where your cyber insurance component comes back into it to make sure that you've got the resources you've been paying for and to make sure that you're the corporation of the business understands that now is the time to utilize those resources to bring in the forensics firm immediately to identify what you have or what you don't have.
It's going to allow you to determine whether the bad guys are just posturing about stealing stuff or whether forensically you can corroborate that they really have and then you can start to rather immediately assess the risk to the organization and get a feel for you actually have to unfortunately pay the guys who just stole your data or at least commence communication with them.
(SPEECH)
KIRSTIN SIMONSON: I'm actually glad you brought that up because as you both were talking, you know, I realized that has been a growing trend right where we're seeing the exfiltration of data.
And then they start actually extorting the owners of that data, which isn't necessarily the first company, you know, the tech company. It was breached, it could be their hospital client or their banking client or whatever it is.
And now are you also facing a liability situation which really to me kind of amps up the need of how critically important it is to engage the carrier, the broker, and the breach counsel very, very early on to help assess that situation.
(SPEECH)
SEAN HOAR: Well, another thing to recognize in this new ransomware environment with the exfiltration extortion model is that these guys are not just programmers to come in and crib data and leave.
They're going to work your business, they're going to make sure that if you're not communicating with them or you're not, doesn't look like you're ready to come to the table to pay ransom, they're going to start to use the journalists, like the, I call them the dark web trolls, as communications or public relations agents for them. They're going to have them start to tweet about the fact that they’ve stolen some data from you.
Or they're going to have their own agents, their own employees, come back and start calling your employees or calling your customers.
Because the data they stole, they now know who to contact and say, oh, by the way, did you know that this investment company that you have been you know you've got x y and z here because I've got your financials, you know, they've been locked down and we’ve stolen their data.
And all of a sudden those members, those employees or those clients are going to call you back, and you're going to realize, oh my gosh, I've got to accelerate this. Maybe I do have to pay ransom. But they have layers offensive layers to their model. Not just the programmers, not just, you know, the technology to ultimately do reconnaissance, figure out where the vulnerabilities lie, customize the malware to get in and blow past your AV products and ultimately drop malware in your system. But then set up on the outside to start social engineering to get back in if they get locked out or to start to tweak the communications lines to put pressure on you to negotiate with them. So just recognize this is much more sophisticated than I certainly ever imagined. And there are a lot of moving parts, you have to prepare for you. You take one step, they're going to be taking another and you better be two or three steps down the road, otherwise you'll get stepped on.
Chapter #7
Three Things You Can Do to Help Protect Your Company
Cunningham lists three things that companies can do to help protect against the risks of being compromised by ransomware: move to a remote browser, do application whitelisting and mandate MFA. Those three things will help make companies a less vulnerable target for ransomware attacks.
(DESCRIPTION)
Chase Cunningham speaking with his video shown.
(SPEECH)
CHASE CUNNINGHAM: My experience, looking at this side of the market, if you want to solve, or at least drastically reduce your risk of being compromised, ransomware do three things right now.
Move to a remote browser, do application whitelisting, and mandate multifactor authentication. If you do those three things, you're not going to be perfect, but you won't be the slow gazelle stumbling across the Serengeti.
I mean this does not mean I have to be perfect, I just got to be better than you. And if I do some very simple things they'll attack you and not me. So you don't have to focus on perfection. But what you should focus on is pushing your users through things that basically make them operate in a fashion where they are not going to be the avenue of compromise.
And yes you know, yes, I think you should train your people. And yes, you should educate people on what this looks like. But it's very difficult to fix people.
I can fix infrastructure, they definitely but you should be leveraging solutions that make it where your users operate in more secure fashion but they're not aware that they're actually doing it.
That's why I'm a big fan of those things I talked about, I can push you through a remote browser, you'll never know that you're on, you know, a protected infrastructure and you just simply can't engage with the content that would cause you a compromise like where could it be more simple?
Ransomware: Tech Industry’s Cyber Crime Wave [Full Webinar Replay]
(DESCRIPTION)
Text, Ransomware: Tech Industry’s Cyber Crime Wave
(SPEECH)
LOUISA DESSON: Thank you for joining us today for Ransomware: The Tech Industry's Cyber Crime Wave. You can submit your questions for our panelists at any time during our webinar today using the chat box. We'll save time at the end to take your questions, and we have a really good, robust panel on hand to address them so we're looking forward to that.
Great welcome everyone, thank you again for joining us today Ransomware: The Tech Industry's Cyber Crime Wave. I'm Louisa Desson, Director and Senior Editor, Enterprise Integrated Marketing, and I'll be your moderator here today. At Travelers, I create articles, videos and other content to help our tech customers protect their businesses from risks, including cybercrime. I'm joined by a really outstanding panel here today to discuss this important topic. We hope that today's discussion will give tech companies some concrete steps to help protect your data and your business from ransomware, and we've really seen an evolution in ransomware in recent months as attacks have gotten increasingly sophisticated.
Ransomware has been described as the new business model for cybercrime, making up 41 percent of cyber insurance claims for the first half of 2020.
And although ransomware attacks are industry agnostic, the tech industry is especially vulnerable given the nature of their business.
Alright, we have a great panel here today including Chase Cunningham from Forrester, Sean Hoar, a data breach coach at Lewis Brisbois
(DESCRIPTION)
Headshots of five panelists.
Text, Our Panel
Panelist Chase Cunningham, VP, Principal Analyst Serving Security & Risk Professionals at Forrester
Panelist Joy Fausey, Cyber Claim Specialist at Travelers
Panelist Sean Hoar, Partner and Chair, Data Privacy & Cybersecurity Practice at Lewis Brisbois Bisgaard & Smith LLP
Panelist Kirstin Simonson, Cyber Lead, Global Technology at Travelers
Moderator, Louisa Desson Director & Senior Editor, Enterprise Integrated Marketing at Travelers
(SPEECH)
LOUISA: and two of our Travelers tech subject matter experts.
I'll go ahead and let our panelists introduce themselves in a moment.
We're going to save time at the end to answer questions.
Alright we are ready to get started. I'll let our panelists introduce themselves.
(SPEECH)
CHASE CUNNINGHAM: My name is Chase Cunningham, I'm a VP and Principal Analyst at Forrester Research. Primarily I cover zero trust but I've written books about the subject of ransomware and many, many papers about it.
(SPEECH)
LOUISA: Great, thank you. Joy.
(SPEECH)
JOY FAUSEY: Hi, I'm Joy Fausey, I'm a Claim Professional with Travelers, and one of my areas of expertise is cyber claims.
(SPEECH)
LOUISA: Very good thanks Joy. And Sean.
(SPEECH)
SEAN HOAR: Hi, this is Sean, I'm Chair of the Data Privacy and Cyber Security Practice at Lewis Brisbois and spent much of my adult life as a cyber attorney for U.S. D.O.J. working system intrusions with the FBI and Secret Service.
(SPEECH)
LOUISA: Excellent thank you, and Kirstin.
(SPEECH)
KIRSTIN SIMONSON: Hi, Kirstin Simonson, I manage our Tech, E&O and our Cyber Insurance products and underwriting strategies for technology companies.
(SPEECH)
LOUISA: Very good thank you very much. Alright let's get started. Um, so as we think about the ransomware landscape, how have we seen it change over time? Chase, we'll start with you.
(DESCRIPTION)
Chase Cunningham speaking over slide 3. Text, Ransomware Has Evolved with the Market Image with timeline is displayed of how Ransomware has evolved.
(SPEECH)
CHASE: So this is kind of interesting because really what you see here is, and I remind people this all the time, is ransomware seen as kind of this amazing new thing that we never saw coming and we've never knew that there was this thing in the space. In reality, it's been around since the 90s. ‘89 was kind of one of our first instances. Now if you think about you know how long that is, I mean, we're talking 30 years of, more than that really, if you go back some of the other instances of where this came from. And the first one was the AIDS Trojan when someone physically took a disc, stuck it in the mail, and sent it to people. And they went, “oh, neat disc” and stuck it in their machine and sure enough it bricked the machine, I mean, that was a long time ago. Here we are today 2019-2020 when you've got React and GandCrab and Matrix and MegaCortex and all these other things, that really are just doing things in a more virtual cloudy way. We've evolved but we've only evolved in that the adversary has figured out how to leverage the very same resources we use for business to conduct ransomware attacks.
This is not something that is necessarily totally different than what we've known about. This is just an evolution of tactics in the space. The hardest part about Ransomware and I'll show you on the next slide deck or the next graphic, is that this is not even necessarily malware. People think that you're looking for this post-quantum encryption super evil Russian-hackery thing and it's usually not.
Most ransomware is an ability to use the installed operating components of a system to do something that it shouldn't do. That's why antivirus doesn't typically pick up on this.
(DESCRIPTION)
Chase Cunningham speaking over slide 4. Text, Ransomware is a Booming Industry. A graph is displayed with the number of predicted ransomware damages from 2015 to 2021. An image is also displayed with statistics of Ransomware.
(SPEECH)
CHASE: This is a booming industry. This is only getting bigger, bigger better, which is not good for those of us on the defensive side. You can see that the numbers here just continue to hockey stick their way to the right. The one that really blows my mind is every 14 seconds, someone, somewhere is getting hit with a ransomware infection.
You know by the time we finished this webinar, there will be a few hundred people that have infected their networks with ransomware. Just the spread of this, and the growth and the ease of use for the adversary is really what people should be most concerned about. The global cyber security market is hundreds of billions of dollars, but the global ransomware market is you know $21-$22 billion by the end of next year.
(SPEECH)
LOUISA: This sounds like what you're saying as technology continues to get sophisticated that the attacks are getting sophisticated, almost as a function of that.
(SPEECH)
CHASE: Well, I mean, the attacks are just getting more prolific. The more technology that we put into the space and the more we continue to introduce the same vulnerabilities and the same issues, it just becomes easier. I jokingly say that this is the self-licking ice cream cone of misery, it just continues to go on and on and on.
(DESCRIPTION)
Chase Cunningham speaking over slide 5. A process chart is shown for sample Ransomware attack campaigns.
(SPEECH)
CHASE: Ransomware attacks tactically, technically are not really that amazing in the way that they conduct their operations. If you think about what actually is required. I always like to deal with the physics of problems gravity and those types of things. The physics of what is required for ransomware attacks are not that different than what you would have seen back in the 80s or 90s.
I mean, really, you look at initial access, it's going to be some sort of RDP, possibly brute force, they're going to find a vulnerable Internet-facing system or a weak app, you know, usernames, passwords, those types of things are also thrown into the mix. And they're going to go and crawl through the network, which is where the credential theft and escalation of capabilities goes on, and then they move laterally. Once they get laterally, then they're doing persistence, and then at the end of this thing is when the payload is finally delivered.
Now there's other things that can be done during the mix here that may throw this off a little bit and may show some different tangents on the approach.
But in reality, if you went back to that early graphic and said what happened in the early 90s to now, this same flow is the same thing that has happened.
The tactics change and modify a little bit, but the overall requirements, the physics for what takes place to make this happen, have not changed. And that honestly is indicative more of a broader problem in the cyber security industry and that we've got hundreds of billions of dollars going into technology to solve this problem.
But we don't deal with the physics of the problem. In other words we treat the symptoms, really, really well. We don't treat the disease.
(SPEECH)
LOUISA: And now as we see on the next slide you know with everyone home or many people working from home. COVID pandemic that's affecting things as well.
(DESCRIPTION)
Chase Cunningham speaking over slide 6. Text, COVID Killed Your Perimeter. Two images are shown; one with a man working with his child and the other is of a laptop.
(SPEECH)
CHASE: Yeah, I mean this is exponentially increased that you know the role here. You've probably heard a lot of conversations about zero trust and zero trust has kind of become the dominant strategy for the space.
The global market is moving towards this and the reason for that is, March 13, 2020 is what I like to call zero trust day. Like that was the day that the government came out and said COVID, it is a bad thing. Everybody go work from home, you know, don't come back to the office, the perimeter died that day.
Since then, everyone everywhere is a remote office, everyone everywhere is piping into their network. If you have a bad username and password, you have compromised asset, you have an unpatched machine. That is an avenue for compromise into your network. So your perimeter now has dissolved. You must approach it more, you know, more sort of strategically to make sure that you solve back the physics of that problem. And you've got to be looking for what's going on there. I think one of the most important things that folks need to wrap their head around is visibility - it’s absolutely key to knowing what's going on so you can respond.
It does you no good to see a wildfire, you know, raging you know 100 miles away if you don't know it's raging, you know 30 yards behind you. You've got to see what's going on.
(DESCRIPTION)
Text, Poll Question
(SPEECH)
LOUISA: And the question is the top ransomware variants in 2020 included all of the following except? TrickBot, Mirai, Zeus, DoppelPaymer and CryptoLocker. And the correct answer was CryptoLocker.
(DESCRIPTION)
Louisa Desson speaking over slide 8. Text, They Will Target Your Users…and One Set of Credentials Leads to Another. Image, two examples of phishing emails
(SPEECH)
LOUISA: Chase you really talked about what has changed across the ransomware landscape. Why are tech companies a target for ransomware, and Sean you might have some thoughts on this as well.
(SPEECH)
CHASE: Yeah so, tech companies are great avenues of access. I mean if you go back and look at what happened with Maersk and Norsk Hydro, the, the initial compromise didn't occur within those organizations, it occurred with someone that they did business with.
So, you know they were basically pushing out I believe in Maersk, it was a company that was pushing out finance software accounting software, and they managed to get in there package their exploits, send it through that and then it was deployed in that system. Tech companies are great because tech companies are doing techy things, which usually mean you have excess privileges, lots of admin access, capabilities beyond just the average user. So, from the red teamer attacker perspective, you know, I'm looking for the easy targets but I'm also looking for targets to give me maximum return on my investment. Those are going to be tech companies because tech companies can give me access with power.
(DESCRIPTION)
Chase Cunningham speaking over slide 9. Text, Tech Companies Get Ransomed. Images, examples of company press release, support email and system status after company is ransomed
(SPEECH)
CHASE: We won't go into the specific names of the companies here, but just to provide you know reality. I mean globally, GPS went down because they were, you know, you can figure out who that company was but because they got ransomed. I mean that that happened a few weeks ago. I mean the U.S. Government was losing their mind because GPS wasn't working. That's pretty important.
Um, tech company. Alright, hundreds of millions of dollars in cyber security, ransomed. And the funny thing too is when you look at the actual adversaries in the space, the Maze team the guys sending out maze ransomware, they've got their own PR group.
(SPEECH)
LOUISA: Yeah, so we're looking at a press release right here.
(SPEECH)
CHASE: Yeah, they literally have people that will do press releases for them and say like, look we told you we were going to get you, and you know you can either pay up or we'll release your information. They go after whatever they can get to, but, they want to go after high value targets. High value targets equal technology.
(SPEECH)
JOY: Would you say run more like professional organizations, like a professional business than they used to be, in terms of their organization?
(SPEECH)
CHASE: Yeah, I mean they're run and managed just like a professional organization and they, I mean they do everything from recruiting to training to they have their own HR. I mean it, it's pretty staggering. I think the best one I saw was the, the folks and, I can't remember where it was, but they were having a corporate Christmas party and, part of the door prize was they auctioned off of Ferrari. Like that's how much money they made.
(SPEECH)
LOUISA: At Travelers, we talk about how it takes a team to respond to a data breach and it would seem that if you're ransomware attackers have a team you would at least need one to respond.
(SPEECH)
CHASE: I mean I'll briefly speak about this ransomware as a service.
The other thing to really remember too like Joy was saying, you used to have to be a computer scientist to do this type of work. You used to have to know how to do exploits and know how to fuzz and whatever else, this is a service you can go buy a GandCrab and I'm not saying go buy a GandCrab, but you can go buy GandCrab for I think it's $25 on the underground to get your first license.
So, you know to your point this is an industry that is built around this, and it's a service. Just like you can figure out how to configure AWS with 10 minutes on YouTube, you can figure out how to send exploits through these types of operations, and not necessarily have to worry about detection whatever else unless you kind of screw it up, because it is offered through the cloud as a service just like a regular company would offer.
(SPEECH)
LOUISA: So, given the changing landscape how is the approach of protecting companies change or how does it need to change?
(DESCRIPTION)
Chase Cunningham speaking over slide 11. Text, Zero Trust = Never Trust, Always Verify. A chart representing Zero Trust components is displayed. Text, ZTX Framework.
(SPEECH)
CHASE: Well I think what we see is that this is where the ZT side really comes into. It is that you've got to adapt to your approach back to the physics of the problem, right. If you look at what ZT talks about, never trusting, always verifying, and I can tell you this because I wrote books about it. You can go look at the history of exploitation and what you will see is that it is not usually the super mega post-quantum encryption, crazy NSA hack that causes these massive compromised ransomware issues. It’s usually the basics that are combined in a way to cause close compromises and if you take the framework that we've created and map that into it, you can see what problems you solve were right. People, typically accesses and accounts; workloads, clouds, and applications that live in the cloud; networks, firewalls, and VLANs; devices, IoT; data; and then automation and visibility.
So the point being that you can't continue to embrace the old approach and think you're going to do anything any better, than all those other organizations that failed at it. There are organizations that spent half a billion dollars a year in that old approach and failed.
If that's the case, logic dictates we must address things differently. And that is where ZT strategically comes into that place.
(SPEECH)
LOUISA: Companies are doing business differently now as a result of the pandemic and advances in technology so it stands to reason that your approach to protecting the company would also need to evolve. Very good, helpful.
(DESCRIPTION)
Slide 12, Poll Question
(SPEECH)
LOUISA: So, according to the results from a survey of 200 IT and cyber security professionals, what percentage of organizations had a security breach caused by remote workers since the start of the pandemic?
Alright, so the right answer was 20 percent.
(DESCRIPTION)
Louisa talks over slide 13. Text, Plan, Prevent and Recover.
Image, drawing of 3 professionals. Text, Plan strategically. Create detailed incident response and business continuity plans. Define your crisis response team (e.g. data breach coach, insurance carrier). Train employees and run tabletop exercises.
Image, lock icon. Text, Enforce Security Standards, Require Multi-Factor Authorization. Consider an Endpoint Detection System. Restrict access to critical data and disable unnecessary software controls (e.g. PowerShell). Maintain security patches, firewall settings and log monitoring procedures.
Image, icon of computer network. Text, Manage Your Assets with Recovery in Mind. Inventory network assets to identify critical data. Segment your network to isolate sensitive data. Backup often and store offline.
(SPEECH)
LOUISA: Alright though so, then how could companies do more to protect against ransomware especially when it comes to business continuity?
(SPEECH)
KIRSTIN: Yeah, so I think where we start you know, protecting against ransomware, the importance of good cyber hygiene continues to be critical, and as was mentioned earlier, technology companies are that access point quite often into a much larger enterprise or fish so to speak. So, this is a great time to step back, take a look, and think about your existing policies and procedures.
You know, as an underwriter, I'm looking for several things, but I start with the cyber kill chain.
So, if you recall a slide that Chase had earlier where he was showing access points as a very starter on it. I'm looking at all of those avenues and what can be done to prevent something from happening? What are those various points where you can stop the malware from getting deeper into the organization?
And one of the proactive security measures that I look for includes how strong are their access protocols?
And we talk about a remote work environment and so I'm looking for connecting to either secure network using the company issued VPNs, or working at more directly into the corporate network.
If there's not a corporate issued VPN, that certainly can increase the vulnerability.
But these days, I think one of the areas and this gets into that zero trust really looking for multifactor authentication broadly used across the organization. We're starting to see it more commonly for remote access, but it's surprising that we don't see it as commonly or frequently used for privileged or admin access. Where, you know, really, you have the keys to the kingdom, right. So, what are they doing to make sure that the access to the most privileged of networks information, whatever it is, how is that separated and segregated from just little old me who needs to get on to do business using the very various apps, you know.
We also look at what are they doing to monitor and close things like open Remote Desktop Protocol and we know that that's pretty much like leaving a window open for a drive-by for someone to see, hey, there's this window open, it's an opportunity to get in, leave something behind and deploy it later. So, you know, what are they doing to make sure that they have secured the open RDP and SMB and similar.
Once you think about you know how the network is functioning. We also look at what type of endpoint detection and response tools have been deployed. Now, this gives you that opportunity to gauge or look at what is moving around in your network, where's it going and etc. So, I think that becomes even more critical as we think about the significant number of the workforce now working remotely. So how are you managing all of those additional access points and points that you didn't have 6, 9, 12 months ago?
And then thinking further on that remote workforce, you know, as they're coming back into the organization, you don't know what has happened to all that laptop or whatever the devices has been working in a home environment. How are you making sure that once they're connecting directly into that corporate network, it's clean? You're not just taking on something without checking.
(SPEECH)
LOUISA: We've heard even that, that in some cases the cyber thieves are waiting until the devices are plugged in. Is that right Kirstin? And they recognize more opportunity once a device is connected to a corporate network.
(SPEECH)
KIRSTIN: Certainly doesn't surprise me. I know we've seen a couple instances of that, absolutely.
Yeah, you know the other thing you know quite frankly we cannot forget employee training, and as was talked about as we as the criminals continue to ramp up and shift tactics, you think about what you as an employer doing on a daily basis. And, personally I'm whipping through emails as fast as I can, and am I really paying attention to what is being asked of me? And clicking on things and quite frankly the phishing emails are getting more and more creative. I have been astonished at some of them that I've seen, and going you know I don't think I would recognize that if I wasn't just a naturally suspicious person and I don't trust anybody I don't know or even people I do know, quite frankly. So, the training around how the cyber criminals work and how they might be approaching you and socially engineering you and how those actions can have an impact is I think critically important. Um, so now if you assume that you've got some of these critical preventive measures and that's just kind of a few, there are a lot more that can be taken, now you think about okay business continuity, and so now it's about the preparation to survive an event, right? So, really I look at this as preparing for the catastrophe no different than planning for any other catastrophic event, whether it's a fire, a hurricane or tornado, whatever it might be. You have to think about how it could significantly impact operations if your network is shut down, you don't have access to your tools and how are you going to get up and running quickly? So, this really means identifying those critical areas and assets that need to remain functioning.
So, what are those key risk factors and then making sure you're putting a plan in place to respond, and don't forget to test that plan. I think one of the areas that I can't stress enough, if you expect to rely on backups to maintain operations, you have to be sure those backups are available and they didn't get encrypted when the ransomware hit as well. So, you know it's going to be a real hard road if the backups are encrypted, or if they're four weeks old or four months old. So, really making sure that those backups are often and they're segmented and off-site from the production.
And then like I said, testing the incident response plan, testing your business continuity plan and you know a little plug, but, don't forget to engage your insurance carriers or other vendors that you might have on retainer, that have helped you work through this because they can help with testing those plans and making recommendations and suggestions.
(SPEECH)
LOUISA: That's all very good advice and I know one of the things that we talk about here is how a company responds to a data breach can absolutely affect how quickly they recover. So, Joy, what are some key steps for a company to take after a breach?
(DESCRIPTION)
Joy talks over slide. Text, What to Do When Your Company Is Breached. Three images are shown for beginning, middle and end.
(SPEECH)
JOY: Sure and I was also going to talk about this event feeling like a catastrophe for most companies who have this happen, and you know with catastrophes some companies think I need to get in touch with my insurance carrier or my insurance broker agent and some I think more sophisticated companies, and maybe particularly technology companies, may want to jump right in to try to solve the problem on their own. And I would just urge that you do involve your carrier as soon as possible, because this is something that I work on day in and day out and have contacts with: breach counsel with forensic vendors who are ready to jump in immediately to start helping out.
So um, when we first hear of it, we typically do have a conversation with a breach counsel and that is an attorney or a firm that specializes in cyber events and assisting with those. And with ransomware, I know we didn't touch on this too much but, when somebody's in your system they may not only be encrypting but they may be um accessing confidential data.
So, there are other issues to consider that the attorney, the forensics investigation firm, can help out with.
So, I'm talking about like a data breach or something like that.
(SPEECH)
LOUISA: Notification requirements and those types of things.
(SPEECH)
JOY: Well just to investigate whether a data breach may have happened and then, if it did, right then you would have those notification obligations possibly and that's where the attorney can also assist. Then um, you know there are certain variants where just based on past experience the forensics firm may know typically yes, this one it also may involve a data breach or data incident.
So, that's why it's so important to involve the right vendors from the outset. I also caution using the same vendors who may have helped you with your system, with looking at what happened, if you know they may have configured something you know mistakenly. It can sometimes be helpful to just have an outside you know uninvolved party taking a look at things.
So we'll start off with that call with breach counsel. They typically would retain the forensics investigation firm to protect that attorney-client privilege, and then they would do their investigation. First thing with a ransomware event, they're going to want to see as Kirstin was talking about, are your backups available, are they current because that may influence your decision, whether you would actually consider paying the ransom. It's something you want to also do on the quicker side to the extent possible because sometimes with the bad actors, if you wait a while before you get back to them, let's say that it takes a while to figure out that the backups are not available or it's just there's been a delay for whatever reason and you get back to them two weeks later.
I've seen the ransom double or you know even more than that the ransom amount just gets significantly increased because, now they're realizing “oh they must be desperate they really want to get their system back, or now they're realizing their backups are encrypted as well or aren't available.” And so now they need to now they need to pay the ransom and they're going to be paying a lot more.
(SPEECH)
LOUISA: And that really highlights the value of having that, that data breach coach relationship that can coordinate your, your crisis communications firm and your forensics team and all those pieces that you don't want to be trying to identify and retain in the middle of potentially an emotional hack experience.
(SPEECH)
JOY: It is a catastrophe it really is yeah um, and so as I mentioned if there's a breach notification required you also want to get vendors involved who can assist on that front and that forensic investigation firm will give you a report at the end of its findings and typically if you've involved breach counsel they'll give you that final report as well. Sean I see you've rejoined, I didn't know if you wanted to jump in here at all.
(SPEECH)
SEAN: I think well I'll just come in here real quickly and just say you know it starts with preparation and it ends with preparation. And I was reminded this week of a couple of things that uh, are critical for business. You know a client I started help yesterday who had a large incident and before they really understood what took place, they notified about 50,000 of their members and they didn't think about the fact that if you're going to notify 50,000 people that something may have happened, you've got to have capacity to respond to those incoming messages.
And so they're flooded today with messages and really don't know how to even respond to the communication as we're starting to deploy forensics to see whether they really have something. And so, it's just one of those tiny little moving parts that ultimately can become a very big moving part if you don't control it at the outset and manage the messaging. But no, like we said a couple times here before you know the first call should be the broker to the carrier. Hopefully although I have a dog in this race the second call perhaps outside counsel. But, then make sure you are working with whomever it is, somebody who's got experience and then the relationships with forensics firms. Especially in the ransomware environment, it's, it's so critically important to have somebody that it's a rapid response. An hour or two delay can result in a day or two's worth of downtime, and the revenue you can lose in a day or two and a large corporation can be catastrophic. And it really can come down to that, a two or three hour delay on a Saturday morning, where you're struggling to figure out where your cyber insurance policy is, who your carrier is and then how to file a claim and all that sort of thing. But, if you've actually practiced, you've got a plan, you've done a tabletop exercise, you have a fluid response, you can reach out and you're going to be on the other side you know much more quickly.
I think also we haven't talked about it much, Chase did a wonderful job walking through the evolution if you will, the history of ransomware. Kirstin you did a tremendous job. I mean I felt like I was in a Masters class for there for a little bit.
But in the ransomware environment: what's really become dangerous right when I teach corporate executives about this is that I think the most dangerous environment right now is the exfiltration extortion model, where it's not just data encrypted where it can move the throttle your business model.
But if you in fact they're actually stealing your sensitive information as well. And then hold you hostage and that's truly where your cyber insurance component comes back into it to make sure that you've got the resources you've been paying for and to make sure that you're the corporation of the business understands that now is the time to utilize those resources to bring in the forensics firm immediately to identify what you have or what you don't have.
It's going to allow you to determine whether the bad guys are just posturing about stealing stuff or whether forensically you can corroborate that they really have and then you can start to rather immediately assess the risk to the organization and get a feel for you actually have to unfortunately pay the guys who just stole your data or at least commence communication with them.
(SPEECH)
KIRSTIN SIMONSON: I'm actually glad you brought that up because as you both were talking, you know, I realized that has been a growing trend right where we're seeing the exfiltration of data. And then they start actually extorting the owners of that data, which isn't necessarily the first company, you know, the tech company. It was breached, it could be their hospital client or their banking client or whatever it is. And now are you also facing a liability situation which really to me kind of amps up the need of how critically important it is to engage the carrier, the broker, and the breach counsel very, very early on to help assess that that situation.
(SPEECH)
SEAN HOAR: Well, another thing to recognize in this new ransomware environment with the exfiltration extortion model is that these guys are not just programmers to come in and crib data and leave.
They're going to work your business, they're going to make sure that if you're not communicating with them or you're not, doesn't look like you're ready to come to the table to pay ransom, they're going to start to use the journalists, like the, I call them the dark web trolls, as communications or public relations agents for them. They're going to have them start to tweet about the fact that they’ve stolen some data from you.
Or they're going to have their own agents, their own employees, come back and start calling your employees or calling your customers.
Because the data they stole, they now know who to contact and say, oh, by the way, did you know that this investment company that you have been you know you've got x y and z here because I've got your financials, you know, they've been locked down and we’ve stolen their data.
And all of a sudden those members, those employees or those clients are going to call you back, and you're going to realize, oh my gosh, I've got to accelerate this. Maybe I do have to pay ransom. But they have layers offensive layers to their model. Not just the programmers, not just, you know, the technology to ultimately do reconnaissance, figure out where the vulnerabilities lie, customize the malware to get in and blow past your AV products and ultimately drop malware in your system. But then set up on the outside to start social engineering to get back in if they get locked out or to start to tweak the communications lines to put pressure on you to negotiate with them. So just recognize this is much more sophisticated than I certainly ever imagined. And there are a lot of moving parts, you have to prepare for you. You take one step, they're going to be taking another and you better be two or three steps down the road, otherwise you'll get stepped on.
(SPEECH)
LOUISA: I think this conversation really highlights all of the different aspects that you need to consider in a plan to be prepared before this happens so that you can respond after the fact, which kind of teed up our next poll question.
(DESCRIPTION)
Louisa talks over slide. Text, Poll Question.
(SPEECH)
LOUISA: A post-cyber event plan should consider a number of issues, which one of the following should not be a part of your post cyber event plan?
And the right answer of course was to set a strategy that's something that needs to be done as a conversation we just had just illustrates well in advance that the planning needs to happen well before a ransomware attempt and ideally that the backups in place would prevent the need from having to deal with the ransomware negotiators in the first place.
(DESCRIPTION)
Louisa talks over slide. Text, Q&A.
(SPEECH)
LOUISA: So at this point I mentioned the beginning that we would be taking questions. The first one, what mistakes have we seen companies make in responding to a ransomware attack? Sean, you might be well positioned to answer this one.
(DESCRIPTION)
Sean speaking from his home office.
(SPEECH)
SEAN: Yeah, well the first big mistake is not calling your broker, your carrier immediately. Sometimes we will be called into a matter after our business has been kind of playing with it for a couple days, thinking that they can get it done. Or, calling Joe the I.T. guy or the my uncle's neighbor's friend to come in and help out, and again, every hour delay could result in a couple days delay.
But, when you factor you're not dealing with professionals and so oftentimes the system breakdown gets worse. That could be the one big thing. Not, not calling broker carrier immediately, not deploying the resources.
Another thing is, in addition to notifying the proper people at the outset, sometimes we find that businesses will actually communicate directly with the attacker right off the bat trying to be proactive, and however well-intentioned that might be, sometimes the attackers don't actually know who they've hit. Sometimes they've done a random kind of drive by, they found a vulnerable port, they've got an IP address but they don't know much beyond that, they haven't cared much about it because they've got you know 100 other victims on the line.
And yet, somebody inside that domain communicates with attacker from that domain and all of a sudden that the attacker realizes oh my gosh we've got a big financial services firm on our hands, we’ve got to ratchet that ransom up.
Or, or some people don't recognize that it's really not a good idea to pay attackers yourself. Uh, there are some federal laws to comply with, and so we want to make sure that if in fact you actually are negotiating with an attacker you're utilizing perhaps a third party that's got a due diligence process set up to actually comply with anti-money laundering and Office of Foreign Assets Control laws.
Because, if in fact we're paying attention somebody and we don't know who they are we might actually be violating federal law. So, again that's where your cyber insurance carriers come in, they've got preferred providers for that service, and we find that's going to be done much more professionally, you're probably going to get a much better deal if you're negotiating with somebody who does that on a regular basis. You're also going to be complying with the laws.
(DESCRIPTION)
Louisa speaking from her home office.
(SPEECH)
LOUISA: Any others want to chime in on that question?
(DESCRIPTION)
Joy speaking from her home office.
(SPEECH)
JOY: Yeah, you know on top of what Sean was saying, you could be compromising your insurance coverage by kind of going rogue on your own and I'd hate to see that happen for anyone.
(DESCRIPTION)
Louisa speaking from her home office.
(SPEECH)
LOUISA: Very important point, thank you Joy. Um, our next question. What should companies be doing globally to help protect against ransomware attacks?
(DESCRIPTION)
Kirstin speaking from her home office.
(SPEECH)
KIRSTIN: Well, I think again this gets back to engaging the carrier and the broker quickly, because if you need a global response team and you really do want a global response team. They're well positioned to take that on and make sure that those things run smoothly. I mean globally, there are so many different laws and regulations and things that have to be thought through in response to that. So, that is my biggest piece of advice, is you want to have a globalized response team versus trying to handle it locally and having multiple vendors trying to work the problem, so to speak.
(DESCRIPTION)
Sean speaking from his home office.
(SPEECH)
SEAN: Well some of your preferred providers, whether it's a forensics firm or another firm that does collateral threat intelligence uh, oftentimes you're going to benefit literally from a global resource of intelligence. Maybe it's dark web scanning, maybe it's a forensics firm that's got a variety of branches, a lot of investigators regularly investigating and developing their own libraries of indicators of compromise, they're going to expand well beyond your network their knowledge. And then also, for instance if you're going to pay ransom, the Office of Foreign Assets Control came out with guidance recently, strongly suggested of course check against the sanctions list. But, also report it to the FBI and do it sooner than later, and as it turns out the FBI does have a task force assigned to each major malware variant, and they are tying into again global intelligence that they've learned and others have learned and ultimately sometimes they can't necessarily help you in your response to the incident.
But, there's some intelligence, maybe some indicators of compromise, that can help you accelerate your investigation, and so in combination with again your forensics firms, maybe dark web scanning for their technology and sources, and the FBI, you can really take advantage of a lot of intelligence far outside your resources.
(DESCRIPTION)
Louisa speaking from her home office.
(SPEECH)
LOUISA: Thank you and potentially also just help build that database within the FBI so they can help track these things and get a handle on it as well. What are carriers doing to assist insurance with paying high ransomware demands when the insured or the client can't pay ransomware up front?
(DESCRIPTION)
Kirstin speaking from her home office.
(SPEECH)
KIRSTIN: Again, that gets into all the vendor partners that that we work with. I mean we have those folks in place because they are experienced in negotiating that and have the capabilities to step up when it's needed.
(SPEECH)
LOUISA: Very good. This next question, we've heard some examples of attacks but is there a big trend that any of you are seeing?
(DESCRIPTION)
Sean speaking from his home office.
(SPEECH)
SEAN: Well I guess I'll just I'll pop in, Chase you might have some something to say here too. But, what we've seen is that initially we thought it was a kind of scary, what 18 months or so ago when we started to see the exfiltration extortion model but, it seems as though the last two to three months almost everybody and their brother is hopping into that model. They previously were known as just an encryption model and now they're spinning up something else or they're calling themselves something different. Or, they're franchising out somebody else's model and uh, many of the attackers now are using both encryption to extort, but also the exfiltration to extort and that's again it's just such a dangerous model. And the sophisticated actors are also utilizing a few new techniques with some custom code to come in very stealthily. It's again the AV products don't recognize it, they're in your network a little longer than previous, they're able to drop it throughout the network and really take advantage of the entire network. So, when they execute the attack, your system is locked up, your backups are wiped, and they've actually stolen all the most sensitive information.
And, so that's uh, again it's, it's a combination of those things that is making that one of the most dangerous attacks I've seen. And we are we see multiple models right now doing that in tandem.
(DESCRIPTION)
Chase speaking from his home office.
(SPEECH)
CHASE: My experience, looking at this side of the market, if you want to solve, or at least drastically reduce your risk of being compromised, ransomware do three things right now.
Move to a remote browser, do application whitelisting, and mandate multi-factor authentication. If you do those three things, you're not going to be perfect, but you won't be the slow gazelle stumbling across the Serengeti.
I mean this does not mean I have to be perfect, I just got to be better than you. And if I do some very simple things they'll attack you and not me. So you don't have to focus on perfection. But what you should focus on is pushing your users through things that basically make them operate in a fashion where they are not going to be the avenue of compromise.
And yes you know, yes, I think you should train your people. And yes, you should educate people on what this looks like. But it's very difficult to fix people.
I can fix infrastructure, they definitely but you should be leveraging solutions that make it where your users operate in more secure fashion but they're not aware that they're actually doing it.
That's why I'm a big fan of those things I talked about, I can push you through a remote browser, you'll never know that you're on, you know, a protected infrastructure and you just simply can't engage with the content that would cause you a compromise like where could it be more simple?
(DESCRIPTION)
Louisa speaking from her home office.
(SPEECH)
LOUISA: Right, make it, make it automatic.
(DESCRIPTION)
Sean speaking from his home office.
(SPEECH)
SEAN: If you don't mind me to mention another defensive measure, and it's also a containment measure, is that you know you've talked about it multiple times here already, an additional multi-factor authentication, but, it's robust endpoint monitoring. It used to be seen I think as a luxury, and now it's a key part of any containment effort to respond to a ransomware event. And now ever more than before it's a key defensive part of your layered defense program, and while again I say it's a luxury, it used to be seen as luxury because it's not inexpensive. Now, in order to detect something like a ransomware attack, if you don't have robust endpoint monitoring with what we call heuristic applications, meaning those applications that aren't just going to flag a signature-based piece of malware something that's already been identified as malicious, but, it's going to identify behaviors that appear to be malicious, even if they're with legitimate applications. And without that sort of a tool in your system, malware will get in, ransomware will be executed you will become a victim. It's going to be far more expensive than to pay that what used to be discretionary spend, now I see it as infosec 101. Get that in your system now, you're going to monitor all your endpoints and so in addition to everything else that Chase has talked about, that's going to be a line of defense, it's going to immediately detect something inside your perimeter and you're going to be able to shut it down as opposed to becoming a victim.
(DESCRIPTION)
Chase speaking from his home office.
(SPEECH)
CHASE: Yeah, the last thing I'll say too is that having dealt with a bunch of organizations that are responding to this, if someone's coming to you right now and says I have a solution that will help limit the you know likelihood of spread of these compromises and they say it'll cost you, you know x number of dollars now. It's cheaper to pay for the solution that will fix this problem now, than it will be when you get ransomed. So, don't sit there and go no like we got this, we're not worried about it whatever else, you will regret it. I mark my words. So, engage in fixing the problem before it becomes a problem.
(DESCRIPTION)
Louisa speaking from her home office.
(SPEECH)
LOUISA: Alright, we'll let that be the last word today. Thank you all for a great discussion and some really hands-on tips about how to avoid a ransomware attack and what to do if one does indeed affect your business.
So, as we heard today the idea of being prepared in advance is especially critical, having a plan and practicing it, having segmented backups that are regularly updated and secured off-site and having trusted resources in place who can help work on your behalf in the event of a ransomware attack.
Well thank you again Chase, Sean, Joy, Kirstin. Those are all great discussions today. Thank you for joining us to all of our attendees, you can learn more at Travelers.com or contact your Travelers rep for more information.
So, from all of us at Travelers, thank you again and take care.
[MUSIC PLAYING]
(DESCRIPTION)
Travelers Logo
(DESCRIPTION)
Legal Disclaimer
The information provided is for general informational purposes only. We make reasonable efforts to include accurate information however, we make no representation or warranty of any kind, express or implied, regarding the accuracy, adequacy, validity, reliability, availability or completeness of any information. It is not intended as, nor does it constitute, legal or professional advice. Federal, state or local laws, regulations, standards or codes may apply and the reader should always refer to applicable requirements. In no event will Travelers or any of its subsidiaries and affiliates be liable in contract or in tort to anyone for the accuracy or completeness of the information provided. This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy or bond issued by Travelers.