TRANSCRIPT
Privacy+Security Academy
May 25, 2021
Anatomy of a Ransomware Attack
Heather Egan Sussman, Orrick, Herrington & Sutcliffe, LLP
Steve Elovitz, FireEye Mandiant
Scott Godes, Barnes & Thornburg LLP
Adam Abresch, National Cyber Risk Practice Leader, Acrisure
Agenda
• Introductions
• A Brief History of Ransomware
• Insurance and Risk Transfer
• Ransomware Scenario
• Pre-mediation
Speakers
Heather Egan Sussman, Cyber, Privacy & Data Innovation, Orrick Herrington & Sutcliffe LLP

Heather Egan Sussman is head of Orrick's global Cyber, Privacy & Data Innovation Group and is ranked by Chambers USA, Chambers Global and The Legal 500 United States as a leader in her field. Heather routinely guides clients through the existing patchwork of laws impacting privacy and cybersecurity around the globe. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes. She drafts online privacy notices for global rollout and implements data transfer mechanisms for the free flow of data worldwide.

Heather also helps clients develop and achieve their data innovation strategies, so they can leverage the incredible value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, meet security needs and solidify brand and consumer trust. Heather devotes a significant part of her practice to helping clients reduce the risk of privacy and security incidents. In the event of a privacy or security breach, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries.

Heather frequently writes on current privacy and information security issues before trade and legal organizations and has been quoted in hundreds of major news outlets.
Speakers
Steve Elovitz, Managing Director, FireEye Mandiant

As a Managing Director of FireEye Mandiant’s Incident Response team, Steve is responsible for guiding his clients through cyber security crises: advising executive decision making, overseeing investigations, remediations, and enterprise hardening efforts. In this role, Steve has led the investigations into some of the most notable incidents in history and has ample experience responding to both nation-state sponsored cyber espionage as well as financially motivated attacks.

Steve also helps his clients develop their security programs by proactively identifying, prioritizing, and mitigating security risks. His role on the front lines enables him to see the latest tools, tactics, and procedures in use by attackers, as well as what security controls are effective at preventing, detecting, and disrupting attacks.
Speakers
Scott Godes, Partner, Co-Chair – Insurance Recovery and Counseling Practice, Barnes & Thornburg LLP

Described as the “most interesting insurance lawyer in the world,” Scott Godes is a Chambers-rated insurance recovery attorney who has assisted clients in recovering more than $1 billion in insurance coverage. He focused his insurance recovery work on coverage for cybersecurity and privacy claims in 2008 and is one of the few lawyers in the country who has litigated the scope of insurance coverage available for data breach claims under cyberinsurance policies. He also has helped clients recover millions for data privacy incidents and cyberattacks under cyber, crime, CGL, first party property, and Tech E&O insurance policies, as well as in connection with professional liability claims. He has provided strategic coverage advice for companies that have had cloud-based privacy and cybersecurity events.
Speakers
Adam Abresch, National Cyber Risk Practice Leader, Acrisure
A Brief History of Ransomware
Ransomware Landscape
• Significant threat to global organizations
• We continue to see an increase in ransomware-related intrusions
• Shift by more sophisticated financially motivated actors towards use of ransomware/extortion
Evolution of Ransomware (timeline, 2013–2021)
• 2013: CryptoLocker
• 2014
• 2015–2016: SamSam
• 2017–2018: WannaCry / NotPetya
• Q4 2019: Victim naming and shaming trend begins
• 2020: REvil, DoppelPaymer, Conti, Netwalker and others create public shaming sites
• 2021: Continued diversification of extortive tactics
Also marked on the timeline:
• Indictment and sanctions of SamSam operators
• Indictment and sanctions of Dridex operators (“EvilCorp”)
• Targeting of healthcare organizations
• Ryuk
• FIN6 incorporates ransomware
Post-Compromise Targeting
• The majority of recent Mandiant investigations involved a post-compromise approach
• Key advantages associated with post-compromise operations versus traditional indiscriminate targeting
Typical Ransomware Attack Lifecycle (post-compromise approach)
• 1st stage: Attacker gains a foothold in the victim organization
• 2nd stage: Credential theft, internal reconnaissance, lateral movement tools, escalate privileges, delete backups; data theft (sometimes)
• 3rd stage: Ransomware deployment
Typical Ransomware Attack Lifecycle
Common initial access vectors:
• Single-factor perimeter compromise
• Email phishing
• Software vulnerabilities
Special considerations:
• Human actors
• Ransomware-as-a-Service (RaaS)
• Quick deployments
• Data theft and extortion
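The "delete backups" step of the second stage is one of the few points in this lifecycle where the attacker's activity looks nothing like normal administration, which makes it a good alerting point before encryption starts. The following is an added example, not material from the panel or from Mandiant: detection logic run over constructed process-creation records (the field names mirror a Security 4688 or Sysmon Event ID 1 entry; host names, accounts and timestamps are made up). In practice the sample array would be replaced with Get-WinEvent output mapped to the same fields.

```powershell
# Added example (not from the panel): detection logic for the "delete backups" step of the
# lifecycle's second stage. Runs here over constructed process-creation records whose fields
# mirror a Security 4688 / Sysmon Event ID 1 entry; feed it Get-WinEvent output in practice.

$BackupTamperingPatterns = @(
    @{ Name = 'ShadowCopyDeletion';    Regex = '(?i)\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b' }
    @{ Name = 'ShadowCopyDeletion';    Regex = '(?i)\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b' }
    @{ Name = 'BackupCatalogDeletion'; Regex = '(?i)\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b' }
    @{ Name = 'RecoveryDisabled';      Regex = '(?i)\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b' }
)

function Find-BackupTampering {
    # Emits one detection object per record whose command line matches a pattern.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        foreach ($p in $BackupTamperingPatterns) {
            if ($e.CommandLine -match $p.Regex) {
                [pscustomobject]@{
                    TimeCreated = [datetime]$e.TimeCreated
                    Computer    = $e.Computer
                    User        = $e.User
                    Detection   = $p.Name
                    CommandLine = $e.CommandLine
                }
                break
            }
        }
    }
}

function Group-TamperingByActor {
    # One account touching backups on several hosts inside a short window is the
    # pre-encryption signature worth paging on, not merely logging.
    param([object[]]$Detections, [int]$WindowMinutes = 15)
    $Detections | Group-Object User | ForEach-Object {
        $times = @($_.Group.TimeCreated | Sort-Object)
        $hosts = @($_.Group.Computer | Sort-Object -Unique)
        $span  = ($times[-1] - $times[0]).TotalMinutes
        [pscustomobject]@{
            User     = $_.Name
            Hosts    = $hosts.Count
            Events   = $_.Count
            Minutes  = [math]::Round($span, 1)
            Escalate = ($hosts.Count -ge 2) -and ($span -le $WindowMinutes)
        }
    }
}

# Constructed sample records: one legitimate backup job, then one account tampering
# with shadow copies and recovery settings on three hosts within ten minutes.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2021-05-21 15:40:02'; Computer = 'FS01';  User = 'CORP\backupsvc'; CommandLine = 'wbadmin.exe start backup -backupTarget:E: -include:D: -quiet' }
    [pscustomobject]@{ TimeCreated = '2021-05-21 15:52:10'; Computer = 'FS01';  User = 'CORP\jdoe';      CommandLine = 'vssadmin.exe Delete Shadows /All /Quiet' }
    [pscustomobject]@{ TimeCreated = '2021-05-21 15:55:41'; Computer = 'APP02'; User = 'CORP\jdoe';      CommandLine = 'wmic.exe shadowcopy delete' }
    [pscustomobject]@{ TimeCreated = '2021-05-21 16:01:07'; Computer = 'DC01';  User = 'CORP\jdoe';      CommandLine = 'bcdedit.exe /set {default} recoveryenabled No' }
)

$hits = Find-BackupTampering -Events $sample
$hits | Format-Table -AutoSize
Group-TamperingByActor -Detections $hits | Format-Table -AutoSize
```

On the constructed sample the legitimate wbadmin backup job produces no detection, the three tampering commands each produce one, and the per-actor summary flags CORP\jdoe for escalation because the same account hit three hosts within the 15-minute window.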
Exploitation Model
Access + Credentials + Connectivity = PROFIT
Preparation
Insurance and Risk Transfer
Insurance and Risk Transfer
• Some best practices when buying insurance:
  • Is cyberextortion coverage included?
  • Is business interruption and extra expense coverage included?
  • Is bricking coverage included?
  • Is betterment coverage included?
  • Is your choice of forensic firms and law firms included in the policy? At what hourly rate?
  • How does the policy cover non-litigated resolutions with customers?
Insurance and Risk Transfer
• Other risk transfer questions:
  • What limits (and sublimits) are in the tower of coverage?
  • What policies does the company have that might respond to ransomware?
    • Cyberinsurance
    • Kidnap, ransom, and extortion
    • Crime insurance
    • Property insurance
  • Who is filling out the application?
  • What is the retroactive date?
Attack Scenario
Scenario: Day 0 (Friday evening)
• At 4:00pm ET on Friday afternoon, InfoSec receives alerts that certain systems are unavailable and it appears to be a ransomware event.
• Email does not appear to be disrupted.
• InfoSec undertakes initial containment efforts.
• A number of server instances appear not to be available.
Day 0 (Friday evening)
A ransom note is discovered:
Day 0-1 (Overnight to Saturday)
• Decision needs to be made on shutting down the network
Day 1 (Saturday)
• After following the instructions, and inputting the key, a timer begins to count down.
• Price will be doubled if you don’t pay on time
• Ransom negotiator establishes contact:
• threat actor claims to have 30GB of data
• threatens to publish in 7 days unless full payment received
Day 3 (Monday)
• Company notifies key regulators with 72-hour deadlines
• Existing IT and security tools were impacted by the ransomware and are unusable
• Competing priorities: forensic agent deployment versus system restoration and recovery
• Active Directory and Network Hardening Ensues
Day 5 (Wednesday)
• Confirmed: Data cannot be decrypted without the key
• Confirmed: Some backups exist, but no reliable understanding of coverage
• Confirmed: A data sample was decrypted per instructions and it is highly sensitive company information
• Unconfirmed: Technicians cannot precisely say how long a data recovery from backup will take. Best estimate is 72 – 96 hours
• Confirmed: Data was exfiltrated from the network
• Unconfirmed: What full scope of data was stolen? What are the obligations based on the sample set? Based on the rest of the data?
Day 7 (Friday)
• Company negotiates with the carrier regarding payment
• Company has notified law enforcement, reviewed facts with OFAC counsel, and secured approval by the carrier for payment of a certain amount
• Company initiates wire payment to the negotiator
• Negotiator performs sanctions check
• After the check clears, negotiator makes the payment
Next three to twelve weeks
• After a brief delay while bitcoin is converted to Monero, the key is obtained
• The technical teams work methodically to bring affected systems back online
• IT and OT support services retained to assist
• Communications plan continues to unfold
• Company responds to regulator and customer inquiries, clearing all comms with outside counsel
• Forensic analysis continues and feeds findings to the legal team to provide legal advice regarding notification obligations, if any, based on the available evidence.
Pre·mediation: noun
Proactively implementing common remediation-focused initiatives
Exploitation Model
Access + Credentials + Connectivity = PROFIT
Proactive Measures – Access Hardening
• Regularly scan externally facing systems for open common ports and protocols
• Enhance vulnerability management for systems that are external
• Train end-users on spotting phishing emails and regularly perform phishing campaign exercises
• Harden external access capabilities with Multifactor Authentication (MFA)
Proactive Measures – Credential Hardening
Minimize privileged credential exposure!
• Harden systems so that privileged and/or service accounts cannot be used for logons to standard endpoints
• Remove the capability for local administrative accounts to be used for remote logons to other endpoints
• Randomize the password for built-in local administrative accounts on endpoints
• Harden endpoints so that clear-text passwords are not stored in memory
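Each of these four measures maps to a concrete Windows setting, so an endpoint can be audited for them rather than taken on trust. The following is an added example, not from the panel or from Mandiant: a read-only audit of one Windows host that checks the WDigest and LSA protection registry values (clear-text passwords in memory), the deny-logon user rights and LocalAccountTokenFilterPolicy (local administrator remote logon), the legacy LAPS policy value (randomized built-in administrator passwords), and whether the Domain Admins and Enterprise Admins groups are denied logon on the host. The registry paths, value names and the well-known SID S-1-5-114 and RIDs 512/519 are Microsoft's; which domain groups count as privileged in your environment is an assumption to adapt.

```powershell
# Added example (not from the panel): read-only audit of one Windows endpoint against the
# credential-hardening measures above. Run in an elevated PowerShell session; returns findings.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-UserRightsAssignment {
    # Export the effective local security policy and parse its [Privilege Rights] section
    # into a hashtable of right name -> list of SIDs/names (leading '*' stripped from SIDs).
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit.exe /export /cfg "$cfg" /quiet | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-CredentialHardening {
    $findings = @()
    $rights = Get-UserRightsAssignment

    # Clear-text passwords in memory: WDigest must not cache logon credentials, and LSA
    # should run as a protected process so LSASS memory is harder to read.
    $wdigest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    if ($wdigest -eq 1) { $findings += 'WDigest UseLogonCredential=1: clear-text passwords are cached in LSASS' }
    $ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    if ($ppl -ne 1)     { $findings += 'LSA protection (RunAsPPL) is not enabled' }

    # Local administrative accounts must not be usable for remote logons to this host.
    # S-1-5-114 is the well-known SID "Local account and member of Administrators group".
    foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        if (-not (@($rights[$right]) -contains 'S-1-5-114')) {
            $findings += "$right does not deny S-1-5-114 (local administrators)"
        }
    }
    $tokenFilter = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy'
    if ($tokenFilter -eq 1) { $findings += 'LocalAccountTokenFilterPolicy=1: remote UAC token filtering for local admins is disabled' }

    # Randomized built-in local administrator passwords: legacy LAPS policy must be enabled.
    $laps = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' 'AdmPwdEnabled'
    if ($laps -ne 1) { $findings += 'LAPS (AdmPwd) policy is not enabled on this endpoint' }

    # Privileged domain groups must be denied logon on a standard endpoint. Domain group SIDs
    # end in well-known RIDs: -512 Domain Admins, -519 Enterprise Admins (assumed list; extend it).
    foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight', 'SeDenyNetworkLogonRight') {
        $denied = @($rights[$right]) -join ' '
        foreach ($rid in '512', '519') {
            if ($denied -notmatch "-$rid\b") { $findings += "$right does not deny the domain group with RID $rid" }
        }
    }
    return $findings
}

$result = Test-CredentialHardening
if ($result.Count -eq 0) { 'No credential-hardening findings on this host.' } else { $result }
```

The checks are deliberately all local to the host, so the script can be pushed through the same tooling used for configuration compliance; a non-empty result list is the work queue for the four bullets above.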
Proactive Measures – Connectivity Hardening
• Restrict egress access, ports, and protocols
• Remove the capability for privileged accounts to be used for remote logon purposes
• Disable unnecessary services on endpoints
• Leverage dedicated privileged access workstations (PAWs) for performing administrative tasks
• Restrict system-to-system communications
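The connectivity measures above restrict which machines may talk to which, and over what, so that the lateral movement of the second stage has nowhere to go. The following is an added example, not from the panel or from Mandiant, showing one way to apply them on a Windows endpoint with the built-in NetSecurity and service cmdlets: inbound becomes default-deny with the administrative ports (RDP, WinRM, SMB) reachable only from a PAW subnet, outbound use of those ports toward the Internet is blocked, and a list of services is disabled. The PAW subnet 10.0.50.0/24 and the service list are placeholders to adapt; the cmdlets, the `Internet` address keyword and the port numbers are Windows' own.

```powershell
# Added example (not from the panel): connectivity hardening for a Windows endpoint using the
# built-in firewall and service cmdlets. Run elevated; pilot on a small group first, because
# default-deny inbound breaks any management tool not explicitly allowed below.

$PawSubnet  = '10.0.50.0/24'                    # placeholder: dedicated PAW management network
$AdminPorts = @('3389', '5985', '5986', '445')  # RDP, WinRM HTTP/HTTPS, SMB
$UnneededServices = @('RemoteRegistry', 'SSDPSRV', 'upnphost')  # placeholder list; validate per environment

function Set-InboundPawRestriction {
    # Restrict system-to-system communications: inbound is default-deny, and the
    # administrative ports are reachable only from PAWs.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

    # Built-in allow rules ("Remote Desktop", "File and Printer Sharing", ...) would still let
    # any workstation reach these ports, so disable every inbound allow rule that opens them.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and @($_.LocalPort | Where-Object { $AdminPorts -contains $_ }).Count -gt 0 } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Disable-NetFirewallRule

    New-NetFirewallRule -DisplayName 'Admin ports: allow from PAW subnet only' `
        -Direction Inbound -Protocol TCP -LocalPort $AdminPorts `
        -RemoteAddress $PawSubnet -Action Allow -Profile Domain
}

function Set-EgressRestriction {
    # Restrict egress ports and protocols: an endpoint has no business speaking SMB, RDP or
    # WinRM to Internet addresses, which is where exfiltration and C2 over these ports would go.
    New-NetFirewallRule -DisplayName 'Block outbound admin ports to Internet' `
        -Direction Outbound -Protocol TCP -RemotePort $AdminPorts `
        -RemoteAddress Internet -Action Block -Profile Domain, Private, Public
}

function Disable-UnneededService {
    # Disable unnecessary services: stop them now and prevent them from starting again.
    foreach ($name in $UnneededServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $name -StartupType Disabled
        }
    }
}

function Get-ConnectivityHardeningState {
    # Quick verification view: profile defaults plus the two rules added above.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
    Get-NetFirewallRule -DisplayName 'Admin ports: allow from PAW subnet only', 'Block outbound admin ports to Internet' -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Direction, Action
}

Set-InboundPawRestriction
Set-EgressRestriction
Disable-UnneededService
Get-ConnectivityHardeningState | Format-Table -AutoSize
```

Windows Firewall evaluates block rules ahead of allow rules, which is why the script relies on a default-deny inbound action plus one narrow allow rule rather than trying to "block everyone except the PAWs" with a block rule; the second of the two shipped rule names is what the verification function looks up afterwards.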
Questions + Contact
Steve Elovitz, Managing Director, FireEye Mandiant, [email protected], @SElovitz
Scott Godes, Partner, Co-Chair – Insurance Recovery, Barnes & Thornburg LLP, [email protected]
Heather Egan Sussman, Partner, Head of Global Cyber, Privacy & Data Innovation Group, Orrick, Herrington & Sutcliffe LLP, [email protected]
Adam Abresch, National Cyber Risk Practice Leader, Acrisure, [email protected]