By Roger A. Grimes
Tens of thousands of companies, organizations and cities are being savagely taken offline by ransomware. Some targeted entities handle it relatively fine and are down a day or three. Others are down for weeks, and sometimes they are hit again. The difference between a quick recovery and a chronic problem often depends on who you call for help.
I talked to one of the best in the game recently. John F. Mullen, partner with Mullen Coughlin, LLC, has been involved with thousands of cybersecurity incident responses in his career. His firm was involved in 1200 just last year.
You probably never heard of Mullen Coughlin. I didn’t before I spoke with a city CISO friend of mine. When he called the phone number his cyber insurance company gave him to pre-establish a relationship for security responses, he ended up speaking with John.
If you have a cybersecurity incident and have purchased cyber insurance, your insurance company doesn’t have the professional folks to handle your technical cybersecurity incident response, no more than the insurance company would patch the fiberglass of a boat after a hurricane claim. Insurance companies do insurance and underwriting. When a claim is made and the damage has to be fixed, they sub it out.
Why use a specialized incident response firm
John sees three reasons why an organization should use a firm like Mullen Coughlin after an attack. First, they have experience. Entities calling Mullen are often already working the incident response but using local IT firms they know. That’s OK, but those local firms usually don’t have equivalent experience of the forensic teams available to Mullen Coughlin. As John put it, “It’s all we do.” Plus, sometimes the reason the customer was compromised was because of something the local IT service did, like a missed patch or bad configuration setting.
Second, John’s team are all lawyers. Anything they discuss and do on behalf of the customer is privileged. That’s legalese for “anything we discuss will likely not be shared with anyone else.” Everybody John hires comes under the privileged communication umbrella. Local IT firms can’t give you that.
Third, and most important, firms like John’s and the insurance carriers have already vetted all the necessary forensic, PR and mass mailing/ID protection service providers needed to cover a customer’s situation.
Call ahead and do annual security reviews
John recommends that that if you have the opportunity, call the incident response firm your cyber insurance works with before an attack occurs. He said that maybe 1% of his customers call ahead of time to meet his team and find out how the process is going to work. He welcomes these customer calls because they allow him to establish trust and share how the process will work. This saves precious minutes when that emergency call happens. So, call ahead of time.
John also recommends that every organization purchase cyber insurance and have an outside security review performed at least annually. He also suggests using an IT firm to conduct the review that is not the same as the one currently providing regular services. Make sure to change which outside firm you use every year. Different firms find different things, he says, and you want a unique, independent perspective each time you do it.
How ransomware is changing
John says ransomware attacks have changed over the years. Just a couple of years ago, ransomware typically activated as soon as it entered an organization and encrypted the desktop it was on. Now the attacker is far more likely to be inside of an organization for multiple days or weeks, figuring out how to maximize their access to the penetrated system. He says you can’t automatically trust your offline backups, because the ransomware guys are working to block even that avenue of safety.
I asked if social engineering was involved in the majority of cases of ransomware. John says that social engineering was likely involved in half or over half of the cases, especially if you include third-party service providers that are compromised to reach the ultimate victim. Misconfiguration and unpatched software also frequently played a role.
Some research claims that paying a ransom demand does not result in getting a working decryptor key up to 40% of the time. John says his experience is different. “Ninety-five percent of the time, when the customer pays the ransom it results in less recovery work and downtime than if they didn’t pay it.”
If you ever need to call a firm like John’s, he offers one piece of advice to make things go smoother: “Make sure the people calling my firm have the necessary authority to make decisions. You can’t imagine how many times we come up with a plan of action only to have to wait again while the right decision makers are contacted, and I have to say everything again to get a decision.” Making sure the person calling has the necessary authority can only make everything happen faster.
A security columnist since 2005, Roger Grimes holds more than 40 computer certifications and has authored ten books on computer security.