Episode #71 The evolution of ransomware response with Chloe Sevil

Transcript

CP: Hello and welcome to The Security Collective podcast. I'm your host Claire Pales and today's guest is Chloe Sevil. Chloe has assisted more than 143 clients to recover from cyber incidents and is known for her ability to handle the complex regulatory environment surrounding a cyber incident. Chloe has helped some of Australia's largest listed companies deal with several of Australia's most complex cyber incidents in recent times, and manages multi jurisdictional legal teams, forensic vendors, law enforcement, public relations, communications teams and executive teams to deal with the fallout and bounce back from a cyber attack. Chloe, it is great to have you on the podcast today.

CS: Hi Claire, great to be here.

CP: So let's jump in and have a little bit about you first, tell me what led to you becoming a woman in cyber security given that you've got a background in law.

CS: I left Sydney shores to go and study the Australian National University down in Canberra and I studied an economics law degree. That led to a job in a startup law firm that my friend had just got a job at. And he said, Chloe, you've got to try this out, it's law but a little bit different. The people have fun, the people were young, come and try it out. As part of my time there I started specialising in tech and privacy. And I went, aha, this is this is really interesting, I can sense that this is an area that's growing, a lot of people are starting to really be concerned about their privacy. And a lot of businesses are starting to be aware that their customers and their clients are concerned about their privacy because people are understanding that businesses like Facebook and other data agencies are monetising their data. So that's when it kind of tweaked that privacy might be an interest of mine. And then in terms of how I then took the leap into being a breach coach was that I actually found out about my current employer, and then they were doing this thing which involves helping businesses recover from cyber attacks. And I started looking a little bit more into them. And going, wow, what they actually do is they crisis manage, and they help businesses who are really in crisis mode, Most businesses in Australia, I would say, have never experienced a cyber incident or critical cyber incident. And I went well, that's super interesting, that combines my really growing interest in privacy, plus, my love of managing stakeholders and project managing. I really like interacting with people, establishing rapport, and that kind of encouraged me to go to my current role, where I'm on a day to day basis interacting with executives to help them recover from cyber incidents. And I feel like I've really found my calling. Yeah, just being able to help professionals through one of the most stressful moments of their professional career is really rewarding. And we here really just hope that we're really providing some practical value add assistance to these people who are experiencing a cyber incident.

CP: So you've got a background in law, and so becoming an incident response lawyer is not too far, I guess, from the experience required. But can anybody become a breach coach? How does that career path work?

CS: I think there's lots of different pathways into becoming a breach coach, because there's lots of different types. So you can be a breach coach like me, so I have a legal background. But also there are lots of breach coaches who have a more technical background. For example, lots of the forensic vendors that we work with, they have breach coaches who've done it security or computing degrees, and then they have transitioned into a security role and then found out they like coaching businesses and executives through incidents. I would say that because it's such a new sector, I think that I see a lot of people who have lots and lots of different backgrounds. So just backgrounds you wouldn't experience. You've just got to perhaps really like interacting with people, be good at establishing relationships quickly with people, those relationships of trust, and be really passionate about helping businesses through critical moments in that business's history. Because really, there's lots and lots of opportunity to get into it and I don't necessarily think that you need a particular background to get into it.

CP: And I guess the most common or the most publicised type of cyber incident at the moment is ransomware, so it'd be good to talk about that. Specifically, it's a pretty hot topic in the media and it's not really a new thing. So how has ransomware as an incident evolved over the last 18 months, what have you been seeing?

CS: In terms of the evolution of ransomware we've seen businesses or the same threat actors not only encrypting files, and then asking for the ransom. We've seen them encrypting files and taking files off businesses systems. So typically, what threat actor groups are doing now is spending a little bit of time exploring that entities environment. So it looks for things like the file server, so your repository of where all your information is held, so business critical personal information belonging to your customers, and they will run scripts, which will grab whole chunks of information. Depending on the threat actor group, they might just do a smash and grab, where they will just gain, they will just exfiltrate a whole swathe of data. Some other threat actor groups, we've seen running queries on databases searching for particular words, such as passports or quote unquote, confidential, and then exfiltrating the results of those queries offline. They will typically put the documents they've exfiltrated somewhere else, such as on a file sharing platform. What they'll then do is then make contact with the organisation and say, 'Hi, we've encrypted your systems, and if you don't make contact with us by 10 days time, we're actually going to start releasing your data online'. And if that business then makes contact with the criminal, the criminal will likely provide a small tranche or a data set of documents as samples to that business to demonstrate that the criminal has actually got those documents. So the threat actor doesn't know if it's hit the jackpot, to use that that phrase, in terms of whether the data that it actually has is important to that business, but it hopes by providing that sample to the business, the business and the executives will look at it and go, oh, yes, that is quite sensitive. And that will encourage the business to consider paying the ransom. A further evolution that we've seen, even more recently, in the last six months is much more hostility from the part of threat actors. So threat actors even calling people in the business or emailing people in the business to say we've stolen your data, that understandably causes a lot of consternation on the part of the business when you know, it's hoping to just manage this at an executive or breach coach level. And its day to day staff or the people at the call centre are getting these calls, that causes quite a lot of consternation. And the criminal does that to turn the heat up on that business, encouraging them to pay.

CP: So interestingly, sometimes we're seeing ransomware where there's not actually a dollar amount requested. What's the driving force behind that? And and I guess, what are you seeing in your experience around the different types or styles of ransomware?

CS: What we're seeing is there are multiple groups out there who conduct ransomware attacks. So I would say they fall mainly into two groups. So we've got attacks from foreign state actors, and we've got attacks from criminal groups. Those two different groups are after different outcomes. So the state actors and depending on which state we're talking about, are targeting educational institutions, healthcare providers, hospitals, these kinds of organisations. They're after perhaps intellectual property, they're after knowledge, they want to know what's going on, what's being researched. In these kinds of incidents, we see those threat actors not making their presence in the organisation systems obvious. They're seeking not to be detected. So they are not asking for ransom because they just want to sit in this organisation's systems and gather information and intelligence without being detected. So moving from the state sponsored threat actor point to the criminal groups, the criminal groups do want to monetise their access to an organisation's environment. They are going to be asking for ransoms. And to drop in an interesting point, I will just say that lots of these criminal groups actually have multiple business units within the group. So there will be the business unit that is responsible for finding the way into the organisation's systems. Now that can be achieved through many different ways. It can be through buying credentials from the dark web, it can be through conducting distributed denial of service attacks against that entities infrastructure to find a way in. It can be by conducting extensive research on the organisation's staff members, and conducting spear phishing attacks, to then gain credential details to then gain access. Then yet another business unit, once accesses has been gained, or then focused on exploring the entities network. And then figuring out how that access can be monetised. And then that unit will maybe even sell that access now that it has been obtained to people on the dark web. And then once that access is bought, then those separate groups will come in, and then they will run the ransomware. And they will encrypt the business's systems. You might even have a separate business unit that is actually responsible for carrying out the negotiations to obtain the ransom.

CP: And so you talked a little bit about what attackers do once they're inside the environment and how they get in. I'm interested in how an organisation can be sure that they've cleansed their network of an attack?

CS: What we typically do when a business has been subject to a significant ransomware attack is two things. And there are usually two components to the response. So it's the recovery, so getting your data back, engaging a data recovery provider, alongside say your IT provider to recover data. Then there's the forensic investigation to determine the root cause and the extent of the compromise. There's also the legal piece as well, but I will just focus on the recovery plus the forensics. So the forensics are important to do, because figuring out how the threat actor got into the environment is important because we want to plug that vulnerability, we want to patch it, make sure they can't utilise that again. So we hope that if the evidence is good enough in the business's systems, that the forensic provider will be able to say, they got into your environment through an open remote desktop protocol port, or they got into your environment through a phishing email. We hope that that is able to be identified. But in many cases, unfortunately, the root cause can't be identified. And that's because threat actors are quite good at being in a environment and not being detected. And the longer they've been in there, the more likely it is that evidence will disappear because a lot of the time the way organisation's logging is set up, it is just simply time to expire, say after 7 days or 30 days, because it takes a lot of space to gather those reams and reams of data. So it might be that you can't actually find root cause. In these scenarios, there's many things that you can do, but I'll just focus on two. So one is the relationship you have with your IT provider. So just selecting an IT provider who has a good patching programme, so they run regular patching of your servers and all the programmes you're using because various application providers and software providers, they're always renewing and improving their applications and their software. With that constant renewing it means that there's potential additional vulnerabilities that are built in to the improvement. We actually saw that with the SolarWinds attack where a software patch that was rolled out early last year, actually had a vulnerability built into it by an unauthorised state party. And then that was rolled out to every organisation who rolled out a patch for that particular software programme. Now that's an instance where an unauthorised third party has actually built in the vulnerability. Then I would say, the second thing would be to conduct something like a pen test.

CP: In the heat of the moment, you know when you're in the depths of a crisis, a lot of people can take additional risk. While we're talking about incidents, and we're talking about ransomware, most organisations talk about, you know, should we pay the ransom? And I think it would be remiss of me not to ask you your thoughts on that because a lot of boards and executives, their focus is pay the ransom, get the encryption key and get our data back. I'm really interested to know from your perspective, what you're seeing and what your opinion is?

CS: Yeah, definitely. It's definitely a hot topic at the moment, with lots of media reporting about the payment of quite significant ransoms in quite public ransomware cases, and if an organisation is subject to a ransomware incident and a threat actor is asking for a ransom, it is an issue that the board will have to come up against. It's helpful if the board has a bit of a think about its stance on whether it would pay a ransom even before it experiences such an incident, because it just helps to have a position to start from. It's very rare that that actually occurs, where we experience a border who's actually come to a preset position, which we can then work from. But look, there are many different factors that go into that decision. And it's completely unique to that business. So, I mean, the factors against paying a ransom is that the business simply may have a moral code against paying the ransom, and it will not pay the criminal. And that's a completely valid point of view, because, you know, on one side, by you paying the ransom, you're paying a criminal group. You're also helping them continue with their operations or funding their operations, on one point of view via payment of that ransom. I would also say on that point, that ransomware gangs or groups are a little bit less reliable, of late. So around about two years ago, there were a lot fewer ransomware groups. And when you paid a ransom, they were quite reliable in delivering what they said they would give you. So that's perhaps the key to unlock the data, perhaps giving back the data, and a whole suite of other things. But of late, we've noticed that quite a few groups are entering the market because they've seen the size of the ransoms that have been paid. And they have thought, okay, we need to get into this because it's quite a good way to make money. Now with, as we know, with any market, the more entrants there are, the more variable their service level, if we can think about it in that way. So we've seen of late that the groups are less reliable in delivering the deliverables. So you might not get back what you paid for. We've seen groups, and I've mentioned this before, acting in a hostile manner towards an organisation and making it very uncomfortable for those organisations. We've also had a recent group which shut down its operations after it just got a little bit too hot for that organisation. And it meant that any organisation that was in the process of negotiating with that criminal or had paid a ransom might not have got what they paid for, because it actually shut down its operations. I will also say that if the organisation does decide to pay the ransom, it's important to utilise the services of a third party specialist or vendor, who is a specialist in actually conducting negotiations with these threat actor groups. And if the ransom is looked at being paid, they will actually conduct checks of various sanctions lists. So at an EU level, a US level in Australia, to verify to its knowledge whether that criminal group is on any of the sanctions lists, because we never want to be paying ransoms to sanctioned entities.

CP: And I think you make a really good point there about making sure as an organisation that you're utilising the services of experts, because, you know, as you said, most organisations will never hopefully never face a grand scale incident to the magnitude where you need a breach coach. And so it's often a new thing to an organisation to be dealing with something like this. And so I feel like the advice around, you know, not only get a breach coach, but if you're going to negotiate with these criminal groups, to get somebody who's done it before and who provides the services and is trustworthy themselves, so that you can feel that level of confidence that you're making the right decision. And you can't begin to imagine what you're going to face when you have a ransomware. You know that phone call at 2am, or whenever it comes to say, you know, we think that there's a problem. No one's ever fully prepared for that. But there are plenty of opportunities for these decisions to be pre considered. And you know, what would we do in the face of a crisis? What would we do if there was a ransomware? How long could we sort of survive as an organisation if we couldn't be operational? What if we had to turn off our IT systems, or our OT systems for that matter? All of that can be pre thought through, and so having a breach coach there, when you can say we've already thought these things through, we've rehearsed this. We've got an incident response plan that our security teams rehearse but also our board and executive know their roles to play. I mean, that must make your job easier if you've got a whole group of people that are possibly a bit frantic, but a little bit better prepared.

CS: I definitely love to comment on that Claire, because when dealing with a cyber incident, as I've mentioned before, it is so new. And if you have an organisation that has conducted a road test of its Incident Response Plan, and in fact has an Incident Response Plan, they're already in a better position to deal with that cyber incident. And an Incident Response Plan should be there, but it also is meant to be a living document. So you don't want to be experiencing a ransomware incident or any cyber incident, scrolling through your Incident Response Plan, and realising that the legal advisor that you had nominated has moved on, and the plan hasn't been updated in two years to reflect that. That is not the kind of scrambling you want to be doing in the face of an incident that you're experiencing, you want to have an Incident Response Plan that is up to date. In terms of road testing that plan, you can do tabletop exercises, where you simply sit executives around the table in the room, and you get all the stakeholders that you think might be responding to the incident there. So they bring their different views to the table. Because you can be in situations where sales and marketing is essentially concerned about not being able to send products or supply services and wants to recover very rapidly for backup. And in order to achieve that you want to isolate, say the affected servers. But then you've got the HR team whose particular piece of software that they utilise, to manage and pay staff sitting on that server, isolating that server will not allow them to pay staff. Unless you have that HR person on the table and those other members there at the table as well you're not going to get that crossing of views to go actually we need to think about this in in more detail.

CP: Your point there around paying employees interests me because more and more at the moment, we're starting to recognise a voice around the human impact of cyber incidents. And, you know, we've seen this year, people not being able to buy fuel in other countries, we've seen thousands of people in casual workforces not able to go to work and pack meat where we've had an incident in in the meat industry. We've had newspapers, unable to print news, we've had people, you know, organisations unable to go to air. There's definitely becoming a human factor to this from a broader society perspective and really hitting the community not only financially but also just people being able to live their lives. And I think up until recently, maybe that hasn't been recognised as much but the human or the community impact of cyber incidents is much greater, or the coverage of it is much greater, and the impact to people is much greater than maybe previously. Would you agree with that?

CS: Yes, it's completely true that cyber incidents are increasingly having an impact on people's lives. And as threat actors simply find more and more ways they can get into systems, they will do so and they will leverage that. I would also say that, moving back to the IT point of view and the theft of data, if data is being stolen or being misused by criminals, access to certain pieces of risky personal information such as your identity documents can mean that your personal records can be compromised and people can perpetrate misuse events, such as identity theft and financial fraud. And that is incredibly stressful for an individual to find out about and recover from. It's a lengthy process to try and recover your identity or salvage your financials when there's been a sustained attack against those through a threat actor having had access to your identity documents. So yeah, there's this is huge personal aspect and impact to a cyber incident that I think is becoming increasingly known. There's lots of resources out there that can help individuals that have suffered these kind of incidents. So IDCARE is an organisation or an NGO that's pretty world leading, it's based up in Queensland. It's actually an organisation entirely devoted to helping individuals whose personal information has been compromised. So individuals can reach out to IDCARE and IDCARE would actually coach them through what they can do to recover a bank account or change their driver's licence. And that kind of support is invaluable when an individual discovers that their personal information has been compromised, because often you might not know what to do and who to contact, and it's time consuming. So IDCARE has the points of contact and specific devices to help with that.

CP: I could ask you so many more questions on this topic. And I think there's a lot of sort of branching ideas that we've talked about as well around incident response plans and how people can do better at keeping them up to date and working with the board around incidents and simulations and all probably podcasts for another day. But for now, Chloe, thank you so much for joining me and our listeners today. And I'll pop some of the information in the show notes about Clyde & Co where you work, and yeah, it'd be great to have you back in the future to ask you some more questions about incident response and being a breach coach. Thank you so much.

CS: Thanks so much Claire.