How to Solve a CISO’s Worst Nightmare
By T.J. Minichillo and Brett Paradis
Imagine waking up one morning, checking in and seeing a waterfall of messages from your incident response team, reporting that multiple users can’t access their data. You have a meeting in 10 minutes with regulators and a monthly executive leadership meeting at noon. Panic!
Meanwhile, your response team is reporting in with an update, advising that hundreds of employees in the company can’t access their data. Then, a ransom demand message from the criminals suddenly appears on multiple end-user computers, threatening to release your files publicly if you don’t comply with their demands.
So begins a major ransomware and data loss incident. And your worst nightmare just came true.
As the CISO, your job is to protect and maintain your company’s crown jewels – strategic business plans, HR files, designs for new products, patent ideas, merger and acquisition documents, sensitive meeting memos from a board discussion, confidential data stored in the cloud or on premise in shared drives along with decades’ worth of emails, network diagrams, photos and videos associated with internal investigations that multiple departments saved on the corporate network. All those critical assets, now at risk of a major breach.
Now what?
Start crisis management protocols? Call your incident response and retainer service? Notify the CEO? Check your cyber insurance coverage? Huddle with the lawyers and public relations team over Zoom? Or start negotiating with the criminals to lower their ransom demand?
As the pit in your stomach grows, you realize investigating the company’s stolen data could take weeks or months to resolve, with no guarantee some or all the data won’t be corrupted or resold on the dark web. It could paralyze company-wide productivity and cost millions in lost revenue until your systems are back up again. Even millions more as customers defect in droves or file lawsuits. Your brand reputation is on the line. And so is your job.
Nightmare Averted
Suddenly, a lightbulb goes off. You quickly verify that the stolen files won’t open for the criminals, no matter how hard they try and no matter how many copies they made.
Every time the criminals attempt to access the stolen files your data dashboard lights up. You can pinpoint exactly where your company’s files AND the criminals are located and confirm that your data is still under your control. With a long trail of forensic details that the criminals left behind when they tried opening your company’s files, you can now alert law enforcement as well as your CEO and board of directors, the lawyers and your PR team about an unfolding ransomware crisis that just got averted.
Because every piece of sensitive data that was stolen had been transformed months before into intelligent, self-protecting and self-aware data, your files were never at risk. The data in criminal hands? Still under your control, able to be recalled in near-real time. As the data’s system administrator, with just a click of a button and in the blink of an eye, all your stolen data instantly follows your commands, frustrating the opportunistic criminals who just moved onto their next target. Because the company’s data was infused with intelligence to self-protect, you are now empowered to follow security and law enforcement best practices to NEVER negotiate with criminals.
That pit in your stomach turns into a sigh of relief, knowing the company’s crown jewels are safe. Your team goes about identifying, containing and cleaning the infected endpoints, then successfully restoring data from a backup.
Your CEO notifies the board members, employees and customers that an attempted ransomware attack was successfully deflected, the company’s data has been fully restored and that it’s back to business as usual.
The Safety Port in Your Storm
Could this scenario happen to you and your company?
It might not be ransomware. But it could be data extortion, with a criminal threatening to publicly expose, destroy or sell your data to the highest bidder.
Cybercriminals are likely to boast about their victims and publicly shame organizations that delay or ignore their demands, allowing for a company’s brand reputation to be tarnished in the process.
As a result of heightened cybersecurity threats and attacks, there’s been an increase in federal mandates requiring public and private companies to report data loss as part of a ransomware, other cyber attack or inadvertent unauthorized disclosure.
For example, the Transportation Security Administration (TSA) under the U.S. Department of Homeland Security issued two cybersecurity directives requiring owners and operators of TSA-designated critical pipelines transporting hazardous liquids and natural gas “to implement a number of urgently needed protections against cyber intrusions.” These directives require, among other things, that owner/operators protect against ransomware attacks and other known threats to IT and operational technology (OT) systems and report any cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours. In their report, they must also disclose any “…data theft that have or are likely to be incurred…”
The Securities and Exchange Commission (SEC) has also proposed a rule that would impose mandatory reporting for public companies about “material” cybersecurity events – including whether any sensitive data was stolen, altered or exfiltrated — within four business days after uncovering them. The proposed rule also calls for periodic updates about previous cyber incidents.
In March, President Biden signed a new law requiring owner/operators of critical infrastructure to report cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. The law also requires CISA to issue a rule that defines what constitutes a “substantial” loss of confidentiality, integrity or availability of the affected information system or network. Confidentiality, integrity and availability – also known as the CIA triad – are important management tools for several reasons. As elements of a strong resilience strategy, these “three legs” of the CIA stool can help decision-makers determine the value-add of new IT products and services. And they can help organizations evaluate whether they have the best policies, practices and procedures in place to support their overall resiliency strategy.
The truth is, no company infrastructure is ever 100% secure. And a cyber attack isn’t a matter of if, but when.
According to Digital Shadows, ransomware criminals continue to hit the U.S. the hardest. As of the first quarter of this year, 38.5% of all organizations posted to ransomware data-leak websites were located within the United States. Organizations everywhere are under siege. Researchers at Trend Micro predict modern ransomware will become increasingly targeted and prominent, mimicking traditional nation-state APT attacks, and that ransomware operators will use more complex extortion tactics, such as exfiltrating data to weaponize it. For the most part, ransomware has become a major source of very easy money for cybercriminals who know where and how to exploit vulnerable networks and exfiltrate unprotected data.
The Lapsus$ Group DEV-0537 activity between late 2021 and early 2022 demonstrates how relentless threat actors really are and that they’re capable of finding innovative ways to compromise an organization — despite all the security controls and training about social engineering techniques organizations have in place (e.g., enforcing complex passwords, implementing multifactor authentication (MFA), using web filtering, deploying endpoint protection, using anti-malware solutions, monitoring and responding to SIEM alerts, detecting and blocking email phishing campaigns and reducing one’s attack surface through threat and vulnerability management). Relishing a challenge, a determined adversary will still be able to find a way into a network.
Being a CISO has never been more difficult. Even the most experienced professionals can feel overwhelmed as threat actors find new ways to infiltrate systems and exploit unsuspecting victims. Cyber threats are constantly evolving with greater sophistication, the attack surface continues to widen and continuous stakeholder demands for new innovation only add to the stress.
A recent report from CISA underscores the multitude of plates today’s CISOs must juggle: ensuring MFA is enabled, that the right privileges and permissions for data access are in place, and that software is regularly patched. They also worry about the security of vendors and their supply chain, training their workforce to spot phishing campaigns, monitoring endpoints and ensuring cloud services are properly configured and protected. And they need to protect all business data from external and insider threats.
Now imagine a world where data can safely travel anywhere, anytime, on any device or platform. And imagine a world where CISOs can control their data’s destiny, forever. At Keyavi, we already built this world by infusing data itself with intelligence, so it thinks and self-protects automatically. For the first time, data knows where it’s allowed to be, who can open it and under what circumstances.
And, in the process, we can help you finally get a good night’s sleep.
About the Authors
T.J. Minichillo and Brett Paradis are nationally renowned cyber threat & intelligence experts detecting and thwarting cyber threats to keep Keyavi’s infrastructure, its employees, and customers safe from bad actors.
As Keyavi’s chief information security officer (CISO) and VP of cyber threat & intelligence, T.J. has held strategic intelligence roles in financial services, the military, and energy, including global head of threat intelligence at both National Grid and Morgan Stanley, deputy director at Citigroup’s Cyber Intelligence Center, chief cyber intelligence officer at Merrill Lynch, and senior intelligence special agent at the Department of Defense. Follow him on Twitter and LinkedIn.
As Keyavi’s director of cyber threat & intelligence, Brett has an extensive intelligence and cybersecurity background, including fusion center analyst at the Connecticut Intelligence Center, where he produced, analyzed and shared cyber threat information with the intelligence community as well as federal, state and local law enforcement investigators. He was also a senior cyber threat intelligence analyst and manager at National Grid, one of the world’s largest utility companies, where he maintained continual situational awareness of the threat landscape and collaborated with industry peers and government officials. Follow him on LinkedIn.
Copyright © 2022 Keyavi Data Corp.