Risk Matters Episode Three

Cyber Incident Response

Risk Matters: The DWF insurance podcast | Ep03
In the next two episodes of Risk Matters, we delve into the intricate world of cyber incident response. Cyber threats have evolved in sophistication, necessitating a robust, multi-faceted response mechanism. Our discussion will explore this evolution, highlighting the complexities and advancements in cyber incident response.
Tim Smith, Partner in the Global Risks team at DWF, is our host for both episodes and is joined by Jamie Taylor, a Director in the Cyber and Data team. Oliver Price, a Director in S-RM's Cybersecurity Advisory practice, also joined us in the studio. Oliver has over 10 years' experience assisting organisations in responding to complex cyber incidents and developing strategies and processes to minimise the business impact of these events.

Part 1 of our Cyber incident response podcasts is now live! Please listen via your preferred platform or watch the recorded podcast here. 


Audio Transcripts

Episode 3 part one
1
00:00:00,120 --> 00:00:00,920
Welcome to Risk

2
00:00:00,920 --> 00:00:02,520
Matters, the insurance podcast

3
00:00:02,520 --> 00:00:03,720
brought to you by DWF

4
00:00:03,720 --> 00:00:04,680
and your global guide

5
00:00:04,680 --> 00:00:05,520
to the latest trends

6
00:00:05,520 --> 00:00:06,800
and issues in the insurance

7
00:00:06,800 --> 00:00:08,640
and reinsurance industry.

8
00:00:08,640 --> 00:00:09,120
Join us

9
00:00:09,120 --> 00:00:10,640
as we explore topical issues,

10
00:00:10,640 --> 00:00:11,720
emerging technologies,

11
00:00:11,720 --> 00:00:12,960
and the innovative strategies

12
00:00:12,960 --> 00:00:14,400
that are shaping the global future

13
00:00:14,400 --> 00:00:17,400
of insurance.

14
00:00:20,160 --> 00:00:20,600
Welcome

15
00:00:20,600 --> 00:00:22,360
to another episode of Risk Matters

16
00:00:22,360 --> 00:00:23,920
the DWF insurance podcast.

17
00:00:23,920 --> 00:00:25,200
I'm delighted to be joined today

18
00:00:25,200 --> 00:00:26,680
by Jamie Taylor,

19
00:00:26,680 --> 00:00:29,520
a director in the Cyber and Data Team,

20
00:00:29,520 --> 00:00:33,360
and by Ollie Price, a director at S-RM.

21
00:00:33,400 --> 00:00:36,400
He specializes in, I guess, incident response

22
00:00:36,400 --> 00:00:39,960
and with a history of work in network security

23
00:00:40,120 --> 00:00:41,360
and network systems.

24
00:00:41,360 --> 00:00:42,680
Just to sort of set the scene,

25
00:00:42,680 --> 00:00:45,600
I expect in terms of incident response,

26
00:00:45,600 --> 00:00:46,760
it's useful to bear in mind,

27
00:00:46,760 --> 00:00:49,080
because I think the three of us have sort of

28
00:00:49,080 --> 00:00:50,480
been around the block a few times

29
00:00:50,480 --> 00:00:52,360
now that it's been quite a long journey,

30
00:00:52,360 --> 00:00:54,480
and it's evolving. Law,

31
00:00:54,480 --> 00:00:55,720
perhaps in particular for Jamie

32
00:00:55,720 --> 00:00:59,320
and I, sort of chugs along, but Ollie, your space

33
00:00:59,960 --> 00:01:02,360
is rather more dynamic.

34
00:01:02,360 --> 00:01:05,080
I guess in the great scheme of things.

35
00:01:05,080 --> 00:01:06,480
Certainly threatens to be.

36
00:01:06,480 --> 00:01:08,040
I think

37
00:01:08,040 --> 00:01:08,560
it's been

38
00:01:08,560 --> 00:01:10,240
interesting. In preparation for this,

39
00:01:10,240 --> 00:01:12,160
I was looking back into the

40
00:01:12,160 --> 00:01:15,560
NotPetya attack against Ukraine in 2017,

41
00:01:15,880 --> 00:01:18,680
and the memory doesn't quite sit right.

42
00:01:18,680 --> 00:01:20,360
I had to go back and look at what the

43
00:01:20,360 --> 00:01:21,440
original ransom note was.

44
00:01:21,440 --> 00:01:23,600
It was like ransom notes of the day

45
00:01:23,600 --> 00:01:25,400
demanded $300,

46
00:01:25,400 --> 00:01:26,680
which I'm sure for those of us

47
00:01:26,680 --> 00:01:28,400
that have done a ransomware case recently.

48
00:01:28,400 --> 00:01:29,720
Yeah, I wish

49
00:01:29,720 --> 00:01:31,560
that was the ransom these days for most of these

50
00:01:31,560 --> 00:01:32,160
cases. Paper

51
00:01:32,160 --> 00:01:34,200
nailed on the door or something like that. Yeah.

52
00:01:34,200 --> 00:01:35,720
I mean, I was doing something

53
00:01:35,720 --> 00:01:36,920
very similar and,

54
00:01:36,920 --> 00:01:37,280
remembering

55
00:01:37,280 --> 00:01:37,680
when I was doing

56
00:01:37,680 --> 00:01:39,640
some work experience at solicitors' firms

57
00:01:39,640 --> 00:01:42,640
and you had to sort of clamber through corridors

58
00:01:42,760 --> 00:01:43,520
full of paper.

59
00:01:43,520 --> 00:01:45,800
People had desks piled high with paper.

60
00:01:45,800 --> 00:01:48,920
And even as a trainee, I think the reliance on

61
00:01:49,360 --> 00:01:51,640
sort of the IT kit was pretty modest. We

62
00:01:52,640 --> 00:01:54,040
had a bit of word processing.

63
00:01:54,040 --> 00:01:56,640
We might have used stuff for,

64
00:01:56,640 --> 00:01:58,800
say financial record keeping

65
00:01:58,800 --> 00:01:59,600
and other things on that.

66
00:01:59,600 --> 00:02:02,400
But most of the day-to-day work was paper.

67
00:02:02,400 --> 00:02:04,080
Think back to the first ransomware

68
00:02:04,080 --> 00:02:06,560
and it was on floppy disk, like 1989.

69
00:02:06,560 --> 00:02:08,720
So things have changed quite a bit.

70
00:02:08,720 --> 00:02:09,440
But it meant that

71
00:02:09,440 --> 00:02:10,720
I think that sort of changes

72
00:02:10,720 --> 00:02:11,520
the dynamics as well.

73
00:02:11,520 --> 00:02:14,520
And because it's incremental, I think,

74
00:02:14,840 --> 00:02:17,000
a lot of businesses didn't think they were

75
00:02:17,000 --> 00:02:17,800
tech businesses

76
00:02:17,800 --> 00:02:19,040
actually went on a journey

77
00:02:19,040 --> 00:02:20,480
where they

78
00:02:20,480 --> 00:02:22,560
were more reliant on tech than they thought

79
00:02:22,560 --> 00:02:23,760
and certainly, say,

80
00:02:23,760 --> 00:02:25,520
a classic law firm

81
00:02:25,520 --> 00:02:26,800
where now you'd have perhaps

82
00:02:26,800 --> 00:02:27,440
your case

83
00:02:27,440 --> 00:02:30,560
management systems, your client systems,

84
00:02:30,560 --> 00:02:32,120
your financial systems,

85
00:02:32,120 --> 00:02:34,040
your email, you know, your documents.

86
00:02:34,040 --> 00:02:35,120
Most people, or

87
00:02:35,120 --> 00:02:37,240
a lot of people, would be paperless now.

88
00:02:37,240 --> 00:02:38,760
So you've got two things, I guess.

89
00:02:38,760 --> 00:02:39,520
One is

90
00:02:39,520 --> 00:02:42,760
you've got a vast amount of data on your systems.

91
00:02:43,080 --> 00:02:44,640
And the second thing is you're

92
00:02:44,640 --> 00:02:46,240
increasingly reliant on your systems.

93
00:02:46,240 --> 00:02:48,440
And that I think from a

94
00:02:48,440 --> 00:02:51,440
an external bad actor perspective,

95
00:02:51,920 --> 00:02:53,840
criticism of opportunities is

96
00:02:53,840 --> 00:02:55,640
the value of the data is enormous.

97
00:02:55,640 --> 00:02:57,680
So in the same way that one might have,

98
00:02:57,680 --> 00:02:58,840
I was thinking on the,

99
00:02:58,840 --> 00:02:59,200
way over here,

100
00:02:59,200 --> 00:03:01,760
sort of a large amount of money in a bank,

101
00:03:01,760 --> 00:03:02,960
a large amount of data on the system

102
00:03:02,960 --> 00:03:05,400
is hugely attractive to an attacker.

103
00:03:05,400 --> 00:03:07,760
And if you couple that with businesses

104
00:03:07,760 --> 00:03:10,760
reliance on the system and the

105
00:03:11,080 --> 00:03:13,360
that sort of ransom element where

106
00:03:13,360 --> 00:03:14,840
if the system's not available to you,

107
00:03:16,120 --> 00:03:16,760
that causes you a

108
00:03:16,760 --> 00:03:17,360
lot of problems,

109
00:03:17,360 --> 00:03:19,760
you've got a real opportunity for,

110
00:03:19,760 --> 00:03:22,240
the bad sort, the threat actors,

111
00:03:22,240 --> 00:03:24,320
to come and try and take advantage

112
00:03:24,320 --> 00:03:25,560
and does that,

113
00:03:25,560 --> 00:03:26,920
I guess, for the two of you,

114
00:03:26,920 --> 00:03:30,200
in terms of your journeys, have you seen the

115
00:03:30,440 --> 00:03:31,520
sort of severity

116
00:03:31,520 --> 00:03:33,800
and frequency of incidents like this

117
00:03:33,800 --> 00:03:36,800
is that the upward track that I would expect?

118
00:03:36,840 --> 00:03:37,760
Yeah, absolutely.

119
00:03:37,760 --> 00:03:40,760
I mean, you know, if there's one constant,

120
00:03:41,240 --> 00:03:42,360
it's that threat actors

121
00:03:42,360 --> 00:03:44,480
have continued to evolve over time.

122
00:03:44,480 --> 00:03:45,800
So, you know,

123
00:03:45,800 --> 00:03:46,800
think about if you're

124
00:03:46,800 --> 00:03:49,800
a threat actor deploying ransomware,

125
00:03:50,000 --> 00:03:52,040
one of the barriers to entry

126
00:03:52,040 --> 00:03:52,880
that you used to come across

127
00:03:53,480 --> 00:03:56,480
is having to have your own encryption malware.

128
00:03:56,720 --> 00:03:58,440
You had to develop that.

129
00:03:58,440 --> 00:03:59,600
So of course, what threat actors did

130
00:03:59,600 --> 00:04:01,920
is that over time they developed the ransomware

131
00:04:01,920 --> 00:04:03,280
as a service model

132
00:04:03,280 --> 00:04:05,720
so they could scale up massively.

133
00:04:05,720 --> 00:04:07,040
and that's what we've seen over the last.

134
00:04:07,040 --> 00:04:09,600
They have sort of franchise technologies. Yeah.

135
00:04:09,600 --> 00:04:11,240
And that there's so many examples.

136
00:04:11,240 --> 00:04:13,800
I don't know of how threat actors have evolved,

137
00:04:13,800 --> 00:04:15,000
in response

138
00:04:15,000 --> 00:04:16,360
to organizations

139
00:04:16,360 --> 00:04:18,760
trying to better protect themselves, better,

140
00:04:18,760 --> 00:04:20,720
you know, of course, we've had

141
00:04:20,720 --> 00:04:22,680
perhaps the most obvious example

142
00:04:22,680 --> 00:04:25,200
in response to encryption.

143
00:04:25,200 --> 00:04:27,880
companies have upped their game

144
00:04:27,880 --> 00:04:29,240
in terms of the backups.

145
00:04:29,240 --> 00:04:30,880
So they now have air-gapped

146
00:04:30,880 --> 00:04:32,960
and immutable backups.

147
00:04:32,960 --> 00:04:33,680
In response

148
00:04:33,680 --> 00:04:34,280
to that,

149
00:04:34,280 --> 00:04:37,280
threat actors have pivoted to exfiltration.

150
00:04:37,840 --> 00:04:40,560
You know, we've had a massive uptake

151
00:04:40,560 --> 00:04:44,240
in multifactor authentication over the years.

152
00:04:44,280 --> 00:04:46,880
Threat actors, again, have pivoted,

153
00:04:46,880 --> 00:04:50,000
and are now deploying attacks such as MFA bombing,

154
00:04:50,240 --> 00:04:51,760
attacker-in-the-middle,

155
00:04:51,760 --> 00:04:55,160
in order to bypass those sort of MFA controls.

156
00:04:55,760 --> 00:04:58,400
In recent times, we've seen

157
00:04:59,440 --> 00:05:00,040
a lot of law

158
00:05:00,040 --> 00:05:02,000
enforcement activity taking down

159
00:05:02,000 --> 00:05:04,040
some of the big players in ransomware,

160
00:05:04,040 --> 00:05:04,240
you know,

161
00:05:04,240 --> 00:05:05,640
the Contis of this world

162
00:05:05,640 --> 00:05:08,120
the LockBits, the ALPHVs,

163
00:05:08,120 --> 00:05:10,280
but very, very quickly

164
00:05:10,280 --> 00:05:13,280
we see new entities emerge, RansomHub, for example.

165
00:05:13,840 --> 00:05:16,840
So the threat actor evolution just continues to,

166
00:05:17,400 --> 00:05:20,800
you know, develop. I saw some stats recently.

167
00:05:20,800 --> 00:05:22,360
I think it was from Chainalysis,

168
00:05:22,360 --> 00:05:23,120
that

169
00:05:23,120 --> 00:05:26,920
in 2023 the amount of ransom payments,

170
00:05:26,920 --> 00:05:29,920
so not ransom demands but ransom payments,

171
00:05:29,960 --> 00:05:33,440
was about 1.1 billion, just in those 12 months.

172
00:05:33,440 --> 00:05:35,000
So that I think, speaks volumes

173
00:05:35,000 --> 00:05:36,080
as to how the severity

174
00:05:36,080 --> 00:05:38,200
and the volume has increased.

175
00:05:38,200 --> 00:05:39,680
Threat actors aren't doing this thing

176
00:05:39,680 --> 00:05:42,080
because they enjoy getting better

177
00:05:42,080 --> 00:05:43,840
at being threat actors and criminals.

178
00:05:43,840 --> 00:05:44,400
They're doing this

179
00:05:44,400 --> 00:05:46,000
because they're being challenged

180
00:05:46,000 --> 00:05:48,240
by organizations that are getting better.

181
00:05:48,240 --> 00:05:49,960
If criminals could make as much money

182
00:05:49,960 --> 00:05:50,840
as they wanted doing

183
00:05:50,840 --> 00:05:52,040
what they did seven years ago,

184
00:05:52,040 --> 00:05:53,720
they'd still be doing it.

185
00:05:53,720 --> 00:05:55,240
I think what we're really saying is,

186
00:05:55,240 --> 00:05:57,640
you know, this is an adversarial problem.

187
00:05:57,640 --> 00:06:00,640
The goodies and the baddies are vying here.

188
00:06:00,760 --> 00:06:01,920
And yeah.

189
00:06:01,920 --> 00:06:04,000
It's very much a call and response.

190
00:06:04,000 --> 00:06:05,200
But I think also

191
00:06:06,560 --> 00:06:07,560
being aware that the

192
00:06:07,560 --> 00:06:09,600
cybersecurity space

193
00:06:09,600 --> 00:06:12,600
is a bubble within a bubble.

194
00:06:12,600 --> 00:06:13,600
It's being impacted

195
00:06:13,600 --> 00:06:13,840
a lot

196
00:06:13,840 --> 00:06:17,200
by the effects of digitization by, say,

197
00:06:17,200 --> 00:06:18,240
sort of AI.

198
00:06:18,240 --> 00:06:20,480
But this additional fragility

199
00:06:20,480 --> 00:06:21,760
that's coming into the system,

200
00:06:21,760 --> 00:06:23,520
I think is very much played into their hands.

201
00:06:23,520 --> 00:06:25,120
You know, as organizations

202
00:06:25,120 --> 00:06:26,040
move away from paper

203
00:06:26,040 --> 00:06:29,080
to having stuff on computers,

204
00:06:29,840 --> 00:06:31,080
and that's incredibly efficient,

205
00:06:31,080 --> 00:06:32,680
allows the business to move quite quickly,

206
00:06:32,680 --> 00:06:34,280
but it does make it more fragile.

207
00:06:34,280 --> 00:06:36,040
We saw that during the novel Covid

208
00:06:36,040 --> 00:06:38,440
pandemic, where supply chains became fragile

209
00:06:38,440 --> 00:06:39,840
because they were spread out.

210
00:06:39,840 --> 00:06:41,840
And I think we see exactly the same situation

211
00:06:41,840 --> 00:06:44,840
that's playing into this ransomware card.

212
00:06:44,840 --> 00:06:46,360
I don't think that's a good alternative.

213
00:06:46,360 --> 00:06:47,160
I'm not suggesting

214
00:06:47,160 --> 00:06:48,520
we go back to working on paper,

215
00:06:48,520 --> 00:06:49,200
but it is a thing

216
00:06:49,200 --> 00:06:51,120
for organizations to be aware of.

217
00:06:51,120 --> 00:06:53,200
There's still a school of thought out there.

218
00:06:53,200 --> 00:06:53,680
I don't think it's

219
00:06:53,680 --> 00:06:54,680
particularly popular now,

220
00:06:54,680 --> 00:06:56,160
but I think certainly exists that

221
00:06:56,160 --> 00:06:57,840
when it comes to backups,

222
00:06:57,840 --> 00:06:58,080
you know,

223
00:06:58,080 --> 00:06:59,080
because threat actors

224
00:06:59,080 --> 00:07:00,480
got so good at infiltrating

225
00:07:00,480 --> 00:07:02,320
the backups themselves,

226
00:07:02,320 --> 00:07:04,960
you know, are old fashioned tapes

227
00:07:04,960 --> 00:07:05,920
a better solution?

228
00:07:05,920 --> 00:07:07,840
You know, they're not sort of electronic.

229
00:07:07,840 --> 00:07:09,520
That's one option.

230
00:07:10,480 --> 00:07:11,640
but it did.

231
00:07:11,640 --> 00:07:12,920
The observation I think I have

232
00:07:12,920 --> 00:07:15,280
is that against that

233
00:07:15,280 --> 00:07:17,840
threat landscape that we've seen,

234
00:07:17,840 --> 00:07:20,840
you know, the law has also evolved.

235
00:07:21,080 --> 00:07:23,240
Wouldn't say it's quite kept pace.

236
00:07:23,240 --> 00:07:26,240
But for example, we've gone from,

237
00:07:26,560 --> 00:07:26,840
you know,

238
00:07:26,840 --> 00:07:28,560
Data Protection Act 1998

239
00:07:28,560 --> 00:07:30,560
where there was no mandatory

240
00:07:30,560 --> 00:07:32,120
breach reporting regime,

241
00:07:32,120 --> 00:07:34,160
albeit it was still encouraged by the regulator

242
00:07:34,160 --> 00:07:36,040
at the time.

243
00:07:36,040 --> 00:07:37,120
And we're now in a situation,

244
00:07:37,120 --> 00:07:37,480
of course,

245
00:07:37,480 --> 00:07:40,840
we have the GDPR sort of 72-hour time frame.

246
00:07:41,360 --> 00:07:43,920
If you're a telecoms provider,

247
00:07:43,920 --> 00:07:44,680
you might be required

248
00:07:44,680 --> 00:07:47,680
under PECR to notify within 24 hours.

249
00:07:47,720 --> 00:07:50,720
If you were a payment service provider,

250
00:07:50,920 --> 00:07:52,320
you might be required to notify

251
00:07:52,320 --> 00:07:54,400
within four hours under PSD2.

252
00:07:54,400 --> 00:07:57,200
So timescales are getting shorter.

253
00:07:57,200 --> 00:07:57,560
And that,

254
00:07:57,560 --> 00:07:58,760
of course, is a reaction

255
00:07:58,760 --> 00:08:00,760
to the severity of the threats,

256
00:08:00,760 --> 00:08:02,480
that these organizations are facing.

257
00:08:03,520 --> 00:08:05,320
And then in terms of the perhaps the

258
00:08:05,320 --> 00:08:08,680
threat actors, we can see, I expect, that

259
00:08:10,160 --> 00:08:13,480
cybercrime is so much more straightforward

260
00:08:13,480 --> 00:08:14,000
in some ways

261
00:08:14,000 --> 00:08:15,400
than physical crime

262
00:08:15,400 --> 00:08:18,000
because you can do it to anyone from anywhere.

263
00:08:18,000 --> 00:08:21,280
And in an era where working from home

264
00:08:21,280 --> 00:08:22,480
is a thing.

265
00:08:22,480 --> 00:08:24,800
Now, someone with the right jurisdiction.

266
00:08:24,800 --> 00:08:26,520
Agnostic. Yeah.

267
00:08:26,520 --> 00:08:29,520
And you've got all the kind of, I guess,

268
00:08:29,880 --> 00:08:31,120
challenges one might have

269
00:08:31,120 --> 00:08:32,440
you know, we look at, if

270
00:08:32,440 --> 00:08:34,080
we are dealing with organizations

271
00:08:34,080 --> 00:08:35,560
that are victims of,

272
00:08:35,560 --> 00:08:37,520
thefts and, or,

273
00:08:37,520 --> 00:08:40,320
let's say, the financial diversions we see

274
00:08:40,320 --> 00:08:41,280
actually tracing the money

275
00:08:41,280 --> 00:08:42,640
can be financially difficult because of that,

276
00:08:42,640 --> 00:08:44,240
because you find that the money

277
00:08:44,240 --> 00:08:46,720
will ping around those different jurisdictions.

278
00:08:46,720 --> 00:08:48,240
But it does mean that

279
00:08:48,240 --> 00:08:49,800
you can't just look within your own

280
00:08:49,800 --> 00:08:51,920
sort of jurisdiction for the risk

281
00:08:51,920 --> 00:08:52,960
you're trying to manage, a risk

282
00:08:52,960 --> 00:08:54,920
that is sort of,

283
00:08:54,920 --> 00:08:55,920
extra-jurisdictional

284
00:08:55,920 --> 00:08:57,560
that could come from anywhere.

285
00:08:57,560 --> 00:08:59,400
And that makes the challenges,

286
00:08:59,400 --> 00:09:01,040
even more difficult for

287
00:09:01,040 --> 00:09:02,960
but for both of you, I guess.

288
00:09:02,960 --> 00:09:05,160
You know, some of these cyber criminals,

289
00:09:05,160 --> 00:09:08,480
they operate, I won't say with impunity,

290
00:09:09,080 --> 00:09:11,880
but sometimes it's not far off that, particularly

291
00:09:11,880 --> 00:09:13,000
if they're in territories

292
00:09:13,000 --> 00:09:16,000
where, you know, is their activity

293
00:09:16,200 --> 00:09:17,920
state sponsored,

294
00:09:17,920 --> 00:09:20,920
or is the state simply turning a blind eye?

295
00:09:20,960 --> 00:09:23,800
You know, certainly they know it goes on.

296
00:09:23,800 --> 00:09:25,920
So it's very difficult

297
00:09:25,920 --> 00:09:28,280
if you're the victim organization,

298
00:09:28,280 --> 00:09:31,840
identifying precisely who it is,

299
00:09:31,840 --> 00:09:32,760
who the attacker is,

300
00:09:32,760 --> 00:09:34,080
who is the threat actor,

301
00:09:34,080 --> 00:09:36,600
where they're like, where are they located?

302
00:09:36,600 --> 00:09:37,800
And as you say Tim trying to

303
00:09:37,800 --> 00:09:41,080
then trace Bitcoin payments through

304
00:09:41,080 --> 00:09:44,080
the Bitcoin chain is tremendously difficult.

305
00:09:44,520 --> 00:09:46,520
And that's it. Attribution,

306
00:09:46,520 --> 00:09:48,640
so literally just knowing who's done

307
00:09:48,640 --> 00:09:50,360
this is difficult

308
00:09:50,360 --> 00:09:53,080
and therefore really quite expensive.

309
00:09:53,080 --> 00:09:55,000
And therefore for a private organization

310
00:09:55,000 --> 00:09:57,120
to try and do that themselves would be

311
00:09:57,120 --> 00:09:58,560
a very heavy burden,

312
00:09:58,560 --> 00:09:59,640
and it's not the kind of burden

313
00:09:59,640 --> 00:10:02,400
that we expect organizations to, to take on.

314
00:10:02,400 --> 00:10:02,920
Yeah, yeah.

315
00:10:02,920 --> 00:10:03,960
I guess

316
00:10:03,960 --> 00:10:06,200
starting with that incident response piece, in that

317
00:10:06,200 --> 00:10:07,560
I've been hit.

318
00:10:07,560 --> 00:10:10,280
What do I do? We're probably the ones

319
00:10:10,280 --> 00:10:13,760
operating the hotline as the call comes in.

320
00:10:14,080 --> 00:10:16,400
Jamie, do you want to sort of

321
00:10:16,400 --> 00:10:18,920
talk our audience through that first sort of

322
00:10:18,920 --> 00:10:19,640
call, then what

323
00:10:19,640 --> 00:10:20,120
what happens,

324
00:10:20,120 --> 00:10:21,760
what we're looking to do. Well,

325
00:10:21,760 --> 00:10:23,000
let's give the proper context

326
00:10:23,000 --> 00:10:26,000
to that first call, because you'll be dealing

327
00:10:26,000 --> 00:10:29,000
with an organization who's probably experiencing

328
00:10:29,840 --> 00:10:31,560
the most stressful day

329
00:10:31,560 --> 00:10:32,840
of their professional lives,

330
00:10:32,840 --> 00:10:34,640
or certainly one of them,

331
00:10:34,640 --> 00:10:38,520
and you might have on the call, perhaps,

332
00:10:38,520 --> 00:10:40,920
a GC, general counsel, from the business

333
00:10:40,920 --> 00:10:42,440
and also somebody from IT

334
00:10:42,440 --> 00:10:45,440
who's responsible for security, perhaps a CISO,

335
00:10:45,440 --> 00:10:47,240
if they have one,

336
00:10:47,240 --> 00:10:50,520
That IT person will be feeling particularly

337
00:10:50,960 --> 00:10:54,680
stressed and vulnerable because it's their job

338
00:10:54,680 --> 00:10:56,680
essentially to look after security.

339
00:10:56,680 --> 00:10:59,880
So you need to display as the external counsel

340
00:11:00,080 --> 00:11:02,840
empathy towards that person's position

341
00:11:02,840 --> 00:11:04,920
because their worry and stress,

342
00:11:04,920 --> 00:11:06,280
you know, it does,

343
00:11:06,280 --> 00:11:08,840
it does have some logic behind it

344
00:11:08,840 --> 00:11:11,400
because we've seen recently, haven't we, some

345
00:11:11,400 --> 00:11:14,720
personal liability attaching to executives.

346
00:11:14,720 --> 00:11:15,320
For example,

347
00:11:15,320 --> 00:11:17,760
in the Uber case, SolarWinds

348
00:11:17,760 --> 00:11:19,160
and also a case called Drizly.

349
00:11:19,160 --> 00:11:21,320
So that empathy towards

350
00:11:21,320 --> 00:11:23,720
the victim organizations is an important piece.

351
00:11:25,440 --> 00:11:27,560
The other bit of important context

352
00:11:27,560 --> 00:11:31,960
to that first call is the priority.

353
00:11:32,160 --> 00:11:34,960
And often, you know, I, as external counsel, need

354
00:11:34,960 --> 00:11:36,360
to emphasize this point

355
00:11:36,360 --> 00:11:38,600
to the victim in the first call,

356
00:11:38,600 --> 00:11:41,080
the initial priority is all about containment,

357
00:11:41,080 --> 00:11:42,920
you know, stopping the bleeding,

358
00:11:42,920 --> 00:11:45,760
stopping the threat actor from perpetrating

359
00:11:45,760 --> 00:11:47,880
further attacks against the company.

360
00:11:47,880 --> 00:11:50,120
exfiltrating data.

361
00:11:50,120 --> 00:11:53,120
It's often the case, understandably,

362
00:11:53,200 --> 00:11:54,360
when you're speaking to a client

363
00:11:54,360 --> 00:11:55,480
for the first time,

364
00:11:55,480 --> 00:11:57,680
they want to skip the containment

365
00:11:57,680 --> 00:11:58,800
and eradication steps

366
00:11:58,800 --> 00:12:01,040
and jump straight to recovery.

367
00:12:01,040 --> 00:12:04,280
I can think of one case in particular, for example,

368
00:12:04,280 --> 00:12:05,720
just quickly

369
00:12:05,720 --> 00:12:08,960
where we got a call, the very first call,

370
00:12:09,320 --> 00:12:11,200
by the time we receive that call,

371
00:12:11,200 --> 00:12:13,040
the client was already three days

372
00:12:13,040 --> 00:12:14,920
deep into the breach

373
00:12:14,920 --> 00:12:16,200
They'd been muddling their way through

374
00:12:16,200 --> 00:12:17,880
as best they could on their own

375
00:12:17,880 --> 00:12:20,040
got to a point where they couldn't cope,

376
00:12:20,040 --> 00:12:22,240
phoned us for support.

377
00:12:22,240 --> 00:12:24,920
It transpired, by the time they called us,

378
00:12:24,920 --> 00:12:26,280
they had already completely

379
00:12:26,280 --> 00:12:28,960
wiped the affected servers.

380
00:12:28,960 --> 00:12:31,960
So the idea of preserving and collecting data,

381
00:12:32,080 --> 00:12:34,240
digital evidence had just gone out the window.

382
00:12:34,240 --> 00:12:37,400
So, with that context out of the way,

383
00:12:37,680 --> 00:12:40,600
my first question's usually going to be,

384
00:12:40,600 --> 00:12:43,400
you know, are we confident this line,

385
00:12:43,400 --> 00:12:45,080
this telephone line, teams

386
00:12:45,080 --> 00:12:47,880
platform or Zoom platform, is it secure?

387
00:12:47,880 --> 00:12:48,200
You know,

388
00:12:48,200 --> 00:12:49,760
how do we know that?

389
00:12:49,760 --> 00:12:50,840
There's a well-worn phrase

390
00:12:50,840 --> 00:12:52,280
in incident response, you know,

391
00:12:52,280 --> 00:12:54,640
assume compromise.

392
00:12:54,640 --> 00:12:57,640
My next question is going to be, are you insured?

393
00:12:57,680 --> 00:12:59,880
You know,

394
00:13:01,000 --> 00:13:02,800
every cyber policy

395
00:13:02,800 --> 00:13:05,160
will usually require the insured

396
00:13:05,160 --> 00:13:08,160
to notify their insurer in a timely manner,

397
00:13:08,400 --> 00:13:10,480
particularly of a ransomware attack.

398
00:13:10,480 --> 00:13:11,960
And if they don't do that, you know,

399
00:13:11,960 --> 00:13:14,960
they might jeopardize the cover.

400
00:13:16,040 --> 00:13:17,440
After that, we really get

401
00:13:17,440 --> 00:13:20,440
to the information gathering phase.

402
00:13:20,680 --> 00:13:21,640
So I'm in listen mode.

403
00:13:21,640 --> 00:13:23,760
I'm asking questions. You know, what happened?

404
00:13:23,760 --> 00:13:25,120
How did it happen?

405
00:13:25,120 --> 00:13:28,120
What part of the network was compromised?

406
00:13:28,960 --> 00:13:30,200
Do you have backups still?

407
00:13:30,200 --> 00:13:31,680
Are they in a good state?

408
00:13:31,680 --> 00:13:33,040
What's their status?

409
00:13:33,040 --> 00:13:36,080
How many endpoints do you have?

410
00:13:36,160 --> 00:13:38,160
What's your operating system?

411
00:13:38,160 --> 00:13:40,160
And who's responsible for your security?

412
00:13:40,160 --> 00:13:41,720
Do you handle it yourself?

413
00:13:41,720 --> 00:13:43,360
Or do you have a third-party

414
00:13:43,360 --> 00:13:45,840
managed service provider?

415
00:13:45,840 --> 00:13:47,080
And I need answers to that,

416
00:13:47,080 --> 00:13:48,400
not just for my own benefit

417
00:13:48,400 --> 00:13:49,840
so I can assist the company,

418
00:13:49,840 --> 00:13:50,960
but also

419
00:13:50,960 --> 00:13:51,800
because I know my next

420
00:13:51,800 --> 00:13:54,280
call is going to be to Ollie.

421
00:13:54,280 --> 00:13:56,240
And to give Ollie a heads-up

422
00:13:56,240 --> 00:13:59,400
so he can come to the follow-on call

423
00:13:59,400 --> 00:14:00,360
slightly prepared.

424
00:14:00,360 --> 00:14:01,320
is obviously,

425
00:14:01,320 --> 00:14:03,120
you know, really important,

426
00:14:03,120 --> 00:14:05,120
all the things we want to know.

427
00:14:05,120 --> 00:14:07,520
What have you done so far?

428
00:14:07,520 --> 00:14:09,600
And what actions have they taken?

429
00:14:09,600 --> 00:14:11,560
Have they deleted anything?

430
00:14:11,560 --> 00:14:12,800
Who have they called?

431
00:14:12,800 --> 00:14:14,880
Have they notified anybody?

432
00:14:14,880 --> 00:14:16,960
And what resources do they have internally?

433
00:14:16,960 --> 00:14:19,960
What internal capabilities do they have?

434
00:14:20,080 --> 00:14:23,080
And what external support might they require?

435
00:14:23,160 --> 00:14:25,480
As I'm asking all these questions

436
00:14:25,480 --> 00:14:26,040
going on

437
00:14:26,040 --> 00:14:26,640
in my head, it's

438
00:14:26,640 --> 00:14:29,040
a sort of a running risk assessment.

439
00:14:29,040 --> 00:14:31,040
So I'm thinking, what is the timeline?

440
00:14:31,040 --> 00:14:32,680
When were they breached?

441
00:14:32,680 --> 00:14:34,000
What regulatory

442
00:14:34,000 --> 00:14:37,040
notification clock's already started ticking.

443
00:14:37,800 --> 00:14:40,720
So all that's going on at the same time.

444
00:14:40,720 --> 00:14:41,880
You know, I'm working out

445
00:14:41,880 --> 00:14:43,480
what support do we need?

446
00:14:43,480 --> 00:14:44,280
You know,

447
00:14:44,280 --> 00:14:45,920
typically, as we all know, it's

448
00:14:45,920 --> 00:14:47,920
sort of digital forensics.

449
00:14:47,920 --> 00:14:49,960
It's PR crisis

450
00:14:49,960 --> 00:14:54,000
communications experts, obviously legal counsel.

451
00:14:54,120 --> 00:14:55,920
And if it's a ransomware incident,

452
00:14:55,920 --> 00:14:58,480
then a sort of counter extortion,

453
00:14:58,480 --> 00:14:59,640
ransom negotiator

454
00:14:59,640 --> 00:15:00,640
with typically

455
00:15:00,640 --> 00:15:01,200
the,

456
00:15:01,200 --> 00:15:02,240
external disciplines

457
00:15:02,240 --> 00:15:03,720
that we would look to bring in,

458
00:15:03,720 --> 00:15:04,960
as a, you know,

459
00:15:06,200 --> 00:15:08,240
an urgent first step.

460
00:15:08,240 --> 00:15:10,360
And then we sort of at that point

461
00:15:10,360 --> 00:15:12,880
thinking about the nature of the organization,

462
00:15:12,880 --> 00:15:13,960
what they do,

463
00:15:13,960 --> 00:15:16,200
what information they hold as well in terms of

464
00:15:16,200 --> 00:15:18,160
so feeding that into your.

465
00:15:18,160 --> 00:15:21,160
Yes, regulatory thinking and strategic.

466
00:15:21,560 --> 00:15:22,200
Exactly.

467
00:15:22,200 --> 00:15:22,640
I mean,

468
00:15:22,640 --> 00:15:25,040
a deeper dive on

469
00:15:25,040 --> 00:15:26,760
that would probably come into the second call,

470
00:15:26,760 --> 00:15:27,960
but certainly when you're asking

471
00:15:27,960 --> 00:15:30,080
those initial questions about,

472
00:15:30,080 --> 00:15:31,920
you know, what part of network was impacted,

473
00:15:31,920 --> 00:15:33,040
what servers,

474
00:15:33,040 --> 00:15:34,000
you'd also want to know

475
00:15:34,000 --> 00:15:35,360
at the same time, ideally,

476
00:15:35,360 --> 00:15:36,600
what sort of data do

477
00:15:36,600 --> 00:15:39,480
we think was on those servers.

478
00:15:39,480 --> 00:15:41,000
And sometimes the client will know,

479
00:15:41,000 --> 00:15:44,000
but quite often they won't know.

480
00:15:44,160 --> 00:15:45,960
And then with that being said, about

481
00:15:45,960 --> 00:15:47,320
what are the things that

482
00:15:47,320 --> 00:15:49,000
put a smile on your face in that situation?

483
00:15:49,000 --> 00:15:50,240
What are the things that make your heart sink

484
00:15:50,240 --> 00:15:51,680
in terms of the answers you get?

485
00:15:51,680 --> 00:15:54,360
So talking about what makes me feel like

486
00:15:54,360 --> 00:15:56,840
this is going to be a successful call,

487
00:15:56,840 --> 00:15:58,680
there are probably clear ones.

488
00:15:58,680 --> 00:16:00,280
There's the they've got good backups.

489
00:16:00,280 --> 00:16:01,440
We know they're great.

490
00:16:01,440 --> 00:16:04,200
It hasn't impacted large parts of the network.

491
00:16:04,200 --> 00:16:06,560
I think sort of a softer side of this

492
00:16:06,560 --> 00:16:09,200
would be that there's a skeptic on the call.

493
00:16:09,200 --> 00:16:10,440
I think a lot of us,

494
00:16:10,440 --> 00:16:11,800
you know, the reason why we're good at

495
00:16:11,800 --> 00:16:13,720
this is because we walk into the call

496
00:16:13,720 --> 00:16:14,680
and we absolutely

497
00:16:14,680 --> 00:16:16,000
listen to what we're hearing,

498
00:16:16,000 --> 00:16:18,280
but we know that that might not be the

499
00:16:18,280 --> 00:16:19,760
absolute ground truth.

500
00:16:19,760 --> 00:16:21,720
Does that influence as well I presume

501
00:16:21,720 --> 00:16:23,880
that goes into the mix with that people dynamic

502
00:16:23,880 --> 00:16:24,840
that Jamie was talking about,

503
00:16:24,840 --> 00:16:26,680
that we know that

504
00:16:26,680 --> 00:16:29,680
this is a distress situation for the victim.

505
00:16:29,680 --> 00:16:31,160
The people are under the cosh.

506
00:16:31,160 --> 00:16:33,040
There's a huge amount of pressure.

507
00:16:33,040 --> 00:16:34,800
And you kind of

508
00:16:34,800 --> 00:16:37,400
we've got to arrive with a cynical mindset,

509
00:16:37,400 --> 00:16:37,840
as you say.

510
00:16:37,840 --> 00:16:39,600
But we've got to reassure people that

511
00:16:39,600 --> 00:16:41,040
that isn't because we don't believe them.

512
00:16:41,040 --> 00:16:42,640
It's yeah.

513
00:16:42,640 --> 00:16:44,640
And that's it. You've got to set out.

514
00:16:44,640 --> 00:16:45,720
This is,

515
00:16:45,720 --> 00:16:46,320
you know,

516
00:16:46,320 --> 00:16:48,440
we're standing shoulder to shoulder with you.

517
00:16:48,440 --> 00:16:50,520
We absolutely believe what you're saying.

518
00:16:50,520 --> 00:16:51,600
But we need to verify

519
00:16:51,600 --> 00:16:53,160
that something else hasn't changed.

520
00:16:53,160 --> 00:16:54,200
That in the meantime is

521
00:16:54,200 --> 00:16:56,520
broadly the way you're coming to this,

522
00:16:56,520 --> 00:16:58,080
particularly when you start saying,

523
00:16:58,080 --> 00:16:59,480
okay, we're now going to start,

524
00:16:59,480 --> 00:17:00,640
notifying regulators

525
00:17:00,640 --> 00:17:02,600
or putting out press statements

526
00:17:02,600 --> 00:17:04,480
because there's someone who's sitting out there

527
00:17:04,480 --> 00:17:06,120
who would love to be able to say,

528
00:17:06,120 --> 00:17:08,160
that's not how it is. It's actually this.

529
00:17:08,160 --> 00:17:10,080
That it’s someone that's willing to,

530
00:17:10,080 --> 00:17:10,920
you know, immediately

531
00:17:10,920 --> 00:17:12,360
rebut that potentially he's

532
00:17:12,360 --> 00:17:14,520
had access to your systems for months.

533
00:17:14,520 --> 00:17:14,800
Yeah.

534
00:17:14,800 --> 00:17:17,880
And, you know, the usual course of events

535
00:17:17,880 --> 00:17:20,880
would be in those first 24, 48 hours.

536
00:17:21,040 --> 00:17:23,040
You probably know very little,

537
00:17:23,040 --> 00:17:24,800
and even the things that you think,

538
00:17:24,800 --> 00:17:26,560
you know might not be correct.

539
00:17:26,560 --> 00:17:27,840
You know, threat actors these days

540
00:17:27,840 --> 00:17:30,840
deploy measures such as,

541
00:17:30,920 --> 00:17:33,240
you know, anti-forensics to cover their tracks.

542
00:17:33,240 --> 00:17:35,360
They'll sort of delete logs,

543
00:17:35,360 --> 00:17:37,360
they'll try and distract you.

544
00:17:38,320 --> 00:17:40,800
There's the risk of secondary attacks.

545
00:17:40,800 --> 00:17:41,840
So you need to,

546
00:17:41,840 --> 00:17:42,080
you know,

547
00:17:42,080 --> 00:17:43,520
take all these things into account

548
00:17:43,520 --> 00:17:45,600
and work through things properly.

549
00:17:45,600 --> 00:17:48,040
So once we've

550
00:17:48,040 --> 00:17:48,680
made the phone

551
00:17:48,680 --> 00:17:51,160
calls, we've got our experts on board,

552
00:17:51,160 --> 00:17:56,120
our team, you know, there then becomes

553
00:17:56,480 --> 00:17:59,480
some fairly significant operational

554
00:17:59,520 --> 00:18:01,320
considerations to work through.

555
00:18:01,320 --> 00:18:04,040
Because if you are bringing in,

556
00:18:04,040 --> 00:18:06,840
you know, several external third parties

557
00:18:06,840 --> 00:18:09,960
to work alongside, but also several internal parties,

558
00:18:10,520 --> 00:18:11,600
you can't assume

559
00:18:11,600 --> 00:18:13,080
that's just going to be on itself.

560
00:18:13,080 --> 00:18:14,840
There needs to be a significant element

561
00:18:14,840 --> 00:18:16,920
of project management.

562
00:18:16,920 --> 00:18:20,120
And what you certainly can't have is everybody,

563
00:18:20,120 --> 00:18:21,680
you know, from forensics,

564
00:18:21,680 --> 00:18:25,240
comms, legal in the same meeting together.

565
00:18:25,640 --> 00:18:27,760
So we split out into separate work

566
00:18:27,760 --> 00:18:28,880
streams,

567
00:18:28,880 --> 00:18:30,360
so things can be done in parallel

568
00:18:30,360 --> 00:18:31,520
at the same time.

569
00:18:31,520 --> 00:18:32,360
Should we run through

570
00:18:32,360 --> 00:18:34,600
perhaps for our audience

571
00:18:34,600 --> 00:18:35,520
what we're going to be looking at

572
00:18:35,520 --> 00:18:36,920
in that situation in terms of

573
00:18:36,920 --> 00:18:38,840
what streams we'll be looking at

574
00:18:38,840 --> 00:18:40,600
and who we'd be bringing in?

575
00:18:40,600 --> 00:18:41,440
But typically,

576
00:18:41,440 --> 00:18:42,560
as I mentioned earlier,

577
00:18:42,560 --> 00:18:45,360
you know, it's forensics, it's PR comms.

578
00:18:45,360 --> 00:18:47,920
It's a ransom negotiator.

579
00:18:49,720 --> 00:18:51,640
You know, even if the client is adamant

580
00:18:51,640 --> 00:18:53,520
that they don't want to pay the ransom,

581
00:18:53,520 --> 00:18:55,560
there's still,

582
00:18:55,560 --> 00:18:58,080
a logic for having that ransom negotiator

583
00:18:58,080 --> 00:18:58,720
at the table

584
00:18:58,720 --> 00:19:01,720
for reasons we can come on to,

585
00:19:02,800 --> 00:19:04,880
External legal counsel, obviously.

586
00:19:04,880 --> 00:19:07,520
And they're the main ones at the start.

587
00:19:07,520 --> 00:19:09,080
You might want additional ones

588
00:19:09,080 --> 00:19:10,840
as you get further down the line for example,

589
00:19:10,840 --> 00:19:14,320
there might be a stream on restoration, remediation.

590
00:19:14,680 --> 00:19:16,720
There might be a stream on data analysis,

591
00:19:16,720 --> 00:19:18,960
but initially it's those core ones

592
00:19:18,960 --> 00:19:19,920
we've talked about.

593
00:19:19,920 --> 00:19:23,040
So, you know, as I say, there are operational

594
00:19:23,040 --> 00:19:24,320
things that need to be done

595
00:19:24,320 --> 00:19:26,680
to get those streams up and running properly.

596
00:19:26,680 --> 00:19:29,680
So who's going to lead each stream?

597
00:19:30,120 --> 00:19:32,600
How frequently are the meetings

598
00:19:32,600 --> 00:19:33,280
going to take place?

599
00:19:33,280 --> 00:19:34,840
What's the cadence of meetings?

600
00:19:34,840 --> 00:19:35,560
So typically

601
00:19:35,560 --> 00:19:37,040
you'd have a morning meeting,

602
00:19:37,040 --> 00:19:39,720
you'd have an afternoon end of day meeting.

603
00:19:39,720 --> 00:19:42,360
You'd want to know,

604
00:19:42,360 --> 00:19:42,640
you know,

605
00:19:42,640 --> 00:19:45,640
who is the ultimate decision maker client side.

606
00:19:45,760 --> 00:19:48,640
So who's got the go or no-go call

607
00:19:48,640 --> 00:19:49,920
on all of the big decisions

608
00:19:49,920 --> 00:19:52,040
that you know you're going to have to make.

609
00:19:52,040 --> 00:19:54,280
And then there's some operational structure

610
00:19:54,280 --> 00:19:56,800
you will need or would want to have things like,

611
00:19:57,760 --> 00:20:01,440
a decision log, an action tracker.

612
00:20:01,880 --> 00:20:02,240
You know,

613
00:20:02,240 --> 00:20:04,720
those artifacts are things that can help you

614
00:20:04,720 --> 00:20:05,680
when you come on later

615
00:20:05,680 --> 00:20:08,680
down the line to deal with regulatory inquiries.

616
00:20:09,000 --> 00:20:11,600
From the legal side,

617
00:20:11,600 --> 00:20:13,360
everything I've just talked about,

618
00:20:13,360 --> 00:20:14,880
we would be looking to wrap that

619
00:20:14,880 --> 00:20:17,880
in a legally privileged envelope,

620
00:20:17,960 --> 00:20:19,400
to protect the clients

621
00:20:19,400 --> 00:20:22,400
from the confidentiality perspective.

622
00:20:22,680 --> 00:20:23,680
And obviously the steps

623
00:20:23,680 --> 00:20:25,840
we need to work through to achieve that.

624
00:20:25,840 --> 00:20:26,720
so first, on.

625
00:20:26,720 --> 00:20:28,200
With a sort of litigator's

626
00:20:28,200 --> 00:20:31,120
hat on and a claims hat on, you see, all of that

627
00:20:31,120 --> 00:20:33,680
sort of material is being requested by claimants

628
00:20:33,680 --> 00:20:34,440
very early on.

629
00:20:34,440 --> 00:20:35,360
So we

630
00:20:35,360 --> 00:20:37,720
need to be alert to the fact that one day,

631
00:20:37,720 --> 00:20:40,360
if there is a claim or a group action,

632
00:20:40,360 --> 00:20:41,760
whatever it might be,

633
00:20:41,760 --> 00:20:42,880
people are going to be knocking on the door

634
00:20:42,880 --> 00:20:43,360
asking for that

635
00:20:43,360 --> 00:20:45,400
so that's a crucial piece of the.

636
00:20:45,400 --> 00:20:45,960
Yeah, you might

637
00:20:45,960 --> 00:20:47,320
still be on day one,

638
00:20:47,320 --> 00:20:48,480
but you're having to think about

639
00:20:48,480 --> 00:20:50,520
what are the downstream implications.

640
00:20:50,520 --> 00:20:51,200
You know,

641
00:20:51,200 --> 00:20:53,920
weeks, months, years down the line potentially.

642
00:20:53,920 --> 00:20:55,720
So if we start with forensics,

643
00:20:55,720 --> 00:20:56,360
perhaps as the

644
00:20:56,360 --> 00:20:57,320
first workstream

645
00:20:57,320 --> 00:21:02,440
to chat in more detail about, you know, ideally,

646
00:21:02,720 --> 00:21:06,280
it would be external counsel instructing only,

647
00:21:06,280 --> 00:21:08,440
perhaps through a sort of tripartite agreement

648
00:21:08,440 --> 00:21:10,720
with the insurers, to sort of

649
00:21:11,680 --> 00:21:14,680
ensure that privilege is in place.

650
00:21:14,680 --> 00:21:17,680
And then what that would essentially look like is

651
00:21:18,240 --> 00:21:21,240
the letter of engagement, which would speak to,

652
00:21:21,440 --> 00:21:24,440
these being instructed in order to,

653
00:21:25,360 --> 00:21:27,760
assist the lawyers with the technical

654
00:21:27,760 --> 00:21:30,840
aspects of the breach, in order

655
00:21:30,840 --> 00:21:33,320
to inform legal advice that we would give

656
00:21:33,320 --> 00:21:34,960
to the victim organization.

657
00:21:34,960 --> 00:21:37,400
And so that's, you know,

658
00:21:37,400 --> 00:21:39,520
how you could go about setting privilege up.

659
00:21:39,520 --> 00:21:40,800
You'd also look, obviously,

660
00:21:40,800 --> 00:21:41,880
to carefully control

661
00:21:41,880 --> 00:21:44,880
the parameters of the investigation.

662
00:21:44,880 --> 00:21:47,680
From the moment Jamie calls you then, Ollie, what's

663
00:21:47,680 --> 00:21:49,080
going through your,

664
00:21:49,080 --> 00:21:49,960
your mind in terms of

665
00:21:49,960 --> 00:21:51,640
what have I got to do what it is.

666
00:21:51,640 --> 00:21:52,800
There is

667
00:21:52,800 --> 00:21:55,880
a broad playbook for you in terms of. Definitely.

668
00:21:55,960 --> 00:21:58,960
And I think that the broad

669
00:21:59,240 --> 00:22:01,440
outline that Jamie's given there is,

670
00:22:01,440 --> 00:22:03,240
is true for every single player

671
00:22:03,240 --> 00:22:04,800
in that role below.

672
00:22:04,800 --> 00:22:05,880
It's going in

673
00:22:05,880 --> 00:22:08,280
trying to get as much information as possible,

674
00:22:08,280 --> 00:22:11,000
understanding how we fit within the wider whole,

675
00:22:11,000 --> 00:22:14,360
because all of those different workstreams

676
00:22:14,360 --> 00:22:15,840
need information from all the others.

677
00:22:15,840 --> 00:22:17,400
We need to make sure that we're all playing

678
00:22:17,400 --> 00:22:19,000
to the same tame

679
00:22:19,000 --> 00:22:20,880
score here,

680
00:22:20,880 --> 00:22:22,000
without necessarily

681
00:22:22,000 --> 00:22:23,040
having to set up a meeting

682
00:22:23,040 --> 00:22:24,000
with 20 different people.

683
00:22:24,000 --> 00:22:25,080
So making sure that all of that

684
00:22:25,080 --> 00:22:27,720
communication is in place is really clear.

685
00:22:27,720 --> 00:22:29,080
That priority around making sure

686
00:22:29,080 --> 00:22:30,960
that you're containing the incident

687
00:22:30,960 --> 00:22:33,480
before you start to remove things

688
00:22:33,480 --> 00:22:34,920
for secure recovery as well.

689
00:22:34,920 --> 00:22:35,640
What,

690
00:22:35,640 --> 00:22:37,240
what are the agreed procedures

691
00:22:37,240 --> 00:22:38,760
that you're following there,

692
00:22:38,760 --> 00:22:39,440
bearing in mind

693
00:22:39,440 --> 00:22:40,120
that in

694
00:22:40,120 --> 00:22:41,560
many of these situations, this

695
00:22:41,560 --> 00:22:43,120
the client, we don't know

696
00:22:43,120 --> 00:22:44,680
the ins and outs of their infrastructure.

697
00:22:44,680 --> 00:22:45,760
So we want to be really clear

698
00:22:45,760 --> 00:22:46,760
when we're doing something,

699
00:22:46,760 --> 00:22:47,760
it's not going to be something

700
00:22:47,760 --> 00:22:49,400
potentially disruptive.

701
00:22:49,400 --> 00:22:51,080
So make sure that's clear.

702
00:22:51,080 --> 00:22:53,640
Being really aware of what systems are fragile,

703
00:22:53,640 --> 00:22:56,640
which systems are critical to the business

704
00:22:56,640 --> 00:22:57,560
that are still running.

705
00:22:57,560 --> 00:22:59,960
You don't want to hurt them on the way up,

706
00:22:59,960 --> 00:23:02,880
but also being as clear as possible about,

707
00:23:03,960 --> 00:23:04,800
the fact that

708
00:23:04,800 --> 00:23:06,840
things might get worse in the short term

709
00:23:06,840 --> 00:23:08,080
if you want them to get better,

710
00:23:08,080 --> 00:23:09,840
there may be things you need to be turning off.

711
00:23:09,840 --> 00:23:12,840
There may be,

712
00:23:12,960 --> 00:23:14,520
some actions that you've already taken

713
00:23:14,520 --> 00:23:15,600
that you need to roll back.

714
00:23:15,600 --> 00:23:16,880
So being really clear that

715
00:23:16,880 --> 00:23:18,960
that sort of slowing down,

716
00:23:18,960 --> 00:23:20,440
making deliberate decisions

717
00:23:20,440 --> 00:23:21,680
to contain the incident,

718
00:23:21,680 --> 00:23:22,560
to stop the bleed,

719
00:23:22,560 --> 00:23:23,440
to protect the data

720
00:23:23,440 --> 00:23:26,440
that you still have is critical.

721
00:23:27,120 --> 00:23:30,560
The business can then, Jamie’s done his excellent work

722
00:23:30,560 --> 00:23:32,120
of identifying the key decision

723
00:23:32,120 --> 00:23:32,960
makers, making sure

724
00:23:32,960 --> 00:23:35,440
that they can be briefed on things

725
00:23:35,440 --> 00:23:37,440
so that when we bring them questions

726
00:23:37,440 --> 00:23:39,280
or I wouldn't want to call them problems,

727
00:23:39,280 --> 00:23:40,440
but challenges,

728
00:23:40,440 --> 00:23:40,920
you know,

729
00:23:40,920 --> 00:23:41,800
you've got a situation

730
00:23:41,800 --> 00:23:43,680
where it's going to take us a week

731
00:23:43,680 --> 00:23:45,080
in order to do the forensic analysis

732
00:23:45,080 --> 00:23:47,080
on a particular piece of hardware,

733
00:23:47,080 --> 00:23:48,680
but that's so critical to the business

734
00:23:48,680 --> 00:23:50,000
that if it's not brought up in a week

735
00:23:50,000 --> 00:23:52,640
the business isn't going to exist anymore,

736
00:23:52,640 --> 00:23:54,200
who's actually making the ultimate decision

737
00:23:54,200 --> 00:23:55,800
on whether or not you get to proceed

738
00:23:55,800 --> 00:23:57,120
without doing investigation?

739
00:23:57,120 --> 00:23:58,800
So our job is to provide the advice.

740
00:23:58,800 --> 00:24:00,400
It's going to, you know, this is

741
00:24:01,640 --> 00:24:03,320
so critical to our investigation.

742
00:24:03,320 --> 00:24:05,640
We're not going to know.

743
00:24:05,640 --> 00:24:07,360
But obviously that's completely useless

744
00:24:07,360 --> 00:24:09,480
if that's not going to the right decision maker.

745
00:24:09,480 --> 00:24:10,680
So there's that.

746
00:24:10,680 --> 00:24:13,960
And then finally the point here around,

747
00:24:15,200 --> 00:24:16,960
making it really clear

748
00:24:16,960 --> 00:24:18,840
when we're advising the client

749
00:24:18,840 --> 00:24:20,960
what they're likely to know, when

750
00:24:20,960 --> 00:24:21,360
I think

751
00:24:21,360 --> 00:24:23,400
that one of the most uncomfortable things

752
00:24:23,400 --> 00:24:24,360
for senior executives

753
00:24:24,360 --> 00:24:26,000
that we see in these incidents is

754
00:24:26,000 --> 00:24:28,040
they're used to having a good amount

755
00:24:28,040 --> 00:24:28,600
of information

756
00:24:28,600 --> 00:24:29,640
about the things that they're trying

757
00:24:29,640 --> 00:24:31,120
to make a decision on.

758
00:24:31,120 --> 00:24:33,720
And unfortunately, incidents aren't like that.

759
00:24:33,720 --> 00:24:36,600
You start off knowing basically nothing

760
00:24:36,600 --> 00:24:38,040
and having to make some pretty impactful

761
00:24:38,040 --> 00:24:40,600
decisions in,

762
00:24:40,600 --> 00:24:43,600
usually a subject area you're not familiar with.

763
00:24:43,600 --> 00:24:45,040
And that's incredibly uncomfortable

764
00:24:45,040 --> 00:24:45,960
for almost everybody.

765
00:24:45,960 --> 00:24:47,440
I wouldn't want to sit in that chair,

766
00:24:48,840 --> 00:24:49,480
so try

767
00:24:49,480 --> 00:24:49,920
to give them

768
00:24:49,920 --> 00:24:52,920
an idea as to what they can expect the next day,

769
00:24:53,000 --> 00:24:55,760
week, month to look like.

770
00:24:55,760 --> 00:24:56,440
You know,

771
00:24:56,440 --> 00:24:57,320
it might be bad now,

772
00:24:57,320 --> 00:24:58,400
but it's going to get better.

773
00:24:58,400 --> 00:25:02,600
Basically, is important, is critical.

774
00:25:02,600 --> 00:25:04,840
And it's also a thing that generally,

775
00:25:04,840 --> 00:25:06,000
the internal teams

776
00:25:06,000 --> 00:25:07,440
struggle with because they're going through

777
00:25:07,440 --> 00:25:09,160
that same journey themselves.

778
00:25:09,160 --> 00:25:11,600
And from an IT perspective, perhaps

779
00:25:11,600 --> 00:25:12,680
what I've seen is certainly

780
00:25:12,680 --> 00:25:15,680
that internal teams can be, primarily

781
00:25:15,680 --> 00:25:17,000
focused on some functionality

782
00:25:17,000 --> 00:25:18,800
on the day to day running of the system.

783
00:25:18,800 --> 00:25:20,520
And that security piece

784
00:25:20,520 --> 00:25:21,480
is slightly different.

785
00:25:21,480 --> 00:25:22,480
You might have,

786
00:25:22,480 --> 00:25:25,600
as we do I from them I.T security architect

787
00:25:26,160 --> 00:25:27,200
specialists,

788
00:25:27,200 --> 00:25:30,000
but they perhaps have got a different approach,

789
00:25:30,000 --> 00:25:30,560
a different skill

790
00:25:30,560 --> 00:25:31,760
set to you and your team

791
00:25:31,760 --> 00:25:33,720
because you're coming into

792
00:25:33,720 --> 00:25:35,120
to a sort of distress situation

793
00:25:35,120 --> 00:25:36,560
with,

794
00:25:36,560 --> 00:25:39,200
a business that's been hit with encryption and,

795
00:25:39,200 --> 00:25:42,200
and on getting that back up to speed

796
00:25:42,200 --> 00:25:44,960
and back on the straight and narrow is,

797
00:25:44,960 --> 00:25:46,160
is a slightly different skill set.

798
00:25:46,160 --> 00:25:47,600
So it's a complementary blend.

799
00:25:47,600 --> 00:25:50,520
You need to work with the internal team,

800
00:25:51,640 --> 00:25:54,000
but also bring your own.

801
00:25:54,000 --> 00:25:55,040
Yeah.

802
00:25:55,040 --> 00:25:58,240
And/or work with any third-party MSP.

803
00:25:58,480 --> 00:26:02,600
And you know, thankfully, in the vast

804
00:26:02,600 --> 00:26:05,960
majority of cases, you know, the client will be,

805
00:26:07,720 --> 00:26:08,960
you know, doing everything

806
00:26:08,960 --> 00:26:10,320
they can to give

807
00:26:10,320 --> 00:26:12,880
everything he needs in terms of access,

808
00:26:12,880 --> 00:26:16,320
information, requests, log evidence,

809
00:26:16,400 --> 00:26:17,800
whatever it may be.

810
00:26:17,800 --> 00:26:22,080
But we have had a case or two, haven't we?

811
00:26:22,080 --> 00:26:22,880
Ollie, that we've worked

812
00:26:22,880 --> 00:26:25,880
on where that hasn't been the case and where

813
00:26:26,960 --> 00:26:29,960
a sort of third party MSP has actually

814
00:26:30,600 --> 00:26:32,800
been instructed not to hand over

815
00:26:32,800 --> 00:26:34,320
certain material.

816
00:26:34,320 --> 00:26:35,840
It didn't add up. No.

817
00:26:35,840 --> 00:26:37,120
And so we

818
00:26:37,120 --> 00:26:38,400
you know, what that meant,

819
00:26:38,400 --> 00:26:40,680
as well as creating a delay in the,

820
00:26:40,680 --> 00:26:42,400
the incident response,

821
00:26:42,400 --> 00:26:44,200
it's also meant on the legal side that,

822
00:26:44,200 --> 00:26:46,360
you know, mid breach

823
00:26:46,360 --> 00:26:47,000
you're having to deal

824
00:26:47,000 --> 00:26:48,120
with other issues

825
00:26:48,120 --> 00:26:51,120
such as, you know, potentially

826
00:26:51,520 --> 00:26:55,000
liability of the MSP, the sort of third party,

827
00:26:55,440 --> 00:26:57,640
the potential HR issues

828
00:26:57,640 --> 00:26:58,960
if people aren't handing over what

829
00:26:58,960 --> 00:26:59,760
they should be handing over

830
00:26:59,760 --> 00:27:03,040
or properly cooperating, so things can,

831
00:27:03,600 --> 00:27:05,160
get a lot more complicated.

832
00:27:05,160 --> 00:27:06,520
And of course,

833
00:27:06,520 --> 00:27:07,920
another thing we haven't touched on yet,

834
00:27:08,920 --> 00:27:09,640
you know,

835
00:27:09,640 --> 00:27:10,960
for those larger breaches

836
00:27:10,960 --> 00:27:13,120
that have an international element,

837
00:27:13,120 --> 00:27:16,120
there might be three, four, five

838
00:27:16,280 --> 00:27:18,320
plus different C suites.

839
00:27:18,320 --> 00:27:20,000
So a CISO in Europe, a CISO

840
00:17:20,000 --> 00:17:22,080
APAC, a CISO in the Americas,

841
00:27:22,080 --> 00:27:24,840
all of whom want to input into how best

842
00:27:24,840 --> 00:27:25,800
to respond to the breach.

843
00:27:25,800 --> 00:27:27,520
And probably in

844
00:27:27,520 --> 00:27:30,520
some cases, Ollie, makes your life a bit harder.

845
00:27:31,320 --> 00:27:32,000
Definitely.

846
00:27:32,000 --> 00:27:34,120
I mean,

847
00:27:34,120 --> 00:27:34,760
when you end up

848
00:27:34,760 --> 00:27:36,520
with those really complicated situations

849
00:27:36,520 --> 00:27:37,720
where you've got

850
00:27:37,720 --> 00:27:39,880
different C suites or, you know, a

851
00:27:39,880 --> 00:27:41,560
sort of a group organization,

852
00:27:41,560 --> 00:27:42,400
and particularly

853
00:27:42,400 --> 00:27:44,080
when you start dealing with multiple different

854
00:27:44,080 --> 00:27:45,640
jurisdictions of law enforcement,

855
00:27:45,640 --> 00:27:46,960
I think that's where that can become

856
00:27:46,960 --> 00:27:48,400
really complicated.

857
00:27:48,400 --> 00:27:49,840
We've got the Italian postal police

858
00:27:49,840 --> 00:27:50,560
knocking on the door

859
00:27:50,560 --> 00:27:52,000
asking about something at the same time as

860
00:27:52,000 --> 00:27:53,680
you've got the FBI in the US

861
00:27:54,640 --> 00:27:56,960
making sure that you can

862
00:27:56,960 --> 00:27:58,680
answer the questions sensibly,

863
00:27:58,680 --> 00:28:00,480
taking the information they're giving you,

864
00:28:00,480 --> 00:28:02,440
because also,

865
00:28:02,440 --> 00:28:03,960
depending on the size of the organization,

866
00:28:03,960 --> 00:28:04,640
the type of breach,

867
00:28:04,640 --> 00:28:06,240
they might be telling you something.

868
00:28:06,240 --> 00:28:07,880
You'll never know where that's coming from.

869
00:28:07,880 --> 00:28:09,240
You don't know how true or accurate

870
00:28:09,240 --> 00:28:10,480
that's necessarily going to be,

871
00:28:10,480 --> 00:28:11,920
not because they're trying to mislead

872
00:28:11,920 --> 00:28:13,000
you just because,

873
00:28:13,000 --> 00:28:13,200
you know,

874
00:28:13,200 --> 00:28:16,200
you're a much smaller piece of a much wider whole,

875
00:28:16,360 --> 00:28:18,720
and that can add lots of complication.

876
00:28:18,720 --> 00:28:20,560
It can create a lot of frustration

877
00:28:20,560 --> 00:28:22,320
at the senior executive level,

878
00:28:22,320 --> 00:28:25,320
because people always want to believe, you know,

879
00:28:25,520 --> 00:28:27,000
when you've got that kind of entity

880
00:28:27,000 --> 00:28:30,000
turning up at your door, you want to act on it

881
00:28:30,000 --> 00:28:30,800
for good reason.

882
00:28:30,800 --> 00:28:32,920
But it can take a lot of really useful time

883
00:28:32,920 --> 00:28:33,920
out of a system at a time

884
00:28:33,920 --> 00:28:35,560
where there isn't any spare time.

885
00:28:35,560 --> 00:28:37,000
And a quick

886
00:28:37,000 --> 00:28:37,960
interjection here

887
00:28:37,960 --> 00:28:40,120
that these are some of the difficulties

888
00:28:40,120 --> 00:28:43,120
that you can potentially resolve

889
00:28:43,120 --> 00:28:44,680
or certainly improve

890
00:28:44,680 --> 00:28:47,400
by some of the pre-breach preparations.

891
00:28:47,400 --> 00:28:49,400
In terms of incident response, if you

892
00:28:49,400 --> 00:28:52,960
already know the victim, you know,

893
00:28:53,320 --> 00:28:54,680
have their systems,

894
00:28:54,680 --> 00:28:57,120
you know, the people, you know the drills

895
00:28:58,360 --> 00:28:59,680
that will make,

896
00:28:59,680 --> 00:29:02,800
a fundamentally sort of tangible difference to

897
00:29:03,320 --> 00:29:05,600
how quickly and efficiently you can

898
00:29:05,600 --> 00:29:06,920
sort of respond

899
00:29:06,920 --> 00:29:08,720
to the incident enormously.

900
00:29:08,720 --> 00:29:09,880
So and

901
00:29:09,880 --> 00:29:12,440
so your mention of the first call.

902
00:29:12,440 --> 00:29:13,400
And when you're going through

903
00:29:13,400 --> 00:29:14,920
asking those questions,

904
00:29:14,920 --> 00:29:15,960
if we've done

905
00:29:15,960 --> 00:29:17,240
that three months earlier

906
00:29:17,240 --> 00:29:19,040
and we've already asked those same questions,

907
00:29:19,040 --> 00:29:21,040
and it's actually a validation exercise.

908
00:29:21,040 --> 00:29:23,040
And because when we did it three months earlier,

909
00:29:23,040 --> 00:29:25,240
it wasn't a Saturday morning at 2 a.m.

910
00:29:25,240 --> 00:29:27,000
It was a reasonable time that had been scheduled

911
00:29:27,000 --> 00:29:28,240
in everyone's diaries.

912
00:29:28,240 --> 00:29:29,920
And we didn't just have the IT team.

913
00:29:29,920 --> 00:29:30,760
We had certain parts

914
00:29:30,760 --> 00:29:32,080
of the operational part of the business

915
00:29:32,080 --> 00:29:33,840
that understood the wider context.

916
00:29:33,840 --> 00:29:34,960
So when we're running through,

917
00:29:34,960 --> 00:29:36,680
we can say, well, you told us this,

918
00:29:36,680 --> 00:29:38,160
is that still the case? Yes.

919
00:29:38,160 --> 00:29:40,920
No. You're not relying on someone's memory

920
00:29:40,920 --> 00:29:42,480
at an incredibly stressful time.

921
00:29:42,480 --> 00:29:42,960
You know,

922
00:29:42,960 --> 00:29:43,840
you're meeting

923
00:29:43,840 --> 00:29:45,440
with the best people at the best time.

924
00:29:45,440 --> 00:29:46,840
And you've also got a list

925
00:29:46,840 --> 00:29:49,320
then of the people you need on the calls.

926
00:29:49,320 --> 00:29:50,480
You know, fishing around

927
00:29:50,480 --> 00:29:52,960
for who would be in charge of this, who knows it.

928
00:29:52,960 --> 00:29:55,080
You've got that structure in place ready to go.

929
00:29:55,080 --> 00:29:58,280
Okay, well, X deals with IT security.

930
00:29:58,480 --> 00:30:01,400
Y is the HR lead, not to say it's

931
00:30:01,400 --> 00:30:03,400
going to be our sort of board

932
00:30:03,400 --> 00:30:05,600
level decision maker and off you go.

933
00:30:05,600 --> 00:30:06,320
Yeah. Exactly.

934
00:30:06,320 --> 00:30:07,000
Yeah, exactly.

935
00:30:07,000 --> 00:30:08,280
And I think

936
00:30:08,280 --> 00:30:10,080
threat actor engagements are a good example

937
00:30:10,080 --> 00:30:11,040
where you know

938
00:30:11,040 --> 00:30:12,280
the pre-breach testing

939
00:30:12,280 --> 00:30:15,080
can really pay dividends.

940
00:30:15,080 --> 00:30:17,800
Because, you know, making a big decision

941
00:30:17,800 --> 00:30:20,840
such as, do we want to engage the threat actor?

942
00:30:21,160 --> 00:30:23,120
Do we want to pay the ransom?

943
00:30:23,120 --> 00:30:24,000
If you're doing that

944
00:30:24,000 --> 00:30:26,840
for the first time conceptually,

945
00:30:26,840 --> 00:30:29,840
in a live breach, it's going to be slow.

946
00:30:29,840 --> 00:30:31,760
You know, there's going to be lots of people

947
00:30:31,760 --> 00:30:32,680
and stakeholders

948
00:30:32,680 --> 00:30:33,880
need to be in the conversation

949
00:30:33,880 --> 00:30:35,480
that need to be assuring.

950
00:30:35,480 --> 00:30:36,720
There's going to be lots of questions

951
00:30:36,720 --> 00:30:38,680
around the legalities of payments,

952
00:30:38,680 --> 00:30:39,520
the mechanics,

953
00:30:39,520 --> 00:30:40,840
who makes payments,

954
00:30:40,840 --> 00:30:42,640
who speaks to the threat actor?

955
00:30:42,640 --> 00:30:46,400
all of that stuff can be worked through,

956
00:30:46,720 --> 00:30:49,720
you know, when you're not in a crisis situation.

957
00:30:49,920 --> 00:30:52,800
So you've got a plan that's been tested

958
00:30:52,800 --> 00:30:53,920
and that will just make your

959
00:30:53,920 --> 00:30:54,960
your incident response

960
00:30:54,960 --> 00:30:56,640
go that much smoother and quicker,

961
00:30:56,640 --> 00:30:58,720
meaning you can, you know, recover faster.

962
00:30:58,720 --> 00:30:59,440
And for the two of you,

963
00:30:59,440 --> 00:31:00,960
what does

964
00:31:00,960 --> 00:31:02,200
what does good look like

965
00:31:02,200 --> 00:31:05,320
when you're called in terms of a victim

966
00:31:05,320 --> 00:31:07,960
giving you the information about where they are

967
00:31:07,960 --> 00:31:08,880
in terms of, say,

968
00:31:08,880 --> 00:31:09,560
from your point of view,

969
00:31:09,560 --> 00:31:12,720
perhaps only on system resilience, on backups.

970
00:31:13,200 --> 00:31:15,760
So I think that the critical part is

971
00:31:15,760 --> 00:31:17,120
someone being able

972
00:31:18,160 --> 00:31:19,840
to see the wider organization.

973
00:31:19,840 --> 00:31:22,840
So the best responses I've been part of

974
00:31:23,040 --> 00:31:24,880
have been with

975
00:31:24,880 --> 00:31:26,920
a senior CIO from the business

976
00:31:26,920 --> 00:31:28,000
that has probably got quite

977
00:31:28,000 --> 00:31:29,760
a lot of operational responsibility.

978
00:31:29,760 --> 00:31:31,720
They've been there for quite a lot of time.

979
00:31:31,720 --> 00:31:34,680
They understand the IT systems, but also how the

980
00:31:34,680 --> 00:31:36,360
the actual human side

981
00:31:36,360 --> 00:31:38,440
of the business functions as well.

982
00:31:38,440 --> 00:31:41,040
Well, if you need to ask this kind of question

983
00:31:41,040 --> 00:31:43,120
about operations, you speak to that person.

984
00:31:43,120 --> 00:31:43,800
They understand

985
00:31:43,800 --> 00:31:45,160
how the business is going to react

986
00:31:45,160 --> 00:31:46,800
to this sudden change in risk.

987
00:31:46,800 --> 00:31:48,240
They have a good relationship

988
00:31:48,240 --> 00:31:49,520
with general counsel.

989
00:31:49,520 --> 00:31:52,640
That's really what good looks like.

990
00:31:53,080 --> 00:31:54,720
The opposite side of, sorry.

991
00:31:54,720 --> 00:31:56,200
So that was one of the lessons

992
00:31:56,200 --> 00:31:56,800
and perhaps is

993
00:31:56,800 --> 00:31:57,800
for organizations

994
00:31:57,800 --> 00:32:01,080
to make sure that they are plugging their CIO

995
00:32:01,080 --> 00:32:04,600
into their sort of C-suite, into the GC,

996
00:32:04,600 --> 00:32:06,640
so that those relationships are there

997
00:32:06,640 --> 00:32:08,560
so that when we come knocking.

998
00:32:10,080 --> 00:32:10,440
Yeah.

999
00:32:10,440 --> 00:32:10,720
I mean.

1000
00:32:10,720 --> 00:32:12,320
They can put us in the right direction and.

1001
00:32:12,320 --> 00:32:13,200
And same for you.

1002
00:32:13,200 --> 00:32:14,560
Jamie what

1003
00:32:14,560 --> 00:32:16,640
what are the sort of things where you go,

1004
00:32:16,640 --> 00:32:18,560
pleased to hear that.

1005
00:32:18,560 --> 00:32:18,840
Yeah.

1006
00:32:18,840 --> 00:32:22,040
It's always nice when there's a very clear line

1007
00:32:22,040 --> 00:32:23,240
of authority at,

1008
00:32:23,240 --> 00:32:25,520
you know, who is making the decisions.

1009
00:32:25,520 --> 00:32:27,240
Something that we've seen,

1010
00:32:27,240 --> 00:32:28,880
you know, on more than one occasion,

1011
00:32:28,880 --> 00:32:29,840
which can really slow

1012
00:32:29,840 --> 00:32:33,120
things down, is a sort of decision paralysis

1013
00:32:33,680 --> 00:32:34,440
where, you know, it's

1014
00:32:34,440 --> 00:32:35,600
such a big decision

1015
00:32:35,600 --> 00:32:36,920
potentially, you know, in

1016
00:32:36,920 --> 00:32:39,480
some of these extreme cases,

1017
00:32:39,480 --> 00:32:41,200
the future viability of the business

1018
00:32:41,200 --> 00:32:42,640
could literally be,

1019
00:32:42,640 --> 00:32:46,440
you know, in question,

1020
00:32:46,920 --> 00:32:50,440
and therefore having somebody who, you know,

1021
00:32:50,440 --> 00:32:52,000
going to this person,

1022
00:32:52,000 --> 00:32:53,720
you're going to get an answer

1023
00:32:53,720 --> 00:32:56,720
and that person has the authority to tell you yay

1024
00:32:56,720 --> 00:32:58,720
or nay regarding a certain action, for example,

1025
00:32:58,720 --> 00:33:00,480
you turning off the network,

1026
00:33:00,480 --> 00:33:02,480
making ransom payments,

1027
00:33:02,480 --> 00:33:04,520
bringing extra support in,

1028
00:33:04,520 --> 00:33:07,200
all those are big questions,

1029
00:33:07,200 --> 00:33:10,200
which can consume a lot of time and resource,

1030
00:33:10,320 --> 00:33:11,560
particularly

1031
00:33:11,560 --> 00:33:14,360
when there's not a clear line of decision making.

1032
00:33:14,360 --> 00:33:16,320
So that certainly makes,

1033
00:33:16,320 --> 00:33:18,200
not only my life easier.

1034
00:33:18,200 --> 00:33:18,520
Yeah.

1035
00:33:18,520 --> 00:33:19,760
But I think the sort of victim

1036
00:33:19,760 --> 00:33:21,560
organization's recovery.

1037
00:33:21,560 --> 00:33:22,600
And do you see situations

1038
00:33:22,600 --> 00:33:23,800
where there's a bit of a

1039
00:33:23,800 --> 00:33:25,120
push pull within the business?

1040
00:33:25,120 --> 00:33:28,360
I remember one where, people

1041
00:33:28,360 --> 00:33:30,080
I work with dealt with,

1042
00:33:30,080 --> 00:33:31,520
a logistics business where,

1043
00:33:32,520 --> 00:33:33,960
like, classically, the threat

1044
00:33:33,960 --> 00:33:35,400
actors hit you at a bad time.

1045
00:33:35,400 --> 00:33:36,560
So say, for example,

1046
00:33:36,560 --> 00:33:37,880
you've got that Christmas

1047
00:33:37,880 --> 00:33:38,680
run up,

1048
00:33:38,680 --> 00:33:40,280
you've got warehouses full of stuff

1049
00:33:40,280 --> 00:33:41,840
you need to deliver,

1050
00:33:41,840 --> 00:33:44,800
you've been hit and you've got that push

1051
00:33:44,800 --> 00:33:46,360
pull within the business or people going, oh,

1052
00:33:46,360 --> 00:33:47,880
I can't access my emails.

1053
00:33:47,880 --> 00:33:49,120
And the chairman's

1054
00:33:49,120 --> 00:33:51,000
sort of saying, someone get my email sorted out.

1055
00:33:51,000 --> 00:33:51,800
Whereas in fact,

1056
00:33:51,800 --> 00:33:52,680
perhaps for the business,

1057
00:33:52,680 --> 00:33:54,040
the important thing is to

1058
00:33:54,040 --> 00:33:55,040
get into the warehouses,

1059
00:33:55,040 --> 00:33:57,200
do a stocktake, work out what needs to be where,

1060
00:33:57,200 --> 00:33:59,320
start putting together systems

1061
00:33:59,320 --> 00:34:01,440
that will enable the business to function,

1062
00:34:01,440 --> 00:34:02,760
and you've got to park

1063
00:34:02,760 --> 00:34:04,400
some of the sort of you've got to identify

1064
00:34:04,400 --> 00:34:05,960
what's a luxury, what's a must have,

1065
00:34:05,960 --> 00:34:07,280
I guess early on.

1066
00:34:07,280 --> 00:34:09,920
Do you see that sort of prioritization process

1067
00:34:09,920 --> 00:34:11,960
so emerge relatively early in a.

1068
00:34:13,760 --> 00:34:14,080
Yeah.

1069
00:34:14,080 --> 00:34:14,840
You do.

1070
00:34:14,840 --> 00:34:15,640
I mean, you know,

1071
00:34:15,640 --> 00:34:17,480
of course you need to look at what

1072
00:34:17,480 --> 00:34:18,400
what has been

1073
00:34:18,400 --> 00:34:20,520
the operational impact on the business

1074
00:34:20,520 --> 00:34:22,200
from the cyber attack.

1075
00:34:22,200 --> 00:34:23,480
And once you know that,

1076
00:34:23,480 --> 00:34:25,440
then you can start to put a plan in place to

1077
00:34:25,440 --> 00:34:28,280
to sort of get, you know, back up and running.

1078
00:34:28,280 --> 00:34:29,080
I'm not sure

1079
00:34:29,080 --> 00:34:31,400
whether I'm pinching one of your sayings earlier,

1080
00:34:31,400 --> 00:34:32,920
whether it's somewhere

1081
00:34:32,920 --> 00:34:34,160
else, but,

1082
00:34:34,160 --> 00:34:34,720
you know,

1083
00:34:34,720 --> 00:34:35,960
once you've had the attack

1084
00:34:35,960 --> 00:34:38,160
and you're starting to get back on your feet,

1085
00:34:38,160 --> 00:34:41,000
you're starting to bring systems back online,

1086
00:34:41,000 --> 00:34:41,440
you know, so,

1087
00:34:41,440 --> 00:34:43,480
so perhaps one at a time, one

1088
00:34:43,480 --> 00:34:44,920
application for certain.

1089
00:34:44,920 --> 00:34:47,320
Perhaps the finance application

1090
00:34:47,320 --> 00:34:48,640
might be one of the early ones.

1091
00:34:48,640 --> 00:34:50,320
Maybe HR

1092
00:34:50,320 --> 00:34:50,800
what you can

1093
00:34:50,800 --> 00:34:52,240
sometimes have is

1094
00:34:52,240 --> 00:34:54,360
what's sometimes referred to as a sort of a

1095
00:34:54,360 --> 00:34:54,840
The Hunger

1096
00:34:54,840 --> 00:34:56,360
Games scenario, where

1097
00:34:56,360 --> 00:34:57,240
different business

1098
00:34:57,240 --> 00:34:58,720
heads are competing

1099
00:34:58,720 --> 00:34:59,920
for their application

1100
00:34:59,920 --> 00:35:01,440
to be put back online first, which.

1101
00:35:01,440 --> 00:35:02,160
Is perfectly natural,

1102
00:35:02,160 --> 00:35:02,480
I guess,

1103
00:35:02,480 --> 00:35:04,160
but it's slightly Darwinian in that

1104
00:35:04,160 --> 00:35:06,200
everyone's sort of jockeying for position

1105
00:35:06,200 --> 00:35:08,520
to get in. And yeah, it's completely natural.

1106
00:35:08,520 --> 00:35:11,520
And, you know, from our perspective,

1107
00:35:11,520 --> 00:35:12,600
you know, we need to make sure

1108
00:35:13,920 --> 00:35:14,840
it's done properly.

1109
00:35:14,840 --> 00:35:17,600
So systems are, you know, we

1110
00:35:17,600 --> 00:35:19,400
again, I'm speaking to Ollie’s bit here,

1111
00:35:19,400 --> 00:35:20,200
but we want to make sure

1112
00:35:20,200 --> 00:35:22,160
that anything brought back online is clean.

1113
00:35:22,160 --> 00:35:23,960
And we verified it's clean.

1114
00:35:23,960 --> 00:35:25,320
It's safe.

1115
00:35:25,320 --> 00:35:27,560
We want to be, you know, comfortable.

1116
00:35:27,560 --> 00:35:28,000
Look,

1117
00:35:28,000 --> 00:35:30,120
you know, any risk of a sort of secondary

1118
00:35:30,120 --> 00:35:31,080
or follow-on

1119
00:31:31,080 --> 00:35:32,520
attack has been removed insofar

1120
00:35:32,520 --> 00:35:35,040
as we can possibly have that for sure.

1121
00:35:35,040 --> 00:35:36,080
And if you've got that,

1122
00:35:36,080 --> 00:35:37,640
I guess the two pronged thing

1123
00:35:37,640 --> 00:35:41,120
we see now with encryption and exfiltration

1124
00:35:41,680 --> 00:35:42,800
of what's the point?

1125
00:35:42,800 --> 00:35:44,200
I guess, Ollie, it is for you.

1126
00:35:44,200 --> 00:35:47,080
Are you looking for traces of exfiltration?

1127
00:35:47,080 --> 00:35:49,080
So essentially, immediately.

1128
00:35:49,080 --> 00:35:51,040
But almost every incident these days,

1129
00:35:51,040 --> 00:35:51,520
we know that

1130
00:35:51,520 --> 00:35:53,360
that's going to be a critical work stream.

1131
00:35:53,360 --> 00:35:53,880
The business

1132
00:35:53,880 --> 00:35:54,840
being able to understand

1133
00:35:54,840 --> 00:35:56,200
what happened

1134
00:35:56,200 --> 00:35:59,560
is so important, you know, it runs

1135
00:35:59,560 --> 00:36:00,760
in parallel with containment.

1136
00:36:04,360 --> 00:36:06,360
So therefore being able to be clear

1137
00:36:06,360 --> 00:36:09,360
with the victim in this case,

1138
00:36:09,480 --> 00:36:10,280
these are the kind of things

1139
00:36:10,280 --> 00:36:11,240
we're going to be looking for.

1140
00:36:11,240 --> 00:36:12,800
Please don't touch those kind of systems.

1141
00:36:12,800 --> 00:36:13,920
Understanding when,

1142
00:36:13,920 --> 00:36:16,480
logs are likely to time out,

1143
00:36:16,480 --> 00:36:18,000
but only keep a week, 2

1144
00:36:18,000 --> 00:36:20,680
or 3 weeks or longer in logs

1145
00:36:20,680 --> 00:36:22,360
and taking a snapshot.

1146
00:36:22,360 --> 00:36:23,920
Now, even if we're not going to start

1147
00:36:23,920 --> 00:36:25,080
looking at them for a few days

1148
00:36:25,080 --> 00:36:27,360
because we're prioritizing containment,

1149
00:36:27,360 --> 00:36:29,120
doing that kind of stuff early

1150
00:36:29,120 --> 00:36:30,400
allows you to make sure that you haven't

1151
00:36:30,400 --> 00:36:31,680
made those kind of errors.

1152
00:36:31,680 --> 00:36:32,080
You know,

1153
00:36:32,080 --> 00:36:33,160
as Ollie touched on,

1154
00:36:33,160 --> 00:36:35,800
as far as exfiltration is concerned,

1155
00:36:35,800 --> 00:36:37,040
pretty much every incident

1156
00:36:37,040 --> 00:36:38,600
these days, ransomware incident,

1157
00:36:38,600 --> 00:36:41,640
there'll be an exfiltration component,

1158
00:36:41,640 --> 00:36:45,440
and usually get quite quick

1159
00:36:45,440 --> 00:36:46,720
confirmation of that.

1160
00:36:46,720 --> 00:36:49,160
So there can be some telltale clues.

1161
00:36:49,160 --> 00:36:51,200
Forensically, there might be a big spike

1162
00:36:51,200 --> 00:36:53,360
in network traffic going to an unknown IP

1163
00:36:53,360 --> 00:36:54,360
address.

1164
00:36:54,360 --> 00:36:56,840
2:00 in the morning, whatever it might be.

1165
00:36:56,840 --> 00:36:59,080
But so also the threat actors themselves,

1166
00:36:59,080 --> 00:36:59,960
you know,

1167
00:36:59,960 --> 00:37:02,960
they've definitely shortened the amount of time

1168
00:37:03,160 --> 00:37:06,800
that they take between carrying out the attack

1169
00:37:07,160 --> 00:37:08,400
and then posting something

1170
00:37:08,400 --> 00:37:10,240
on one of the leak sites.

1171
00:37:10,240 --> 00:37:13,760
Might just be an allegation

1172
00:37:13,760 --> 00:37:15,080
that they've taken the data.

1173
00:37:15,080 --> 00:37:18,080
It might be initially a small snip of the data,

1174
00:37:18,160 --> 00:37:19,560
a very small sample.

1175
00:37:21,160 --> 00:37:21,600
It might

1176
00:37:21,600 --> 00:37:22,760
be that they've decided

1177
00:37:22,760 --> 00:37:24,720
to talk directly to certain

1178
00:37:24,720 --> 00:37:26,120
cyber journalists again,

1179
00:37:26,120 --> 00:37:28,760
as a sort of a pressure leverage tactic.

1180
00:37:28,760 --> 00:37:30,080
And of course, all of these things,

1181
00:37:30,080 --> 00:37:31,360
as you can imagine,

1182
00:37:31,360 --> 00:37:35,200
significantly also feed into the comms strategy,

1183
00:37:35,680 --> 00:37:37,240
and what comms,

1184
00:37:37,240 --> 00:37:39,360
if any, the business decides to sort of push out

1185
00:37:39,360 --> 00:37:40,400
and when.

1186
00:37:40,400 --> 00:37:40,640
And it's

1187
00:37:40,640 --> 00:37:42,760
that sort of speed of action

1188
00:37:42,760 --> 00:37:45,760
on the part of the threat actor, perhaps,

1189
00:37:45,800 --> 00:37:47,800
a reaction to the fact that perhaps detection

1190
00:37:47,800 --> 00:37:50,240
systems are better than they used to be.

1191
00:37:50,240 --> 00:37:50,520
Sort of.

1192
00:37:50,520 --> 00:37:51,600
A large amount of data

1193
00:37:51,600 --> 00:37:52,960
is taken out of the system.

1194
00:37:52,960 --> 00:37:55,280
An alarm bell might sound someone they know.

1195
00:37:55,280 --> 00:37:56,960
For example, that

1196
00:37:56,960 --> 00:37:57,600
that might trigger

1197
00:37:57,600 --> 00:38:00,600
a set of actions internally that might

1198
00:38:00,920 --> 00:38:02,560
stop them going about their business.

1199
00:38:02,560 --> 00:38:04,640
So they want to move a bit quicker

1200
00:38:04,640 --> 00:38:05,520
than perhaps they used to

1201
00:38:05,520 --> 00:38:06,640
when systems weren't as good

1202
00:38:06,640 --> 00:38:09,120
at spotting that kind of.

1203
00:38:09,120 --> 00:38:11,520
So I think that's happening, what we used to call

1204
00:38:11,520 --> 00:38:13,280
still sort of happen to be called dwell time.

1205
00:38:13,280 --> 00:38:14,960
So before they get up to

1206
00:38:14,960 --> 00:38:16,880
the point of encryption

1207
00:38:18,120 --> 00:38:19,000
has decreased.

1208
00:38:19,000 --> 00:38:21,720
That's happening much faster.

1209
00:38:21,720 --> 00:38:24,080
Also the,

1210
00:38:24,080 --> 00:38:24,560
the different

1211
00:38:24,560 --> 00:38:26,600
the time between encryption and a client,

1212
00:38:26,600 --> 00:38:29,480
a victim being aware of what's happened here

1213
00:38:29,480 --> 00:38:32,480
and then being named has shortened because

1214
00:38:33,600 --> 00:38:35,760
threat groups realize there's no real advantage

1215
00:38:35,760 --> 00:38:36,640
to hanging around.

1216
00:38:36,640 --> 00:38:38,200
They don't want to keep this data any longer

1217
00:38:38,200 --> 00:38:41,200
than they need to in order to extort people.

1218
00:38:41,200 --> 00:38:43,840
And

1219
00:38:43,840 --> 00:38:45,400
I think to a certain degree,

1220
00:38:45,400 --> 00:38:47,000
they've realized that if an organization

1221
00:38:47,000 --> 00:38:48,920
hasn't paid in a certain amount of time,

1222
00:38:48,920 --> 00:38:50,760
they're probably not going to

1223
00:38:50,760 --> 00:38:52,200
this is a numbers game for them

1224
00:38:52,200 --> 00:38:53,280
that trying to roll through this

1225
00:38:53,280 --> 00:38:54,520
as quickly as possible,

1226
00:38:54,520 --> 00:38:56,680
which very much to Jamie's point around

1227
00:38:56,680 --> 00:38:58,720
making sure that you're

1228
00:38:58,720 --> 00:39:01,880
prepared to negotiate quickly is important

1229
00:39:02,080 --> 00:39:03,480
if you do want to engage,

1230
00:39:03,480 --> 00:39:04,600
if you do need to either

1231
00:39:04,600 --> 00:39:06,400
buy time or get additional information,

1232
00:39:06,400 --> 00:39:09,400
not engaging fast enough could well be the

1233
00:39:09,720 --> 00:39:10,280
you know,

1234
00:39:10,280 --> 00:39:12,240
you may well be beaten to the punch by the

1235
00:39:12,240 --> 00:39:13,160
the press and up.

1236
00:39:13,160 --> 00:39:14,880
Well, I hope that was all very useful.

1237
00:39:14,880 --> 00:39:16,320
And, thank you for joining us.

1238
00:39:16,320 --> 00:39:19,200
And we hope you will join us next time for the,

1239
00:39:19,200 --> 00:39:20,720
the next episode in the series.

1240
00:39:20,720 --> 00:39:21,560
Thank you very much.

1241
00:39:23,320 --> 00:39:24,360
Thank you for listening to

1242
00:39:24,360 --> 00:39:27,360
Risk Matters, the DWF insurance podcast.

1243
00:39:27,400 --> 00:39:28,720
We hope you join us again soon

1244
00:39:28,720 --> 00:39:30,400
for future podcasts in our series.