Risk Matters Podcast | Cyber Incident Response

Audio Transcripts

Episode 3 part one

1
00:00:00,120 --> 00:00:00,920
Welcome to Risk

2
00:00:00,920 --> 00:00:02,520
Matters, the insurance podcast

3
00:00:02,520 --> 00:00:03,720
brought to you by DWF

4
00:00:03,720 --> 00:00:04,680
and your global guide

5
00:00:04,680 --> 00:00:05,520
to the latest trends

6
00:00:05,520 --> 00:00:06,800
and issues in the insurance

7
00:00:06,800 --> 00:00:08,640
and reinsurance industry.

8
00:00:08,640 --> 00:00:09,120
Join us

9
00:00:09,120 --> 00:00:10,640
as we explore topical issues,

10
00:00:10,640 --> 00:00:11,720
emerging technologies,

11
00:00:11,720 --> 00:00:12,960
and the innovative strategies

12
00:00:12,960 --> 00:00:14,400
that are shaping the global future

13
00:00:14,400 --> 00:00:17,400
of insurance.

14
00:00:20,160 --> 00:00:20,600
Welcome

15
00:00:20,600 --> 00:00:22,360
to another episode of Risk Matters

16
00:00:22,360 --> 00:00:23,920
DWF insurance podcast.

17
00:00:23,920 --> 00:00:25,200
I'm delighted to be joined today

18
00:00:25,200 --> 00:00:26,680
by Jamie Taylor,

19
00:00:26,680 --> 00:00:29,520
a director in, Cyber and Data Team,

20
00:00:29,520 --> 00:00:33,360
and by Ollie Price, a director at SRM.

21
00:00:33,400 --> 00:00:36,400
He specializes in, I guess, incident response

22
00:00:36,400 --> 00:00:39,960
and with a history of, work in network security

23
00:00:40,120 --> 00:00:41,360
and network systems.

24
00:00:41,360 --> 00:00:42,680
Just to sort of set the scene,

25
00:00:42,680 --> 00:00:45,600
I expect in terms of incident response,

26
00:00:45,600 --> 00:00:46,760
it's useful to bear in mind,

27
00:00:46,760 --> 00:00:49,080
because I think the three of us have sort of

28
00:00:49,080 --> 00:00:50,480
been around the block a few times

29
00:00:50,480 --> 00:00:52,360
now that it's been quite a long journey,

30
00:00:52,360 --> 00:00:54,480
and it's evolving, law,

31
00:00:54,480 --> 00:00:55,720
perhaps in particular for Jamie

32
00:00:55,720 --> 00:00:59,320
and I, sort of chugs along, but Ollie your space is

33
00:00:59,960 --> 00:01:02,360
is rather more dynamic.

34
00:01:02,360 --> 00:01:05,080
I guess in the great scheme of things.

35
00:01:05,080 --> 00:01:06,480
Certainly threatens to be.

36
00:01:06,480 --> 00:01:08,040
I think

37
00:01:08,040 --> 00:01:08,560
it's been

38
00:01:08,560 --> 00:01:10,240
interesting in their preparation for this,

39
00:01:10,240 --> 00:01:12,160
I was looking back into the

40
00:01:12,160 --> 00:01:15,560
the NotPetya attack against Ukraine in 2017,

41
00:01:15,880 --> 00:01:18,680
and the the memory doesn't quite sit right.

42
00:01:18,680 --> 00:01:20,360
I had to go back and look at what the original,

43
00:01:20,360 --> 00:01:21,440
original ransom note was.

44
00:01:21,440 --> 00:01:23,600
It was like ransom notes of the day

45
00:01:23,600 --> 00:01:25,400
demanded $300,

46
00:01:25,400 --> 00:01:26,680
which I'm sure for those of us

47
00:01:26,680 --> 00:01:28,400
that have done a ransomware case recently.

48
00:01:28,400 --> 00:01:29,720
Yeah, I wish that

49
00:01:29,720 --> 00:01:31,560
that was the ransom these days for most of these.

50
00:01:31,560 --> 00:01:32,160
Cases, paper

51
00:01:32,160 --> 00:01:34,200
nailed on the door or something like that. Yeah.

52
00:01:34,200 --> 00:01:35,720
I mean, I was doing something

53
00:01:35,720 --> 00:01:36,920
very similar and,

54
00:01:36,920 --> 00:01:37,280
remembering

55
00:01:37,280 --> 00:01:37,680
when I was doing

56
00:01:37,680 --> 00:01:39,640
some work experience of solicitors firms

57
00:01:39,640 --> 00:01:42,640
and you had to sort of clamber through corridors

58
00:01:42,760 --> 00:01:43,520
full of paper.

59
00:01:43,520 --> 00:01:45,800
People had desks piled high with paper.

60
00:01:45,800 --> 00:01:48,920
And even as a trainee, I think the reliance on

61
00:01:49,360 --> 00:01:51,640
sort of the IT kit was pretty modest. We

62
00:01:52,640 --> 00:01:54,040
we had a bit of word processing.

63
00:01:54,040 --> 00:01:56,640
We might have used stuff for,

64
00:01:56,640 --> 00:01:58,800
say financial record keeping

65
00:01:58,800 --> 00:01:59,600
and other things on that.

66
00:01:59,600 --> 00:02:02,400
But most of the day to day we book was paper.

67
00:02:02,400 --> 00:02:04,080
Think back to the first ransomware

68
00:02:04,080 --> 00:02:06,560
and it was on floppy disk like 1989.

69
00:02:06,560 --> 00:02:08,720
So things are things have changed quite a bit.

70
00:02:08,720 --> 00:02:09,440
But it meant that

71
00:02:09,440 --> 00:02:10,720
I think that sort of changes

72
00:02:10,720 --> 00:02:11,520
the dynamics as well.

73
00:02:11,520 --> 00:02:14,520
And because it's incremental, I think,

74
00:02:14,840 --> 00:02:17,000
a lot of businesses didn't think they were

75
00:02:17,000 --> 00:02:17,800
tech businesses

76
00:02:17,800 --> 00:02:19,040
actually went on a journey

77
00:02:19,040 --> 00:02:20,480
where they

78
00:02:20,480 --> 00:02:22,560
we're more reliant on tech than they thought

79
00:02:22,560 --> 00:02:23,760
and certainly saved

80
00:02:23,760 --> 00:02:25,520
a classic law firm

81
00:02:25,520 --> 00:02:26,800
where now you'd have perhaps

82
00:02:26,800 --> 00:02:27,440
your case

83
00:02:27,440 --> 00:02:30,560
management systems, your client systems,

84
00:02:30,560 --> 00:02:32,120
your financial systems,

85
00:02:32,120 --> 00:02:34,040
your email, you know, your documents.

86
00:02:34,040 --> 00:02:35,120
If most people or

87
00:02:35,120 --> 00:02:37,240
a lot of people would be paperless now.

88
00:02:37,240 --> 00:02:38,760
So you've got two things, I guess.

89
00:02:38,760 --> 00:02:39,520
One is

90
00:02:39,520 --> 00:02:42,760
you've got a vast amount of data on your systems.

91
00:02:43,080 --> 00:02:44,640
And the second thing is you're

92
00:02:44,640 --> 00:02:46,240
increasingly reliant on your systems.

93
00:02:46,240 --> 00:02:48,440
And that I think from a

94
00:02:48,440 --> 00:02:51,440
an external bad actor perspective,

95
00:02:51,920 --> 00:02:53,840
criticism of opportunities is

96
00:02:53,840 --> 00:02:55,640
the value of the data is enormous.

97
00:02:55,640 --> 00:02:57,680
So in the same way that one might have,

98
00:02:57,680 --> 00:02:58,840
I was thinking on the,

99
00:02:58,840 --> 00:02:59,200
way over here,

100
00:02:59,200 --> 00:03:01,760
sort of a large amount of money in a bank,

101
00:03:01,760 --> 00:03:02,960
a large amount of data on the system

102
00:03:02,960 --> 00:03:05,400
is is hugely attractive to an attacker.

103
00:03:05,400 --> 00:03:07,760
And if you couple that with businesses

104
00:03:07,760 --> 00:03:10,760
reliance on the system and the

105
00:03:11,080 --> 00:03:13,360
that sort of ransom element where

106
00:03:13,360 --> 00:03:14,840
if the system's not available to you,

107
00:03:16,120 --> 00:03:16,760
that causes you a

108
00:03:16,760 --> 00:03:17,360
lot of problems,

109
00:03:17,360 --> 00:03:19,760
you've got a real opportunity for,

110
00:03:19,760 --> 00:03:22,240
the bad sort of the threat actors

111
00:03:22,240 --> 00:03:24,320
to to come and try and take advantage

112
00:03:24,320 --> 00:03:25,560
and does that,

113
00:03:25,560 --> 00:03:26,920
I guess, for the two of you,

114
00:03:26,920 --> 00:03:30,200
in terms of your journeys, have you seen the

115
00:03:30,440 --> 00:03:31,520
the sort of severity

116
00:03:31,520 --> 00:03:33,800
and frequency of incidents like this

117
00:03:33,800 --> 00:03:36,800
is that the upward track that I would expect?

118
00:03:36,840 --> 00:03:37,760
Yeah, absolutely.

119
00:03:37,760 --> 00:03:40,760
I mean, you know, if there's one constant,

120
00:03:41,240 --> 00:03:42,360
it's that threat actors

121
00:03:42,360 --> 00:03:44,480
have continued to evolve over time.

122
00:03:44,480 --> 00:03:45,800
So, you know,

123
00:03:45,800 --> 00:03:46,800
think about if you're

124
00:03:46,800 --> 00:03:49,800
a threat actor deploying ransomware,

125
00:03:50,000 --> 00:03:52,040
one of the barriers to entry

126
00:03:52,040 --> 00:03:52,880
that you used to come across

127
00:03:53,480 --> 00:03:56,480
is having to have your own encryption malware.

128
00:03:56,720 --> 00:03:58,440
You had to develop that.

129
00:03:58,440 --> 00:03:59,600
So of course, what threat actors

130
00:03:59,600 --> 00:04:01,920
that over time they develop the ransomware

131
00:04:01,920 --> 00:04:03,280
as a service model

132
00:04:03,280 --> 00:04:05,720
so they could scale up massively.

133
00:04:05,720 --> 00:04:07,040
and that's what we've seen over the last.

134
00:04:07,040 --> 00:04:09,600
They have sort of franchise technologies. Yeah.

135
00:04:09,600 --> 00:04:11,240
And that there's so many examples.

136
00:04:11,240 --> 00:04:13,800
I don't know of how threat actors have evolved,

137
00:04:13,800 --> 00:04:15,000
in response

138
00:04:15,000 --> 00:04:16,360
to organizations

139
00:04:16,360 --> 00:04:18,760
trying to better protect themselves, better,

140
00:04:18,760 --> 00:04:20,720
you know, of course, we've had

141
00:04:20,720 --> 00:04:22,680
perhaps the most obvious example

142
00:04:22,680 --> 00:04:25,200
in response to encryption.

143
00:04:25,200 --> 00:04:27,880
companies have upped the game

144
00:04:27,880 --> 00:04:29,240
in terms of the backups.

145
00:04:29,240 --> 00:04:30,880
So they now have air gapped

146
00:04:30,880 --> 00:04:32,960
and immutable backups.

147
00:04:32,960 --> 00:04:33,680
In response

148
00:04:33,680 --> 00:04:34,280
to that

149
00:04:34,280 --> 00:04:37,280
threat, actors have pivoted to exfiltration.

150
00:04:37,840 --> 00:04:40,560
you know, we've had a a massive uptake

151
00:04:40,560 --> 00:04:44,240
in multifactor authentication over the years.

152
00:04:44,280 --> 00:04:46,880
threat actors again, have pivoted.

153
00:04:46,880 --> 00:04:50,000
And now deploying attacks such as MFA bombing

154
00:04:50,240 --> 00:04:51,760
attackers in the middle,

155
00:04:51,760 --> 00:04:55,160
in order to bypass those sort of MFA controls.

156
00:04:55,760 --> 00:04:58,400
in recent times, we've seen

157
00:04:59,440 --> 00:05:00,040
a lot of law

158
00:05:00,040 --> 00:05:02,000
enforcement activity taking down

159
00:05:02,000 --> 00:05:04,040
some of the big players in ransomeware,

160
00:05:04,040 --> 00:05:04,240
you know,

161
00:05:04,240 --> 00:05:05,640
the Contis of this world

162
00:05:05,640 --> 00:05:08,120
was the LockBits, the ALPHVs,

163
00:05:08,120 --> 00:05:10,280
but very, very quickly

164
00:05:10,280 --> 00:05:13,280
we see new entities emerge ransom hub, for example.

165
00:05:13,840 --> 00:05:16,840
So the threat actor evolution just continues to,

166
00:05:17,400 --> 00:05:20,800
you know, develop saw some stats recently.

167
00:05:20,800 --> 00:05:22,360
I think it was from chain analysis.

168
00:05:22,360 --> 00:05:23,120
That's.

169
00:05:23,120 --> 00:05:26,920
In 2023 the amounts of ransom payments.

170
00:05:26,920 --> 00:05:29,920
So not ransom demands but ransom payments

171
00:05:29,960 --> 00:05:33,440
was about 1.1 billion, just in those 12 months.

172
00:05:33,440 --> 00:05:35,000
So that I think, speaks volumes

173
00:05:35,000 --> 00:05:36,080
as to how the severity

174
00:05:36,080 --> 00:05:38,200
and the volume has increased.

175
00:05:38,200 --> 00:05:39,680
Threat actors aren't doing this thing

176
00:05:39,680 --> 00:05:42,080
because they enjoy getting better

177
00:05:42,080 --> 00:05:43,840
at being threat actors and criminals.

178
00:05:43,840 --> 00:05:44,400
They're doing this

179
00:05:44,400 --> 00:05:46,000
because they're being challenged

180
00:05:46,000 --> 00:05:48,240
by organizations that are getting better.

181
00:05:48,240 --> 00:05:49,960
If criminals could make as much money

182
00:05:49,960 --> 00:05:50,840
as they wanted doing

183
00:05:50,840 --> 00:05:52,040
what they did seven years ago,

184
00:05:52,040 --> 00:05:53,720
they'd still be doing it.

185
00:05:53,720 --> 00:05:55,240
I think what we're really saying is,

186
00:05:55,240 --> 00:05:57,640
you know, this is an adversarial problem.

187
00:05:57,640 --> 00:06:00,640
The the goodies and the baddies are vying here.

188
00:06:00,760 --> 00:06:01,920
And yeah.

189
00:06:01,920 --> 00:06:04,000
It's very much a call and response.

190
00:06:04,000 --> 00:06:05,200
But I think also

191
00:06:06,560 --> 00:06:07,560
being aware that the

192
00:06:07,560 --> 00:06:09,600
cybersecurity space

193
00:06:09,600 --> 00:06:12,600
is a bubble within a bubble.

194
00:06:12,600 --> 00:06:13,600
It's being impacted

195
00:06:13,600 --> 00:06:13,840
a lot

196
00:06:13,840 --> 00:06:17,200
by the effects of digitization by, say,

197
00:06:17,200 --> 00:06:18,240
sort of AI.

198
00:06:18,240 --> 00:06:20,480
But this additional fragility

199
00:06:20,480 --> 00:06:21,760
that's coming into the system,

200
00:06:21,760 --> 00:06:23,520
I think is very much played into their hands.

201
00:06:23,520 --> 00:06:25,120
You know, as organizations

202
00:06:25,120 --> 00:06:26,040
move away from paper

203
00:06:26,040 --> 00:06:29,080
to having stuff in on computers,

204
00:06:29,840 --> 00:06:31,080
and that's incredibly efficient,

205
00:06:31,080 --> 00:06:32,680
allows the business to move quite quickly,

206
00:06:32,680 --> 00:06:34,280
but it does make it more fragile.

207
00:06:34,280 --> 00:06:36,040
We saw that during the novel Covid

208
00:06:36,040 --> 00:06:38,440
pandemic, where supply chains became fragile

209
00:06:38,440 --> 00:06:39,840
because they were spread out.

210
00:06:39,840 --> 00:06:41,840
And I think we see exactly the same situation

211
00:06:41,840 --> 00:06:44,840
that's playing into this ransomware card.

212
00:06:44,840 --> 00:06:46,360
I don't think that's a good alternative.

213
00:06:46,360 --> 00:06:47,160
I'm not suggesting

214
00:06:47,160 --> 00:06:48,520
we go back to working on paper,

215
00:06:48,520 --> 00:06:49,200
but it is a thing

216
00:06:49,200 --> 00:06:51,120
for organizations to be aware of.

217
00:06:51,120 --> 00:06:53,200
there's still a school of thought out there.

218
00:06:53,200 --> 00:06:53,680
I don't think it's

219
00:06:53,680 --> 00:06:54,680
particularly popular now,

220
00:06:54,680 --> 00:06:56,160
but I think certainly exists that

221
00:06:56,160 --> 00:06:57,840
when it comes to backups,

222
00:06:57,840 --> 00:06:58,080
you know,

223
00:06:58,080 --> 00:06:59,080
because threat actors

224
00:06:59,080 --> 00:07:00,480
got so good at infiltrating

225
00:07:00,480 --> 00:07:02,320
the backups themselves,

226
00:07:02,320 --> 00:07:04,960
you know, are old fashioned tapes

227
00:07:04,960 --> 00:07:05,920
a better solution?

228
00:07:05,920 --> 00:07:07,840
You know, they're not sort of electronic.

229
00:07:07,840 --> 00:07:09,520
that that's one option.

230
00:07:10,480 --> 00:07:11,640
but it did.

231
00:07:11,640 --> 00:07:12,920
The observation I think I have

232
00:07:12,920 --> 00:07:15,280
is that against that

233
00:07:15,280 --> 00:07:17,840
threat landscape that we've seen,

234
00:07:17,840 --> 00:07:20,840
you know, the the law has also evolved.

235
00:07:21,080 --> 00:07:23,240
Wouldn't say it's quite kept pace.

236
00:07:23,240 --> 00:07:26,240
but for example, we've gone from,

237
00:07:26,560 --> 00:07:26,840
you know,

238
00:07:26,840 --> 00:07:28,560
Data Protection Act 1998

239
00:07:28,560 --> 00:07:30,560
where there was no mandatory

240
00:07:30,560 --> 00:07:32,120
breach reporting regime,

241
00:07:32,120 --> 00:07:34,160
albeit it was still encouraged by the regulator

242
00:07:34,160 --> 00:07:36,040
at the time.

243
00:07:36,040 --> 00:07:37,120
and we're now in a situation,

244
00:07:37,120 --> 00:07:37,480
of course,

245
00:07:37,480 --> 00:07:40,840
we have the GDPR sort of 72 hour time frame.

246
00:07:41,360 --> 00:07:43,920
If you're telecoms provider,

247
00:07:43,920 --> 00:07:44,680
you might be required

248
00:07:44,680 --> 00:07:47,680
under PaCA to notify within 24 hours.

249
00:07:47,720 --> 00:07:50,720
If you were a payment service provider,

250
00:07:50,920 --> 00:07:52,320
you might be required to notify

251
00:07:52,320 --> 00:07:54,400
within four hours on the psd2.

252
00:07:54,400 --> 00:07:57,200
So timescales are getting shorter.

253
00:07:57,200 --> 00:07:57,560
And that,

254
00:07:57,560 --> 00:07:58,760
of course, is a reaction

255
00:07:58,760 --> 00:08:00,760
to the severity of the threats,

256
00:08:00,760 --> 00:08:02,480
that these organizations are facing.

257
00:08:03,520 --> 00:08:05,320
And then in terms of the perhaps the

258
00:08:05,320 --> 00:08:08,680
the threat actors, we can see I expect that,

259
00:08:10,160 --> 00:08:13,480
if you cybercrime is so much more straightforward

260
00:08:13,480 --> 00:08:14,000
in some ways

261
00:08:14,000 --> 00:08:15,400
and physical crime

262
00:08:15,400 --> 00:08:18,000
because you can do it to anyone from anywhere.

263
00:08:18,000 --> 00:08:21,280
And in an area where we're working from home

264
00:08:21,280 --> 00:08:22,480
is a, thing.

265
00:08:22,480 --> 00:08:24,800
Now, someone with the right jurisdiction.

266
00:08:24,800 --> 00:08:26,520
Agnostic. Yeah.

267
00:08:26,520 --> 00:08:29,520
And you've got all the kind of, I guess,

268
00:08:29,880 --> 00:08:31,120
challenges one might have

269
00:08:31,120 --> 00:08:32,440
you know we look at if

270
00:08:32,440 --> 00:08:34,080
we are dealing with organizations

271
00:08:34,080 --> 00:08:35,560
that are victims of,

272
00:08:35,560 --> 00:08:37,520
thefts and or,

273
00:08:37,520 --> 00:08:40,320
let's say, the financial diversions we see

274
00:08:40,320 --> 00:08:41,280
actually tracing the money

275
00:08:41,280 --> 00:08:42,640
can be financially difficult because of that,

276
00:08:42,640 --> 00:08:44,240
because you find that the money

277
00:08:44,240 --> 00:08:46,720
will ping around those different jurisdictions.

278
00:08:46,720 --> 00:08:48,240
but it does mean that

279
00:08:48,240 --> 00:08:49,800
you can't just look within your own

280
00:08:49,800 --> 00:08:51,920
sort of jurisdiction for the risk

281
00:08:51,920 --> 00:08:52,960
you're trying to manage, a risk

282
00:08:52,960 --> 00:08:54,920
that is sort of,

283
00:08:54,920 --> 00:08:55,920
extra jurisdictional

284
00:08:55,920 --> 00:08:57,560
that could come from from anywhere.

285
00:08:57,560 --> 00:08:59,400
And that makes the challenges,

286
00:08:59,400 --> 00:09:01,040
even more difficult for

287
00:09:01,040 --> 00:09:02,960
but for both of you, I guess.

288
00:09:02,960 --> 00:09:05,160
You know, some of these cyber criminals,

289
00:09:05,160 --> 00:09:08,480
they operate, I won't say with impunity,

290
00:09:09,080 --> 00:09:11,880
but sometimes it's not far off that, particularly

291
00:09:11,880 --> 00:09:13,000
if they're in territories

292
00:09:13,000 --> 00:09:16,000
where, you know, is there activity

293
00:09:16,200 --> 00:09:17,920
state sponsored,

294
00:09:17,920 --> 00:09:20,920
or is the state simply turning a blind eye?

295
00:09:20,960 --> 00:09:23,800
You know, certainly they know it goes on.

296
00:09:23,800 --> 00:09:25,920
so it's very difficult

297
00:09:25,920 --> 00:09:28,280
if you're the victim organization,

298
00:09:28,280 --> 00:09:31,840
identifying precisely who it is,

299
00:09:31,840 --> 00:09:32,760
who are the attacker,

300
00:09:32,760 --> 00:09:34,080
who is the threat actor,

301
00:09:34,080 --> 00:09:36,600
where they're like, where are they located?

302
00:09:36,600 --> 00:09:37,800
And as you say Tim trying to

303
00:09:37,800 --> 00:09:41,080
then trace a Bitcoin payments through

304
00:09:41,080 --> 00:09:44,080
the Bitcoin chain is tremendously difficult.

305
00:09:44,520 --> 00:09:46,520
And that's it. Attribution,

306
00:09:46,520 --> 00:09:48,640
so literally just knowing who's done

307
00:09:48,640 --> 00:09:50,360
this is difficult

308
00:09:50,360 --> 00:09:53,080
and therefore really quite expensive.

309
00:09:53,080 --> 00:09:55,000
And therefore for private organization

310
00:09:55,000 --> 00:09:57,120
to try and do that themselves would be

311
00:09:57,120 --> 00:09:58,560
it is a very heavy burden,

312
00:09:58,560 --> 00:09:59,640
and it's not the kind of burden

313
00:09:59,640 --> 00:10:02,400
that we expect organizations to, to take on.

314
00:10:02,400 --> 00:10:02,920
Yeah, yeah.

315
00:10:02,920 --> 00:10:03,960
I guess

316
00:10:03,960 --> 00:10:06,200
starting with that instant response piece in that

317
00:10:06,200 --> 00:10:07,560
I've been hit.

318
00:10:07,560 --> 00:10:10,280
What do I do? We're probably the ones

319
00:10:10,280 --> 00:10:13,760
operating the the hotline as the call comes in.

320
00:10:14,080 --> 00:10:16,400
Jamie, do you want to sort of

321
00:10:16,400 --> 00:10:18,920
talk our audience through that first sort of

322
00:10:18,920 --> 00:10:19,640
call them what

323
00:10:19,640 --> 00:10:20,120
what happens,

324
00:10:20,120 --> 00:10:21,760
what we're looking to do. Well,

325
00:10:21,760 --> 00:10:23,000
let's give the proper context

326
00:10:23,000 --> 00:10:26,000
to that first call, because you'll be dealing

327
00:10:26,000 --> 00:10:29,000
with an organization who's probably experiencing

328
00:10:29,840 --> 00:10:31,560
the most stressful day

329
00:10:31,560 --> 00:10:32,840
of their professional lives,

330
00:10:32,840 --> 00:10:34,640
or certainly one of them,

331
00:10:34,640 --> 00:10:38,520
and you might have on the call, perhaps,

332
00:10:38,520 --> 00:10:40,920
a GC general counsel from the business

333
00:10:40,920 --> 00:10:42,440
and also somebody from the I.T

334
00:10:42,440 --> 00:10:45,440
who's responsible for security, perhaps a CISO,

335
00:10:45,440 --> 00:10:47,240
if they have one,

336
00:10:47,240 --> 00:10:50,520
that I.T person will be feeling particularly,

337
00:10:50,960 --> 00:10:54,680
stressed and vulnerable because it's their job

338
00:10:54,680 --> 00:10:56,680
essentially to look after security.

339
00:10:56,680 --> 00:10:59,880
So you need to display as the external counsel

340
00:11:00,080 --> 00:11:02,840
empathy towards that person's position

341
00:11:02,840 --> 00:11:04,920
because they're worry and stress.

342
00:11:04,920 --> 00:11:06,280
Know it does.

343
00:11:06,280 --> 00:11:08,840
It does have some logic behind it

344
00:11:08,840 --> 00:11:11,400
because we've seen recently, haven't we, some

345
00:11:11,400 --> 00:11:14,720
personal liability attaching to executives.

346
00:11:14,720 --> 00:11:15,320
For example,

347
00:11:15,320 --> 00:11:17,760
in the Uber case, SolarWinds

348
00:11:17,760 --> 00:11:19,160
also a case called Drizly.

349
00:11:19,160 --> 00:11:21,320
So it's that empathy towards

350
00:11:21,320 --> 00:11:23,720
the victim organizations is an important piece.

351
00:11:25,440 --> 00:11:27,560
the other bit of important context

352
00:11:27,560 --> 00:11:31,960
to that first call is that the the priority.

353
00:11:32,160 --> 00:11:34,960
And often, you know, I, as external counsel, need

354
00:11:34,960 --> 00:11:36,360
to emphasize this point

355
00:11:36,360 --> 00:11:38,600
to the victim in the first call,

356
00:11:38,600 --> 00:11:41,080
the initial priorities is all about containments,

357
00:11:41,080 --> 00:11:42,920
you know, stopping the bleeding,

358
00:11:42,920 --> 00:11:45,760
stopping the threat actor from perpetrating

359
00:11:45,760 --> 00:11:47,880
further attacks against the company.

360
00:11:47,880 --> 00:11:50,120
Exfiltrating data.

361
00:11:50,120 --> 00:11:53,120
it's often the case, understandably,

362
00:11:53,200 --> 00:11:54,360
when you're speaking to a client

363
00:11:54,360 --> 00:11:55,480
for the first time,

364
00:11:55,480 --> 00:11:57,680
they want to skip the containment

365
00:11:57,680 --> 00:11:58,800
and eradication steps

366
00:11:58,800 --> 00:12:01,040
and jump straight to recovery.

367
00:12:01,040 --> 00:12:04,280
I can think one case in particular, for example,

368
00:12:04,280 --> 00:12:05,720
just quickly

369
00:12:05,720 --> 00:12:08,960
where we got a call, the very first call,

370
00:12:09,320 --> 00:12:11,200
by the time we receive that call,

371
00:12:11,200 --> 00:12:13,040
the client was already three days

372
00:12:13,040 --> 00:12:14,920
deep into the breach

373
00:12:14,920 --> 00:12:16,200
that the muddling the way through

374
00:12:16,200 --> 00:12:17,880
as best they could on their own

375
00:12:17,880 --> 00:12:20,040
got to a point where they couldn't cope,

376
00:12:20,040 --> 00:12:22,240
phoned us for support.

377
00:12:22,240 --> 00:12:24,920
it transpired by the time they called us,

378
00:12:24,920 --> 00:12:26,280
they had already completely

379
00:12:26,280 --> 00:12:28,960
wiped the affected servers.

380
00:12:28,960 --> 00:12:31,960
So the idea of preserving and collecting data,

381
00:12:32,080 --> 00:12:34,240
digital evidence had just gone out the window.

382
00:12:34,240 --> 00:12:37,400
so so with that context, out of the way,

383
00:12:37,680 --> 00:12:40,600
my first question's usually going to be,

384
00:12:40,600 --> 00:12:43,400
you know, are we confident this line,

385
00:12:43,400 --> 00:12:45,080
this telephone line, teams

386
00:12:45,080 --> 00:12:47,880
platform or zoom platform, is it secure?

387
00:12:47,880 --> 00:12:48,200
You know,

388
00:12:48,200 --> 00:12:49,760
how do we know that

389
00:12:49,760 --> 00:12:50,840
there's a well-worn phrase

390
00:12:50,840 --> 00:12:52,280
and incident response, you know,

391
00:12:52,280 --> 00:12:54,640
assume compromise.

392
00:12:54,640 --> 00:12:57,640
My next question is going to be, are you insured?

393
00:12:57,680 --> 00:12:59,880
you know,

394
00:13:01,000 --> 00:13:02,800
every cyber policy

395
00:13:02,800 --> 00:13:05,160
will usually require the insureds

396
00:13:05,160 --> 00:13:08,160
to notify their insurer in a timely manner,

397
00:13:08,400 --> 00:13:10,480
particularly of a ransomware attack.

398
00:13:10,480 --> 00:13:11,960
and if they don't do that, you know,

399
00:13:11,960 --> 00:13:14,960
they might jeopardize the cover.

400
00:13:16,040 --> 00:13:17,440
after that, we really get

401
00:13:17,440 --> 00:13:20,440
to the information gathering phase.

402
00:13:20,680 --> 00:13:21,640
So I'm in listen mode.

403
00:13:21,640 --> 00:13:23,760
I'm asking questions. You know, what happened?

404
00:13:23,760 --> 00:13:25,120
how did it happen?

405
00:13:25,120 --> 00:13:28,120
What part of the network was compromised?

406
00:13:28,960 --> 00:13:30,200
do you have backups still?

407
00:13:30,200 --> 00:13:31,680
Are they are they in a good state? What?

408
00:13:31,680 --> 00:13:33,040
What's their status?

409
00:13:33,040 --> 00:13:36,080
How many end points do you have?

410
00:13:36,160 --> 00:13:38,160
What's your operating system?

411
00:13:38,160 --> 00:13:40,160
And who's responsible for your security?

412
00:13:40,160 --> 00:13:41,720
Do you handle it yourself?

413
00:13:41,720 --> 00:13:43,360
or do you have a third party

414
00:13:43,360 --> 00:13:45,840
managed service provider?

415
00:13:45,840 --> 00:13:47,080
And I need answers to that,

416
00:13:47,080 --> 00:13:48,400
not just for my own benefit

417
00:13:48,400 --> 00:13:49,840
so I can assist the company,

418
00:13:49,840 --> 00:13:50,960
but also

419
00:13:50,960 --> 00:13:51,800
because I know my next

420
00:13:51,800 --> 00:13:54,280
call is going to be to Ollie.

421
00:13:54,280 --> 00:13:56,240
and to give Ollie a heads up

422
00:13:56,240 --> 00:13:59,400
so he can come to the follow on call,

423
00:13:59,400 --> 00:14:00,360
slightly prepared.

424
00:14:00,360 --> 00:14:01,320
Is obviously,

425
00:14:01,320 --> 00:14:03,120
you know, really important,

426
00:14:03,120 --> 00:14:05,120
all the things we want to know.

427
00:14:05,120 --> 00:14:07,520
What have you done so far?

428
00:14:07,520 --> 00:14:09,600
and what actions have they taken?

429
00:14:09,600 --> 00:14:11,560
Have they deleted anything?

430
00:14:11,560 --> 00:14:12,800
Who have they called?

431
00:14:12,800 --> 00:14:14,880
Have they notified anybody?

432
00:14:14,880 --> 00:14:16,960
And what resources do they have internally?

433
00:14:16,960 --> 00:14:19,960
What internal capabilities that they have?

434
00:14:20,080 --> 00:14:23,080
And what external support might they require?

435
00:14:23,160 --> 00:14:25,480
As I'm asking all these questions

436
00:14:25,480 --> 00:14:26,040
going on

437
00:14:26,040 --> 00:14:26,640
in my head, it's

438
00:14:26,640 --> 00:14:29,040
a sort of a running risk assessment.

439
00:14:29,040 --> 00:14:31,040
So I'm thinking, what is the timeline?

440
00:14:31,040 --> 00:14:32,680
When were they breached?

441
00:14:32,680 --> 00:14:34,000
What regulatory

442
00:14:34,000 --> 00:14:37,040
notification clock's already started ticking.

443
00:14:37,800 --> 00:14:40,720
So all that's going on at the same time.

444
00:14:40,720 --> 00:14:41,880
you know, I, I'm working out

445
00:14:41,880 --> 00:14:43,480
what support do we need?

446
00:14:43,480 --> 00:14:44,280
You know,

447
00:14:44,280 --> 00:14:45,920
typically, as we all know, it's

448
00:14:45,920 --> 00:14:47,920
sort of digital forensics.

449
00:14:47,920 --> 00:14:49,960
It's a PR crisis.

450
00:14:49,960 --> 00:14:54,000
Communications experts, obviously legal counsel.

451
00:14:54,120 --> 00:14:55,920
And if it's a ransomware incidence,

452
00:14:55,920 --> 00:14:58,480
then a sort of counter extortion,

453
00:14:58,480 --> 00:14:59,640
ransom negotiator

454
00:14:59,640 --> 00:15:00,640
with typically

455
00:15:00,640 --> 00:15:01,200
the,

456
00:15:01,200 --> 00:15:02,240
external disciplines

457
00:15:02,240 --> 00:15:03,720
that we would look to bring in,

458
00:15:03,720 --> 00:15:04,960
as a, as a, you know,

459
00:15:06,200 --> 00:15:08,240
an urgent first step.

460
00:15:08,240 --> 00:15:10,360
And then we sort of at that point

461
00:15:10,360 --> 00:15:12,880
thinking about the nature of the organization,

462
00:15:12,880 --> 00:15:13,960
what what they do,

463
00:15:13,960 --> 00:15:16,200
what information they hold as well in terms of

464
00:15:16,200 --> 00:15:18,160
so feeding that into your.

465
00:15:18,160 --> 00:15:21,160
Yes, regulatory thinking and and strategic.

466
00:15:21,560 --> 00:15:22,200
Exactly.

467
00:15:22,200 --> 00:15:22,640
I mean,

468
00:15:22,640 --> 00:15:25,040
a deeper dive on

469
00:15:25,040 --> 00:15:26,760
that would probably come into the second call,

470
00:15:26,760 --> 00:15:27,960
but certainly when you're asking

471
00:15:27,960 --> 00:15:30,080
those initial questions about,

472
00:15:30,080 --> 00:15:31,920
you know, what part of network was impacted,

473
00:15:31,920 --> 00:15:33,040
what servers,

474
00:15:33,040 --> 00:15:34,000
you'd also want to know

475
00:15:34,000 --> 00:15:35,360
at the same time, ideally,

476
00:15:35,360 --> 00:15:36,600
what sort of data do

477
00:15:36,600 --> 00:15:39,480
we think was on that servers, on those servers.

478
00:15:39,480 --> 00:15:41,000
And sometimes the client will know,

479
00:15:41,000 --> 00:15:44,000
but quite often that they won't know.

480
00:15:44,160 --> 00:15:45,960
And then with that being said, about

481
00:15:45,960 --> 00:15:47,320
what are the things that

482
00:15:47,320 --> 00:15:49,000
put a smile on your face in that situation?

483
00:15:49,000 --> 00:15:50,240
What are the things that make your heart sink

484
00:15:50,240 --> 00:15:51,680
in terms of the answers you get?

485
00:15:51,680 --> 00:15:54,360
So talking about what makes me feel like

486
00:15:54,360 --> 00:15:56,840
this is going to be a successful call,

487
00:15:56,840 --> 00:15:58,680
there are, probably clear ones.

488
00:15:58,680 --> 00:16:00,280
There's the they've got good backups.

489
00:16:00,280 --> 00:16:01,440
We know they're great.

490
00:16:01,440 --> 00:16:04,200
It hasn't impacted large parts of the network.

491
00:16:04,200 --> 00:16:06,560
I think sort of a softer side of this was

492
00:16:06,560 --> 00:16:09,200
would be that there's a skeptic on the call.

493
00:16:09,200 --> 00:16:10,440
I think a lot of us,

494
00:16:10,440 --> 00:16:11,800
you know, the reason why we're good at

495
00:16:11,800 --> 00:16:13,720
this is because we walk into the call

496
00:16:13,720 --> 00:16:14,680
and we we absolutely

497
00:16:14,680 --> 00:16:16,000
listen to what we're hearing,

498
00:16:16,000 --> 00:16:18,280
but we know that that might not be the

499
00:16:18,280 --> 00:16:19,760
the absolute ground truth.

500
00:16:19,760 --> 00:16:21,720
Does that influence as well I presume

501
00:16:21,720 --> 00:16:23,880
that goes into the mix with that people dynamic

502
00:16:23,880 --> 00:16:24,840
that Jamie was talking about,

503
00:16:24,840 --> 00:16:26,680
that we know that

504
00:16:26,680 --> 00:16:29,680
this is a distress situation for the the victim.

505
00:16:29,680 --> 00:16:31,160
The people are under the cosh.

506
00:16:31,160 --> 00:16:33,040
There's a huge amount of pressure.

507
00:16:33,040 --> 00:16:34,800
And you kind of

508
00:16:34,800 --> 00:16:37,400
we've got to arrive with a, a cynical mindset,

509
00:16:37,400 --> 00:16:37,840
as you say.

510
00:16:37,840 --> 00:16:39,600
But we've got to reassure people that that

511
00:16:39,600 --> 00:16:41,040
that isn't because we don't believe them.

512
00:16:41,040 --> 00:16:42,640
It's yeah.

513
00:16:42,640 --> 00:16:44,640
And that's it. You've got to set out.

514
00:16:44,640 --> 00:16:45,720
This is,

515
00:16:45,720 --> 00:16:46,320
you know,

516
00:16:46,320 --> 00:16:48,440
we're standing shoulder to shoulder with you.

517
00:16:48,440 --> 00:16:50,520
We absolutely believe what you're saying.

518
00:16:50,520 --> 00:16:51,600
But we need to verify

519
00:16:51,600 --> 00:16:53,160
that something else hasn't changed.

520
00:16:53,160 --> 00:16:54,200
That in the meantime is

521
00:16:54,200 --> 00:16:56,520
is broadly the way you're coming to this,

522
00:16:56,520 --> 00:16:58,080
particularly when you start saying,

523
00:16:58,080 --> 00:16:59,480
okay, we're now going to start,

524
00:16:59,480 --> 00:17:00,640
notifying regulators

525
00:17:00,640 --> 00:17:02,600
or putting out press statements

526
00:17:02,600 --> 00:17:04,480
because there's someone who's sitting out there

527
00:17:04,480 --> 00:17:06,120
who would love to be able to say,

528
00:17:06,120 --> 00:17:08,160
that's not how it is. It's actually this.

529
00:17:08,160 --> 00:17:10,080
That it’s someone that's willing to,

530
00:17:10,080 --> 00:17:10,920
you know, immediately

531
00:17:10,920 --> 00:17:12,360
rebut that potentially he's

532
00:17:12,360 --> 00:17:14,520
had access to your systems for months.

533
00:17:14,520 --> 00:17:14,800
Yeah.

534
00:17:14,800 --> 00:17:17,880
And, you know, the usual course of events

535
00:17:17,880 --> 00:17:20,880
would be in those first 24, 48 hours.

536
00:17:21,040 --> 00:17:23,040
You probably know very little,

537
00:17:23,040 --> 00:17:24,800
and even the things that you think,

538
00:17:24,800 --> 00:17:26,560
you know, you know, might not be correct.

539
00:17:26,560 --> 00:17:27,840
You know, threat actors these days

540
00:17:27,840 --> 00:17:30,840
to deploy measures, measures such as,

541
00:17:30,920 --> 00:17:33,240
you know, anti forensics will cover their tracks.

542
00:17:33,240 --> 00:17:35,360
They'll sort of delete logs,

543
00:17:35,360 --> 00:17:37,360
they'll try and distract you.

544
00:17:38,320 --> 00:17:40,800
there's the risk of secondary attacks.

545
00:17:40,800 --> 00:17:41,840
so you need to,

546
00:17:41,840 --> 00:17:42,080
you know,

547
00:17:42,080 --> 00:17:43,520
bare all these things into account

548
00:17:43,520 --> 00:17:45,600
and work through things properly.

549
00:17:45,600 --> 00:17:48,040
so once we've

550
00:17:48,040 --> 00:17:48,680
made the phone

551
00:17:48,680 --> 00:17:51,160
calls, we've got our experts on board,

552
00:17:51,160 --> 00:17:56,120
our team, you know, there then becomes

553
00:17:56,480 --> 00:17:59,480
some fairly significant operational

554
00:17:59,520 --> 00:18:01,320
considerations to work through.

555
00:18:01,320 --> 00:18:04,040
Because if you are bringing in,

556
00:18:04,040 --> 00:18:06,840
you know, several external third parties

557
00:18:06,840 --> 00:18:09,960
to work alongside, but several internal parties,

558
00:18:10,520 --> 00:18:11,600
you can't assume

559
00:18:11,600 --> 00:18:13,080
that's just going to be on itself.

560
00:18:13,080 --> 00:18:14,840
There needs to be a significant element

561
00:18:14,840 --> 00:18:16,920
of project management.

562
00:18:16,920 --> 00:18:20,120
and what you certainly can't have is everybody,

563
00:18:20,120 --> 00:18:21,680
you know, from forensics,

564
00:18:21,680 --> 00:18:25,240
comms legal in the same meeting together.

565
00:18:25,640 --> 00:18:27,760
So we split out into separate work

566
00:18:27,760 --> 00:18:28,880
streams,

567
00:18:28,880 --> 00:18:30,360
So things can be done in parallel

568
00:18:30,360 --> 00:18:31,520
at the same time.

569
00:18:31,520 --> 00:18:32,360
Should we run through

570
00:18:32,360 --> 00:18:34,600
perhaps for our audience what,

571
00:18:34,600 --> 00:18:35,520
what we're going to be looking at

572
00:18:35,520 --> 00:18:36,920
in that situation in terms of which

573
00:18:36,920 --> 00:18:38,840
what streams will be looking at

574
00:18:38,840 --> 00:18:40,600
and who would be bringing in?

575
00:18:40,600 --> 00:18:41,440
But typically,

576
00:18:41,440 --> 00:18:42,560
as I mentioned earlier,

577
00:18:42,560 --> 00:18:45,360
you know, it's forensics, it's PR comms.

578
00:18:45,360 --> 00:18:47,920
It's a ransom negotiator.

579
00:18:49,720 --> 00:18:51,640
You know, even if the client is adamant

580
00:18:51,640 --> 00:18:53,520
that they don't want to pay the ransom,

581
00:18:53,520 --> 00:18:55,560
there's still,

582
00:18:55,560 --> 00:18:58,080
a logic for having that ransom negotiator

583
00:18:58,080 --> 00:18:58,720
at the table

584
00:18:58,720 --> 00:19:01,720
for reasons we can we can come on to,

585
00:19:02,800 --> 00:19:04,880
external legal counsel, obviously.

586
00:19:04,880 --> 00:19:07,520
and that they're the main ones at the start.

587
00:19:07,520 --> 00:19:09,080
You might want additional ones

588
00:19:09,080 --> 00:19:10,840
as you get further down the line for example,

589
00:19:10,840 --> 00:19:14,320
I might be a stream on, restoration mediation.

590
00:19:14,680 --> 00:19:16,720
there might be a stream on data analysis,

591
00:19:16,720 --> 00:19:18,960
but initially it's those core ones

592
00:19:18,960 --> 00:19:19,920
we've talked about.

593
00:19:19,920 --> 00:19:23,040
So, you know, as I say, there are operational

594
00:19:23,040 --> 00:19:24,320
things that need to be done

595
00:19:24,320 --> 00:19:26,680
to get those streams up and running properly.

596
00:19:26,680 --> 00:19:29,680
so who's who's going to lead each stream?

597
00:19:30,120 --> 00:19:32,600
How frequently are the meetings

598
00:19:32,600 --> 00:19:33,280
going to take place?

599
00:19:33,280 --> 00:19:34,840
What's the cadence of meetings?

600
00:19:34,840 --> 00:19:35,560
So typically

601
00:19:35,560 --> 00:19:37,040
you'd have a morning meeting,

602
00:19:37,040 --> 00:19:39,720
you'd have an afternoon end of day meeting.

603
00:19:39,720 --> 00:19:42,360
you'd want to know,

604
00:19:42,360 --> 00:19:42,640
you know,

605
00:19:42,640 --> 00:19:45,640
who is the ultimate decision maker client side.

606
00:19:45,760 --> 00:19:48,640
So who who's got the no or no go call

607
00:19:48,640 --> 00:19:49,920
on all of the big decisions

608
00:19:49,920 --> 00:19:52,040
that you know you're going to have to make.

609
00:19:52,040 --> 00:19:54,280
And then there's some operational structure

610
00:19:54,280 --> 00:19:56,800
you will need or would want to have things like,

611
00:19:57,760 --> 00:20:01,440
a decision log, an action tracker.

612
00:20:01,880 --> 00:20:02,240
You know,

613
00:20:02,240 --> 00:20:04,720
those artifacts are things that can help you

614
00:20:04,720 --> 00:20:05,680
when you come on later

615
00:20:05,680 --> 00:20:08,680
down the line to deal with regulatory inquiries.

616
00:20:09,000 --> 00:20:11,600
from the legal side,

617
00:20:11,600 --> 00:20:13,360
everything I've just talked about,

618
00:20:13,360 --> 00:20:14,880
we would be looking to wrap that

619
00:20:14,880 --> 00:20:17,880
in a legally privileged envelope,

620
00:20:17,960 --> 00:20:19,400
to protect the clients

621
00:20:19,400 --> 00:20:22,400
from the confidentiality perspective.

622
00:20:22,680 --> 00:20:23,680
and obviously the steps

623
00:20:23,680 --> 00:20:25,840
we need to work through to achieve that.

624
00:20:25,840 --> 00:20:26,720
so first, on.

625
00:20:26,720 --> 00:20:28,200
With a sort of litigators

626
00:20:28,200 --> 00:20:31,120
hat on and a claims hat on, you see, all of that

627
00:20:31,120 --> 00:20:33,680
sort of material is being requested by claimants

628
00:20:33,680 --> 00:20:34,440
very early on.

629
00:20:34,440 --> 00:20:35,360
So we

630
00:20:35,360 --> 00:20:37,720
we need to be alert to the fact that one day,

631
00:20:37,720 --> 00:20:40,360
if there is a claim or a group action,

632
00:20:40,360 --> 00:20:41,760
whatever it might be,

633
00:20:41,760 --> 00:20:42,880
people are going to be knocking on the door

634
00:20:42,880 --> 00:20:43,360
asking for that

635
00:20:43,360 --> 00:20:45,400
so that that's a crucial piece of the.

636
00:20:45,400 --> 00:20:45,960
Yeah, you might

637
00:20:45,960 --> 00:20:47,320
you might still be on day one,

638
00:20:47,320 --> 00:20:48,480
but you're having to think about

639
00:20:48,480 --> 00:20:50,520
what are the downstream implications.

640
00:20:50,520 --> 00:20:51,200
You know,

641
00:20:51,200 --> 00:20:53,920
weeks, months, years down the line potentially.

642
00:20:53,920 --> 00:20:55,720
So if we start with forensics,

643
00:20:55,720 --> 00:20:56,360
perhaps as the

644
00:20:56,360 --> 00:20:57,320
the first workstream

645
00:20:57,320 --> 00:21:02,440
to chat in more detail about, you know, ideally,

646
00:21:02,720 --> 00:21:06,280
it would be external counsel instructing only,

647
00:21:06,280 --> 00:21:08,440
perhaps through a sort of tripartite agreement

648
00:21:08,440 --> 00:21:10,720
with the insurers, to sort of

649
00:21:11,680 --> 00:21:14,680
ensure that privilege is in place.

650
00:21:14,680 --> 00:21:17,680
and then what that would essentially look like is

651
00:21:18,240 --> 00:21:21,240
the letter of engagement, which would speak to,

652
00:21:21,440 --> 00:21:24,440
these being instructed in order to,

653
00:21:25,360 --> 00:21:27,760
assist the lawyers with the technical

654
00:21:27,760 --> 00:21:30,840
aspects of the breach, in order

655
00:21:30,840 --> 00:21:33,320
to inform legal advice that we would give

656
00:21:33,320 --> 00:21:34,960
to the victim organization.

657
00:21:34,960 --> 00:21:37,400
And so that's, you know,

658
00:21:37,400 --> 00:21:39,520
how you could go about setting privilege up.

659
00:21:39,520 --> 00:21:40,800
You'd also look, obviously,

660
00:21:40,800 --> 00:21:41,880
to carefully control

661
00:21:41,880 --> 00:21:44,880
the parameters of the investigation.

662
00:21:44,880 --> 00:21:47,680
For the moment Jamie calls you then Ollie what's, what's

663
00:21:47,680 --> 00:21:49,080
going through your,

664
00:21:49,080 --> 00:21:49,960
your mind in terms of

665
00:21:49,960 --> 00:21:51,640
what have I got to do what it is.

666
00:21:51,640 --> 00:21:52,800
There is

667
00:21:52,800 --> 00:21:55,880
a broad playbook for you terms of. Definitely.

668
00:21:55,960 --> 00:21:58,960
And and I think that the broad

669
00:21:59,240 --> 00:22:01,440
outline that Jamie's given there is,

670
00:22:01,440 --> 00:22:03,240
is true for every single player

671
00:22:03,240 --> 00:22:04,800
in in that role below.

672
00:22:04,800 --> 00:22:05,880
It's going in

673
00:22:05,880 --> 00:22:08,280
trying to get as much information as possible,

674
00:22:08,280 --> 00:22:11,000
understanding how we fit within the wider hole,

675
00:22:11,000 --> 00:22:14,360
because all of those different workstreams

676
00:22:14,360 --> 00:22:15,840
need information from all the others.

677
00:22:15,840 --> 00:22:17,400
We need to make sure that we're all playing

678
00:22:17,400 --> 00:22:19,000
to the same tame

679
00:22:19,000 --> 00:22:20,880
score here,

680
00:22:20,880 --> 00:22:22,000
without necessarily

681
00:22:22,000 --> 00:22:23,040
having to set up a meeting

682
00:22:23,040 --> 00:22:24,000
with 20 different people.

683
00:22:24,000 --> 00:22:25,080
So making sure that all of that

684
00:22:25,080 --> 00:22:27,720
communication is in place is really clear.

685
00:22:27,720 --> 00:22:29,080
That priority around making sure

686
00:22:29,080 --> 00:22:30,960
that you're containing the incident

687
00:22:30,960 --> 00:22:33,480
before you start to remove things

688
00:22:33,480 --> 00:22:34,920
for secure recovery as well.

689
00:22:34,920 --> 00:22:35,640
What,

690
00:22:35,640 --> 00:22:37,240
what are the agreed procedures

691
00:22:37,240 --> 00:22:38,760
that you're following there,

692
00:22:38,760 --> 00:22:39,440
bearing in mind

693
00:22:39,440 --> 00:22:40,120
that in

694
00:22:40,120 --> 00:22:41,560
many of these situations, this

695
00:22:41,560 --> 00:22:43,120
the client we don't know we don't know

696
00:22:43,120 --> 00:22:44,680
the ins and outs of their infrastructure.

697
00:22:44,680 --> 00:22:45,760
So we want to be really clear

698
00:22:45,760 --> 00:22:46,760
when we're doing something,

699
00:22:46,760 --> 00:22:47,760
it's not going to be something

700
00:22:47,760 --> 00:22:49,400
potentially disruptive.

701
00:22:49,400 --> 00:22:51,080
So make sure that's clear.

702
00:22:51,080 --> 00:22:53,640
Being really aware of what systems are fragile,

703
00:22:53,640 --> 00:22:56,640
what which systems are critical to the business

704
00:22:56,640 --> 00:22:57,560
that are still running.

705
00:22:57,560 --> 00:22:59,960
You don't want to hurt them on the on the way up,

706
00:22:59,960 --> 00:23:02,880
but also being as clear as possible about,

707
00:23:03,960 --> 00:23:04,800
the fact that

708
00:23:04,800 --> 00:23:06,840
things might get worse in the short term

709
00:23:06,840 --> 00:23:08,080
if you want them to get better,

710
00:23:08,080 --> 00:23:09,840
that may be things you need to be turning off.

711
00:23:09,840 --> 00:23:12,840
There may be,

712
00:23:12,960 --> 00:23:14,520
some actions that you've already taken

713
00:23:14,520 --> 00:23:15,600
that you need to roll back.

714
00:23:15,600 --> 00:23:16,880
So, so being really clear that

715
00:23:16,880 --> 00:23:18,960
that sort of slowing down,

716
00:23:18,960 --> 00:23:20,440
making deliberate decisions

717
00:23:20,440 --> 00:23:21,680
to contain the incident,

718
00:23:21,680 --> 00:23:22,560
to stop the bleed,

719
00:23:22,560 --> 00:23:23,440
to protect the data

720
00:23:23,440 --> 00:23:26,440
that you still have is critical.

721
00:23:27,120 --> 00:23:30,560
The business can then, Jamie’s done his excellent work

722
00:23:30,560 --> 00:23:32,120
of identifying the key decision

723
00:23:32,120 --> 00:23:32,960
makers, making sure

724
00:23:32,960 --> 00:23:35,440
that they can be briefed on things

725
00:23:35,440 --> 00:23:37,440
so that when we bring them questions

726
00:23:37,440 --> 00:23:39,280
or I wouldn't want to call them problems,

727
00:23:39,280 --> 00:23:40,440
but challenges,

728
00:23:40,440 --> 00:23:40,920
you know,

729
00:23:40,920 --> 00:23:41,800
you've got a situation

730
00:23:41,800 --> 00:23:43,680
where it's going to take us a week

731
00:23:43,680 --> 00:23:45,080
in order to do the forensic analysis

732
00:23:45,080 --> 00:23:47,080
on a particular piece of hardware,

733
00:23:47,080 --> 00:23:48,680
but that's so critical to the business

734
00:23:48,680 --> 00:23:50,000
that if it's not brought up in a week

735
00:23:50,000 --> 00:23:52,640
that the business is going to exist anymore,

736
00:23:52,640 --> 00:23:54,200
who's actually making the ultimate decision

737
00:23:54,200 --> 00:23:55,800
on whether or not you get to proceed

738
00:23:55,800 --> 00:23:57,120
without doing investigation?

739
00:23:57,120 --> 00:23:58,800
So our job is to provide the advice.

740
00:23:58,800 --> 00:24:00,400
It's going to, you know, this is

741
00:24:01,640 --> 00:24:03,320
so critical to our investigation.

742
00:24:03,320 --> 00:24:05,640
We're not going to know.

743
00:24:05,640 --> 00:24:07,360
But obviously that's completely useless

744
00:24:07,360 --> 00:24:09,480
if that's not going to the right decision maker.

745
00:24:09,480 --> 00:24:10,680
So there's that.

746
00:24:10,680 --> 00:24:13,960
And then finally the the point here around,

747
00:24:15,200 --> 00:24:16,960
making it really clear

748
00:24:16,960 --> 00:24:18,840
when we're advising the client

749
00:24:18,840 --> 00:24:20,960
what they're likely to know, when

750
00:24:20,960 --> 00:24:21,360
I think

751
00:24:21,360 --> 00:24:23,400
that the one of the most uncomfortable things

752
00:24:23,400 --> 00:24:24,360
for senior executives

753
00:24:24,360 --> 00:24:26,000
that we see in these incidents are

754
00:24:26,000 --> 00:24:28,040
they're used to having a good amount

755
00:24:28,040 --> 00:24:28,600
of information

756
00:24:28,600 --> 00:24:29,640
about the things that they're trying

757
00:24:29,640 --> 00:24:31,120
to make a decision on.

758
00:24:31,120 --> 00:24:33,720
And unfortunately, incidents aren't like that.

759
00:24:33,720 --> 00:24:36,600
You start off knowing basically nothing

760
00:24:36,600 --> 00:24:38,040
and having to make some pretty impactful

761
00:24:38,040 --> 00:24:40,600
decisions in,

762
00:24:40,600 --> 00:24:43,600
usually a subject area you're not familiar with.

763
00:24:43,600 --> 00:24:45,040
And that's incredibly uncomfortable

764
00:24:45,040 --> 00:24:45,960
for almost everybody.

765
00:24:45,960 --> 00:24:47,440
I wouldn't want to sit in that chair,

766
00:24:48,840 --> 00:24:49,480
so try

767
00:24:49,480 --> 00:24:49,920
to give them

768
00:24:49,920 --> 00:24:52,920
an idea as to what they can expect the next day,

769
00:24:53,000 --> 00:24:55,760
week, month to look like.

770
00:24:55,760 --> 00:24:56,440
You know,

771
00:24:56,440 --> 00:24:57,320
it might be bad now,

772
00:24:57,320 --> 00:24:58,400
but it's going to get better.

773
00:24:58,400 --> 00:25:02,600
Basically, is is important, is critical.

774
00:25:02,600 --> 00:25:04,840
And it's also a thing that generally,

775
00:25:04,840 --> 00:25:06,000
the internal teams

776
00:25:06,000 --> 00:25:07,440
struggle with because they're going through

777
00:25:07,440 --> 00:25:09,160
that same journey themselves.

778
00:25:09,160 --> 00:25:11,600
And from an IT perspective, perhaps

779
00:25:11,600 --> 00:25:12,680
what I've seen is certainly

780
00:25:12,680 --> 00:25:15,680
that internal teams can be, primarily

781
00:25:15,680 --> 00:25:17,000
focused on some functionality

782
00:25:17,000 --> 00:25:18,800
on the day to day running of the system.

783
00:25:18,800 --> 00:25:20,520
And, and that security piece

784
00:25:20,520 --> 00:25:21,480
is slightly different.

785
00:25:21,480 --> 00:25:22,480
You might have,

786
00:25:22,480 --> 00:25:25,600
as we do I from them I.T security architect

787
00:25:26,160 --> 00:25:27,200
specialists,

788
00:25:27,200 --> 00:25:30,000
but they perhaps have got a different, approach,

789
00:25:30,000 --> 00:25:30,560
a different skill

790
00:25:30,560 --> 00:25:31,760
set to you and your team

791
00:25:31,760 --> 00:25:33,720
because you're coming into

792
00:25:33,720 --> 00:25:35,120
to a sort of distress situation

793
00:25:35,120 --> 00:25:36,560
with,

794
00:25:36,560 --> 00:25:39,200
a business that's been hit with encryption and,

795
00:25:39,200 --> 00:25:42,200
and on getting that backup to to speed

796
00:25:42,200 --> 00:25:44,960
and back on the straight and narrows is,

797
00:25:44,960 --> 00:25:46,160
is a slightly different skill set.

798
00:25:46,160 --> 00:25:47,600
So it's complementary blend.

799
00:25:47,600 --> 00:25:50,520
You need to work with the internal team,

800
00:25:51,640 --> 00:25:54,000
but also bring your own.

801
00:25:54,000 --> 00:25:55,040
Yeah.

802
00:25:55,040 --> 00:25:58,240
and or work with any third party MSP.

803
00:25:58,480 --> 00:26:02,600
and you know, thankfully in the vast

804
00:26:02,600 --> 00:26:05,960
majority of cases, you know, the client will be,

805
00:26:07,720 --> 00:26:08,960
you know, doing everything

806
00:26:08,960 --> 00:26:10,320
they can to give all the

807
00:26:10,320 --> 00:26:12,880
everything he needs in terms of access,

808
00:26:12,880 --> 00:26:16,320
information, requests, log evidence,

809
00:26:16,400 --> 00:26:17,800
whatever it may be.

810
00:26:17,800 --> 00:26:22,080
but we have had, a case or two, haven't we?

811
00:26:22,080 --> 00:26:22,880
Ollie that we've worked

812
00:26:22,880 --> 00:26:25,880
on where that hasn't been the case and where

813
00:26:26,960 --> 00:26:29,960
a sort of third party MSP has actually

814
00:26:30,600 --> 00:26:32,800
been instructed not to hand over

815
00:26:32,800 --> 00:26:34,320
certain material.

816
00:26:34,320 --> 00:26:35,840
It didn't add. Up. No.

817
00:26:35,840 --> 00:26:37,120
and so we

818
00:26:37,120 --> 00:26:38,400
you know what that meant,

819
00:26:38,400 --> 00:26:40,680
as well as creating a delay in the,

820
00:26:40,680 --> 00:26:42,400
the incident response,

821
00:26:42,400 --> 00:26:44,200
it's also meant on the legal side that,

822
00:26:44,200 --> 00:26:46,360
you know, mid breach

823
00:26:46,360 --> 00:26:47,000
you're having dealing

824
00:26:47,000 --> 00:26:48,120
with dealing with other issues

825
00:26:48,120 --> 00:26:51,120
such as, you know, potentially

826
00:26:51,520 --> 00:26:55,000
liability of the MSP, the sort of third party,

827
00:26:55,440 --> 00:26:57,640
the potential H.R issues

828
00:26:57,640 --> 00:26:58,960
if people aren't handing over what

829
00:26:58,960 --> 00:26:59,760
they should be handing over

830
00:26:59,760 --> 00:27:03,040
or properly cooperating so things things can,

831
00:27:03,600 --> 00:27:05,160
get a lot more complicated.

832
00:27:05,160 --> 00:27:06,520
And of course,

833
00:27:06,520 --> 00:27:07,920
another thing we haven't touched on yet,

834
00:27:08,920 --> 00:27:09,640
you know,

835
00:27:09,640 --> 00:27:10,960
for those larger breaches

836
00:27:10,960 --> 00:27:13,120
to have an international elements,

837
00:27:13,120 --> 00:27:16,120
you there might be three, four, five

838
00:27:16,280 --> 00:27:18,320
plus different C suites.

839
00:27:18,320 --> 00:27:20,000
So the C so in Europe a C

840
00:27:20,000 --> 00:27:22,080
so A pack C so in the Americas,

841
00:27:22,080 --> 00:27:24,840
all of whom want to input into how best

842
00:27:24,840 --> 00:27:25,800
to respond to the breach.

843
00:27:25,800 --> 00:27:27,520
And probably in

844
00:27:27,520 --> 00:27:30,520
some cases Ollie makes your life a bit bit harder.

845
00:27:31,320 --> 00:27:32,000
Definitely.

846
00:27:32,000 --> 00:27:34,120
I mean,

847
00:27:34,120 --> 00:27:34,760
when you end up

848
00:27:34,760 --> 00:27:36,520
with those really complicated situations

849
00:27:36,520 --> 00:27:37,720
where you've got

850
00:27:37,720 --> 00:27:39,880
different C suites or, you know, a

851
00:27:39,880 --> 00:27:41,560
sort of a group organization,

852
00:27:41,560 --> 00:27:42,400
and particularly

853
00:27:42,400 --> 00:27:44,080
when you start dealing with multiple different

854
00:27:44,080 --> 00:27:45,640
jurisdictions of law enforcement,

855
00:27:45,640 --> 00:27:46,960
I think that's where that can become

856
00:27:46,960 --> 00:27:48,400
really complicated.

857
00:27:48,400 --> 00:27:49,840
We've got the Italian postal police

858
00:27:49,840 --> 00:27:50,560
knocking on the door

859
00:27:50,560 --> 00:27:52,000
asking about something at the same time as

860
00:27:52,000 --> 00:27:53,680
you've got the FBI in the US

861
00:27:54,640 --> 00:27:56,960
making sure that you can

862
00:27:56,960 --> 00:27:58,680
answer the questions sensibly,

863
00:27:58,680 --> 00:28:00,480
taking the information they're giving you,

864
00:28:00,480 --> 00:28:02,440
because also,

865
00:28:02,440 --> 00:28:03,960
depending on the size of the organization,

866
00:28:03,960 --> 00:28:04,640
the type of breach,

867
00:28:04,640 --> 00:28:06,240
they might be telling you something.

868
00:28:06,240 --> 00:28:07,880
You'll never know where that's coming from.

869
00:28:07,880 --> 00:28:09,240
You don't know how true or accurate

870
00:28:09,240 --> 00:28:10,480
that's necessarily going to be,

871
00:28:10,480 --> 00:28:11,920
not because they're trying to mislead

872
00:28:11,920 --> 00:28:13,000
you just because,

873
00:28:13,000 --> 00:28:13,200
you know,

874
00:28:13,200 --> 00:28:16,200
you're a much smaller piece of a much wider hole,

875
00:28:16,360 --> 00:28:18,720
and that can add lots of complication.

876
00:28:18,720 --> 00:28:20,560
It can create a lot of frustration

877
00:28:20,560 --> 00:28:22,320
at the senior executive level,

878
00:28:22,320 --> 00:28:25,320
because people always want to believe, you know,

879
00:28:25,520 --> 00:28:27,000
when you've got that kind of entity

880
00:28:27,000 --> 00:28:30,000
turning up at your door, you want to act on it

881
00:28:30,000 --> 00:28:30,800
for good reason.

882
00:28:30,800 --> 00:28:32,920
But it can take a lot of really useful time

883
00:28:32,920 --> 00:28:33,920
out of a system at a time

884
00:28:33,920 --> 00:28:35,560
where there isn't any spare time.

885
00:28:35,560 --> 00:28:37,000
And a quick, quick

886
00:28:37,000 --> 00:28:37,960
interjection here

887
00:28:37,960 --> 00:28:40,120
that these are some of the difficulties

888
00:28:40,120 --> 00:28:43,120
that you can potentially resolve

889
00:28:43,120 --> 00:28:44,680
or certainly improve

890
00:28:44,680 --> 00:28:47,400
by some of the pre breach populations.

891
00:28:47,400 --> 00:28:49,400
In terms of incident response, if you

892
00:28:49,400 --> 00:28:52,960
if you already know the the victim, you know,

893
00:28:53,320 --> 00:28:54,680
have their systems,

894
00:28:54,680 --> 00:28:57,120
you know, the people, you know the drills

895
00:28:58,360 --> 00:28:59,680
that will make,

896
00:28:59,680 --> 00:29:02,800
a fundamentally sort of tangible difference to

897
00:29:03,320 --> 00:29:05,600
how quickly and efficiently you can

898
00:29:05,600 --> 00:29:06,920
you can sort of respond

899
00:29:06,920 --> 00:29:08,720
to the incident enormously.

900
00:29:08,720 --> 00:29:09,880
So and

901
00:29:09,880 --> 00:29:12,440
so your mention of the first call.

902
00:29:12,440 --> 00:29:13,400
And when you're going through

903
00:29:13,400 --> 00:29:14,920
asking those questions,

904
00:29:14,920 --> 00:29:15,960
if what we've if we've done

905
00:29:15,960 --> 00:29:17,240
that three months earlier

906
00:29:17,240 --> 00:29:19,040
and we've already asked those same questions,

907
00:29:19,040 --> 00:29:21,040
and it's actually a validation exercise.

908
00:29:21,040 --> 00:29:23,040
And because when we did it three months earlier,

909
00:29:23,040 --> 00:29:25,240
it wasn't a Saturday morning at 2 a.m..

910
00:29:25,240 --> 00:29:27,000
It was a reasonable time that had been scheduled

911
00:29:27,000 --> 00:29:28,240
everyone's diaries.

912
00:29:28,240 --> 00:29:29,920
And we didn't just have the IT team.

913
00:29:29,920 --> 00:29:30,760
We had certain parts

914
00:29:30,760 --> 00:29:32,080
of the operational part of the business

915
00:29:32,080 --> 00:29:33,840
that understood the wider context.

916
00:29:33,840 --> 00:29:34,960
So when we're running through,

917
00:29:34,960 --> 00:29:36,680
we can say, well, you told us this,

918
00:29:36,680 --> 00:29:38,160
is that still the case? Yes.

919
00:29:38,160 --> 00:29:40,920
No, you you're not relying on someone's memory

920
00:29:40,920 --> 00:29:42,480
at an incredibly stressful time.

921
00:29:42,480 --> 00:29:42,960
You know,

922
00:29:42,960 --> 00:29:43,840
you're meeting

923
00:29:43,840 --> 00:29:45,440
with the best people at the best time.

924
00:29:45,440 --> 00:29:46,840
And you've also got a list

925
00:29:46,840 --> 00:29:49,320
then of the people you need on the calls.

926
00:29:49,320 --> 00:29:50,480
You know, fishing around

927
00:29:50,480 --> 00:29:52,960
for who would be in charge of this, who knows it.

928
00:29:52,960 --> 00:29:55,080
You've got that structure in place ready to go.

929
00:29:55,080 --> 00:29:58,280
Okay, well, X deals with I.T security.

930
00:29:58,480 --> 00:30:01,400
Why is the HR lead not to say it's

931
00:30:01,400 --> 00:30:03,400
going to be our sort of board

932
00:30:03,400 --> 00:30:05,600
level decision maker and off you go.

933
00:30:05,600 --> 00:30:06,320
Yeah. Exactly.

934
00:30:06,320 --> 00:30:07,000
Yeah, exactly.

935
00:30:07,000 --> 00:30:08,280
And I think

936
00:30:08,280 --> 00:30:10,080
threat actor engagements are a good example

937
00:30:10,080 --> 00:30:11,040
where you know

938
00:30:11,040 --> 00:30:12,280
the pre breach testing

939
00:30:12,280 --> 00:30:15,080
can really, pay dividends.

940
00:30:15,080 --> 00:30:17,800
because you know, making a big decision

941
00:30:17,800 --> 00:30:20,840
such as do we want to engage the threat actor.

942
00:30:21,160 --> 00:30:23,120
Do we want to pay the ransom?

943
00:30:23,120 --> 00:30:24,000
If you're doing that

944
00:30:24,000 --> 00:30:26,840
for the first time conceptually,

945
00:30:26,840 --> 00:30:29,840
in a live breach, it's going to be slow.

946
00:30:29,840 --> 00:30:31,760
You know, there's going to be lots of people

947
00:30:31,760 --> 00:30:32,680
and stakeholders

948
00:30:32,680 --> 00:30:33,880
need to be in the conversation

949
00:30:33,880 --> 00:30:35,480
that need to be assuring.

950
00:30:35,480 --> 00:30:36,720
There's going to be lots of questions

951
00:30:36,720 --> 00:30:38,680
around the legalities of payments,

952
00:30:38,680 --> 00:30:39,520
the mechanics,

953
00:30:39,520 --> 00:30:40,840
who makes payments,

954
00:30:40,840 --> 00:30:42,640
who speaks to the threat actor?

955
00:30:42,640 --> 00:30:46,400
all of that stuff can be worked through.

956
00:30:46,720 --> 00:30:49,720
you know, when you're not in a crisis situation.

957
00:30:49,920 --> 00:30:52,800
So you've got a plan that's been tested

958
00:30:52,800 --> 00:30:53,920
and that will just make your

959
00:30:53,920 --> 00:30:54,960
your incident response

960
00:30:54,960 --> 00:30:56,640
go that much smoother and quicker,

961
00:30:56,640 --> 00:30:58,720
meaning you can, you know, recover faster.

962
00:30:58,720 --> 00:30:59,440
And for the two of you,

963
00:30:59,440 --> 00:31:00,960
what does

964
00:31:00,960 --> 00:31:02,200
what does good look like

965
00:31:02,200 --> 00:31:05,320
when when you're called in terms of a victim

966
00:31:05,320 --> 00:31:07,960
giving you the information about where they are

967
00:31:07,960 --> 00:31:08,880
in terms of, say,

968
00:31:08,880 --> 00:31:09,560
from your point of view,

969
00:31:09,560 --> 00:31:12,720
perhaps only on on system resilience, on backups.

970
00:31:13,200 --> 00:31:15,760
So I think that the critical part is, is

971
00:31:15,760 --> 00:31:17,120
someone being able to be

972
00:31:18,160 --> 00:31:19,840
to see the wider organization.

973
00:31:19,840 --> 00:31:22,840
So the best responses I've been part of

974
00:31:23,040 --> 00:31:24,880
have been with

975
00:31:24,880 --> 00:31:26,920
a senior CIO from the business

976
00:31:26,920 --> 00:31:28,000
that has probably got quite

977
00:31:28,000 --> 00:31:29,760
a lot of operational responsibility.

978
00:31:29,760 --> 00:31:31,720
They've been there for quite a lot of time.

979
00:31:31,720 --> 00:31:34,680
They understand the IT systems, but also how the

980
00:31:34,680 --> 00:31:36,360
the actual human side

981
00:31:36,360 --> 00:31:38,440
of the business functions as well.

982
00:31:38,440 --> 00:31:41,040
well, if you need to ask this kind of question

983
00:31:41,040 --> 00:31:43,120
about operations, you speak to that person.

984
00:31:43,120 --> 00:31:43,800
They understand

985
00:31:43,800 --> 00:31:45,160
how the business is going to react

986
00:31:45,160 --> 00:31:46,800
to this sudden change in risk.

987
00:31:46,800 --> 00:31:48,240
They have a good relationship

988
00:31:48,240 --> 00:31:49,520
with general counsel.

989
00:31:49,520 --> 00:31:52,640
That's that's really what good looks like

990
00:31:53,080 --> 00:31:54,720
the the opposite side of sorry.

991
00:31:54,720 --> 00:31:56,200
So so that was one of the lessons

992
00:31:56,200 --> 00:31:56,800
and perhaps is

993
00:31:56,800 --> 00:31:57,800
is for organizations

994
00:31:57,800 --> 00:32:01,080
to make sure that they are plugging their CIO

995
00:32:01,080 --> 00:32:04,600
into, into their sort of C-suite, into the GC,

996
00:32:04,600 --> 00:32:06,640
so that those relationships are there

997
00:32:06,640 --> 00:32:08,560
so that when we come, when we come knocking.

998
00:32:10,080 --> 00:32:10,440
yeah.

999
00:32:10,440 --> 00:32:10,720
I mean.

1000
00:32:10,720 --> 00:32:12,320
They can put us in the right direction and.

1001
00:32:12,320 --> 00:32:13,200
And same for you.

1002
00:32:13,200 --> 00:32:14,560
Jamie what

1003
00:32:14,560 --> 00:32:16,640
what are the the sort of things where you go.

1004
00:32:16,640 --> 00:32:18,560
pleased to hear that.

1005
00:32:18,560 --> 00:32:18,840
Yeah.

1006
00:32:18,840 --> 00:32:22,040
It's always nice when there's a very clear, line

1007
00:32:22,040 --> 00:32:23,240
of authority at,

1008
00:32:23,240 --> 00:32:25,520
you know, who is making the decisions.

1009
00:32:25,520 --> 00:32:27,240
something that we've seen,

1010
00:32:27,240 --> 00:32:28,880
you know, more than one occasion,

1011
00:32:28,880 --> 00:32:29,840
which can really slow

1012
00:32:29,840 --> 00:32:33,120
things down, is a sort of decision paralysis

1013
00:32:33,680 --> 00:32:34,440
where, you know, it's

1014
00:32:34,440 --> 00:32:35,600
such a big decision

1015
00:32:35,600 --> 00:32:36,920
potentially, you know, in

1016
00:32:36,920 --> 00:32:39,480
some of these extreme cases,

1017
00:32:39,480 --> 00:32:41,200
the future viability of the business

1018
00:32:41,200 --> 00:32:42,640
could literally be,

1019
00:32:42,640 --> 00:32:46,440
you know, you know, in question,

1020
00:32:46,920 --> 00:32:50,440
and therefore having somebody who, you know,

1021
00:32:50,440 --> 00:32:52,000
going to this person,

1022
00:32:52,000 --> 00:32:53,720
you're going to get an answer

1023
00:32:53,720 --> 00:32:56,720
and that person has the authority to tell you yay

1024
00:32:56,720 --> 00:32:58,720
or nay regarding a certain action, for example,

1025
00:32:58,720 --> 00:33:00,480
you turning off the network,

1026
00:33:00,480 --> 00:33:02,480
making a ransom payments,

1027
00:33:02,480 --> 00:33:04,520
bringing extra support in,

1028
00:33:04,520 --> 00:33:07,200
all those are big questions,

1029
00:33:07,200 --> 00:33:10,200
which can consume a lot of time and resource,

1030
00:33:10,320 --> 00:33:11,560
particularly

1031
00:33:11,560 --> 00:33:14,360
when there's not a clear line of decision making.

1032
00:33:14,360 --> 00:33:16,320
so that certainly makes,

1033
00:33:16,320 --> 00:33:18,200
not only my life easier.

1034
00:33:18,200 --> 00:33:18,520
Yeah.

1035
00:33:18,520 --> 00:33:19,760
But I think the sort of victim

1036
00:33:19,760 --> 00:33:21,560
organizations recovery.

1037
00:33:21,560 --> 00:33:22,600
And do you see situations

1038
00:33:22,600 --> 00:33:23,800
where there's a bit of a

1039
00:33:23,800 --> 00:33:25,120
push pull within the business?

1040
00:33:25,120 --> 00:33:28,360
I remember one where, people

1041
00:33:28,360 --> 00:33:30,080
I work with dealt with,

1042
00:33:30,080 --> 00:33:31,520
a logistics business where,

1043
00:33:32,520 --> 00:33:33,960
like, classically, the threat

1044
00:33:33,960 --> 00:33:35,400
actors hit you with a bad time.

1045
00:33:35,400 --> 00:33:36,560
So say, for example,

1046
00:33:36,560 --> 00:33:37,880
you've got that Christmas

1047
00:33:37,880 --> 00:33:38,680
run up,

1048
00:33:38,680 --> 00:33:40,280
you've got warehouses full of stuff

1049
00:33:40,280 --> 00:33:41,840
you need to deliver,

1050
00:33:41,840 --> 00:33:44,800
you've been hit and you've got that push

1051
00:33:44,800 --> 00:33:46,360
pull within the business or people going, oh,

1052
00:33:46,360 --> 00:33:47,880
I can't access my emails.

1053
00:33:47,880 --> 00:33:49,120
And the chairman's

1054
00:33:49,120 --> 00:33:51,000
sort of saying, someone get my email sorted out.

1055
00:33:51,000 --> 00:33:51,800
Whereas in fact,

1056
00:33:51,800 --> 00:33:52,680
perhaps for the business,

1057
00:33:52,680 --> 00:33:54,040
the important thing is to

1058
00:33:54,040 --> 00:33:55,040
get into the warehouses,

1059
00:33:55,040 --> 00:33:57,200
do a stocktake, work out what needs to be where,

1060
00:33:57,200 --> 00:33:59,320
start putting together systems

1061
00:33:59,320 --> 00:34:01,440
that will enable the business to function,

1062
00:34:01,440 --> 00:34:02,760
and you've got to park

1063
00:34:02,760 --> 00:34:04,400
some of the sort of you've got to identify

1064
00:34:04,400 --> 00:34:05,960
what's a luxury, what's a must have,

1065
00:34:05,960 --> 00:34:07,280
I guess early on.

1066
00:34:07,280 --> 00:34:09,920
do you see that sort of prioritization process

1067
00:34:09,920 --> 00:34:11,960
so emerge relatively early in a.

1068
00:34:13,760 --> 00:34:14,080
Yeah.

1069
00:34:14,080 --> 00:34:14,840
You do.

1070
00:34:14,840 --> 00:34:15,640
I mean, you know,

1071
00:34:15,640 --> 00:34:17,480
of course you need to look at what

1072
00:34:17,480 --> 00:34:18,400
what has been

1073
00:34:18,400 --> 00:34:20,520
the operational impact on the business

1074
00:34:20,520 --> 00:34:22,200
from the cyber attack.

1075
00:34:22,200 --> 00:34:23,480
and once you know that,

1076
00:34:23,480 --> 00:34:25,440
then you can start to put in a plan in place to

1077
00:34:25,440 --> 00:34:28,280
to sort of get, you know, back up and running.

1078
00:34:28,280 --> 00:34:29,080
I'm not sure

1079
00:34:29,080 --> 00:34:31,400
whether I'm pinching one of your sayings earlier,

1080
00:34:31,400 --> 00:34:32,920
whether it's some somewhere

1081
00:34:32,920 --> 00:34:34,160
else, but,

1082
00:34:34,160 --> 00:34:34,720
you know,

1083
00:34:34,720 --> 00:34:35,960
once you've had the attack

1084
00:34:35,960 --> 00:34:38,160
and you're starting to get back on your feet,

1085
00:34:38,160 --> 00:34:41,000
you're starting to bring systems back on line,

1086
00:34:41,000 --> 00:34:41,440
you know, so,

1087
00:34:41,440 --> 00:34:43,480
so perhaps one at a time, one

1088
00:34:43,480 --> 00:34:44,920
application for certain.

1089
00:34:44,920 --> 00:34:47,320
You perhaps the finance application,

1090
00:34:47,320 --> 00:34:48,640
might be one of the early ones.

1091
00:34:48,640 --> 00:34:50,320
Maybe HR

1092
00:34:50,320 --> 00:34:50,800
what you can

1093
00:34:50,800 --> 00:34:52,240
sometimes have is

1094
00:34:52,240 --> 00:34:54,360
what's sometimes referred to as a sort of a

1095
00:34:54,360 --> 00:34:54,840
The Hunger

1096
00:34:54,840 --> 00:34:56,360
Games scenario, where

1097
00:34:56,360 --> 00:34:57,240
different business

1098
00:34:57,240 --> 00:34:58,720
heads are competing

1099
00:34:58,720 --> 00:34:59,920
for their application

1100
00:34:59,920 --> 00:35:01,440
to be put back online first, which.

1101
00:35:01,440 --> 00:35:02,160
Is perfectly natural,

1102
00:35:02,160 --> 00:35:02,480
I guess,

1103
00:35:02,480 --> 00:35:04,160
but it's slightly Darwinian in that

1104
00:35:04,160 --> 00:35:06,200
everyone's sort of jockeying for position

1105
00:35:06,200 --> 00:35:08,520
to get in. And yeah, it's completely natural.

1106
00:35:08,520 --> 00:35:11,520
and, you know, from our perspective,

1107
00:35:11,520 --> 00:35:12,600
you know, we need to make sure

1108
00:35:13,920 --> 00:35:14,840
it's done properly.

1109
00:35:14,840 --> 00:35:17,600
So systems are, you know, we

1110
00:35:17,600 --> 00:35:19,400
again, I'm speaking to Ollie’s bit here,

1111
00:35:19,400 --> 00:35:20,200
but we want to make sure

1112
00:35:20,200 --> 00:35:22,160
that anything brought back online is clean.

1113
00:35:22,160 --> 00:35:23,960
And we verified it's clean.

1114
00:35:23,960 --> 00:35:25,320
It's safe.

1115
00:35:25,320 --> 00:35:27,560
we want to be, you know, comfortable.

1116
00:35:27,560 --> 00:35:28,000
Look,

1117
00:35:28,000 --> 00:35:30,120
you know, any risk of a sort of secondary

1118
00:35:30,120 --> 00:35:31,080
or following follow

1119
00:35:31,080 --> 00:35:32,520
an attack has been removed insofar

1120
00:35:32,520 --> 00:35:35,040
as we can possibly have that for sure.

1121
00:35:35,040 --> 00:35:36,080
And if you've got that,

1122
00:35:36,080 --> 00:35:37,640
I guess the two pronged thing

1123
00:35:37,640 --> 00:35:41,120
we see now with encryption and exfiltration

1124
00:35:41,680 --> 00:35:42,800
of what's the point?

1125
00:35:42,800 --> 00:35:44,200
I guess Ollie it is for you.

1126
00:35:44,200 --> 00:35:47,080
are you looking for traces of exfiltration?

1127
00:35:47,080 --> 00:35:49,080
So essentially, immediately.

1128
00:35:49,080 --> 00:35:51,040
But almost every incident these days,

1129
00:35:51,040 --> 00:35:51,520
we know that

1130
00:35:51,520 --> 00:35:53,360
that's going to be a critical work stream.

1131
00:35:53,360 --> 00:35:53,880
The business

1132
00:35:53,880 --> 00:35:54,840
being able to understand

1133
00:35:54,840 --> 00:35:56,200
what happened

1134
00:35:56,200 --> 00:35:59,560
is a so important, you know, it runs

1135
00:35:59,560 --> 00:36:00,760
in parallel with containment.

1136
00:36:04,360 --> 00:36:06,360
so therefore being able to be clear

1137
00:36:06,360 --> 00:36:09,360
with the victim in this case,

1138
00:36:09,480 --> 00:36:10,280
these are the kind of things

1139
00:36:10,280 --> 00:36:11,240
we're going to be looking for.

1140
00:36:11,240 --> 00:36:12,800
Please don't touch those kind of systems.

1141
00:36:12,800 --> 00:36:13,920
Understanding when,

1142
00:36:13,920 --> 00:36:16,480
logs are likely to time out,

1143
00:36:16,480 --> 00:36:18,000
but only keep a week, 2

1144
00:36:18,000 --> 00:36:20,680
or 3 weeks or longer in logs

1145
00:36:20,680 --> 00:36:22,360
and taking a snapshot.

1146
00:36:22,360 --> 00:36:23,920
Now, even if we're not going to start

1147
00:36:23,920 --> 00:36:25,080
looking at them for a few days

1148
00:36:25,080 --> 00:36:27,360
because we're prioritizing containment,

1149
00:36:27,360 --> 00:36:29,120
doing that kind of stuff early

1150
00:36:29,120 --> 00:36:30,400
allows you to make sure that you haven't

1151
00:36:30,400 --> 00:36:31,680
made those those kind of errors.

1152
00:36:31,680 --> 00:36:32,080
you know,

1153
00:36:32,080 --> 00:36:33,160
as Ollie touched on,

1154
00:36:33,160 --> 00:36:35,800
as far as exfiltration is concerned,

1155
00:36:35,800 --> 00:36:37,040
pretty much every incident

1156
00:36:37,040 --> 00:36:38,600
these days, ransomware incident,

1157
00:36:38,600 --> 00:36:41,640
there'll be an exfiltration component,

1158
00:36:41,640 --> 00:36:45,440
and usually get quite quick,

1159
00:36:45,440 --> 00:36:46,720
confirmation of that.

1160
00:36:46,720 --> 00:36:49,160
So there can be some telltale clues.

1161
00:36:49,160 --> 00:36:51,200
Forensically, there might be a big spike

1162
00:36:51,200 --> 00:36:53,360
in network traffic going to an unknown IP.

1163
00:36:53,360 --> 00:36:54,360
Address.

1164
00:36:54,360 --> 00:36:56,840
2:00 in the morning, whatever it might be.

1165
00:36:56,840 --> 00:36:59,080
but so also the threat actors themselves,

1166
00:36:59,080 --> 00:36:59,960
you know,

1167
00:36:59,960 --> 00:37:02,960
they've definitely shortened the amount of time

1168
00:37:03,160 --> 00:37:06,800
that they take between carrying out the attack

1169
00:37:07,160 --> 00:37:08,400
and then posting something

1170
00:37:08,400 --> 00:37:10,240
on one of the leak sites.

1171
00:37:10,240 --> 00:37:13,760
might just be, an allegation

1172
00:37:13,760 --> 00:37:15,080
that they've taken the data.

1173
00:37:15,080 --> 00:37:18,080
It might be initially a small snip of the data,

1174
00:37:18,160 --> 00:37:19,560
very small at sample.

1175
00:37:21,160 --> 00:37:21,600
it might

1176
00:37:21,600 --> 00:37:22,760
be that they've decided

1177
00:37:22,760 --> 00:37:24,720
to talk directly to certain

1178
00:37:24,720 --> 00:37:26,120
cyber journalists again,

1179
00:37:26,120 --> 00:37:28,760
as a sort of a pressure leverage tactic.

1180
00:37:28,760 --> 00:37:30,080
and of course, all of these things,

1181
00:37:30,080 --> 00:37:31,360
as you can imagine,

1182
00:37:31,360 --> 00:37:35,200
significantly also feed into the comms strategy,

1183
00:37:35,680 --> 00:37:37,240
and what comms,

1184
00:37:37,240 --> 00:37:39,360
if any, the business decides to sort of push out

1185
00:37:39,360 --> 00:37:40,400
and when.

1186
00:37:40,400 --> 00:37:40,640
And it's

1187
00:37:40,640 --> 00:37:42,760
that sort of speed of action

1188
00:37:42,760 --> 00:37:45,760
on the part of the threat actor, perhaps,

1189
00:37:45,800 --> 00:37:47,800
a reaction to the fact that perhaps detection

1190
00:37:47,800 --> 00:37:50,240
systems are better than they used to be.

1191
00:37:50,240 --> 00:37:50,520
Sort of.

1192
00:37:50,520 --> 00:37:51,600
A large amount of data

1193
00:37:51,600 --> 00:37:52,960
is taken out of the system.

1194
00:37:52,960 --> 00:37:55,280
An alarm bell might sound someone they know.

1195
00:37:55,280 --> 00:37:56,960
For example, that

1196
00:37:56,960 --> 00:37:57,600
that might trigger

1197
00:37:57,600 --> 00:38:00,600
a set of actions internally that might

1198
00:38:00,920 --> 00:38:02,560
stop them going about their business.

1199
00:38:02,560 --> 00:38:04,640
So they want to move a bit quicker

1200
00:38:04,640 --> 00:38:05,520
than perhaps they used to

1201
00:38:05,520 --> 00:38:06,640
when systems weren't as good

1202
00:38:06,640 --> 00:38:09,120
at spotting that kind of.

1203
00:38:09,120 --> 00:38:11,520
So I think that's happening, what we used to call

1204
00:38:11,520 --> 00:38:13,280
still sort of happen to be called dwell time.

1205
00:38:13,280 --> 00:38:14,960
So before they get getting up to

1206
00:38:14,960 --> 00:38:16,880
the point of encryption has

1207
00:38:18,120 --> 00:38:19,000
has decreased.

1208
00:38:19,000 --> 00:38:21,720
that's happening much faster.

1209
00:38:21,720 --> 00:38:24,080
also the,

1210
00:38:24,080 --> 00:38:24,560
the different

1211
00:38:24,560 --> 00:38:26,600
the time between encryption and a client,

1212
00:38:26,600 --> 00:38:29,480
a victim being aware of what's happened here

1213
00:38:29,480 --> 00:38:32,480
and then being named has shortened because

1214
00:38:33,600 --> 00:38:35,760
threat groups realize there's no real advantage

1215
00:38:35,760 --> 00:38:36,640
to hanging around.

1216
00:38:36,640 --> 00:38:38,200
They don't want to keep this data any longer

1217
00:38:38,200 --> 00:38:41,200
than they need to in order to extort people.

1218
00:38:41,200 --> 00:38:43,840
and

1219
00:38:43,840 --> 00:38:45,400
I think to a certain degree,

1220
00:38:45,400 --> 00:38:47,000
they've realized that if an organization

1221
00:38:47,000 --> 00:38:48,920
isn't hasn't paid in a certain amount of time,

1222
00:38:48,920 --> 00:38:50,760
they're probably not going to

1223
00:38:50,760 --> 00:38:52,200
this is a numbers game for them

1224
00:38:52,200 --> 00:38:53,280
that trying to roll through this

1225
00:38:53,280 --> 00:38:54,520
as quickly as possible,

1226
00:38:54,520 --> 00:38:56,680
which very much to Jamie's point around

1227
00:38:56,680 --> 00:38:58,720
making sure that your

1228
00:38:58,720 --> 00:39:01,880
prepared to negotiate quickly is important

1229
00:39:02,080 --> 00:39:03,480
if you do want to engage,

1230
00:39:03,480 --> 00:39:04,600
if you do need to either

1231
00:39:04,600 --> 00:39:06,400
buy time or get additional information,

1232
00:39:06,400 --> 00:39:09,400
not engaging fast enough could well be the

1233
00:39:09,720 --> 00:39:10,280
you know,

1234
00:39:10,280 --> 00:39:12,240
you may well be beaten to the punch by the

1235
00:39:12,240 --> 00:39:13,160
the press and up.

1236
00:39:13,160 --> 00:39:14,880
Well, I hope that was all very useful.

1237
00:39:14,880 --> 00:39:16,320
And, thank you for joining us.

1238
00:39:16,320 --> 00:39:19,200
And we hope you will join us next time for the,

1239
00:39:19,200 --> 00:39:20,720
the next episode in the series.

1240
00:39:20,720 --> 00:39:21,560
Thank you very much.

1241
00:39:23,320 --> 00:39:24,360
Thank you for listening to

1242
00:39:24,360 --> 00:39:27,360
Risk Matters the DWF insurance podcast.

1243
00:39:27,400 --> 00:39:28,720
We hope you join us again soon

1244
00:39:28,720 --> 00:39:30,400
for future podcasts in our series.

Episode 3 part two

1
00:00:14,699 --> 00:00:18,202
What are the things that would encourage you to or make you think about engaging?

2
00:00:18,202 --> 00:00:21,865
Or are the things to weigh up, perhaps is the best way to put it.

3
00:00:21,865 --> 00:00:22,826
Yeah.

4
00:00:22,826 --> 00:00:23,606
So.

5
00:00:24,098 --> 00:00:31,264
I think it's useful to separate out the concept of engaging with the threat actor and
paying the ransom.

6
00:00:31,264 --> 00:00:33,265
know, they're two different things.

7
00:00:33,546 --> 00:00:40,371
And conceptually, sometimes organizations can take some time to accept that.

8
00:00:40,412 --> 00:00:46,117
They can have an allergic reaction to engaging with a threat actor because they think it's
akin to paying the ransom and it's not.

9
00:00:46,117 --> 00:00:52,642
So some of the reasons why you might decide to engage, you might want to

10
00:00:53,038 --> 00:00:54,359
play for a bit of time.

11
00:00:54,359 --> 00:01:01,823
That time might help you secure the environments, eradicate the threat actor from the
environment, cetera, sort your backups out.

12
00:01:02,303 --> 00:01:08,486
You might want to obtain proof of life, i .e., that they've actually got the data they
claim to have got.

13
00:01:08,887 --> 00:01:18,772
Another reason might be, it might help you with the process of attribution, knowing who
the threat actor actually is, perhaps during the negotiation.

14
00:01:19,493 --> 00:01:22,294
Further intel might arise which might help you.

15
00:01:22,638 --> 00:01:24,899
be more confident about that attribution.

16
00:01:25,400 --> 00:01:37,106
And then does attribution, so just as an aside, can that affect your strategy as well on
the basis of say, it's only too much like a hotel guide, but some are more reliable,

17
00:01:37,106 --> 00:01:38,257
better performers than others.

18
00:01:38,257 --> 00:01:51,044
that if you're dealing with someone who's got a poor reputation for returning data or
deleting data, bad reputation for dumping it, or a reputation for taking ransoms and then

19
00:01:51,044 --> 00:01:51,764
not.

20
00:01:52,114 --> 00:01:55,976
providing keys that will factor in.

21
00:01:56,497 --> 00:02:00,939
So if we're talking about, so there might be three reasons potentially why attribution
would be useful.

22
00:02:00,939 --> 00:02:08,444
First one would be sanctions and I'll let the two people I'm sitting with who are much
more qualified to talk about that than I am.

23
00:02:08,444 --> 00:02:12,566
But having an understanding of who they are around the sanctions point.

24
00:02:12,566 --> 00:02:15,428
The second, to help your containment efforts.

25
00:02:15,428 --> 00:02:19,854
Do we know this group or this sub entity within the as a service function they're working?

26
00:02:19,854 --> 00:02:22,025
Do we know that they like to get in via a certain way?

27
00:02:22,025 --> 00:02:24,776
Have we made sure that we've looked and locked that down?

28
00:02:25,897 --> 00:02:35,731
that mean that with that ransomware as a service, back in the day perhaps, if you saw a
particular style of operation of particular tools being deployed, you would say, know it's

29
00:02:35,731 --> 00:02:36,281
that group.

30
00:02:36,281 --> 00:02:44,315
Whereas now, because you've got that sort of franchise system, you might recognize the
tools, but it might not be the creator of the tools who's responsible.

31
00:02:44,315 --> 00:02:47,086
It might be someone who's rented them.

32
00:02:47,190 --> 00:02:51,694
That link is certainly less clear these days.

33
00:02:51,694 --> 00:02:53,355
It's a marketplace.

34
00:02:53,455 --> 00:02:53,775
Yeah.

35
00:02:53,775 --> 00:02:56,628
You've also got the idea of access brokers, haven't you?

36
00:02:56,628 --> 00:03:00,520
So people who just specialize in breaking in essentially.

37
00:03:00,921 --> 00:03:04,985
So once they've compromised in environments, that might be as far as they go.

38
00:03:04,985 --> 00:03:12,350
Then they'll sell that access to another party who will then deploy the ransomware and do
the extortion and so on.

39
00:03:12,491 --> 00:03:16,887
So Oli might be looking at the way someone's accessed the system, but that doesn't mean
that the person who...

40
00:03:16,887 --> 00:03:21,739
did that is a person who will ultimately be engaging with, who'd be making the demands.

41
00:03:21,739 --> 00:03:34,713
And you know, that circles back sometimes in an insurance sense because sometimes there'll
be a condition in the policy that, you know, a ransom payment under a policy might not be

42
00:03:34,713 --> 00:03:45,786
authorized unless you do know who the threat actor is because the insurance might not be
comfortable paying a ransom if that particular threat actor has got a track record of

43
00:03:45,858 --> 00:03:50,882
then not honoring the ransom payments and not giving you the data back, not deleting the
data.

44
00:03:51,903 --> 00:03:58,109
So there are insurance ramifications as well to the idea of attribution.

45
00:03:58,109 --> 00:04:03,974
And that third point there is critical, the point around trust, which I appreciate is a
slightly ridiculous statement.

46
00:04:03,974 --> 00:04:14,102
We're talking about how much can you trust someone that's ransomed your organization, but
it is something that you kind of have to walk up to in these cases.

47
00:04:14,146 --> 00:04:21,092
There are some things that you can trust reasonably, but they get complicated, like you
saying, they get messy.

48
00:04:21,092 --> 00:04:28,718
So there are lots of cases that Jamie and I have worked together where threat actors have
claimed to have stolen data and haven't.

49
00:04:28,718 --> 00:04:32,101
So that's probably not a thing that you can necessarily trust has happened.

50
00:04:32,101 --> 00:04:34,643
You wanna validate that, that's the proof of life.

51
00:04:34,803 --> 00:04:37,405
You wanna ask for a list of all the data.

52
00:04:37,465 --> 00:04:40,338
They should then hopefully give you a choice.

53
00:04:40,338 --> 00:04:43,350
We would like this file back to prove they have actually stolen it.

54
00:04:43,350 --> 00:04:44,490
kind of thing.

55
00:04:45,091 --> 00:04:51,116
What you can probably trust, they have a big incentive that if you pay them, that they're
going to give you the decryption keys.

56
00:04:51,116 --> 00:04:57,821
That's the business model and groups that don't do that don't last long because no one's
going to continue to pay them ransoms.

57
00:04:57,821 --> 00:05:07,428
Where that becomes messier is where either the encryption hasn't worked properly on your
system and therefore the decryption key doesn't work, or as we've seen quite a lot

58
00:05:07,428 --> 00:05:10,146
recently where this is a group that's currently being

59
00:05:10,146 --> 00:05:19,602
targeted by law enforcement, they might be going through some sort of takedown and you
make a payment on day one, they're gonna provide you the key, but suddenly the FBI has

60
00:05:19,602 --> 00:05:28,999
taken them down and they don't have access to the decryption keys or suddenly the parent
organization and the as a service other party aren't able to speak to each other and

61
00:05:28,999 --> 00:05:32,361
you've paid entity A, entity B wants the money.

62
00:05:32,481 --> 00:05:40,002
So where these things get messy, because this is ultimately a criminal enterprise, you
can't trust the outcome.

63
00:05:40,002 --> 00:05:44,755
you might be able to trust the incentives, but that these things get really complicated
very quickly.

64
00:05:44,755 --> 00:05:47,287
So there's an element where you have to keep up.

65
00:05:47,287 --> 00:05:49,439
But on sanctions and things like that, that's...

66
00:05:50,620 --> 00:05:52,021
Yeah, I mean...

67
00:05:52,241 --> 00:05:54,582
Nobody wants to pay a ransom, do they?

68
00:05:54,582 --> 00:05:57,003
Nobody wants to fuel that criminal enterprise.

69
00:05:57,003 --> 00:06:12,760
And obviously there's been lots of press recently, people like ICO, Law Society, publicly
making statements about how paying ransoms is frowned upon.

70
00:06:12,760 --> 00:06:20,653
However, if you are that business where you will literally go out of business unless you
can...

71
00:06:21,325 --> 00:06:35,257
recover your systems or perhaps if you are at hospital unless you can get your computer
systems back online which can support your medical devices then there's a life and death

72
00:06:35,257 --> 00:06:48,809
decision to be made then you can understand why in some cases payment of a ransom is the
only option so if you're a business in that position once you've taken that

73
00:06:49,071 --> 00:07:03,964
big decision or as part of the decision process, you need to know whether paying the
ransom, is it going to be lawful or are you going to commit a criminal offence potentially

74
00:07:03,964 --> 00:07:05,295
by paying the ransom?

75
00:07:05,295 --> 00:07:17,545
So just quickly, as a matter of first principles, making a ransom payment isn't unlawful
in the UK and many other jurisdictions.

76
00:07:17,839 --> 00:07:29,575
but you can unwittingly commit another offence by making the payment if, for example, the
person you are paying is a named entity on a sanctions list.

77
00:07:29,575 --> 00:07:36,499
So we're talking here principally in the UK about the OFSI list in the US, obviously it's
OFAC.

78
00:07:37,660 --> 00:07:44,183
So there's a process that needs to be worked through to understand whether the payment can
be made lawfully.

79
00:07:44,904 --> 00:07:47,985
And that usually looks something like...

80
00:07:48,079 --> 00:07:50,830
being really clear about attribution.

81
00:07:51,191 --> 00:07:57,475
So we knew we speak to Ollie, how certain are you Ollie, that the threat actor is so and
so?

82
00:07:57,475 --> 00:08:07,362
And obviously we'd look to push the sort of forensic experts to commit to that, ideally in
writing as to who the FET actor is.

83
00:08:07,522 --> 00:08:14,286
And also if there's you know, ransom negotiator on board, there'd be intel gained from
them too that go into the mix.

84
00:08:14,867 --> 00:08:17,679
Once we were as clear as we can be,

85
00:08:17,679 --> 00:08:25,817
and we had some confidence around who the threat actor is, that knowledge then enables you
to search against sanctions lists.

86
00:08:25,817 --> 00:08:32,840
there's a number of mitigations that the organisation can also perform to reduce that risk
even further.

87
00:08:32,840 --> 00:08:46,214
For example, notifying law enforcement, for example, speaking to OFAC or OFSI about what
you're thinking of doing, do they have any allergic reaction to it?

88
00:08:46,214 --> 00:08:51,875
know, documenting all of this, and that can all reduce the risk.

89
00:08:51,875 --> 00:09:01,638
You can never eliminate the risk in these situations, and that's made very clear in legal
advice, but you might be able to reduce it to an extent to which you can be.

90
00:09:01,840 --> 00:09:06,444
as comfortable as you can be in these sorts of unfortunate circumstances.

91
00:09:06,444 --> 00:09:15,850
you've got an idea from the instance you deal with of the MOs of various outfits and the
kinds of

92
00:09:16,963 --> 00:09:26,783
tools that are deployed and the way people go about things that will assist you in forming
a view as to who they likely or who the most likely sort of...

93
00:09:26,783 --> 00:09:27,783
100%.

94
00:09:27,783 --> 00:09:37,503
And it's one of the things that the industry is fairly good at, got a lot better at, which
is sharing information in these groups.

95
00:09:37,503 --> 00:09:46,359
So thankfully we all know that there are the really baddies and the ones that...

96
00:09:46,359 --> 00:09:50,462
you know, we're willing to tolerate slightly above some of the others.

97
00:09:50,462 --> 00:09:57,648
So identifying the ones that we absolutely want to make sure no one is paying any kind of
ransom to and want to, you know, get out of the system.

98
00:09:57,648 --> 00:10:01,830
Are there situations where you will actually go, that were these people before?

99
00:10:01,911 --> 00:10:02,391
Yeah.

100
00:10:02,391 --> 00:10:03,261
Yeah.

101
00:10:03,272 --> 00:10:09,296
and you know, it's funny, I've got colleagues that have, you know, thrown their arms out.

102
00:10:09,296 --> 00:10:13,339
It's the fifth one of these that I've dealt with in the last six months.

103
00:10:13,749 --> 00:10:18,082
Unfortunately, these things are slightly, you know, they go in campaigns, they go in wave.

104
00:10:18,082 --> 00:10:21,603
And I've had colleagues equally.

105
00:10:21,603 --> 00:10:29,687
It's happened to me as well, where I've had negotiations where I know that I've come off
one straight onto speaking to the same person again on the next incident.

106
00:10:29,687 --> 00:10:34,251
And I've known it's the same person because the language has been very similar.

107
00:10:34,251 --> 00:10:37,532
And I'm now in the situation where I'm making sure that my language isn't the same.

108
00:10:37,532 --> 00:10:42,336
I don't want them necessarily to know that it's the same person doing that kind of work as
well.

109
00:10:42,336 --> 00:10:52,501
is there a flip side as well to paying because if someone's going to leak the fact that
you paid, it's like other areas of crime perhaps, you've become a sort of repeat victim.

110
00:10:52,542 --> 00:10:59,885
Have you seen incidents where the bad guys come back for a second go because they think
having paid up once should pay up again?

111
00:11:01,166 --> 00:11:03,047
It's talked about a lot.

112
00:11:03,468 --> 00:11:06,309
I don't think it's borne out by the data.

113
00:11:06,621 --> 00:11:08,432
I mean, unfortunately, fortunately, I'm not sure.

114
00:11:08,432 --> 00:11:15,444
Yeah, so because people are just, made themselves, are post incident make themselves a bit
more resilient and learn from it pretty rapidly?

115
00:11:15,444 --> 00:11:16,124
Possibly that.

116
00:11:16,124 --> 00:11:18,845
I think also the targeting is quite broad.

117
00:11:18,845 --> 00:11:27,007
know, when we're talking about the kind of groups that are performing ransomware as a
service encryption, they're looking at entire sectors.

118
00:11:27,007 --> 00:11:34,749
If that, they're probably actually looking at everything on the internet and they're
trying to find the organizations with revenue over a certain amount.

119
00:11:35,629 --> 00:11:43,344
it doesn't really work in their favor to be saying, we're now gonna look at the, instead
of the however many hundred thousand million organizations that have over a hundred

120
00:11:43,344 --> 00:11:49,877
million in revenue, we're now gonna look at the thousand in the world that have paid a
ransom in the last year.

121
00:11:50,338 --> 00:11:52,158
The two don't marry up.

122
00:11:52,379 --> 00:12:03,301
In terms of pattern of victims, is there a tendency to focus on, I guess from an
attacker's point of view,

123
00:12:03,301 --> 00:12:13,608
bigger the organization, the bigger surface area, the more valuable, but the more likely
it is to have resilience and insurance and cyber response teams and preparedness.

124
00:12:13,788 --> 00:12:24,055
And then you scale down to tiny organizations that might not have many of those or any of
those things, but perhaps haven't got the funds to provide you with a ransom that makes it

125
00:12:24,055 --> 00:12:26,156
worth your while and there's everything in between.

126
00:12:26,877 --> 00:12:32,495
Is there a sort of, does it ebb and flow or is there a sort of a spread of attacks?

127
00:12:32,495 --> 00:12:37,248
It's certainly a spread I'd say, but both ends of the spectrum are covered.

128
00:12:38,210 --> 00:12:47,577
what you have is obviously a significant reconnaissance phase that the threat actors would
engage in to sort of understand the targets.

129
00:12:47,577 --> 00:12:58,446
And as part of that reconnaissance phase, they might already have intel about whether that
organization's insured, for example, that might factor into their decision -making.

130
00:12:59,307 --> 00:13:02,109
Or it might just be a certain sector of the market.

131
00:13:02,541 --> 00:13:12,828
Olly alluded to, I mean, a classic one in recent years, of course, has been law firms
themselves, know, convincing transactions, you always been right pickings for sort of BEC

132
00:13:12,828 --> 00:13:16,790
attacks and payment diversions and whatnot.

133
00:13:17,852 --> 00:13:19,834
So nobody's immune.

134
00:13:19,834 --> 00:13:20,915
I suppose.

135
00:13:21,059 --> 00:13:30,304
The only place where the targeting changes slightly is where we're talking about
organizations that might be legitimately targets of financially motivated nation states.

136
00:13:30,304 --> 00:13:33,696
Those are the groups that really are potentially looking at that.

137
00:13:33,696 --> 00:13:42,071
So if you're a financial institution that holds Bitcoin, then Lazarus are probably well
aware of most people that work in your IT teams.

138
00:13:42,071 --> 00:13:45,473
They're probably getting messages on LinkedIn on a fairly regular basis.

139
00:13:45,473 --> 00:13:48,114
That sort of targeting does happen.

140
00:13:48,114 --> 00:13:49,965
It's a small subset of

141
00:13:50,499 --> 00:13:53,470
organizations that are being targeted, but it is there.

142
00:13:53,470 --> 00:13:57,623
I think that that kind of thing is gonna happen more and more in the future,

143
00:13:57,623 --> 00:14:09,256
in terms of where we are at the moment, the things you're sort of actively sitting on your
to -do lists, is there anything that's sort of jumping out in terms of type of attack,

144
00:14:09,256 --> 00:14:15,068
where they're coming from, how they're evolving that you're able to share?

145
00:14:15,868 --> 00:14:21,590
So I've been saying the same thing for three years now, but ransomware is top of mind.

146
00:14:21,620 --> 00:14:26,052
I think has to be the principal risk for any organization that's thinking about
cybersecurity.

147
00:14:26,052 --> 00:14:28,133
It is getting more sophisticated.

148
00:14:28,133 --> 00:14:30,094
It's targeting basically everybody.

149
00:14:30,094 --> 00:14:37,016
If you've got any kind of presence on the internet or ability to be impacted, you're a
potential victim.

150
00:14:37,837 --> 00:14:39,698
It's extremely profitable.

151
00:14:39,698 --> 00:14:42,819
The amount of ransoms paid are still going up every year.

152
00:14:42,819 --> 00:14:47,201
We're seeing some improvement in terms of the resilience activities from lots of
organizations.

153
00:14:47,201 --> 00:14:50,998
Is the amount the overall sum that's being paid in ransoms or?

154
00:14:50,998 --> 00:14:54,698
the number of people who are paying up in terms of a percentage of people affected.

155
00:14:54,698 --> 00:15:02,178
It sounds like the amount is going up, but the resilience means that fewer people are
having to.

156
00:15:02,178 --> 00:15:12,078
So we're certainly seeing, so over the last two, three years, we've seen the number of
people pay go from sort of 60 % down to where we're sort of around 30%.

157
00:15:12,078 --> 00:15:13,918
So it's about half from our data.

158
00:15:13,918 --> 00:15:14,438
Yeah, yeah.

159
00:15:14,438 --> 00:15:16,158
So that's an important and.

160
00:15:16,158 --> 00:15:17,278
Yeah.

161
00:15:17,632 --> 00:15:24,704
Bearing in mind there could be some measurement bias or other things in there, but
certainly I think if you speak to anyone in this industry about what they're seeing from

162
00:15:24,704 --> 00:15:27,985
their victims, that's the case.

163
00:15:27,985 --> 00:15:33,426
The amounts are absolutely going up and I think the number of victims are also increasing.

164
00:15:33,687 --> 00:15:42,339
So that's why you're seeing the increase in overall payment going up, even though
organizations are better able to recover without having to pay.

165
00:15:42,339 --> 00:15:46,358
And does payment increase probably tie in with, I guess what I saying right at beginning
that

166
00:15:46,358 --> 00:15:50,338
the dependence, people's dependency on the kit has increased.

167
00:15:50,338 --> 00:15:59,598
And so the attackers are in that sort of better negotiating position because the
organization can't function because it's IT systems are locked up.

168
00:15:59,598 --> 00:16:01,018
Is that the bottom line?

169
00:16:01,018 --> 00:16:09,058
Partly, I wonder if there is this sort of an economic Pareto 80 -20 thing going on as well
where, know, threat actors are, you know, understanding that a certain number of people

170
00:16:09,058 --> 00:16:14,934
aren't going to have to pay, but some of them are going to have to pay and therefore
they're going to start off higher.

171
00:16:14,934 --> 00:16:16,764
they're not gonna negotiate down as much.

172
00:16:16,764 --> 00:16:22,194
It used to be that you'd start off with a $100 million ransom and you end up getting it
down to 10.

173
00:16:22,194 --> 00:16:24,194
That's happening less and less.

174
00:16:24,194 --> 00:16:33,714
Threat groups are being much more controlled about what discounts are allowed within,
before they're...

175
00:16:33,714 --> 00:16:42,494
Yeah, it's almost like the thing Jamie was talking about that, the professionalism of the
threat actors is seeping through, not just from the early days when the focus might have

176
00:16:42,494 --> 00:16:44,502
been on the tools they deployed.

177
00:16:44,502 --> 00:16:59,242
to attack someone, now to that whole strategic comms piece, to even their negotiators are
now more experienced, more capable, more sort of, they've got a thought out approach that

178
00:16:59,242 --> 00:17:00,422
perhaps they didn't have early on.

179
00:17:00,422 --> 00:17:08,942
And I suppose just before I let Jamie give his, also the importance of understanding that
sort of data theft element of this as well.

180
00:17:08,942 --> 00:17:13,812
So we've seen in the last 12 to 18 months, a couple of very large.

181
00:17:13,812 --> 00:17:24,957
supply chain attacks, so targeting a central software vendor that has given access to lots
of organizations' data and then trying to get some kind of ransom off all of those.

182
00:17:24,957 --> 00:17:29,689
I think that that proved to be pretty profitable for the organization that did it.

183
00:17:29,689 --> 00:17:31,349
I think that we'll see more of that in future.

184
00:17:31,349 --> 00:17:32,490
There's a bit of an outlay.

185
00:17:32,490 --> 00:17:36,091
You've got to find your zero day, your vulnerability for that kind of vendor.

186
00:17:36,212 --> 00:17:42,294
So those vendors are likely to be, I don't know, the cloud service providers, they're
likely to be.

187
00:17:42,326 --> 00:17:47,276
as good as they can be and to be very aware of the importance of their IT security.

188
00:17:47,276 --> 00:17:51,986
But if you crack one, you've hit a gold You've got 5 ,000 organisations.

189
00:17:52,846 --> 00:17:55,796
Yeah, it's the idea of a sort watering hole attack, isn't it?

190
00:17:55,796 --> 00:18:00,236
know, lots of people drinking out of the same fountain or watering hole.

191
00:18:00,236 --> 00:18:06,886
If you hit the watering hole, then you can potentially get a lot of victims in one sort of
foul swoop.

192
00:18:06,886 --> 00:18:12,378
I think what I'd say in terms of what we see most often on the books at the moment

193
00:18:12,786 --> 00:18:17,968
is ransomware attacks that have just skipped the encryption elements.

194
00:18:18,348 --> 00:18:29,533
So it's the same old ransomware groups who are perpetrating the attacks, but rather than
going to the trouble of encrypting the organization systems, they are simply sneaking in,

195
00:18:29,693 --> 00:18:37,776
exfiltrating the data, and then ransoming the victim because of the data theft and the
threat of leaking.

196
00:18:38,337 --> 00:18:42,458
I think that's an acknowledgement of

197
00:18:42,710 --> 00:18:44,430
people having better backups.

198
00:18:44,951 --> 00:18:49,732
And it's also partly, I think, for factors just making growing lives easier.

199
00:18:50,412 --> 00:18:59,815
Obviously they have seen a return from people paying ransoms because of leaking threats,
threats of leaking data.

200
00:18:59,815 --> 00:19:01,916
So it certainly works.

201
00:19:03,697 --> 00:19:07,819
So that is something that we see more and more and seems to be a sort of continuing trend.

202
00:19:07,819 --> 00:19:18,006
have you seen, sort of, in terms of, say, who the threat actors are, where they're based,
any changes over the last sort three, four, five years?

203
00:19:18,006 --> 00:19:21,538
Is it a reliable pool of...

204
00:19:23,436 --> 00:19:28,128
teams or locations where we would sort of see attacks coming from?

205
00:19:28,128 --> 00:19:38,982
Generally, I think we saw a bit of a complicated situation during the most recent outbreak
of conflict in Ukraine because you suddenly had people that were used to be working

206
00:19:38,982 --> 00:19:41,634
together with the suddenly on opposite sides of conflict line.

207
00:19:41,634 --> 00:19:44,855
So that created some tension in groups.

208
00:19:44,855 --> 00:19:50,297
didn't last particularly long, but I think it did see, we saw a drop off in the number of
ransomware events.

209
00:19:52,620 --> 00:19:56,961
broadly where these attacks are coming from is pretty consistent.

210
00:19:56,961 --> 00:20:00,651
But that's because I think they're linked to sort of economic drivers.

211
00:20:00,651 --> 00:20:07,994
These are generally people that are relatively well educated in places where they can't
find good employment in legitimate industries.

212
00:20:07,994 --> 00:20:11,105
People don't become criminals tomorrow because they've got good jobs.

213
00:20:11,105 --> 00:20:17,697
They have it because they don't have another outlet for that kind of expertise, I suppose,
in general.

214
00:20:18,917 --> 00:20:19,508
agree with that.

215
00:20:19,508 --> 00:20:21,186
It's largely the same.

216
00:20:21,186 --> 00:20:23,707
countries that we've always been dealing with.

217
00:20:23,827 --> 00:20:25,207
We all know who they are.

218
00:20:25,948 --> 00:20:27,589
Name and shame.

219
00:20:27,589 --> 00:20:36,512
But then I guess that brings me then on to against that backdrop, what do we see coming
down the pipeline, so to speak?

220
00:20:36,512 --> 00:20:44,596
I one of the things I'll throw in straight away is obviously because it's something
everyone's talking about things that AI is acting to affect things.

221
00:20:44,596 --> 00:20:50,368
I've seen a fair amount of material around and understandably perhaps because

222
00:20:50,368 --> 00:20:59,847
organizations just apocryphally talk to friends, are finding that AI has been very good on
things like customer complaints processes, customer interaction, but it doesn't take a

223
00:20:59,847 --> 00:21:07,584
genius to think, well actually, we could fine tune that for phishing attacks, we could
fine tune it for that sort of.

224
00:21:09,122 --> 00:21:18,886
groundwork of trying to solicit information from organisations, from individuals, try and
get passwords or details, all the kind of things that might make an attack easier.

225
00:21:19,206 --> 00:21:28,189
Do either of see AI having a role in being deployed by, well, on the good guy side or the
threat actor side going forward?

226
00:21:28,550 --> 00:21:38,912
Yeah, I'll give you a quick comment on AI and I'll mention what perhaps is coming down the
tracks as it were, on AI generally.

227
00:21:38,912 --> 00:21:44,206
I think it's still too early to say that we're detecting any real patterns by threat
actors.

228
00:21:45,387 --> 00:21:47,379
I think they're still getting to grips with this as well.

229
00:21:47,379 --> 00:21:50,611
also, their existing methods work.

230
00:21:51,412 --> 00:21:54,074
why, if it's not broke, don't fix it sort of thing.

231
00:21:55,176 --> 00:22:04,563
But there have certainly been cases and reports when it comes to ransom negotiations,
threat actors are starting to deploy.

232
00:22:04,563 --> 00:22:06,404
And again, this is anecdotal.

233
00:22:08,050 --> 00:22:12,391
AI powered chat bots in place of a live negotiator.

234
00:22:12,651 --> 00:22:19,303
So you the victim are having to try and negotiate with an AI chat bot, which can't make it
any easier.

235
00:22:19,303 --> 00:22:24,934
So that's one example.

236
00:22:25,215 --> 00:22:37,218
And also, there's an interesting paper recently from, I think it was the University of
Illinois, who had developed a GPT -4 powered

237
00:22:39,229 --> 00:22:52,930
autonomous SQL injection bot that would just, without any human intervention at all,
deploy SQL injection attacks, like complicated ones, which I think had sort of 38

238
00:22:52,930 --> 00:22:54,630
different steps to them.

239
00:22:54,870 --> 00:23:00,690
And yet this system using CHAP GPT -4 could do that, pump those attacks out.

240
00:23:00,710 --> 00:23:05,300
And I think they worked out that it was something like a 70 % success rate.

241
00:23:05,300 --> 00:23:06,176
Wow.

242
00:23:06,431 --> 00:23:17,618
And it cost us the it cost it literally a few dollars per attack so it's not hope that
doesn't foretell the future in terms of what might be coming down the track, but One of

243
00:23:17,618 --> 00:23:22,234
the most interesting stories I saw recently was was this

244
00:23:23,996 --> 00:23:33,633
idea that the UK might, UK governments might be on the verge of launching a consultation
about whether ransom payments should be licensed.

245
00:23:34,614 --> 00:23:40,178
Now there wasn't much detail at all about how that would work or who would do the
licensing.

246
00:23:40,178 --> 00:23:50,826
I presume that OFSI and at the same time or similar time there was a cyber review
completed by Stephen McPartland MP.

247
00:23:51,466 --> 00:23:57,768
And one of the outputs from that was to call for mandatory ransomware payment reporting.

248
00:23:57,788 --> 00:24:03,529
That's something they have in the States now under the CIRCIA legislation.

249
00:24:03,610 --> 00:24:07,491
If you're designated as a critical infrastructure.

250
00:24:08,351 --> 00:24:09,861
But I understand Mr.

251
00:24:09,861 --> 00:24:15,073
McPartland's one of the recent casualties who's resigned from the Conservatives.

252
00:24:15,073 --> 00:24:18,374
So think that's going to fall by the wayside along with a few other...

253
00:24:18,964 --> 00:24:20,135
initiatives.

254
00:24:20,135 --> 00:24:24,759
So, you know, there's a political element to this in terms of what the government's going
to do about anything.

255
00:24:24,759 --> 00:24:29,764
Yeah, that obviously feeds into our world in terms of legal and regulatory.

256
00:24:29,764 --> 00:24:34,047
Well, DPDI Bill was another casualty, wasn't it, recently?

257
00:24:34,548 --> 00:24:40,794
Anything on your radar in terms of what might be coming down the line?

258
00:24:40,794 --> 00:24:41,224
You're right.

259
00:24:41,224 --> 00:24:43,596
think AI is interesting.

260
00:24:45,428 --> 00:24:46,388
It is a double -edged sword.

261
00:24:46,388 --> 00:24:56,142
It's a classic double -edged sword in that it brings so much to the party that those
organizations that can engage with it, that do implement it properly to run parts of their

262
00:24:56,142 --> 00:25:04,045
security, are going to almost essentially wipe out old school versions of certain types of
cybercrime.

263
00:25:04,126 --> 00:25:11,249
So AI is really quite good at spotting things like phishing emails or particularly sort of
whaling emails.

264
00:25:11,249 --> 00:25:15,030
The ability to sort of train it on that kind of data and for it to spot it is...

265
00:25:15,166 --> 00:25:17,668
It's really, really good at that already.

266
00:25:18,529 --> 00:25:26,226
Obviously what that means is that those organizations that do that, it'll go away and then
there'll be a whole load of others where suddenly you've got the chatbots that are being

267
00:25:26,226 --> 00:25:35,634
written to sort of scrape LinkedIn profiles and write really convincing phishing emails
for almost no money at all are going to be targeted at those that haven't engaged, haven't

268
00:25:35,634 --> 00:25:38,887
bought, can't afford that kind of technology.

269
00:25:38,887 --> 00:25:42,764
Almost like what we saw, I would say, sort of four or five years ago with

270
00:25:42,764 --> 00:25:49,066
sort of a huge number of BEC events when everyone moved to cloud email from on -prem email
exchanges.

271
00:25:49,066 --> 00:25:55,548
And I don't know what you saw, but it was a large number of those kind of BEC events with
fraud.

272
00:25:55,548 --> 00:26:01,359
So just for the audience benefit, it might be worth just expanding what that looks like
and what it is.

273
00:26:01,359 --> 00:26:06,321
So around five years ago, there was this big adoption of cloud email.

274
00:26:06,321 --> 00:26:10,742
So everyone went from having an email server inside their environment that you all logged
into and that worked.

275
00:26:10,742 --> 00:26:11,982
And suddenly,

276
00:26:12,002 --> 00:26:19,022
everyone realized it was much cheaper and more effective to use Microsoft 365 or G Suite
or one of the others.

277
00:26:19,922 --> 00:26:28,142
Threat actors realized that this meant that you needed one login platform as long as you
got someone's email address and their password, you could log in with their email and

278
00:26:28,142 --> 00:26:35,962
download all of the mailboxes, get in the middle of all of the conveyancing transactions,
if that was an example, but essentially any email chain where you were trying to get

279
00:26:35,962 --> 00:26:38,642
someone to put a large amount of money in a bank account.

280
00:26:39,050 --> 00:26:46,904
If you were able to find that in a mailbox somewhere, you were able to hide the
communication from whoever was actually meant to be on that email, redirect that money to

281
00:26:46,904 --> 00:26:48,796
your own bank account and move on.

282
00:26:49,039 --> 00:27:00,939
a good example I think of the school of thought that know cyber criminals often wait until
software has a certain degree of market saturation point before they will invest the time

283
00:27:00,939 --> 00:27:04,339
and energy to compromise it.

284
00:27:04,639 --> 00:27:12,345
MS 365 is a good example of that and you might say there's a similar case can be made for
certain types of AI.

285
00:27:12,549 --> 00:27:25,487
So if a dominant AI platform merges that lots of businesses start to deploy, then I think
at that point we can see on a much bigger scale, threat actors try and target that.

286
00:27:26,589 --> 00:27:27,851
Yeah, definitely.

287
00:27:27,851 --> 00:27:34,633
And now with the next sort of evolutionary cycle, there are different pieces of kit and
tools that people are using.

288
00:27:34,633 --> 00:27:42,179
And it sounds like you would be looking at the use of AI from a defense point of view,
Ollie, but equally you're

289
00:27:42,179 --> 00:27:47,840
sort of the people you're having to engage with would be using it for an offensive
purposes.

290
00:27:47,901 --> 00:27:52,402
Yeah, and I think the defenders are making better use of AI now.

291
00:27:52,402 --> 00:27:56,223
I think that there are sort of notional use cases for threat actors.

292
00:27:56,223 --> 00:27:58,184
It's not very good at writing malware.

293
00:27:58,184 --> 00:28:03,285
It is quite good at writing a phishing email, but obviously it's also good at finding a
phishing email as well.

294
00:28:03,525 --> 00:28:10,887
So finding those sort of asymmetric points where the threat actor can use that advantage,
they only need to be right once kind of thing is...

295
00:28:10,971 --> 00:28:12,831
That's where it's going to tell.

296
00:28:13,211 --> 00:28:22,351
think another area where things are going to change is we're already seeing this, and
we've sort of talked about it a bit, but the world is going to get a lot messier over the

297
00:28:22,351 --> 00:28:25,351
next 12, 24, 36 months.

298
00:28:26,351 --> 00:28:34,831
The NCSC, the FBI, the Australian federal authorities are being much more proactive in
what they're doing against these groups.

299
00:28:34,831 --> 00:28:37,264
And the reaction to that is...

300
00:28:37,453 --> 00:28:45,249
is a marketplace that isn't as well defined, is not really knowing who you're dealing with
and losing negotiations part way through because someone's been impacted.

301
00:28:45,249 --> 00:28:50,183
So I think that in the long term, I suspect that's a good thing.

302
00:28:50,183 --> 00:28:57,759
We all want to work in a world where I'd love to go back to network engineering rather
than necessarily doing incident response because it was no longer a thing anymore.

303
00:28:57,759 --> 00:28:59,780
I think we're a long way off that.

304
00:29:00,060 --> 00:29:03,803
But I do think that it's going to get more.

305
00:29:03,803 --> 00:29:09,047
painful to deal with these kind of things from that perspective, at least in the short
term, whilst they figure out what's going on.

306
00:29:09,047 --> 00:29:20,865
And I guess sort of following on from that perhaps just as a final takeaway perhaps, if
you were sort of had the opportunity to say to organisations who are listening, here are a

307
00:29:20,865 --> 00:29:27,880
few things I suggest you do to make yourself a bit more resilient in the next year, the
next two years.

308
00:29:27,880 --> 00:29:32,083
What would be your sort of shopping list, so to speak?

309
00:29:32,827 --> 00:29:34,887
For me it's all in the preparation.

310
00:29:35,067 --> 00:29:37,847
As they say, practice makes perfect.

311
00:29:38,287 --> 00:29:43,507
Having an incident response plan that is actually effective.

312
00:29:43,647 --> 00:29:46,407
not a 40 or 50 page plan that looks nice.

313
00:29:46,407 --> 00:29:49,767
And it's filed in the cabinet somewhere that no Yeah, gathering dust.

314
00:29:50,047 --> 00:29:53,927
But one that actually is going to be helpful to the C -suite.

315
00:29:53,927 --> 00:29:57,087
And it's more about communication and coordination.

316
00:29:57,087 --> 00:29:58,047
That's what they need.

317
00:29:58,047 --> 00:30:00,267
How are the different business units going to interact?

318
00:30:00,267 --> 00:30:01,967
Who's going to take the lead?

319
00:30:01,967 --> 00:30:11,351
that's the sort of plan that you need to having that plan in place, a good plan and then
thoroughly testing that plan against a range of different scenarios not just once but on a

320
00:30:11,351 --> 00:30:13,932
regular basis, certainly perhaps annually.

321
00:30:14,412 --> 00:30:18,554
That would be my biggest bang for your buck takeaway.

322
00:30:19,614 --> 00:30:24,546
And I would completely agree but given that that's a boring answer and there needs to be
two.

323
00:30:24,546 --> 00:30:25,777
I'd say we need a bit of disharmony.

324
00:30:25,777 --> 00:30:31,499
Normally we get two lawyers at least in a room we can have a bit of a dust up but if
harmony is broken out that's tremendous.

325
00:30:32,287 --> 00:30:32,987
Rigor.

326
00:30:32,987 --> 00:30:41,947
So from a technical perspective, I think there's a lot of focus and I appreciate that I've
just spent some time talking about the benefits of AI controls, but I think that

327
00:30:41,947 --> 00:30:51,167
organisations focusing on the basics, making sure that you're doing, you've got patching
in place, making sure that you've got multi -factor on emails, that the basics are going

328
00:30:51,167 --> 00:30:53,727
to stop 99 % of these kind of threats.

329
00:30:53,727 --> 00:30:59,287
And also, as an aside, the private may have all the coverage work I have to do, which
would be great.

330
00:30:59,287 --> 00:31:00,123
But we don't.

331
00:31:00,123 --> 00:31:04,486
At end of the day, I don't think the market wants coverage issues and policyholders don't
want them.

332
00:31:04,486 --> 00:31:14,763
So if people can do all those things, then that would be tremendous as well, because then
you don't have to run into any of the fights you might otherwise have, because the system

333
00:31:14,763 --> 00:31:16,764
hasn't been patched and has been compromised as a result.

334
00:31:16,764 --> 00:31:20,337
that would be fab news on my side as well.

335
00:31:20,337 --> 00:31:21,217
Sorry, I interrupted.

336
00:31:21,217 --> 00:31:30,063
Is there anything else on the, so all those traditional things, the patching, the making
sure the systems are up to speed, the.

337
00:31:30,145 --> 00:31:33,357
MFA when you can, backups, are they still...

338
00:31:33,418 --> 00:31:35,979
Making sure you're logging and monitoring stuff.

339
00:31:36,640 --> 00:31:41,463
Exactly, it's those things that feel basic and boring.

340
00:31:41,463 --> 00:31:47,928
And I fully understand, know, I've managed a network, I've sat in those seats, it's nice
to talk about the interesting stuff.

341
00:31:47,928 --> 00:31:53,872
But ultimately, if you do the basics right, you're probably not gonna have a problem.

342
00:31:54,273 --> 00:31:57,786
What a sensible note to perhaps wrap up on.

343
00:31:57,786 --> 00:32:04,843
I hope that was all very useful and thank you for joining us and we hope you will join us
next time for the next episode in the series.

344
00:32:04,843 --> 00:32:06,143
Thank you very much.

Legal Services

Legal Operations

Business Services

Solutions

Commentary

Latest

Resources

Cyber Incident Response

Listen to the podcast

Subscribe to Risk Matters via Apple Podcasts and Spotify

Audio Transcripts

Watch the video

Previous episodes

Key contacts

Tim Smith

Jamie Taylor

Further Reading

Legal Services

Legal Operations

Business Services

Solutions

Commentary

Latest

Resources

Legal Services

Legal Operations

Business Services

Solutions

Commentary

Latest

Resources

Cyber Incident Response

Listen to the podcast

Subscribe to Risk Matters via Apple Podcasts and Spotify

Audio Transcripts

Watch the video

Previous episodes

Key contacts

Tim Smith

Jamie Taylor

Related Sectors

Related Services

Further Reading