Our Ransomware Panelists Answer Your Questions

CISO Interviews, Featured

Charles Carmakal, SVP & CTO at FireEye Mandiant, Jonathan Holmes, Supervisory Special Agent at FBI Cyber – Major Cyber Crimes Unit, Teresa Tonthat, Vice President of IT & CISO at Texas Children’s, and Thomas Millar, Senior Advisor at Cybersecurity and Infrastructure Security Agency (CISA) collaborated to answer viewer questions from our latest webinar, “Don’t Be Held Up for Ransom(ware)”. If you missed this webinar or would like to watch it again, you can view it below.

What are one or two of the top strategies (at a high level), that organizations can implement to drastically lower their risk of a successful ransomware attack?

At a high level, organizations should do the following:

1. Reduce their attack surface (e.g. MFA on remote access, patch Internet-facing systems, and strong DMZ controls)

2. Minimize credential exposure when on systems (e.g. disabling WDigest, Protected Users security group)

3. Minimize lateral movement within the internal network.

More technical details can be found here.
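The second strategy above names two concrete Windows controls: turning off WDigest plaintext credential caching and placing privileged accounts in the Protected Users group. The following PowerShell is an added example, not code from the panelists, the webinar or any of their organizations; it audits both controls on a domain-joined Windows host. It assumes the RSAT ActiveDirectory module is installed for the group checks; the registry path and the UseLogonCredential value name are the documented ones. The list of privileged groups to compare against Protected Users is an assumption and should be adjusted to the environment.

```powershell
# Added example (not from the panel): audit and enforce the credential-exposure
# controls mentioned in the answer above on a Windows host.
# Assumptions: domain-joined host, RSAT ActiveDirectory module available,
# run with local administrator rights for the registry change.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Test-WDigestDisabled {
    # UseLogonCredential = 0 stops LSASS from keeping plaintext credentials for WDigest.
    # The value is only treated as safe when it is present and explicitly 0; an absent
    # value means "not explicitly disabled" because the default differs by OS version
    # (off on Windows 8.1 / Server 2012 R2 and later, on for older systems with KB2871997).
    $value = Get-ItemProperty -Path $WDigestKey -Name 'UseLogonCredential' -ErrorAction SilentlyContinue
    if ($null -eq $value) { return $false }
    return ($value.UseLogonCredential -eq 0)
}

function Disable-WDigestCaching {
    # Setting the value explicitly to 0 is safe on every supported version.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    Set-ItemProperty -Path $WDigestKey -Name 'UseLogonCredential' -Value 0 -Type DWord
}

function Get-PrivilegedAccountsNotProtected {
    # Privileged accounts that are not members of Protected Users still leave reusable
    # credential material (NTLM hashes, unconstrained delegation tickets) on hosts they log on to.
    # The group list below is an assumption; extend it with the environment's own admin groups.
    Import-Module ActiveDirectory
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    $privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName -Unique
    $privileged | Where-Object { $protected -notcontains $_ }
}

# Usage: report and remediate WDigest, then list privileged accounts still outside Protected Users.
if (-not (Test-WDigestDisabled)) {
    Write-Warning 'WDigest credential caching is not explicitly disabled; setting UseLogonCredential = 0.'
    Disable-WDigestCaching
}
Get-PrivilegedAccountsNotProtected | ForEach-Object { Write-Output "Not in Protected Users: $_" }
```

Adding an account to Protected Users disables NTLM, DES/RC4 Kerberos and delegation for it, so test service and break-glass accounts before enforcing membership broadly; the audit function only reports, it does not change group membership.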

What is the likelihood that bad actors will start to sell information about how to breach the victim companies, so that even if they don't do it again, someone else gets a head start on doing it?

It is possible that some actors will publicize details of how they breached organizations, likely to further embarrass victims. However, the same general approach is used to break into organizations over and over, so it's well documented.

At times it appears as though communication with the FBI is a one-way street where private organizations provide but we don’t get robust context or actionable information in return. I understand that a lot of this is due to confidentiality, but how can we make collaboration with the FBI more valuable bi-directionally to get ahead of these campaigns?

While organizations may not see immediate results, the FBI has had several positive outcomes with respect to indictments, arrests, and other actions that have helped organizations over the long term.

Charles, while I generally agree with your view on "Pay or not Pay," I still lean towards not paying. Why? Because I am not a believer in the trustworthiness of criminals. As you later mentioned, there will still be backdoors, they still have a copy of your data, and there is no guarantee that they will provide the decryption keys. What are your thoughts on this?

I agree, you can only trust threat actors so much. Before paying an actor, we look at historical track records with actors. Have they provided working decryption tools? Have they published data after being paid? Etc. You will also ask the threat actor for proof of working decryption tools (i.e. you provide them with a sample of encrypted data to decrypt) or a list of the files that were stolen. Those data points are considered as part of the payment evaluation process. And yes, I do agree that threat actors are criminals, and they can go back on their word at any time.

What should a company do when they realize they have no option but to pay the ransom? What’s the first step they should take, and can you name a few entities who they should reach out to first? How should they approach such entities (especially when there is no prior engagement)?

They should seek advice from the experts: legal, forensics, negotiator, and law enforcement. Let me know if you'd like specific recommendations of firms that can help.

What is the approximate frequency of Ransomware attacks?

We are aware of multiple intrusions almost every single day.

If you enjoyed this webinar, be sure to visit Second Thursdays for other great cybersecurity webinars.
