Our Ransomware Panelists Answer Your Questions

Charles Carmakal, SVP & CTO at FireEye Mandiant, Jonathan Holmes, Supervisory Special Agent at FBI Cyber – Major Cyber Crimes Unit, Teresa Tonthat, Vice President of IT & CISO at Texas Children’s, and Thomas Millar, Senior Advisor at Cybersecurity and Infrastructure Security Agency (CISA) collaborated to answer viewer questions from our latest webinar, “Don’t Be Held Up for Ransom(ware)”. If you missed this webinar or would like to watch it again, you can view it below.

What are one or two of the top strategies (at a high level), that organizations can implement to drastically lower their risk of a successful ransomware attack?

At a high level, organizations should do the following:

1. Reduce their attack surface (e.g. MFA on remote access, patch Internet-facing systems, and strong DMZ controls).

2. Minimize credential exposure when on systems (e.g. disabling wdigest, Protected Users Security Group).

3. Minimize lateral movement within the internal network.

More technical details can be found here.
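The two credential-exposure controls named in point 2 can be audited and enforced from PowerShell. The script below is an added example written for this page, not code from the webinar or its panelists; it assumes Windows with administrative rights and, for the group check, the ActiveDirectory RSAT module, and the account names passed in are constructed placeholders.

```powershell
# Added example: audit and remediate WDigest caching, and check which
# privileged accounts are not yet in the Protected Users group.
# Assumptions: Windows host with admin rights; ActiveDirectory module present.

$wdigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Test-WDigestDisabled {
    # On Windows 8.1 / Server 2012 R2 and later (and on older systems with
    # KB2871997 applied), LSASS keeps plaintext credentials for WDigest only
    # if UseLogonCredential is explicitly 1. Absent or 0 is the secure state.
    $value = (Get-ItemProperty -Path $wdigestPath -Name UseLogonCredential `
              -ErrorAction SilentlyContinue).UseLogonCredential
    if ($null -eq $value) {
        return [pscustomobject]@{ Setting = 'not set (default: disabled)'; Disabled = $true }
    }
    return [pscustomobject]@{ Setting = $value; Disabled = ($value -eq 0) }
}

function Disable-WDigest {
    # Remediation: pin the value to 0. Affects new logons, not sessions
    # already cached in LSASS, so a reboot completes the change.
    if (-not (Test-Path $wdigestPath)) { New-Item -Path $wdigestPath -Force | Out-Null }
    Set-ItemProperty -Path $wdigestPath -Name UseLogonCredential -Value 0 -Type DWord
}

function Get-AccountsMissingProtectedUsers {
    param([Parameter(Mandatory)][string[]]$Accounts)
    # Protected Users members cannot use NTLM, WDigest or DES/RC4 Kerberos,
    # and their credentials are not cached on the host. Intended for human
    # privileged accounts only; do not add service or computer accounts.
    $members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
               Select-Object -ExpandProperty SamAccountName
    foreach ($acct in $Accounts) {
        if ($members -notcontains $acct) { $acct }   # emit the gaps
    }
}

# Usage: check the local host, fix it if needed, then report admin accounts
# still outside Protected Users. Account names below are constructed samples.
$audit = Test-WDigestDisabled
Write-Output "WDigest UseLogonCredential: $($audit.Setting)"
if (-not $audit.Disabled) { Disable-WDigest }
Get-AccountsMissingProtectedUsers -Accounts @('da-admin01', 'tier0-ops02')
```

Run the audit portion across a fleet (for example via Invoke-Command) before enabling remediation, so any host still relying on WDigest is identified rather than silently broken.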

What is the likelihood that bad actors will start to sell information about how to breach the victim companies, so that even if they don't do it again, someone else gets a head start on doing it?

It is possible that some actors will publicize details of how they breached organizations, likely to further embarrass victims. However, the same general approach is used to break into organizations over and over, so it's well documented.

At times it appears as though communication with the FBI is a one-way street where private organizations provide but we don’t get robust context or actionable information in return. I understand that a lot of this is due to confidentiality, but how can we make collaboration with the FBI more valuable bi-directionally to get ahead of these campaigns?

While organizations may not see immediate results, the FBI has had several positive outcomes with respect to indictments, arrests, and other actions that have helped organizations over the long term.

Charles, while I generally agree with your view on "Pay or not Pay," I still lean towards not paying. Why? Because I am not a believer in the trustworthiness of criminals. As you later mentioned, there will still be backdoors, they still have a copy of your data, and there is no guarantee that they will provide the decryption keys. What are your thoughts on this?

I agree, you can only trust threat actors so much. Before paying an actor, we look at historical track records with actors. Have they provided working decryption tools? Have they published data after being paid? Etc. You will also ask the threat actor for proof of working decryption tools (i.e. you provide them with a sample of encrypted data to decrypt) or a list of the files that were stolen. Those data points are considered as part of the payment evaluation process. And yes, I do agree that threat actors are criminals, and they can go back on their word at any time.

What should a company do when they realize they have no option but to pay the ransom? What’s the first step they should take, and can you name a few entities who they should reach out to first? How should they approach such entities (especially when there is no prior engagement)?

They should seek advice from the experts: legal, forensics, negotiator, and law enforcement. Let me know if you'd like specific recommendations of firms that can help.

What is the approximate frequency of Ransomware attacks?

We are aware of multiple intrusions almost every single day.

If you enjoyed this webinar, be sure to visit Second Thursdays for other great cybersecurity webinars.
