Decoding Cyber Risks: Five Hot Cyber Topics – Questions and Answers

[00:00:00] Lisa Frist: Hi everybody. And welcome to McGriff decoding cyber series. Today, we will be discussing some cyber hot topics with Johnny Lee of Grant Thornton. I am Lisa Frist. I am a claims advocate and account executive in our executive risk advisors team in Atlanta. Johnny, just to start, could you give us a brief introduction of Grant Thorton and as well as yourself and what you do there?

[00:00:35] Johnny Lee: Happy too. Good to be with you, Lisa. I appreciate it. Grant Thorton is the fifth largest accounting and advisory firm in the world. We were in about 150 countries, just under 60,000 headcount globally. And I am in the advisory practice, which is what everyone else calls consulting, and specifically within the forensics practice of that consulting arm and our team, forensic technology, focuses on the use of applied technology to forensic agendas, which are typically investigative in nature and illustrated nicely by the reason we're talking, which is sort of the intersection of cyber security and forensics.

So our team is the firms incident response team that deploys when, when our clients have bad news and need to respond and investigate into cyber incidents.

[00:01:29] Lisa Frist: Thank you so much for that background. I know that your services are utilized by many companies these days, as we have seen seen the cyber attacks continue.

Okay. And now for the fun part of the presentation today, we have five hot topics in the cyber world that we are going to ask our expert today, Johnny Lee of Grant Thorton. So first question. Johnny. What is some advice that you would give to a client who has not yet experienced a cyber security attack, but really wants to be prepared to potentially navigate one and what can they do ahead of time to kind of prepare for that worst case scenario? Some of the events that we've all seen in the news.

[00:02:18] Johnny Lee: Well, thanks for the question. It seems like the questions lately and by lately, I mean over the last two years or, or more, it's certainly the bulk of my presentations to boards and audit committees.

That that is the question I get asked. And I think, you know, at a high level organizations who are truly resilient, those that are capable of withstanding an incident are are those that treat cyber security, like an enterprise risk phenomenon. And by that, I mean, they don't relegate it to an IT domain as an issue.

So I know that's very broad advice, but I think it's really crucial that companies try and encapsulate or, or at least contextualize the risk for what it is, which is, it includes multiple disciplines. It includes lots of different systems. It includes third parties, partners, vendors, suppliers, customers.

And if you're not contemplating that from an enterprise perspective and treating it specifically like a technological phenomenon, you're definitely going to be less resilient than you could be. So that's the, that's the sort of governance answer to the question. In terms of preparedness on the more technological level, I would say that it, it has been an interesting evolution, right?

We could probably spend the full 20 minutes on this question, but I won't, we are seeing one particular advancement around endpoint detection and response as a really meaningful, almost game-changing way to be more prepared and to make the, the duration and intensity of an attack, less severe. And that, that endpoint detection and response technology is today.

What antivirus was just three or four years ago, it's sort of the mandatory minimum. And so if companies were to make one technological investment, I would say it would be in that. But to my earlier point, the investments really should be more than technological. They should be training and awareness oriented.

They should be involving IT and finance and HR and legal and, and the various operational domains of the company to ensure that there's a plan and everyone's clear about their roles and their responsibilities when the flare is in the air. And that extends to how they work with their underwriters and how they work with their third party specialists.

[00:04:47] Lisa Frist: And let me ask one kind of follow-up to the first question. I know we hear a lot about incident response plans and companies kind of having those ahead of time. Would it be critical that they should test that plan prior to an attack?

[00:05:04] Johnny Lee: Yeah, I think that's true because the plan is sort of a fig leaf, right?

It's a document that may or may not be worth anything. But the essence of this resilience phenomenon is really muscle memory. So without practice, you don't have it. And without it, you're going to suffer longer and worse than, than you would, if you were something that th- that you had run through the paces before.

And that could be as simple as a tabletop hypothetical, where you're simply talking about what you would do first and what you would do next and then after you're done with that hypothetical exercise, doing a post-mortem to examine where the breakdowns in communication or coverage or conflicting responsibilities or priorities or sequences were, or it could be something much closer to an actual simulated event where parts of the network are being taken offline to, to see how the organization actually responds in the event of a serious incident.

So it's all about that muscle memory and you can't do that by writing a document or reading a document. You have to exercise it.

[00:06:12] Lisa Frist: That's that's fantastic advice. Let's move on to question number two. So when a company does experience a cyber security incident or a data breach, how does your team kind of come in and help the company get back up and running in a short amount of time as possible?

Because as we all know, time is always of the essence. When these attacks occur.

[00:06:34] Johnny Lee: Indeed. And I think the essence here is really around a phenomenon that forensic geeks referred to as containment and eradication and the nouns sound exactly as they should. Right. The first thing we're trying to do is to triage the environment, to identify affected machines or servers or hosts or anything on the network, that's been compromised and to take them offline so that the threat doesn't propagate or get worse.

And then once we've done that containment, once we've stopped the thing from spreading, we start to sanitize everything within that ring fence, and we try to eradicate the threat. There's multiple layers of that, and we certainly don't have time to go into all of them, but they basically consists of scrubbing malicious code, looking for indicators of backdoors or other movement from a malicious actor, or at least an unauthorized.

And then once we've achieved that eradication, then we'd begin to slowly introduce the hosts that were compromised. And if we're doing all of that very efficiently, we're doing it in a way that also introduces a new kind of monitoring, right? A way to ensure that having brought a sanitized system back into its logical purpose so that it is not re compromised.

As, as good as we try to be in containment, it is an artful science. And so there is a real threat of not identifying and truly eradicating the multiple kinds of payloads that come in some of these attacks where you're, you're solving for two thirds of them. But the minute you bring the system back online that third of the three raises its head and starts to propagate and start the bad day all over again. So it really is a question of identifying machines that are compromised and, try and contain that threat as quickly as possible, allowing the network to persist without that threat, and then slowly cleaning the environment and introducing truly sanitized machines back into their, their logical purpose.

[00:08:39] Lisa Frist: Yeah, thanks for that. I know that that all happens in, in such a short amount of time, and there's so much kind of pressure in the situation when that happens. So that's, that's all great advice. Okay. Hot topic, number three, this is a big one that everybody's talking about. How are we seeing threat actors changing their behavior and evolving their tactics?

I know I've heard a lot of kind of buzzwords in the industry with ransomware 1.0 and ransomware 2.0. So talk to us kind of what you've seen from your end about the threat actors kind of having to come up with new strategies and come up with new ways to get into systems and then encrypt and deal data and potentially publish it.

[00:09:24] Johnny Lee: Yeah, it's a, it's a great way to frame the question because in the same way that I would encourage in response to the first question, I would encourage companies to think holistically about their risk appetite. All right. And the kind of expertise they bring from their in-house ranks and their outside specialists to think bigger about the problem.

That same perspective exists in the criminal underground as well. And it is important to appreciate. Your adversary. These are not stupid people. They're dishonest criminals, but they're not stupid. And they evolve. And I think that's the key takeaway. So the evolution, just in the microcosm of ransomware, has moved from, you know, just locking up your systems to ruin your day to in version two dot O, if you will, to exfiltrating data.

And then if you're able through viable backups to bounce back from encrypted system. There's a second leverage point they can apply, which is doxing you publishing your data for, for embarrassment sake or perhaps creating regulatory problems for you or litigation exposure for you or both. And there's, there's even been a third wave, right?

They will also reach into those data and start contacting the individuals that are affected by those data to encourage them to call you as the compromised company to pay the ransom or their personal data gets published. And there's even another iteration that we've seen with denial of service attack. So the, the takeaway here isn't that there's a lot of bad news.

I think that's sort of self-evident it's that if you can't secure these data, there's always going to be another wave of ways to leverage it. And criminals are perhaps sophisticated in one sense, right? The markets evolve based on the efficacy of these tactics. But they're also pretty lazy. Right? Many times we're working on incidents where they don't even know the industry of the company that they've compromised.

So they don't have any concept because they haven't looked at the data they've stolen. They just presume it's of value to you as an ongoing concern. And so if you refuse to pay the ransom or you take too long to negotiate a ransom, they may begin to look inside those things. And that is really crucial. So part of that containment and eradication lifecycle is, is looking at once we've solved for the threat as an ongoing problem, do we know what left the building and do we care about what left the building? And so very often companies are looking at that in, in that sort of same tactic, right? The-, these markets evolve, these tactics will always be sort of nefarious and, and iterative. But if you can quickly get to that containment and that exfiltration question, you may be able to bounce back without any interaction with the bad actor much less payment of a ransom.

And I think that's really hard to do because it presupposes a lot of hygiene about where your systems are and what your housing on those systems. And a lot of organizations struggle with that for good reason. It's very challenging work.

[00:12:32] Lisa Frist: Yeah, I, I totally agree. And I think it transitions into our hot topic, number four, which, you know, at McGriff in the large ransomware attacks that I've seen personally. There's nothing that's going to get the CEO, the C-suite, the management committee attention more than a, than a ransomware attack or a cyber attack. So question number four is we know that an attack by a threat actor can cause a lot of anxiety and panic within the organization and what are some of the most common common mistakes that companies make in the middle of a crisis when there's so many moving parts and so many different pieces of the company, whether it's legal, the C-suite, everybody is trying to figure out what to do?

[00:13:20] Johnny Lee: Well, I, I think this circles back nicely to the, the dialogue we had about the first question too, which is sort of on the best practice side.

This is the antonym of that, right. The thing that I see as most damaging is not having any muscle memory about how to do this. And so not having a plan, not having clearly delineated roles, not making it clear if there is to be a public disclosure, who makes that disclosure on behalf of the company or from what script that person reads and who writes that script and who blesses that script and those, those segregation of duties are very, they can be very thoughtfully considered and committed to paper and a plan. But if they're not exercised, you tend to do things out of sequence and you basically create liabilities where they could have been rather well-managed PR gambit. So I would say that's the principle mistake that people make is that they either don't have a plan that they've exercised or they don't follow the plan they've written down.

That's probably the Cardinal sin in this area. And the reason for that is just a very human element, right? Nothing accentuates personalities like a crisis. So if you're going to have an executive step up and, and take ownership of something, it sure would be nice if she or he were the one that's most informed or the most logical person that can balance the risk considerations that are going on.

And is informed by counsel by the forensic efforts, by the carrier and the other exposures that they may be facing downstream. And so there's a real difference between sort of going into these things as privacy exercises, where you're just worried about the sort of proforma contacts to states' attorney generals and, and, and disclosure notices and things like that, as opposed to a more holistic, legal risk analysis, where you're looking at how the regulators might hook up to this or whether there is a litigation exposure here as well, and those things can come with practice, but if they haven't been practiced, they very rarely get done on the fly in a, you know, in a suitable fashion. They, they create more risks than they solve for. That's the biggest thing I've seen.

[00:15:39] Lisa Frist: That's great. I completely agree with all of that advice and things that I'm kind of testing things out beforehand is, is definitely, you know, best practice question number five.

Our last question, you have worked on a great deal of cyber claims, including ransomware claims. What are some of your biggest lessons learned that other companies may be able to kind of benefit from as far as lessons?

[00:16:06] Johnny Lee: Yeah. So I I'd say all of the answers sort of fall under the general, excuse me. Uh, under the general rubric of preparedness, right?

I would say that it's as a forensic investigator, it never ceases to amaze me how my client's decisions that are made in the normal course of running their business can either enhance my ability to be effective or completely hamstring it. So a great, just minor example of that is if you're a log retention, period is only 90 days, but the average dwell time of a bad actor is six months by logical extension you've hindered my ability to tell you how long this has been going on in your environment and what damage may have done and where it's spread and what left the building, because we're looking at different chronology and there's an analog there to the other aspects of, of that preparedness comment that we had starting with your first question which is, okay, well, which systems are on the network? We've walked into environments where we've had to do asset inventories on the fly during an investigation. That is a really poor practice. I don't want to do that because we don't have the luxury of the time needed to enumerate systems when we should be isolating known systems and testing for known systems that are of high concern, as opposed to treating some print server with the same priority as the server containing the crown jewels or the active directory server. So asset inventory, is part of preparedness, you know, good IT hygiene matters here. Other lessons learned really include similar preparedness motifs. Right. Have you worked with the law firm that you've brought in?

Do they know you organizationally, personally? Do they know your environment? Do they know what you do for a living? The same thing applies to your forensic providers. Have you ever met them before the flare was in the air? Have you cleared this with your insurance company? Have you vetted that they're not going to have an allergic reaction to the law firm or the PR firm or the forensics firm in the mix?

Those are all things that can be sussed out before the bad day, but they're really important lessons learned because precious time gets wasted on conference calls that have nothing to do with containment or eradication or exfiltration in those early days. And you're taking really scarce resources to have those conversations when you should be fighting a fire.

So I think all of those sorts of preparedness things really come back to me as the biggest lessons learned.

[00:18:42] Lisa Frist: That is fantastic advice and we should all, all follow that advice. And, you know, just being prepared I think is, is the most critical thing that companies can do. Thank you, Johnny so much. Johnny Lee of Grant Thornton.

Thank you everybody for listening to today's episode. I want to remind everybody to tune in for our next installment of Decoding Cyber Risks. And thank you again from Johnny Lee and myself. And that's it.

[00:19:24] Narrator: Hi, everyone. Thanks again for joining us for another episode of Decoding Cyber Risks. Before we go, our legal team wants to remind you that this podcast provides general information and does not constitute legal advice. McGriff its representatives and affiliates do not offer legal advice. Please consult your legal professional regarding your specific situation.

Thank you.