A CISO Guide to Cyber Resilience - Debra Baker - E-Book


Debra Baker

Description

The rising number of cybersecurity attacks is a top concern for organizations across the globe. Amid the ever-evolving cybersecurity landscape, CISOs play a crucial role in fortifying organizational defenses and safeguarding sensitive data. Written by the CEO of TrustedCISO, with 30+ years of experience, A CISO Guide to Cyber Resilience will take you through some of the latest and most significant large-scale cyber-attacks and guide you on how to make your network cyber-resilient so your company can quickly recover from any attack.
You’ll begin with an in-depth analysis of a ransomware attack targeting a fictional company, BigCo, understanding its impact and response strategies, and then delve into fundamental security policies and controls. As you progress, you’ll find that every chapter provides actionable skills and insights suitable for various levels of expertise, from basic to intermediate. Toward the end, you’ll explore advanced concepts such as zero-trust, managed detection and response, security baselines, data and asset classification, and the integration of artificial intelligence and cybersecurity.
By the end of this book, you’ll be equipped with the knowledge and skills necessary to build, manage, and improve a resilient cybersecurity program, ensuring your organization remains protected against evolving threats.

Page count: 351




A CISO Guide to Cyber Resilience

A how-to guide for every CISO to build a resilient security program

Debra Baker

A CISO Guide to Cyber Resilience

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Pavan Ramchandani

Publishing Product Manager: Prachi Sawant

Book Project Manager: Ashwin Kharwa

Senior Editor: Divya Vijayan

Technical Editor: Arjun Varma

Copy Editor: Safis Editing

Proofreader: Divya Vijayan

Indexer: Tejal Daruwale Soni

Production Designer: Prafulla Nikalje

Senior DevRel Marketing Executive: Linda Pearlson

DevRel Marketing Coordinator: Marylou De Mello

First published: April 2024

Production reference: 1050424

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB, UK.

ISBN 978-1-83546-692-6

www.packtpub.com

To my parents, who always kept me on the right path and taught me the value of hard work and ethics. To my husband, Bill – I would not have been able to write this book without his love and support. To my children, who are always cheering me on.

– Debra Baker

Foreword

While CEO of RedSeal, Inc. in San Jose, California, I had the privilege of working with Debra Baker. RedSeal, a cyber security analytics company, had a robust business assessing the network risks of enterprises. Our many customers included large Fortune 500 companies as well as many US Government civilian agencies, branches of the armed services, and the IC. During this time, in the late 201X’s, ransomware evolved to be the #1 attack on companies. It seems the bad guys had indeed found where the money was, and that was in ransoming data. Debra came to RedSeal with a mission in mind, and that mission was to secure the nation.

Debra has a wealth of knowledge, practical real-world experience, much hearty advice, and most importantly, a great way of communicating all that to me, to RedSeal, and to our customers. She rocks when it comes to certifications, of which there are too many to list. She was a sought-after expert in the RedSeal world. Ultimately, Debra was selected as one of the 10 Most Eminent Women Leaders in Security (2021), successfully completed several management programs with an emphasis on cybersecurity, and was eventually named among the “Top 100 Women in Cybersecurity.” She, simply put, is one to be reckoned with if you are a cyber bad guy.

Cyber is ever-changing. Attacks are increasing in number and complexity. Their success rate is enough to still make the news. And the skills required to defend an organization remain scarce. To be able to discuss, understand, and ask the right questions in order to trust your cyber team and leadership is essential. Debra brings all that home in a way we all can understand. So, it was no surprise when she reached out to me about her book, A CISO Guide to Cyber Resilience. It made perfect sense that she, of all people, should share her experiences with us all through the printed word. If I had to commission someone to write such a book, Debra would be my first call.

A CISO Guide to Cyber Resilience is both a strategy and a tactics knowledge set. A former CISO herself, she gets the power of a policy and the intricacies of implementing it. She lays out in plain management English how to think about the data in your organization and how to protect it. She talks clearly about unencrypted data, phishing, malware, third-party vendor compromise, software vulnerabilities, unintended misconfigurations, and the many other things that contribute to an organization’s vulnerability.

Cyber vulnerability is here to stay. Therefore, Debra’s book, A CISO Guide to Cyber Resilience, is an invaluable resource for you, tattered corners and all. I highly recommend it to all managers of any organization.

Ray Rothrock
Former CEO, RedSeal
Author, Digital Resilience (2018)
Feb 7, 2024

Contributors

About the author

Debra Baker is a cybersecurity expert with over 30 years of experience. She began her career in the U.S. Air Force and has worked at IBM, Cisco, and Entrust DataCard. As President of TrustedCISO, she specializes in strategic cybersecurity, risk management, and compliance advisory services, helping clients navigate complex frameworks such as NIST, SOC2, ISO27001, FedRAMP, and StateRAMP. A CISSP and CCSP holder, Debra has a provisional patent for an AI-driven vendor assessment tool and founded Crypto Done Right. She’s recognized as one of the top 100 Women in Cybersecurity.

About the reviewer

Jean-Luc Dupont is a seasoned Chief Information Security Officer with a proven track record in strengthening global corporations, especially in highly regulated industries. With over 25 years of experience in cybersecurity, he has served as a CISO for companies such as Kestra, American Credit Acceptance, IDEMIA, and Oberthur. He holds a Bachelor of Science in applied computing from Newcastle Polytechnic (UK) and a Master of Science from EPITA (France). His passion for cybersecurity extends beyond his professional duties to side projects such as Security Rabbits, a daily security digest, and his book Secur-What?! Learning Cybersecurity from Mistakes, Independently published.

Alex Bazay is the CISO of Align, a leading provider of cloud-based IT solutions for the financial industry. He oversees the security strategy, operations, and governance of the company's global network and data. Alex boasts over 25 years of experience in designing, implementing, and managing intricate IT infrastructures and security systems for hedge funds and asset managers, with multiple certifications in information systems auditing and security.

Alex excels in insider threat detection, network security, risk management, data center, and vulnerability management. He is passionate about protecting the integrity, confidentiality, and availability of his clients' data and assets and ensuring compliance with industry standards and regulations. Collaborating with a skilled and diverse team of security professionals, he partners with internal and external stakeholders to deliver innovative and effective solutions that address the evolving needs and challenges of the financial sector.

Table of Contents

Preface

Part 1: Attack on BigCo

Chapter 1: The Attack on BigCo

BigCo – the attack

BigCo – cross-team co-ordination

BigCo – recovery

BigCo – the anatomy of an attack

Summary

Part 2: Security Resilience: Getting the Basics Down

Chapter 2: Identity and Access Management

Two-factor authentication and why you need it

Something you know

Something you are

Something you have

Password complexity and NIST 800-63-3B

Application security

Password manager

Quick reference

Summary

Chapter 3: Security Policies

Where are your policies, and are they being used?

Compliance begins with laws and regulations

Nortel hack

Importance of due diligence

Summary

Chapter 4: Security and Risk Management

What is risk management?

Identifying risks

Risk assessment

Monitoring your controls

Key performance indicators (KPIs)

Quick reference

Summary

Chapter 5: Securing Your Endpoints

Antivirus/anti-malware

Virtual private network (VPN)

What is phishing?

Moving to remote work

LastPass hack

Testing your home firewall

Network access control (NAC) and Zero Trust

Application firewall

Mirai botnet

Securing your browser

Turning on your application firewall

Okta hack

Quick reference for endpoint security

Summary

Chapter 6: Data Safeguarding

Offline backups

Testing your backups

Cryptographic hashing

Availability in the cloud

Business continuity

Recovery time objective (RTO)

Recovery point objective (RPO)

Maximum tolerable downtime (MTD)

Succession planning

AWS DDOS attack

Disaster recovery

Redundancy in architecture

Disaster recovery roles and responsibilities

Testing disaster recovery

Summary

Chapter 7: Security Awareness Culture

Security awareness training is foundational

Security is everyone’s responsibility

Materiality assessment

Disclosure requirements

Governance and management

Third-party involvement

Security awareness training is mandatory and tracked

Chapter 8: Vulnerability Management

What are software vulnerabilities?

Common Vulnerabilities and Exposures

What is the NIST definition of software vulnerabilities?

CVSS

Common Weakness Enumeration

Known Exploited Vulnerabilities

CVE, CWE, and KEV

What we’re up against

Prioritizing your remediations

CISA’s KEV Catalog

CVSS metric – Attack Vector

CVSS metric – Attack Complexity

CVSS metric – Privileges Required

CVE priority

Starting with vulnerability scans

Making it fun

In the cloud

Securing your code

IaC

SAST

DAST

IAST

Software composition analysis

OWASP

Summary

Chapter 9: Asset Inventory

Asset inventory

Identifying your assets

What is the NIST definition of asset inventory?

Automating your asset inventory

Change management

NIST security-focused change management

Phase 1 – Planning

Phase 2 – Identifying and implementing configurations

Phase 3 – Controlling configuration changes

Phase 4 – Monitoring

Mobile device management (MDM)

Knowing your network

Quick reference for asset management

Summary

Chapter 10: Data Protection

Encrypt your data!

Introduction to encryption

History of encryption

Encryption basics

Encrypted data means there is no breach!

What is PII? It depends…

NIST’s definition of PII

Third-party risk management

SolarWinds attack

Vendor management policy

Vendor management contract clauses

Critical vendors

Train your staff

Vendor risk rating

Data loss protection

Insider threats – the hidden danger

Quick reference for data protection

Summary

Part 3: Security Resilience: Taking Your Security Program to the Next Level

Chapter 11: Taking Your Endpoint Security to the Next Level

Endpoint detection and response (EDR) – Focusing on the “R”

Managed detection and response (MDR)

Extended detection and response (XDR)

SOAR

Cloud security posture management (CSPM)/Cloud-native application protection program (CNAPP)

What is CSPM/CNAPP?

Zero trust vs. software-defined perimeter

How a typical TLS session works

What is mutual authentication?

DNS protection

What do DNS protections provide?

Quick reference for zero trust

Summary

Chapter 12: Secure Configuration Baseline

Security baseline

What compliance does your company have to meet?

System and Organizational Controls (SOC) 2

International Standard Organization (ISO) 27001

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP)

Cybersecurity Maturity Model Certification (CMMC)

NIST 800-171 vs. CMMC

SOC 1

Sarbanes-Oxley Act (SOX)

Payment Card Industry Data Security Standard (PCI-DSS)

Health Insurance Portability and Accountability Act (HIPAA)

Health Information Technology for Economic and Clinical Health (HITECH)

HITRUST

NIST 800-53 – One framework to rule them all

Creating your security baseline

Quick reference for creating a security baseline

Summary

Chapter 13: Classify Your Data and Assets

Start with your data

Shared Responsibility Model

Classifying your assets

Monitoring

Subnetting

Segmentation

Sony hack

Quick reference for securing critical assets

Summary

Chapter 14: Cyber Resilience in the Age of Artificial Intelligence (AI)

ChatGPT

Securing ChatGPT

What can go wrong with ChatGPT?

Artificial intelligence (AI)

Machine learning (ML)

Natural language processing (NLP)

Deep learning (DL)

Generative AI (Gen AI)

What is responsible AI?

EU AI Act

Secure AI framework (SAIF)

AI and cybersecurity – The good, the bad, and the ugly

The good

The bad

The ugly

AI bias

Systematic bias

Statistical bias

Human bias

NIST AI RMF

Summary

Index

Other Books You May Enjoy

Preface

Greetings, fellow cybersecurity enthusiasts! Welcome to the world of cyber resilience, where the goal is to build a security program that enables your organization to not only withstand cyber-attacks but also to recover swiftly. As the United States Department of Homeland Security aptly defines it, cyber resiliency is the “ability to resist, absorb, recover from or successfully adapt to adversity or a change in conditions.”1 It’s not just a process; it’s an ultimate state of readiness. An organization achieves resilience when it can bounce back from any disruption, be it a ransomware attack or any other cyber threat, without major disruptions.

1 (Schwien and Jamison)

In today’s landscape, cyber-attacks are becoming increasingly sophisticated and prevalent. In the book Big Breaches2, it is highlighted that the root causes of nearly every data breach can be traced to six key factors:

2 (Daswani, 15)

Unencrypted data

Phishing attacks

Malware

Third-party vendor compromise

Software vulnerabilities

Unintended misconfigurations

In this book, we will explore practical safeguards that you can implement immediately to defend against these root causes of data breaches. These safeguards will not only enhance your information security program but also make it cyber-resilient, ready to face the latest threats. We’ll delve into some of the most significant cyber-attacks in recent history and discuss what could have been done to prevent or mitigate their impact. Most importantly, this book will guide you on how to transform your network into a cyber-resilient fortress, ensuring your organization’s ability to recover swiftly from any cyber-attack.

This book takes you on a journey, partly fictional, where you’ll witness a catastrophic cyber attack on BigCo and see how Megan, the Chief Information Security Officer (CISO), responds decisively. Megan’s actions will stop the attack, initiate responses, and put measures in place to prevent future attacks. As the saying goes, it’s not a matter of if your company will be cyber-attacked, but when. Chapters 1 to 10 will provide you with foundational tools to prepare for and respond to cyber-attacks. Chapters 11 to 14 will elevate your company’s IT security program to the next level of cyber resilience. You’ll find step-by-step guidance on implementing the necessary safeguards in your security program, whether your organization is small, medium, or large. Each chapter focuses on a specific safeguard, and the good news is that the steps you’ll learn here not only form the foundation of cyber defense but also assist your organization in meeting various compliance frameworks, standards, and laws while becoming cyber-resilient.

Who this book is for

This book is for CISOs, directors of information security, aspiring CISOs, and cybersecurity professionals at all levels who want to learn how to build a resilient security program. Cybersecurity professionals will uncover valuable insights for enhancing their strategic and operational roles. This book is crafted to serve the following key personas in the cybersecurity field:

Cybersecurity leaders and CISOs: As a leader in cybersecurity, you are continuously navigating the evolving threat landscape. You have to balance organizational needs with the budget while defending from the latest threats. This book provides strategies to elevate your leadership by developing and implementing a comprehensive cyber-resilient information security program.

Cybersecurity practitioners: Whether you are delving into the cybersecurity arena or looking to deepen your existing expertise, this guide offers a wealth of practical knowledge. From important safeguards to effective risk management techniques, you will gain skills to understand a more holistic view of cybersecurity as well as fortify your role and progress in your career trajectory.

IT professionals and support staff: Often the first line of defense in an organization, your role is crucial in maintaining cyber hygiene and resilience. This book equips you with an understanding of common and emerging threats, as well as best practices in response and recovery procedures. Enhance your capabilities in supporting cybersecurity initiatives and excel in roles focused on maintaining organizational cybersecurity.

Each chapter of the CISO Guide to Cyber Resilience includes real-world examples, actionable recommendations, and distilled wisdom from my extensive experience in the field. This book is more than a guide; it’s a companion in your journey toward mastering cyber resilience.

What this book covers

Chapter 1, The Attack on BigCo, explains a ransomware attack on a fictional company, what worked to limit the damage, and how they recovered. It explains what ransomware is, how it can bring down a network, and how to recover.

Chapter 2, Identity and Access Management, explains that 99.99% of account attacks can be prevented by using two-factor authentication (2FA). It also includes a discussion on methods to use for 2FA and password managers, as well as how NIST 160-3 can be successfully utilized.

Chapter 3, Security Policies, explains that security policies are foundational to guide your organization’s security program. It covers how your security policies meet laws and regulations, and the importance of due diligence.

Chapter 4, Security and Risk Management, explains that security and risk management is the process of balancing cyber risks, the controls to thwart attacks, and the budget. Business is about making money. Security and risk management is the process of choosing the controls that work for your company’s budget. Your company can’t be 100% secure, nor can there be 0% risk. Security is a balance of what is most important, what can wait, and what risks are acceptable to your business.

Chapter 5, Secure Your Endpoints, talks about securing your endpoints. At a very basic level, you need an antivirus. Endpoint security has evolved. For getting the basics down, we’ll talk about antivirus and anti-malware. In addition, we will discuss testing your home firewall to ensure it is configured properly.

Chapter 6, Data Safeguarding, explains that good backups are critical. More importantly, ensuring offline backups is paramount to secure your company’s data. We will be discussing the importance of testing backups, leveraging the cloud, and business continuity.

Chapter 7, Security Awareness Culture, explains the importance of developing a security awareness culture. No matter what tools and security controls you have deployed, you still need security awareness training for everyone in your company.

Chapter 8, Vulnerability Management, explains the importance of vulnerability scanning and patching security vulnerabilities. If you stay up to date with the latest threats, you will understand that it’s not easy to keep up with patching all those thousands of vulnerabilities. We’ll be discussing practical strategies to prioritize vulnerability patching, as well as ensuring your source code is secure.

Chapter 9, Asset Inventory, explains the importance of creating an asset inventory. To know what to protect, you have to understand what assets you have, whether they are software, hardware, or ephemeral. An asset inventory is foundational in a cyber-resilient organization. We’ll also discuss mobile device management and knowing your network.

Chapter 10, Data Protection, explains the importance of encrypting your company’s data, whether in transit or at rest. The reason is that if an attacker can gain access to your network or even steal an employee’s laptop, if the data is encrypted, then the data is protected. The most amazing part is that there is no breach if the data stolen is encrypted.

Chapter 11, Taking Your Endpoint Security to the Next Level, explains the importance of moving past the basics and into more advanced safeguards. The latest antivirus is called Endpoint Detection and Response (EDR). It takes the traditional antivirus to the next level. Some even include 24/7 helpdesk support, also known as Managed Detection Response (MDR). We’ll also demystify Extended Detection Response (XDR), Cloud Security Posture Management (CSPM), and the Cloud Native Application Protection Program (CNAPP).

Chapter 12, Secure Configuration Baseline, explains the importance of creating a security baseline. Essentially, this is a configuration that is applied across devices, hosts, and the cloud. For the commercial space, the Center for Internet Security (CIS) is typically used, whereas for the federal government, it’s STIGS.

Chapter 13, Classify Your Data and Assets, explains the importance of classifying your data and assets. A fully developed, mature, advanced information security program has an asset inventory and has classified those specific assets with sensitive data as critical.

Chapter 14, Cyber Resilience in the Age of Artificial Intelligence (AI), explains the importance of cyber resilience in the age of AI. With the rush to use and deploy AI, there are new cybersecurity concerns such as data leakage, use of AI by hackers, and bias in AI. This chapter will discuss responsible AI and measures to take to ensure your company deploys AI in a safe manner.

To get the most out of this book

It is good to have a basic understanding of information security and the cloud before reading this book. I will explain each concept and each chapter builds on the previous, providing a roadmap of how to build a resilient cybersecurity program.

Download templates and the roadmap to cyber resilience

You can download the following templates and my roadmap to cyber resilience from my TrustedCISO website (https://trustedciso.com/e-landing-page/ciso-guide-to-cyber-resilience/):

CISO Guide to Cyber Resilience

Software evaluation template

Encryption template

Conventions used

There are a number of text conventions used throughout this book.

Bold: Indicates an important word, command, topic, or title. For example, words that need to be taken into consideration, such as in this example: “>nslookup google.com”

Italics: Emphasizes an important word or topic. An example is “This is a big caution. I can’t recommend not using a complex password.”

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, select your book, click on the Errata Submission Form link, and enter the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packtpub.com.


Part 1: Attack on BigCo

In this part, you will follow a fictional company called BigCo as it undergoes a ransomware attack. You’ll get to see firsthand how Megan, BigCo’s CISO, leads the company through the attack and how it recovers. You’ll learn how to limit the damage caused by these kinds of attacks, mastering what ransomware is and how it can take down a network. Most importantly, you’ll see how to prepare for and recover from a ransomware attack.

This section contains the following chapter:

Chapter 1, The Attack on BigCo

Chapter 1: The Attack on BigCo

This chapter is fictional and is based on a horrendous cyber-attack on BigCo and how Megan, the Chief Information Security Officer (CISO), responds. Megan will decisively stop the attack, respond to it, and put measures in place that will help prevent another one. As the saying goes, it’s not if your company will be cyber-attacked; it’s when. By the end of this chapter, you will understand how the hackers gained access to BigCo’s network, how the ransomware was deployed, and the measures that were taken in order to make the network resilient.

In this chapter, we’re going to cover the following main topics:

BigCo – the attack

BigCo – cross-team co-ordination

BigCo – recovery

BigCo – the anatomy of a ransomware attack

BigCo – the attack

Megan, the Chief Information Security Officer (CISO) of a multi-national corporation, gets the call at 3:00 AM about major sections of her company BigCo’s network being down. The CISO is responsible for the cybersecurity of the company, ensuring that compliance, risk management, and sufficient defenses are in place. It is the highest-level position in cybersecurity. It can be at the Director level, Vice President level, or directly under the CEO, depending on the importance of cybersecurity within an organization. Megan is a Director of Information Security at BigCo with the title of CISO, and she reports to the Chief Information Officer (CIO). Typically, the CIO oversees both the information technology and information security departments. In this case, Megan reports to the CIO, Mark.

Megan knows that getting a call at 3:00 AM means this outage must be bad, because she typically wouldn’t be called in the middle of the night for a typical network outage. First, she quietly gets up so as not to wake her partner. She goes to her home office and calls Mark, the CIO of BigCo. Megan says, “Mark, hi. What happened?” Mark replies, “Well, from what we can tell, it wasn’t a bogus email link like last time. The new security awareness program you introduced is working, as well as the email phishing campaign and email filtering tool we deployed. Honestly, we aren’t exactly sure how the attackers got in yet. Headquarters and three of five major data centers are down. Our human resources data and much of our critical personally identifiable information (PII) data, which includes sensitive details such as names, addresses, and social security numbers of both employees and customers, have been encrypted.”

Megan replies with, “Ugh.” She takes a deep breath in for 1, 2, 3, holds for 3, and then breathes out for 1, 2, 3, 4, and 5. She says, “Okay, it sounds like a ransomware attack. Well, we have good backups, right? What have we lost, 6 hours or…” Mark interrupts, “Well, some of the backup servers were encrypted also. We have them set up as online backups, and the problem with this ransomware is that it encrypts all attached USB drives and mapped drives.” Megan replies, “Sh**. We must immediately isolate the subnets affected so that the ransomware is unable to propagate through the network. Also, unplug any affected devices so they can’t propagate to unaffected devices. It can take hours for ransomware to propagate, so we may be able to halt some of the damage. Quick! Call the IT department director and let them know.” Mark replies, “Sure, I’m on it.” Megan replies, “Okay.”

Megan says, “Let’s call an emergency meeting with all of the department heads from InfoSec, IT, and SecOps first thing in the morning so we can get aligned. We need to know where we are and what steps to take next. Oh man, I wish we had gotten the endpoint detection and response (EDR) deployment completed.” Mark replies, “Actually, we were alerted by some hosts where the new EDR had been deployed. Yeah, the subnets where it was deployed were not affected.” Megan replies, “Well, that’s some good news, I guess. It also shows due diligence; we were working on the deployment. Oh, and we just signed a cyber-insurance policy.” She lets out a deep breath. Mark replies, “Yes!” Megan continues, “We’ll probably be hearing from the attackers soon. Some more advanced ransomware attackers will steal your data prior to launching the attack to ensure a payout.” Mark replies, “What? Really? This is not what we need right now. Now we are looking at potential lawsuits and fines.” Megan replies, “Yep! Let’s get Legal involved and activate our incident response retainer. We’ll also need to co-ordinate with our insurance company to check on our cyber insurance coverage.” Mark replies, “I’m on it.”

BigCo – cross-team co-ordination

Mark begins, “Thanks to all the leaders from the networking, infosec, and security ops teams for being able to make it to this meeting. You’ve probably already heard that BigCo is the victim of a ransomware attack. Currently, headquarters and three of the five major data centers are down. Our human resources data and much of our critical PII data for both employees and customers have been encrypted. We do have mostly good backups and, of course, we have backups at our disaster recovery site in case any online backups have been encrypted. There were also some online backups that were encrypted. To prevent this from happening, backups need to be offline or done intermittently, since online mapped drives will also be encrypted by ransomware. Whether it is a USB drive or a cloud drive, any online connected drive will be encrypted by ransomware.” Megan says, “I’m glad we invested in that disaster recovery as a service last year.” Mark continues, “The network teams have been shutting down routers so that infected workstations can’t self-propagate the ransomware to other subnets. The teams responsible for maintaining the hosts and servers have been working through the night trying to either turn off infected hosts and servers or begin restoring from backup.” The Network Manager, Dave Brown, asks, “With COVID-19, most of our employees are working from home, so how have they been affected?” Mark replies, “Luckily, because they are on separate subnets on their home networks, they have been largely unaffected. The way they have been affected is that a server they might be trying to access may be down. A few remote employees’ computers were infected when they tried to go to a shared resource using NetBIOS, which had been infected. The other good news is that since we are running Office 365 in the Azure cloud, email and other documents stored in Azure are unaffected. Kudos to Megan for getting the endpoint protection software deployed. We were mid-deployment, but the good news is that where we had deployed it, these hosts and servers were protected. We discovered the ransomware infection from an alert from one of these EDR-protected endpoints.”

Megan begins, “I received a call from a ransomware group that wants us to pay a USD 10 million ransom in Bitcoin. This is typical for ransomware gangs now. They will steal your PII data before they launch the ransomware attack. By doing this, they ensure that the ransom is paid even if you have good backups. I have contacted the FBI to help us to deal with this situation. I’m also talking to a company that specializes in incident response and am negotiating with ransomware groups. In general, law enforcement does not want us to pay the ransom. But, in some circumstances, it makes sense. In many cases the ransom can be negotiated down to a lower price. I remember with the Colonial Pipeline ransomware attack a few years ago, the FBI was able to hack and get the ransom that was paid back from the ransomware gang. We are definitely following law enforcement’s lead regarding the next steps and we are dealing with the ransomware gang. Now, since we have good offline backups, we’ll continue to restore the hosts and servers from backup. The ransomware gang is threatening to dump the stolen PII data onto the dark web. This will cause not only privacy and security concerns for our employees and customers but will be damaging for BigCo’s reputation. This is another reason we brought in the FBI and are talking to a specialized incident response firm experienced in dealing with ransom attacks and these gangs. Although law enforcement, in general, advises not to pay the ransom, sometimes it makes sense. The reason is that it ensures the safety and security of our customer and employee data.” Nate, the Director of IT, interjects, “But what if they don’t have our PII data? What if they are bluffing?” Megan responds, “Yes, you are correct; there is a chance that they did not steal our PII data. We should be able to ask for proof that they have the data. We can ask for a sample of the data they claim they have. Let us see how the FBI wants us to respond. Now, the downside is, if you pay the ransom, there is a tendency for these ransomware groups to come back and hit the same company.” Nate interjects, “You mean the ransomware gangs hit the same company multiple times to get the ransomware payment?” Megan replies, “Yes, the same company will get attacked by the same ransomware gang multiple times. I have a meeting set up with the FBI and the incident response firm right after this meeting. Unless you have something urgent where you can’t attend this afternoon’s call, please be available. Of course, responding to this ransomware attack and dealing with the ransomware gang is everyone’s highest priority.”

Figure 1.1 illustrates the more sophisticated ransomware attack, where the attackers gain access to the corporate network and maneuver their way around it to find high-value data, such as the human resources PII held on every employee. Hackers are typically looking for databases containing source code, intellectual property, and PII data: essentially, any data that your company would pay to get back and would not want sold on the dark web.

Figure 1.1 – Ransomware attack

Step 1 shows how most hackers gain access to a corporate network: email phishing, RDP, or SMB. Phishing is where an attacker crafts an email with either malware attached or a link to a server that will download malware. Remote Desktop Protocol (RDP) is commonly used to remotely access another desktop; it uses TCP port 3389. When you configure it, require two-factor authentication (an X.509 certificate, Microsoft Authenticator, or Google Authenticator) along with a complex 14-character password. Keep RDP disabled by default and enable it only for specific users as needed. Moreover, privileged accounts should never be able to RDP directly to a server; they should go through a jump station. Ideally, require VPN access so that RDP is never reachable directly from the internet. Server Message Block (SMB) is used to access shared resources such as printers, files, and serial ports on the network. SMB (ports 139 and 445) should be secured by the following:

- Blocking ports 139 and 445 on perimeter firewalls
- Using a VPN
- Implementing filtered VLANs to isolate internal network traffic
- Using MAC address filtering

Steps 2 and 3 illustrate that the hackers have found the sensitive data they want to steal (Step 2) and have exfiltrated it offsite (Step 3).

Step 4 illustrates the deployment of ransomware onto the network.

Step 5 shows the ransomware self-propagating over RDP and SMB, infecting other computers on the network.
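The two phases of this chain that are loudest on the wire are Step 3 (a large outbound transfer to a server the attacker controls) and Step 5 (one host reaching many internal neighbours over SMB and RDP within seconds). The following Python is an added example of a defender-side check over connection logs; it is not code from the book or from BigCo. The log format (timestamp, source, destination, destination port, bytes sent), the corporate address range 10.0.0.0/8, the sample records, and the thresholds are all constructed assumptions that a real deployment would replace with its own netflow or firewall export and tuned values.

```python
"""Added example: flagging Step 3 exfiltration and Step 5 RDP/SMB self-propagation
in connection logs. Log format, ranges and thresholds are assumptions, not from the book."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed corporate address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Ports the chapter names as the self-propagation paths: SMB (139, 445) and RDP (3389).
PROPAGATION_PORTS = {139, 445, 3389}

# Constructed sample log: "timestamp src_ip dst_ip dst_port bytes_out".
# 10.10.5.23 touches eight neighbours over 445/3389 in 15 seconds (worm-like fan-out);
# 10.10.8.50 earlier pushed ~3.5 GB to an outside address (exfiltration before deployment).
SAMPLE_LOG = """\
2024-03-01T01:15:00 10.10.8.50 203.0.113.77 443 3500000000
2024-03-01T02:00:05 10.10.5.23 10.10.5.40 445 4200
2024-03-01T02:00:07 10.10.5.23 10.10.5.41 445 4100
2024-03-01T02:00:09 10.10.5.23 10.10.5.42 3389 3900
2024-03-01T02:00:12 10.10.5.23 10.10.5.43 445 4300
2024-03-01T02:00:14 10.10.5.23 10.10.5.44 445 4000
2024-03-01T02:00:16 10.10.5.23 10.10.6.10 3389 3800
2024-03-01T02:00:18 10.10.5.23 10.10.6.11 445 4050
2024-03-01T02:00:20 10.10.5.23 10.10.6.12 445 4100
2024-03-01T09:30:00 10.10.8.50 10.10.9.2 445 12000
2024-03-01T09:31:00 10.10.8.51 10.10.9.2 445 9000
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse the assumed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        })
    return events


def detect_propagation(events, window_seconds=60, min_targets=5):
    """Step 5: one source reaching >= min_targets distinct internal hosts over
    SMB/RDP inside a sliding window. Normal file-server use is one or two hosts."""
    by_src = defaultdict(list)
    for e in events:
        if e["port"] in PROPAGATION_PORTS and is_internal(e["dst"]):
            by_src[e["src"]].append(e)
    window = timedelta(seconds=window_seconds)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            targets = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(targets) >= min_targets:
                findings.append({"src": str(src), "targets": len(targets),
                                 "first_seen": start["ts"].isoformat()})
                break  # one alert per source is enough
    return findings


def detect_exfiltration(events, min_bytes=1 << 30):
    """Step 3: total bytes from an internal host to a single external address
    above min_bytes (assumed 1 GiB) across the log window."""
    totals = defaultdict(int)
    for e in events:
        if is_internal(e["src"]) and not is_internal(e["dst"]):
            totals[(e["src"], e["dst"])] += e["bytes"]
    return [{"src": str(s), "dst": str(d), "bytes": b}
            for (s, d), b in totals.items() if b >= min_bytes]


def analyse(text):
    events = parse_log(text)
    return {"propagation": detect_propagation(events),
            "exfiltration": detect_exfiltration(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

On the constructed sample this reports one propagation alert (10.10.5.23, eight targets) and one exfiltration alert (10.10.8.50 to 203.0.113.77). The fan-out rule is the one worth wiring into the SIEM the chapter mentions: it fires while the ransomware is still spreading, which is exactly the window in which isolating subnets and pulling routers, as BigCo did, still limits the damage.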

Megan begins the meeting by introducing FBI Agent Smith. Megan says, “Thank you everyone for making this meeting. Agent Smith is our assigned FBI Agent who is experienced in dealing with ransomware gangs and negotiations. Agent Smith, over to you.” Agent Smith replies, “Thank you Megan. I am so glad BigCo reached out to the FBI. Dealing with these international ransomware gangs is tricky. You need our help in this. There is a trend where the attackers will find an entry point into your network using insecure RDP, SMB, or email phishing attempts. Once the attackers gain access to your network, they will quietly traverse through it. I say quietly because if their movements on your network are not carried out in such a way, then your IDS, IPS, and SIEM will alert you that something is wrong. In doing this, the hacker will search for the PII data on your network. This can be human resources data or customer data. Typically, they are looking for databases that can be compromised. The more sensitive and important the exfiltrated data are, the more likely BigCo will pay the ransom to ensure that it is not leaked onto the dark web. Once the hackers find that database with the PII data, they will compromise it, gain administrator privileges, and then export the data. Again, very quietly, they will exfiltrate the data offsite to a server controlled by the hacker. Once they have secured copies of your data, they will deploy the ransomware. This way, even if you have good offline backups, you still must pay the ransom.” Agent Smith continues, “The ransomware gangs know that once the data are released on the dark web, it opens the company up to more fines such as the EU General Data Protection Regulation (GDPR). GDPR fines can go up to 4% of the company’s annual revenue, with a maximum of EUR 20 million, and these ransomware gangs know it. Also, we have to notify the EU about the breach within 72 hours. Recently we saw this with the CyrusOne breach, where the ransomware gang REvil posted on a dark web forum that they had gained access to the CyrusOne network and would sell their data to their competitors or post it on the dark web. The REvil gang even mentioned GDPR fines.”

Figure 1.2 – REvil dark web post on CyrusOne [1]

[1] Courtesy of BleepingComputer: https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/

Agent Smith continues, “Law enforcement recommends not to pay the ransom. In some situations, we will recommend the company pay the ransom to get the systems up quickly and avoid sensitive data from being released. You must understand that most companies only get 61% of their data decrypted even if they pay the ransom [2]. I worked on the Colonial Pipeline hack, and the FBI was fortunate enough to be able to recover USD 2.3 million of the bitcoin that was paid to the ransomware gang [3]. Do you remember that time in 2021 when there were long gas lines and it ended up being related to the Colonial Pipeline ransomware attack? It was all over the news. With the supply chain shortages, most people have heard of it. The breach was so bad that Colonial had to take the pipeline offline. The day Colonial realized their network had been breached, they paid the ransom, which was USD 4.4 million in bitcoin. The pipeline was offline for 6 days. The only bright side was that the FBI recovered 52% of the ransom.”

[2] The State of Ransomware 2022. Sophos, 27 Apr. 2022, https://assets.sophos.com/X24WTUEQ/at/4zpw59pnkpxxnhfhgj9bxgj9/sophos-state-of-ransomware-2022-wp.pdf?hss_channel=lis-d8nusYzng6.

[3] Kerner, Sean Michael. Colonial Pipeline Hack Explained: Everything You Need to Know. WhatIs.com, TechTarget, 26 Apr. 2022, www.techtarget.com/whatis/feature/Colonial-Pipeline-hack-explained-Everything-you-need-to-know.

Megan asks, “In BigCo’s case, what do you suggest? Should we pay the ransom?” Agent Smith responds, “In BigCo’s case, I think we should negotiate the ransom down. The original ransom was much higher for Colonial Pipeline, and we negotiated the ransom down considerably.” Megan replies, “Okay, sounds good. What are our next steps?” Agent Smith continues, “At this point, I’ll work with the ransomware incident response firm you are contracted with to begin negotiations with the REvil ransomware group. I’ll be in constant contact; well, as much as I can be from here on out. I’ll provide you with hourly updates as to our progress. Many times, it takes 12 hours to get a response from a ransomware gang. They want you to sweat and be ready to pay once they respond.”

BigCo – recovery

Later in the day, Megan gives Mark, the BigCo CIO, a call. Mark answers the phone. “Hello Megan, how are you?” Megan replies, “Hi, Mark. Well, I’m a lot better knowing that we finally got all the affected systems recovered or restored from backup.” Mark replies, “Yes, that was a tough few days, but we did it. Finally, the network is back up and operational. When the ransomware was propagating, we shut down the routers on the affected subnets so that the ransomware could not self-propagate.” Megan says, “I think we were very fortunate to have been able to recover 100% of our data between paying the ransom and our good backups.” Mark replies, “Yes, and the endpoint protection (EPP) software deployment has been escalated so that it will be rolled out to all datacenters and employee laptops by the end of the month.” Megan replies, “We’ve completed our proof of concept of a segmentation solution and are now focused on getting it installed, deployed, and up and running. We’ve co-ordinated with the network and security teams to work closely on the deployment.” Mark says, “Patching, operating system maintenance, and the segmentation of the network are critical to ensure ransomware can’t automatically propagate on the network. With a segmentation product, we can segment those subnets with critical assets as well as ones that have old machines and operating systems that can’t be patched. By segmenting the network, ransomware can’t propagate as easily. An unsegmented network is also called a flat network. On a flat network, the ransomware can easily self-propagate over RDP and SMB.”

Megan says, “Back to the Basics, as I like to say. We will review our network inventory to ensure any old operating systems, especially pre-Windows 10, have been upgraded to ensure that SMB 3.0 is in use. Making sure SMB 1.0 is disabled is imperative to ensure the self-propagation can’t occur.” Megan continues, “For the cloud, we are deploying a cloud-native application-protection program (CNAPP) that will map our cloud environment and monitor the configurations and workloads. In this way, we can stay in compliance on a continual basis. This will help us maintain PCI