Breaching the Boardroom
Breaching the Boardroom is a high-level podcast designed to explore the intersection of leadership, growth, and technology. Each episode brings industry leaders, experts, and innovators together for candid conversations on how to navigate the evolving tech landscape while driving business success. We’re on a mission to simplify complex topics like AI, cyber threats, and IT strategy, making them accessible and actionable for executives in mid-market businesses.
The Dark Web
Discover the hidden layers of the internet in this eye-opening episode of Breaching the Boardroom. We’re joined by expert speakers Nathan Borghardt, VP of Business Development at Lockton Affinity, John Spiehs, Head of Claims at Converge Insurance, and David Mauro, VP of Business Development at NetGain Technologies as they delve into the dark web and its impact on businesses.
🔍 What You'll Learn:
- What the dark web is and how it operates
- Emerging cybercrime trends and their implications
- Real-world case studies of cyberattacks and how businesses recovered
- Actionable tips to protect your business from cyber threats
Whether you’re a business leader, IT professional, or just curious about the shadowy side of the internet, this discussion offers valuable insights to strengthen your cybersecurity defenses.
Learn more about our services: netgainit.com
#Cybersecurity #DarkWeb #BusinessLeadership #TechPodcast #LocktonAffinity #ConvergeInsurance
🌟 Who Are We?
NetGain Technologies is a leading managed IT and security service provider with over 40 years of experience helping small to mid-sized businesses succeed. 💻✨ Specializing in IT management, cybersecurity, and strategic consulting, we empower businesses in healthcare, finance, manufacturing, and beyond to turn technology into a competitive advantage. 🚀
Welcome, everyone, and thank you for joining us for The Dark Web and Cybercrime Unmasked. We're excited to have you with us as we delve into the hidden layers of the internet and examine the realities of cybercrime. By the end of this session, our goal is for you to leave with a deeper understanding of the risks and actionable steps to strengthen your defenses. For those of you who aren't familiar with NetGain Technologies, I'll give a brief introduction. We've been a trusted partner for businesses looking to make IT a strategic advantage for 40 years. As a SOC 2 Type 2 certified managed security services provider, NetGain offers local around-the-clock support and a dedicated cybersecurity team committed to keeping organizations secure. We encourage questions throughout the presentation, so feel free to use that feature. We will also have a dedicated Q&A at the end to cover any additional questions you may have. And as a thank you for attending, you'll receive a copy of the recording and slide deck after the webinar so you can revisit the insights and share them with your team. With that, let's dive in. Our speakers are ready to introduce themselves, so I'll hand it over to David. Thank you again for joining us. Thank you, everybody, for attending. We encourage participation, so please throw your questions right in the chat. I'm David Mauro, Vice President of Business Development at NetGain. As Ashley said, we're a top-ranked MSSP as well as a premier managed IT company that's been around since 1984. I'm also a proud member of InfraGard, which is the public-private nonprofit coalition in conjunction with the FBI and the public sector to help protect the United States' critical infrastructure. I'm excited to be joined by two gentlemen today who work with helping small and mid-sized businesses transfer and reduce risk.
And today you're also going to get exclusive insight into what actually happens once a data breach attack occurs and best practices for reducing that risk. With that, I'm going to turn it over to John. John, go ahead. Thanks, David. And thanks, everyone. I appreciate the invitation to join today's webinar. My name is John Spiehs. I am the head of claims at Converge. Converge is an insurtech MGA, which is a managing general agent or underwriter. We provide cyber insurance to small businesses. I have roughly 20 years of claim handling experience in the industry. And I'm looking forward to our discussion today. Thank you. Thanks, everyone. Nathan Borghardt with Lockton Affinity. I've been at Lockton Affinity for just about 15 years, and we help insure small to medium-sized businesses with a focus on cyber insurance. Excited to be here. And again, like David said, we encourage participation and questions. Excellent. We're going to kick things off today with a poll question. I'm interested to see what everybody knows. You can click right here on your screen. I'll launch it right now. How much of the internet is readily accessible by the common computer user? It's cool to see the answers pop through. All righty, so that's interesting. Yeah, would you like me to address the results? Please do. Yeah, so the answer is actually 4%. So do you want to go to the next slide where we show that? So the internet as we mostly use it is only 4% of the internet. The vast bulk of it is called the deep web, and that is behind paywalls, right? It's research, academic, medical journals, things like that, aspects like a university and their deep research. And then there's a subsection of that, which is larger than the internet that we all use on a regular basis, and that's the dark web. So it's important to shine a light on the dark web, since it shows the modus operandi of cybercrime: what cybercriminals plan to do and how they do it.
That's their modus operandi. Without awareness, businesses are really flying blind. So what exactly is the dark web, and how is it different from the internet that we all use every day? Think of the internet as a vast library or shopping mall with lots of products and resources. The dark web is a hidden room over in the back. It's accessible only with special keys, or in this case, special software and special tools. And unlike the open web, it's not searchable by Google. You can't get there without the special tools. And instead of a .com URL, it's going to have a .onion URL, which is for the onion router. And some of those special tools are like the Tor browser, which is The Onion Router, T-O-R. User identities are hidden, and a lot of things occur on the dark web. It's a haven for cybercrime. Can you share what the dark web looks like for everybody? We went there and we took a video of it that we wanted to share. So here on the dark web, illegal goods and services are exchanged in marketplaces just like Amazon. There are also private forums and websites hosted by cybercrime gangs where they sell their malware services, recruit new gang members, provide tools of the trade, et cetera. So why should we care? I mean, why do business leaders need to know about the dark web or need to care? Can ignoring it put your organization at risk? The answer to that is absolutely yes. Criminal groups operate just like legitimate businesses, selling stolen credentials, violence for hire, even murder for hire, human and drug trafficking, stolen intellectual property, and even offering ransomware as a service. Ransomware as a service is a turnkey platform built by these cybercrime gangs. BlackCat, LockBit, Akira, RansomHub are some of the ones you hear about in the media. And these turnkey platforms operate just like Salesforce or HubSpot, except they track extortion campaigns rather than marketing campaigns.
Small businesses generally believe in a myth. And the myth is that they're too small to be targeted. And most lack adequate defenses, making them easy targets, or they become collateral damage in larger attack campaigns that are launched through these ransomware-as-a-service and malware-as-a-service platforms. And they have all those vulnerabilities found right there on the dark web. To keep customers' trust and to maintain a competitive edge, leaders really need to know, first, is your data on the dark web? And not only now; is it being discussed for the future, meaning are they talking about hitting your sector? Are they talking about hitting your type of business in your type of state? Because right there on the dark web, they're talking about that, and monitoring that and checking that allows you to understand the modus operandi so that you can defend yourself. It's the old phrase that the FBI uses, and that is you can't defend against the foe you don't know. Right? So you have to know who it is and what they're going to be attacking with. Having 24/7 eyes on glass, not only for the dark web, but for your devices and for the applications that you use, is absolutely critical. Does anybody have any questions on the dark web? Again, throw them in chat. John and Nathan. I see a lot of small businesses, medium-sized businesses, and a lot of the feedback I get from them is, I'm too small. These cyber gangs aren't targeting me. What would they want with my data? And the thing that I always have to explain is that they're not targeting you, John Business Owner; they're targeting your software, or the vulnerabilities in your software or your network. And they're just launching this stuff on a mass scale. So they're not really looking at you as the retail shop on Main Street. They're looking at, you know, the Microsoft vulnerability that you haven't patched yet, or they're looking at the fact that you're using an outdated system.
And that's what they go after. They're not going after you specifically. It is really just a broad attack on vulnerabilities in the system. Yeah. And it really gets into what a hacker is, right? Because these platforms are so plug and play. When we think of a hacker, or what Hollywood and the media have portrayed hackers as being, what comes to mind? What's the picture in your mind? When I say a hacker, we think of a kid in a hoodie, right? Cracking a Red Bull, like, writing this complicated code in mom's basement, launching all these sophisticated attacks. That's not real. Like, yeah, they exist, right? We all know one, right? But the point is that they really don't need to be very technical. Right? Because these platforms are so user friendly and plug and play that all you have to do is have criminal intent and do the action. And there are a lot more people with criminal intent than there are with the technical chops to write code and do that. You don't need to know the code. You just need to buy the platform and subscribe to it and use it. And that's why we've seen such a massive spike and rise in attacks like ransomware and other vulnerabilities. Just real quick, David, just to jump off your and Nathan's points. When I think of the dark web, I think of where novice criminals go to become expert cybercriminals, because you can buy access to compromised networks from an access broker. You can buy login credentials, credit cards, social security numbers, PII, stolen goods, social engineering and phishing kits. I mean, the name-and-shame sites where we have to go to communicate with these threat actors when ransomware hits, they're out there. The data they publish is out there. It's just one of those areas where I've never actually gone myself because I'm too scared, but I've seen it used, and it's a pretty scary place. So. Yeah. To David's point on the kid in the hoodie in the basement, I mean, that's not the case.
These are sophisticated businesses. They offer 401k, dental, vision, health insurance, high pay. They have office buildings where people go and report to work every day. I mean, these are actual legitimate businesses in the countries and the areas that they operate in. You know, that was really surprising to me when I got an insight into that a few years ago. But yeah, it's legitimate big business. Yeah, when you think of cyber. What should I do if my Microsoft or Google account notifies me my info is on the dark web? Great point. You need to work with a security person, because what needs to occur is you need to identify where it's located, like what the compromise is, change the passwords, engage multi-factor authentication, and then re-scan. Those are generally the top steps. Keeping multi-factor authentication engaged on all of your platforms: it's out there, it's available on almost every social media platform as well as all of your Microsoft 365 platforms. And it's really, really important, as we'll get to in just a bit. Do you want to show us the next slide? To that last question, I would say contact your insurance carrier. Submit a claim. They can help you out. They have resources that they can point you to. Yeah, another thing to note is to make sure it's legitimate. Make sure that that notification is actually legitimate. Yeah, because that is one of the red flags of phishing emails, that your account has been compromised. If there's a sense of urgency, that Microsoft is going to do something within a short period of time, otherwise something bad is going to happen, and it evokes emotion in you, it's not legitimate. I've got another poll question. The answer to this really surprised me. How long are threat actors inside networks undetected? There's another question here for you; after we end this, I'll go ahead and ask it. If these criminals operate as businesses, why are they not caught and prosecuted? Great question. I love this question.
So the reason is it's not illegal where they operate from. They operate in a part of the world where they operate with impunity. OK, the United States does not trade with several countries, and they operate from those countries predominantly; while they will engage some other pieces, and various associates of theirs may live in other parts of the world, the core groups live in areas that we don't trade with. So if they bankrupt a small to mid-sized business in the United States, nothing's going to happen. Less than 3% of cybercriminals are ever prosecuted, despite what we do. Right. And if they steal (exfiltrate is the fancy word you'll hear us say, but it's a fancy word for steal), they steal and bankrupt us, right? And they bring millions of dollars to their town and they're able to spend it on their economy. They are high-fived. They are congratulated. They operate with impunity. The only rule that they have is they are not allowed to target any CIS countries, any organizations within the CIS countries. CIS countries, for lack of a better phrase, are the former USSR. I'm going to end and share these results here. So they got it correct. Yeah. So a lot of people did get this correct. So why does this poll matter? Well, it's because not all breaches are created equal. There are some that occur quickly, and there were a lot of best practices in place ahead of time, and they're able to restore quickly. They don't have to notify their customers, and it costs money and they were down a little bit, but they bounced back pretty well. That occurs when organizations do the best practices ahead of time, which is part of the reason why CISA and the FBI say to do the best practices, because it not only reduces your insurance premiums, but it reduces the claim amount and it reduces the likelihood that you'll ever be breached in the first place. Most organizations do not do a lot of the best practices, and cybercriminals are inside for a long time.
During that time, they will encrypt backups. They will create back doors, so in case you do come across them and kick them out, they can get right back in. They will also gather up intelligence. If they get inside somebody's email, the first thing they're going to do is go into your sent box and see all of the intellectual property and sensitive information that you sent out months ago that you forgot that you sent. People keep too much data. They know that, and that's one of the things that they'll do. The longer they're in undetected, the worse it is. Think of it like somebody having your wallet and using your credit cards for more than six months without you knowing it, without you being able to call your credit card company and have them cancel it, because that's what occurs. So John, do you want to walk us through some of the ways that they actually get in in the first place? Sure. So the next slide is the top cyber threats that are typically seen. So the first one, and one of the most common, is the email. So essentially, this is when a threat actor is able to gain unauthorized access to a business email account. And the most common way that this is done is via a phishing email. So essentially, what happens is a user will get an email that looks legitimate, and it'll ask them to reset their password, or it'll say, you know, log into your account, you will enter in your login credentials, and boom, they have them. They'll even be able to steal that cookie or that token. Think about the damage that they can do once they're inside your email account. So it depends on whose email account that is, right? But think about six months spent in a CFO's account or an accounts receivable clerk's or the HR director's. Like, how much information is in there? And as you mentioned, David, people keep a lot of stuff they don't even remember that they have.
So it's always one of my biggest pet peeves, the lack of data hygiene that some businesses practice, in that they don't delete old data, don't archive data, and don't get rid of data that is outdated, like six, eight years old, 10 years sometimes. What the point of all of this is, is that the threat actor will be in there and they will try to monetize the data, whatever they can find in there, whether it's PII, which is personally identifiable information, or PHI, which is health information. Can they use that? Invoices, bank account information or banking information, customer information, other email addresses; they'll send out phishing, you know, 6,000 emails to your customers in hopes that they'll click on that link and enter their credentials in. So it just goes on and on and on. The point is really that they'll get in there and they will use whatever they can find to monetize that data. The second kind of attack here is DDoS attacks, which is a distributed denial of service attack. Essentially, the threat actor makes a machine or network or resource unavailable to its intended users, usually by overwhelming a website or something like that, so that people who actually want to go out and use it can't. And eventually, you can start racking up losses there, lost revenues and things like that. Social engineering, this is where people are manipulated into performing actions or divulging information. That's the phishing, vishing, quishing, all of those, and solicitation, all of those tactics. Right, it can be done by email, text, phone, all three, you name it, it can be done. Some of the more common types of social engineering that we see are when someone purports to be an employee and they change payroll information. So then all of a sudden, you know, every two weeks their paycheck goes someplace else.
One of the hallmarks of social engineering is that the threat actor will pretend to be somebody who's very important within the organization, like a CEO, CFO, board member, and it's always really urgent, you know. (I muted myself.) It has to be done right now, so please do it and don't ask questions. So what happens is, when you have that type of situation, the user is not likely to validate or question those instructions because it's someone who is their superior. So another variation on social engineering is invoice manipulation, where instead of making a payment request internally to send out the insured's funds to pay someone else, the insured's own invoices for services that they provide get sent out with altered instructions, or maybe they're fraudulent altogether. And that way, your client will pay the threat actor, the client's out money, and you don't get paid for the services that you provided. So that's really kind of a double win. And then finally, ransomware is the final item, which is the one that most people really love to hear about. That's malware that encrypts or locks all files and data on the insured's network, which makes them inaccessible unless you're able to restore from a backup or you have to pay a ransom to obtain a decryption tool. The decryption tool will then unlock or decrypt all those encrypted files and allow the insured to get back to business. Often now you'll see a second layer of extortion, more often than not, on top of the encryption. Before the ransomware payload is dropped, you will see the threat actor coming around for weeks, months, days, whatever, finding the most sensitive data and then downloading it, or exfiltrating it, onto an offsite server. So that way, even if you can restore from backups, they'll say, hey, we took 500 gigabytes or a terabyte of your data, or eight terabytes, which is a case we'll talk about later.
And if you want that to not be published on the dark web, which we've been talking about, you need to pay us a ransom. And then finally, a third type of extortion where there's no encryption whatsoever. The threat actor will just go in, steal the data, and then try to extort that way. So really three different kinds of extortion that we see most commonly. I have a question about the BEC attack portion: how do they get your customers' information to send emails to them looking like it comes from you? They come through your email, so they'll find an email to that customer. They'll go back, you know, because again you don't know what's in your emails. If you don't delete your old sent emails, you can go back and find, you know, a customer or an invoice or something that you sent this person, and you're like, well, there's the controller at that location, I'm going to send them an email. I'm going to alter the invoice, the bank account information, and hope that they don't verify. Or they may buy the credentials on the dark web, right, which are sold on these marketplaces. A lot of people have got a really good password, but they use it on everything. Right. And once that is used on a platform that's been breached, that's for sale on the dark web. They will go and use various tactics called credential stuffing, password spraying. They will take those credentials and log in as you, which again is another reason to have multi-factor authentication engaged. Nathan, were you about to say something? Yeah, I just want to make a comment on the social engineering part. If you guys have a cyber insurance policy, it might be listed as social engineering. It might be listed as fraudulent instruction. It's under your cybercrime insuring agreement in most cases, but all carriers call it something different. But this is the easiest one, in what I've seen, to mitigate.
If you're transferring funds and you're getting instructions via email or text to transfer those funds, call a verified number to confirm that the instructions are accurate and correct. You can limit about 90% of your financial loss just by making a phone call to a verified number. So it's not really software that you can buy; it's just a practice that you have to instill in your employees who are in charge of sending those funds. And it just gets to being vigilant on spotting phishing emails as well. Everybody believes, whenever somebody's going to do security awareness training, everybody believes we know how to spot a phish, but yet we don't, right? Over 80% of all data breaches still come in through social engineering. A vast majority still come in through phishing. So you started on deepfakes, David, like we were discussing earlier, that question on where the $25 million was sent through a social engineering scheme that included deepfakes. Correct. So deepfakes are synthetic video, audio, and pictures that are made to impersonate somebody saying and doing things that they did not do. And in the last six months, they have evolved so much, and they've gotten so good, that they are virtually undetectable by the human eye, which is really exciting for creators. Right. And there are a lot of legitimate businesses that sell these products, because they claim that you can scale your ability: you can hold sales calls, marketing calls, internal customer service calls and be in multiple locations at the same time, letting AI think and act and appear like you on live video. Except that cybercriminals get a hold of that, and they leverage that for social engineering. In the last six months, there have been four major ones that occurred here in the United States. So here's how they happen, because they've all kind of happened the same way. Imagine getting an email. It's a phishing email. It's asking you to release sensitive information. You follow
Nathan's advice and you try to reach the CEO, CFO or the HR person and verify it. But you can't get in touch with them, let's say. So then you receive another email, and it's a calendar invite, and it's a Teams video call or a Zoom meeting, and you get on that call, and on that call is your boss or the HR person, or both of them, or more people that you know, people that you may know of, right? They're part of your organization, and they look and sound and think just like them. And you're able to ask all your questions, alleviate all of your concerns, go ahead and release the sensitive information, only to find out later in the day or the next day that that wasn't in fact them. And if we think that's something out of science fiction or the future, that is actually happening today. It has already happened four times in the last six months, totaling $141 million stolen in the United States. And it's going to be something that we see more often. So in terms of that, let's move on to the next batch of things to consider. So Change Healthcare, which I think a lot of us have heard of, is a massive breach. It's been all over the news; the CEO actually had to testify in front of Congress. Why is this important? Well, it's the largest healthcare breach in US history, and it was completely preventable. It impacted over 100 million Americans, which is one in three of us on this webinar right now. It disrupted medical care and claims across the United States. According to the American Medical Association, 80% of medical practitioners have been detrimentally affected by this breach, and the recovery, even though the breach occurred back in February, is still ongoing. All of the systems still aren't back up and running yet. It's led to 55 current class action lawsuits. So the story is really just beginning. Who was behind it?
A Russian-backed ransomware gang called BlackCat, which originated from the original Conti gang, one of the GOATs, one of the original ransomware gangs of all time. What's interesting is this: for months, they discussed doing this attack on the dark web. They talked about targeting healthcare. They named Change Healthcare in their plans. They discussed it openly, and yet it still occurred. The entry point and how it happened: an open server to the Internet that lacked a basic security measure, multi-factor authentication. So while multi-factor authentication might seem inconvenient, it would have prevented the largest healthcare breach in U.S. history. It really goes to show the effectiveness of the ransomware-as-a-service model, right? Because you had BlackCat that created the platform, the software, the extortion campaigns, has the forums, offers the health insurance, all of this. They go and they retain affiliates, which are digital mercenaries. And one of their affiliates went and did the attack, launched the attack, collected the data, right? And then sent it to BlackCat. BlackCat provided the negotiation, the money laundering, and collected $22 million from Change Healthcare. Then BlackCat did what's called an exit scam. They said, no, the FBI got us, and they put a big banner over their website, and they ripped off their digital mercenary, their affiliate, and they closed up shop. And they haven't been seen since. And what's interesting is the digital mercenary, the hacker, he made a copy of the data. After Change Healthcare paid $22 million to BlackCat, the hacker went out, joined another gang called RansomHub, and knocked on the Change Healthcare door and said, by the way, I still have your data. So if you don't pay me $22 million again, I'm going to go ahead and release it. And that is currently ongoing.
So when we think about ransomware and what it's like on the battlefield, a day in the life, I want to turn it over to John to explain what he sees and all of the different facets, because here's what happens in a ransomware attack. All of your icons on your PC will turn white, because they don't know what to make of it. Right. There will be a text file on there, and there will be a banner, and it'll have a countdown timer, right, for the ransomware, for the extortion. When you open up that text file, it'll say, welcome, good sir, because of your poor security hygiene, right, you need to get on our Tox channel and negotiate with us within a certain time period. Otherwise, all these bad things are going to happen. Most small business owners are not prepared to get on a Tox channel on the dark web, right, and negotiate with a Russian ransomware gang that's very, very good at their job and has vast amounts of resources. So we transfer some of that risk over to cyber insurers and our security providers. And I'd like John to walk us through after boom happens and what it's like in a day in the life. Thanks, David. Excellent segue. So I'll kick off from, I guess, when the insured finds that ransom note. It's like, what's wrong with my network? And they find this ransom note. What do they do next? Do they have an IR plan that's ready to go? Do they know who that first phone call is going to go to? We service a lot of small insureds, all small insureds under $300 million in revenue. And most of them don't know how to negotiate, or they don't have the ability to go get Bitcoin. They don't know what legal ramifications might arise from what's about to happen. So they need to have an incident response plan in place first, so they know either who they're going to call, or they're going to call their insurance carrier, because we have resources standing by that are ready to go.
So the first thing would be to reach out and set up a scoping call with privacy counsel or breach counsel and digital forensics and incident response. Essentially that's a digital forensics provider, and then they also assist with restoration. So we can get that call set up within the hour, within two hours. And that way the insured feels like, hey, something's happening, something's moving, I'm getting some help here. Jump on that call, and the forensics provider will ask a bunch of questions about their network, the size of their network, the footprint, how much data they may have, do they have immutable backups (and immutable means that they're offline and they're air-gapped), things like that. And so then they'll prepare a scope of work for the insured, and the insured will be able to say yes, or the insurance carrier will be able to say, yes, we approve of this, please help me. So the next step then is usually where they'll kick off. They'll provide the insured with a list of instructions for what to do next. They'll start collecting forensics data. They'll try to immediately lock down the insured's network to eliminate persistence, which is the ability for the threat actor to get in and out, to stay in the network. And they'll deploy what we call endpoint monitoring solutions, like a CrowdStrike or SentinelOne or something like that, so they can monitor every single endpoint on the network to see if there is persistence or movement or things like that, to make sure that that threat actor is no longer in there. So, you know, one of the things that is important is speed, because if it's a known vulnerability that hit them, then there are up to, you know, 100 other threat actors out there that might also see it, and they may be racing to get it. We've seen cases where there's been double encryption. Two threat actors have hit the same insured at the same time. Because criminals talk, right?
And as soon as they're inside your network, they are on their forums on the dark web going, I'm in, I mean, this is what we're getting, right? And then other ones find out about it.

Yeah, they use the same tools as well. So after the scoping call, you know, you'll set up a set of calls that will take place multiple times per day, every day. You know, like, what's going on? Are your backups ready to go? Are they viable? So one other thing that you'll want to do is set up out-of-band communication with all the key players, with forensics, with counsel, all the insurers who want to be involved in the situation.

Because why is that important, John? So just to interrupt. Like, having out-of-band communication is important because we don't know at this point whether they're watching what you're saying. Like, you can't use your work email because you don't know if they're on your work email.

Correct. Correct. That's absolutely right. And so then the next step is to kind of diverge on multiple concurrent paths. So one path is the forensic output. So you'll have a root cause analysis by the forensic team. So there are multiple teams within this provider. There's a forensics team, there's a restoration team, and then there's an intelligence team, a threat intelligence team that will talk to the threat actor. The restoration team focuses only on, hey, insured, do you have backups? Do you need help? Can we get boots on the ground? Do you need remote help? Things like that. And then the forensics team, they're the ones collecting the forensics data, trying to figure out the root cause analysis and things like that. So one thing that we see a lot of is that maybe all the logging capabilities are not used on an insured's network or their hardware or software or whatever.
So one thing we would always suggest is make sure that the insured turns on their logging capabilities on all of their hardware, software, operating systems, applications, and things like that, so that forensics can go back and try to connect the dots. Another thing is, if you know you have restoration or backups that you can restore from, don't delete that data. Don't delete the logs. Don't wipe everything. You know, we want to preserve that forensics data so that you know where the root cause was, because you're going to want to know how you got hit, why you got hit, so that you can remedy that going forward so that your security stack is strong. So, you know, then we have the dual path of negotiations versus restoration. So if you have backups, great, you'll be able to get back up and running sometimes within a matter of hours and usually a couple of days. And depending on the network, it could actually take a few weeks. But you'll want to prioritize. You'll want to know, and this is why an incident response plan is important, you want to know exactly which servers you want back up and running first. Which ones are key business, you know, core operation servers that you need? So if you have that, great, you're off and running; you kind of push the negotiations off to the side. You keep them warm, because you want to make sure that in case something bad happens you have the ability to go back to the threat actor. You don't want to pay that ransom, but you want to keep them warm just in case you have to. Right. So if you have to negotiate with them, let's say they actually succeed in deleting your backups or encrypting your backups and you have no other way to restore your network, then you're going to want to negotiate for that decrypter tool.

Sometimes, in your experience, what percentage of small to mid-sized businesses pay a ransom versus don't pay a ransom?

It varies. It actually varies from quarter to quarter.
But really, if we're talking about the decrypter tool, almost all pay. I mean, unless there's another way that they can restore their data, rebuild their network entirely, it's almost all pay if they have to get the decryption tool. But if they don't have to pay to get the decryption tool, I've seen, or we've seen, somewhere between 20 and 40% paying the ransom just for the data suppression. I think...

Meaning, even though they're able to get up and running, they still have a copy of the data and they're going to publicize it. So that second level of extortion, they want to keep it from going public.

That's right. And keep in mind that data is out there on the dark web that's only available to the people who know how to get out there. So, you know, the other thing about the Change Healthcare matter that I thought was a really good point to make is that, you know, one thing you have to do is, you don't really get, I mean, the proof of deletion of your data after you've paid a ransom for data suppression, essentially, is some screenshots. You never actually get more than that. So you have to trust a threat actor. And in the case of Change Healthcare, obviously, there was no trust there. The affiliate had the data and used it even though the ransom was initially paid. So two ransoms actually had to be paid. But as you're negotiating, you need to get a couple of things. You need to get proof of life to decrypt, meaning you take a couple of encrypted files, send them to, or you share those with, the threat actor. They are able to show you that they're able to decrypt those files. So you're like, okay, good to go. We know that the decrypter works, right? You get proof of data exfiltration, meaning different files from different parts of your network, so you know that they were in the places that they say they were. And that way, you know, okay, well, they took eight terabytes of data and they say they took them from these locations.
Okay, it looks like we have to assume that they have it, right? So that's kind of the point of this. And this can take days; it could take hours, it could take days. It just depends on how quickly the threat actor responds. So one thing to note: whether you negotiate or not, whether you restore from backups or by purchasing the decrypter tool, it's going to be a lengthy process. One of the misguided beliefs out there is that you pay the ransom and the lights come on. That's not true. You're going to have to rebuild your network, restore your network. You're going to have to decrypt that data, which, depending on the amount of data, can take a long time. And then, you know, set your network back up again and off you go. So it's no faster than restoring from backups, in my experience.

So a couple of questions, John. So regardless of whether somebody has cyber insurance, if they do, then you guys have the resources and you guys will be doing this. If somebody goes without cyber insurance or goes without enough cyber insurance, then they have to do all of this. Like, this stuff has to be done no matter what. Right? Like, these are the steps that occur post-breach, regardless of whether your insurance company foots the bill or not. And then the other thing is, I've heard some small business leaders say, like, well, what do I care if my data gets leaked on the dark web? Nobody goes there. It's like, no, no, that's not true. Like, they will go. There's a couple of things depending on your vertical, right? You still have to notify certain organizations. So it becomes surface web stuff. So everybody finds out, but also mainstream media monitors that stuff because it's newsworthy. They're looking for stories, and security researchers and mainstream media, as soon as a breach on a leak site gets published, that's news. And so they will go and report on it. So it bleeds its way over to that 4% of the surface web where most of us live.
And that's part of the legal analysis piece on number five, is that once you determine, through the forensic analysis, through the purchase of the data, through getting those keys from the insured, or sorry, from the threat actor, you're going to know mostly what the universe of the data was that they took, and you're going to have to figure out what's in there, right? You're going to have to figure out, is it client data that I have a contract with, that I have to notify that person because of a contract? Is it PII or PHI or other data that is regulated by the states or the federal government that requires notification and maybe even credit or identity monitoring for those individuals? But regardless of whether or not you pay the ransom for the data suppression, let's say they don't publish it on the dark web because you paid X amount, you're still going to have those legal obligations. So we usually advise against payment for data suppression, because those obligations still exist. You still have a limit to your policy. You want to use those as expeditiously as possible, whether it's through notification, whether it's through future liability because of a class action, because they're becoming more common. If you have to notify a population of more than a thousand or 10,000 people, the odds of getting hit by a class action go up the more people that you have to notify. Really, there's the first day, there's the second day, and then three, four weeks later, you get the legal compliance, you get the whole picture kind of put together. What was the root cause? What did they take? What are my legal obligations? And what might my liability be going forward?

Excellent. So in terms of segueing over to how do we reduce this? Because this sounds, and it is, a pretty arduous endeavor, like, once ransomware or a data breach occurs. There's a lot of factors that are involved.
Let's go over to, actually, if we can move on to, like, what are some of the best practices that the industry recommends? I'm interested to hear from Nathan and John, like, these best practices, when organizations do these things, a couple things happen, right? The likelihood of an incident itself happening goes down, right? Is that a fair statement? As well as the fact that the amount of damage, because not all breaches are created equal, the amount of damage, the amount of liability, and the likelihood of whether you wind up in the news, right, goes down also when you do these things. As well as, I would imagine, your insurance premiums too.

Yeah, that's absolutely right. I mean, something that I've found really helpful in explaining this to new cyber insurance buyers, because everybody's bought property and casualty insurance. You insure your home, you insure your car, you insure your business, and putting it in terms that people are accustomed to, not having some of these best practices in place is like trying to insure your house without a roof on it. And that's really the example I use when we're talking about multi-factor authentication. All carriers, regardless, are requiring some form of multi-factor authentication just to be insurable. So that example seems to resonate with people just because, again, they're accustomed to the property casualty insurance of insuring their building. And you're exactly right. It makes them a more desirable insured because the practices are there. They've got skin in the game. They're taking action to say, I want to protect my business. Again, just like in the building reference, you're making sure that the building is in good repair. You're taking care of cracked sidewalks. You're replacing damage that might occur. All of those things are the same here when it comes to cyber insurance.

Absolutely. And then, you know, updating software is really important.
That goes without saying, because it's not just new features and benefits or bug fixes, right? It is, you know, security vulnerabilities that are being rolled out. And incident response planning, John, isn't that absolutely, absolutely important? When I think of incident response planning and testing of your incident response planning through practices like tabletop exercises, to me, there's a, first of all, it still shocks me that less than 24% of small and midsize businesses do that. And then to realize that we spent all this time and money and resources building up these great brands, and yet we don't run fire drills. We all had fire drills as a kid. We did that because should there be a fire, we would die, and they would show us we have to run down this hall. We have to make a left, not a right. And we have to go do this. Realizing what needs to be done, hour one, what data needs to be, who needs to do what. It's almost like a living, breathing RACI document. I'm still shocked that most organizations still don't do it.

Absolutely. I'm a big fan of the five P's, if you guys are familiar with that: proper preparation prevents poor performance. I try to tell this to my kids all the time. But yes, have an incident response plan. And if you have insurance, even better, incorporate that into your plan. And that just doesn't mean know who to call. That means know what the next step is, and the step after that, and the step after that. Because in my world, it's all about speed and efficiency. You can't spend half a day or two days haggling over an agreement, like a service agreement with an outside provider, right? You have to move. So we have, you know, resources in place who have all worked with each other before. They've all used each other's service agreements before, their engagement agreements. So there is no question that they can just move with the speed of light, really.

Because people still reuse passwords, right?
We're like, before, the push was always, you know, you use a better password, make it more complex, et cetera. Right now, NIST has come out and said length matters. So that's good. But what most people do, they're like, I've got a really good one, but I'm using it on everything. Right. And that's not good. Right. We can't do that. But even if we did that, having multi-factor authentication and not falling for the social engineering trick of multi-factor authentication fatigue, when they steal your data, they buy those credentials, and then they keep spamming you with all these notifications. If you didn't try and log in, don't ever approve that. But having multi-factor authentication is absolutely critical.

Well, back to your point real quick on testing your IR plan. We have had situations where insureds think they have backups, and they go to their backup provider, and for whatever reason, they're not there. Right, they haven't been tested. If they had tested their backups, A, you know if they're good or not, and B, you know how long it would take you to restore if you had to use them, right? Those are very important pieces of information to have. And then back to a point on software and updating your software, you know, we're seeing faster and faster responses to those releases of those known vulnerabilities. So we've had situations where a notice goes out on Friday and there's ransomware hitting the system by Monday.

Right. Because they also notify the bad guys. So let's wrap this up. We're going to send this out to everybody, but let's get to some of the Q&A and some of the questions.

Thanks, David. We had some great questions come in. So I just want to make sure we had time for this. It's almost becoming normal for big businesses getting hacked and then all of our information is leaked on the dark web. I don't see how we can actually protect from this. Thoughts?

I think that we may have just kind of answered that a little bit. You protect from it on this page.
That's the answer. I know one thing I do. I have credit freezes with all three. Yeah, I mean, on a personal basis we have a whole bunch of suggestions, but freeze your credit. Every American, it's free. It used to be hard to do. It's super easy. Freeze your credit, because that protects a lot of people. And then for organizations, these are the best practices.

What happens when a fake breach notification letter arrives and you sign up for credit monitoring with your legitimate information on a bad website?

You have been socially engineered. Next question. No, what you need to do is... there are actually sites that, before you do that, you can put the URL, you can put the website in, to see if it's a scam website. So there's a lot of free resources where you can check that. But should that occur, then you need to have credit monitoring. And again, if you freeze your credit, you're going to be fine. Freezing your credit does not stop you from being able to use credit cards, et cetera. It's just that if you want to take a new loan out, you just have to unfreeze your credit, have them run your credit score, and then refreeze your credit. It's that simple. But they cannot damage your credit or take money out in your name, take loans out in your name, et cetera, when your credit is frozen.

And from a personal aspect, there's a lot of tools and resources out there that people may not be aware of. Look at your credit cards. Sometimes there's a service provided with your credit card, or your bank accounts might have something available to you, like a credit monitoring service, or resources available to you that you can access that are included in your subscriptions already.

Absolutely. Any other questions? Yes. Are there any government agencies actively monitoring the dark web? Yes. Okay. Would you like to know which ones? And I have a question, a follow-up. Yeah, I would say a lot of them are.
So I know the NSA does, the FBI does, CISA does, like, almost all of them that you would want doing it are monitoring. The problem is, we know who the members are of the cybercrime gangs. We just can't get to them because we don't have extradition treaties in place. So that might answer the follow-up. If so, why wasn't Change Healthcare tipped off before the breach happened? Well, yeah, because I don't know. I haven't been involved. I will say this. You can get my email through here. Reach out to me in about four to six months, because as the class action lawsuits become public and the depositions occur, then we'll be able to answer that question. That's one of the questions I... When you pay for data suppression, what percentage of your data is still leaked? Great question. John, I'm going to turn that one over to you. I guess that gets into, can you trust the cyber criminals when you give them 22 million bucks not to still sell your data?

So the answer is your data is still leaked. Payment for data suppression just stops them publishing it on the dark web. It does not change the fact that they got in and stole it in the first place. Based upon the fact that it was accessed, taken, exfiltrated, whatever you want to call it, you already have those legal obligations to notify everyone. So you're going to have to tell people that this happened. So then back to, does it get leaked anyway? I don't know. I mean, there's some evidence out there that you can't trust these threat actors, that, you know, the FBI or international law enforcement has taken down some of these groups and has found evidence that they actually don't do what they say they're going to do. So it really comes down to, shocking that you can't trust a criminal, but it really comes down to trusting a criminal. And how much do you want to pay to do that, when you could use those funds in shoring up your security stack or preparing for liability from customers, clients, et cetera?
One more question in 60 seconds or less, and then I want to get to our collaborative whiteboard session. Once data is leaked on the dark web, what should you do? If you haven't been talking to counsel, you're going to need counsel. I mean, John, why don't you address that one?

Yeah, I mean, that's the right answer. You're going to need to contact, well, you probably need to contact your insurance carrier. But so I'm assuming at this point you've already been in, you know, you've had a ransomware incident, you've had some kind of email compromise where you know your data is about to be leaked on the dark web. In that case, you've already got a process in place, and good for you, because you contacted your insurance carrier and you've gotten all the resources in place. If you just find out out of the blue that your data is on the dark web, call your insurance carrier, contact a data breach privacy attorney that specializes in this, because then they can tell you what your legal obligations are arising from it, because, and you're probably going to want to do a forensic investigation and hope that you still have logs going back far enough that can tell you how they got in.

Right. Because you should be able to find where that happened. Right. There will be a digital breadcrumb of where that happened.

Yeah. Yep.

So one of the things that we're offering all the attendees is really a roadmap, and there's no cost, no strings attached, nothing salesy, but we're going to walk organizations, and we do this pretty regularly, where we will identify best practices in your vertical, in your specialty, identify what you're doing, find cost-effective ways.
It doesn't have to be anything that we necessarily sell, but find ways where you can implement these policies, identify the gaps, and then give you a roadmap so that you can actually, you know, set a game plan out a year, three years, short term and long term, to really improve and evolve your security. We do this as a public service because we are under attack. We've been under attack for over 10 years, and it's been something that is long-standing, and there's a lot of things that don't involve us, which is why we are. But the point is, we really need to help each other kind of improve our digital hygiene as organizations. And so we offer this, we encourage everybody to take advantage of it. I guarantee you will get value. Thank you all so much for coming today. We really appreciate your time. We value your time. We hope to hear from you, some of you all, about a collaborative whiteboard session. Keep an eye out in your inboxes for a slide deck and a copy of the recording. Should be fairly soon, today or tomorrow.

Excellent. John, Nathan, thank you very much for lending your expertise today.

Thank you. You are welcome, and thank you for having me. Appreciate it.

Thanks, Ashley. You did a great job. Thanks. Bye. Thanks, everyone.