Season 1 Episode 1: Our business has been hacked – what the hell do we do?
Bastien: So you arrive at work on Monday morning and you notice that all your machines have come up with the CryptoLocker screen. You have an email on your phone advising that all your information is in the hands of some evil entity. What do you do about this?
In your experience as former chief of cyber risk at AON Insurance, what are the steps we’d take after something like this happens?
Fergus: It depends on whether or not you've got an incident response plan as to what the next steps are that you take from there. Most companies don't have an incident response plan, so what a lot of companies tend to do in this situation is run around like chickens with their heads cut off trying to figure out what they're going to do. The thing with CryptoLocker, for example, is that no one can access their files. The business is then rendered useless because it can't operate. What tends to happen is that people ring their IT service providers. Now, the majority of IT service providers are not security experts. They might try to help and give you some advice; for example, in this case they would tell you that you have a choice to make as to whether you have a backup to restore or you pay the ransom.
When you don't have a backup (or the backups are also crypto-locked) then you have some serious decisions to make. This is what also needs to be in the incident response plan. So a business that handles it sensibly would immediately form its crisis management team. If you're a small company of five people, then the crisis management team would probably be the CEO and whoever does the most IT administration. Once you've formed a team, you need to make informed decisions. In the case of CryptoLocker, do you go to your backups, and if that's not possible, do you pay the ransom?
Bastien: What about the examples where we've seen poor old mum-and-dad businesses who actually do pay the ransom, which is usually anywhere between $1,500 and $8,000? We've seen a few examples recently where they've paid and then the FBI over in the US has shut down the servers before the key is returned. What do we do then?
Fergus: Well, you’re in trouble. Paying the ransom is very common in the US whereas Australians commonly don’t like to pay the ransom. The scary statistic is that less than a third of people who pay the ransom actually get the decryption key, so your chances are pretty slim.
Bastien: Whilst in this episode we're talking about what to do when you've just been hacked, I want to stress that you need to think about the potential of being hacked before you are actually hacked. The CryptoLocker example happens often and to all kinds of businesses. CryptoLocker is an executable virus that enters your network via email, USB key or a clicked link in a browser and essentially encrypts all your files across your network. You then have to pay a ransom to decrypt your files. As Fergus said, one in three businesses is getting the decryption key to retrieve their own files. So if you don't have a backup, or if your backups aren't disconnected from your normal network, and you happen to be hit by CryptoLocker and can't get your files, the impact on your business is going to be huge. You are going to lose every piece of data within your business. I stress that you need to think about this before the event happens. If you haven't done so already, listen to episode 4, where we talk about preparing for a hack or cyber incident.
Fergus: Say you're an organisation that pays the ransom, and you're familiar with the fact that on the dark web, which is this criminal world wide web that's not visible from the normal world wide web, there are lists of companies that are soft targets, the sort of companies that will pay the ransom. So if you get hit once, organised crime is potentially going to come after you again. There is an example of an SME in South Australia a couple of years ago. I received a distraught phone call from them; they had received a CryptoLocker demand for $3,000 in Bitcoin. I said to him that he had two options: either pay the ransom or go back to backup. Apparently there was a problem with the backups. They had implemented a system that backed up everything every half hour, but when they had configured it, the folder that contained all of their IP was not on the backup list. So he'd lost a year's worth of IP at his manufacturing company.
Bastien: This goes to our overarching point here: you've got to decide what's important to your business, find the criticality of your data and make sure it's protected with various controls. One particular control might be a backup. So say you are an organisation that has taken some preliminary steps, and for some reason you've been hacked, whether that be CryptoLocker, some stolen data, a key-logging device detected on site, or you know that a criminal organisation has been listening to your email conversations for the past six months. What are the steps, from your point of view, Fergus, that any organisation should take after that event?
Fergus: The first step that needs to happen is that they need to think about this as a business crisis, and start acting like they're in a crisis situation. Then it needs to be decided what resources should be brought in. Another question is to have a look and see whether you've got insurance, but then you need to put together some sort of response panel. There are a couple of things that you're going to need to do. One is that you're going to need to fix your problem: find out what has gone wrong and fix it. That could be an IT service provider, or you might need to start looking at forensics; if you can be bothered to find out who perpetrated the attack, start the process early. It's a very good idea to speak to a lawyer if there have been records involved or lost. Again, IT service providers are not necessarily cyber risk and cybersecurity professionals. So make sure you're getting a lawyer who actually understands what the ramifications are in terms of notification. Then you've got to think about how to do the communications. How do you tell people what's happened? Say your business has gone down for two days before you managed to fix your CryptoLocker problem. You're going to have to explain to your customers the reason why you couldn't do any business for them, and you need to be very careful about how you word it. You also need to tell the regulator; there are thirty days before you have to notify the privacy commissioner. Do you notify your customers before this? Think about all of this, because these are the steps that need to take place.
Certainly any company that's used our notifiable data breaches service will have all of those components documented in their incident response plan. When they have an incident they'll know who to call and the order to do it in, and so on.
Bastien: When an organisation is hacked, one of the things that is often misconstrued is that they might find the attacker in the email system and stop there. But when we get paid to target organisations, and especially in the case where a criminal organisation has targeted your organisation specifically and is trying to achieve a goal, whether that be to take data or money or to extort you, it's very unlikely that that hacker has used one single means of attack. Usually we would have gained entry via the email system or by talking to people over the phone, gained information from social media, or dropped USB keys around the place; there are multiple entry points.
You really must take the time after you've been hacked to identify and check each system. Hopefully you have a security incident monitoring solution in place so you can forensically look back through the logs and notable behaviours. Notable behaviours would be little bizarre things that don't make sense when you add them up. A hacker will exploit multiple little things that you've done incorrectly within your business; for example, someone giving too much information over the phone about a person being away sick that day. When they know someone is sick, they can attack that person's laptop, sit at their desk, compromise their email system, and talk to clients while they know no one will be monitoring that system.
There are multiple paths in, and after you've been attacked you really must sit down and pull it apart. It's probably not worthwhile trying to figure out where it came from, but try to figure out where the failure was in the controls that you set up to prevent this, and put the correct controls in place so it doesn't happen again, whilst at the same time you're still trying to deal with and juggle the public perception, the legal side of things, and returning to business as usual (that might be more of an IT function). It really is a group of people working together to solve this problem of a cyber breach.
Fergus: Regarding organised crime, let's say I'm a hacker and I've got access to someone's network. I've got a couple of choices here: I could do a smash and grab, or I could do a land and expand. The latter will get you into multiple parts of a network where you're looking for all sorts of things. A real-life example from quite a few years ago happened to one of the large global retail chains. What happened was a hacker managed to hack into this easy-to-hack air conditioning (HVAC) company. They got in, started looking around and realised that this major retail chain was connected to them via a network connection that they already had access to, so they had access directly into the retail chain's network. What they did was very organised: they did their reconnaissance in and around the retail chain's network and they found a point-of-sale system. They then put something on that system that allowed them to skim credit card details. They knew they would probably get busted for this, so what they did was wait for Black Friday, which is a day of sales that retail stores have every year. They waited till then so that they could maximise the number of credit card details they could get.
I'm using this example to say that they are very organised and they might be all over your network. You're going to have to do a very good job of the cleaning, because if you've been hacked once, then it's about five times more likely that you'll be hacked again. Make sure that the people coming in and helping you to look for things know what they're doing in terms of security and are able to find the signs of infection and that kind of thing. To be honest, I don't see much forensic capability in SMEs. I don't see a lot of logging or evidence of that, but if you go to the bigger companies, of course you've got it. So SMEs aren't spending the money on these forensic tools.
Bastien: Which is a shame because they are pretty affordable.
To cover off, when you've been hacked, what do you need to do? You need to remove the infection and the hacker. There are four steps to this, and a lot of these tasks happen in parallel. Removing the breach, the infection and the hacker is step one. Secondly, a different team, perhaps legal, PR or HR, is involved in advising the organisation, your staff and the people who've been impacted about the damage. Thirdly, and obviously happening at the same time, is restoring business-as-usual activities. The fourth step, which is often critically missed by organisations, is having a look to see how this happened and preventing it from happening again in the future. As Fergus said, once you've been hit once you're five times more likely to be hit again, because your information is likely to be on the dark web. Other people are going to see it and see if they can target you again. So prevent future attacks by really defining what's important to your business, and really defining what controls are going to stop a hacker from entering your network. Make sure those controls are effective, and monitor the effectiveness of those controls using things like threat intelligence.
Large businesses have somewhat implemented these systems, sometimes not well, but there are some really cost-effective software, technology and consulting solutions out there. These will step nicely into any SME or startup to solve this problem and prevent it from happening in the first place, or at the very least protect you from the depth of attack you'd see if you had nothing in place.
Fergus: I think what we also see is that people don't do anything about this. Some of the more basic steps have been provided by the government: the ACSC's Essential Eight is a set of eight things that people should do to stop themselves from getting hacked. So people don't do anything, and then what tends to happen is that they do all sorts of stuff and overreact, where they could have taken basic steps in advance. That again goes back to planning, but I also suggest calming down as the first reaction. Once everyone is calm they can talk rationally about what the options are. There are organisations out there, such as ourselves, who can be on site very quickly to help you out and provide advice based on what we've seen before: whether this is a real threat, whether it's an actual attack, whether you might be infected in other places. The advice is out there from your security companies.
Bastien: That's an important point. If you're a small organisation and you don't have the skill set to solve this problem, there are incident response teams ready and willing to help. We'll jump on a plane, we'll be in your business within a matter of hours and help you with those four steps, which are to remove, advise, restore and prevent.
Fergus: And you know that you can get your insurer to pay for it. The insurers actually have existing panels that are ready to go and that have cast-iron agreements with the insurance companies, because it's in their interests to fix the problem quickly and cheaply.
Bastien: Another point to cover is that sometimes hacks aren't even perpetrated by cybercriminals; they're quite often accidentally perpetrated by your internal staff. A good example of that is one of the big four banks here, which had its medical data breached, which was all over the media. They decided that it was not in their best interests to notify the privacy commissioner or the individuals that had been affected. It ended up being a huge media mess because it eventually came out anyway. It ended up costing a significant amount of money, and their reputation was dragged through the mud. It's an example of an internal hack or misappropriation of data which led to a significant loss of funds and damage to reputation. That's an example of a privacy breach that didn't go well. Fergus, do you have an example of one that went well?
Fergus: A couple of years ago there was an incident with the Australian Red Cross Blood Service, whereby they had a website where donors could go and enter their details as opposed to filling in a survey when you get to the blood donation place. It was found that the database was vulnerable, and obviously there's sensitive information there about blood type and sexual proclivities. About three percent of the Australian population were impacted by this potential breach. What happened was that someone found that the database was vulnerable; I call them a hacker with a heart of gold. They contacted a security researcher by the name of Troy Hunt, and he contacted the Red Cross, and they immediately started to act. Now, in the case of the Red Cross, they had cyber insurance and with that they had an incident response plan, and everyone knew what they had to do. So the crisis management team came together, the chairman and CEO both signed a statement that was put up on the website, and they texted every single affected person and notified the authorities. Because of that the incident was handled quite well; it was announced on a Friday and by Tuesday it had pretty much blown over. That's an example of a well-handled incident, and the reason was that they had a plan and they knew what to do. That's how they minimised their brand and reputation damage, and I don't know that they churned many donors.
Bastien: Once you've been hacked you need to prevent this from happening again, so take a good look in the mirror and ask if you have things in place to prevent it. You may not even be able to make that assessment yourself; you may need to get someone to come in and tell you, for example, what data elements are held, the compliance obligations that must be adhered to, the fines that have to be paid if that fails, and the business interruption. You will end up building a risk matrix.
Once you've got that information you can review the controls that need to be in place to prevent that. For low-level data it can be some fairly low-level controls, but for high-level data that's really going to have a severe impact on your business, we often see organisations just not taking it seriously enough and not implementing the correct controls. When they do that dance with the devil of user interactivity or usability, and sometimes user frustration with two-factor authentication, they opt not to implement two-factor authentication to keep their users happy. But they put themselves at huge risk there.
Fergus: A couple of years ago Equifax had a very large and public breach of people's credit records. This one upsets me because they hold records of people who don't even know that their records are held. If someone does a credit check on you, like a bank for example, then all of a sudden your records will appear on Equifax, and there are only a couple of these companies in the world. All of a sudden hundreds of millions of people's credit records and scores were out flying in the wind on the dark web. We didn't really get an apology, and I don't know what action they took internally to make sure it didn't happen again, but they're still in business. I know that they're being supported because they're one of the only credit reference agencies in the world. That's an interesting one in itself, but you'd want to think that they are taking measures, and you'd want to think that they would be punished for not looking after those records. I just think that we really have to see that these things are impacting individuals.
In the US, identity theft is absolutely rife due to data breaches. We’ve been the lucky country in Australia so far, we haven’t seen as many happening but it’s definitely coming.
Bastien: It's interesting when you say it's coming; in the last three months we've seen Speedrun get hacked, as well as Australia Post, Bank of Queensland, Kathmandu, Citrix, Melbourne Hospital, Coffee Meets Bagel, Honey, Toyota Australia and ANP, just to mention a few. We're kind of here already, and businesses that aren't waking up to this fact, who don't have the right things in place, who don't have the right technologies and are not getting the right assistance from companies like us (we're out there and we're ready to help), are kind of asking for it.
It's surprising that these large organisations are getting hit. It's not surprising that the SMEs, and even large enterprises when they're Australian, are getting hit, because we've just been ingrained with that "she'll be right" attitude, and we can't do that anymore. It has to be taken seriously now; we have to take steps to prevent ourselves from being hacked. You as a business have a responsibility to your clients and to the data that you hold to take it seriously and protect it. If you do have a breach, you have the responsibility to advise those individuals.