Chapter 10

Prevention

Let’s think the unthinkable, let’s do the undoable. Let us prepare to grapple with the ineffable itself, and see if we may not eff it after all.

—Douglas Adams

Learning Objectives

  • Identify the keys to building an effective cybersecurity program

  • Describe key security technologies that can prevent initial entry

  • Learn techniques and strategies for catching cyberattackers early, before an incident metastasizes into cyber extortion

  • Know how to reduce attackers’ leverage by increasing your operational resilience and decreasing the risk of data theft

  • Understand that cyber extortion is a systemic challenge that requires a coordinated, global response

Extortion is the end of a journey; the last phase of a cyberattack. The adversaries’ path to cyber extortion may take any number of routes. Recall that cyber extortionists attempt to obtain something of value by threatening the confidentiality, integrity, and/or availability of information technology resources. They can accomplish this in a myriad of ways: by stealing confidential data and publishing it, detonating ransomware, launching denial-of-service attacks, or many other malevolently creative means.

As a result, to effectively defend against cyber extortion, organizations must essentially defend against all types of cybersecurity incidents. This starts with building and maintaining a strong cybersecurity program.

As we learned in Chapter 3, the adversary’s journey can be broken down into entry, expansion, appraisal, priming, leverage, and finally extortion. Defenders have opportunities to thwart the attack at every phase by implementing effective security technologies, detection mechanisms, and response processes.

While a full treatment of cybersecurity defense can easily expand to fill a book (or a whole series), in this chapter we highlight the keys to building a strong, holistic cybersecurity program. Then, we delve into specific security technologies that help to reduce the risk of compromise. Organizations can further minimize the damage of cybersecurity incidents through early detection and monitoring, reducing the risk of data theft, and increasing their operational resilience.

Cyber extortion is a global challenge, and not one that any individual organization can solve alone. We conclude this chapter by discussing strategies for reducing adversaries’ leverage through far-reaching policy changes.

10.1 Running an Effective Cybersecurity Program

Cybersecurity was the top spending priority for CIOs in 2021, according to Gartner, with a predicted growth rate of 12.4% for such expenditures by the end of the year.1 Not all spending is equally effective, however. “How a security program is planned, executed, and governed is likely as important as how much money is devoted to cybersecurity,” noted a 2020 Deloitte analysis.2 Even mature organizations that have invested heavily in cybersecurity need to continually refine and tune their program as new risks emerge and the technology landscape evolves.

1. “Gartner Forecasts Worldwide Security and Risk Management Spending to Exceed $150 Billion in 2021,” Gartner, May 17, 2021, www.gartner.com/en/newsroom/press-releases/2021-05-17-gartner-forecasts-worldwide-security-and-risk-managem.

2. Julie Bernard and Mark Nicholson, “Reshaping the Cybersecurity Landscape,” Deloitte Insights, July 24, 2020, www2.deloitte.com/us/en/insights/industry/financial-services/cybersecurity-maturity-financial-institutions-cyber-risk.html.

Here are the four keys to running an effective and efficient cybersecurity program:

  1. Know what you’re trying to protect.

  2. Understand your obligations.

  3. Manage your risk.

  4. Monitor your risk.

By tackling these four areas, organizations can reduce the risk associated with cyber extortion attacks, as well as all cybersecurity risks.

10.1.1 Know What You’re Trying to Protect

Many victims of cyber extortion are shocked by the amount of data that adversaries steal—often because the victims didn’t know they were storing all that data in the first place. An inventory is the foundation of every strong cybersecurity program. It’s also critical for responding quickly to cyber extortion events, particularly when concerns arise about potential data exfiltration and/or publication.

Emergency inventories are extremely expensive and are never as effective as a proactive, ongoing inventory process. All organizations should conduct routine, proactive inventories of sensitive data to understand the scope of their cybersecurity program, identify risks, and prepare for response.

10.1.1.1 Why Take an Inventory?

When you think about it, the importance of an inventory is obvious: You need to know what you’re trying to protect, and where it is located, to effectively secure it.

All too often, organizations invest huge amounts of time, effort, and money into their cybersecurity programs without taking an accurate inventory. The result is that sensitive data is left sitting in places that are unprotected; vulnerable systems are overlooked; misconfigured cloud shares go unexamined; there are gaps in compliance; and insurance coverage is not aligned with the risks. Cybersecurity risks that are unseen cannot be properly addressed.

To build an effective cybersecurity program, you must first understand which information resources you are trying to protect. This includes identifying and tracking sensitive data throughout the organization, as well as IT assets such as servers, workstations, network equipment, cloud applications, and more.

It’s not enough to take an inventory once and then forget about it; every organization is constantly evolving. Classifying data into three to five general categories can help; see the authors’ website for a sample data classification policy (ransombook.com).

10.1.1.2 Why an Inventory Is Critical for Cyber Extortion Response

An inventory of information resources is critical for effective cyber extortion response specifically. Consider the all-too-common case of exposure extortion, in which an adversary threatens to publish a cache of stolen data. The last thing the victim needs is to scramble about trying to figure out exactly which data could have been in the stolen repository.

For example, in ransomware cases, there is nearly always a risk of unauthorized access to sensitive data. After all, to encrypt data, the adversary first must access it. To meet legal, contractual, and ethical obligations, the victim typically needs to figure out precisely which data may have been stolen to assess the risk and determine whether cybersecurity or breach notification laws have been triggered.

Responders also need to know precisely which systems and data to restore. That can be a painstaking challenge, particularly during the early and more chaotic portions of the response to a major compromise. Maintaining an up-to-date inventory of data and assets can dramatically reduce response costs and damage in the event of a cyber extortion incident.

10.1.2 Understand Your Obligations

The potential costs and ramifications of cyber extortion incidents depend, in part, on the victims’ legal, regulatory, and contractual obligations. Cyber extortionists often remind victims that they may suffer lawsuits, regulatory investigation, and shame if third parties are notified or impacted.

What’s more, these obligations may directly or indirectly require victims to conduct an investigation, perform a risk analysis, make notifications to data subjects, or take other actions.

Common obligations include the following:

  • Federal, state, and local cybersecurity incident and data breach notification laws

  • Cybersecurity and privacy laws and regulations (such as the General Data Protection Regulation [GDPR] in the European Union, or the Health Insurance Portability and Accountability Act [HIPAA] and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 [CIRCIA] in the United States)

  • Industry-specific regulations (such as HIPAA/HITECH in the United States)

  • Contractual obligations (such as merchant agreements that require adherence to the Payment Card Industry Data Security Standard [PCI DSS])

Well before an attack occurs, a qualified cyber attorney should evaluate the organization’s regulatory and contractual obligations with respect to cybersecurity. This assessment should consider the organization’s industry, geographic areas of service, type and volume of information stored, key existing contracts, insurance coverage, and any other factors that counsel believes are relevant. The results should be used to inform incident response processes, as well as proactive cybersecurity investments.

Cybersecurity-related laws are emerging rapidly, the regulatory landscape is constantly evolving, and new contracts increasingly include cybersecurity-related clauses. All organizations should have a process for continuously tracking laws, regulations, and contractual obligations, and updating policies and procedures as needed.

10.1.3 Manage Your Risk

Whole books have been written on managing cybersecurity risks—and even then, it’s impossible to capture every nuance of an effective cybersecurity program. Every organization is unique, and therefore every cybersecurity program is different.

Here are high-level steps that every organization needs to take to effectively manage cybersecurity risks:

  • Assign roles and responsibilities.

  • Build your cybersecurity program.

  • Choose and use a cybersecurity controls framework.

  • Budget for cybersecurity.

  • Develop your risk management plan.

  • Engage in training and awareness.

  • Fund your cybersecurity program.

  • Get cyber insurance.

10.1.3.1 Assign Roles and Responsibilities

Ultimately, it is people who will design, build, and implement your cybersecurity program. Make sure you have trained and qualified people on your team. This starts with strong leadership!

Ideally, the person designing and overseeing an organization’s cybersecurity program should have extensive cybersecurity experience, including familiarity with control frameworks, as well as a strong IT background. All too often, an IT generalist becomes the de facto cybersecurity program leader. This is like asking a family physician to act as a neurosurgeon. You don’t necessarily need to hire a full-time employee to fill this role; it is becoming increasingly common to outsource a fractional chief information security officer (CISO).

Because cybersecurity is a relatively new field, experienced professionals are notoriously difficult to hire, with industry professionals reporting a “zero percent unemployment rate”3 in cybersecurity and a dire lack of qualified candidates. Consider outsourcing when necessary to fill gaps and keep workloads at a reasonable level.

3. Steve Morgan, “Cybersecurity Talent Crunch to Create 3.5 Million Unfilled Jobs Globally by 2021,” Cybercrime Magazine, October 24, 2019, https://cybersecurityventures.com/cybersecurity-jobs-report-2019/.

10.1.3.2 Choose and Use a Cybersecurity Controls Framework

A cybersecurity controls framework is essentially a checklist for your cybersecurity program. It serves as the foundation for the organization’s cybersecurity efforts, ensuring that the organization takes a methodical approach that is in line with industry standard best practices. Rather than reinvent the wheel, most organizations choose a widely used framework such as the NIST Cybersecurity Framework or ISO 27001, customizing it as needed to fit their organization’s unique needs.


Definition: “Security Control”

According to the U.S. National Institute of Standards and Technology (NIST), a “security control” is defined as follows:4

4. “Security Control,” U.S. National Institute of Standards and Technology, Computer Security Resource Center, https://csrc.nist.gov/glossary/term/security_control.

A safeguard or countermeasure prescribed for an information system, or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.

Once the framework is selected and customized, you can use it as the basis for defining the cybersecurity program, planning investments, identifying gaps, and informing risk assessments (see Section 10.1.4).

10.1.3.3 Build Your Cybersecurity Program

Every organization should have a formal, written cybersecurity program, which is designed to comply with relevant laws, regulations, and other obligations. The program’s documentation should include clear assignment of responsibilities, the scope of data and assets to be protected (see Section 10.1.1), a summary of obligations (see Section 10.1.2), and details on how the program will be maintained and monitored (see Sections 10.1.3 and 10.1.4, respectively). This document (or suite of documents) should be reviewed and updated at least annually, or more frequently as needed.

All too often, cybersecurity program documentation sits on a dusty shelf (virtually speaking), untouched until an auditor or third party requests access. Make sure to include your cybersecurity program elements in training and awareness programs so that the written materials are translated into action (see Section 10.1.3).

Metrics and reports are also key. As discussed in Section 10.1.4, it’s important to conduct routine assessments to understand the effectiveness of the cybersecurity program. These results should be summarized into easily digested dashboards and provided to leadership routinely, along with any recommendations for program updates.

10.1.3.4 Develop Your Risk Management Plan

There is no such thing as “perfect” security—it is all about risk management. To develop a truly effective and efficient cybersecurity program, each organization should implement and maintain a plan for prioritizing and addressing risks so that the residual risk is aligned with the leadership team’s appetite. This plan should be updated as often as practicable to take into account evolving risks and the state of the organization’s cybersecurity controls.

Historically, many organizations conducted an annual risk assessment (particularly in highly regulated industries such as healthcare or finance). As cybersecurity tools mature, more organizations are embracing continuous risk management, using centralized risk-tracking tools to identify and document risks on an ongoing basis. This, in turn, facilitates the development and maintenance of ongoing risk management plans that are routinely kept up-to-date as new threats and vulnerabilities are identified.

Sections 10.2 and 10.3 provide details on specific high-impact security technologies that should be considered for inclusion in every organization’s risk management plan.


Tip: Proactively Manage Supplier Risks

Supply-chain risks are a growing area of concern, as we have seen throughout this book. The Kaseya ransomware attacks described in Chapter 1 perfectly illustrate how criminals can leverage technology suppliers to launch cyber extortion attacks against thousands of organizations in one fell swoop. In this case, the adversary exploited a vulnerability in the Kaseya remote management product, which was often deployed by third-party managed services providers (MSPs) on behalf of their customers.

For cybercriminals, attacks against the technology supply chain have proved to be an effective strategy, enabling them to maximize their reach and profit. It’s critical for every organization to proactively monitor and manage supplier cybersecurity risks. To implement effective supplier cybersecurity risk management:

  • Start by clearly assigning responsibility for vetting and follow-up.

  • Establish clear requirements for supplier cybersecurity and include these in vendor selection processes.

  • Enumerate all suppliers.

  • Assign a risk rating to suppliers based on factors such as volume of confidential data that the supplier can access and criticality of the supplier for day-to-day operations.

  • Ensure that supplier contracts clearly articulate cybersecurity requirements such as proactive cybersecurity measures, routine assessment and reporting, and incident notification.

  • Vet suppliers routinely, prioritizing them based on their potential risk to the organization’s cybersecurity posture.

  • Monitor and follow up consistently on any areas of concern.

  • Include key suppliers in the organization’s cybersecurity incident response processes.

Supplier risk management has become an integral part of every effective cybersecurity program.

10.1.3.5 Engage in Training and Awareness

Effective cybersecurity programs include training and awareness programs that routinely communicate relevant program information to appropriate persons, including IT staff, security team members, legal counsel, general employees, and others. It is not enough to communicate information once: Effective training programs offer consistent, regular knowledge reinforcement.

On-demand cybersecurity training platforms have grown in maturity and popularity in recent years, particularly for general employee education. These systems can provide short training videos and games that adult learners can digest routinely, at convenient times. When paired with phishing test programs, these platforms can be very effective at reducing human-based cybersecurity risks across the enterprise.

Make sure to invest in specialized training for IT personnel, security professionals, and incident responders. Especially in a tight job market when workers are scarce, organizations need to invest in routine training for technical staff.

The executive team and board of directors also need routine education and awareness regarding security threats. A combination of short, on-demand awareness videos, supplemented by live training and interactive expert sessions, can help leadership teams understand the current threats and make smart decisions on behalf of their organization.

10.1.3.6 Fund Your Cybersecurity Program

No cybersecurity program can address every risk. On a regular basis, leadership should review the results of risk assessments (see Section 10.1.4) and use this information to prioritize their investments in cybersecurity.

This might include allocating funds for human resources, equipment, services, and more. By aligning investments to address the highest-risk areas, organizations can make the most effective use of their resources. Since cybersecurity evolves quickly, it’s important to review and update your budget routinely, and ensure your investments remain in line with leadership’s risk appetite.

10.1.3.7 Get Cyber Insurance

Cyber insurance has evolved to play a critical role in cyber extortion risk mitigation and response. First, like other types of insurance, cyber insurance is a vehicle for transferring residual risk to a third party. Certain types of coverage are especially useful for transferring risks relating to cyber extortion:

  • Business interruption, which covers lost revenue due to technology outage.

  • Data recovery, which can cover costs associated with restoring data from backups, decrypting data, manually recreating lost data, and more.

  • Cyber incident and breach response, which typically covers costs for investigating and responding to a potential breach. This can include legal guidance, incident response consulting, threat hunting, forensic investigation, notification costs, and more.

  • Information security and privacy liability, which can cover litigation expenses in the event of lawsuits, regulatory fines, and more.

Cyber insurers are also key players in the extortion response process. Insurers have a vested interest in supporting effective response practices and minimizing damage, since they foot a portion of the bill in the event of a claim. Unlike with car accidents, in cyber extortion cases the insurer has time to influence the outcome of the incident by providing support and guidance in the response process.

Many organizations do not have the resources to maintain their own trained and experienced cyber incident response staff in-house. To fill this gap, cyber insurers have put together cyber incident response teams and provide valuable services during the response process. These services often include, but are not limited to:

  • Hotline for reporting cyberattacks

  • Panel of vendors (often vetted) that provide:

    – Incident response services

    – Ransom negotiation

    – Legal guidance (especially important for breach investigations)

    – Public relations

    – Crisis management support

  • Funding for response/recovery services and ransom payment

  • Business interruption coverage

As a result of this kind of support, victims of cyber extortion often fare much better when cyber insurers are involved. Indeed, victims with cyber insurance coverage are more likely to have access to experienced professionals who can provide them with proper guidance and support, as well as the funds needed to engage these providers during a crisis.

Once cyber insurance coverage is selected, it’s important to integrate it into the organization’s incident response programs. Make sure to document the appropriate contact information and processes for notifying your cyber insurance carrier and assign responsibility for notifying the carrier (including after hours and on weekends, if needed). Include your cyber insurer in tabletop exercises and incident response training.


Heads Up! Cyber Insurers Incentivize Effective Security Controls

Because cyber insurers have a vested interest in reducing risk, they often provide valuable risk-reduction resources for insureds, and play a pivotal role in incentivizing the adoption of effective cybersecurity measures.

“Insurance historically helps set standards and we are doing the same now for cyber,” said Bob Wice, Head of Underwriting Management, Cyber and Tech at Beazley,5 in an interview with the authors. “We are in a prime spot to be able to evaluate where organizations are having problems and are seeing losses … and then we transparently inform the prospective insureds and current buyers.”

5. Interview with the author via Zoom, August 11, 2021.

Cyber insurers often offer value-added services, such as training, policy templates, or proactive scanning, which can be useful for IT staff and leadership. The terms of your cyber insurance policy may also inform aspects of your proactive cybersecurity program. Ensure that any requirements needed to maximize the value of your policy are communicated to IT leadership, such as documentation or technologies that should be implemented.

10.1.4 Monitor Your Risk

Cyber extortion risks are constantly evolving. It’s important for every organization to maintain an accurate understanding of current risks, so that it can effectively protect its information resources.

“Monitoring risk” refers to the process of evaluating threats and vulnerabilities, assessing the potential impact and likelihood of a negative event, and determining the effect of security controls in place.

An effective risk monitoring program typically includes at least three components: cybersecurity controls assessment, technical security testing, and risk assessment. The organization should also track, evaluate, and report on any cybersecurity incident to identify gaps and the costs associated with security issues.

By accurately understanding the organization’s risk profile, leadership can effectively invest funds where they are needed most and make efficient use of limited resources.

10.1.4.1 Cybersecurity Controls Assessment

A controls assessment is an evaluation of the organization’s actual cybersecurity program compared with a list of controls. Typically, the controls assessment is based on a widely accepted framework, such as the NIST Cybersecurity Framework or ISO 27001, although it may be customized to meet an individual organization’s needs. The selected framework should be chosen to align with applicable laws, regulations, standards, and contractual obligations.

10.1.4.2 Technical Security Testing

Technical testing is conducted to identify known vulnerabilities, configuration weaknesses, policy issues, or any other gaps in the actual technical security profile of an organization’s systems. Appropriate testing varies based on each organization’s unique technology environment, but typically includes vulnerability scans, configuration reviews, penetration testing, phishing tests, and other technical security assessments.

10.1.4.3 Risk Assessment

A cybersecurity risk assessment is a methodical evaluation of potential threats and vulnerabilities, which the assessor maps to controls in place to determine the residual risk to the organization. Ideally, the results of the controls assessment and technical testing will be used as input in the risk assessment.

Because the cybersecurity threat landscape changes rapidly, it is wise to conduct all three types of assessments regularly. Modern risk management software can support continuous data discovery and data mapping, as well as regular controls assessments and risk assessments that take into account risks identified during routine technical testing.

10.1.4.4 Track and Analyze Cybersecurity Incidents

In addition to ongoing assessments, it’s important to track ongoing cybersecurity incidents, routinely analyze root causes, and provide reports and metrics to upper management. This way, the organization can learn from incidents and identify effective measures for reducing the risk of future issues. In addition, incident reports can help leadership better understand the risks and evaluate the potential return on investment for cybersecurity controls.

10.2 Preventing Entry

Cyber extortion attacks are highly preventable, starting at the point of unauthorized entry into the victim’s environment. As noted in Chapter 3, common entry vectors include the following:

  • Phishing: The adversary sends an email, text, or other message designed to trick the victim into taking an action that gives the adversary information and/or access to the victim’s environment.

  • Remote login: The adversary successfully initiates an interactive session via a remote login interface such as RDP, using credentials that have been guessed, stolen, purchased, or otherwise obtained.

  • Software vulnerability: A vulnerability in the victim’s Internet-facing applications, servers, or network equipment is exploited by the adversary and allows them to gain access.

  • Technology supplier attack: The adversary has access to a supplier’s technology resources (such as a software provider or MSP), whether legitimately or through compromise, and leverages it to gain access to the victim’s environment.

By implementing specific security technologies, organizations can dramatically reduce the risk of an intrusion that might metastasize into a cyber extortion incident. At the time of this writing, some of the most effective security technologies for preventing entry include the following:

  • Phishing defenses, including spam filtering, web proxies, and training

  • Strong authentication, such as multifactor authentication tools and password managers

  • Secure remote access solutions

  • Patch management

In this section, we consider how each of these technologies can be leveraged to prevent cyber extortion attacks and the intrusions that lead up to them. In many cases, these same technologies can also help to limit the damage even if attackers do gain entry.

10.2.1 Phishing Defenses

Phishing attacks have consistently been among the top vectors of entry for adversaries for the better part of two decades. Although most people associate “phishing” with emails, adversaries can leverage any medium for communication, including SMS (“smishing”), voice (“vishing”), social media, fax, and more. Ultimately, the adversary’s goal is to trick the recipient into taking an action that will give the adversary information or access, typically by clicking on a link, opening a malicious attachment, or responding to a request for information.

Phishing is often paired with a malicious website designed to steal the victim’s credentials or install malware. As the Verizon Data Breach Investigations Report (DBIR) explained, “Phishing continues to walk hand-in-hand with [use] of stolen credentials in breaches as it has in the past.”6

6. Verizon, Data Breach Investigations Report, May 2021, p. 16, www.verizon.com/business/resources/reports/dbir/2021/masters-guide/summary-of-findings/.

Many tools and techniques are available to thwart phishing attacks. Among the most commonly used options are the following:

  • Spam filtering

  • Web proxies

  • Training platforms

We will discuss each of these in turn.

10.2.1.1 Spam Filtering

A strong spam filtering system can block malicious links and attachments and prevent them from ever reaching the intended recipient. Systems may be stand-alone applications that serve a specific purpose, such as the Barracuda Spam Firewall, or they may be integrated with email systems, such as Exchange Online Protection (EOP) for Microsoft 365. No system is 100% effective; however, a good spam filtering system will greatly reduce the number of malicious (and junk) emails that your staff receives.

10.2.1.2 Web Proxies

In the simplest terms, a web proxy is an intermediary that sits between a client and a web server. Web proxies can be used for many purposes, including caching, filtering, and tracking of web traffic.

Web proxies can be configured to filter a user’s web traffic and block access to known malicious sites. This capability is especially useful in the event that a user clicks on a link in a phishing email, because it can stop a malicious site from loading.

Many malware infections include a command-and-control (C2) component in which the infected computer reaches out to a server controlled by the adversary to receive further instructions or updates. Web proxies can be configured to monitor for this type of traffic and block it if it occurs. They can also alert on higher-than-normal outbound data transfers, which may indicate that data is being exfiltrated.

Web proxy logs are a rich source of evidence if an attack does take place. Like spam filters, no web proxy is 100% accurate, but every layer of security helps.
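The two detection ideas above, blocking known command-and-control destinations and alerting on unusually large outbound transfers, can be run over proxy logs after the fact as well. The following is an added example, not code from the book: the log format is loosely modelled on a Squid-style access log, and every log line, IP address, hostname and the blocklist are constructed for illustration.

```python
"""Triage web proxy logs for two signals: requests to known C2 hosts and
clients sending far more data outbound than their peers (possible exfiltration).
Added illustration; log format, addresses, hostnames and blocklist are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed log lines, loosely modelled on a Squid-style access log:
# <epoch> <client_ip> <method> <destination_host> <status> <bytes_sent_by_client>
SAMPLE_LOG = """\
1650000001 10.0.0.5 GET news.example.com 200 512
1650000002 10.0.0.5 GET cdn.example.net 200 300
1650000003 10.0.0.7 POST mail.example.com 200 2048
1650000004 10.0.0.9 GET beacon.badc2.example 200 128
1650000005 10.0.0.7 POST files.example.org 200 1200
1650000006 10.0.0.12 POST paste.example.net 200 734003200
1650000007 10.0.0.5 GET intranet.example.com 200 256
1650000008 10.0.0.9 GET upd.beacon.badc2.example 404 64
"""

# Constructed blocklist standing in for the threat-intelligence feed a proxy would consume.
C2_BLOCKLIST = {"beacon.badc2.example"}


@dataclass
class ProxyRecord:
    ts: int
    client: str
    method: str
    host: str
    status: int
    bytes_out: int  # bytes the client sent to the destination


def parse_log(text):
    """Parse the constructed format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, method, host, status, nbytes = parts
        records.append(ProxyRecord(int(ts), client, method, host.lower(),
                                   int(status), int(nbytes)))
    return records


def find_c2_hits(records, blocklist=C2_BLOCKLIST):
    """Records whose destination is a blocklisted host or one of its subdomains.
    Matching on the dot boundary avoids false hits on look-alike names."""
    return [r for r in records
            if any(r.host == bad or r.host.endswith("." + bad) for bad in blocklist)]


def bytes_out_per_client(records):
    totals = defaultdict(int)
    for r in records:
        totals[r.client] += r.bytes_out
    return dict(totals)


def find_exfil_suspects(records, multiplier=10, floor_bytes=1_000_000):
    """Clients whose outbound total exceeds both an absolute floor and `multiplier`
    times the median client. The median keeps one huge sender from inflating the
    baseline; the floor keeps small environments from alerting on noise."""
    totals = bytes_out_per_client(records)
    if not totals:
        return {}
    baseline = median(totals.values())
    return {c: b for c, b in totals.items()
            if b >= floor_bytes and b > multiplier * baseline}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in find_c2_hits(recs):
        print(f"C2 blocklist hit: {hit.client} -> {hit.host} at {hit.ts}")
    for client, total in find_exfil_suspects(recs).items():
        print(f"Outbound volume outlier: {client} sent {total:,} bytes")
```

The thresholds are starting points to tune against your own traffic baseline; in production the same logic would read the proxy's real log format and a maintained intelligence feed.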

10.2.1.3 Training

“The most vulnerable hardware on a network is the human mind,” wrote the noted Twitter cybersecurity commentator @SwiftOnSecurity.7 Users need to be taught how to recognize phishing emails as malicious, how to report them, and most importantly, not to click on any links or attachments the messages may contain.

7. SwiftOnSecurity (tweet), August 9, 2015, https://twitter.com/SwiftOnSecurity/status/630530012102262784?s=20.

User training is a key component of phishing defense. Training is most effective when it is provided regularly and can take many forms. On-demand cybersecurity training subscription platforms such as KnowBe4⁸ and Ninjio⁹ provide a library of short videos, quizzes, interactive games, and more. Some of these services offer a broader awareness program that includes email templates, posters, and other supports.

8. KnowBe4, www.knowbe4.com/.

9. Ninjio, https://ninjio.com/.

The most effective training and awareness programs also include phishing tests, in which fake phishing emails are sent to an organization’s users to evaluate the organization’s risk and raise awareness. These phishing test platforms can be stand-alone systems (such as the open-source Gophish¹⁰) or integrated with cybersecurity training platforms.

10. “Open-Source Phishing Framework,” Gophish, https://getgophish.com/.

To successfully manage the risk of phishing, organizations need to create a culture of cybersecurity awareness. A key element is encouraging users to report both suspicious emails and their own mistakes if they do fall for an adversary’s ruse, without fear of reprisal. Mistakes happen, after all. In the hustle and bustle of the average workday, users may react without thinking and click the wrong thing—a link in an email, an attachment on the email, a suspicious website. Rewarding users who self-report (or at least encouraging them to) not only promotes a healthy cybersecurity culture, but also enables the security team to respond to potential threats more quickly and may prevent an incident altogether.

10.2.2 Strong Authentication

Cyber extortion attacks often begin with credential theft. Adversaries may steal user credentials through phishing attacks, or simply purchase stolen credentials on the dark web from an initial access broker (as discussed in Chapter 3). They may then use these stolen credentials to access remote login interfaces and gain a foothold to install malware within the victim’s network or break into cloud storage and download repositories of sensitive data.

Multifactor authentication and password managers are two key technologies that can help foil credential theft.

10.2.2.1 Multifactor Authentication

Authentication is the process of verifying a person’s identity. Three different types of authentication are commonly used in cybersecurity today:

  • Something you know (for example, a password)

  • Something you have (for example, a smartphone or hardware token)

  • Something you are (for example, a fingerprint)

Multifactor authentication is the process of verifying a person’s identity using two or more of these methods combined. For example, a password combined with approval using a smartphone app would combine “something you know” with “something you have.” This way, even if an adversary has stolen a user’s password, they couldn’t immediately access the user’s accounts without access to the user’s smartphone app as well.

Because password theft is so rampant, single-factor authentication using passwords is risky, particularly for Internet-facing accounts. Happily, today strong multifactor authentication can be implemented using a free or low-cost smartphone app (available from Microsoft, Google, Duo, and many more) or hardware tokens (such as Yubikey, RSA, and many others). In particular, the emergence of authenticator apps for smartphones has facilitated adoption of multifactor authentication on a wide scale, for both corporate and consumer use.11

11. Sherri Davidoff, “Not All Two-Factor Authentication Is Created Equal,” LMG Security, December 12, 2019, www.LMGsecurity.com/not-all-two-factor-authentication-is-created-equal/.
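The two-factor login described above, as an added example that is not code from the book: the server checks the password (something you know) and then a six-digit code from an authenticator app (something you have, RFC 6238 TOTP), so a stolen password alone is rejected. The user record layout, the PBKDF2 parameters and the one-step clock-drift window are assumptions; the secret is the RFC 6238 test secret, not a real deployment value.

```python
"""Password + authenticator-code login check (added example)."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

STEP = 30          # authenticator apps rotate the code every 30 seconds
DIGITS = 6         # six-digit codes, as the common smartphone apps display
PBKDF2_ROUNDS = 200_000  # assumed work factor for the password hash


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at_time: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // STEP, digits)


def enroll(password: str, totp_secret: bytes) -> Dict:
    """User record: salted PBKDF2 password hash plus the shared authenticator secret."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret, "last_counter": -1}


def check_password(user: Dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def authenticate(user: Dict, password: str, code: Optional[str], now: float) -> bool:
    """Both factors must pass; tolerate one step of clock drift; reject replayed codes."""
    if not check_password(user, password):      # factor 1: something you know
        return False
    if code is None:                            # factor 2 absent: a stolen password is not enough
        return False
    counter = int(now) // STEP
    for drift in (-1, 0, 1):
        c = counter + drift
        if c <= user["last_counter"]:           # this code (or an earlier one) was already used
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], c), code):
            user["last_counter"] = c
            return True
    return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); a real
# deployment generates a random per-user secret and shows it as a QR code.
RFC_SECRET = b"12345678901234567890"


def demo() -> Dict[str, bool]:
    """Walk through the cases the text describes at a fixed instant so results are reproducible."""
    user = enroll("correct horse battery staple", RFC_SECRET)
    now = 59
    good_code = totp(RFC_SECRET, now)
    return {
        "password_only": authenticate(user, "correct horse battery staple", None, now),
        "wrong_password_right_code": authenticate(user, "guess", good_code, now),
        "both_factors": authenticate(user, "correct horse battery staple", good_code, now),
        "replayed_code": authenticate(user, "correct horse battery staple", good_code, now),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```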

10.2.2.2 Password Managers

“Humans … have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed,”12 explained NIST in an analysis of the strength of “memorized secrets” when used for authentication. This simple fact underlies the weakness of passwords as an authentication mechanism and has led to countless cyber extortion incidents.

12. U.S. National Institute of Standards and Technology, Special Publication 800-63B: Digital Identity Guidelines, June 2017, Appendix A.1, https://pages.nist.gov/800-63-3/sp800-63b.html.

What’s more, humans have difficulty memorizing many different passwords, and often reuse the same or similar passwords across multiple systems. The result is that an adversary who steals a victim’s Twitter password may be able to reuse that information to break into their bank account and work email. This phenomenon has led to a rise in “credential stuffing” attacks.

Password managers can effectively reduce the risk of password reuse and weak passwords, when used properly. Essentially, a password manager is specialized software designed to help users generate strong passwords and store them in an encrypted, attack-resistant vault. Cloud-based password managers such as LastPass, Dashlane, and 1Password can enable users to access stored passwords from multiple devices. The vault itself is protected with one master password, and ideally multifactor authentication, particularly if it is stored in the cloud.

Unfortunately, password managers are one of the most underutilized security tools. While many organizations train users to choose long and unique passwords, they don’t always acknowledge that the human brain is simply not designed to remember long, complex passwords. Absent a password manager, users tend to reuse passwords or store passwords in documents on their computers, which can facilitate attacks. Deploying an effective password manager—and training users to leverage it—can reduce the risk of cybersecurity incidents, and therefore cyber extortion attacks.

10.2.3 Secure Remote Access Solutions

Unfortunately, many cyber extortion attacks begin with the adversary accessing the victim network through remote access services. Remote access is a necessity for staff, IT administrators, and vendors at organizations around the world.

Attackers constantly scan the Internet for available remote access interfaces such as RDP (as discussed in Chapter 3). Armed with a list of accessible remote access services, they can target these services with authentication attacks such as credential stuffing or vulnerability exploits. Adversaries can also leverage trust relationships between technology vendors and customers to leapfrog between environments.

Many organizations allow employees to use LogMeIn, GoToMyPC, or similar tools to connect directly to their workstations from their home computers. However, this practice introduces significant risk: If the user’s personal computer becomes compromised, the adversary can then use these same tools to access the organization’s internal network and hold it hostage.

Here are three popular ways to facilitate remote access while reducing risk:

  • Disable less secure remote access services such as RDP, particularly for Internet-facing systems. Simply disabling these services can prevent compromise and dramatically reduce the risk of cyber extortion incidents.

  • Deploy virtual private network (VPN) software. Modern VPN clients offer critical security features, such as a hardened operating system designed to resist attacks. Many VPNs can also be configured to scan remote systems for security issues before allowing connectivity.

  • Use virtual desktop infrastructure (VDI). VDI consists of virtual workstations that are accessible via the Internet. VDI environments can be designed to limit user access and offer only specific applications. In this manner, they can reduce the risk associated with a compromised remote endpoint and facilitate quick containment of cybersecurity incidents.

By disabling less secure remote access models such as RDP in favor of tools such as VPNs and VDI suites, organizations can prevent cybersecurity incidents and thereby reduce their risk of cyber extortion.

10.2.4 Patch Management

Adversaries constantly scan and search for vulnerable software across the Internet. As discussed in Chapter 3, software vulnerabilities are often used to quickly gain a foothold inside the victim’s environment. Once access is gained, the adversary may sell access to other cybercriminals or take advantage themselves. Since cyber extortion is so profitable, it is often the end result of a cyberattack, whether or not it is the initial intent of the adversary who gains access.

Cyber extortion gangs also directly leverage software vulnerabilities to escalate privileges once inside an environment. For example, the Conti gang’s playbook, leaked by a disgruntled affiliate in 202113 and reviewed by the authors of this book, included step-by-step instructions for taking advantage of the common “PrintNightmare,” “ZeroLogon,” and “EternalBlue” flaws. At the time of the leak, the Microsoft patch to fix “PrintNightmare” had been available for less than a month—yet it had already been incorporated into the step-by-step instructions distributed to Conti affiliates.

13. Lawrence Abrams, “Angry Conti Ransomware Affiliate Leaks Gang’s Attack Playbook,” Bleeping Computer, August 5, 2021, www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/.

To counter these sophisticated adversary training and distribution processes, defenders need to patch effectively and routinely.

Case Study: Unpatched Exchange Server

In 2021, a cyber extortion group named AvosLocker attacked a local government entity. The adversary had gained access to the victim’s network, detonated ransomware on all the hosts and servers within the environment, and demanded a ransom of $3 million to restore the files and prevent data exposure.

The authors of this book were called in to assist. As the investigation moved forward, all signs of malicious activity within the network seemed to point to one server: the Microsoft Exchange 2016 server that the victim used for email. At the time of the investigation, Exchange servers across the world were routinely falling victim to the infamous “ProxyShell” and “ProxyLogon” vulnerabilities, which Microsoft announced and patched in the first few months of 2021. Cybercriminals were actively taking advantage of this widespread vulnerability and using it to gain access to networks.

Further investigation confirmed the authors’ suspicions that the Exchange server had been the initial point of entry into the network. The evidence showed the adversary had deployed malicious web shells on the server and then leveraged that access to install the AnyDesk remote management software suite, which in turn gave them persistent remote access.

The victim wanted to know how the hackers got in, because it did apply patches routinely. Ultimately, after scanning the server and interviewing IT staff, investigators determined that when the patch was installed, it generated multiple errors and was never fully applied. Unfortunately, while the victim had manually attempted to install the patches, it did not have a process for verifying that the installation was successful. The result was a costly—and avoidable—disaster.

Let’s discuss what makes a patch management program successful.

  • Know what to patch. All too often, software remains unpatched because the organization’s IT staff is simply not aware that it is deployed in the environment. For this reason, it’s important to maintain an accurate inventory of software and dependencies. Depending on the size and complexity of an organization, tracking may be accomplished using a simple spreadsheet or a sophisticated asset management system. Make sure to include application software, operating systems, and firmware in your program. Devices such as firewalls, routers, and VPNs must be updated regularly as well.

  • Patch quickly. Many organizations have monthly or bimonthly patching cycles. However, when a critical vulnerability is announced, hackers may actively try to exploit your server within hours or days—not weeks. By the time a patch is applied, the system has already been hacked. Make sure to document standard patch time frames and audit routinely to confirm that they are consistently applied. Carefully consider the risks of waiting versus the time needed to fully test and deploy a patch.

  • Use supported software. These days, it is common to have software running on a network even after the vendor has stopped releasing patches. Such software is highly vulnerable to exploitation. Of course, it is best to discontinue the use of outdated software, but in some cases the organization must keep running it, at least for some period of time, to support critical business processes. In these cases, defenders can reduce their risks by placing outdated software on an isolated or highly segmented part of the network with very limited traffic. Carefully track this software and regularly review its usage.

  • Make time to patch. Many organizations don’t apply patches regularly because it is difficult (or even impossible) to find a good time to apply patches and restart critical systems. Architect your infrastructure with redundancy, so that you can reboot a critical system to install a patch without impacting the ongoing operations. Remember that planned downtime is better than emergency downtime in the event of a cybersecurity incident.

  • Plan for the unexpected. Even the most well-tested patch deployments can cause problems. Fear of “breaking something” can cause system administrators to delay patching. To alleviate this issue, develop and implement a software patch test plan whenever possible, to increase the likelihood of a successful deployment. Have a strategy for rolling back patches quickly in the event that a patch impacts system functionality.

  • Monitor patch status. As seen in the “Unpatched Exchange Server” case study, often victims are taken by surprise because they thought a patch was fully installed and it was not, due to error or oversight. Patch verification is a critical component of every successful software patch process. Make sure to routinely check systems’ patch status using automated patch verification software. Alert IT staff of issues and correct failed patch deployments quickly.
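The patch program elements above, worked as an added example that is not code from the book: it runs an asset inventory against a list of advisories and reports unsupported software, patches missing or past their documented time frame, and, as in the Exchange case study, patches a job reported as applied while the host still shows the old version. Hosts, products, versions, advisory identifiers and the time-frame table are constructed placeholders.

```python
"""Patch-status check over a constructed inventory (added example)."""
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Assumed patch time frames, in days from advisory publication; adapt to your policy.
PATCH_SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Constructed advisories (placeholder ids, not real CVEs).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "product": "mail-server", "fixed_version": "15.1.2308.8",
     "severity": "critical", "published": date(2021, 3, 2)},
    {"id": "ADV-PLACEHOLDER-2", "product": "vpn-appliance", "fixed_version": "9.1.5",
     "severity": "high", "published": date(2021, 6, 28)},
    {"id": "ADV-PLACEHOLDER-3", "product": "web-proxy", "fixed_version": "2.4.1",
     "severity": "medium", "published": date(2021, 5, 15)},
]

# Constructed inventory: the software list the text says to maintain, plus what the
# patch job claimed and the version actually observed on the host.
INVENTORY = [
    {"host": "mail01", "product": "mail-server", "installed_version": "15.1.2176.2",
     "patch_job_reported_success": True, "end_of_support": None},
    {"host": "vpn01", "product": "vpn-appliance", "installed_version": "9.1.4",
     "patch_job_reported_success": False, "end_of_support": None},
    {"host": "web01", "product": "web-proxy", "installed_version": "2.4.0",
     "patch_job_reported_success": False, "end_of_support": None},
    {"host": "legacy01", "product": "legacy-erp", "installed_version": "4.2",
     "patch_job_reported_success": None, "end_of_support": date(2019, 12, 31)},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'15.1.2308.8' -> (15, 1, 2308, 8) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate(inventory: List[Dict], advisories: List[Dict], today: date) -> List[Dict]:
    """One finding per problem: unsupported software, missing or overdue patches, and
    patches reported as applied that the observed version contradicts."""
    findings = []
    for asset in inventory:
        eos = asset["end_of_support"]
        if eos is not None and eos < today:
            findings.append({"host": asset["host"], "issue": "unsupported-software",
                             "detail": f"{asset['product']} support ended {eos}"})
        for adv in advisories:
            if adv["product"] != asset["product"]:
                continue
            if parse_version(asset["installed_version"]) >= parse_version(adv["fixed_version"]):
                continue  # the fixed version (or later) is actually installed
            deadline = adv["published"] + timedelta(days=PATCH_SLA_DAYS[adv["severity"]])
            if asset["patch_job_reported_success"]:
                issue = "patch-reported-but-not-applied"  # verification failure, as in the case study
            elif today > deadline:
                issue = "patch-overdue"
            else:
                issue = "patch-missing"
            findings.append({"host": asset["host"], "issue": issue, "advisory": adv["id"],
                             "deadline": deadline,
                             "days_past_deadline": max(0, (today - deadline).days)})
    return findings


def issues_for(findings: List[Dict], host: str) -> List[str]:
    """Issue labels raised for one host, for reporting or alerting."""
    return [f["issue"] for f in findings if f["host"] == host]


if __name__ == "__main__":
    for finding in evaluate(INVENTORY, ADVISORIES, date(2021, 7, 1)):
        print(finding)
```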


Heads Up! Software Bill of Materials

Tracking software products is a challenging but achievable task for IT teams. Tracking dependencies, however, is far more complex—yet equally important. In many instances, adversaries leverage vulnerabilities in shared libraries or software that was quietly incorporated into vendor products, and then used by end customers without their direct knowledge. When a major vulnerability hits (such as Log4j), defenders are left scrambling to figure out which of their myriad of products are vulnerable. By the time they find out, it may be too late.

In May 2021, the U.S. federal government issued an executive order requiring software providers that do business with the federal government to provide, among other information, a “software bill of materials” (SBOM).14 This is conceptually equivalent to a list of ingredients in food products. While specific information may vary, an SBOM typically includes details about software dependencies, required packages, vendor agents, software development kits (SDKs), application programming interfaces (APIs), and more.

14. “Executive Order on Improving the Nation’s Cybersecurity,” The White House, May 12, 2021, www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.

By collecting and tracking SBOMs, defenders can quickly determine whether they are affected by a new vulnerability, which in turn facilitates a quick response. Over the coming years, the distribution and use of SBOMs will likely become more common. Since tracking SBOMs and responding to vulnerability announcements involves managing thousands of software products, defenders will need tools that incorporate SBOMs into their software management and incident response. These tools barely exist at the time of this writing but will likely become widespread in the coming years.
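The SBOM lookup described above, as an added example that is not code from the book: a new vulnerability notice is matched against the collected SBOMs, including dependencies nested inside a vendor's component, to list which deployed products carry a vulnerable build. The SBOMs are constructed, minimal CycloneDX-style JSON documents, and the notice is a constructed placeholder that borrows the Log4j package name only to illustrate the lookup.

```python
"""Match a vulnerability notice against collected SBOMs (added example)."""
import json
from typing import Dict, Iterator, List, Tuple

# Constructed SBOMs, keyed by the product the defender deployed.
SBOMS = {
    "ticketing-app": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "group": "org.apache.logging.log4j",
             "name": "log4j-core", "version": "2.14.1"},
            {"type": "library", "group": "com.fasterxml.jackson.core",
             "name": "jackson-databind", "version": "2.12.3"},
        ],
    }),
    "report-engine": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "framework", "name": "report-runtime", "version": "7.0",
             "components": [  # dependency the vendor bundled inside its own component
                 {"type": "library", "group": "org.apache.logging.log4j",
                  "name": "log4j-core", "version": "2.17.1"},
             ]},
        ],
    }),
    "door-controller-firmware": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [{"type": "library", "name": "zlib", "version": "1.2.11"}],
    }),
}

# Constructed notice (placeholder id): affected package and the first fixed version.
NOTICE = {"id": "VULN-PLACEHOLDER", "group": "org.apache.logging.log4j",
          "name": "log4j-core", "vulnerable_from": "2.0", "fixed_in": "2.15.0"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric dotted compare; a pre-release label such as '2.0-beta9' is treated
    like the release it precedes (an approximation; refine for your own feeds)."""
    return tuple(int(p) for p in version.split("-")[0].split(".") if p.isdigit())


def walk_components(components: List[Dict]) -> Iterator[Dict]:
    """Yield every component, including ones nested inside other components."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def is_vulnerable(comp: Dict, notice: Dict) -> bool:
    """True when the component is the named package at a version in the affected range."""
    if comp.get("name") != notice["name"] or comp.get("group") != notice["group"]:
        return False
    v = parse_version(comp["version"])
    return parse_version(notice["vulnerable_from"]) <= v < parse_version(notice["fixed_in"])


def affected_products(sboms: Dict[str, str], notice: Dict) -> List[Tuple[str, str, str]]:
    """(product, component, version) for every deployed product bundling a vulnerable build."""
    hits = []
    for product, raw in sboms.items():
        bom = json.loads(raw)
        if bom.get("bomFormat") != "CycloneDX":
            raise ValueError(f"{product}: unsupported SBOM format")
        for comp in walk_components(bom.get("components", [])):
            if is_vulnerable(comp, notice):
                hits.append((product, comp["name"], comp["version"]))
    return hits


if __name__ == "__main__":
    for product, name, version in affected_products(SBOMS, NOTICE):
        print(f"{product}: {name} {version} is affected by {NOTICE['id']}")
```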

10.3 Detecting and Blocking Threats

Even when an adversary successfully enters the victim’s technology environment, speedy detection can enable victims to quash a cyberattack before significant damage is done and prevent the extortion attempt. As detailed in Chapter 3, there are many points at which the victim can identify, mitigate, and block the precursors to a cyber extortion attack.

Effective threat detection programs typically include the following components (among others):

  • Endpoint detection and response

  • Network detection and response

  • Threat hunting

Detection tools must be carefully tuned prior to their deployment to ensure that the systems accurately detect indicators of a potential cybersecurity incident. Even so, there will always be “false negative” events, in which detection systems fail to alert on malicious activity, as well as “false positive” events, which are triggered by benign activity and cause unnecessary work for responders.

Cybersecurity leaders should establish goals and metrics for detection systems and ensure that false-positive and false-negative events are aligned with leadership’s risk appetite. To provide consistent value, detection tools and alerting systems also need to be subject to continuous monitoring.

10.3.1 Endpoint Detection and Response

Endpoint detection and response (EDR) software represents the latest evolution in endpoint protection. It typically includes features from traditional antivirus tools, host-based intrusion detection/prevention systems, vulnerability scanners, and more. A hallmark of modern EDR software is that all alerts are reported back to a central console, and the EDR software includes built-in features to facilitate the response.

A growing cyber extortion trend is for adversaries to leverage normal IT tools to exfiltrate data and prime the victim’s environment, thereby enabling the adversary to evade traditional signature-based detection mechanisms. Modern EDR software can facilitate detection even when the adversary uses legitimate IT tools, by leveraging behavior-based detection methods in combination with more straightforward signature-based solutions.

Responders can leverage features of EDR software to quickly take action, such as proactively blocking and isolating remote workstations. This ability makes EDR software uniquely valuable in the event of a ransomware attack. As detailed in Chapter 5, EDR software is a critical tool that can be used to isolate infected systems, halt ransomware encryption/data destruction, stop data exfiltration, and lock out the adversary.

When selecting EDR software, consider the ease of deployment, compatibility with existing software, and availability of support, in addition to cost and features. A centralized EDR system can also be monitored by an external vendor to increase the effectiveness and speed of the response.

Case Study: Saved by the EDR

In 2019, a professional services firm in the northwest United States suffered a ransomware attack at the hands of the GlobeImposter ransomware group. IT staff received a call from the FBI on a Wednesday evening. The FBI’s cybercrime division had identified potentially malicious network traffic originating from the victim’s network. The IT team was advised to respond immediately, because this was a strong indicator of an impending attack against the organization’s network.

Unfortunately, the IT team decided to respond in the morning. By the time staff arrived at their offices, all of their workstations and servers were encrypted with the GlobeImposter ransomware. The adversary had even encrypted the backups, which were now useless.

The authors’ firm was engaged and immediately flew to the victim’s offices and deployed an EDR toolkit to all hosts on the network. It didn’t take long to identify the Dridex banking Trojan on the network, which at the time was one of the most dangerous pieces of malware on the planet. One of the hallmarks of this malware was the ability to provide persistent network access to the adversary controlling it.

Upon analysis, the authors identified indicators of compromise going back at least 60 days prior to the ransomware detonation. The authors quickly eradicated the threat from the network and closed off the adversary’s access point.

Surprisingly, on the very same day, the EDR dashboard indicated that a new infection was attempting to take hold on the network. This time, it originated from the computer used by the CIO. Upon further investigation, it turned out that an employee had recently received a phishing email with an infected document attached. The employee forwarded the email to the CIO and asked if it was legitimate. The CIO had opened the document on his workstation and enabled macros, nearly infecting his own computer with the malware.

Fortunately, because effective EDR software had been deployed, the malware was contained this time.

10.3.2 Network Detection and Response

Network detection and response (NDR) tools provide capabilities that complement EDR software. A modern adversary that has compromised an endpoint can obscure much of their activity by leveraging commonly used IT software, encrypting payloads, and blending their actions into the system’s normal behavior. As a result, EDR or antivirus software may fail to alert on malicious activity—but traffic moving between hosts can contain clues a responder needs to detect unauthorized access, stop lateral spread, determine the incident scope, and prevent further compromise.

Enter NDR solutions, which monitor network activity and facilitate real-time response. Products such as ExtraHop’s Reveal(x) and Cisco’s Stealthwatch often utilize machine learning to establish normal activity profiles, then identify potentially malicious activity that deviates from that baseline. The features included in traditional IDS/IPS have been incorporated into modern NDR solutions, which now include more behavioral detection capabilities and tools to facilitate real-time response.

Like EDR software, many of today’s NDR tools are available as cloud services. This enables responders to access the data even if the internal network is completely down.

10.3.3 Threat Hunting

Threat hunting, as described in previous chapters, refers to the process of proactively and manually searching a technology environment for indications of threats. While threat hunting is an essential part of cyber extortion response, it can also be used proactively to identify and prevent cyber extortion attacks.

Recall that a primary use of threat hunting is to root out malicious activity before a full network takeover occurs. Often, EDR software is used both to conduct routine threat hunting and to facilitate a quick response. Additionally, threat hunters need to be specially trained to detect these subtle indicators of compromise and interpret their meanings accurately. Many organizations outsource threat hunting because it requires a specialized skill set and qualified cybersecurity professionals are in high demand.

When developing threat hunting processes, consider the following issues:

  • Software and licensing costs

  • Third-party vendor contracts

  • Testing frequency

  • Training time and costs

  • Acceptable software use

Threat hunting should be a routine part of your cybersecurity program. For an in-depth discussion of threat hunting in cyber extortion cases, see Chapter 5.

10.3.4 Continuous Monitoring Processes

More than three-fourths of all cyberattacks happen outside of normal business hours, according to a 2020 study by FireEye.15 The reasoning behind this strategy is obvious: If there is nobody around to notice or respond to an attack, then the adversary has a much higher chance of fully deploying ransomware or stealing data without interruption.

15. Kelli Vanderlee, “They Come in the Night: Ransomware Deployment Trends,” Mandiant, March 18, 2020, www.mandiant.com/resources/they-come-in-the-night-ransomware-deployment-trends.

Of course, IT staff need to sleep at some point or another. Adversaries are aware of this, which is why they frequently target victims during times and days when IT staff may be limited in numbers or not on the clock at all.

Continuous monitoring is critical for ensuring that detection and response can occur consistently, regardless of when attackers strike. A large enterprise with rotating shifts of cybersecurity staff might be able to accomplish this, but small to midsized (and many large) organizations don’t have sufficient staff to implement effective 24/7 monitoring.

Outsourced monitoring services can be invaluable for ensuring 24/7 coverage, particularly at times when adversaries are most likely to strike—outside normal business hours, including weekends and holidays. This coverage can facilitate early detection of malicious activity and prevent serious cybersecurity incidents. In addition, outsourced monitoring providers can identify trends and patterns across a wide range of customer environments, benefiting even large organizations.

Effective continuous monitoring programs are carefully integrated into the organization’s incident response procedures, ensuring that all qualified indicators of attack or compromise elicit an appropriate response within the expected time frame.

Importantly, continuous monitoring programs should be tested routinely to ensure that they are effective and to identify any weaknesses. This is typically accomplished by using attack simulation and response testing, in which a team of trained cybersecurity professionals conduct planned, timed testing designed to trigger various aspects of the detection and response processes. In this manner, gaps can be identified and addressed.

10.4 Operational Resilience

Boosting operational resilience is key to weathering a cyber extortion attack. When a cyber extortionist strikes, victims need to maintain their operations and regain normal functionality quickly. The following resources can dramatically reduce damage and facilitate a quick response in cyber extortion cases:

  • Business continuity plan

  • Disaster recovery processes

  • Backups

In this section, we discuss each of these resources, including common pitfalls and tips for success.

10.4.1 Business Continuity Plan

An effective business continuity plan (BCP) can avert a potential disaster. In a cyber extortion attack, one of the first steps is to assess the functionality of information systems and identify which services have been impacted. The results of this evaluation then inform the response processes and influence the negotiations.

The BCP outlines how your organization will maintain operations when critical elements of the organization’s normal systems are not functioning properly. This can occur because of natural disasters, service outages, cyberattacks, or other scenarios where normal operations are not possible for an extended period. At minimum, a BCP should include these elements:

  • Alternate contact information for members of the response team and organization’s leadership. This can include phone numbers, backup email addresses, physical locations, and more.

  • Out-of-band communication methods for distributing information quickly in the event that normal communications channels are compromised or unavailable. Given the myriad of cloud-based communication options available today, many choices are possible, including chat platforms such as Slack, videoconference platforms, encrypted communication apps such as Signal or Telegram, third-party notification systems, and communications systems that do not involve the organization’s infrastructure.

  • Current and complete inventory of information systems, including physical locations, the purpose of each asset, and the specific software installed. This can help recovery teams quickly assess which services are unavailable and what their priority is during restoration.

  • Alternate workflows for critical processes, including steps such as utilizing cloud infrastructure as a failover, redirecting traffic to a colocation facility, manual data recovery, and more. Consider how to maintain continuity when it comes to key processes such as invoicing, payroll, client management, and communications.

  • Process documentation (including incident response procedures) stored in an alternate location so that if normal systems are impacted, the response team can still access them.

  • Credential repositories for key systems, so that responders can recover and reconfigure them in the event of a disaster. Password vaults, such as LastPass and Dashlane, can be integrated into BCP workflows.

  • Training processes for responders and leadership who may need to implement and execute the BCP. The response team needs to be familiar with the BCP and efficiently execute the playbook to minimize downtime and negative impacts.

Most importantly, the BCP needs to be established long before an incident takes place. An effective BCP is not something that can be created on the fly. A trusted security partner can help you get started, and ongoing testing of the plan using activities such as tabletop exercises will help an organization fine-tune the plan for its environment.

10.4.2 Disaster Recovery

The disaster recovery (DR) plan is your roadmap for restoring functionality after an impactful event such as a ransomware attack. Your choices in the response process can significantly impact the time to reach recovery milestones, which in turn impacts the potential damage. By following an established roadmap, responders can minimize downtime and avoid costly slowdowns.

Key components of a DR plan include the following:

  • Contact information for recovery team members

  • Critical data locations

  • Infrastructure and software inventory

  • Backup and recovery instructions

  • Recovery time objective (RTO) and recovery point objective (RPO) (See Chapter 4 for details.)

  • Resources such as instructions for gaining access, keys, and credentials

Technology infrastructures evolve quickly, as do threats. As a result, DR plans need to be tested, reviewed, and adjusted on an ongoing basis. Even small changes in configuration and software usage can be important when it comes time to recover.

When developing your DR plans, consider your recovery environment. Certain environments can be designed to support instant failover to a separate network infrastructure, or to support immediate deployment of clean virtualized environments that can facilitate fast recovery of operations even while the original environment is unavailable.

Case Study: Back That Truck Up!

In early 2017, the authors were called to assist a large transportation company that had suffered a ransomware infection. All of its systems were down, and the criminals had deleted the company’s backups. The company had hundreds of trucks out on the road. The trucks were all outfitted with GPS transponders and laptops; this was how dispatchers communicated with drivers and tracked their progress. They sent the address, date, and time to the trucks via their online routing system and monitored their status in real time.

With their servers down, the company had no idea where the trucks were. They didn’t even know where the trucks were supposed to be, and when. Their email was down, their bookkeeping system was down, and all their file shares were locked up. Staff could make phone calls, but they had no contact information for drivers or customers. A few drivers would call to ask where they were supposed to go, but the company didn’t have answers.

The organization’s leaders said at the time that if they couldn’t get their systems back up and running, fast, they would go out of business.

The first question we asked was, “Do you have backups?” The staff explained that they had backups (offsite) but that unfortunately the server was in a remote data center attached to the company’s primary domain, which meant it was inaccessible with the rest of the network down. Moreover, IT staff determined that the adversary had found the backup server, completely erased the hard drive, and then encrypted it for good measure to make recovery from backups impossible.

The victim requested that we begin negotiating with the criminals. The demand was approximately $10,000, which seemed large at the time. (How times have changed!) After receiving payment, the criminals sent the decryption utility, along with screenshots that they provided as a guide. We tested the decryptor and then helped the victim bring its servers online. All told, the trucking company was back up and running a few days after its systems were first taken down (albeit with a skeleton infrastructure). It was able to resume business quickly and was fully recovered within 2–3 weeks.

10.4.3 Backups

Backups are a critical component of cyber extortion response processes. The availability of effective backups can reduce an adversary’s leverage and obviate the need for a victim to pay a ransom demand. In this section, we review the key components of a backup solution, the importance of testing backups, the emergence of “immutable” backups, and key issues involving offsite backup restoration.

10.4.3.1 Key Services and Data

An effective backup solution for an environment should include as many critical infrastructure components as possible in case an emergency requires a substantial rebuild. A well-designed and -configured backup system can also act as a significant time-saver in some cases, allowing a responder to rebuild specific components of critical systems without performing a full restoration. This can be very helpful if your operating system backups are infected or compromised.

Of course, all organizations face a tradeoff between functionality and cost. The more data you back up, the more you will pay to store that data, and the longer it will take to restore the data in a crisis.

Key services and data to consider including in backups include the following:

  • Server operating systems

  • Data repositories

  • Proprietary applications

  • Active Directory configurations

  • Group policies

  • Firewall and router configurations

  • VLAN configurations

  • Other critical network components

10.4.3.2 Test Your Backups (or Else You Don’t Have Backups)

Backups need to be maintained, updated, and—most importantly—tested. IT staff should also be trained on how to access and execute recoveries without delay. A scripted and rehearsed recovery procedure should be included as part of the organization’s response planning and tested periodically to ensure that restoration procedures do not become an unnecessary roadblock.

As a perfect example, consider Arizona Beverages and the ransomware attack it suffered in 2019.16 After being severely impacted by an iEncrypt ransomware attack (linked to the infamous BitPayment gang), the company attempted to recover its network using the Cisco backup system connected to its network. Unfortunately, IT staff discovered that backups had not been configured properly and they could not immediately begin restoring data. The recovery process was delayed for days until Arizona Beverages signed an “expensive” service contract with Cisco. “Once the backups didn’t work, they started throwing money at the problem,” reported an unnamed source, according to TechCrunch, which first reported the attack.17 This undoubtedly added a substantial expense to the recovery cost.

16. Zack Whittaker, “Arizona Beverages Knocked Offline by Ransomware Attack,” TechCrunch, April 2, 2019, https://techcrunch.com/2019/04/02/arizona-beverages-ransomware.

17. Whittaker, “Arizona Beverages Knocked Offline by Ransomware Attack.”

10.4.3.3 Immutable Backups

The term immutable backups, meaning backups that cannot be changed or deleted, has gained popularity as the number of ransomware attacks has increased. As ransomware gained momentum, defenders began implementing backup solutions more consistently, in an effort to prevent adversaries from holding the upper hand in the event of an attack. Victims that could quickly restore from backups were in a much stronger position because they could recover their data without paying for a decryption utility.

In response, adversaries began targeting backup solutions, deliberately seeking them out and destroying backups before detonating ransomware. After all, once the adversary gained administrative control over a network, they could often leverage this access to destroy the backup system as well.

Immutable backups, in contrast, cannot be deleted, even by an administrator. While the precise implementation varies by vendor, typically there is a time frame (e.g., 7 days) during which a backup cannot be modified.

Because of their built-in tamper protection, immutable backups are much more likely to survive an incident than their counterparts. It is important, however, that security staff verify that their backups are truly immutable. In some cases, products marketed as “immutable” can still be altered or deleted with an administrator account. If an adversary compromises that account, the backups will likely be destroyed along with the rest of the environment.
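The distinction between a lock that an administrator can bypass and one that nobody can shorten before it expires is the whole point of the verification step above. The following model, added here as an illustration and not any vendor's implementation, uses the governance/compliance mode names common in the industry and includes the check a defender would run: attempt the administrative bypass inside the retention window and confirm that it fails. All dates and backup names are constructed.

```python
"""Model of write-once backup retention with a verification probe.
Added illustration; the mode names and scenario are assumptions, not a
specific product's behaviour."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class ImmutabilityError(Exception):
    """Raised when a retention lock refuses a write, shortening or deletion."""


@dataclass
class BackupVersion:
    name: str
    data: bytes
    retain_until: datetime
    # "compliance": nobody can delete or shorten retention before expiry.
    # "governance": an administrator may bypass the lock (the weaker kind).
    mode: str = "compliance"


@dataclass
class BackupStore:
    versions: dict = field(default_factory=dict)

    def put(self, name, data, now, retention_days, mode="compliance"):
        """Write-once: an existing version name can never be overwritten."""
        if name in self.versions:
            raise ImmutabilityError(f"{name} exists; write a new version instead")
        if mode not in ("compliance", "governance"):
            raise ValueError("mode must be 'compliance' or 'governance'")
        self.versions[name] = BackupVersion(
            name, data, now + timedelta(days=retention_days), mode)

    def delete(self, name, now, is_admin=False):
        """Refused inside the window unless governance mode and an admin asks."""
        v = self.versions[name]
        if now < v.retain_until and not (is_admin and v.mode == "governance"):
            raise ImmutabilityError(f"{name} is locked until {v.retain_until.isoformat()}")
        del self.versions[name]

    def extend_retention(self, name, new_until):
        """Retention may only be lengthened, never shortened."""
        v = self.versions[name]
        if new_until < v.retain_until:
            raise ImmutabilityError("retention cannot be shortened")
        v.retain_until = new_until


def admin_bypass_possible(store, name, now) -> bool:
    """Probe: try an administrative delete inside the retention window.
    Returns True when the backup is NOT truly immutable. The probe works on a
    copy of the index so the check itself can never destroy a real backup."""
    probe = BackupStore(versions=dict(store.versions))
    try:
        probe.delete(name, now, is_admin=True)
    except ImmutabilityError:
        return False
    return True


def demo() -> dict:
    """Constructed scenario: two 7-day backups, one per mode, probed the day
    after they were written and again once the window has passed."""
    t0 = datetime(2022, 3, 1, tzinfo=timezone.utc)
    store = BackupStore()
    store.put("db-compliance", b"dump-1", t0, retention_days=7)
    store.put("db-governance", b"dump-2", t0, retention_days=7, mode="governance")
    day1, day8 = t0 + timedelta(days=1), t0 + timedelta(days=8)
    try:
        store.put("db-compliance", b"tampered", day1, retention_days=7)
        overwrite_refused = False
    except ImmutabilityError:
        overwrite_refused = True
    try:
        store.extend_retention("db-compliance", t0 + timedelta(days=3))
        shorten_refused = False
    except ImmutabilityError:
        shorten_refused = True
    return {
        "overwrite_refused": overwrite_refused,
        "shorten_refused": shorten_refused,
        "compliance_admin_bypass": admin_bypass_possible(store, "db-compliance", day1),
        "governance_admin_bypass": admin_bypass_possible(store, "db-governance", day1),
        "compliance_bypass_after_expiry": admin_bypass_possible(store, "db-compliance", day8),
    }
```

The probe is the part worth keeping: whatever product is in use, the test of "immutable" is to authenticate as the most privileged account available and attempt the deletion inside the window, on a scratch object, and treat success as a finding.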

10.4.3.4 Offsite Backups

There are many benefits to storing backups offsite, including redundancy in the event of a physical disaster, as well as facilitating remote access. Today, many providers offer cloud-based backup services that facilitate quick and easy-to-use deployment and recovery.

The downside is that retrieving and restoring offsite backups can take a long time and eat up bandwidth. Often, IT staff test backups by restoring individual systems, and rarely have an opportunity to attempt a full, system-wide restoration process.

In the event of a major disaster, responders are often shocked by the length of time required to restore data even from offsite backup systems that are fully functional. In some cases, it is faster and cheaper to drive the data over in a station wagon than download it via the Internet (depending on available download speeds and usage pricing). It’s important to ensure that actual recovery times are aligned with the organization’s objectives when selecting backup solutions and developing restoration processes.
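A restore drill ties together the two points made above in Sections 10.4.3.2 and 10.4.3.4: a backup is only proven when a test restore matches the source byte for byte, and recovery time is only known once it has been measured or at least estimated against the organization's objectives. The script below is an added illustration, not the book's own code or any backup product's; it builds a small constructed dataset, "restores" it, verifies the copy with SHA-256 manifests, checks the newest backup against a recovery point objective (RPO), and estimates how long pulling a full backup over a link would take against a recovery time objective (RTO). Sizes, link speed and the 70% link-efficiency factor are assumed sample values.

```python
"""Backup restore drill: integrity check, RPO check and RTO estimate.
Added illustration with constructed data; not the book's or a vendor's code."""
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's relative path to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(source_root: Path, restored_root: Path) -> list:
    """Compare a restored tree against the original; return every discrepancy."""
    src, dst = build_manifest(source_root), build_manifest(restored_root)
    problems = []
    for rel, digest in src.items():
        if rel not in dst:
            problems.append(f"missing: {rel}")
        elif dst[rel] != digest:
            problems.append(f"corrupt: {rel}")
    for rel in dst:
        if rel not in src:
            problems.append(f"unexpected: {rel}")
    return problems


def rpo_met(last_backup: datetime, now: datetime, rpo_hours: float) -> bool:
    """True if the newest backup is no older than the recovery point objective."""
    return now - last_backup <= timedelta(hours=rpo_hours)


def estimate_restore_hours(total_bytes: int, link_mbps: float, efficiency: float = 0.7) -> float:
    """Hours to pull a backup over a link that sustains a fraction of its nominal rate."""
    return total_bytes * 8 / (link_mbps * 1e6 * efficiency) / 3600


def rto_met(total_bytes: int, link_mbps: float, rto_hours: float) -> bool:
    """True if the estimated offsite restore fits the recovery time objective."""
    return estimate_restore_hours(total_bytes, link_mbps) <= rto_hours


def run_drill() -> dict:
    """Constructed drill: build a sample dataset, copy it as a 'restore',
    silently truncate one file, and report every check."""
    work = Path(tempfile.mkdtemp(prefix="drill-"))
    try:
        source, restored = work / "source", work / "restored"
        (source / "db").mkdir(parents=True)
        (source / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'sample');\n")
        (source / "gpo.xml").write_bytes(b"<GroupPolicy><Setting>sample</Setting></GroupPolicy>\n")
        (source / "firewall.conf").write_bytes(b"deny any any\n")
        shutil.copytree(source, restored)
        (restored / "gpo.xml").write_bytes(b"<GroupPolicy>")  # simulated truncated restore
        now = datetime(2022, 1, 10, 9, 0, tzinfo=timezone.utc)
        return {
            "discrepancies": verify_restore(source, restored),
            "rpo_met": rpo_met(now - timedelta(hours=20), now, rpo_hours=24),
            # 20 TB over a 1 Gbit/s link at 70% efficiency is roughly 63 hours,
            # well past a 24-hour RTO: the "station wagon" case.
            "restore_hours": round(estimate_restore_hours(20 * 10**12, 1000), 1),
            "rto_met": rto_met(20 * 10**12, 1000, rto_hours=24),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

In practice the manifest of the source would be captured at backup time and kept with the backup, so that a restore performed months later can still be verified against what was actually written rather than against whatever the production system looks like now.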

10.5 Reducing Risk of Data Theft

Many cyber extortionists steal data, which they then threaten to publish or sell unless the victim pays a ransom. It’s relatively easy to exfiltrate data, and the tools required to engage in data theft often do not trigger antivirus software and network monitoring alerts. As a result, exposure extortion is on the rise, and this trend shows no signs of stopping.

Organizations can quickly and effectively reduce the risk of data theft—and therefore the risk of exposure extortion—by employing the following:

  • Data reduction

  • Data-loss prevention systems

We will discuss each of these in turn.

10.5.1 Data Reduction

When cyber extortionists start to publish data, victims are often shocked at the volumes of data exposed. It is frequently an eye-opening experience, in part because they didn’t realize they were storing such a vast volume of sensitive data to begin with.

The first step in reducing the risk of data theft is simple: Store less of it. Reductions in the amount of data held by an organization correlate with reduced risk. In 2019, Cisco’s Data Privacy Benchmark Study showed that “GDPR-ready” organizations had an average of 79,000 records impacted in breaches with a 37% probability of a high-dollar data breach loss (exceeding $500,000), compared with organizations furthest from GDPR readiness, which had an average of 212,000 records impacted in breaches and a 64% probability of a high-dollar data breach loss. “With fewer records impacted … it is not surprising that the GDPR-ready companies experienced lower overall costs associated with data breaches.”18

18. “Maximizing the Value of Your Data Privacy Investments: Data Privacy Benchmark Study,” Cisco, 2019, www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/dpbs-2019.pdf.

A strong data and asset inventory process is essential for accomplishing data reduction. “Organizations which have done the work to inventory their data have much better visibility to their data, how it is used, and the associated risks,” said Robert Waitman, a director at Cisco’s Security and Trust Office.19 See Section 10.1.1 for more details on conducting an inventory.

19. Dan Swinhoe, “Does GDPR Compliance Reduce Breach Risk?,” CSO, March 19, 2019, www.csoonline.com/article/3369461/does-gdpr-compliance-reduce-breach-risk.html.

Once the data inventory process is conducted, organizations are better positioned to reduce their inherent risk of data exposure by reducing the amount of unnecessary sensitive data they retain. This, in turn, enables defenders to invest in securing a smaller volume of data.

Three key tactics may be used to reduce the volume of stored data:

  • Abstain: Refrain from collecting sensitive data in the first place. To accomplish this, organizations need to understand how data enters their information systems. This typically requires interviews with personnel, data mapping, and process review. Then, identify opportunities for eliminating data collection.

  • Devalue: Replace sensitive information with less hazardous data. Often, this is accomplished using tokenization, such as when payment card numbers in a merchant’s systems are replaced with random strings that cannot be used to make purchases elsewhere.

  • Dispose: Once sensitive data is no longer needed, purge it from the organization’s systems. This seemingly simple activity can be surprisingly challenging to accomplish regularly. It requires that organizations routinely track data, assign responsibility for its disposal, identify information that is no longer needed, create a deletion process for various systems (including hard drives, databases, cloud repositories, and more), and then implement, track, and audit disposal activities.
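The “Devalue” and “Dispose” tactics can be seen together in a tokenization vault. The example below is an added illustration, not a product or the book's own code: a payment card number (PAN) is replaced in the merchant's records by a random token that keeps only the last four digits, the real PAN lives solely in the vault, and only an assumed “payment-processor” role may look it up. Tokens are deliberately generated to fail the Luhn check so that none of them can ever be mistaken for, or accepted as, a real card number. The card number used is a widely published test value.

```python
"""Tokenization vault illustrating the Devalue and Dispose tactics.
Added example; role names and the test PAN are constructed assumptions."""
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only copies of real PANs; everything else sees tokens."""
    DETOKENIZE_ROLES = {"payment-processor"}  # assumed role name

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:  # same PAN always maps to the same token
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep last four for customer service
            # Must fail Luhn (never usable as a PAN) and be unique in the vault.
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the payment role may recover a PAN; everyone else is refused."""
        if role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._pan_by_token[token]

    def dispose(self, token: str) -> None:
        """The Dispose tactic: purge a PAN once it is no longer needed."""
        pan = self._pan_by_token.pop(token)
        del self._token_by_pan[pan]


def demo() -> dict:
    """Constructed walk-through of the vault's guarantees."""
    vault = TokenVault()
    pan = "4111 1111 1111 1111"  # standard test number, not a real card
    token = vault.tokenize(pan)
    out = {
        "token_len": len(token),
        "last_four_kept": token.endswith("1111"),
        "token_is_not_pan": token != pan.replace(" ", ""),
        "token_fails_luhn": not luhn_ok(token),
        "stable": vault.tokenize(pan) == token,
        "processor_sees_pan": vault.detokenize(token, "payment-processor") == "4111111111111111",
    }
    try:
        vault.detokenize(token, "marketing")
        out["marketing_refused"] = False
    except PermissionError:
        out["marketing_refused"] = True
    try:
        vault.tokenize("4111111111111112")  # bad check digit
        out["bad_pan_rejected"] = False
    except ValueError:
        out["bad_pan_rejected"] = True
    vault.dispose(token)
    out["gone_after_dispose"] = token not in vault._pan_by_token
    return out
```

The security property to notice is where the risk now sits: an adversary who exfiltrates the merchant's order database obtains tokens that are worthless elsewhere, so the asset worth protecting has shrunk to the vault itself, which is exactly the “smaller volume of data” the text says defenders can then afford to secure properly.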

By reducing the volume of data stored, organizations increase the per-record budget for information security and reduce cyber extortionists’ potential leverage.


Heads Up! Data Is Hazardous Material

Data is a powerful resource that can be used to help or hurt people. Some types of data are sensitive yet commonly used, like oil and gas. Other types of data are practically radioactive.

For decades, organizations around the world have been stockpiling data in enormous quantities, without investing in significant controls. However, most organizations are overwhelmed and don’t have the resources to control the vast quantities of data that they hold, or even know what exactly they are storing. It’s no wonder that huge data leaks hit the headlines on a daily basis—and cyber extortionists take advantage.

10.5.2 Data-Loss Prevention Systems

Data-loss prevention (DLP) tools are software applications designed to identify, track, and protect sensitive data within an organization’s environment. For example, a DLP tool may be configured to identify Social Security numbers in email and block any unencrypted emails from leaving the organization’s network if they contain this type of sensitive information.

DLP solutions can reduce the risk of a cyber extortion event, or even prevent it altogether, by blocking an adversary from exfiltrating sensitive information and generating an alert. Effective DLP solutions come in many varieties, and normally fall into one of three categories:

  • Endpoint: Protects information stored on workstations and servers

  • Network: Monitors data in transit on the network

  • Cloud: Protects data stored in cloud applications

DLP tools are very effective at protecting structured data with a clear and easily recognizable format, but can be less effective for protecting unstructured data such as sensitive, scanned information; intellectual property; or other information that can’t quickly and accurately be identified through automated means.

Consider where your data is stored when selecting and configuring DLP software. For example, data stored in AWS needs to be protected and audited very differently than data stored on a locally accessible file server. While many DLP solutions are designed to operate in one type of environment, other tools can monitor endpoints, the network, and the cloud simultaneously. Prior to implementing a DLP solution, make sure to conduct a data inventory so that you can select the appropriate software and implement it effectively.
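The Social Security number rule described at the start of this section is a good illustration of both the strength and the limits of DLP on structured data. The following is an added example, not any vendor's product or the book's code: it finds SSN-shaped values in an outbound message, discards values the Social Security Administration never issues (which removes many nine-digit invoice and reference numbers), blocks an unencrypted message bound for an external domain, and raises an alert that carries only the last four digits so the alert itself is not a second leak. The domains, message contents and SSNs are constructed sample data.

```python
"""Outbound e-mail DLP rule for U.S. Social Security numbers.
Added illustration with constructed messages; not a product's logic."""
import re
from dataclasses import dataclass

# Three groups of 3-2-4 digits, optionally separated by '-' or ' '.
SSN_PATTERN = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues, trimming false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list:
    """Return every plausible SSN in the text, normalised to ###-##-####."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_PATTERN.findall(text)
            if plausible_ssn(a, g, s)]


def mask(ssn: str) -> str:
    """Keep only the last four digits in alerts and logs."""
    return "***-**-" + ssn[-4:]


@dataclass
class OutboundMessage:
    sender: str
    recipient: str
    subject: str
    body: str
    encrypted: bool = False


def evaluate(msg: OutboundMessage, internal_domain: str) -> dict:
    """Allow or block one message and decide whether to alert."""
    matches = find_ssns(msg.subject + "\n" + msg.body)
    leaving = not msg.recipient.lower().endswith("@" + internal_domain)
    if not matches:
        return {"action": "allow", "alert": False, "matches": []}
    action = "block" if leaving and not msg.encrypted else "allow"
    return {"action": action, "alert": leaving, "matches": [mask(m) for m in matches]}


def run_samples() -> list:
    """Constructed messages covering the cases a rule must get right:
    external unencrypted, external encrypted, internal, and look-alikes."""
    samples = [
        OutboundMessage("hr@example.com", "broker@partner.test", "Enrollment",
                        "New hire SSN 123-45-6789, start date 2022-01-03."),
        OutboundMessage("hr@example.com", "broker@partner.test", "Enrollment",
                        "New hire SSN 123 45 6789.", encrypted=True),
        OutboundMessage("hr@example.com", "payroll@example.com", "Enrollment",
                        "New hire SSN 123456789."),
        OutboundMessage("ap@example.com", "vendor@partner.test", "Invoice",
                        "Reference 000-12-3456, PO 900-22-1234, amount 1,234,567.89."),
    ]
    return [evaluate(m, "example.com") for m in samples]
```

The same structure (pattern, plausibility filter, context-dependent action, masked alert) generalises to other structured identifiers such as payment card numbers with a Luhn check; it does not generalise to a scanned form or a design document, which is the unstructured-data gap noted above.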

10.6 Solving the Cyber Extortion Problem

Cyber extortion is a systemic, widespread issue that can be successfully addressed only through corresponding large-scale changes. Individual organizations can reduce their risk of cyber extortion by employing the prevention and detection measures detailed in this chapter, but certain risks simply cannot be mitigated at an individual level.

It is no wonder that IT staff, security teams, and executives alike often feel discouraged. The problem not only seems far too large for one organization to tackle—it truly is.

In this section, we discuss the large-scale, macro changes that need to occur (and can occur) for cyber extortion to be relegated to the dustbins of history. These measures include the following initiatives:

  • Get visibility.

  • Incentivize early detection.

  • Encourage proactive solutions.

  • Reduce the attackers’ leverage.

  • Increase risk for the adversary.

  • Minimize the adversary’s payoff.

10.6.1 Get Visibility

Only a small percentage of cyber extortion cases ever become known to the public or law enforcement. Extortion cases that have an extreme impact on the public—such as those involving hospitals, schools, and municipalities—might make the news, but (based on the authors’ firsthand experience) a huge number of cases are simply not of great interest to the media or are quietly resolved and fly under the radar. Even when cyber extortion cases are reported, the root cause is rarely publicly identified (and is often unknown), making it difficult to pinpoint widespread risk factors or implement truly effective solutions.

Victims of cyber extortion attacks justifiably fear their cases becoming public, lest they suffer reputational damage, lawsuits, regulatory investigations and fines, or other unhappy consequences. Quite often, victims take great pains to keep their attack quiet, making ransom payments through trusted third parties and hiding behind a veil of secrecy.

There might be legal or regulatory requirements for victims to report, in some cases, but victims are not always aware of these mandates. Reporting requirements vary based on jurisdictions—even within the same country—and might be specific only to industries such as healthcare or banking. Most organizational leaders have little to no experience in managing cybersecurity incidents. As a result, it can be challenging for organizations to understand their reporting obligations on a good day, let alone their worst. In cyber extortion cases, victims are under enormous stress and typically experiencing cash flow difficulties, and leaders are overwhelmed and unprepared. Unless they have access to expertise (through a cyber insurer or experienced IT firm), they often prioritize emergency recovery efforts and never report a cyber extortion event, even if doing so is encouraged or required.

To get visibility into the problem, it’s essential to establish clear, easy-to-understand, widely applicable cyber extortion reporting requirements that are carefully designed so as not to overly burden victims. Everyday leaders need to clearly understand their reporting obligations even in the midst of a cyber extortion attack. Consider including incentives for conducting a root-cause analysis, so that proactive security measures can be appropriately prioritized.

10.6.2 Incentivize Detection and Monitoring

Victims rarely detect cyber intrusions in the early stages. Why? In the physical world, it’s easy to tell that a burglar has entered. A window is broken; drawers have been opened; jewelry is gone. When a thief steals a car, the victim notices it’s missing.

Not so with data. Hackers can quietly gain access to the victim’s network with no obvious signs, and copy information without that action immediately impacting the victim. To trace the hackers’ footsteps, victims have to record their activity. They also have to pay for someone to review the records of activity, which takes time and expertise.

Many organizations do not see strong reasons to invest in effective detection or monitoring. As a result, they don’t have visibility into their own environments. They have no way of detecting a potential cyber extortion incident in the early stages, so they cannot shut down these attacks before large volumes of data are stolen and/or ransomware is deployed. The lack of detection capabilities contributes to the epidemic of cyber extortion incidents.

Certain organizations have more incentive than others to invest in logging and monitoring. For example, in the United States, healthcare providers are incentivized to investigate cyber extortion cases more fully and are more likely to collect evidence since it can be used to “rule out” a breach. In late 2016, the Department of Health and Human Services clarified that for healthcare providers and other covered entities, ransomware cases should be considered a potential data breach unless the victim conducts a risk assessment and demonstrates otherwise.

Incentivize investment in detection and monitoring to nip cyber extortion attacks in the bud and facilitate investigations when they do occur.

10.6.3 Encourage Proactive Solutions

As discussed earlier in this chapter, many cyber extortion attacks are preventable. Looking to public health as a model, risks can be mitigated throughout entire communities with a combination of education, incentives, and direct funding. These are typically implemented as a collaborative effort among government agencies, insurers, and nonprofit organizations. The same type of collaboration needs to occur with cybersecurity to reduce the number of victims and ensure that all organizations have access to knowledge, funds, and resources that can proactively reduce their risk.

Proactive prevention measures are key. Policymakers can, and should, work collaboratively with government agencies, cyber insurers, response firms, IT companies, cloud providers, and more to reduce the risk of cyber extortion attacks.

10.6.4 Reduce Adversaries’ Leverage

As previously discussed, victims can reduce attackers’ leverage in many ways:

  • Develop BCPs to maintain operations during crises (see Section 10.4.1)

  • Roll out disaster recovery processes to mitigate threats to availability (see Section 10.4.2)

  • Implement backups to ensure availability of data (see Section 10.4.3)

  • Reduce the volume of sensitive data stored (see Section 10.5.1)

  • Implement DLP solutions (see Section 10.5.2) to reduce the risk of data exfiltration

All of these strategies can be reinforced and encouraged on a macro scale through government policies, funding, and insurer requirements, among other methods.

That said, one major strategy for reducing adversaries’ leverage cannot be implemented on an organizational level: providing a path to mitigate harm after sensitive information has been leaked. Today, adversaries dangle sensitive information over the cliff of the Internet, threatening to release it to the public unless the victim pays a ransom demand. Frequently, the stolen data includes customer, patient, student, or employee personal information.

Once information is leaked, it may be downloaded, shared, analyzed, leveraged for commercial purposes, and distilled into data products. In many countries, data subjects have little to no control over the use of their personal information once it is leaked.

Lack of consistent regulation over data exchange and use gives cyber extortionists enormous leverage over the victims that they hold hostage. Once sensitive information is released, there is no way to control or undo the damage. When the stolen data affects third parties such as patients, students, and clients, this puts additional pressure on the hacked organization, because victims do not have a way to mitigate harm to these third parties except by paying the ransom demand.

Track and regulate how sensitive data is used, and give people opportunities to control the use of data that affects them. Taking this step would empower society to mitigate the harm of data exposure even after an adversary publishes stolen data, which in turn would reduce cyber extortionists’ leverage over their victims.

10.6.5 Increase Risk for the Adversary

Throughout the history of cyber extortion, adversaries have rarely suffered consequences. When ransomware and cyber extortion attacks began hitting the headlines in 2016, law enforcement agencies were largely stymied by cryptocurrency and the dark web, which enabled cybercriminals to hide their identities and evade apprehension.

As public attention increased, however, so did funding and international coordination. Over time, law enforcement agencies began to make progress in tracking down high-profile cyber extortion groups. For example, in 2021, an international law enforcement operation took down the infamous and prolific REvil ransomware gang’s servers. Other cyber extortionists clearly took note. The Conti ransomware gang issued a public statement on their data leak website about the REvil takedown, complaining: “Is server hacking suddenly legal in the United States or in any of the US jurisdictions?”20

20. Brian Krebs, “Conti Ransom Gang Starts Selling Access to Victims,” Krebs on Security, October 25, 2021, https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/.

Despite the irony of the Conti gang’s outrage, the subtext was clear: Law enforcement actions against high-profile cyber extortion groups had been noticed, and the criminals weren’t happy. Around the same time, cyber extortionists were ramping up their recruitment efforts, hiring affiliates and contractors to support their burgeoning industry.

Public reward programs further increased the risk for adversaries. For example, the United States’ Transnational Organized Crime Rewards Program (TOCRP) incentivized reporting.21 Under this program, the U.S. government offered rewards of up to $10 million for information about the REvil and Darkside cyber extortion gangs. It is not difficult to imagine that a cybercriminal might be motivated to betray their associates in exchange for millions of dollars.

21. “Transnational Organized Crime Rewards Program,” U.S. Department of State, Bureau of International Narcotics and Law Enforcement Affairs, August 25, 2020, www.state.gov/transnational-organized-crime-rewards-program-2/.

In early 2022, 14 REvil members were reportedly arrested in Russia, resulting in a major public relations blitz that further shook the cybercriminal underground.

It’s important to continue to increase risk (and perceived risk) for adversaries and their ecosystem. By publicly bringing cyber extortionists to justice, law enforcement agencies foster a perception of risk that can deter cyber extortion.

10.6.6 Decrease Adversary Revenue

Cutting off cyber extortionists’ payments has the potential to kneecap their criminal enterprises. This can be accomplished in many ways. For example, there has been much debate about whether ransom payments should simply be outlawed. While this approach might seem straightforward, and therefore attractive, it can have devastating consequences for victims and the communities they serve, as discussed in Chapter 8.

In recent years, law enforcement agencies have successfully clawed ransom payments back from cybercriminals by seizing cryptocurrency wallet keys during raids and intercepting funds stored in cryptocurrency exchanges. For example, in the infamous 2021 Colonial Pipeline case, the U.S. Justice Department seized 63.7 Bitcoins (approximately $2.3 million at the time). “The extortionists will never see this money,” said Stephanie Hinds, acting U.S. attorney for California’s Northern District. “This case demonstrates our resolve to develop methods to prevent evildoers from converting new methods of payment into tools and extortion for undeserved profits.”22

22. Dustin Volz, Sadie Gurman, and David Uberti, “U.S. Retrieves Millions in Ransom Paid to Colonial Pipeline Hackers,” The Wall Street Journal, June 7, 2021, www.wsj.com/articles/u-s-retrieves-millions-paid-to-colonial-pipeline-hackers-11623094399.

Sanctions are another effective tool used to disrupt the flow of money throughout the cyber extortion industry. For example, in 2021, the U.S. Office of Foreign Asset Control (OFAC) ramped up efforts to regulate and penalize cryptocurrency exchanges that cyber extortionists use to store and transfer their ill-gotten gains. While the designation and imposition of sanctions against these types of organizations does not directly solve the cyber extortion problem, it makes it more difficult for adversaries to transfer, launder, and most importantly cash out their ransom payments.

For all these reasons, efforts are needed to further disrupt cyber extortionists’ revenue streams, through payment tracking, identification of illicit intermediaries, sanctions, and other methods.

10.7 Conclusion

Cyber extortion teaches us that we are all connected—for better and for worse. In an instant, a hacker on the other side of the globe can hold a victim hostage. Just as quickly, the hacker’s grip can be released.

The future of cyber extortion will be determined not just by the adversary, but also by society’s reaction. As described in this chapter, there exist effective security tools and techniques that can prevent cyber extortion attacks. Organizations can dramatically reduce their risk by implementing a strong cybersecurity program, deploying security technologies, investing in detection and monitoring, reducing the risk of data theft, and increasing operational resilience.

All of this requires knowledge and funding beyond what most organizations have available today. This is in part due to the rapid adoption of technology throughout every corner of our economy, and a corresponding rush to collect and hoard data without fully assessing the risks of doing so. Compounding this challenge is the nascent cybersecurity industry, in which standard best practices are constantly evolving and training programs are not yet mature.

While individual organizations can reduce their risk of cyber extortion by investing in the tools and techniques described in this chapter, the reality is that no one organization can successfully address the problem of cyber extortion alone. Truly mitigating the global cyber extortion crisis will require systemic changes that can only be addressed on a macro scale. Governments need to enact smart, consistent policies to encourage accurate reporting and incentivize positive change. Insurers need to incentivize adoption of effective risk-reduction techniques. Law enforcement agencies need to collaborate globally to dismantle cybercriminal operations and disrupt revenue streams. Everyone must work together to raise awareness and make effective tools and techniques accessible to organizations of all sizes around the globe.

While cyber extortion will never entirely disappear, we can work together to relegate it to the footnotes of our daily lives.

10.8 Your Turn!

Every cyber extortion incident is unique. The response team’s options and priorities will vary depending on the victim organization’s industry, size, and location, as well as the details of the incident itself.

Based on what you learned in this chapter, let’s think through key elements of prevention.

Step 1: Build Your Victim

Choose one characteristic from each of the three columns to describe your victim’s organization:

  Industry                       Size       Location
  ---------------------------    --------   -------------------------------
  Hospital                       Large      Global
  Financial institution          Midsized   United States
  Manufacturer                   Small      European Union
  Law firm                                  Australia
  University                                India
  Cloud service provider                    Country/location of your choice
  Organization of your choice

Step 2: Choose Your Incident Scenario

Select from one of the following incident scenarios:

  A. Ransomware strikes! All of the victim’s files have been locked up, including central data repositories, servers, and workstations.

  B. A well-known cyber extortion gang claims to have stolen all of the victim’s most sensitive data and threatens to release it unless the victim pays a very large ransom demand. The gang posts the victim’s name on their dark web leaks site, along with samples of supposedly stolen data.

  C. Double extortion! Both A and B occur at the same time.

  D. The victim is hit with a denial-of-service attack on its Internet-facing infrastructure that slows its access and services to a crawl. The adversary threatens to continue and even escalate the attack unless a ransom is paid.

Step 3: Discussion Time

After the cyber extortion crisis has been resolved, you are asked to advise the victim’s leadership on how they can prevent similar attacks in the future. Given what you know about the victim and the scenario, answer the following questions:

  1. How is a data and asset inventory useful for reducing the risk of cyber extortion incidents such as the one your victim experienced?

  2. Name one preventive measure that you recommend for the victim and explain why it is important.

  3. What does the term “immutable backups” mean, and why is it important?

  4. Name three elements of an effective business continuity plan.

  5. Why is it important to consider cyber insurance coverage when developing incident response plans, training, and tabletop exercises? Provide at least one example.
