
Cyber Risk Management

By Liz Hale, CPCU, CRM, ARM, CISR, AINS, MLIS, TRA

And Brandy Vargas, MSL, CISM, ECIH, Security+


Interview with Senior Manager Cyber Incident Response, eRisk, Crum & Forster

Liz: One of the most frequently asked questions I receive is about ransomware.  Since the State of North Carolina is prohibited from paying a ransom, why does the State’s Cyber Insurance Policy include ransomware coverage?

Brandy: Cyber insurance policies usually pay for approved expenses incurred by the named insured due to various types of cyber-related incidents, which usually includes ransomware events. If you can’t pay a ransom due to NC state law, you will likely still incur many other expenses associated with the ransomware event that cyber insurance can help with, such as expenses related to outside legal counsel specialized in cybersecurity and privacy (aka Breach Counsel), external digital forensics and incident response teams, public relations, restoration, data breach mining and notification services, regulatory fines, and defense costs. Your cyber insurance policy might also include business interruption coverage, which may help you recover some of your lost revenue due to downtime associated with the ransomware event.

Liz: How can an organization in NC be prepared for a ransomware event considering they cannot pay a ransom?

Brandy: It really comes down to backups. Does the organization have ransomware resilient backups? If you can’t pay a ransom, you should ensure all of your IT and security controls are in a good place, especially backups. Following a framework such as CIS Critical Security Controls is a great place to start https://www.cisecurity.org/controls/cis-controls-list. At the end of the day, if your backups are negatively impacted due to a ransomware event, you are in trouble, and not being able to pay a ransom could mean starting from scratch, if that’s even possible.


Strong backup controls to consider are noted below (in no specific order):

  1. Immutability – Are backups immutable? In other words, backups cannot be modified or deleted, even with escalated permissions, based on the settings that are in place.
  2. Disconnected from network – Are backups stored on some form of media or in the cloud? If they are disconnected from the network, this may prevent the “threat actors” from accessing and encrypting the backups in most cases.
  3. MFA – Are backups protected by Multi-Factor Authentication?
  4. Limited Access – Make sure that the people with access to backups are limited.
  5. Credentials – Make sure backup credentials are not created or stored in Active Directory or in plain text (credentials must be secure). Threat actors typically compromise Active Directory to gain access to this and other privileged accounts.
  6. Encrypted – Encrypt your backup data and ensure decryption keys are securely stored somewhere off the network.
  7. 3-2-1 Backup Rule – Follow this rule: 3 copies of data, 2 media types, and 1 copy off-site for disaster recovery.
  8. Understand what you’re backing up:
    1. Data
    2. Infrastructure
    3. Both
    4. SharePoint or OneDrive
  9. Restore Points – Understand that your restore points depend on when the environment was initially compromised. The forensics investigation will usually be able to identify the initial date of compromise, which you will want to restore from before to avoid potentially re-infecting your environment.
  10. Cloud – For cloud-based environments (SaaS, PaaS, IaaS), you should understand the shared responsibility model and what you need to do to back up your data securely. Some SaaS providers may offer data backup, but your cloud service provider does not back up your infrastructure and data by default, so you should have a plan in place just like you would with an on-premises environment. Threat actors are known for accessing data and backups in the cloud, exfiltrating the data, then deleting the data and demanding a ransom payment to return the stolen data. This is a trend we are seeing more of in claims.
  11. Malware Scanning – Continuous and regular malware scanning of your backups.
  12. Testing – Test your backup and recovery on a regular basis with business continuity and disaster recovery in mind.

Liz: Can you describe an Incident Response Plan?

Brandy: An incident response plan outlines your plan of action should a cyber incident occur. It’s like playing a game of chess or football; if you don’t document and practice, you’ll never be good at the game. Remember that you are not alone, and outside providers may come in to help, as outlined below.

How to Respond to a Suspected or Confirmed Incident:

  1. Technical – Detect and contain in an attempt to reduce overall impact.
    1. Contain impacted systems to stop the spread of ransomware.
    2. Protect critical business systems.
    3. Simultaneously have someone reach out to get help:
    • Notify the Cyber Insurance Company Breach Notification Hotline to engage legal and forensic vendors (listed on the front page of your insurance policy).
    • Notify the NC Joint Cyber Security Task Force – all state agencies.
    • Notify the UNC System Office – 16 public universities.
  2. Legal – Without Breach Counsel you are waiving your right to privileged communications. Breach counsel can also help you navigate any notification obligations, help with communications, and will engage all other breach response vendors on your behalf.
  3. Forensics – The digital forensics team will investigate to determine how the threat actor got in, attempt to identify what the initial date of compromise was, what type of data was exposed, how much data was exposed, provide ongoing monitoring of your environment to detect persistence and additional attacks by the threat actor, and more.
  4. Public Relations and Crisis Communications – Depending on the situation, the media may get involved. While breach counsel can help with some of these communications, you may need to bring in specialized public relations and crisis communications teams to assist.
  5. Restoration Teams – Rebuild, restore, and hopefully prevent future attacks/intrusions by layering in additional defenses.
  6. Data Breach Mining and Notification Teams – If forensics identifies that sensitive data was impacted, you may have an obligation to notify impacted individuals, which breach counsel will help you navigate. Data breach mining and notification is usually an expensive process and can take a long time depending on several factors, such as the volume and types of data exposed.
  7. Post-Breach Regulatory Action or Litigation – You may be the target of regulatory fines and/or fees, or be sued because of the cyber incident, which will require defense counsel.

Liz: You have a lot of experience with cyber-attacks. Can you provide a few examples of breach response scenarios that were successful or unsuccessful?

Brandy: Sure!

One of the best breach response examples:

  • Quick Detection – This organization was able to detect the threat actor (intruder) within 15 minutes due to their around-the-clock detection and response capabilities.
  • Quick Response – The quick detection triggered a quick response, which reduced the overall impact and exposure.
  • Good Backups – The organization had ransomware-resilient backups. Backups were unscathed. There was limited impact on the systems and not much downtime.
  • Data – Sensitive data was secure due to segmentation, least privilege, and encryption.
  • Breach Response – Immediately engaged legal, forensics, and restoration teams. The system was fully restored/rebuilt within one week.

One of the most challenging breach response examples:

  • Delayed Detection – The organization did not detect the intruder until ransomware was deployed throughout the whole environment (they did not have 24x7x365 detection and response in place).
  • Backups – The backups were connected to the network and not stored elsewhere. The ransomware encrypted the backups, rendering them useless.
  • Sensitive Data – A ton of sensitive data was exposed, which resulted in data breach notifications and eventually litigation.
  • Ransom – Since the organization could not access their backups due to the ransomware encryption, they were forced to pay the multi-million-dollar ransom demand. A lot of their backup data was corrupted, and they were down for a significant amount of time.


Liz: Brandy, thank you so much for your time today. You are always a wealth of information.

Brandy: It is my pleasure. Crum & Forster insures many of the Public Universities and State Agencies here in North Carolina. We are happy to support the State of North Carolina and look forward to the continued partnership.


Editor: Liz Hale, CPCU, CRM, ARM, AINS, CISR, MLIS, TRA