Resilience in the face of ransomware: considerations for executives.

Ankura’s Christopher Todd Doss offered recommendations on responding to ransomware attacks, while Joe Carrigan from JHU ISI discussed how threat actors use social engineering to gain access to networks.

When an incident occurs, slow down and move with purpose.

Todd Doss, Senior Managing Director at Ankura and former Director of the FBI Crime Laboratory, offered advice on how organizations should respond to ransomware attacks.

“When an organization suffers an incident like that, the first thing I’m going to ask them to do is slow down, take a breath, see what’s going to happen next, and move with a purpose,” Doss said. “When I was in the FBI the one thing I taught all my new agents was, move with a purpose. Know what your next step is going to be. If you don’t, it could be your last. So please, just take a moment and slow down.”

Doss said that you should disconnect your systems from the internet, but you shouldn’t shut them down, as this will erase important data.

“The first thing I want you to do is, don’t unplug everything,” Doss said. “We’ve seen clients come in for many of these opportunities, and the first thing they do is reach for the plug and they’ll turn off their computers. And there are a lot of critical systems that run in the background. There’s data that holds stuff in memory, and we lose all of that when we do that. So I don’t want you to come in and try to recover immediately. We need system images of what is going on so we can try to figure out how they got in, and what did they see, steal, and take while they were in there.”

“So, ask your folks, don’t power anything down,” Doss continued. “Just disconnect it from the network. You know, all of these systems have to report back to the bad guys, so when you take it off the internet, it’s not going to report back to the bad guys. So I would encourage that part of it, just don’t disconnect the systems from the power supply.”

Doss added that you shouldn’t engage with the attackers before bringing in professional incident responders.

“Don’t talk to the threat actors,” Doss said. “If you reach out and start talking to these guys, it’s going to start a clock. It’s going to put more pressure on you for no reason. We deal with these threat actors on a daily basis. We talk to them in various cases and we know how to communicate with them. We’ve had clients come in and be very disrespectful to them, and it creates a pretty difficult situation when you start talking about ransom demands.”

Reconnaissance as a precursor to social engineering attacks.

Joe Carrigan, Senior Security Engineer at the Johns Hopkins University Information Security Institute, described how attackers perform reconnaissance on their targets before launching social engineering attacks.

“It starts with recon, and this recon can be anything from just gathering an email list and sending out a bunch of phishing emails, or doing a full open-source intelligence gathering effort,” Carrigan said. “They’re going to use Google, they’re going to use LinkedIn. LinkedIn is a remarkably powerful open-source intelligence tool. Be mindful, and tell your employees to be mindful of everything they put on LinkedIn, because it lets these guys essentially build an org chart of what your organization looks like from the outside – they don’t need to be inside. They’re going to look at your website to get all kinds of information. They’re going to know who your customers are from the available information that’s out there. This is before they’ve broken into anything.”

Carrigan explained that the attackers will then choose their target and craft a phishing attack (most often via an email).

“There’s an entire phase of the attack over which you have no control, and that’s the reconnaissance phase,” Carrigan said. “And the more effective or the more complete their reconnaissance, the more effective that initial attack will be.”