
Incident Response is Crucial but Complex for Cybersecurity

Bryce Austin talks about his own experience with incident response and offers some advice.

The world today is highly digital and full of cyber risks. Cybersecurity isn’t just for large organizations anymore – it’s for everybody. It’s essential to know how to protect your sensitive data, have backups to restore from, and do regular pentesting to find vulnerabilities. But incident response is also part of your cybersecurity toolbox. And sometimes, how to respond to an incident isn’t straightforward or obvious.

See Ransomware, Phishing, and Fraud with Bryce Austin for a complete transcript of the Easy Prey podcast episode.

Bryce Austin is the founder and CEO of TCE Strategy. TCE stands for Technology and Cybersecurity Education. They offer vulnerability scans, pentesting, fractional CISO services, and incident response services. They try to keep clients one step ahead of real-world cybercriminal risks so that they don’t end up in the headlines because of a cybercriminal attack on their company. Bryce is also a professional speaker on ransomware and other technology and cybersecurity topics, as well as a fractional CISO to many companies.

Finding a Career in Cybersecurity

Bryce always thought computers were fun, but they originally weren’t going to be his career. He got his degree in chemistry and planned to be a PhD chemist. Two years of grad school cured him of that idea. After dropping out of grad school, he got into tech as a career and ended up in the payroll space. Payroll takes a lot of company money and moves it to a lot of places, so criminals love it and cybersecurity is essential.

Bryce pushed his company to do more on the cybersecurity side for many years. Then his company got bought by Wells Fargo, and they eventually named him CIO. Wells Fargo was very strict on cybersecurity. They wanted everything secured to just one step below a nuclear missile silo. That just wasn’t compatible with payroll. They wanted every client to use multi-factor authentication, regardless of size. Back in the mid-2000s, customers wouldn’t accept that. Most of the time, Bryce pushed back on what Wells Fargo wanted. But when they had a good point, he worked hard to convince the people in charge to do it and find the money. It was great training for a cybersecurity company.

The Incident Response that Led to TCE Strategy

In the early 2010s, Bryce wasn’t working in cybersecurity. He was running a program to upgrade stores to the newest technology – new Wi-Fi systems, smart scales in delis, “buy online, pick up in store” systems, those kinds of things. They launched a new system in 2013, and everything worked. But cybercriminals had gotten into the point-of-sale system, probably before Bryce took over the project. When the system went on, the criminals flipped their switch, too. They stole millions of credit card numbers per day. Bryce had no idea until the FBI and the Secret Service knocked on his door. He and his family quickly went from bonus checks to unemployment checks.

Even limiting their spending, it didn’t take Bryce and his family very long to burn through their savings. They had to rely on government assistance. Food stamps come through the Department of Agriculture, and they want to prove the efficacy of their program. If you have kids under five years old or are pregnant or a nursing mother, they draw your blood to prove you’re nourishing your kids. Watching his two-year-old have blood pulled out of his body because daddy was unemployed changed Bryce. He was angry and hurt and wanted to do something about it.

Bryce wanted to help other people not fall victim to what had happened to his family because some cybercriminal halfway around the world wanted to make a quick buck. TCE Strategy does a lot of things, including incident response, general cybersecurity assessments, internal and external pentesting and vulnerability scans, and fractional CISO services (similar to a part-time head of cybersecurity). He wants to do everything he can to keep what happened to his family from happening to anyone else.

Anybody Can Fall for It

As a fractional CISO, Bryce is a high-value target for a lot of criminals. So he gets included in his clients’ simulated phishing emails. Twice over the last eight years, he’s absolutely clicked those links. He’s also been a “victim” of the Pwn2Own contest, a computer hacking contest where security professionals compete to get someone to click on a link and then have five minutes to hack as much of their stuff as they can. That’s not necessarily a personal cyberattack, but it does show the importance of defense in depth. If Bryce, a security expert, can fall for it, anyone can.

If I can fall for it, anybody can.

Bryce Austin
A key to incident response is realizing that anyone can get caught by phishing.

He was also targeted by a unique spear phishing attack in 2018. The email claimed to be from a professor at the University of London – the keynote speaker at a conference had just dropped out, and he wanted Bryce as a replacement. Bryce didn’t get caught by it because he noticed a few things that were a little odd. One was that it seemed just a little too good to be true. It offered to pay for his spouse to come along, as well as his full speaking fee, which was unusual for an academic speaking gig. And the email address, though it looked legitimate, was from a Gmail account, not a .edu address like he expected from a university. His team tracked down the professor, who really did work at the University of London. But when Bryce contacted him, it turned out the whole thing was a scam.

How Incident Response Works

Incident response kicks in when something bad happens from a cybercriminal standpoint and damage results. That can be direct financial loss, loss of sensitive data, or a ransomware attack. Ransomware is especially damaging because it locks down your data. Sometimes the data isn’t even sellable; it’s wanted for emotional reasons, or a company needs it to do business. Bryce, for example, lost his grandmother a few years ago, and it would be a terrible loss to lose the photos he has of her. Companies have data like that, too. Once ransomware gets into the network and encrypts the data, essentially turning it into gibberish, there’s no way to get it back without the criminals’ decoder ring.

Common Attack Vectors

Part of incident response is figuring out how the attack happened in the first place. And there are a few common ways it happens. With direct wire fraud attacks, it’s usually because a criminal has gotten into an email account. The biggest wire fraud case Bryce ever worked was in the high six figures. A client rented a big area in a hotel, and the head of marketing was running it without the Accounts Payable people involved. The hotel sent him an email with an invoice.

Unbeknownst to the client, the hotel had been hacked, and a bad guy was listening in on the hotel emails. The bad guy realized a bunch of money was about to change hands and set it up so they could edit all outgoing emails. They changed the hotel’s account information to their own. The client didn’t pick up the phone to validate the information and sent a ton of money to the wrong account. Nobody realized what had happened until the hotel asked where their payment was. By then, the money was long gone.

With ransomware, the most common way in is that someone falls for a phishing attempt. This could be a bad link in an email or a malicious attachment. Either it’s someone who has local admin rights to their computer – too many people do – or the computer isn’t properly patched. Once they get in, they’re in a race to get as much access as they can before the IT team notices something’s wrong and incident response kicks in.

From a ransomware standpoint, the most common infiltration is someone falls for a phishing scam.

Bryce Austin

How Ransomware Operates

Once they get in through phishing, bad guys planning a ransomware attack do some very specific things. First, they elevate their access until they can access everything. Then they enumerate the network – understanding where everything is and how it works. Next, they look at backups, how they work, and what they do, and then try to take them out as quietly as possible. They know that the best incident response plan for ransomware is to restore from a backup. Once all your backups are disabled, they run the encryption software and make their demands. They often execute at days or times when no one is looking, like 2:00 AM on a Saturday morning or midnight on Christmas Eve.

If you don’t detect it in time, bad guys will do a number of things in very specific ways.

Bryce Austin

One company Bryce worked for got hit with ransomware with an initial demand of over $8 million. It was one of the hardest professional things Bryce ever had to do, but the company ended up paying, though a smaller amount of just over $1 million. There were 800 jobs on the line, and other incident response methods had failed. He didn’t see another way out, so they did what they had to do.

That incident was unusual, because it didn’t actually get in through phishing. The company operated an internet-facing Exchange server and hadn’t patched it. A bad guy found a vulnerability for which a patch existed but hadn’t been installed, and got in that way to install ransomware. Interestingly, the company’s antivirus tool was indicating something was wrong before the actual attack hit. It could have been avoided, but nobody was paying attention.

Part of incident response is monitoring your systems to catch a small incident before it becomes a big incident.
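The playbook above (elevate privileges, enumerate, quietly disable backups, then detonate at 2 AM on a weekend) and the ignored antivirus warning in the Exchange case both point at the same defensive need: treat backup-tampering and privilege changes as alerts in their own right, and weight them higher when they cluster or happen off-hours. The following is an added example, not code from the page or from TCE Strategy. It runs a few triage rules over constructed sample events; the event names, hosts and timestamps are made up for illustration, and a real deployment would map them from whatever your backup product, EDR and directory actually emit.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (made up for this example, not real logs).
# Format: ISO timestamp, host, event name, then key=value fields.
SAMPLE_EVENTS = """\
2024-03-14T09:00:00 fs01 BackupJobCompleted status=ok
2024-03-15T14:10:00 ws22 AntivirusAlert name=Trojan.Generic action=quarantined
2024-03-16T02:05:11 fs01 BackupServiceStopped user=svc_admin
2024-03-16T02:06:40 fs01 BackupRetentionChanged old=30d new=0d user=svc_admin
2024-03-16T02:07:02 fs01 SnapshotDeleted count=14 user=svc_admin
2024-03-16T02:15:30 ws07 LocalAdminGroupChanged added=tmpuser
"""

# Event classes drawn from the playbook described above: privilege escalation,
# backup destruction, and antivirus warnings that precede the encryption run.
BACKUP_TAMPER_EVENTS = {"BackupServiceStopped", "BackupRetentionChanged", "SnapshotDeleted"}
PRIVILEGE_EVENTS = {"LocalAdminGroupChanged"}
AV_EVENTS = {"AntivirusAlert"}


def parse_events(text):
    """Parse the constructed line format into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, host, event, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, "fields": fields})
    return sorted(events, key=lambda e: e["ts"])


def is_off_hours(ts):
    """Weekends or outside 07:00-19:00: the '2 AM on a Saturday' window."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 19


def triage(text, window=timedelta(minutes=15)):
    """Return (host, severity, reason) findings for the events in `text`."""
    findings = []
    tamper_times = defaultdict(list)
    for ev in parse_events(text):
        host, name, ts = ev["host"], ev["event"], ev["ts"]
        if name in AV_EVENTS:
            # The page's Exchange case: the AV fired and nobody looked.
            findings.append((host, "medium",
                             f"{name} ({ev['fields'].get('name')}): needs a human, not just a quarantine"))
        elif name in PRIVILEGE_EVENTS:
            findings.append((host, "high", f"{name}: {ev['fields']}"))
        elif name in BACKUP_TAMPER_EVENTS:
            severity = "critical" if is_off_hours(ts) else "high"
            note = " (off-hours)" if severity == "critical" else ""
            findings.append((host, severity, f"{name} at {ts.isoformat()}{note}"))
            tamper_times[host].append(ts)
    # Several backup-tampering events on one host in a short window is the
    # "take the backups out quietly" step, whatever the hour.
    for host, times in tamper_times.items():
        if len(times) >= 2 and times[-1] - times[0] <= window:
            findings.append((host, "critical",
                             f"{len(times)} backup-tampering events within {window}"))
    return findings


def worst_severity_per_host(findings):
    """Collapse findings to the highest severity seen per host, for paging."""
    order = {"medium": 1, "high": 2, "critical": 3}
    worst = {}
    for host, sev, _ in findings:
        if order[sev] > order.get(worst.get(host), 0):
            worst[host] = sev
    return worst


if __name__ == "__main__":
    for host, sev, reason in triage(SAMPLE_EVENTS):
        print(f"[{sev:8}] {host}: {reason}")
```

On the sample data, fs01 ends up with four critical findings (three off-hours backup-tampering events plus the cluster rule), which is the point: a single "backup service stopped" can be maintenance, but three in two minutes on a Saturday night is the pre-encryption step and should wake someone up.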

Paying the Ransom Can Be an Incident Response

There has been talk of making ransomware payments illegal because they give money to criminals. But Bryce thinks that’s impractical, for a couple of reasons. One is that laws by themselves don’t change behavior. Laws also need enforcement and adequate penalties if they’re going to change anything. You can’t legislate a problem away.

Laws taking away paying ransoms as an incident response option also aren’t the best way to deal with the problem. It’s legal to sell internet-connected devices that come with a default username and password, and you can sell devices that have known vulnerabilities with no way to patch them. If we made those things illegal, that would do much more in the fight against cybercrime.

A computer does whatever someone can trick it into doing. They are completely morally agnostic.

Bryce Austin

Another issue is that when you buy devices for a purpose, you often think that’s the only purpose they can serve. But that’s not the case with computers. A computer can do anything you can trick it into doing. In 2016, a bunch of internet-connected security cameras attacked DNS company Dyn and took out the internet of much of the eastern seaboard in the U.S. Every time we buy an internet-connected device, we’re buying a candle. It can give us light or smell pretty – and it could also burn your or someone else’s house down.

Every time we buy one of these [internet-connected devices], we’re buying a candle. And that candle has the potential to burn your or someone else’s house down.

Bryce Austin

Legislation Isn’t the Answer

If you look at history, governments have a lot of fundamental flaws around cybersecurity. They often aren’t following protocols as closely as they should. Look at the 2015 breach of OPM, the U.S. government’s HR department. They lost five million people’s fingerprints from an unencrypted database. You can’t issue someone a new fingerprint. Bryce is sure that this was a loss-of-life event, because if a foreign government got it and there were undercover spies in that database, they probably aren’t here anymore.

In addition, incident response requires doing the things that are least risky. But often when you’re in a desperate situation, the least risky thing is still very risky. One of the examples Bryce uses is that if his kid gets badly hurt and he knows how to get to the hospital and has a working vehicle, he would absolutely break every possible traffic law while still being safe. If someone asks questions or he gets a ticket, so be it – he wants to get care for his kid as soon as possible.

Sometimes you’re in situations where you make the best move that you can at the time, even if the move isn’t great. You can’t legislate yourself out of a position where it’s 800 people at your company or $1 million to cybercriminals. At that point, you can only make the best possible decision, even if it’s still not great.

You Probably Won’t Get All Your Data Back

If paying the ransom still didn’t get you your data, there would be no point in paying. So interestingly, most of the time when your incident response results in paying the ransom, you do get that decryption key. Bryce has yet to see an incident where someone paid the ransom and didn’t get the key. But sometimes things happen after, such as the criminals keeping copies of your data and demanding more money.

The real problem is that encrypting data makes it more random. If you have a program to compress or de-duplicate your data, encryption breaks it. Your data is going to get bigger. Bryce always recommends his clients keep at least 35% of drive space free on every important drive. Because if that increased data size fills up the disk, the encryption keeps going, but everything it encrypts after that is unrecoverable forever. Bryce has yet to see a ransomware case where the company got 100% of their data back. Mostly it was 60%-80%, with the rest lost to full drives or other errors. Cybercriminals, after all, aren’t known for strong QA testing.
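The growth effect is easy to see for yourself. The following is an added example, not code from the page or from TCE Strategy: it compresses a constructed, highly repetitive log file, then "encrypts" it with a toy SHA-256 counter keystream (an assumption standing in for any real cipher, whose output is equally incompressible) and compresses again. It also includes a small projection of disk fill before and after encryption for data currently stored compressed or deduplicated, which is where the 35%-free-space rule comes from.

```python
import hashlib
import zlib

# Constructed sample data: a repetitive log file, the kind of content that
# compression and deduplication shrink dramatically.
SAMPLE_PLAINTEXT = b"".join(
    b"2024-03-14T09:%02d:00 fs01 BackupJobCompleted status=ok bytes=1048576\n" % (i % 60)
    for i in range(4000)
)


def keystream(key: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream. Illustration only: it stands in for
    the random-looking byte stream any real cipher produces."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """XOR data with the keystream (applying it twice decrypts)."""
    ks = keystream(key, len(data))
    return (int.from_bytes(data, "big") ^ int.from_bytes(ks, "big")).to_bytes(len(data), "big")


def compression_ratio(data: bytes) -> float:
    """Compressed size / original size; ~1.0 means the data is incompressible."""
    return len(zlib.compress(data, 9)) / len(data)


def projected_fill(capacity_bytes: int, logical_bytes: int, stored_ratio: float):
    """Disk fill fraction before and after encryption for data currently stored
    at `stored_ratio` (compressed/deduplicated). Encrypted output stores at ~1.0,
    so a disk that looks comfortably under capacity can run full mid-attack."""
    before = logical_bytes * stored_ratio / capacity_bytes
    after = logical_bytes * 1.0 / capacity_bytes
    return before, after


if __name__ == "__main__":
    ct = xor_encrypt(SAMPLE_PLAINTEXT, b"demo-key")
    print(f"plaintext compresses to {compression_ratio(SAMPLE_PLAINTEXT):.2%} of its size")
    print(f"ciphertext compresses to {compression_ratio(ct):.2%} of its size")
    # 10 TB volume holding 16 TB of logical data deduplicated 2:1 (constructed numbers).
    before, after = projected_fill(10 * 2**40, 16 * 2**40, 0.5)
    print(f"disk {before:.0%} full before encryption, {after:.0%} after")
    if after > 1:
        print("encryption would run the disk full; everything after that point is gone")
```

The constructed 10 TB volume is only 80% full before the attack and would need 160% of its capacity afterwards, which is exactly the "full drives" loss the article describes; keeping the recommended 35% free buys margin but does not remove the risk for heavily deduplicated storage.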

Incident Response Planning to Protect Yourself

There’s no such thing as 100% secure unless you live in a cave with no technology. But there are steps you can take to get most of the way there.

On the proactive side, Bryce is a big fan of cybersecurity awareness training. Most companies don’t have it, but phishing is really good these days. You need it. Diligent patching is also essential. Apps on computers have new vulnerabilities all the time. If you don’t patch diligently, a criminal could theoretically get into just about anything from a simple phishing link.

On an ongoing basis, passkeys may eventually get somewhere, but right now we have passwords, and reusing them is a big problem. Bryce isn’t a fan of required password changes unless there’s an indication of compromise. But he is a fan of companies doing web scans, looking for any company email accounts in breaches, checking if passwords were harvested, and making sure they aren’t on the network. He also highly recommends password managers. He has over 700 passwords in his, and that’s way too many for one person to remember. Some people are concerned about their password manager getting hacked. That’s a valid concern. That’s why he likes companies that specialize in password managers. If they have a breach, they’re probably out of business, so they care as much as you do.
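One concrete form of the "check whether passwords were harvested" scan is a k-anonymity lookup against a breached-password corpus: the client hashes the password, sends only the first five hex characters of the SHA-1, and matches the rest locally, so the full hash never leaves the machine. The following is an added example, not code from the page or from TCE Strategy. It assumes the range-response format used by the Pwned Passwords API (suffix:count lines per five-character prefix) but runs entirely offline against a constructed two-line table with made-up counts; the sample accounts are also constructed.

```python
import hashlib

# Constructed stand-in for a Pwned Passwords "range" response. The real API
# (GET https://api.pwnedpasswords.com/range/<5-hex-prefix>) returns every known
# SHA-1 suffix starting with that prefix; this table holds two made-up lines
# for one prefix, with made-up counts.
CONSTRUCTED_RANGE_DB = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
        "0D2A3C7E1F9B4A6D8E0C2B4A6F8D0E2C4A6:7\r\n"
    ),
}


def offline_range_lookup(prefix: str) -> str:
    """Offline stand-in for the HTTP range call; swap in a real client in production."""
    return CONSTRUCTED_RANGE_DB.get(prefix.upper(), "")


def pwned_count(password: str, lookup=offline_range_lookup) -> int:
    """k-anonymity check: only the first 5 hex chars of the SHA-1 are sent out."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, count = line.split(":", 1)
        if found_suffix == suffix:
            return int(count)
    return 0


def audit_accounts(accounts, lookup=offline_range_lookup):
    """Return {email: count} for accounts whose password appears in the corpus,
    so they can be forced to rotate. `accounts` is {email: password}."""
    hits = {}
    for email, password in accounts.items():
        n = pwned_count(password, lookup)
        if n:
            hits[email] = n
    return hits


# Constructed sample accounts (not real credentials).
SAMPLE_ACCOUNTS = {
    "alice@example.com": "password",
    "bob@example.com": "Tq9!vR2#xL8mZ-constructed",
}

if __name__ == "__main__":
    for email, n in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{email}: password seen {n} times in breach corpus; force a reset")
```

In practice you would not hold a plaintext password list to audit; the check runs at the moment a user sets or enters a password, and the response is a forced change for that one account rather than a blanket rotation policy, which matches the article's preference for changing passwords only on indication of compromise.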

Do the Inconvenient Thing

Remember that one step of ransomware attacks is to destroy all the backups they can find. If you have immutable offline backups, they can’t get to those. They’re a pain, and they’re challenging for cloud-based services, but they can be done. You’ll be glad you went through the trouble when your incident response involves retrieving an offline backup and restoring it instead of paying a lot of money to get back only some of your data.

To protect from wire fraud and other similar issues, you also need to make moving money as much of a pain as possible. Follow the process so strictly that nobody wants to work with you. Take the grumpiest but most competent person you have and put them in charge. (Just make sure they have secure, unique passwords, because if they get hacked, you’re having a really bad day.) You absolutely have to jump through these hoops every time. Even if it just seems like a small amount of money, sometimes those can lead to bigger amounts. Take the extra steps, be cautious, and keep yourself safe.

You can find Bryce online and learn more about his company, TCE Strategy, at bryceaustin.com. The website also has resources, a newsletter with best practices, and some articles on cybersecurity foundations.
