Spencer Fane LLP | spencerfane.com 1
Incident Response Planning
Shawn E. Tuma
Co-Chair, Data Privacy & Cybersecurity Practice
Spencer Fane LLP
Lifecycle of Responding to a Ransomware Attack
Ransomware Timeline

Hour 1
• Initial Discovery
• Basic Intel
• Activate IR Plan & IR Team
• Triage Security + Backups
• Do Not Wipe Drives
• Start Preserving Evidence
• Do Not Communicate with TA (threat actor)

< 12 Hours
• Notify Insurance Carrier
• Engage Security Experts
• Engage Data Recovery Experts
• Report to Law Enforcement
• Notify Employees
• Notify Key Business Partners
• Begin Data Recovery + Restoration
• Confirm Not Obvious “Breach”

12 – 72+ Hours
• Implement Interim Security
• Negotiate with Threat Actor
• OFAC Clearance
• Carrier Approval for Payment
• Begin Forensics
• Plan for PR and Potential Notification

+8 Hours
• Confirm Proof of Life
• Payment Transaction
• Obtain Decryptor
• Test Decryptor

+12 – 72+ Hours
• Begin Data Decryption Process
• Follow-up with TA if Problems
• Obtain Interim Signals from Forensics

< 2 – 4+ Weeks
• Restoration of Operations
• After Action Review
• Implement Additional Security
• Complete Forensics & Obtain Report
• Determine Incident or Breach
• Notifications & Reporting if Breach

1 – 48+ Months
• Individual Notification Escalations
• Business Partner Escalations
• Regulatory Investigations
• Litigation
Ransomware Lifecycle
• Initial Discovery
• Basic Intel + Activate IR Plan & Team
• Triage Security + Backups
• Security Experts
• Data Recovery + Restoration
• Forensic Examination
• Incident or Breach?
• After Action Review
• Most Common Causes
Source: https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
DOWNLOAD: https://www.spencerfane.com/wp-content/uploads/2019/01/Cyber-Incident-Response-Checklist.pdf
Most Common Causes & Solutions

RDP Access
• This is random: attackers scan the web for Internet-facing RDP access
• Virtual Private Network (VPN) with Multifactor Authentication (MFA)

Phishing
• Email phishing tool
• Workforce training and simulated phishing

Unpatched / Outdated Software
• Install patches promptly
• No unsupported software

Passwords
• Multifactor Authentication (MFA)
• Longer passphrases

Backups, Backups, Backups!
• 3-2-1 Backup Process
• Something comparable: you may end up with only your offline backup
Most Common Causes
Source: https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
Average Ransomware Payments
Source: https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
Company Size Distribution
Source: https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
Incident Response Considerations from a Breach Coach

As we sit here today:
1. Have you collectively brainstormed to think about your greatest cyber risks?
2. Do you have an Incident Response Plan (IRP)?
3. Do you know when to activate the IRP?
4. Does each member of the Security Incident Response Team (SIRT) understand his or her role and responsibility under the IRP?
5. Do you have redundancies for those roles and responsibilities?
6. Do you know who the “head coach” is, and what happens if that person is unavailable?
7. Do you know what external parties are needed under the IRP?
8. Do you have easy access to all internal and external parties’ contact information, with redundancies, including personal cell numbers?
9. Do you have relationships already established with those third parties?
10. Do you have those third parties pre-approved under your cyber insurance policy?
11. Do you have your insurance policy, policy number, and claims contact information handy?
12. How will you access all of this information if your network is down?
13. Have you practiced a mock scenario to test your preparedness? What about if your “head coach” is unavailable?
14. Have you performed After Action Reviews (AAR) and revised your IRP for lessons learned?
Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP
972.324.0317
stuma@spencerfane.com

• 20+ Years of Cyber Law Experience
• Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
• Council Member, Southern Methodist University Cybersecurity Advisory
• Board of Advisors, North Texas Cyber Forensics Lab
• Policy Council, National Technology Security Coalition
• Board of Advisors, Cyber Future Foundation
• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
• SuperLawyers Top 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-20
• Best Lawyers in Dallas 2014-20, D Magazine
• Chair-Elect, Computer & Technology Section, State Bar of Texas
• Privacy and Data Security Committee of the State Bar of Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Conference
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee & Infragard (FBI)
• International Association of Privacy Professionals (IAPP)

Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's Perspective

  • 1. Spencer Fane LLP | spencerfane.com 1 Incident Response Planning Shawn E. Tuma Co-Chair, Data Privacy & Cybersecurity Practice Spencer Fane LLP Lifecycle of Responding to a Ransomware Attack
  • 2. Spencer Fane LLP | spencerfane.com 2 Ransomware Timeline Hour 1 Initial Discovery Basic Intel Activate IR Plan & IR Team Triage Security + Backups Do Not Wipe Drives Start Preserving Evidence Do Not Communicate with TA
  • 3. Spencer Fane LLP | spencerfane.com 3 Ransomware Timeline Hour 1 Initial Discovery Basic Intel Activate IR Plan & IR Team Triage Security + Backups Do Not Wipe Drives Start Preserving Evidence Do Not Communicate with TA < 12 Hours Notify Insurance Carrier Engage Security Experts Engage Data Recovery Experts Report to Law Enforcement Notify Employees Notify Key Business Partners Begin Data Recovery + Restoration Confirm Not Obvious “Breach
  • 4–8. Ransomware Timeline (slides 4 through 8 reveal the same timeline one phase at a time; the complete version from slide 8 is given once here)
    Hour 1
      • Initial Discovery
      • Basic Intel
      • Activate IR Plan & IR Team
      • Triage Security + Backups
      • Do Not Wipe Drives
      • Start Preserving Evidence
      • Do Not Communicate with TA (the threat actor)
    < 12 Hours
      • Notify Insurance Carrier
      • Engage Security Experts
      • Engage Data Recovery Experts
      • Report to Law Enforcement
      • Notify Employees
      • Notify Key Business Partners
      • Begin Data Recovery + Restoration
      • Confirm Not Obvious “Breach”
    12 – 72+ Hours
      • Implement Interim Security
      • Negotiate with Threat Actor
      • OFAC Clearance
      • Carrier Approval for Payment
      • Begin Forensics
      • Plan for PR and Potential Notification
    +8 Hours
      • Confirm Proof of Life
      • Payment Transaction
      • Obtain Decryptor
      • Test Decryptor
    +12 – 72+ Hours
      • Begin Data Decryption Process
      • Follow-up with TA if Problems
      • Obtain Interim Signals from Forensics
    < 2 – 4+ Weeks
      • Restoration of Operations
      • After Action Review
      • Implement Additional Security
      • Complete Forensics & Obtain Report
      • Determine Incident or Breach
      • Notifications & Reporting if Breach
    1 – 48+ Months
      • Individual Notification Escalations
      • Business Partner Escalations
      • Regulatory Investigations
      • Litigation
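  The Hour-1 steps (triage backups, do not wipe drives, start preserving evidence) need a record of exactly what first responders collected and proof that it has not changed by the time forensics, the carrier or a regulator looks at it. The script below is an added example, not from this deck or its author: a small Python chain-of-custody manifest that hashes each collected artefact, hashes the manifest itself, and verifies the set later. The directory layout, file names and file contents in demo() are constructed for illustration. It does not replace the forensic imaging the engaged security experts will do; it preserves and fingerprints what was grabbed in the first hour.

```python
"""Evidence preservation for the Hour-1 "Do Not Wipe Drives / Start Preserving
Evidence" step: hash every collected artefact and write a chain-of-custody
manifest before restoration begins.

Added example; not from the slide deck. Directory layout, file names and file
contents in demo() are constructed for illustration."""
import hashlib
import json
import time
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so a multi-GB disk or memory image never has to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(body: dict) -> bytes:
    """Deterministic JSON so the manifest digest is reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(evidence_dir: Path, collector: str) -> dict:
    """Record path, size, mtime and SHA-256 for every file under evidence_dir.

    The manifest is itself hashed; keep that digest (and ideally the whole
    manifest) outside the evidence tree so later edits to either are detectable."""
    files = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            st = p.stat()
            files.append({
                "path": p.relative_to(evidence_dir).as_posix(),
                "size": st.st_size,
                "mtime_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
                "sha256": sha256_file(p),
            })
    body = {
        "collected_by": collector,
        "collected_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "files": files,
    }
    body["manifest_sha256"] = hashlib.sha256(_canonical(body)).hexdigest()
    return body


def manifest_intact(manifest: dict) -> bool:
    """True if the manifest's own digest still matches its contents."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(_canonical(body)).hexdigest() == manifest.get("manifest_sha256")


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return problems found: missing files, changed hashes, unexpected extras."""
    problems = []
    expected = {e["path"]: e["sha256"] for e in manifest["files"]}
    present = {p.relative_to(evidence_dir).as_posix()
               for p in evidence_dir.rglob("*") if p.is_file()}
    for rel, digest in expected.items():
        f = evidence_dir / rel
        if not f.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(f) != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(present - set(expected)):
        problems.append(f"unexpected: {rel}")
    return problems


def demo() -> dict:
    """Build a constructed evidence set in a temp dir and exercise the checks."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp) / "evidence"
        (ev / "notes").mkdir(parents=True)
        # Constructed stand-ins: a ransom note and a (tiny) memory image.
        (ev / "notes" / "ransom_note.txt").write_text("ALL YOUR FILES ARE ENCRYPTED\n")
        (ev / "host01_memory.raw").write_bytes(bytes(range(256)) * 64)
        manifest = build_manifest(ev, collector="IR analyst (example)")
        clean = verify_manifest(ev, manifest)
        # Simulate a well-meaning admin "cleaning up" the note after collection.
        (ev / "notes" / "ransom_note.txt").write_text("")
        after_tamper = verify_manifest(ev, manifest)
        edited = dict(manifest)
        edited["collected_by"] = "someone else"
        return {
            "files_recorded": len(manifest["files"]),
            "clean": clean,
            "after_tamper": after_tamper,
            "manifest_intact": manifest_intact(manifest),
            "edited_manifest_intact": manifest_intact(edited),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

  Run it once immediately after collection, store the manifest (or at least its manifest_sha256 value) somewhere the compromised network cannot reach, and run verify_manifest again before handing the set to forensics. The "modified" finding in demo() is exactly the situation the Do Not Wipe Drives step is meant to prevent: someone changing evidence after it was collected.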
  • 9. Ransomware Lifecycle (cycle diagram; its node labels in order): Initial Discovery → Basic Intel + Activate IR Plan & Team → Triage Security + Backups → Security Experts → Data Recovery + Restoration → Forensic Examination → Incident or Breach? → After Action Review → Most Common Causes
  • 10. (chart; only the source survives in the transcript) Source: https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
  • 11. DOWNLOAD: Cyber Incident Response Checklist, https://www.spencerfane.com/wp-content/uploads/2019/01/Cyber-Incident-Response-Checklist.pdf
  • 12. Most Common Causes & Solutions
    RDP Access
      • Opportunistic, not targeted: attackers scan the Internet for exposed RDP endpoints
      • Put RDP behind a Virtual Private Network (VPN) that requires Multifactor Authentication (MFA)
    Phishing
      • The attacker's tool is a phishing email
      • Workforce training and simulated phishing
    Unpatched / Outdated Software
      • Install patches promptly
      • No unsupported software
    Passwords
      • Multifactor Authentication (MFA)
      • Longer passphrases
    Backups, Backups, Backups!
      • 3-2-1 backup process (three copies, on two different media, one of them off-site)
      • Or something comparable; assume the offline copy may be the only one you have left
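  The RDP row is the one most readers can check against their own logs today. As an added example, not from this deck or its author, the script below reads a constructed export of Windows Security events (4624 success / 4625 failure, logon type 10 = RemoteInteractive, i.e. RDP) and reports three signals of Internet-facing RDP: a successful RDP logon from outside the internal ranges, a source address with many failed RDP logons, and a success from a source that had already produced failures. The one-event-per-line export format, the INTERNAL_NETS list and the sample events are assumptions; the 203.0.113.0/24 address is a documentation range.

```python
"""Spot the "Internet-facing RDP" cause in a Windows Security log export.

Added example, not from the slide deck. The export format (one event per
line: time|EventID|LogonType|SourceIP|Account), the INTERNAL_NETS list and
the SAMPLE_EXPORT events are assumptions constructed for illustration."""
import ipaddress
from collections import Counter, defaultdict

# Assumption: the only ranges RDP sessions should ever originate from.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
)]
RDP_LOGON_TYPE = "10"              # RemoteInteractive (RDP / Terminal Services)
LOGON_OK, LOGON_FAIL = "4624", "4625"


def is_internal(ip: str) -> bool:
    """True only for addresses inside INTERNAL_NETS; '-' or garbage counts as untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse(line: str) -> dict:
    ts, event_id, logon_type, src, account = line.strip().split("|")
    return {"ts": ts, "event": event_id, "type": logon_type, "src": src, "account": account}


def analyze(lines, fail_threshold: int = 5) -> dict:
    """Three signals that point at exposed RDP:
    1. a successful RDP logon (4624, type 10) from a non-internal address;
    2. a source with >= fail_threshold failed RDP logons (guessing / spraying);
    3. a success from a source that had already produced failures (guessed creds)."""
    external_ok, fails, accounts, guessed = [], Counter(), defaultdict(set), []
    for raw in lines:
        if not raw.strip():
            continue
        e = parse(raw)
        if e["type"] != RDP_LOGON_TYPE:
            continue                  # console, network and service logons are out of scope here
        if e["event"] == LOGON_FAIL:
            fails[e["src"]] += 1
            accounts[e["src"]].add(e["account"])
        elif e["event"] == LOGON_OK:
            if not is_internal(e["src"]):
                external_ok.append((e["ts"], e["src"], e["account"]))
            if fails[e["src"]]:       # Counter returns 0 for unseen sources
                guessed.append((e["src"], e["account"], fails[e["src"]]))
    return {
        "external_rdp_logons": external_ok,
        "brute_force_sources": {ip: n for ip, n in fails.items() if n >= fail_threshold},
        "accounts_tried": {ip: sorted(a) for ip, a in accounts.items()},
        "success_after_failures": guessed,
    }


# Constructed sample export (not real logs).
SAMPLE_EXPORT = """\
2020-10-03T02:14:01Z|4625|10|203.0.113.45|administrator
2020-10-03T02:14:02Z|4625|10|203.0.113.45|admin
2020-10-03T02:14:03Z|4625|10|203.0.113.45|backup
2020-10-03T02:14:04Z|4625|10|203.0.113.45|jsmith
2020-10-03T02:14:05Z|4625|10|203.0.113.45|jsmith
2020-10-03T02:14:06Z|4625|10|203.0.113.45|jsmith
2020-10-03T02:14:09Z|4624|10|203.0.113.45|jsmith
2020-10-03T09:00:00Z|4624|10|10.20.30.40|jsmith
2020-10-03T09:05:00Z|4624|2|10.20.30.41|mlee
2020-10-03T09:10:00Z|4624|3|10.20.30.42|svc_backup
"""


def demo() -> dict:
    return analyze(SAMPLE_EXPORT.splitlines())


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

  In the sample, 203.0.113.45 fails six times across four accounts and then logs in as jsmith; that pattern (external source, failures, then success) is what the VPN-plus-MFA control in the slide prevents. One caveat when adapting it: with Network Level Authentication enabled, failed RDP attempts are commonly recorded with logon type 3 rather than 10, so widen the 4625 filter if your logs look like that.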
  • 13. Most Common Causes (chart) Source: https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
  • 14. Average Ransomware Payments (chart) Source: https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
  • 15. Company Size Distribution (chart) Source: https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
  • 16. Incident Response Considerations from a Breach Coach
    As we sit here today:
    1. Have you collectively brainstormed to think about your greatest cyber risks?
    2. Do you have an Incident Response Plan (IRP)?
    3. Do you know when to activate the IRP?
    4. Does each member of the Security Incident Response Team (SIRT) understand his or her role and responsibility under the IRP?
    5. Do you have redundancies for those roles and responsibilities?
    6. Do you know who is the “head coach” and, what if that person is unavailable?
    7. Do you know what external parties are needed under the IRP?
    8. Do you have easy access to all internal and external parties’ contact information, with redundancies, including personal cell numbers?
    9. Do you have relationships already established with those third parties?
    10. Do you have those third parties pre-approved under your cyber insurance policy?
    11. Do you have your insurance policy, policy number, and claims contact information handy?
    12. How will you access all of this information if your network is down?
    13. Have you practiced a mock scenario to test your preparedness? What about if your “head coach” is unavailable?
    14. Have you performed After Action Reviews (AAR) and revised your IRP for lessons learned?
  • 17. Shawn Tuma, Co-Chair, Cybersecurity & Data Privacy, Spencer Fane LLP, 972.324.0317, stuma@spencerfane.com
    • 20+ Years of Cyber Law Experience
    • Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
    • Council Member, Southern Methodist University Cybersecurity Advisory
    • Board of Advisors, North Texas Cyber Forensics Lab
    • Policy Council, National Technology Security Coalition
    • Board of Advisors, Cyber Future Foundation
    • Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
    • SuperLawyers Top 100 Lawyers in Dallas (2016)
    • SuperLawyers 2015-20
    • Best Lawyers in Dallas 2014-20, D Magazine
    • Chair-Elect, Computer & Technology Section, State Bar of Texas
    • Privacy and Data Security Committee of the State Bar of Texas
    • College of the State Bar of Texas
    • Board of Directors, Collin County Bench Bar Conference
    • Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
    • Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
    • North Texas Crime Commission, Cybercrime Committee & Infragard (FBI)
    • International Association of Privacy Professionals (IAPP)