Avoiding a data breach should be amongst your top priorities, and understanding threats and causes helps you improve your preventative measures. Sharon Nelson and John Simek welcome back Craig Hoffman to unpack the findings of BakerHostetler’s 2022 DSIR Report. They outline the security mishaps that just won’t go away; talk about ransomware and companies’ interactions with “reliable” vs. “unreliable” threat actors; discuss the enhancement of security through training, training, training; and much more.
Craig Hoffman is a sought-after digital risk advisor who co-leads the Digital Risk Advisory and Cybersecurity team at law firm BakerHostetler.
Special thanks to our sponsors CaseFleet, Clio, Embroker, and PInow.
Intro: Welcome to Digital Detectives. Reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory but practical information that you can use in your law practice right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 137th Edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics, managed cyber security and managed information technology firm in Fairfax, Virginia.
John W. Simek: And I’m John Simek, Vice President of Sensei Enterprises. Today, on Digital Detectives, our topic is Revealing Stats from the 8th Annual BakerHostetler Data Security Incident Response Report. Today, our guest is Craig Hoffman, a sought-after Digital Risk Advisor who co-leads BakerHostetler’s Digital Risk Advisory and Cybersecurity team. Distinguished by his wealth of experience in responding to information and data incidents, Craig is especially highly regarded for his representation of payment card providers. It’s great to have you with us today, Craig.
Craig Hoffman: Thank you. I’m glad to be here.
Sharon D. Nelson: Well, let’s start by having you tell us a little about the BakerHostetler Data Security Incident Response Report. Craig, that’s a mouthful. How long has it been around and what is its purpose?
Craig Hoffman: We call it the DSIR. This was our 8th report and our focus is on the roots of how our overall practice grew. We help companies before, during and after security incidents. We collect data from the incidents we work on, extract key statistics and use that to build insights to help our clients prepare for incidents ahead of time and give them context and benchmarking during an incident. So we really dig into what allows incidents to occur, how long they last, and what the key steps are, so people have better context heading into an incident for what they’re about to encounter.
John W. Simek: Well, Craig, you’ve been doing this for a little while, but for this particular report, what was the most startling finding for you?
Craig Hoffman: Sometimes as an incident response attorney, you get a little jaded because you keep seeing the same things leading to incidents over and over, and you kind of expect at some point not to have that thing lead to an incident again. Thankfully, we’re not seeing lost unencrypted backup tapes anymore. I am surprised that we continue to see email account access because there are effective ways to keep people from getting into your email account after they phish you or socially engineer you. I think it’s one of those areas where most medium and large size entities have taken measures to effectively secure access to their email accounts, but we continue to see it on the smaller and medium-sized entity side.
Sharon D. Nelson: Well, so do we, and it does surprise us, but that balance between protecting yourself and inconveniencing yourself, as they see it, that’s the part that’s hard to get around. So what new subjects does this year’s report cover?
Craig Hoffman: So we have some additional features that cover topics for some of the teams that are part of our overall practice group, our digital asset and data management group. We have a focus on NFTs, we have a focus area on the California privacy laws and some statistics from that. So it does contain items from the teams in our group beyond just our core incident response and litigation teams, but it also contains some of the content that’s been there from day one. What I think is the most informative piece, especially when I do incident response training and tabletop exercises, I always use the timeline that shows you how long the incident had been occurring before the company learned of it, how long it took them to contain, how long it took them to investigate, and then how long it took them to notify. Because I think that shows companies both where they can improve, but also when they’re going to know certain things to help them avoid missteps that other companies have made in the past.
Sharon D. Nelson: It’s always helpful to know about that dwell time, which does seem to be dwindling.
Craig Hoffman: Yes.
John W. Simek: We lecture a lot about ransomware, and the report indicates that ransomware gangs, they might call your clients or your employees directly to apply that pressure to pay that ransom. But we’ve also — in our experience, seen where they’ll call the press, too. What do your stats tell you about that kind of public outing?
Craig Hoffman: You continue to see groups look for ways to increase leverage and pressure to extract a payment. At first, the leverage point was just encrypting data, and it started as encryption of data on one device, and that’s why in 2018 our average ransom payment was $30,000.00.
It’s a small impact; if you hit the right device, you create a little leverage and you get someone to pay. Then they learned if we use PowerShell or some other tool to script out deployment to many devices at once, we can really extract some leverage. Then in the end of 2019, you had a group decide, if I steal data before I encrypt, I create an additional leverage point. Now we’re seeing groups go beyond that to call employees and say things like, “Your IT team knows you’ve had a ransom incident; the only way you will get your data back is if you pay us. You should call them and let them know that we’re going to keep calling all of you until you pay us.” Another way they’ve expanded leverage is by creating publication sites on a dedicated Tor site. That creates publicity and kind of a threat, and it works pretty well because if a company does not pay to prevent publication, then their files get published, media outlets report on it, and it increases the brand and also the threat factor. They can see that this ransom group has carried through on their threats to publish the stolen data. So it creates credibility for the ransom group, it creates a built-in “if you don’t pay us, this is what will happen to you,” and makes it easy for them to create leverage.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Sharon D. Nelson: As a lawyer, insurance is one of the last parts of your job you want to spend unbillable hours on. That’s why thousands of lawyers have switched to Embroker. Embroker offers A+ rated insurance for law firms. You can quote and buy instantly online. If you need help, they have experts on standby. Go from sign up to purchase in 15 minutes by visiting embroker.com/law. That’s E-M-B-R-O-K-E-R.com/law.
Sharon D. Nelson: What could be more important than knowing the facts of your case inside and out? CaseFleet’s powerful software makes it easy to create a chronology of each case and to track the evidence for each fact. With an intuitive interface, full text search and built-in document review, CaseFleet makes fact management easy. Sign up for a 14-day free trial at casefleet.com/digitaldetectives and get 10% off your first subscription.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is Revealing Stats from the 8th Annual BakerHostetler Data Security Incident Response Report. I’m going to start shortening that, because there’s one more time I have to say it, Craig. Our guest is Craig Hoffman, a sought-after Digital Risk Advisor who co-leads that Digital Risk Advisory and Cybersecurity team. Craig, your report suggests that ransomware criminals are, and I think it’s even in quotes in the report, “reliable criminals.” How do you define that?
Craig Hoffman: To me, I define a reliable criminal as someone who has behaved consistently in the past. So if you look at ransomware incidents and you talk to executive teams and they say, how do you decide whether to pay or not pay? One of the factors is the reliability of the group in delivering what you are going to pay them for. The primary two things that companies make a decision to pay a ransom for are: A, to get a decryptor to restore systems that are encrypted; B, to prevent publication of stolen data. On the decryptor side, that’s where you can have the most confidence in the reliability. There are firms who will help you with the negotiation and payment of a ransom, and they track their history of negotiations with that group. So instead of talking to a CEO saying, I know you have no idea who this person is on the other side of the keyboard, and you have no idea whether they will deliver a decryptor if you pay them, instead it is, we’ve had 50 negotiations with Conti in the past six months. Out of those 50 negotiations, we’ve never had a matter where a company paid Conti and they failed to deliver the decryptor.
So when you look back at their past behavior, you can get a track record. Is this a group that delivers when you pay or not? And then, by looking at that track record, you can also see outliers, the groups that are very likely to be unreliable. An easy example of an unreliable group: a group that you’ve never heard of before, the negotiation firm doesn’t have any prior history with them, they come in with a big number, you reply and say, that’s a ridiculous number, we’re not paying that, and they quickly drop the number by 90 or 95%. Of course, you would pay that number. That’s a classic tell-tale sign you’re about to be re-extorted. So you pay that small number and they come back and say, “No, sorry, I need another payment.” That’s the classic example of the unreliable ransomware group.
Sharon D. Nelson: Kind of interesting that Conti, which is Russian, should be so reliable in this.
Craig Hoffman: They were the most active group most people saw in 2021, and they were very reliable. They’re now kind of in a different class based on some sanction changes as a result of the Ukraine war.
John W. Simek: Well, Craig, we’re a lot more worried today about vendors and supply chain incidents. Can you give us some insight as to what your report tells us about that?
Craig Hoffman: We continue to see at least around a third of incidents involve a service provider or third party in some way as the cause. As technology changes, the pandemic and just overall security strategy evolve to having more service providers and more assets and resources in the cloud, you just increase the value of getting access to a third party for what it provides. If you can compromise a third party that supplies access to an entity, that gives you a lot of options for both financially motivated and kind of state-sponsored motivated reasons. And so, when people would ask, why do you rob banks? That’s where the money is. Why would you target a service provider? Because that’s where the access is. I think we’re going to see even more focus there, because when you put things in the cloud, it kind of takes away the importance of endpoint security and makes access management a little more important. So if you can socially engineer your way in, you don’t need to run malware. You’ve just gained access as a legitimate user, and so, in a way, it can reduce the effort and level of sophistication needed to gain access, and then when you’re in, you don’t need to drop any additional tools; the tools in the network are ready.
Sharon D. Nelson: Well, this next question of mine may be related, but after the pandemic started, virtually everyone became cloud-based. I think we only have one client left that is ruggedly determined to stay with everything on prem. But mostly it’s a good thing when everybody went to the cloud. But what are some of the dangers that your report revealed?
Craig Hoffman: We’ve been tracking cloud asset related incidents for the last few years as a separate category. The early type of cloud incident was still the open S3 bucket, the open Mongo database where authentication wasn’t required, and people that scanned the internet for those open cloud assets would find them and could grab the data, or it would just be crawled by a search engine. We’re seeing now the next evolution of cloud asset access occurred a few different ways: sometimes it’s the programmer who stood up a new asset without putting the company’s baseline security measures on it. Sometimes we’ll see these occur after they get an upgrade, and somehow after the upgrade the security measures weren’t re-enabled. And then sometimes the company or its vendor will leave their access keys somewhere public, like in a GitHub repository, and a person will find that and then be able to authenticate to the cloud asset.
Sharon D. Nelson: An error that’s going to bite you.
Craig Hoffman: Yes.
John W. Simek: Well, Craig, your report highlights MFA and EDR, something that Sharon and I are recounting to audiences all the time, but for our listeners, could you explain what those terms are and what your report has to say about them?
Craig Hoffman: Yes. I think both are measures that are coming pretty close to being baseline, expected and required security measures in the eyes of a regulator and in the eyes of security professionals at an organization. MFA (Multi-factor Authentication), or two-step verification, is something beyond a username and password as a way to secure access to an asset. EDR is an Endpoint Detection and Response tool. Examples are Microsoft Defender, ADP, CrowdStrike Falcon, SentinelOne, Carbon Black; there are multiple. They go beyond antivirus, which is a signature-based way of detecting an unauthorized event, to more of a heuristic. We look for the behavior of bad activity, not just the hash of a file that we know someone else previously identified as a bad file. The importance of them is you take users and say you should train your employees to avoid phishing and avoid social engineering and not clicking on things, which is good. But employees are fallible. The best training will still leave a workforce with people who will be tricked.
And so, you have to have a measure beyond the user. An EDR tool on an endpoint cures a lot of fallibility by employees, and so it’s kind of your backstop; if something gets by, that should be there to detect the event and quarantine it and isolate the device. Similar with MFA: you can tell people don’t reuse passwords, people still will; having an additional element for authentication that isn’t going to be found out on the internet is an effective way to secure access to something.
Sharon D. Nelson: And you’re quite right. I think that we have moved to actually telling audiences that under the definitions in Rule 1.1 and Model Rules of Professional Conduct 1.6, the reasonable measures now necessary include MFA and EDR, because they are reasonable and they are even reasonably priced for the smaller firms. So there are solutions that they can afford. So they can’t say, “Well, I just can’t do that.” The truth is they can, and it’s reasonable too.
John W. Simek: I think additional pressure, Craig, to bolster your opinion, is that cyber insurance carriers now, we’ve seen multiple renewal applications, et cetera, coming in and they’re asking specifically about those two items. So, you’re going to get that to force the clients to go that direction too.
Craig Hoffman: Yes, I think a lot of companies doing renewal would be happy if they were only being asked about MFA and EDR.
Sharon D. Nelson: That is so true.
Craig Hoffman: But in a way, I think cyber insurance has had a significant impact on the level of security of companies. After doing underwriting for years based on revenue and number of records, the true security and risk based underwriting that’s happened in the last two years has really been a driving force of companies implementing measures so they can be renewed and keep their premium at a place that is acceptable to them. And so, I really do think when people criticize cyber insurers for creating the ransomware market because they would reimburse companies who paid, they clearly had a benefit in enhancing security across industries through their underwriting and renewal process.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Sharon D. Nelson: Looking for secure legal software to help manage your firm’s matters in the cloud? With Clio’s cloud-based legal software, you can safely manage everything, from client intake to billing, from one secure platform so that attorneys can spend more time doing what they do best: practicing law. To learn why over 150,000 attorneys, firm staff and IT leaders trust Clio, visit clio.com today. That’s Clio, spelled C-L-I-O.com.
Jared Correia: They say, “The best things in life are free,” which either means the Legal Toolkit Podcast is pretty awesome, or we’re totally committed to the wrong business model. You’ll just have to tune in to find out which it is. I’m Jared Correia, and each episode I run the risk of making a total ass of myself so that you can have a laugh, learn something new and, why not, maybe even improve your law practice. Stop believing podcasts cannot be both fun and helpful. Subscribe now to the Legal Toolkit. Go ahead, I’ll wait.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is Revealing Stats from the 8th Annual BakerHostetler Data Security Incident Response Report. Our guest is Craig Hoffman, a sought-after Digital Risk Advisor who co-leads BakerHostetler’s Digital Risk Advisory and Cybersecurity team. Craig, the big firms have started moving, and they’re moving fairly expeditiously, to zero trust architecture. The smaller firms, not so much. What do your stats say about that?
Craig Hoffman: It’s a growing trend to see companies looking at the zero trust architecture and beginning to implement principles of it. It’s a different side of the coin to see someone fully implement that architecture. If you talk to a consulting firm, I think they’ll say the path from start to finish, fully implementing, can be years and millions of dollars. But you can start on the journey by looking at your environment, your risk profile, and implementing the principles that align to your risk and budget and security roadmap. So we were just talking about MFA and EDR, definitely two of the principles that would help you there. We’re seeing a lot of companies implement privileged access management solutions to control both privileged credentials, but also local admin credentials on endpoints. Definitely seeing MFA, EDR, PAM solutions and others on the path towards zero trust implementation.
John W. Simek: Well, Craig, we could probably sit around here for days talking about all this stuff, but what haven’t we asked you so far that we should have and what would those answers be?
Craig Hoffman: Great question. One would be, why did the average amount of ransom paid, when our clients chose to pay, go down? Why did the timeline extend? The underpinning for both of those, the reduction in ransom paid and the longer timeline from first awareness to payment, is primarily driven by companies having better backups. We’re seeing more and more companies able to restore operations from backups as a way to respond to a ransomware incident, which means when our clients are paying, it’s going down, and that’s kind of consistent with what we’re seeing from other data sources too. They are primarily paying to prevent publication of stolen data, and that’s a timeline you can extend. You can drag out negotiations for that purpose, and you can negotiate a smaller payment amount. So I think better backups and better security measures are leading to smaller ransom payments because you’re dragging out the negotiations over a longer period of time.
Sharon D. Nelson: Well, that’s also consistent, I think, with what we’ve seen. So, we sure want to thank you for being our guest again today, Craig. As always, we’ve had a good time, and I do think that we learn a lot each year when your report is released. So, it’s a great public service, and as soon as we see it out, we devour it, with strong coffee, but we devour it. But thank you very much for being with us as our guest. We sure appreciate it.
Craig Hoffman: John and Sharon, thank you very much for having me back. I enjoyed it.
John W. Simek: That does it for this edition of Digital Detectives, and remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or in Apple Podcasts. If you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, managed technology and managed cybersecurity services at senseient.com. We’ll see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.