BakerHostetler’s latest data security report is here, and while the threat landscape is proving to be as consistent as ever, companies have been doing a better job at identifying and containing breaches more quickly. Sharon Nelson and John Simek dig into the details of the report with Joe Bruemmer, helping listeners understand current data breach trends and how to best protect against attacks.
For more on BakerHostetler’s 2023 Data Security Incident Response Report check out the key takeaways or get complimentary access to the full report.
Joe Bruemmer is a partner in BakerHostetler’s Digital Risk Advisory & Cybersecurity Team and is the Ohio Digital Assets and Data Management leader.
Special thanks to our sponsor PInow.
Intro: Welcome to Digital Detectives Reports from the Battlefront. We’ll discuss computer forensics, electronic discovery, and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 149th edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics, managed cybersecurity and managed information technology firm in Fairfax, Virginia.
John W. Simek: And I’m John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives, our topic is BakerHostetler’s Data Security Incident Response Report Released. Our guest today is Joe Bruemmer, who is a partner in BakerHostetler’s Digital Risk Advisory and Cybersecurity Team and is the Ohio Digital Assets and Data Management Leader. His practice focuses on data privacy, cybersecurity and data breach response. As a former litigator and associate general counsel for a leading legal support services provider, Joe uses that experience to help clients identify practical, business-oriented solutions to data security incidents. It’s great to have you with us today, Joe.
Joe Bruemmer: Thank you, John. It’s a pleasure to be here.
John W. Simek: Well, let’s get started. This is the 9th edition of the Data Security Incident Report. So why don’t you tell our audience a little bit about the history of the report and why it continues to be such a great source of information on yearly data incidents.
Joe Bruemmer: Sure, I’d be happy to. We started the DSIR, as we call it, nine years ago, to provide our clients with actionable data and insights from the numerous matters that we handle each year. When we looked across the industry, we saw that no one else was putting out a report like this. And we wanted to find a way to get the information that we had from all of the incidents that we handled into the hands of clients and future clients to help them make informed decisions about what the threat landscape was and how we see other organizations responding to it.
It continues to be a rich source of information concerning data security incidents. But as we’ve grown over the years, so too has the report. Three years ago, BakerHostetler created the Digital Assets and Data Management Practice Group, which is a practice group that’s devoted to the entire lifecycle of data. It’s not just focused on incident response, and the report now reflects content from across that practice group.
This year’s report contains full sections on website tracking, technology, actions by the SEC, international data protection developments, updates on employee issues, FTC rulemaking and enforcement, information governance, advertising issues, state data collection laws, and digital assets and tech transactions. So it presents a holistic, well-rounded picture of what we’re seeing across the data privacy and security spectrum.
Sharon D. Nelson: Well, I think what everybody always wants to know is what was the most striking thing about this year’s report?
Joe Bruemmer: Yes, that is the question, isn’t it? To me, personally, I think the thing that most jumped out was the increase in the average ransom demands and payments and the increase in the average recovery times we saw in certain sectors. From 2018 to 2020, we saw a huge increase in the average ransom that organizations were paying, but then as they became more attuned to the risk, enhanced their cybersecurity programs and their ability to prevent, detect and recover from ransomware incidents, we saw that figure drop in 2022, which is a really heartening trend.
Unfortunately, this year we saw the number start to tick back up. Last year the average was about 511,000. This year, it’s about 600,000. At the same time, the average days from encryption to restoration increased across almost all industries. And in some, like healthcare and then the retail restaurant and hospitality industries, we saw the recovery times nearly double. Many companies took measures to enhance their ability to prevent and detect ransomware attacks and their ability to recover from them. But those that didn’t, I think, are finding it harder to recover and they’re having to pay more for a decryption key as a result.
So what we’re seeing a lot of now is either companies that did not take measures over the past few years to guard against or recover from ransomware, or what I’m actually seeing more frequently is established companies that acquire and integrate subsidiaries. And somewhere, either in the integration process or before the integration process has started, those subs get hit with ransomware and the company’s full security stack is not yet in place in those subsidiaries, which is causing primarily what we’re seeing on this front.
John W. Simek: Well, Joe, I don’t know if you have any other things that you want to say about the ransomware statistics and how they looked last year.
I think your comments were consistent with certainly a lot of the other reports that are out there. What were the stats like in 2022? I know you said there was a fall-off in some of the payments. Anything else that was significant?
Joe Bruemmer: Yeah, so I think it’s always helpful to hear the anecdotes, hear sort of the stories about what we’re seeing on the ground, but the numbers are also really useful. So if we look at the numbers, last year, the average ransom demands and payments increased again after a decrease the year prior, which I had mentioned. The average time to an acceptable level of restoration increased again. And I didn’t touch on this before, but we’re seeing that it takes about two weeks for companies to get back to an acceptable level of restoration, and that’s just an acceptable level, that’s not complete recovery. So that’s really getting your core systems back up and running.
So sometimes when you’re dealing with clients who have just found out that their systems are encrypted with ransomware, they’ll start asking questions like, can we get back up and running in a couple of days? On very rare occasion that can happen, but very frequently, and I would say almost all the time, the real answer is, regardless of whether you are recovering from backups or whether you’re paying to purchase a decryption key, your recovery is not going to be immediate.
You’re going to be looking at something between 12 to 14 days to get your core systems back up and running, which means that in the interim, you’re really going to have to fall back on your manual workarounds and your business continuity plan. That leads us into a discussion of how frequently organizations were able to recover. And we saw many more organizations pay last year even though they were able to partially restore from backups. That figure increased from 33% of organizations paying in 2021 to 47% of organizations paying in 2022. Why is that happening? I think it is because even though companies have put good measures in place to protect their backups, they’re air-gapped, they’re immutable.
What we’re finding, or at least what I’m seeing across a number of the matters, is that the backups were not structured in the way that the companies thought they were. So either they have good coverage for almost everything except that one critical server that they really needed, or they were backing up the operating system, but they were not backing up the data volume. Which means you’ve got a machine that can run; it’s just that all the data that you want to see is locked up and you don’t have a good backup for it.
So in those instances you see companies get part of their network back up and running, but they find a week into the process that there is some critical gap in their backups and they have to go buy a decryption key to recover it. The other key component is data exfiltration, which goes hand in glove with encryption. In 82% of the matters that we handled, we found evidence of data exfiltration where there was a claim in the ransom note. And that’s almost all the time these days. It used to be the case that encryption was the name of the game. Then data exfiltration started to sneak into the picture and now I see it in almost every one of our matters.
Almost every time that a bad guy is claiming to have taken data from you, they probably did. And then the final stat I think that your listeners would be interested in hearing is how frequently companies pay just to prevent the data from being published on the bad guys’ leak site. This is a circumstance where a company does not need to buy a decryption key. They’re just concerned about the data being posted on the bad guys’ website. We saw a decrease in that statistic from 24% in 2021 to 16% in 2022.
I do want to note though, just because I think this is important and not everyone knows it. Just because you pay to prevent the data from being published, all you’re getting for that money is that the bad guy is not posting it on their publication site. I think there are very few people in the industry that believe that the bad guy is not somewhere in the background selling that data or using it for their own purposes.
Sharon D. Nelson: Well, that’s certainly consistent with our own findings, albeit they’re not in any study. But yeah, we have found exactly that. So are network intrusions still the most common kind of incident? And is there any good news on that front?
Joe Bruemmer: They certainly are. They represented 45% of the matters that we handled last year and ransomware represented nearly a third. Ransomware is the follow on to the network intrusions. The good news is that organizations are adapting and learning. More companies have put in place the kinds of measures that help them prevent, detect and recover from incidents. Those are things like Endpoint Detection and Response tools which not only look for known bad files, they look for malicious patterns of behavior that traditional antivirus won’t find.
So it’s a great way for organizations to identify activity that could be bad, even if it’s not from a known bad file. We’re also putting in place multifactor authentication, the push prompts that you get after you enter a username and password to log into a device or network or an application.
Companies are establishing security operation centers to monitor networks in real time. They’re segmenting their network so that if a bad guy gets into part of it, they don’t get into all of it. They’re putting patch management programs into place so that bad guys can’t leverage vulnerabilities in software or hardware to get into the network.
And as I’ve mentioned before, they’re putting immutable backups into place, which means even if the bad guy can get access to the backups, they cannot delete them, they cannot alter them, which greatly enhances a company’s ability to recover if their existing network is encrypted. And what we’re finding, Sharon, is that those measures yield results. The average times to detect, contain, and analyze network intrusions are all less for organizations with an endpoint detection and response tool, for example, than they are for those without one. We highlight those timelines in our report.
And as an example, if you have an endpoint detection and response tool, the average amount of time that a bad guy is in your network before you find them is 16 days. If you don’t have one, it’s 21. If you have an EDR tool, it’s three days until you contain the incident, meaning you cut off the bad guys’ ability to do bad things. It’s five days without one. And the time to conduct a forensic investigation is 31 days with the tool and 40 without. Not only does that help you figure out what the bad guy did more quickly, but it also cuts down on the forensic investigation costs. The less time the bad guy is in your network, the less opportunity they have to do stuff, which means the fewer things you have to go try to figure out that they did.
Sharon D. Nelson: We’re glad to hear that there is some good news.
Joe Bruemmer: Yeah. And look, I mean, those are just in the matters that we see. Oftentimes these tools help companies prevent the incidents from getting far enough along to even get escalated to our view.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Male: The ABA Journal Legal Rebels Podcast features the men and women in the legal profession who aren’t satisfied with good enough. These are the people who are changing the way law is practiced and setting the standards that will define the profession in the future. Each episode, we share their story. To hear insights from those with an eye fixed towards tomorrow, follow the Legal Rebels Podcast, part of the Legal Talk network.
Sharon D. Nelson: The Digital Edge Podcast where the law and technology intersect. I’m Sharon Nelson, and together with Jim Calloway, we invite professionals from all fields to discuss the latest trends, tips and tools within the legal industry. Stay up to date on the rapidly changing legal tech landscape with the Digital Edge on the Legal Talk Network.
Jud Pierce: Workers Comp Matters is a podcast dedicated to exploring the laws, the landmark cases, and the true stories that define our workers’ compensation system. I’m Judd Pierce, and together with Alan Pierce, we host a different guest each month as we bring to life this diverse area of the law. Join us on workers’ comp matters on the Legal Talk Network.
Craig Williams: Today’s legal news is rarely as straightforward as the headlines that accompany it. On Lawyer 2 Lawyer, we provide the legal perspective you need to better understand the current events that shape our society. Join me, Craig Williams, and a wide variety of industry experts as we break down the top stories. Follow Lawyer 2 Lawyer on the Legal Talk Network or wherever you subscribe to podcasts.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is BakerHostetler’s Data Security Incident Response Report Released. Our guest today is Joe Bruemmer, who is a partner in BakerHostetler’s Digital Risk Advisory and Cybersecurity Team and is the Ohio Digital Assets and Data Management Leader. His practice focuses on data privacy, cybersecurity, and data breach response. As a former litigator and associate general counsel for a leading legal support services provider, Joe uses that experience to help clients identify practical, business-oriented solutions to their data security incidents.
John W. Simek: To pick up on our discussion since the break here, I know that for a lot of our listeners, the one thing that really, really drives them and what they’re interested in is money, right? It’s that financial piece of it. So can you talk to us a little bit about wire fraud, both the numbers for last year, 2022, and what the success rate is for recovering some of those stolen funds?
Joe Bruemmer: Absolutely. If ransomware was the largest type of incident or the most common type of incident that we dealt with in 2022, business email compromises were a not too distant second.
And there are a number of encouraging figures and trends related to fraudulent fund transfers. Last year, we saw decreases in the total amount of fraudulent fund transfers, the average amount of fraudulent fund transfers, and the largest wire transfer. So the total amount of transfers dropped from 48 million to 27 million. The average transfer amount dropped from about 740,000 down to about 300,000, and the largest wire transfer dropped from 12 million to 7.6 million. There were also some figures that looked discouraging at first, but really, I don’t think are on closer inspection.
We did see the average and median recoveries decrease. But if you see the average amount of the transfers decrease, it just stands to reason that you’re going to see the average recoveries decrease as well because less money went out the door in the first place. I will say the one discouraging statistic, though, was that the percentage of matters with recovered funds dropped from 42% to 24%, and that is irrespective of the amount of money transferred.
The one recommendation I would make to any company that has discovered that funds have been transferred to a fraudulent account is you must take action quickly. The more quickly you can notify your bank, the better chance you have of recovering funds, and the sooner you get in touch with incident response counsel, the sooner we can help you recover those funds in coordination with law enforcement. The first 24 to 48 hours really are key. They represent your best chance to get your money back.
Sharon D. Nelson: They absolutely do. Joe, I know your report was for the year 2022, but we’re expecting that 2023’s report is going to have a lot to do with the rise in artificial intelligence, both assisting in cyberattacks and defending against them. What are your thoughts?
Joe Bruemmer: I think that’s a very realistic possibility. We already see the use of AI and machine learning in incident responders’ tools. Endpoint Detection and Response tools and security information and event management tools utilize machine learning to crunch large amounts of data to aggregate and correlate patterns of activity that help incident responders identify potentially malicious actions in a system.
It makes sense that threat actors are going to employ that same technology to their benefit, whether it’s going to be generative AI used to make more convincing and realistic phishing emails, or whether bad guys are going to try to use machine learning and AI to create malware that can evade the defensive tools that rely on those types of things. We will have to see. But I do think that certainly AI has taken the world by storm this year. I don’t see any reason why incident response would be any exception.
John W. Simek: In 2022, the attackers were enhancing their use of MFA bombing, social engineering, EDR-evading malware, SEO poisoning, those types of things. I suspect, and I think I’m pretty confident in stating, that the majority of our listeners have no clue what I just said there and what any of those things mean, but I know what they mean. Can you kind of explain what some of those things are for our listeners?
Joe Bruemmer: Absolutely. I think that the easiest way to explain them is threat actors adapting to all of the measures that companies put in place over the past few years to combat ransomware and business email compromises. Take MFA bombing, for example. Bad guys were using usernames and passwords. They were finding various ways to get them, whether it’s through phishing attacks or some other way. They would use them to log into people’s email accounts and company networks and then either redirect fund transfers or launch ransomware or steal data.
What did companies do in response? Many of them put multifactor authentication into place. Your listeners are probably most familiar with push-based MFA, which is the kind where, after they enter their username and password, they get a prompt on their mobile device that asks them to approve the login. Bad guys got wise to companies putting this in place, and so what they have started doing is they just repeatedly try to sign in with a username and password. The end user then gets multiple requests to approve. And instead of reporting this activity to their information security departments, users will either inadvertently hit approve or sometimes they’ll just get so sick of the prompts that they hit approve for the bad guy on the other end. And so now the bad guy is in.
Sharon D. Nelson: That’s so funny because John says that all the time. They just get tired of it and they hit okay.
John W. Simek: Push fatigue.
Joe Bruemmer: Absolutely, push fatigue, and we see it time and time again.
And so you’ve got incident responders pulling their hair out, asking, what more can we do? Well, you’ve got to train your employees at the same time. And I think everybody knows it, but it’s worth repeating. So what else have we seen bad guys do? Social engineering is another one. This is a term that’s used to describe a scenario where a threat actor impersonates a customer, a member of the IT team, or some other trusted source in conversations with an organization’s employee. And it’s not a one-time event.
In some cases, these communications can occur over a period of months with a threat actor gathering more information about the target over time. They then use that information to convince an employee to take some action, such as providing their credentials, approving a request to connect to an employee’s device, or providing information about an organization’s customers.
Sometimes you see bad guys find ways to get around endpoint detection and response tools. It’s not terribly common yet, I think it may become more common over time, particularly if AI really continues to rise in its use. But how are the bad guys doing it? Sometimes you see it with things like polymorphic malware. So John, if your users don’t know what MFA bombing is I’m sure they’re not going to know what that is.
John W. Simek: Yes, you’re right.
Joe Bruemmer: It’s basically malware that can change its signature, its shape, over time so that traditional antivirus tools that look for known bad files don’t recognize it. And there are types of malware, like Qakbot, that do just that. But more often what we’re seeing is companies that have coverage deficits, where the endpoint detection and response tool was not installed on all assets. And so the bad guys find the areas where it’s not deployed, and they will steal data from those places and they will encrypt those places.
Personally, I think the most insidious is what is known as SEO poisoning or Search Engine Optimization poisoning. This is where bad guys create fraudulent websites that mimic a client’s legitimate website and then use search engine optimization tactics to make the fraudulent website show up prominently in search results. So what does that mean as a practical matter? It means you could go into a search engine, type a common search, like what is the most common interest rate right now, or you could type in login page for a particular provider. The search engine will then display a number of results. And if the bad guy has used search engine optimization, the fraudulent website that they created might be the top hit. You click on that link, you go to that site, it looks just like the site you were expecting to see, or it looks like a legitimate site. It prompts you for a username and password, you enter it and now the bad guy has those credentials.
Sharon D. Nelson: Well, forensics investigations have always been costly. Did they ramp up again in 2022 Joe?
Joe Bruemmer: I’m afraid to say they did. We saw a modest increase in the average forensic investigation cost. It went up from about 75,000 to about 90,000. But we saw a more substantial increase in the cost for the 20 largest network intrusions. Those went up from about 445,000 in 2021 to approximately 550,000 in 2022. And here again we see proactive investments in cybersecurity yield results. I can tell you from experience that organizations that have put EDR tools in place and that have forensic firms on retainer are able to respond more quickly, which then limits the extent of the unauthorized actors’ activity and thus the time to complete the investigation, which in turn reduces the cost.
Sharon D. Nelson: Well, before we move on to our next segment, let’s take a quick commercial break.
Welcome back to Digital Detectives on the Legal Talk Network. Our guest today is Joe Bruemmer, who is a partner in BakerHostetler’s Digital Risk Advisory and Cybersecurity Team and is the Ohio Digital Assets and Data Management Leader. His practice focuses on data privacy, cybersecurity and data breach response. As a former litigator and associate general counsel for a leading legal support services provider, Joe uses that experience to help clients identify practical, business-oriented solutions to data security incidents.
John W. Simek: Well, Joe, from a practical standpoint, how can our listeners use this report to determine where to prioritize their efforts?
Joe Bruemmer: That’s a great question, John, and it really focuses on the core reason why we created the DSIR in the first place. I think there are a number of things that your listeners can do. First and foremost, at the beginning of the report, we have a key findings section that highlights the trends that we saw in the threat landscape and the way that companies are responding.
So we highlight things like the failures in MFA, the resurgence in ransomware at the end of this past year and into 2023, increases in ransom paid, increases in forensic investigation costs, and a long road to recovery. That one page can provide a quick snapshot of a number of measures that organizations can take to try to effectively respond to the threat landscape.
A little further in the report, in the ransomware section, we have a page that highlights industry specific statistics. So it’s great to hear overall stats, but it’s, I think, also meaningful to understand how your industry is stacking up, both in terms of how much are the ransom demands in my industry? How much are people paying? How long does it take them to recover? And then how much are the forensic investigation costs? And then lastly, how many people are we notifying?
You can also read the report and focus on the particular sections that highlight core incident response areas. So we have statistics on ransomware, we have statistics on wire transfer fraud, we have statistics on how many incidents result in notice and how many of those incidents result in litigation. Over the time that we’ve been handling incident response, we’ve handled over 15,000 matters, and last year we handled nearly 1,200. So across those matters, both from last year and across the lifecycle of our group, we have put together a number of insights that our clients and your readers and listeners can leverage to inform their cybersecurity strategies.
Sharon D. Nelson: One of the things I’ve noticed, Joe, is that litigation related to data breaches increased last year, and class actions are growing more common day by day. Why do you think we’ve seen such an uptick?
Joe Bruemmer: I think the simple answer is that this is an area that’s drawn increased attention over the years, and plaintiffs’ lawyers have determined that they can make some money in this space. Particularly, as ransomware became more prevalent, threat actors began stealing more information, which resulted in notices being sent to more individuals. Some state regulators also have started sharing more information about incidents, like the total number of individuals notified, which plaintiffs’ firms can and likely do monitor to figure out what the new incidents are and determine whether it makes economic sense for them to solicit plaintiffs for a given incident.
If you look at last year as compared to 2021, we saw the total number of matters that resulted in notice drop from 536 in 2021 to 494 last year. But we saw the number of matters resulting in lawsuits increase from 23 in 2021 to 42 last year. And why is that the case? I think it’s because the momentum was already in place. The plaintiffs’ bar was already focusing more on data breach lawsuits. And so even though we saw the total number of matters resulting in notice drop, we saw the total number of matters resulting in litigation increase because the plaintiffs’ firms were already focusing more in this area and building their capabilities and their bench strength.
Sharon D. Nelson: Well, I agree with you entirely, and we certainly had a good number of laughs today. Some of them won’t make it onto the podcast and some will, but we’ve had a wonderful time, and certainly you’ve given us a lot of practical advice. The data is great. There’s a lot to be learned from it, a lot of practical advice in this particular podcast. So we are ever so grateful that you took the time out to spend some time with us and thanks for being with us.
Joe Bruemmer: Oh, Sharon, thanks so much for having me. It’s been a pleasure speaking with you and John, and I really appreciate you inviting me to speak.
John W. Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or on Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, managed technology, and managed cybersecurity services at senseient.com. We’ll see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.
Published: May 18, 2023
Category: Legal Technology & Data Security
Sharon D. Nelson and John W. Simek invite experts to discuss computer forensics as well as information security issues.