Best Practices for Surviving a Cyber Breach

Your organization is a victim of a cyber breach. Do you pay the ransom? Call the FBI? Here are best practices for minimizing the damage.

Rick Dagley

May 11, 2024

7 Min Read
Gillette Stadium

FOXBOROUGH, MA. — Blue Mantis hosted its inaugural cybersecurity symposium here earlier this week, set against the backdrop of the New England Patriots' six championship banners hanging in Gillette Stadium — a fitting venue since, as the saying goes, defense wins championships. The same holds true for organizations: A strong cyber defense can minimize the damage of a cyberattack, but a weak one could lead to devastating losses.

The focus of the symposium — "Unveiling the Anatomy of a Cyber Breach: A Beneath-the-Surface Exploration of the Harsh Realities" — was less on preventing cyberattacks and more on best practices for when you are breached. A panel of security experts discussed a real-life cyber breach, focusing on the victim's response and lessons learned.

Simple security measures, according to Jay Pasteris, chief operating officer at Blue Mantis, were not taken: Passwords were never required to change from the initial password; there was no multifactor authentication (MFA) requirement; and while there was extended detection and response (XDR) on the initial device that was compromised, the XDR was not configured properly.

"Ultimately, that agent's password got breached [and was] posted on the dark web, where a hacker group … was able to obtain that password," he said. That hacker was able to elevate privileges across the company's environment and build a ransomware package. "So with a push of a button on D-Day, they shut down that entire organization."

Related:Cybersecurity Quiz 2024: Test Your IT Security Knowledge

Have a Playbook and Follow It

What lessons should be learned from this cyber breach?

First and foremost, according to Kevin Powers, founder and director of the Master of Science in Cybersecurity Policy and Governance Programs at Boston College, organizations must be prepared. Similar to football, organizations will be targets of all types of attacks, so they must ensure they aren't scrambling to devise a plan after an attack occurs. They need a playbook that covers all scenarios. "When you think of incident response, you should really think of it is incident planning, response, and management," he said.

When hit with a cyber breach, the first thing you do is look at the incident response plan. "If you're discussing when you're in the middle of a breach, 'Should we call the FBI or not? Should we do that?' That's a problem," Powers said. "That's something you should already have planned for and had discussions. … When you're thinking instant response, you're thinking the plan first."

Pasteris added that it is vital to know what your assets are, as things fall through the cracks. Not only should you know what applications you use, but how you are protecting those applications. "A lot of organizations don't keep track of their assets," he said. "How are they protected, how they do defense in depth around those apps."

Powers pulled quote

You also need to take into consideration cyber insurance — not only making it part of your plan but understanding what it does and does not cover.

"The key to [cyber insurance] goes back to incident planning," Powers said. "If you're going like, 'Holy crap, our insurance covers none of that!' Well, that's your problem because you didn't actually plan accordingly and you're going to lose that battle."

It's important to understand that insurance is built on conditions, said Scott Lashway, partner at Manatt, Phelps & Phillips, LLP, and co-leader of Manatt's privacy and cybersecurity practice. "We are relying on cyber insurance to do things that cyber insurance is not built for. It's built on conditions. So there are nation-state exclusions. … There's warfare exclusions."

When To Involve the FBI

A big question, according to Jay Martin, security practice lead at Blue Mantis, is if and when you should call the FBI after a cyber breach, as a lot of companies worry about getting on the FBI's radar. "Do we call the FBI, not call the FBI?" he asked. "And what are they going to do for us when we call them?"

There are advantages to calling the FBI, said Joe Bonavolonta, managing partner at global risk and intelligence advisory firm Sentinel, who served more than 27 years with the FBI, including a stint as head of the FBI counterintelligence program. Bonavolonta assured the audience that the FBI takes a victim-based approach to such attacks. And they don't show up at your office with the raid jackets and lights and sirens blaring. The vast majority of incident responses are conducted via phone, email, or video conference, he said.

A big plus to working with the FBI is it may have a treasure trove of intel that can help your organization mitigate the threat as well as help keep other companies from falling victim to the same attack, Bonavolonta said.

In addition, the FBI may have the decryption key needed by your company. "That's why reaching out to the bureau and our partners is important because we may have that decryption key or, more importantly, we may have a partnership with a private sector entity that has a decryption key because they were a victim previously of that," he said.

Also, "if payments are made, in some cases we have the ability … to potentially cease and freeze some of these assets or some of these funds before they actually go out," Bonavolonta said. "Then there also are other situations where based on relationships that the bureau and our partners have with cloud providers, we have been actually able to retrieve stolen data from companies that were housed on certain servers."

Circling back to the need for a comprehensive cybersecurity playbook, Bonavolonta suggested that organizations be proactive by building a relationship with the FBI. "Have that name, phone number, email address, and put that name with the face before things really go south because that is not the time during a major crisis to try to have to reach out and develop those relationships," he said.

Do You Pay the Ransomware?

Perhaps the biggest question facing organizations hit with a ransomware attack is whether or not they should pay the ransom.

"It's a huge risk," Powers said. "You're dealing with criminals. You can sign a contract with the criminal. It's as good as a piece of toilet paper, really."

Bonavolonta said the FBI does not recommend payment. He's seen companies pay the ransom only to have the bad actors come back and say not only are they not going to decrypt their files, but that they also exfiltrated a significant amount of the data, which they will make public unless the company pays them again. "It's what we have dubbed internally 'double extortion,'" he said.

"I do not like to pay. I do not like to even negotiate," Lashway said. "We try to make it mechanical."

Lashway said there are three things you must do before making a ransomware payment: 1) go through a legal review to determine whether making the payment is even an option; 2) talk to the FBI because you could be potentially buying yourself a lot of legal criminal risk; and 3) if you do decide to make the payment, have someone else negotiate for you. "You're dealing with really bad people — really bad people who have tendencies of doing things like, 'I have your CEO's home floor plan,'" he reminded the audience.

No Excuses … Instead, Be Prepared for Anything

Lashway added that just because there is the narrative that it's not a matter of if but when your company will be breached, don't use that as an excuse. "We all need to take a look at ourselves in the mirror and really get rid of that mentality," he said. "It's become an excuse. It's become an excuse that lawyers use to justify companies getting compromised, and it's become an excuse in boardrooms when they're not funding your needs to build technology."

In other words, stop with the excuses, expect the unexpected, and prepare for it — just as the Patriots did in Super Bowl XLIX when despite all signs pointing to a run, they were prepared also for a pass, leading to a goal-line interception by Malcolm Butler that was the difference between triumph and crushing defeat.

About the Author(s)

Rick Dagley

Rick Dagley is senior editor at ITPro Today, covering IT operations and management, cloud computing, edge computing, software development and IT careers. Previously, he was a longtime editor at PCWeek/eWEEK, with stints at Computer Design and Telecommunications magazines before that.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.