Workshop | Your Path to Ransomware Resilience

Hello, and welcome to this pre cybersecurity leadership summit workshop and in the word, their workshop, it's, we're wanting it to be as interactive as possible, but remembering now it's a hybrid event. So I'm inviting the members of the audience here and everyone who's joining us from around the world online to just participate, raise your hand, ask a question, drop something in the comment and just let us know. And we can, you can unmute yourselves.

You can ask us questions, as I say, it's a hybrid event, so where we've gotta manage both audiences, but we want it to be as interactive as possible. And the reason we're all here this morning is because of ransomware. And if you are organized any organization connected to the internet and that it has to be connected to the internet to be successful today, doesn't it is either being hit by ransomware already, or is likely to be hit by ransomware very soon. Just ask media marked. I believe they're in the, in the midst of a ransomware crisis right at the moment. So that's the bad news.

The bad news is you've probably been hit already, or you're gonna get hit soon. The good news is that there is something that you can do about it. And the clue there is in the title of the presentation today, which is ransomware resilience. We're gonna be looking at the concept of resilience and what you can do to be as resilient as possible. And I say we I'm Warwick Ashford and I'm joined by my colleagues, Martin Kuppinger and Christopher Schutze will introduce ourselves in a little while, but we'll just carry on with the look at the agenda first, before we get into those details.

So as you can see, we're gonna have a look at the state of ransomware so that we have a common understanding, ensure that we know what the challenge is that we are addressing. And then we'll go in for a more technical look at the ransomware attack surface to see exactly where and how they can get in. And then from there, we'll go through the different stages. And this gets into the, the kind of real meat of the workshop today.

This is where we're going to be talking about ransomware resilience essentials, going through the phases of protection, sorry, preparation, protection response, and then most importantly, in a way recovery, because you need to carry on afterwards. So as I said earlier, we'd like it to be as interactive as possible.

I don't, is there anyone in the room who's willing to say whether they have been through a ransomware attack? Is there anybody who's who's who's had that experience, cuz we'd like to know where you guys are coming from and what, so we can build on that. So we get an idea of, of what it is that, that you're coming to, what your expectations are to all the people who are online. Please just add comments to the chat. If you've got any war stories you wanna share with us.

Because again, that's the great thing about a ware workshop is that we can swap war stories and say, look, this is what happened to us and this is how we got around it. And that kind of stuff's. So that would be really, really interesting and useful while we're just waiting for people to either.

Is there, are there any responses in the room? I I'm not getting any indications in the room. Nobody wants to, to, to share any of the war stories. So I will the handover then to my colleagues to introduce themselves Martin and Christopher. Okay. Yeah. So I'm Martin Kuppinger, I'm one of the founders of co coal acting as a principal Analyst. So my job is that I guide our research team and I'm on Walton and a lot of research we do. So have a long history in a longer history in identity, a long history in cybersecurity as well.

And following this entire team, surely I would say of cyber attacks probably since, since this started back in the days more or less. And, and yes, I think we, we are in a, in a, in an interesting phase let's phrase it friendly and some, some that that will last and, and so I will do some parts of that.

And I, I would dare to say my main focus always is on the, the recovery part because at the end of the day, when we look at resilience, then there's no a hundred percent guarantee that you won't be hit. And the ability to get back to work as fast as you can. That is one of the essential things. And I believe still not to, to say too much, I still believe that this is frequently overlooked. So protection is important, but it's not sufficient. That will be one of those things we'll discuss. I think that will be a very interesting workshop.

And again, to the online audience, feel free to enter comments, to enter questions at any time, we are constantly looking at this and, and we'll pick up these questions. Exactly. And we will.

Exactly, and we will also open the channels for you to actively discuss with us. So also with the onsite people here, we have prepared some questions, some discuss, discussing, discussing statements, really to keep it as interactive as possible. So going back to the introduction, my name is Christopher Schutze I'm on the one hand director for the practice, cyber security was copy a call, which means I'm doing advisory. I support customers in protecting their environments, their organization, things like that.

And on the other hand, I'm also the chief information security officer with copy a call, which means I'm not just telling Support. Oh. But if we were hit, he would be Guilty. Exactly. So I'm not only saying what people can do. I'm also responsible for doing this for our own organization, this justice background. Yeah. And with that, I would hand back to Warwick. Thank you.

So, as I said before, I'm Warwick Ashford. I've been with keeping a coal for just over two years. Now. I cover anything to do with cybersecurity and identity. But prior to that, I worked for about 15 years as a technology journalist and for the past eight years in cybersecurity. So I've seen the evolution of ransomware and the way it's really ramped up something that we very rarely saw it happened, but people didn't take it that seriously. And it seemed to be sort of peripheral.

But in recent years, especially last year during the pandemic or the beginning stages of the pandemic, we're still in the pandemic. We saw a huge, huge ramp up. So as I say, I've, I've, I've got a good overview of where, where it's come from and where it's going to. And so again, I hope you really have a good workshop today and please ask us any questions that you may have. So now we'll just get into the agenda properly. And as I said, we are gonna be looking at the state of ransomware. I'd like to just get an idea from you guys.

What, what, what you considered to be ransomware. I mean, is there anybody wanting to give me a definition of what you see as being ransomware or what are the main defining features of it?

And yeah, as I said before, if you have any experience, is there anyone in the room who has got any ideas? You know, if somebody from outside your business just said to me, I hear about this, this ransomware attack that's happening on media, mark, what is ransomware? You work in cyber security or you are responsible for that.

I mean, what, how would you define it? Is there anybody willing to, to venture a definition?

Okay, so let's move on to, to this definition that I have is ransomware's goal is to extort money from a target by using malware that locks or encrypts the target systems. I think that's a fair description. And so I just think if we use that as our, our, our working definition and a ransomware, a ransom payment is demanded to unlock and retrieve a file. So that's kind of the very basic thing. But as I said, ransomware is evolved a great deal. So from 19 18 9, can you believe it is one of the first recorded attacks of ransomware?

This was at a w H O conference where 20,000 floppy discs were mailed out to participants and just, just load this on your system for more information, of course, when they loaded it, it locked up their, their systems. And, and in those days you had to send a postal order to a PO box in Panama. But since then things have changed, right? The internet came along and then cryptocurrency happened and we were in business because now it was easy to infect them. And it was easy to get paid and get away with it. So you had this, the, the Genesis of a perfect business model.

And that, that is why we are, we are seeing what we are seeing today. So in 2009, cryptocurrencies were introduced.

That was, that was a great boost. And then, so we started to see an evolution. We saw pettier then we saw not pettier Branson ware started to become destructive. It became a lot more inventive there. Some of them became worms. So we saw kind of whole variation in the malware. And then we started double dipping. We're gonna encrypt your stuff. We're gonna demand a ransomware payment. And then once you've paid, we're gonna threaten to release it to the public unless you pay us again, perfect business model, you get two shots at the two bites at the cherry.

So it just got better and better for the cyber criminals. And that's why governments like the us and across Europe now are taking it really seriously. And last week, the FBI warn that now the targets are people who are, are going through sensitive financial transactions, merge mergers, and acquisitions, that kind of stuff. They'll get in. They'll get the information say, okay, you don't want your share price to be upset right now, do you, you can, you can pay if you don't want, if you don't want it to, to, to be exposed.

So that's why I say that's, the ransomware is now getting the attention of the authorities in the us and in Europe and people around the world are looking at it that hopefully the tide is gonna start turning. Now we're seeing more people identified. We are starting to see them gearing up to, to clamp down on cryptocurrencies and that kind of thing. And hopefully today we're gonna give you some tools to help turn the tide to All right, Warwick. We already have, have a, quite some discussion going on in the chat was the people attending online.

And that's one interesting question which came in, which is so, so one comment also was cryptocurrency drives us because the attackers can't be traced. And the fact we have the first type of crime, which is enabled by just by cryptocurrency. If we hadn't blockchain, Bitcoin, we probably wouldn't have to randomware problem in that way.

We have, we need to be realistic about it. But the other point, which is, I think interesting is there was a question which says, does extortion with the thread of publication of sensitive information also fall under your definition of ransonware. That is something where, where I think where we have different opinions, I personally would be a little reluctant because in ransomware there's this wear thing, which, which hints on a specific type of attack.

And the, the other thing is, is in, in some way, trust blackmail, I would dare to say which, which could be related to, to various types of attacks. So, so I, I would be a little careful with saying, well, Our, our definition is to extort money, so, Okay. But it's extortion basically. Yeah.

But, but by using, by using a specific malware that locks or encrypts the target system, that's, that's that part of the definition where I would say it doesn't fall under it, but at the end of the day, it's a problem. Anyway, the biggest problem on at the end, from my perspective really is that type of ware, which, which means you, you have something that is encrypted and you need to pay to decrypt to come back to work or take other measures as we will discuss later to come back to work. But I think where we all agree is we have a big, big problem Problem. Just short, just yeah, sure.

Would it Be possible to see also here over the screen, Would It be possible to see the chats on the screen over there so we can follow them? The only thing we could do is that we share the team session here, then you have everything. But the problem is if we share the team session, then the screens are, the screen is harder to read.

I, I have a suggestion just try to share. And we exactly, And, and we can switch if we have complex Graphics so we can follow the Discussions.

That's if, if we have complex graphics in the, on the slides, we will switch back to slide only. And otherwise we go with the, with the team window. Yeah. We have prepared some sections where we have discussion points and the plan was that we then shared. But if it's easier for you to follow here, that's fine. Just in a short addition to the discussion, usually attack us. Also use the extraction of data as an additional thing to push you, to pay the ran.

That's also also something and sometimes an intention, what they do, what Martin mentioned that it's more focused on encryption is it depends on the definition is most of the time true. Sometimes also the expect is part of it. So people are forced. If you do not pay, we don't, we do not give you the, the encryption or decryption key. And we also publish it for others just in addition from my end.

And I'm sure as Christopher discussed later is that by the time that you know that you've been hit by ransomware attack, these guys have been in for weeks and maybe months already, because a huge part of the ransomware now is, is not just a in hit out. It's in explore, decide exactly what I mean. This is part of the business model is decide what is valuable to this company. So they they're looking and like how likely are they to pay and all this kind of reconnaissance work that gets, that gets done beforehand. So where do we stand today?

As I was saying earlier with the, with the introduction of the internet and with the introduction of cryptocurrencies, ransomware is now an established cyber criminal business model. It's a business model and it's, it's something you can duplicate. It's professional, ransomware gangs are operating as professionals. They have customer service departments. They have ransomware negotiators, you know, it's just organized like your business.

There, there, there is a process. There, there is, there is a whole team attached to all of these things and they they're gonna get in. They're gonna analyze everything about your company and then they will base the demands on your cyber insurance. Do you have cyber insurance? What do you insured up to? So if you insured up to, to 10 million euros, well then, Hey, what, we're gonna demand at least 10 million euros, cuz we know that that's money in the bank. They're gonna find out what, what your revenue is and they'll decide exactly what it is that's gonna make you most likely to pay.

And they're gonna decide how much you are likely to pay for that threat. And as Christopher said, they'll use as extra leverage if necessary to say, well look, you know, pay this or we'll release the, the information on the public internet. So the other evolution of course is they're increasingly targeting infrastructures. We're seeing things like hospitals. And of course we had the famous pipeline in America, which brought gas stations to a halt. So the fact is that the number of ransomware attacks are increasing and the ransomware amounts are increasing.

So in the first half of, of, of this year, he has a stat that say we saw almost one and a half thousand ransomware attacks reported. So that was a 14% increase over the second half of 2020. So even though 2020 was the beginning of this Bonanza, there was a step up at the beginning of this year.

Again, again, was supporting this theme of things increasing in 2021, the attacks mainly target north America and Europe. And the reason for this is according to interviews with ransomware attackers is that it's the people in Europe and America who have got disciple insurance. And they're the more, they're the more wealthy companies and they're more likely to pay. So why would you bother go fishing in a pond where the pickings are, are, are lean. You're gonna go for the areas where you're gonna get the most money. So as I say, it's a business model.

These, these guys are organized. They're approaching their business as seriously. And as professionally as you are approaching your business, don't forget that Us worldwide. That was worldwide. There was a worldwide stat. Okay. The question was whether this is, could you repeat the question? Because otherwise the people online can't hear it. If you don't use the Microphone. Okay. There was a, there was a question from the audience here in the room, whether the stat of 1,497 ransomware attacks that that was a, a global figure that, that, that I got from my colleagues at computer weekly.

Okay. Are there any other questions, Martin? No. Okay. Right. And then the ransoms pay globally in 2019, increased 33% over those in 2018. So in 2019, the one stat that we have from Anisa, I think I should imagine they would know 10.1 billion euros paid. So this is, this is a billion dollar business, a billion Euro business multi-billion Euro business.

So again, I said, you know, if you think these guys aren't serious and they are making money, think again. And then the, the average ransom increased three times from 2019 to 2020.

So in, in 2019, we're looking at around $115,000 and it became up to 312,000 in 2020 on average. But of course we've seen higher. There there've been individual cases, which have been much higher than that. So now of course, There's the big question that you you're faced with few choices. Do you pay yes or no? Or do you just ignore them and try and rebuild or, well, those are your kind, your choices really.

So have, have any of you been in the room, been faced with a ransom way demand? Are you willing to talk us through the kinds of things you might have considered whether you would pay or why not? If you have any stories, please raise your hand, let us know. So now we can, we'll look at, we'll look at the implication of an attack on, on, on business continuity.

And we'll, we'll go through each of the things to consider whether to pay or not to pay. So the immediate implications, your business comes to a standstill. That's a huge implication. If you can't, if you can't access your, your key systems and your data, you've got a bit, you've got a big problem. And the reports say that 66% of the attacked organizations reported a significant loss of revenue. So that's what to consider straight away. But the medium term implications are that it extends beyond the core business.

So it's not just the superficial or we can't do business for a day or three it's it's wider than that. So it is, you have to, in most regions now you've got mandatory breach reporting. You've gotta report this. You've gotta, you've gotta let the authorities know, of course, there's the supply chain disruption. You may not be, be able to, to produce the goods at the same rate, as you were able to.

We, we all know about the aluminum factory in, in Scandinavia that was hit. They, they were, they had huge problems.

They, they couldn't supply all their, their obligations and the, the, according to the stats that we have, 25% of attacked organizations reported that they had an ongoing cessation of operations. So it wasn't just a week. It could have been several weeks and, and extending into months. So there you looking at reputational damage, oh, these guys can't supply, these guys are unreliable. So this is something that you have to manage and you have to, to get in, in front of, and also consider. So you think, okay, I'll just pay the ransom and then the problem will go away.

Well, will it let's look at the implications of paying the ransom. So first of all, you've gotta come up with the money. So if you've got the, your cyber insurance, that's fine. Hopefully it covers that. But if you don't, then you've gotta come up with the money to pay for this ransom. So that's a huge monetary loss. But then again, the stat that we have here is that 45% of attacked organizations paid the ransom, but half of them didn't get their data back so you can pay, but there's no guarantee that you're gonna get your data back.

And even if you get some data back, there's no guarantee that it's going to be uncorrupted. So there is that that to consider. So there's the, the lengthy process of decrypting using the decryption key that you're supplied with and then sorting out what's, what's good data, what's bad data. And then that kind of the insurance will come into this a little bit later in, in more detail. But the insurance sort of perpetuates that because in a way companies might be less guarded. I will. It's okay. We don't have to worry too much. We've got insurance and also it's a more attractive target.

So then let's look at, okay. We, won't sorry, Just one question. And when you're talking about non percentage, what is your idea about the, the percentage of, of, of customers really reporting that there are attack to their tons of people? It's not makes things right. Like two just said, Yeah. So the question we have in the room. Yeah. So the question we have in the room is, yeah. Do we have a stat on what the reporting percentages?

Well, unfortunately I don't have a, a stat, but I think it's fairly safe to say that probably I would say at least half don't report, it could probably be higher than that. I mean, I generally, for my rule of thumb, I, I, I would, I would double, you know, if you take the, the number of reports, I would at least double that because organizations, I dunno if you disagree, Christopher, You mean the, the, the number Of if five people say they've been attacked, it's more likely that it was really 10 or more, Probably much higher, probably much higher.

That's a discussion I had with Martin a few minutes ago, because there was a question regarding to the four thousand one thousand four hundred ninety two reported attacks, just take the number of potential ransomware software outside. And then it's probably times, 10 times, times 20 times 50. We don't know honestly, but it's much higher than we expect. And probably a lot of them pay the rent, even if it might.

Well, I, the stat that I have on that at the moment is like roughly a third. It seems to be roughly a third of organizations that are hit by ransomware, do just pay without, you know, that they, but it's because they're in that they they're in that position. So here the, the official recommendation is not to pay.

I mean, if you speak to the FBI and, and to all the European cyber authorities, I mean, they'll, they'll say like the official advice is not to pay, but that comes with a huge caveat. You've gotta be prepared. And that's what today's all about is about being prepared about being resilient, to make sure that you reduce the odds of them getting in, and that if they do manage to, to, to attack you, that you're gonna be able to mitigate that impact down to the lowest possible level.

So that's what we are talking about, making sure that you've got a crisis organization that's up and, and running that can, can be up and running to, to deal with it, that you are able to check and implement your backups and that you are able to respond in an efficient way and recover. Obviously, as I say, when we get into the meat of, of today, Christopher and, and Martin will be telling you how, how to have a good response and, and, and being able to recover.

So what happens if you pay, as we've already discussed paying doesn't always work well and, and it doesn't help you identify the attack. I think some people go in with the idea, okay, we'll pay, but then they'll be, they'll, they'll be a, you know, you know, the expression, follow the money. So we can trace this back to the attacker. And then the, the bad guys will, will get, get into trouble.

But as we said, cryptocurrency has enabled this business model in a big way, because it's typically demanded in a, in a cryptocurrency, you've gotta make that in Bitcoin or, or Manero, then you've gotta change your dollars pounds euros into, into the cryptocurrency. So then that goes through an exchange, an automatic clearing house, or comes through as a credit card payment, but then that goes into the, the wallet, but these things are synonymous.

So there, there is no very good link back to the attackers. You can't just say, okay, it's this wallet. He to blame, there is no quick link, but even, I mean, I know there are ways, and there are companies I've spoken to, to companies that specialize in working with the FBI and others, to be able to trace, to trace the payments, but it's very, very quickly goes into it, take it is taken out of these accounts and then it goes to be laundered through mixes.

So here, the, the transactions are mixed with all sorts of other cyber currencies and, and with other transactions. And then of course, it, it comes out in, into again, pounds, euros and, and dollars in usually in a jurisdiction that's got weak KYC and, and anti money laundering regulations. So the conclusion there that we draw is that the attacker is not likely to be traced. So really that's kind of not a good strategy to say, okay, well we'll pay, but we'll get him.

It's, it's, it's really not guaranteed. So let's look at the other side of that. We've already already discussed. Okay. You can get cyber insurance. That's fantastic. It reduces the, the damages in the, the case of the, of ransomware.

It, it hopefully covers the cost of the ransom. You don't have that immediate impact and it might handle the negotiating costs and so on, but you still gotta consider that you've, you've got your last income. And of course there is the, the, the, the reputational damage that I mentioned earlier. And I also mentioned this too, is that if you've, if you've got insurance, they're gonna know they're gonna know if you've got insurance. So they know you are more likely to pay. And if you pay, they know you're more likely to pay again.

So that's why the general advice is not to pay, because if you do pay it, it just reinforces that cycle. You just become a really good customer of this. So payments just fuels the crisis and, and, and the cycle, and is, is probably not a good idea. And with that, we come to ransomware attack, service and surface, and I will hand over to my colleague, Christopher, who will give you a more technical take on that. Perfect. Thank you very much, Warwick.

No, I missed the time to take my notebook. Sorry for that.

So, as you can see, we are live what we shared a lot of definitions. What is ransomware tech and how to deal with it in the next part, we will have a little bit more and a view on what is the technical way, how they proceed, what do attackers do if they want to gain access? What are the biggest threats?

And also, how does a typical ransomware attack look like? So what we shared the ideas of the media markets tune group, which is potentially under attack right now. So their cash register are encrypted in some way, at least the internet Twitter tested, and that you are only able to pay by cash. And I think this is a good example without pointing too much in the direction of this company, but there, you can see how an it system can at least break down such a whole organization, if you are not prepared.

And probably, and this is something we will discuss in the preparation and also in the resilience part or in the recover part, what you can do to prepare for something like that, maybe train your people that you, that you are still able to pay with cash or write down manual receipts for your customers if necessary, or on the other hand, I don't know if one of you follow the attacks against the healthcare system. There was one in west, fine. You need some kind of preparation.

If you are not able to see what, or if you're not able to see what are the medications for your patients, for your customers, then you have a huge problem. And this is something you have to solve. And this is something you have to solve before the attackers are there and encrypted all your stuff. So the next slide is basically to share a little bit the idea, what can be attacked, what are the, or what is the attack surface in your organization?

And to, to keep it short, it's really a huge attack surface. Just imagine what you are currently doing here in the room, or the people online you are using, maybe your private device, your personal computer, or a company on device via an VPN connection, maybe directly connected to join this session. Maybe in parallel, some of you write some emails or teams, messages, whatever. And this can also be an attack point. I love to say something like, do you use the public wireless line in this room?

Because usually then people try to disable it during I status, but all this things are potentially attack vectors. They, the attackers usually start with something like that. They don't drive to your organization and plug in some cable and do some magic stuff. It's much easier how they proceed. And therefore you need to know what is your overall attack surface? And this is, you might notice from other co a co presentations. On the one hand, we have the account, you, your identity and all your permissions in the it systems. This is the first thing.

If someone is able to steal your credentials, he can do whatever you can do, or your assistant or your chief executive officer, your it administrators, whatever. And the same is with's device. If you lose your device here at the conference, someone phone is stealing it at the barn, or someone is breaking in, in your office and stealed a device. And this is potentially maybe protected with some simple password credentials, some second factor or whatever. This is a potential attack thing here. And the same with your data stores, you have your databases, they use service accounts.

You have them on premise in, in your data center, you have them on stored at AWS Azure, Google cloud, whatever you use, accounts, service, accounts, access, and do a lot of stuff here. And it's maybe you configured it the right way and have some private networks in between your organization and all that stuff. Or it's public available. You have a customer facing website, all that stuff like an application, all the classic application. I don't know if one of you is using SAP here. For instance, it's also a huge system where you can do everything, have a very complex entitlement management.

And this is also part of it. I mean, they have firefighter using all the stuff, request, processes relevant, for sure. Then you also have the traditional systems. The simple example, I mentioned at the beginning, something in your data center, in the seller, a server where you can plug in, like you see in the fancy movies, someone was in USBC or USB stick and get access to your systems. And last but not least the networks, and this is honestly the, the dangerous thing, everything. Or if something is not connected to, to some other system, you cannot access it.

That's the easiest way to protect your data, your assets, your organization. But the reality is a little bit different because everything is connected. This transmission system here, this, this screen, this microphone, everything different protocols, different services, D level of security, but everything is in some way connected.

Even if you want to update something, if you have a traditional factory floor, for instance, building cars or manufacturing cars, something like that, maybe they are not permanently connected, but in some update and interval or maintenance interval, they are connected. And in that case, attackers might be able to install, implement something here and to modify something. And that is really a big thing you need to be aware of. If you are responsible for protecting your organization, any comments so far not, okay, then we proceed with the next slide, a huge attack surface.

And this attack surface has also a lot of threats. This is just a simple overview to share. Share little bit the insight. What is the most dangerous thing? No surprise. Ransonware is very high rated in the last years. It's part of mal malware. Here we have one. Third is malware. 21% is really unknown. So this can be everything from inside threat with the, and the UBC USBC stick, 50% account take over. And just imagine the, this the part with the identity over the account. So 50% account take over your credentials or the credentials of your it administrator.

Vulnerability management is also very critical things. Big organizations have to deal with a lot of updates on various systems. It's a complex process, and you need to be aware of it. And for instance, you have systems which are not, which cannot be updated once a month, once a week, only once a year. And this is something you need to be aware in your risk management approach and also in your update process.

I mean, what do you do if your mainframe in the seller needs a very important update and the next update cyclist in 11 months, even for criticals, because otherwise you are not able to do your everyday business, 6% targeted attack, which means maybe your competitor wants to have access to your systems to your data are then 3% misconfigurations. So the it administrator, which had a intensive weekend or whatever, was a new employee, which is not trained enough.

This is something the chief executive office of fraud is also very popular, popular, and also the distributed denial of service attacks still happen. Not as much as in the past years, because we have a lot of new technologies, which on one hand can detect. If you are under an DDO attack or not, we have auto scaling and all that stuff. And auto blocking here. This is something we can handle really good distributed denial of service attacks can take an important role in ransomware ransomware attack.

For instance, what happens if you are prepared for ransomware attack, have plan B, have an alternative system website, whatever, and you start it. But usually this alternative instances, environments are not as reliable as your normal one. And for instance, your normal stuff is encrypted. And the other stuff is under distributed denial of service attack, really to push you to pay the ransom. This happens. And this is a very common, additional attack vector. If you think about ransomware attacks. So this is something you need to be aware of.

And an important statement here is really, you have a lot of threats. Ransomware is one of them, but ransomware text can also be used with others. And usually, and ransomware tech starts not only with please click the following link or download the following word, attachment dot, exe, whatever. I think our it teams, our employees should be trained enough.

Martin, you are laughing. I, I, I think probably outta microphone, here we go.

I, I, I think that the point is really ransomware is using the, the same ways to come in as other malware, thus at the end of the day, just executes differently. I think this is what, what at the end makes a difference, but the usual entry point for Mel, I would say the, the most common entry point at the end is, is really the, the typical fishing approach. Still. I think we need still to be aware that at the end, it's all in, in many cases, it's the user followed by a miserable patch management followed by a zero day exploits. I would say probably this is the, the right order.

So at the end, the human is, is usually the weak link, the weakest link, because if you trust dry enough to send out enough fishing mails, someone will make a mistake unwillingly. And as I've said, then it's from my perspective, still closely followed. I still remember the numbers. Some of you might remember heart plead.

The, the problem is the SSL libraries and the number which really scared me most was that 50% of the systems remained unpatched. After one year. It was pretty exact 50% after one year. And the searching, as I said, is that there are too many open exploits. And I think last and least, and we'll touch this over this, the cause of this conference and many sessions, we, we must not underestimate this growing risk of sort of software supply chain attacks, where the, at least sort of the, the door openers in the software we get delivered, like, like we learned with solar wind and CAA.

So, so, and at the end, then what the attacker does with that, that is a different question that could be ransomware. That could be just data theft that could be running from their own advanced, persistent threat type of attack. I think there are so many ways than to do it, which is what, what at the end really unfortunately, sometimes needs to keep us awake a while to think about how, how we get better on this. And it will be an endless fight.

I believe, unfortunately, there always we can get better and we'll discuss a lot of these, but it's not super easy. There's also one comment users' local, Latin rights are the biggest issue for ware getting an initial hold because otherwise ware cannot launch drivers or, or hook interrupts. And I think, yes, that, that is, that is part of the game.

So yes, you need to, to get to the system and you need to then to, to spread from that system, which requires that, that there are options for the malware to spread at the end. It always is a combination of, of various things which leads to, to these problems. The other side is unfortunately the complexity of our it world is so big that we never will be able to close everything down. It looks like you have a question comment. No. Then Christopher back to you. Yeah. And I want to add some addition to this local admin rights discussion at the ESC.

We, we had an interesting presentation exactly about that there at, at the end local admin rights can be the entry door. Maybe you use something like an tool to get the local administrator rights and then force the domain admin to join you lock again. And then you have the domain admin rights, and that's the simple way to get access to the next server.

But to that topic, I want to share something, some more details on the next slide, but at the end, local admin can be one of the 1 million billion was to year systems to get higher privileges, to get the control of your systems and at the end to be able to encrypt it and to force you to pay something, You know, but sometimes really sort of, yeah. You know, I don't know how to phrase it best, but I remember I've been writing a monthly newsletter inside windows and tea back in the days where we had windows int and, and I looked at all these Microsoft security alerts back in the days.

And this is quite a while ago, as we remember windows and T has passed quite a long time ago, at least in, in certain environments, if you go to a shop floor, you might still find some NT systems in some other OT environments, probably as well. But the point is the local admin rights privileged elevation. It has been a big issue back then. And in some way it's frustrating probably that we still haven't really got a crib on that.

Even while this, this, this sort of door is open in different ways, different doors, but the same always the same problem, leaving the door open for, for such a long time. Yeah. And without blaming Microsoft in that case.

No, I, I think, you know, you find these open doors in, in different ways Everywhere. Exactly. And the attackers usually go the way where most customers are potentially in that, in most of the cases, Microsoft, because it, this special attack thing here to get the credentials or lock the credential. This is disabled by Microsoft since I don't know, 10 years, but you can reactivate it and then you are able to lock it. Then you do something on the computer, which forces the domain admin to check. Maybe you raise in support ticket with, I don't know all my desktop. I can disappear.

I cannot open the toolbar task bar, whatever this is possible. He locks in checks it.

And again, you have the credentials. Okay. So with many threats, maybe two words about motivations. Why do attackers attack us?

Me, you, your organization and Warwick already stated something 85% is really cyber crime, organized cyber crime. They want to earn money with you 9%. And this is an important topic, at least in the vaccination discussion in the development of an vaccination espionage to really get information. But for sure, all state driven investigations about other states two, and then only 2% cyber warfare and 1% activism. That's an average distribution here. And for those of you who, who counted the numbers, we also have 2% of unknown motivations here.

And this shows a little bit with what we have to deal in our organization, cyber crime. Okay. Next slide. How Attackers could get access to your system. This is really just a simple example, how they could proceed. Usually everything starts with fishing attacks, fishing, mails, whatever people send out, spamming mails, Hey, I'm your boss. Please click the following link, download the file, sign it, whatever you can send this to 10, 10 thousands of people. One will do it. And that's the easy thing. And that's not, not one thing. The typical ransomware groups will do.

Maybe they buy a list of compromised credentials, somewhere in the darkness, somewhere in the specific forums. That's another business model model. And then they really focus on the ransomware tech. They have credentials where I don't know, 50, 80% of them will work for accesses. My maybe for private accounts, like your Facebook account was out multifactor, maybe your normal Google drive account, whatever. And many people use same credentials and then just use it.

And, and when I read trust, one of these newsletters from yesterday evening where this trading platform Robin hood had to, to confirmed that have been hacked. And, and when it reached them a security breach that exposed names, email addresses from billions of users and extensive account details and stuff like that. Then we know that these are, it might be, it might include credentials. It might not include credentials, but it always gives a lot of information that as we all know, end up somewhere ends somewhere in the dark net that gets sold. There's a market for that.

And so they're, so it's so easy. If you want to get all the information you need to, to run an attack and to automate these things at the end, this is automated. This is an industry we we know. And I think there are so many numbers showing regular work hours in certain countries relate to what happens with cyber attacks, at least with the targeted part. And there's the automated part. And probably most of you have read about all these honey pots, pot things, etcetera set up on honey pot and the automated attacks start relatively early.

And, and there, they, as we all know, there are also search engines. You can use via APIs to find new systems. So who whom of you have heard about or ever looked at Showan for instance.

So the, the search engine for the IOT. And, and so, and so the sister engine, which helps you to find devices where you can search on whatever fine Linux servers in Germany, which still have a standard password more or less, or at least which have the standard sort of login information page, nothing changed. And so on all available there. And this is, I think, where the problem starts. There are too many ways to come in. Exactly. So maybe going back to the example, how potential attacker can get access.

So they bought some credentials, did some automatic pre scanning, which of them are valid. And then they start to get access, maybe remote access to your computer, maybe remote access to your oh 365 to your Google drive, whatever, and then force you in any way to open a specific file, depending on if they are a Google drive, they need you again to force to click some something on your company, device, your local computer, if they have direct access to your computer, they can for sure do something in the background.

Like my stated example, starting to manipulate something, to get at least local admin credentials, and then jump over to the domain admin rights, always with the goal to install something. Or the biggest goal of in ransomware tech is usually to get access, to investigate your network environment, to see what is there, what are your assets? What are the critical it assets? What are your relevant systems? And then to share, to install their, their ransomware software at the end, that's their goal. Maybe also to steal the data.

If they also want to force you to exploit it in the internet, in the dark net somewhere, that is also an important thing to do. And this is basically the idea. Just imagine jumping from one host to another, getting higher privileges, getting more information about your network and then preparing all of your systems to be encrypted at a single point in time. What we mentioned something like several weeks days, how they spend in your systems in your environments. And this really depends an average number is 72 days or more.

But even in the example, Martin stated with the solar wins, it could be part of the supply chain and then some potential threat, some zero day, whatever is part of an device you use in your car, in your factory floor, in your server room. We, we, we trust don't know. I think that's the point. We don't know how long they're in, because that is just guessing. It's maybe educated, guessing, but at the end of the day, we never will exactly know how long attackers are in the products that things are, are running. As Christopher said frequently, increasingly long are very well prepared.

And, and if you, as, as we've seen with solar instance was a very long running attack, but also when we go back 10 years to the RSA secured attack, that was a very long running attack. And at least for the ones who are from the drum speaking countries, many of you probably have read this book for mark Elba blackout, where, where the software supply chain attack in fact was prepared some, some years ahead of the effective attack against the entire system. So I think we need to be always be aware of the main two groups of the players.

You know, these are not whatever the kids with the pizza boxes and the empty Coca-Cola cans around them sitting in their, their kindled SIM in the children's room. But these are professional it's at the end, it's is organized crime or it's state driven attacks. These are the two groups of attackers we, we really need to face and thus, this will not go away. So it's not the, the individual one playing around a little.

It, it is that they have a business model, they have the money, they have the power to, to keep these things running also for quite a while. Exactly. And may maybe going back to, to the media market, to an example, again, only with not with knowing really details, but the attackers. So what we right now stated in the internet, we know how much of them this might be true or not, is that their cash systems are based on windows, XP computers, or windows, computer in some ways, and that they are not available right now.

They are encrypted in some way, which means people cannot pay by card, all automated stuff. The cash out is not available. And potentially the attackers proceeded the same way they started maybe in, in their company headquarter or in any other sub organizations. They are connected in some way. They have probably some update intervals, even for their older systems and try to share the ransomware. And then maybe yesterday in the morning, they decided now it's time to encrypt everything. And this is a good example.

At the beginning of my partner also shared something about the healthcare hospital. There, there was quite a little bit different. The attackers prepared everything and tried or encrypted everything. And then they asked the bun informs or the German BSI to support them. And they investigated, for instance, there was an document where they forced the university to pay the ransom. So the attackers didn't even know that they attacked the hospital.

They were, they thought they were attacking a university. And what happened in that case, at least the official statement was that the attackers in that case give the description key to the, to the hospital and they had not to pay the rent. So this might be the other story. So at least a certain level of humanity is there in some cases, and this shows a little bit, a high level of automation. This was not really an targeted attack. They saw a lot of computers, university potential money let's go. That was the idea.

And at the end, it was not the intention to encrypt everything here and this, I mean, it, I, I find this really interesting, but on the other hand, it's also frightening for all of us. Okay, Martin, I thought you wanted to state something. Not really, but, but I think there are two interesting questions. Isn't it? If you state the one was serious from SBL, Troy, Not the questions from the audience. I think the questions you just brought up, so maybe someone has a perspective on that. Someone wants to answer via chat or here in the room.

So, so how would you attack your own organization? Probably. You won't say it was wasn't naming the company itself. Maybe it was put, we didn't do So. So I think I brought up, let's say from, from my, my more generic perspective, the usual entry points and at the end, I think it, it very much depends on what power you have as an attacker. So fishing is the easy way software supply chain attacks clearly are a more complex, more complex, but better spreading way. And so I think it depends on, on the power. You can invest as an attacker, which, which way you, you take in some way. But yeah.

So I think we, we probably discussed most of that. If there are any comments, then we'll, we'll pick them up. Otherwise I think probably it's also best.

We, we go after a break more into the question, what do we do against that? Because that is, that is the big question. What can we do? And how do we ensure that our organizations survive well, Christopher back to you. Yeah. And I just have the honor to announce a 10 minutes break. We leave The session, We leave the session open and we will continue 10 after 10. Okay. So welcome back to our second part of the ransomware resilience workshop here live from the CSLs in Berlin. So also onsite.

We have several people joining our session in the previous part while we shared some thoughts about what is ransomware, what is the state of ransomware? Some definition, some basics. In the next part, I shared some ideas about how attackers could proceed, how they could gain access to your systems, to your environments, what they can do to force you to pay a rent sum. And now the next part will be preparation. And from my end, this is really one of the most essential parts. Because if you realize that you are the victim of a cyber attack offered ransomware attack, it's probably too late.

We had in the chat question or in comment through the topic, if you are not prepared, you have to pay the ransom. And yes, in that case, it might be true. But on the other hand, if you become a good customer of a ransomware company organization, this is also not your goal because if you potentially paid once, you will pay twice too. That's the idea. Okay. So let's start with the next part preparation, A fundamental question of why to invest into preparation. This slide is basically an argumentation. Maybe you are the responsible guy for the it security in your organization.

And you have to talk to your management to your senior management. Why preparation is an important topic in your resiliency strategy. And there are several points. Let's start with the reputation. So for instance, you are, maybe you are a so worldwide acting social network and you have a data breach, or you have a ransomware attack in the birth case.

I mean, three, four, five, six weeks ago, the, this social network was not available and all his sub-services too, we all were afraid and confused what happened. It was not a ransomware attack, but it could have been one. And for normal organizations, this is a big threat. If people think, think your data is there is not secure, or maybe your financial data and all that stuff is not secure there, then they will not stay your customer. Maybe they will leave you. Maybe they will think, oh my God, this is not a good company, not a good organization for the specific social network.

This does not count. They can have data breaches once a year. Nobody cares, but that's another topic. So the loss of reputation is really a relevant thing for you. The next one, the quantity, and this is something Warwick already mentioned. The amount of a tax is really, really high. The number just for July was around about one and a half thousand is just a number for known ransomware tax. And maybe the times three times, 10 times, 20 times, 100 numbers of other victims of such an ware attack paid. Nobody really knows. We have assumptions. We have ideas. Yeah.

But I think we also need to be realistic because you can also do a little bit of a mathematics, which goes from how many businesses do you have? How many businesses are attractive as a target. And so maybe the number is not endlessly high because you will not go for a four, a five employee shop, usually, which can't pay much because then the risk to reward ratio for the attacker might not be as interesting as it is when it is against, let's say media marked where you say, okay, that's probably something where a couple of millions are in, at least for me. Yeah.

And at least from known ware attacks in Germany, there are also some famous middle size organization with Don know, five to 50 million a year. And also these organizations might be a customer. For instance, if they have a specific product service, whatever, which is based on it. And if this is not accessible because it's encrypted, it is dangerous for them. So the number of attacks due to organizations is a big point. Why to invest in preparation. Usually I stayed in such presentations. The good news is good. News is you will become the victim of a cyber attack.

So not specifically ransomware, it's just a matter of time. And then you have to be prepared. Digitalization, Warwick, just A point I didn't mention though earlier about, you know, I said that the cryptocurrencies had helped and the internet had helped, but of course, another evolution that we've seen is the ransomware is the service.

Now, you know, Martin was saying, well, the, the reward to risk ratio, but with ransomware, it is kind of, it's less of an issue as far as I'm concerned, because there is not much, there's not much risk and there's not much effort involved. If you go through ransomware as a service, basically you just get a piece of software, you point towards the organization you wanna attack and you click go. It's as simple as that. And I've seen demonstrations.

So again, that, that just speaks to what Christopher saying about the quantity and volume of attacks that are potentially coming your way. Yeah. And we have a comment from Oliver about does that. This does not cover the nation state actors. If we remember the, the previous slide I shared before the presentation are the number of statement driven text was, let me check this. It was 9% espionage and 2% cyber warfare.

So compared to the overall number, just 10%, but for sure, if, if you are talking about critical infrastructures like healthcare or any transportation organization, this is for sure more relevant. I here I'm on the slide. I'm more focusing on the overall quantity. The attacks against such critical infrastructures is really a very focused attack. Okay.

Next step, next driver, for preparation or reason why to invest into preparation is digitalization. I know that's sometimes a boring word, but we use digitalization almost everywhere. Manual processes, paper driven, whatever, especially in the healthcare sector is now digitalized. It's on the system. It's a website, it's some form on a website or an application, an app on your mobile device, which you use to do something maybe to approve the travel to the CSLs in Berlin, for instance, or we all know our healthcare pass on the iPhone or on the other Android phone, which is needed.

So we are de or our everyday life, not the only the private life. Also the business life depends on digital services. And if they are not available, like for instance, Facebook, Instagram, and WhatsApp, we have a problem. We have to go back to and send normal SMSs. I even don't know.

I, I just read a number about the amount of how many people used SMS in that period. I think it was times 5,000 or something like that to previous phases. So digitalization is a very important driver because we rely on digital services and if they are not available, we have a problem. So in case of preparation, we have to take care. What happens if a digital service is not available?

And this is something you have to keep in your mind, maybe you use prioritization, whether Facebook is relevant or not, but maybe for your business, if your teams is not available your oh 365 in general, you can access important contract documents, excellent calculations, or even important workflows. Maybe this is not relevant for one day, but what happens if you cannot access them anymore because it's, it's not available for forever or it's encrypted or it's not available for a week.

And this is something you have to ask yourself in something like in seek importance, evaluation for your organization and risk assessment, whatever, what happens if this specific it service it, asset is not available. Can I deal with that or do I have to prepare if it's not available tomorrow? And that's basically the idea of preparation then for sure, we have the hybrid world. We have stuff in, in our da our own data center, physical service, maybe with virtual machines on it.

And we use multi-cloud multi-platform things, multi services from, from externals for almost everything in our normal life. Even if, if it's only accessible from internal, but we rely on it. And what I mentioned before, the teams, Microsoft O 365 is a good example for that. Or even if you use the Google document services, and then for sure we have the topic costs. So the money to spend, I mean, it's a simple calculation. You could think if I have to pay a random of 1 million and to invest investing, invest into protection is 2 million.

Then most people would say, yeah, and then I pay the ran maybe, but again, maybe you have to pay it twice or three times, and then it's not cheaper. And combined with the loss of reputation, maybe it's even higher. If you lose customer, your business is not trustworthy to your customers, to the market. Then you have a really big problem. And even if you are under attack, you have also to investigate what happened.

So the, the reliable or the cost, which are related to such an attack are also very high, usually bigger organizations, even the, the typical ducks concerns don't have specific departments with forensic experts for all that stuff. For sure. They have in security operations center, they have expert for specific machines, but the experts who investigate all the systems and check what happened during, under tech, how can did they attackers proceed? Did they share start with the fishing mail or whatever is a very, very specialized and complex stuff.

And usually this is something which is done by contracted externals expert Martin. You want to, yeah, I think it's, it's interesting.

We, we have an council of CISOs and we had a guest speaker a while ago who talked openly about the attack, which had may been hit the company he's been working in, and he's still working as a CIO. So typical midsize or, or probably mid-market company. And the point really is that they were more or less not able to, to really work for three weeks. And if you take that cost, then you know what happens.

And, and also if you take it, I think this is something we must not underestimate. I, I had a conversation with the CISO of a bank even probably already three years ago. And he said, you know what? My concern is is how long will my bank survive? If the critical systems are off, how long can a bank survive when, when the core system, and it's not able to trade when it's not able to fulfill obligations. And he said, we, we are talking about two or three days, probably.

And, and if you, I remember when I was a little younger, when I did my, my dual study at a large automotive manufacturer, I did a, one of the many internships. Wasn't the logistics. And I still remember whatever that they let fly in cable binders with a helicopter inverse case so that the production line doesn't stop way cheaper, the helicopter than an outage of the production for, for a few hours.

So what, what does it mean from a cost perspective? If you can't produce stuff for a couple of days, we are quickly talking depending on the companies about millions or tens of millions sometimes. So I think from a cost perspective, this, this outage thing and, and the, the risk behind it, which might be, it's not only that you're, you're losing money, but that you're at the end, losing your business is something which must not be underestimated by such a tax. And clearly you could think about paying if it works.

And usually it seems that most payments lead to a give, you will end up with a key, but then it's still a very expensive exercise. So cost is really considerable. Exactly. And we have a comment from Alexei and the chat he's asking. How about the cost of the attacker, even if it were to use a program that can be customized to the target, such as dark site that was used on the pipeline company, in the us, it can be cheap, right? Just thinking about costs versus profit for an attacker and yeah, exactly.

I mean, cyber security in an organization is usually to make it too expensive to become the victim because at the end with sufficient resources, so people who try to attack you, it is potentially, always possible to attack and Martin wants to. Yeah. But if I play here, that is true for the sort of the organized crime, part of the attackers, the attackers that do it trust for money. But unfortunately we have the other side which are states.

So the, for the state driven attacks, they, they trust might not care about the cost because they want, they do it in some ways, part of a cyber warfare. So yes, being costly is helpful, but it, depending on which business you are in, doesn't give you a sort of a full guarantee in any way that you will not become the victim.

The more you are part of everything, which can consider in the, the broader sense critical industry or critical infrastructure, the more you are anyway at risk, regardless of how difficult you make it, because you might, but should be just a target of whichever other attacker Speaker 11 01:14:28 Take a look. Exactly.

So this, my segment was really only true for organizations and not for the state driven stuff, or if you really want to break down shutdown, critical infrastructure, something like that for like the example from Martin. I think you, it was you from the black art book where they attack the energy sector over the world. Okay.

So the, the costs related to an attack to becoming the victim and all the related stuff during the time, you're not able to work. Maybe you are not able to produce your product, you to offer your service must also be part of your calculation, how much you invest into preparation or not. And not enough, we have some paradigm, some, some thoughts about things we have to deal with in cybersecurity for our organization. The first thing is for sure, we need an organizational structure, a way to work, which is as secure as possible. But on the other hand, it must be manageable.

It must be manageable for the people and for the it admins. And if it's too complex, if it's too difficult, you again, have a different attack vector here. And on the other hand, people will always find a way to do something. And the second point is work from anywhere, work from home, bring your own device. We realized in the past one and a half years, that working from home is possible. So I'm pretty sure this will be more the standard in the future. And this is something where that we must use to prepare our organizations for many organizations, did it the hard way in the past.

I just noticed from my girlfriend, she's working for a huge organization and in March or in April last year, Monday morning, VPN service when 10,000 of people tried to, to lock in it didn't work because they went prepared for something like that. And that's a thing.

I mean, we have different paradigms ideas during this conference for, for instance, like sea trust, sassy and all that stuff is possible, but this is something you need to know in the transition of your organization in the direction. So it's really, really a relevant thing. And on the other hand, again, a challenge, one thing makes it more secure, more authenticated, more validated, but on the other hand, maybe you open other doors and this is something you need, you have to keep in your mind.

And also what we did in the, when did we start to call it cloud, I don't know, 10 years the cloud first approach. So put everything into the cloud use services in the cloud. This makes it more complex. And maybe going back to the, to the topic cloud used as a storage driver, maybe we use AWS and the S three buckets to store to back up our data. This could also be encrypted during an attack during, in ransomware attack, or maybe in the worst case, it could be possible that your teams, folders, your SharePoint follows in the background could be encrypted in some way.

That's honestly a little bit more difficult because you need some API access in the background, but it is potentially possible. And this is something you, you need to be aware. And it's not only for teams. This is relevant for Google drive and for all the other services, because at the end, also in the online systems, for sure you have access on a different level, but all of these services offer API access. And on a certain level, you have access depending on the user.

And if you don't have an, an eye on these accounts, you again, have a huge attack surface here where you potentially could encrypt all your sales data, all your customer data, whatever. And this is possible. This is something you need to be aware. And if you're working on something like modern approach for offering application step services and all that stuff, DevSecOps is also relevant.

So the, from development to deployment on specific platforms on cloud platforms or any container platform, there could also potentially be an specific attack vector here, maybe like the supply chain example at the beginning, the initial image of an container is harmed is infected with whatever. And then you start to use this as a foundation for, I don't know, for your whole web shop, which has, I don't know, 10,000 of excesses each minute.

And with one click, everything is offline, encrypted, whatever, if you don't be aware of something like that, and this is really something you need to know, you need to be aware of when to think about the preparation into cyber incidents or ransomware attacks in that case, you want to add something? Yeah.

I, I just wanna add a little bit on the, the Def S part and, and I had a very scary window briefing recently was one of the, the providers that delivers solutions, which help you managing this multicloud multi hybrid, it, which helps you to manage your infrastructure as a service. And, and when you look at standard configurations in that space, it is problematic. Let's phrase it like that.

Where, where, where, where we think, you know, sort of over entitlements, we had got a crib on whatever onlin, Linux and windows servers over the years, at least to certain extent they are more or less the norm because the tendencies that, that this comes by default and, and by design. And, and clearly also to a certain extent by if a developer controls this environment, that person might quite commonly is not that much driven by security thinking or identity thinking, but by I won't solve a problem and get this code done.

And so, so this is clearly one of these areas which will make it or already makes it more complex. And, and the defs ops seem is, is something we, we definitely, and I would say, and the entire question on, how do we get a CRI on this increasingly complex multi-cloud multi hybridy world is, is really super, super essential. Exactly. And I think you will have a presentation exactly about the topic tomorrow. I think the day after On, yeah, exactly. Really cool stuff.

Because I had already had a look at the slides, just some spoiler and also Def stack ops, talking again about maybe a container pipeline. Maybe you have a scanning tool, which scans all your containers for vulnerabilities, for misconfiguration, for whatever. But usually the containers are not online, always. So they are maybe started for a specific reason. And the other point in time, they are just in a database, which you might not scan. And this is also something you have to keep in your mind. Maybe you think you did a scan on all your Def ops, Def SecOps environments.

You are prepared, blah, blah, blah. And then you turn on an alt container, which is infected and your back at the beginning, and this is something you have to keep in in your mind. I think we will later have also a discussion about backups and how to take care of them because backups are also data and data can be encrypted. And this is something you need to be aware if you think about preparation, but first of all, let's have a look at the overall picture here. So the preparation detection, respondent recover thing.

This is a combination of incident response management, which, which means in case of an incident, you are prepared with the processes, with the people, with the organization, with the technical experts to deal with an incident. So for instance, you are under ransomware tech.

You know, your people know who to inform first, you know, who's the responsible person and you know who to call if you need externals for forensic experts, for instance. So in Germany, if you're an critical infrastructure, you can call the, they have a specific team. I don't know the shortcut, but it's, it's really a specific team that is trained to do forensic analysis, to do recovery stuff and all the things they support you. And they also will advise you in case of paying a random or not. This is for instance, what happened for was the organization was the healthcare sector.

I mentioned in the previous part of the presentation, in all other cases, if you are not a critical infrastructure, you can call the police every federal state in Germany, at least in Germany, sorry for that out of every federal state in Germany has a specific department for such attacks. And they also have experts which can support you. This is something you can do again, depending on which data is affected. If it's customer data infected, you have to call them or inform the base.

Anyway, because you have 72 hours to inform about some incident with da private data related stuff. This is something you have to keep in your mind. And just on hint, I think most of you should know that, but the 72 hours start when you get the first information about something like that, not when the it team starts to investigate something. It's if the one who starts on Friday and the evening, the computers sees some Scouts and bones with the information you have to pay the ransom. Okay. Customer data might be infected. Then I have to inform them and not on Monday at 12 after 72 hours. Okay.

So the overall process here is identification prevention, detection respond, recover, and improve. So no surprise. This is also how we structured this presentation. Identification is basically something risk based.

I, again, or already said things like asset management, be aware of the risk. What happens if it's not available for a certain timeframe, this is a first thing you have to do, because before you don't know, what are your it assets within your organization? What are the systems I have to deal with? If you don't have an inventory, you cannot implement prevention mechanisms. You cannot implement backup strategies, failover strategies fail over strategies and business continuity strategies.

So this is really a first thing, and this is it based usually highly related to the corporate risk management as a sub department, or even in the overall it risk overall risk management of the organization. And I just can recommend to keep this as complete as possible, do regular assessments. And also there are scanning tools to really identify all of your assets. And you will probably be surprised how much things you find within your network.

So the connected stuff that you don't know, and I'm not talking about the typical things like the externals that are in the meeting room and connected to the wifi or to the traditional land here, there are a lot of things, private devices sometimes, and all that stuff. And this can be used as a foundation for your strategy. And then you do not start with, if you have thousands or 10,000 millions of assets with are this MacBook needs that this needs, that you start with a clustering.

So for instance, trustworthy devices, non-trust worthy devices, servers, OT device, other stuff, which is relevant for your organization, your structured server application database. And that's the first thing. And then there's a good thing. You can name responsible people. For instance, you can say for this type of asset, this guy is responsible and then you can break it down in further steps, but usually it's something I can circle or something you do regularly to really improve its step by step. And for instance, then you can define, and this is the prevention part.

All my databases must be encrypted. The keys must be changed. Regular only people was on privileged access management tool are able to access SQL drop table is not allowed or only was for high principle, whatever. Then you can define rules for the assets. That's the first part of prevention. You can then also define, for instance, I need a backup because if this database is lost, if this file system is lost, if the server's not available, we are not able to work. So I have to create a business continuity management plan, maybe in case of the hospital.

I print out once a day, all the information about my customers, about the people which are currently in my hospital with important medication and all the stuff I need to know. And for an organization, maybe I need to create a backup. And if I create a backup, I ask myself always the question. Do I need it once a day, every hour, every second. And what would happen for instance, if it's a four week old backup of an important database in case of in ransomware, I might have the idea, okay. Then I install a backup four weeks ago. So I lose four weeks of my data, whatever I did.

But then going back to Warwick statement or Martin statement, we don't know when attackers started to attack you and maybe depending on the file system and data structure, your backup is encrypted to, or your backup is infected if it's a virtual machine. So you are, you think, oh, okay. Then I install my, my backup from the server. And I used the backup four weeks ago installed. And the sec day after, or maybe four weeks later, ransomware is there again because all the previous installed ware is there. So you didn't fix anything.

And probably you have to pay them more ransom than in the first attempt of the attackers and this based for all your it assets helps you really to qualify what is important, what could happen and what can I do? And this is the first step. And you can repeat it if you have sufficient time and do the first qualification based on the risk, what happens if not available? So usually really you start with the most relevant stuff. I think we have, we have a, a little bit of a discussion also going on.

I think one point is very, very good from, from a Tia saying a breach exercise can be done without actively knowing if an incident has happened highly recommended. I think it makes sense to train. And I think the other thing I, I brought it up more as a question, maybe someone from the room wants to answer.

Did, did everyone, one of anyone of you ever have a LAR in is how in this home I had, I have to say, when did I start with protective measures right after I think everyone is aware this can be happen, but, but I think we, this is probably really standard human psychology and we must get rid of that in it security. We try to, to close our eyes and, you know, it reminds me also in a little bit of difference. I remember once a steering board, just a second, a steering board meeting at, at an insurance company, which was about, I was inland.

It was about risks and, and the, the board members always tried to, to have the risks very small so that they can ignore it. But at the end, it doesn't help us in this case to, to sort of diminish the risks or, or try to ignore it.

We, we just need to face the facts. Speaker 12 01:32:16 Thank you. So what we face as well is not only ignoring that something could happen to me in an organization and do something just after an attack. It's also organizations think that they are prepared because if you go to a large organization, they have everything in place. They have a solution for the, the window service they have, they have something for their client devices. They think they're prepared for people working from home and for cloud.

Then they think they have a multi-cloud approach where this is the best prevention, because it's not, yeah. Everything on, on, on one horse, but in the end, well, I'm, I'm from H sale, big fix. So that's something that we regularly hear from our customers as well. And they only come to us.

No, not only, but most of them after a large attack happened. And, and then they think, okay, if I have everything in place, I'm good, but they are not able to manage. They are not able to automate. They're not able to yeah. Or to hire the right people to, to go there. So I think it's great to have such a session to, to make organizations aware that there's so much more to, to do. Thank you exactly. And in this slide, this is basically the improved part, but the bad thing is between prevent and improve is detect respondent recover, which means something happened. Yeah.

And maybe to add to this, I also frequently, if something goes wrong, then organizations have a tendency to enter the hatless chicken mode. As I, as I call it running around, buying everything they can get in technology, but the tool itself doesn't help. There's a bad sun saying about it by which I will skip here. But at the end tools for itself, doesn't help unless you have all the stuff around as Christopher explains here. Exactly. And this is what is basically on this slide. You're absolutely true.

Most, especially the bigger organizations have everything we have inter chatter comment. I think this one was the one you stated that testing my incident, response management approach, my business continu management approach should be also an essential part of this strategy. So really verifying how does this work? And in the best case, not with a real incident with an fake one, and this is also something you can do for instance, with your employees.

In the beginning, we stated fishing attacks might be the initial entry point, and there are several options to challenge and to train it's not for, for blaming or whatever your employees, there are tools which allows you to share maybe fishing mails and measure how relevant or how many people clicked it, how many people did it, and also offer direct information to you as the one who, who was asking this assessment, but also to the people, oh, there was the following hint in that mayor. I shouldn't have clicked at something like that.

This is something which always helps to improve this process, to focus more on the prevention part, not becoming the, not now becoming the victim of such ransomware or cyber attack. So prevention based on risk based on what or how important is it. If this asset is not there and at the end something you have to repeat frequently and to dive deeper to more specify this, the next part is more or less something. You also need to be aware detection. So I will just go quickly through this topics because we will cover them later on.

But detection is something maybe in security operations center on CDC, they have monitoring, they can detect what is going on in your systems. Is there some strange behavior, some uncommon things they can detect it. And knowing that you are currently under attack is very important thing. In the best case, if it's a ransomware attack before the ransom where it's executed, so the systems are encrypted, then you might have some time to rescue yourself. And then the next part is respondent recover. And this is basically incident response management and business continuity management.

But for sure, this is also part of the prevention part, those processes. I will go dive deeper into that topic. And then later positive presentation also have a preparation part because you need to define something. You need to define the management, the process of people who are there. And then in the worst case, if you become the victim of in cyber tech or in the best case, you were able to recover, you were able to go back to work without paying the ransom in the best case. And then it's time to improve.

That's the best point in time, honestly, to discuss with your senior management about new investments, into cyber security, usually as the responsible person for cyber security, you have a very good arguments, but it's a set. It's really sad if you need something like that, to get more attention for the topic topic after an incident. But sometimes it's the way it is. Okay. Any comments in the chat I saw this? No. Okay. Then the next part is a little bit more deeper into the hybrid service stack or all that stuff. I'm already mentioned it.

In some cases we have container, we have serverless APIs, we have services or software as a service like teams like something from AWS, something from Google, Salesforce, whatever. And we rely on them. We have to rely on them. And for instance, what happens for your organization? If you use Microsoft for your documents, you use Google authenticator for authentication authorization, and both are not available. So you are not able to authenticate against your assets, your services. Then you need a plan B in, in the first case and plan B is relevant.

But on the other hand, you need also the availability of such services, Microsoft, Google, and all the big ones have their service level agreements. And they guarantee you 99 point. So nine nines usually, or seven nines.

How, how is the available of their service, but also important, more important is what happens if they, if they are under tech or your data is under tech, you have an incident. And then the response times are really relevant for the service level agreement. So for instance, if you have a 99.9 9, 9, 9, 9 available, but the response time for an critical ticket is two days.

You know, there's something like, I don't know, one hour first contact or 30 minutes first contact. If it's an a level incident or question, and then they have to answer this for a global acting organization, 24 times seven, this is an important thing.

And this, all these challenges with a hybrid service tech. So with all that stuff here from software, as a service to platform, as a service to API management and all those things, this must be part of your supply chain, risk management at the end that you take care in your prevention part, what would happen happened if something of some of these services are not available? Is there a plan B, do you switch from Microsoft to Google or vice versa, or do you have an other authentication mechanism for your peoples to authenticate, to lock into your systems?

This is something you need to be aware, and this is highly relevant. And the last point here on the slide is, do you have all the accesses you need? So typically if you buy something as a service, for instance, if you go to an Google cloud platform or AWS, you have a lot of permissions, you can configure depending on the service, whether it's a virtual machine or an S SQL database or whatever, you can do a lot on the AWS console, same on Google and same on Azure.

But if you buy for in Salesforce, for instance, you are limited usually on access to data, you are not responsible for, for the service underlying services, the databases and all this stuff. But if there's any incident and someone over a backdoor, or with a backdoor to an API, whatever was able to get access, you are not able to investigate those things. And this is closely related to the topic response times from the vendor, from the organization.

If you raise an, a level ticket or a critical ticket that they must respond, you immediately, because again, 72 hours, even if it's not your service, you are the one who's using it. And if you put their private data and someone used your systems to access it to your cred Analyst, you are responsible to inform the systems. Any questions in the chat, Martin Matthias is writing a lot and you answering. So that's great. Okay. So next slide. Yeah. This is more or less a summary slide of the prevention part.

First of all, understanding your it assets, the things which are in your organization and be able to know what happens if one is available and not the second one is the manage part. One hand, you need to manage your risks. You need to manage your assets and you need to manage the assigned risks to the assets and the corresponding measures. So for instance, business continuity, measures, prevention, measures, and all that stuff. And this is not that easy.

If you have a big organization with thousands, 10 thousands of assets, things devices you need to manage excellence is not the best idea for that. This could work for smaller organizations, but even there it's difficult. And if you then start to do something like an ISO 27,000 or any other certification that shows my systems are secure on a certain level, specific tools can help you for managing your it assets and your risks and manage part or understand part is also very important. Your systems change every day.

You get, you have new employees, you turn on new services, you disabled services. So you need to repeat this frequently to, to get the information about new services and to be able to remove all services, which are not relevant anymore. Prevention also covers the, the more or less parts. So it's not a prevention on the previous slide, it's general prevention. So also invest in something like detection and response mechanisms. So Martin will talk about the topic later on and take again your it assets and Investigate them on that level that you know, what could happen to it.

And then you can define also measures to monitor it, to check what is going on in a normal windows computer. We can do the basic stuff, or it's not basic, it's it, it can become very comp complex. For instance, if you authenticate every Monday morning from your office in Berlin, and suddenly you start to authenticate on Friday and the evening from your office in China, where you've never been before, this is some uncommon behavior, and this can be used in prevention, me measures, or in detection measures. We all know this from, from our Azure logs or from our Google log ins.

If we use a new device, usually we have to reenter our credentials or also enter multifactor authentication, which is a good point better. Speaker 13 01:45:44 Yeah, just I'm, I'm just wondering, you're saying prevention.

You, you should base this on metrics, et cetera. Are these the normal metrics we always have been using inormation security? Or are you thinking of something special when you think of ransomware attacks or is it just the normal hygiene and performance metrics we, we have used for for many years. So Martin, Yeah.

That's, that's, that's a fair question. I, I would say Performance.

So, so KPIs clearly are not what we are focusing. It's probably more, the K is side of the things.

So, so, and, and we have risk metrics is for cybersecurity established for years. So I think it's not fundamentally difference. It's about understanding where your instance are, et cetera. I think we, we, what we need to do is we, we need to Contently update this in the sense of look at what, what our new, new ways attackers come in, what are the things where we can best measure, but it, it's not that this is something which is, I would dare to say, it's not fundamentally new.

And if you trust stars building on what, what we, what so to speak a best practice, maybe would've been for, for a while. Then we are already in a better position. In most cases, at least than most organizations are today. Then it's clearly about drilling down more into the technical details. So below the, the higher level KRI, and that is what are we looking for in anomalies?

How do we, what are we we tracking, etcetera? But that that's the, I would, would name a KRI, A fair that ransomware. Speaker 13 01:47:36 So this is then a fair comment that ransomware reinforces basically the need to, to use metrics in order to measure our measures and, and, and, and activities we, we, we do for, for defense and response, et cetera. Yeah. I would clearly say yes, Definitely. Okay. Any further questions from the audience remote or online, remote, or online onsite or online, Nothing online. So then I would proceed with the last statement on that slide.

Be prepared, not surprised. This is something we want to share with you in this workshop today.

Basically, if you invest a certain time into preparation, then you don't have to be too much afraid for sure. You have to be afraid, but too much afraid for becoming the victim in that case. And at the end, going back to my first slide, the attack surface, everything you do should be focused really on minimizing your attack surface, or if this is not possible, adding controls, adding mitigating measures, technically based to prevent attackers, to get access, to install or investigate stuff, and install any ransomware software in your organization.

And with that, I would hand over to Martin for the next part. He will talk about protection. Do I need to switch the, The clicker, Use the clicker here. You use your own one. Okay. I got this. It was just for the chat. Okay.

So anyway, I'll talk a little about protection and protection. We, we touched it already in, in a, a number of times in some way that we, we talked about what are ways to protect yourself. And I think a lot goes down to, there's a lot of stuff in protection, which happens before you go to technology. And I think this is something we always need to be aware. It's not just that you, you throw as many tools as you can on that issue, but that you start as your organization with your processes, with your policies, with the people that you build on that, that you understand.

For instance, when we, when we look at, when we look at the entire thing around clouds, don't trust that your cloud provider will do everything you need to ensure that, that, that you have understood what, what you do, how you track that your cloud providers doing the right stuff, et cetera. It, it is something you need to do yourself. And it's your job like, like also in the chat has been written. You need to understand who's job. It is to do what in this entire thing to prepare it. But at the end also about technology, I just wanna bring in a few thoughts here for that.

And, and, and some of the, oops, some of the measures we, we, we commonly have, might be deliver less. I don't say that. Yeah. There's that there are not right way ways to do it. I think all of these are relevant to be clear in that everything of this is relevant, but just doing a certain thing might be not enough. And I think this is also this, oh, we, we did it. I think this was in the common earlier sometimes also there's there's this conception, oh, we have a backup.

So we, we are safe. Oh, we did this and, and we are safe.

And we, we need to be very careful here. So parameter protection, I think it's very important that the one thing is to protect a parameter. But the other thing is to avoid that people move from there.

We, we all have heard about zero trust in the past couple of years, specifically since the, the epidemic started where the zero trust really got a boost. And when we look at zero trust, then, then it is about it's avoiding of letter movement. And when we look at the, a anatomy of, of many of the known attacks, going back, for instance, with the RQ idea, attack, that the one thing was the attacker coming in. Why are fishing mills at the end of the day? Why are implanting malware through an attachment and stuff like that.

But then the point was that it moved from there over to it, moved from there over to more and more systems until they ended up at the seats back in the days. And so I, I think we can, we can clearly discuss, and this is part of the, the, the comment, I, I think both is relevant, but it, the point I'm bringing up is not that we don't need pyramid protection.

I'm, I'm a strong believer. We need it, but we need more than that.

And we, we, I think it is the usual thing. You know, if you, if the attacker is through the, the, the gate of the, or the castle, then the problem trust gets bigger and it's not. So you don't feel safe behind the walls. So to speak standards here, trust the other thing is backup and versioning. We need to be aware that that attackers also have understood that there might be a versioning, that there will be backups and that they have, that they are looking at how can they bypass that? So how can they even deal with versioning? How can they create a lot of versions of files in the short period?

So you need to plan for that, which means you need to, to have a defined state, to go back, at least for the very critical information, which is not just an online backup, clearly online backup is more of, of a target than, than something you have offline. You need to mix it. You need to figure out what is the right combination for which data you have need to have a plan here saying, I have a backup for itself, is that sufficient doing backups, right? Doing versioning, right? Doing it in different ways, understanding the data, understanding also how to get back from there.

How do you make your systems work? Again? I think a lot of people are way better in backup than in a restore. So that is part of the play encryption. Yeah.

If, if, if it's, it's a file that is in itself encrypted, but a file on a file system, it can be encrypted again. So it's double encrypted. Doesn't have you much that you encrypted your file. If you're realistic, depends on how it done, which types of approaches you're using, how you protect that.

If, if the, the system, why it's that files without can be encrypted without adequate entitlements here, again, a little bit better, like in, in some of the information protection approaches we see these days patching and updates. Yes.

Oh, for sure. You must patch. You must update and you must do it quickly as automated as you can, et cetera.

I'm, I'm a strong believer that the risk of not patching fast and consequently is way higher than the risk of every now and then a patch causing a system to fail that equation might have been different 10 or 15 years ago. Maybe, maybe not. But for today, I'm absolutely convinced. And when I hear people saying, oh, we, we have first, we get these new pets. And then we test the system 30 days. That means I leave the door open for 30 days. I think we can't do that in this way anymore.

Clearly there are environments with critical systems specifically when we go down to the operational technology space where we need to be, be more careful where we have the safety aspect aside of the security aspect. But even there, we need to, to figure out approaches because so to speak, if, if the consequence is that we, we either fail by patching or we fail by being attacked so that by patch or death by attack, then, then, then it's, it's, it's not a consequence we should face. We should figure out ways to get better on this. How can we do it better? How can we improve our processes?

So, and we also for updates and patches aside of doing it, we need to be aware, even then there are so many, I think zero day attack is a MIS is a misnomer. In fact, it, our minus days attacks. So the attacks are already running for a long time until the attack becomes prominent. Zero day means when it, when we learn about it, it already is running. We have no time to be prepared effectively. It's running sometimes as we learn for, for, for sometimes, for years, as we know for many years.

And so we need to be aware, even if we are perfectly patched, this is by way, not a hundred percent security. Okay. There's no 100% security. As we know everyone who has seen the movie Illuminati has learned about it, latest when the eyeball was lying on the floor, but at the end of the day, always ways to bypass security, to be clear about that. And the cost of 100% security would the limit would be towards infinite. So we can't be perfect, but we can get better. And we need to understand the things, the other slide, some ideas to look at that that might help better.

And so awareness at the end of the day. And I brought this up earlier, humans are the weakest link, still they're at least one of the weakest links. I probably would there still to say the weakest link, because as I've said, if you send out a sufficient number of phishing emails, someone will make a mistake sooner or later. And so drain them, drain them in a, in a well sought out manner, not once a year for half a day in a room, but do it continuously do it short.

And my main recommendation on draining is do it in the context of the personal life, because everyone of us also is scared of becoming a victim in the, in the personal life. And that is what people best understand the own banking, the own smartphone, the own email, where I start the daily things. And this really helps from my experience creating awareness.

What, what helps a little if done right again, cloud storage for now. And I make a big for now here. So attacks usually are, are concentrated on the local.

It, however, if you, if you, for instance, I haven't fully figured is out, but if you, for instance, using synchronization from, from teams or SharePoint down to your one drive on your local hard desk, that might be exactly the wrong way. Interesting to, to figure it out. We're not exactly a hundred percent sure on that. Sometimes something I have on my, my list of things to research in detail, but at the end of the day, it, it is something to look at will this last forever.

I think when you look at the impact solar insight on even Microsoft and the, their environment, probably not, it can happen at scale, worst case, probably even there. And on the other hand, we also learned over the past year, when we look at looked at some of the things the cloud can be, can disappear quite quickly. So to speak sometimes for trust a while, like with Fastly or Akamai or the Facebook thing, sometimes, probably forever.

If you looked at the O VH cloud fire in, in Strasberg last year where I think 85% of the customers from what I've heard, didn't have a disaster recovery plan in place. So the cloud data center burned, no recovery plan. What does it mean? No data. Didn't an access management. Yes. Privileged access cloud.

So, so when you look at the cloud service access to cloud resources and the infrastructure as a service standard, anti access management, restricting entitles, all these things are measures and basic, by the way, also basic hardening. I, I I've, I've already told, I've wrote this inside windows and teasing many years ago, I've wrote also a ton of books on that.

And, and I explained, so, so, so frequently, how can you get rid of the regular use for instance of a domain admin account? So if you look at a standard windows andt or not windows andt windows server environment, these days in many, many companies, how frequently will you see that admins still on a daily basis, go in with a domain admin account with the full, full rights. If you do it modern three times a year, you'd probably do something wrong. So it's still also going back to standard measures and ING access management is super essential. It's about identities.

It's about access is about identifying. If you don't take other things like seam identifying the anomalies. And by the way, anomaly detection is very important. It will not detect everything, but it will help you to understand the things which are not the normal anomaly detection. The smart thing brings must me to the point, number four, beyond seem to soar. So seems to security, information, security, information, and management, and sores security, orchestra, automation, and response, which is so to speak the next step. So SIM analyzes the data and says, oh, there's a problem.

So ours says, okay, there's a problem. Let's fix it. So to speak.

And we, we need to, to do that. We need to, to have technology in place, which also helps us detecting. So to speak the unknown, because back to what I said at the beginning or earlier around, for instance, zero day attacks the problem with, with status, there's something going on, potentially on your systems. And the only way to detect is not by looking for whatever virus, signatures, or signatures and stuff like that, because you don't know them. But if there are unusual behavior patterns that can give you indicators, this is a tricky, this is a complex thing. This is not easy.

And AI is by far not as, as, as mature as I'd like to see it, but it's something we, we need to have an eye on. We need to think about. And so at the end, we need a set of measures. And my main main message is not to only debtor that never it is a combination. It's about the right combination.

I, I always tend to, to paint simple metrics, I'm an Analyst. So I, I try to, to do everything in the matrix, a picture always. And for instance, you look at what is the, the risk mitigation impact technology has, what is the cost it has, if you created right. And the upper right edge, there are the technologies, which are not the most expensive ones, but which have the highest impact. And there are some which are costly and have a high impact. And there are some which cost a lot and have a little impact.

And so, so you can also do some sort of portfolio assessment. You need to understand what delivers to your risk mitigation. What is the right combination? Because at the end of the day, you always need to be able to handle that. And you need number four, here, you need the staff, which helps you to correlate everything across a single tool, because that's what we have. You need this, this perspective, this correlation across everything that already was it basically from my end, one question, maybe someone wants to comment on that. How would you start to implement your protection requirements?

What is from your perspective, the most important thing to do Can please go back to the slide 24, the point would be back up now, the other one, you know, 0.2, backup and versioning. You mentioned here that that backup could be already affected. So the question is, how can I detect this? Because when I have an offline backup and you're told an hour ago that the attack is about 72 days here in my network, so that all backs are broken. So the backup is needless good mention there in the check. I would really place windows.

It's, It's a good mention, but It's not Really possible anyway, in our environment. Yeah.

I, you know, I think, yes, it might be that, that you're, you know, if the attacker is long enough in this, at the end might be the case, does it mean we shouldn't do backups and versioning? No. Can we detect everything? Maybe if we know the pattern of the malware at a certain point, we, we, we, we potentially could scan for it. Can we do that in the, the truck time we have to recover difficult.

Oh, really? Yeah. Yeah.

So, so I, I think, you know, yes. And it's, unfortunately, I, I can't come up with that. Holy grail of ransomware resilience and recovery.

It's, it's, it's a mix of measures, which helps you mitigating risks, which helps you potentially reducing the impact, but there's no, at the end, there's no guarantee that all this works out for your specific case. So you also, always, I think part of, of preparation always is also that you discuss ahead with your board and your insurance, whether when, how much you will pay, because what I've also learned is that sometimes then these discussions already take way too long and you need to make this decision ahead of what is it worse.

So to speak for me to pay at the end of the day, and then can I get an insurance for that? All that stuff is part of the story, But maybe not the goal because when I have, when I paid and then they have the back door already installed. So they come again, you told me for one of the first slides that 45% are coming back again to see you. Yes. But what is your alternative sometimes? I don't know.

I ask you, you, you are a professional. Yes.

I, I, I am. And, and, and I trust can say you can bring up a number of measures to mitigate a risk, to, to reduce the risk you have. You can't bring it down to zero. So part of the game is that you also prepare for the worst case scenario. So back is part of preparation. So our theme is part of the preparation, all these things add together and, and make it harder that to attack you, they make it less likely that something really server happens. They make it potentially easier for you to detect there's something going on to isolate, to sort of reduce the impact of the system's overall affected.

So, but it is not that there's a, a simple solution or even one user, which helps for everything battle. Do you have it that solution? Yes. Speaker 13 02:07:58 Yes, absolutely. Speaker 15 02:07:59 Oh, but that's why you're CEO. Speaker 13 02:08:03 No, I think it, in my opinion, it it's very, obviously there is no simple trick. Yeah.

And if people think they can remove or, or not do all the things Christopher presented earlier, like the prevention measures, the detection measures, the respond, the, the respondent recover measures, and just rely for example, on backlog, on, on, on, on backups that won't work. Because if you don't have the detection capabilities, I mean, you will never find anything in, in the backups. If you have the detection capabilities, it's not guaranteed yet you find something. But I mean, that is exactly the, the, the remaining risk. We all have insecurity. There is 100% security. Absolutely not.

Right. Sure. Yeah. Just in addition to, to that backup discussion. So as Martin already stated, it's a mixed measure. You can implement here, practical example for what you do in such cases. If you are under tech, you have a backup and you don't know whether it's infected as setting up or having a sandbox environment and install that offline backup there and check whether the specific ransomware you investigated in parallel by your forensic experts. Is this in this backup, or also there or not. This is something you can do if you are not 100% aware or currently are under investigation.

So don't know, 100% what happened to me then you should really take care with going online with that backup. But this again is depends on the risks or at the end of the cost. What happens if I don't turn it on not able to work, it costs me 2 million a day. If I turn it on, I can work three days, but it's the danger that it's infected to. And this is the trade off at the end. And exactly these discussions, these thoughts must be prepared. This is an important thing.

You need to be aware, what are the people who are involving or at the end, responsible for such decisions, whether to take it online or not. But the easiest way, easiest way, the most secured way is having a sandbox environment, scan the offline backup, and then go online or even not. Please place another question about one thing I'm missing here in the protection requirements is for me the tiering of the admin accounts, excuse me. One thing I miss about the slides of the protection requirements is the tiering of the admin accounts. So you have every tier has a separated admin. Yes.

And you have no crossing, and this is potential in my opinion. So it is, he can attack one tier. Okay. You lose your clients, but you protect your servers. Okay. When you yeah. Agreed service. It's Very, I don't, I don't don't say at all that this is a complete list was just a number of points. So Christopher just has, has recognized that, that our workshop is running until 12, not until one as he had in mind.

So we, I think we need to speed up a little, the things. And I proposed that we skipped the break. We hadn't in mind, otherwise we probably will not have enough time for the, the remainder of the workshop seems so, first of all, it's up to you. Yeah. So we skip a break. 10 minutes done. You hope you had. Okay. So let's get welcome back from our break. I hope you enjoyed your coffee.

No, the good news is at one, two, no. At 12 o'clock. Then we have the lunch break. So you will find something to eat in the area outside where you also find the coffee. Okay. So next part is talking about response. And just from a timing perspective, it's better if I just talk 10 minutes, right? Okay. So if you are under attack, so it's Monday morning and you get the information, say I have fancy desktop background and I'm not able to access anything.

Typically, a lot of questions raise up for you as an responsible person for security in your organization, or for availability, whatever. And these are written down on that slide. So the first question usually came up, who can help us and important hint. These questions are something you can prepare who can help us as already stated you. There are usually external experts, organizations who are specialized in exactly supporting you as an organization in such incidents. And you should have contracts with them. Service level agreements, response times, whatever this is, their job.

They have experts. They know most of the systems. If you are more Unix based or container based or windows based or Oracle mainframe based, they have experts. And if they need additional ones, they have them too. So this is something which should be prepared for sure, depending a little on the size of your organization. Then we also have, who is responsible. Who's the lead in your organization. So is it the CSO? Is it the chief information officer?

Is, is it the chief executive officer? Is it the chief security officer or is it the, the head of cybersecurity? The head of security. There are a lot of people or the head of operations might also be a potential candidate. And this is something you have to define. First of all, for sure. Or usually it's some named person and you also need deputies because people are on vacation, sick leave weekend, whatever. And this is something you have to cover depending on the size of your organization. And then, and this goes back to the preparation part. Are we still able to work?

This is the first question which usually came up, are all systems affected or how many systems are affected? What is the impact? Can we work or not? Then backups. We talked about that. This is typically also a question from senior management. Do we have backups? Yes. Then install.

No, yes. Maybe we talked about that and what are the next steps? And this is mainly an incident response management process, which bigger organizations should have, and it should be tested to something we discussed. Also whether organizations have a lot of processes, products, services, whatever, but it should also be tested once in a while. So an implemented incident response management process, I will share this on a later slide. The next question is, do we inform our customers?

Or how do we communicate for those of you who are familiar with incident response management communication is an important step. And you have not only the internal communication, maybe confidential, internal communication, but also if customer data is affected, you have to what needs to be communicated or do you have to announce some or create some press release because you are offline for three weeks.

Again, if you are a big social network, that's not relevant for you, but for others, it should be who must be called at least in Germany, the police of your federal state, if you are critical infrastructure, the UN inform. And if customer data is infected also to be I for you. And then a question you can prepare for this question, maybe you need, or you use the input from today's workshop. Should we pay the blackmailer?

It's a matter of risk and the concrete situation, but I think it should be clearly stated that we recommend most of the times not to pay because otherwise the blackmailers would love to have you as a very re reliable customer that this is nothing, nothing you want to achieve. Okay. And next slide is incident response management process. So this is really only for a rough overview. It involves this, usually the team or you, you need a team for that specific incident response management. You need a responsible person.

And depending on which systems are affected, you need the technical experts too. Or the people who know the technical experts, your organization should be prepared for that. Which means even the guy who is, I don't know, cleaning the windows needs to know what happens if an incident happens.

So this is part of your training strategy that people know who to contact first, if there's something, because again, if it's a GDPR or a relevant topic, 72 hours and a communication strategy, as on the previous slide stated, think about that first and prepare something how you would act if something is happening, if you're a bigger organization, you usually have experts for communication. But maybe in that case, sometimes also the legal department makes sense to involve here.

So this is from an organizational team perspective and from the technical process, what happens if you are under attack right now, usually everything start starts with an detection thing. So we realize there is something, then you have a triage. So an investigation looking impact and all that stuff. And then the next step is, okay. I know there is something, all our windows servers are affected. All our windows, clients are affected.

All our MacBooks are blocked, locked, encrypted, whatever, but there are several systems, unique space, unique space, but not Mac, which are able to work into access. And in that case, containment is a good thing to limit the impact if possible, to really build some virtual walls or unplug cables. An important, a first idea of people is usually to turn off effect systems. Don't do that, especially in the triage phase. When the forensic experts have a look at your systems, what happens in the memory is a lot of information they can access. They can use to investigate what happened.

And if you turn it off, usually it's deleted and you can never find such information again. So the simple thing is really to unplug the cable. If this isn't possible in some way, even for virtual, then for sure, you know what happened? You contained it. You try to remove it in some way and then start the restoration. So really to maybe reinstall the servers, import the backups, whatever you prepared or not, and then inform in the notification part, inform your internal organization, whether it is soft or not, or what is opened, what is lost, what is still there.

And also if it's an GDPR relevant thing, you have to inform the BSI or the customers can also be informed here, but in general, the communication strategies, unparalleled stream here, and a very important thing. And this goes hand in hand, was a discussion we had earlier review use the knowledge you learned during that process to improve it, do something like an retro perspective meeting, have a look, what went good?

What went well from a process perspective, as well as for an technical discussion, use the knowledge from that incident, maybe to ask for more budget, for specific measures, whatever investigations. That's an important thing with that I would forward to, I think Warwick, right? Thanks Christopher.

Yes, no, we're moving into the recovery stage now. There's kind of more or less wrapping up things, putting together. You'll hear sort of touch on some of the ideas that we've had already.

So I, I guess the, the important questions to ask yourself here now, you know, what is the goal? So the goal is to recover, to get back to your minimum viable business so that you can actually carry on to push your, your things out the door. So like that aluminum company in, in Scandinavia fund, they, they had to find ways of getting, getting their, their product out the door. And the interesting part of that story is where they were able to do was where they were able to restore the manual overrides.

So kind of automation is great, but in a way it's always good, perhaps just to, to keep the manual on the manual version handy, because you never know when you may need it also with the telephone attacks and other several attacks we've seen where they've gone back to the manual ways of doing it. So, so that's kind of the thing, and you've gotta decide what your priorities are. So I don't know if you want to contribute directly or in the chat, just give us a, a message. So recovery is, is more than just recovering your data.

So that, that seems to be the most important thing. But as I said, it should be taking care of the, the whole business. And as Martin and Christopher touched on is, is kind of learning from, from that experience. So the recoveries from the, the two perspectives is the operational side and for the ongoing recovery. So we'll look at those in more detail. So the operational recovery here, we we're carrying out the, the recovery plan to bring the back business back to full, reliable capacity.

So this is where we are gonna be launching in parallel the business continuity management plan and the instant response plan. And on just a point on the business continuity there's, you'll see, there'll be some stuff on, on the keeping a coal website, where we talk about the necessity of, of putting together your security teams and your, your business continuity teams. Cause I think often in many organizations, these two things working in, in silos and they don't talk to each other.

And increasingly we see the value of getting, you know, basically your aims are the same, but you've got one team rushing around doing one thing and the other team doing the other thing and perhaps fighting for budget. Whereas if they, if they cooperate, then you, you can get a bigger collective budget and work collectively together. So that that's a point to bear in mind.

And, and we made this point many times, this, this should be something that's already designed and tested before an attack. You don't wanna wait for it to happen before you, you start working on it and then your ongoing recovery, that means improving your cybersecurity functions to mitigate the impacts of future attacks. So let's look at that in, in, in more details, your operation recovery is going to be, it led recovery. That's your instant response management as detailed by Christopher and then the business lead recovery, which is more on the ensuring, the continued availability systems.

Cause I said, these things have to, they have to work together. So we had the discussion about the integrity of the, of the backup work with your vendors. If you've got a backup vendor say to them, look, if I were to be hit by a ransomware tech, what could you do for me?

And then, and you'll maybe shop around on that basis. Just find out what, what the, what the vendors can offer you in terms of checking the integrity of the backups they're making for you. And perhaps go with a vendor. Who's gonna give you the best assurance that they can enable you to, to, to check the integrity because you don't want to, you don't want to reinstate something that that's potentially infected as we discussed earlier. So reinstate the backup if you can.

And if you, if you feel confident in it and here your, your managed service providers share the responsibility, and this is where the importance of the SLAs and your understanding ahead of the time, what it is you can expect from, from your providers. And then recovery's longer than, than just getting rid of the, the, the threat you've got. This can take time. It can take months to recover. So kind of base base everything, your objectives on your business, critical priorities. That's why it's also important upfront to say, okay, what do we need to restore first?

Do we really understand what it is that we need to get up and running with? Because if you don't understand that, and you're only having those discussions in the middle of a crisis, it's just way too late on the business led recovery side, you follow your business, continuity, recovering plan, launch your crisis organization.

And, and you can only do that. If you have one, it's no use having even a plan. That's got dust in it in the cupboard, unless you have a plan. If you have a team who know, okay, when we get the call, these people are the people involved. This is how we contact them. This is how we communicate. These are the things, these are the things that we have to, we have to do. And then decision making is important. This is also about recovery.

You need, you need someone who can say yes, I think often in a crisis, everyone goes like, well, should we, what do you think? What do you think? What do you think?

What do, what do you think should there must be someone who's going to make that decision? Who can say, yes, we can allocate these resources.

Yes, we can spend the money. Yes, we can. Whatever. And if you don't have that, then you could end up in a, in a paralysis situation. Or as Martin says, headless chicken situation, which, which you don't want to make sure you have the lines of business lines of communication in there. And then you make sure that you have someone to, to manage the social media and, and, and manage the, the compliance side of things. Okay. So ongoing recovery.

This is about continually improving and preparing for the next attack, because I can't remember who the quotes attributed to, but I love that quote about never let a good crisis go to waste. You know, you try and get as much out of it as you can.

And, and so this is what we're gonna, we're gonna look at at here. It's an iterative learning process. You need to keep in mind that that kind of the, the resilience that we're talking about, it's just the foundational piece, but we need to work towards it all the time. It's not just something we can do once and say, okay, box ticked. It's done.

So, as I said, in the very beginning, the, the key word in the title of today's workshop was resilience. And, and here's a definition. It's the ability to resist absorb, recover from, or successfully adapt to adversity or change in conditions. And I think if you kind of take that to heart, that that'll be a good, a good guide in preparing for any kind of cyber attack, because although we've been focusing on ransomware today, the point has been made by several of you and by Martin and Christopher, that this is really not something other.

So while it is very important to be aware of the business model and the, the kind of opponents that you're going up against, this does come back down, boils down to cyber hygiene. You know, if you, if you're following best practices and you're doing all the things that you should be doing, this is gonna hurt you a lot less than if you're not doing backups. And if you're not doing patching, and if you're not doing privileged access management, I mean, that's also something we haven't spoken about, but, you know, that's part of the whole, the whole lateral movement thing tomorrow.

I I'll be moderating a session on lateral movement and talking about the value of segmentation in the context of zero trust. So if you're interested in that, make a note to, to pop along to that.

So what I, I did on the resilience side was I just made some bullet points. Kind of what that boils down to is, is, is, is gather the data from your systems. So if you've got all these systems, I think we mentioned SIM and saw and all you've got all these systems, look at what they're telling you, identify as Christopher said, what worked and what didn't.

So you know what to discard, what to retain and what to improve and use this as an opportunity to review your cybersecurity and ransomware incident response plans and review and update your security tools, which ones did you use, which ones gave you value. And, and you can, you know, you need to have a look at your portfolio all the time. Martin talks about this, about, you know, it's, it's, it's no use having a zoo of tools and then nobody can use them and they're not delivering value.

And then as Christopher mentioned, prepare a post-incident report, communicate to the business, what you've learned, and, and this can also help in getting future budget. We've also discussed the trade offs in terms of the backup thing, decide whether it worked, you've cut.

You, hopefully you've come up with a strategy we're gonna back up so often we're gonna have an offline backup here. This is what we're gonna back up. So at this is the point where you can assess, did it work well, or do we need to change? Do we need to change? Do we need to back up active files more often than, than dormant fund dormant ones? So this is kind of a cost reward analysis thing. And then moving on to the diminished capacity, what did the crisis organization tell you again, look at what worked well.

Can, can processes be streamlined or, or eliminated during normal operations. This is also an opportunity to improve your business as usual.

Again, I don't let a crisis go to waste why we're not updating, Sorry. Ah, okay. And then continually practice.

As I said, having a having plans that are gathering dust somewhere is just no good run test exercises so that your team is prepared for a variety of, of scenarios. And no, I recently watched a BBC television series about a submarine, and there's great confusion between the, the characters as to whether this is a real situation or not. So try and get to the situation where you can simulate an event so that maybe people don't really know whether it's an exercise or not.

And they, they real, they understand what it is they have to do or realize they don't understand what it, so you can fix it. So by the time you do get hit by something it's not gonna come, is gonna come as a surprise.

And I, I think that's basically that section done. And I think it's now just time for Martin to wrap it up and put it all together. And hopefully you found that useful in the recovery stage. Yeah. So I think quite, quite a lot of information, we, we, we had in there a lot of discussion, which I like, so thank you very much also to the, not only the people in the room, but also the attendees which were in online because it was very, very active and, and interesting discussion with a lot of valuable points.

I think what, what if tried to, to tell you is it's, it all starts with, with really Accepting that there's a challenge preparing for the challenge, taking, taking measures to mitigate risks, even while there's not the silver bullet again. So to speak the ransomware empire, to stay in this picture, which is, which is a challenge we have.

So, so there's no, no absolute guarantee. And I think we also had following your command and also some, some discussion chat around isolating having different years.

And, and I think if yes, a lot of things come together and what we didn't touch much, but I think if we consequently apply the, the added zero trust principles, that also helps us the thinking with, with, with our, our fight against ransomware, because it's about very verifying it's about avoiding that we have sort of one big chunk of, of, of it where everyone can move around. Literally that's where zero trust at the end started. And a lot of other measures.

And, and I think only by bringing these together as we, we will be able to also at least if something happens to, to reduce the impact, because at the end, it's about how can we, can we, do we get our system or our it back back to work. So we need to be able to restore. We need to be able to, to recover from that. We need to be able to, to, to current times things as much as we can to, to, to mitigate, to, to limit the impact, at least. And there are a lot of things to do. There's not a single measure. It's really a, it's a team effort. And I think it's also very important.

You always need to, to play it as a team, you need to exercise it. These would be my main, main things. Another takeaways to, to give you it will remain a problem. I don't see that this thing will disappear.

The, the only hope would be that regulators decide on we don't have cryptocurrency anymore. So the biggest impact clearly would come from that saying, there's cryptocurrency, but there's no cryptocurrency anymore. And we would see rents where widely disappear because at the end, that's the reason why we have it.

Now, the reason is people have understood. They can make more money because their cryptocurrency, but cryptocurrency is the enabling factor at the end payments. Okay. Any comments here? No comments online or anything from your end. So thank you very much to being here or listening in online. Thank you very, very much. I hope we could provide you some, some good thoughts. At least probably you already knew a letter of this, but maybe there was the one or other takeaway for everyone here from that. So thank you very much and hope to see you in the afternoon.

Some of the workshops are tomorrow during the conference with the three streams, we will have running. So a ton of information there as well, including probably some, some more rents where information from different angles. Thank you.