Cyber Security Experts

So we cyber security experts end up thinking a lot about prevention, how to prevent an attack from happening, but of course you can never be 100% sure. Our next speaker will talk about exactly that event: what happens if we are being attacked, and what do we need to do? Please help me welcome Florian Jörgens on stage.
Florian, the stage is yours. Thank you very much. So I now have the very thankless task of standing between you and lunch, and looking at the agenda I only have 10 minutes left. I will need a little bit more time, but besides that we also have a workshop after lunch if you want more insights into this topic. So first of all, what can you expect in the upcoming roughly 20-25 minutes? First of all, the mood will be decreasing, that's very important. So the mood will be bad after my presentation, just so we are clear about the expectation.
Because I will lead you through a ransomware attack. It is an interactive tabletop simulation, so you are going to take over the role of the CISO, the person responsible for information security, and your company will be hacked. And we will simulate this over three rounds. In each round, you will receive additional information and you need to make decisions. First of all, regarding the organizational part, you don't need to take any pictures.
Of course, you will receive the full slide deck. So just to make sure you know what to expect in the upcoming 20-25 minutes. Just to give you a short introduction, as was already announced, my name is Florian Jörgens. I'm currently the chief information security officer of the Vorwerk group. If you are from Germany, Vorwerk is most famous for the best kitchen appliance in the world, the Thermomix, and for fantastic vacuum cleaners. And I have been in this position for roughly three and a half years now.
So, like I said, we will simulate the whole thing, which is not based on a real attack, just to make that clear. We have not been hacked, it's just a simulation. And we are doing three rounds. So let's start with a short introduction. First of all, of course, it is Sunday evening. These things always happen on weekends. So therefore, it is Sunday evening. Your colleagues from all around the world are contacting your IT support saying, I cannot work any longer. There's some kind of strange behavior on my computer. Some kind of skull is shown on the screen.
And IT decided, okay, we will now create a major incident. And they are contacting you as the person responsible. Please have a look, there's something strange going on. So what happened? A typical ransomware attack. The attackers say that they were able to steal your customer data. They want around $2 million in Bitcoin. Now it makes even more sense to ask for Bitcoin, given that the price has increased. In a real-life scenario, you will receive a customized offer for your company. They will have a look at your financial data.
They will have a look at your revenue. And you will receive an individually customized offer for your company. And they will ask for an amount of money which will, of course, hurt you. But it won't bring you down. You will get the money back in the next three to five years.
But, of course, it will hurt you in the first place. So let's start with a very short interactive question. What are you going to do first? I'll give you three options. First of all, you can call your forensic company. And I hope you already have a forensic company you will contact in case of an incident. Because normally it's very time-critical to get this information. You can create a Microsoft Teams channel and invite the relevant stakeholders. Or you can declare the emergency case. So please raise your hands if you want to start with number one. Calling your forensics.
Number two, Microsoft Teams channel. Inviting all the relevant stakeholders. All right. Number three. Okay. Perfect.
So, in the end, all these things are very important. But normally you would start with declaring the emergency case. Because it is linked to additional resources, additional communications, and so on and so on. So this makes a lot of sense. So it's Monday morning, of course. More PCs have been infected over the weekend. And colleagues from all around the globe are complaining. So you can now imagine it is a global problem. Let's imagine that you also have some local shops. Half of them have already been encrypted.
The others are still offline due to a public holiday. But now you should already think about the fact that you will have a customer impact at a very early stage. So I'm now asking you, what are you going to do now? You are the CISO. I'm just here moderating. Okay. The first one is leaving. Might also be an option. So what is your idea? There is no right or wrong answer. This is just to share the experience. Have it a little bit interactive. Any ideas?
No, it already has been a long day. Yes? I would make sure that the last shop that is still open remains offline. Yeah. Taking the systems offline. Good idea. Any other idea? Yes? Communicating to the public that due to the cyber incident these shops are going to be closed. Okay. Also a good idea at a very early stage.
Of course, get an overview together with the colleagues from the security management team. What do you know? What do you not know? Containment. We heard that. This is actually the thing where most companies fail, because they do it too late. But we will talk about that later. Talk about the potential business impact. Initial stakeholder information. We are going to talk about that on the upcoming slides. Create an action and communication plan. We heard that. And think about additional budget. This will be extremely relevant in round number three.
And at this point, you should now contact the forensic company. The items in white are additional. Maybe talk to the colleagues from data protection, because the attackers said that they were able to steal customer data. But at that early point, you are not really sure if they are telling you the truth. Round number two. Let's just imagine that you have contacted your forensic company and you receive a security report. In a typical security report, you will receive recommendations like: disconnect. Disconnect the infected systems.
Don't shut them down, because then you will destroy all forensic evidence. But cut the connection to the Internet. This will bring you some new challenges, though. If you are connected to an external IT provider, to your forensic company, they still need a connection to your Internet.
So, it's not just pulling the plug out of the router or something like that. You need to think about what kind of secure tunnel, secure connection, you still want to work with to talk to the relevant stakeholders. Analyze. Analyze new admin users. When we are talking about a ransomware attack, it's not that the attackers get access to your network, install the ransomware, and then wait to receive the money. They want to stay there. They want to stay in your network as long as possible, because it feels like home. They want to install additional malware.
They want to take over your accounts. They want to create new admin accounts.
So, you always have to look left and right. What is going on? Is there some kind of strange behavior? Check the lateral movement of the ransomware.
So, what is the infection path? How is the ransomware actually working? Check for further malware. We already talked about that. And the most important thing, and if you want to take one lesson learned from today, it is: make sure that your backups are protected against ransomware. That means that, first of all, no infected files get backed up, and that the backup itself cannot be encrypted.
This will, sorry, save your ass in the end. If you don't have that, then it's nearly over.
So, make sure that you are in contact with the many companies who offer this kind of service. I don't want to make any commercial for it, but just take care of this topic. It doesn't matter which company, which technical solution provider you're going to choose, but choose one. If you have that, congratulations, but you need to think about something else. You need to restore all these systems in a new environment, because the old one has been compromised. You need to set up your whole infrastructure from scratch to restore all your files. That's a lot of work, actually.
Okay, nobody said that they should inform the employees. So, the encryption of the PCs is going on and on. Let's just imagine that now your servers have also been infected. What could be the worst possible thing now? It's going viral. The first customers are complaining that they cannot work any longer. Your products are not functioning, and so on and so on. And now there's pressure on the topic, because now a lot of new stakeholders will come into play. First of all, your internal colleagues. Your head of sales is complaining that he just bought a house. He's the father of two kids.
He needs to pay the bills, but the CRM is not working any longer. SAP is not working any longer. You have to do it. You now have to work on these things, due to the fact that it went viral. The head of press communication is now being contacted by the local paper.
Yeah, we heard some rumor. Some of your shops cannot work any longer. Some things are going on in social media. It would be so great if you could send us a short statement on what's going on.
Otherwise, we will write something by ourselves. You have one hour. That's okay.
So, be prepared for these things. At least have something like: at the current status, we don't have any evidence that we actually lost customer data. Which can also mean that your monitoring systems are so bad that you didn't even recognize it. But in the end, it's not even a lie, and you still gain some time.
So, what are you going to do now? I told you that the mood will be bad. Don't look at me. Run.
Yeah, run. Go on holiday.
Also an idea. We had that. Advise the shops to take the systems offline.
So, make sure that the infection has no possibility to infect other systems. Alternative work scenarios for the shops. Maybe they can still sell your products and write down the orders with pen and paper. Alternative work scenarios. Something to make sure that the business can continue to work. Business continuity management. The things you should already have done three years before.
Now, it's coming back. You have to think about these things, even if you don't want to. Isolate the infected systems. Separate the network segments. Request proposals for emergency operations. I will postpone that to round number three. We talked about the admin accounts, which might now be created. You need to set up a new, secure, clean environment to restore your information. You have the possibility to get in contact with the hackers. If you want to, please, please, please don't do it by yourself. Don't do it by yourself. There are specialized companies available on the market.
Professionals who are doing this all day long. Ask them. I have seen some real screenshots of discussions with hackers. You can also receive a discount. For example, a Christmas discount.
Because, in the end, there are also people working there who need to pay their bills. They have a family at home. They want to have a nice Christmas. You will receive 20%, 30% off if you pay in the next, I don't know, two to three hours. If you want to get in contact with them, please don't do it by yourself. This is not your playground. There are companies who are professionals at that. Evaluate the necessary steps for potential Bitcoin payments. We will also talk about that in round three. Communication strategy for social media.
And, of course, how to reach your employees. This is always one of my most interesting questions. How can you reach your employees if Microsoft Teams, the Internet, and Outlook are not working any longer? Very often, there are some raised hands that say, Okay, we will send out SMS.
Oh, great. Everyone in your company has a smartphone, a mobile phone from the company?
Ah, no, no, you're right. Someone else said, Okay, we have an app, a communication app, and the employees will receive the messages.
Okay, so everyone has a company phone? No, no, no. They need to install it on their private phone. The workers' council is going to love that.
So, you want to reach your employees, but you're not willing to give them a company phone. That's not going to work.
So, you need to think about alternative scenarios. For example, a friend of mine is also a CISO. They printed posters and put them up in the office.
So, as soon as you enter the office, there's a big sign: Go directly to the IT support. Don't start your computer. But what about the colleagues who are working from home remotely? You need to think about all these scenarios. Round number three, the feedback from the IT colleagues. They cut all the connections. They sent the employees home.
Still, of course, some of the clients are getting more and more infected. But you're very lucky. Your backups are safe. You can restore them.
Now, the colleagues from IT are saying, Okay, we will need roughly, for a desktop client, eight hours. Shop system, less software, five hours. A server, two days per system. SAP server, three days per system.
And now, do the math in your head. Okay, how many clients do we have? Multiply by eight hours. The colleagues from IT will stay in the office for a long time. And they won't see their families within the next days and weeks. And this is actually a real scenario. They will stay in the office for 16, 20 hours, restoring all the systems. And this will create some new questions.
So, where are they sleeping? And who actually has the credit card to pay for their food? Did you think about these scenarios? You might think, Okay, this is very far away, and this won't happen that way. It will happen. It will happen in exactly that way. You need additional resources. You need to involve the workers' council, the colleagues from human resources. You need to take care of your employees, so that they don't get a burnout, to reduce the workload. These are all things you need to think about beforehand.
Of course, sooner or later, it will be in the newspaper. And at least at this point, you need to involve law enforcement. I'm actually a big fan of a very early involvement of the police. We have a very close collaboration with the colleagues in Nordrhein-Westfalen, the ZAC (Zentrale Ansprechstelle Cybercrime, the central point of contact for cybercrime). We are inviting them to our awareness campaigns, so we are sharing knowledge. Because you will only have benefits from that. First of all, they are trustworthy, so you can talk with them in a very open way.
The second thing is, the probability that you are the first company facing this attack vector is very low. So, they already know what's going on from other companies. And they can give you additional information. For example, if your customer data has been published on the darknet, and so on. And besides that, the hackers said, OK, we were able to steal your customer data. You need to involve the data protection colleagues, due to the 72-hour reporting deadline under the GDPR.
Of course, the advisory board is now aware of the topic, since it was in the newspaper, and is asking: why are we paying so much money for your solutions? And now we have been hacked. I thought we had 100% security.
So, looking at the time now, I will move forward a little bit. Business impact analysis. This is a question I receive every time. There is one reason to pay, and a lot of reasons why you should not pay. The reason you should pay is when you don't have any other idea. Your backups have been encrypted. Your whole infrastructure is encrypted.
Then, of course, pay. But on the other side, there are, from my perspective, a lot of reasons why you should not pay. First of all, you are talking with criminals. And I don't know how trustworthy they are. Will you receive your decryption key? I don't know. Maybe you will now say, yeah, but this is a business model, and they would damage their reputation.
OK, tomorrow they will be back with another name, with another brand. On the other side, you will be on the list of the companies who actually pay. And the attackers are very well connected. They are sharing their experience.
They say, I hacked this company, received $2 million in Bitcoin. But they still have these admin accounts with bad passwords, no multi-factor authentication. I found this unpatched version here. If you want to go for it, I will move on to the next company. And the last thing, and this is my main point: you still need to restore everything from scratch. It's not that you will receive the key, type it in, and go back to work. Your infrastructure has been compromised.
So, therefore, you also need to build up everything new. So, from my perspective, I would always recommend not to pay.
But, of course, it is a decision your company has to make. We talked about the clean network. Someone was talking about production. Anyone? Because you cannot sell your products, does it make sense to produce now? Contacting the hacker group. Like I said, please don't do it by yourself. There are companies available on the market who can do this. And still think about how to reach your employees. We have done this exercise at Vorwerk, not in 20, 30 minutes, but in four hours. Together with an external consultant who actually created this exercise for us.
And we had very high-level participants from the executive board, the head of communication, finance, data protection, the CIO. And, like I said, it was done in four hours, each round 20 minutes. And he was keeping the time. And I can say, after these four hours, we were done. We were so exhausted. Because after 20 minutes, he stopped the clock.
Okay, now, what are you going to do? Decision. This is high pressure. But this exercise, which I can only recommend, created two major benefits. First of all, every participant realized that a ransomware attack, an emergency case, is something where every department is involved. HR is taking care of the mood and the feelings of the employees. Finance maybe will think about additional, will think about Bitcoin payments. The executive board needs to make decisions. The colleagues from the communication and marketing department need to talk to the customers, to the other companies you're working with.
So, everyone is involved. It's not that security or IT takes over this topic and everybody else waits until they can continue with their work. And the second benefit concerns a question I receive very often. How do I get budget?
And, of course, sometimes it's hard to explain, especially to the executive board, where everything in security is so expensive. A certification for an employee, five, six thousand. Yearly salary, six figures. A security solution, 250,000 additional, something like that. And in the end, we are not creating real measurable value for the business.
So, what we have done is we changed our way of communication and we created a fictional KPI. It's not something we are really calculating. It's just to make our benefit clearer. And this is the return on damages not incurred. To make sure, or to show, that we are creating a preventive measure. That our return on investment is actually the things which do not occur, the damage which does not occur. And therefore, our executive board also realized, okay, yeah, that makes sense. We will save millions of dollars or euros.
So, an investment is also a very good option. I faced a similar situation in my former company, Lanxess, a chemical company, where we had some indicators of compromise for Winnti. And due to the fact that we could not make sure that we had cleaned all our hardware, we changed the whole server hardware worldwide. The colleagues from IT did this for one year. The amount of money we paid was a high six-figure sum. And I cannot recommend doing this. It was a lot of work. Like I said, or not like I said, I'm pretty sure you now have a lot of questions.
A lot of questions where, at that point, you don't have any answers. That's why I mentioned the mood will be down after my keynote. To make it a little bit clearer for you, I created a handout. In this handout, over seven pages, you will only find questions. Questions like, okay, what does disconnect mean? Is it unplugging something? Who is actually allowed to do this, and where do I need to do this? Who has the credit card to pay for the food? If you want to pay the ransom, who actually has the Bitcoin? How can we transfer 2 million euros in Bitcoin, and what about taxes?
Do we maybe support terrorist organizations? Questions, questions, questions. If you want this handout, the easiest way is to just send me a LinkedIn message. If we are not connected yet, just click on the three dots, connect. And then please send me the message that you want this handout. For those who are more interested in this topic, I can only recommend joining my workshop after the lunch, from 2 to 6, which I will be moderating.
I will show you the handout and we will go through every question and discuss each question among the participants of the workshop: how they have solved these questions, how they have implemented these things, restore plans, communication plans, who actually has the credit card within their company. So if you want to, like I said, after the lunch, 2 to 6 p.m., we will have more time to take a deeper look at this topic. And now I think we are all hungry and ready for lunch. Thank you very much.
Thank you, Jörg. Yeah, I'm looking forward to it. I'm already depressed, looking forward to your workshop.