Good day, good morning, good afternoon, good evening, wherever you are in the world. Thank you for joining today's exciting hands-on webinar, Anatomy of a Cyber Attack: Lessons and Best Practices for the Global Postal Sector. But of course it could be for anyone, so we're happy to have all of you joining. Whether you're from the postal sector or from outside the sector, this will be a benefit to everybody today. My name is Tracy Haksha. I'm from the Universal Postal Union, which is hosting this event. I'm head of the .POST Business Management Unit, and with me is a colleague from the .POST team, Ms. Sam Sabra, who will be facilitating the conversation with all of you. So thank you for joining us. With us today we have two well-regarded experts in the field, and I'm so happy to have them. They will give you a brief introduction to themselves, but you can also find them on LinkedIn if you want some details as to exactly who they are. So we have Mr. Joseph Carson, who is from Delinea and based in Tallinn, Estonia. But as some of you who know his work will be aware, we know him from being around the world doing a whole series of presentations and activities, which is how I found him. And I'm happy to have him after chasing him down for some time. Finally, we locked in a date. It's great, fantastic to have Joe here. And alongside Joe, we have Mr. James Diva, who is also going to give support to this webinar in terms of giving you some of the potential best practices, some ideas of how you can proactively prevent cyber attacks, because you'll see a live cyber attack in operation today, run by Joseph. So he'll give you some ideas of what you can do to prevent an attack and, essentially, or hopefully, what steps to take in the event you are attacked, because some people say it's only a matter of time before something attempts to come into your network. So it's really better to be prepared.
And if you are attacked, what steps can you take during that attack to avoid being completely disrupted as an organization? So I'm happy to have both of you here today as I wait for most folks to join. And I think we can start officially now. We have just about 40 people online, so hopefully others will come on shortly. But I think with this group we can begin the session. As you know, this session is being recorded, so those who are not able to make the start can see it subsequently. So with that, I believe it's a good time to hand over to Joe, who will kick us off with, I understand, some slides and then a walkthrough, or maybe I should say a hands-on appreciation, of what a cyber attack looks like. So with that, over to you, Joe. Absolutely. Tracy, many thanks. It's a pleasure to be here. I'm really excited to share my experience and knowledge with the attendees and audience. And as Tracy mentioned, what I'm going to go through is basically lessons learned from a real-world ransomware attack: some of the things that went well, but also some of the things that went horribly wrong. And hopefully, you know, one of the things is that the victim of this particular attack has given me permission to share a lot of the details about what happened. It's very rare that you get that permission. They want to make sure that other organizations around the world can learn from this and put the right controls in place so that they avoid becoming a victim. I'm going to set some of the context at the beginning. So I'm going to go through some slides that will take you through some of the events that happened. Then I'll get into a live walkthrough, putting myself in the seat of the attacker and walking you through all of the things they did in order to ultimately deploy the ransomware and bring the business to a complete stop. So let's go ahead and get started. I'm going to bring up my slides.
So hopefully you're seeing this at the moment. Can you just give me some confirmation that you're seeing my slides okay? It's coming. We're not seeing any slides as yet, Joe. And we've seen you started. There we go. The slides are now visible. Go ahead. Okay. You seem to be frozen. Maybe your connectivity seems to be drifting a bit. Okay, there's a... I can't see it. Joe himself is freezing a bit now and then. Yeah, it's just... I think you're okay now, Joe, if you could proceed. Do I think Joe is reconnecting, or is he? Yes, he's reconnecting. So while Joe reconnects, what we could probably do is use the chat. Feel free to introduce yourselves in the chat while Joe reconnects with us. I think he's just changing his connection or his device. Let us know where you're from and what country you're working in. And I've neglected to mention, if and when you have questions, please feel free to use the chat box to put your comments and some questions in. But ideally, we'd like to use the Q&A function within Zoom. The Q&A function, as you may be aware, is normally on most screens at the bottom, in the bottom menu structure next to the participants listing. You can put your questions there and we'll attempt to answer them there for you. Okay, should we try this again? For some reason, Zoom just crashed and restarted. So as I was going through, basically, this is the reality check: this is what keeps security leaders and people who are responsible for a lot of IT and infrastructure up at night. There are lots of attacks out there, from data breaches to financial fraud. We see a lot of business email compromise, and insider risks. Most of those insider risks are unintentional; they're accidental, through misconfigurations. And ultimately, you know, malware targeting organizations, trying to steal credentials and extract data.
And all of these can result in some type of revenue or brand damage. You can have data poisoning and compliance failure; a lot of organizations have some type of regulatory compliance, whether it be EU GDPR, the California Consumer Privacy Act, PCI compliance, HIPAA, and so forth. All of these can result in some type of business, service or application downtime. Now for me, probably the most severe out of all of these is ransomware, because it is very destructive. It can ultimately bring the business to a complete stop. But I've seen various different severities. I've seen it in really large organizations where the complete business has come to a standstill and the attackers are demanding millions of euros in ransom in order to hand over the keys and get the business back up and running. And right down to small businesses, where it's a small family business that's providing some type of service. And it's not just about the business: in the small business that I've had to assist with, it wasn't just the business that was down. It was actually the entire family's digital life of the last 15 years that was also encrypted. So not just the financial data and the business services, but also photographs of their family and grandparents who have passed away, completely encrypted. And the attackers at that point are demanding tens of thousands of euros in order to give that back. So you get two massively different scales of severity here. Now as we get into it, ransomware is not something that's new. It's been around for a long, long time and there have been many variants over the years. One of the earliest variants goes right back to 1989 with the AIDS Trojan. This was one that was distributed by floppy disk, and the floppy disk would actually infect the autoexec.bat and then basically make the system unbootable.
And in that case the attacker was actually looking to get the money by having it sent through the post. So for just under $200, you would actually send payment to a post box in Panama in order to get your system back. So this is something that's been around for a long time, and there have been different variants over the years. But I think it really escalated around 2013, when we saw CryptoLocker. That was one of the first variants of ransomware that leveraged cryptocurrency for payment. And since then it's really accelerated throughout the years, where we've seen, of course, NotPetya impacting lots of organizations back in 2016, bringing a lot of the supply chain, logistics and shipping companies to a complete standstill. You see the likes of Maersk and Merck, two large organizations, becoming victims of that and having their business brought to a complete standstill. You've also got Ryuk, you've got REvil and others that continued to cause havoc over the years. Now ransomware is continuing to evolve. It's not just about the crypto type of ransomware that's about bringing the machine to a complete standstill. Ransomware has evolved to exfiltration, denial-of-service attacks and screen lockers. One of the things that we've seen in the last year is that the traditional ransomware, which is very noisy, which brings the business to a stop and takes control of the systems, tends to get very, very high public visibility. The public tends to know very quickly that this organization is experiencing problems. They typically know because the employees start mentioning it on social media, and partners, suppliers and customers can't access their services. So those crypto-style ransomware attacks become very public very quickly. What's happened in the last year is that attackers have moved towards the exfiltration-only method, which is about stealing sensitive data.
So basically, as a lot of the criminals are in countries that are, let's say, under sanctions or under high scrutiny right now, they have gone into this affiliate model as well, using exfiltration as their primary method because it's also a way to stay more stealthy, and there's less public visibility when those attacks happen. And we're also seeing the ransomware code base change to things like Rust- and Go-based code, which makes it more portable and also able to affect larger numbers of machines. So there are lots of different types of ransomware out there, but it's constantly evolving, it's attacking more systems and it's also starting to become a lot more stealthy as well. Now, the attack techniques commonly used by the attackers: these are the ways that attackers look to get into organizations. The entry point is typically through some type of vulnerability, or a misconfiguration; it can be through Remote Desktop Protocol, RDP, or remote access. It could also be via phishing. Phishing has been one of the most common methods, typically getting employees to hand over their credentials, or to go to a site which is compromised, or to go to a fake site and enter their credentials, ultimately getting the credentials stolen. And we've seen that recently, of course, in the US with the large public incident involving MGM Resorts and also Caesars Palace, where both of those casinos became victims of ransomware. If you look at MGM Resorts, it was several million per day in lost business during that incident, and it's still not fully back to complete operations after several weeks. Once they get that initial foothold, it's basically living off the land. The attackers prefer to use the tools that they find in the network in order to elevate privileges, to create backdoors, to change configurations, and to move around and discover the environment.
So they prefer to live off the land, not introducing anything new. Then they want to make sure that the access they have is persistent, that they can come back whenever they want to. Sometimes they use techniques such as what we refer to as sticky keys, or they create hidden users in the background, because sometimes they're afraid that the user they might have compromised might change the password or change the security settings, locking them out. So they want to make sure they're able to come and go whenever they want to. Another area they look at is credential harvesting, which is very common. They want to get as many credentials as possible. Once they get more credentials they can laterally move around the network, and then they elevate up to full domain or Active Directory access. This typically means, once they get the directory access, it tends to be only a few hours before the attackers deploy something like ransomware or very destructive malware. So this tends to be the most common technique that's used and the path that they heavily utilize. The entry point does change depending on the victim, but today most commonly it's social engineering, and phishing is the predominant method of gaining access. Now, when the attack happens, you typically find out from external sources. So the most common ways you'll find out you've become a victim: sometimes law enforcement will contact you. They will be taking down a command and control server or investigating other cases, and in those other cases they tend to find some evidence of other victims. Sometimes your third parties, including customers, might find out when they're accessing your services and are unable to access them. They will then notify you. The attackers might contact you directly. In the case that I'm going to go through today, in this particular incident, the attackers contacted the IT team and the security team. They had all the details.
They had their home addresses. They had their email addresses. They had their telephone numbers, and they contacted them through lots of different methods to notify them that they had become victims. So that's one of the things, you know: the attackers want to make sure that they're actually reaching out and accelerating the ransom payment as quickly as possible. So in most cases they will contact the IT team and notify them. You might find that through social media the attackers are bragging about it. They might be sending it out and really trying to create as much visibility and pressure on the organization as possible. You might find that employees connecting to their systems find messages displayed on their devices that the system's been compromised or encrypted, or you might find out from security researchers. Now, just to give you one example: in this case I mentioned the attackers contacted the organization directly. During the investigation of this incident, myself as a security researcher, I did find evidence of another victim within the logs and the evidence that I was researching and investigating. So I got permission to reach out proactively and contact this really large, really well-known organization. I contacted them and said, during an investigation of another incident, I found evidence that you've also become a victim. Maybe we can work together and share indicators of compromise. And immediately afterwards I got a response saying, no, you're wrong. We were not a victim. And that was the last communication that I received at that point. So later I did, of course, continue the investigation. I actually sent another message saying, maybe you just haven't become a victim yet. Maybe we can prevent it from happening. Maybe we can go through and see if there's evidence that the attackers are already on your network. And no response came after that.
So about two months later, after doing this complete investigation, digital forensics and incident response, it came to the point where I needed to hand over all the evidence that I had gathered to law enforcement and the legal team. And during that handover I wanted to make sure that I notified the other victim, the one that said they weren't a victim, that I was now passing over the data, which included their server names, user names, IP addresses, domain names, passwords and hashes, to law enforcement. So I sent that out just to let them know that this was happening. And then immediately afterwards they responded and said, yes, they were a victim. So it wasn't until I actually had to hand over the data that contained the evidence that they finally admitted it. And even to date you will not find any evidence publicly that they were a victim of this particular ransomware case. So there are different means of finding out that organizations have become victims. Now, when organizations become a victim, they're immediately going to trigger an incident response plan. This is one of the most common approaches. Organizations tend to all have a plan today for different types of incidents, and your plan might look something similar to this. You might have some defined ownership of who's responsible for certain things. You might have a method of communications about who to contact, who is responsible for doing what, and who to involve, and that might be internal or external capabilities. You'll have that updated contact list, and I hope it's updated. In a lot of the incidents that I find myself working on, that contact list is sometimes a year or two old, and the people on that list are sometimes no longer even with the company. Now, for different types of incidents you might respond differently. You might be going through some type of confidentiality breach or data loss. You might be dealing with data poisoning or an integrity attack, or an availability attack such as a DDoS attack.
Now, when we're talking about ransomware, ransomware checks all of those boxes. You're typically dealing with exfiltration, so you're dealing with data loss: attackers have extracted data and are threatening to publicly disclose it. You're dealing with a data integrity issue, which means that the data has been encrypted, meaning that data is no longer available to you. And you're also dealing with availability, because as a result of that encryption you tend to have downtime; a service is unavailable. So ransomware tends to impact all of those. In the incident response checklist, you might go through your in-house capabilities, what your internal team has the ability to do, and you might also have third parties, maybe incident response teams or security teams, that can assist you. It's definitely better to have those already arranged up front, planned and agreed, rather than trying to do it mid-incident. You might be going through a containment process and evidence gathering. You might already have predefined press statements. You might already have legal assessments of what types of regulatory compliance you might have to deal with. If you're under GDPR, you might have to contact the data protection authority to notify them within 72 hours. You want to look at eradication and what your recovery plan is, and then you continue to learn the lessons from this. Unfortunately, all too often when I'm involved in the incident response, the incident response checklist and plan is also encrypted, because it's sitting on a SharePoint, or it's sitting in a document or a PDF on a system that's encrypted. So always make sure that you have something like this that's already easily available, either a printed hard copy or on a device that's maybe not connected to the network. Make sure you've got systems that are offline that you can go to that have all the emergency information that you need.
Of course, once you get into this, one thing I do want to mention is that there's a very big difference between having a plan and being prepared. Some of the things that you go through in incident response: you want to have proper plans and actions. What are your mandatory requirements of who to contact? Who's involved? What's the meeting plan? How frequent are the meetings? Who's going to respond to and start communicating with the attackers? Who's doing the executive summary? How is it made available? What type of information is in there? Documenting and keeping a detailed incident response timeline of when you first found out, everything that happened, and the actions that occurred after that, and making sure you've got that really detailed timeline. What's the attack path? Mapping it to the MITRE ATT&CK framework and understanding all the different techniques that were used by the attackers. Doing a malware analysis of the ransomware itself was something that I was involved in, doing reversing and understanding the techniques and capabilities of the ransomware. What's your data recovery and evidence store process? How are we going to recover the data? And ultimately, how are you going to collect the evidence and make it available to the team at a later stage? Maybe doing threat intelligence: looking through the dark web for any chatter, any bragging, any potential disclosure of data, or your data being up for sale. Understanding what security was in place, and also why that security didn't actually prevent the attack, and then looking at mitigations that will help you contain the incident. How did the data exfiltration occur? Ultimately, how did the attackers get the data out of your organization, and can you track and see exactly what type of data was extracted?
And that will also let you understand what type of regulatory or potential compliance failure you might be dealing with. So that's something to be aware of. It's really important to have very, very solid asset inventory information, so you know exactly what systems you have, what applications, and what data is out there. And then looking in detail at the network activity. The lesson from this particular incident is that the organization had a plan, and they had gone through it and had a good, detailed plan. But the problem during this incident, this ransomware case, was that they never practiced it. They never simulated it. They never went through and actually understood what it would be like to be in that real-life scenario. So there's always a difference between having a solid plan and having a simulated plan. And that can make a big difference. When you go through a simulated plan, it allows you to start understanding some areas of gaps. For example, this organization was a multinational organization, and they had different time zones and different time formats that they had to deal with. And when you're collecting evidence, you want to make sure which time zone you're actually going to use as the base time zone. What naming convention are you going to use for collecting the images of affected systems? Also, what policies apply? Do you actually have documented policies that oversee how you deal with ransomware and security incidents? Who from HR has been involved previously? Have you dealt with legal about whether you want to communicate with the attackers? What does it mean for you in regards to regulatory compliance, and who needs to be notified?
And also, do you have contacts with law enforcement? That can also make a big difference, because sometimes law enforcement might already be dealing with other cases that can help you look at indicators of compromise or methods that help them. In some cases, law enforcement may even have already been able to get a decryption key. So sometimes that can accelerate things as well. How are you going to do evidence gathering? How are you going to get the logs and images? With this particular victim, what ended up happening was they didn't have enough disk space to put all the images on. So we ended up having to do same-day delivery of massive orders of hard disks from Amazon in order to have enough disk space to hold the images. And it typically equals your existing storage capacity at that date. So terabytes of hard disks were being ordered in order to be able to do the evidence gathering. And that's a big problem, because those disks need to go through sanitization. They need to be cleaned. You need to make sure they're reformatted with the right file system. So that creates lots of challenges as well. Then the forensics and incident response team: what identities and user access do they need in order to gather evidence? Because if you're going to be using the same Active Directory accounts that have already been compromised, you're going to be contaminating the evidence. What about service accounts? How are you going to rotate those? Even having a go-bag makes a big difference. Having a bag that's ready to go that has all your equipment. If you're going to be working in a data center, you want to be warm. Where are you going to be sleeping at night? Having a sleeping bag, having some chocolate bars just to give you energy to get you through the day, because this is one of the most stressful times for an organization, dealing with ransomware. Out-of-band communications.
One of the things is that the attackers will have access to your entire environment. So how can you communicate without them seeing your communications as well? They'll have access to email. They'll have access to your communications, messaging apps and so forth. So it's really important to have alternative out-of-band communications that are not going to be compromised through the same credentials. Help the team be ready and able to respond to concerned victims, your customers and partners, and employees. Keep that incident response plan updated, but go through these practice drills. It's so critical. And I can tell you how important time is during this whole process. The first 24 hours are probably the most important for an organization during a ransomware attack. So make sure that you practice and are ready, and you go through this as quickly as you can. The particular ransomware I'm going to refer to in today's example is CryLock. CryLock is a variant that was known as Cryakl up until about version 1.6. Law enforcement did find decryption keys for Cryakl 1.6, but CryLock 2.0 had a much improved encryption capability, which was definitely much better than previous variants. It's also one of the first ones that I dealt with that was ransomware-as-a-service. So the creators of this particular ransomware are not the same people who deploy it. They went through an affiliation or distribution program, signing up their channel partners in order to use it. As you can see here, this is typically what you see. You've got four days, then your data will be permanently deleted. And if you pay within two days, you get a 50% discount. Just to give you some of the figures here, the ransom demand was in the tens of millions of euros, and that 50% discount was still a lot of money, and time is essential here in responding.
So during the investigation, of course, there are negotiators who do reach out, and what's really important here is how you act and work, because ultimately the attackers in this case are going to treat you as being in the wrong, because you didn't stop them from gaining access. So they will treat you as the malicious party, as the person who allowed this to happen. And it's a very tough time for the organization. Going through, here's an example of doing some dynamic analysis of the executable, the ransomware, by executing it. Some of the things I do here: I'll create, for example, large files of different character sets to see what types of encryption are used. You'll see here, this is the temporary folder location. I've got Process Explorer running and I've also got Redsmon running in the background here. So as we go through, let's take a look. You'll see here that the ransomware gets executed. Of course, the prompt here will not be displayed in the real scenario, but in this demonstration it does get displayed. Once it executes, what you'll see at the bottom of Process Explorer is that it actually launches a child process. It does a ping back up to the command and control. So it's communicating externally to notify that there's another victim who has now been compromised by the ransomware. Of course, in the real scenario that one prompt will be auto-accepted. It then deletes the current process and deletes the original executable. And then it creates a child process within the temporary location on this machine. And within only a few minutes, this entire system, gigabytes of data, gets encrypted. So I'll scroll through, and you can see here eventually towards the end, in this folder on the desktop, there are different types of character sets and file sizes.
And ultimately, once this ransomware is finished, it changes the extension of those files. And then there's an HTA, which is a prompt that gets displayed in the background here, that really shows that the system is encrypted and all the files are inaccessible. So this is what it's like for an employee who sees their machine when they log in: none of their files, systems or applications. The operating system itself still functions, but all the data and applications will not be able to access the data. So one of the most important things here for a victim is you want to know what you're dealing with. You want to know what type of variant. Now the attackers in this particular case actually had five different ransomware variants. Those five different variants would determine which one would avoid the security controls the victim had in place. So one of the things you want to find out quickly is a sample of the cryptor. You want to understand what capabilities it has. Once you find that sample, one method is to upload it to solutions like Joe Sandbox, which does dynamic analysis of the ransomware, of the cryptor itself. It allows you to get a good idea of what types of capabilities it has. Does it have command and control? Does it do credential theft? Does it have a trojan? Is it a worm that moves around the network by itself? So you want to understand what you're dealing with, and Joe Sandbox is a great way I've been able to see whether other victims might have already uploaded a similar or the same variant that you're dealing with, to understand some of those other victims' indicators of compromise and some of the techniques that were used. You also might want to upload it to VirusTotal. VirusTotal will give you an understanding of, for example, what types of security alerts there are or what has been seen before.
Now, this was uploaded here months later, but in the first instance, when the ransomware was first seen, only three AVs were detecting this particular variant of ransomware, meaning that if you weren't running any of those three AVs, your antivirus or endpoint detection would not have stopped this ransomware from running. So something to be aware of is that when the attackers have access to your systems, they will try to understand what types of security controls you already have in place. And when they find out what security controls you've got in place, they will use techniques that try to avoid detection, and techniques that will make sure that your security products are not going to stop them. So the next thing here, one of the things I always ask is: what did the attackers have access to, and what were the techniques they used in order to move around? So I want to understand, did they get access to the domain administrators? Did they get access to the domain controllers? What systems did they have access to, and what were those systems' functions? What data did they get access to? What applications? Was it just on-premise or in the cloud? How long was the attack going on for? What tools did they use? Did they leave any backdoors or ways to gain persistence? Ultimately you want to make sure you close those. What data did they take, and how did they extract it? What was the timeline of events? And ultimately, what evidence was remaining? These are some of the things I go in and try to gather in order to answer some of these important questions, to make sure the organization can, one, find a way to recover, but also make sure the attackers have no way to get back in at a later stage. The organization is then faced with a massive decision. The attackers still have active access. They still have access to the network. They still have access to the credentials.
So the organization is gonna come to basically a massive decision, whether they basically pull the plug on their actual operations. What can they go back to manually? What can still be operational? So these are some of the most important decisions. This organization, this victim, ultimately decided to basically pull the plug on the internet access and go back to manual operations. This is one of the things that they decided to do because the attackers were still in the process of trying to exfiltrate the data. They had extracted about 40 gigs of an almost 200 gig database and it was decided to make sure that that data was not being stolen and exfiltrated. So they decided to disconnect their systems from the internet and then work on eradication, work on the evidence gathering. And this is what happens, and you see this time and time again: many organizations are faced with this hard decision about what to do with their business. And this means that their business has basically stopped at this point. Now after becoming a victim, you tend to have only a few decisions to make. You want to restore from a backup. That's the ideal scenario. You want to, you know, some organizations consider paying the ransom and some basically, you know, try to rebuild from scratch. Now I go through and, you know, in this particular victim, I asked, well, what kind of backup options do we have? And unfortunately, their backup was also encrypted. Even just a few weeks ago I was talking to another organization who were also a victim and they had three backups. They had the backup. They had a backup of the backup and they also had the secret backup. And the attackers found all of them on the network and encrypted all of them. So it's really important to make sure that, you know, you have a ransomware resilient backup. It's one of the things I highly recommend going through. In this particular case, this victim was considering paying the ransom and was looking for alternatives. 
The one that I mentioned just a few weeks ago, they did negotiation and ultimately paid 50% of the ransom demand. So sometimes, you know, you get into organizations who consider paying the ransom itself. My recommendation is, you know, I like to look for all possibilities of not paying the ransom, but ultimately, I only recommend against it. But ultimately, it is a business decision that the business had to decide, you know, how they get back to operations. So this particular victim now, going through one of the things that they were fortunate enough about: it was one year prior to this ransomware case. So they're basically facing, you know, their business is completely destroyed. When you talk about that, they had no information about employee contracts. They had no information about logistics information, the invoices that they sent out, who to pay, their financial details, the ERP system, their inventory system, all of that gone. You know, what employees' performance reviews were, what's, you know, what's their salaries, what's their job descriptions, all of that completely gone. And they were faced basically with, you know, what to do. When doing the investigation and doing the asset inventory portion, they were fortunate enough to find a system that had basically, it was done a migration one year prior. That migration basically was a hardware migration because the hardware was not new enough in order to support the new version. So they did a hardware upgrade. Looking at that, one system was still available, sitting collecting dust under the desk. So during the asset inventory, we find this one system that actually literally had a footprint, a baseline, of their entire environment from one year prior. So it did mean that they had this one system that we were able to use in order to actually start a recovery, which meant that they had lost one year's worth of the entire business operations. 
And that process then went into going and scraping drives and getting through emails and trying to recover. Also, they were fortunate enough that they'd just previously done a cloud deployment and the only part of their environment that was affected was the on-premise. So their cloud environment was still available and still operational. So they were able to use that in order to start working on recovery capabilities. But it didn't mean that they weren't severely impacted by this. So let's get into, I'm gonna take you through this live demonstration and do a complete walkthrough into what it looks like from the attacker's perspective. And I will go through and share exactly all the steps and techniques that were done. And so just bear with me while I switch over to my demo environment. Okay, so I hope you're seeing this still. So it's just gonna be, Tracy, can you give me confirmation that this is now being shown? Yes, we can see it. Okay, fantastic. So one of the most common methods, as I mentioned earlier, is using the phishing and compromised credentials techniques. One of the things is that, for many users and many employees out there, even contractors, we tend to use easily guessable passwords and we tend to reuse those passwords commonly. So one of the most common techniques for attackers is to basically try and get a copy of the password hash. The password hash is an encrypted format of the clear text password. And when the attacker ultimately gets a good understanding about what your password history is, they can quickly search for many previously disclosed database dumps out there that contain all your previous password choices. And if you've got a combination that is a simple variation of that, the attackers will be able to create really smart, intelligent word lists that they can go through basically and crack those passwords. 
So you can see here, the big boss here on the system has this encrypted basically format of the hash, which is, this is the hash itself and it's the encrypted one way direction hash of the password itself. So this is what systems use in order to basically exchange and ensure that you can authenticate correctly. Now the attackers, using tools such as hashcat, once they know what type of hash this is, they can basically say, here's the hash, which is this file. Here's a very intelligent word list of all of this user's previously known compromised passwords. And I just disabled the potfile from basically running this before. So simply running this, and ultimately after even only a few seconds here, you can see that the attacker's been able to successfully get the clear text password for this person. So that's basically with choosing weak credentials or weak passwords, this is one of the most common methods that attackers are able to continually, successfully gain access. And then once they've got the clear text password, they can simply become that person and pretend to be that person and log on with those credentials. Now, how do the attackers also, sometimes they get those hashes, sometimes they even just get the clear text password by basically pretexting or asking people for it or just creating fake websites that look like the sites that you're going to. Another common method, excuse me, is using tools like Responder here. So Responder basically will mean that any machine that's on the same network, and this can also be done over the web and email, those machines will try to connect to my machine. So I'm simply just going to run Responder here. And this will take advantage of what we call LLMNR. So over here, I've got two victim machines. I've got this rogue victim, which is this machine here. And I've also got a domain controller. 
And I'm going to take you through the steps that ultimately the attacker will do in order to basically compromise both of those. So first of all, let's log in. And what we can do then, just one second while it logs in, I'm going to simulate what it looks like for Responder to work. So if the user basically, let's say, they simply just get an email and they click on that link, or they go to the website and they click on that, it will basically send the attacker the encrypted format of the password. So I can simply go here and just, basically by doing that, I haven't put any credentials in. I haven't done anything else. But what this action has done is that my machine has responded and said, that network share that you're looking to gain access to is over here. You can gain access to it from this system. So if I go back here, you can see that that victim machine has simply shared its NTLM hash with the attacker's machine. And now that I have this hash, I can simply take that hash, again, bring it over here, put it into a file. So this is the hash of that victim. Again, using hashcat and the mode and the hash itself and simply running this. And after only a couple of minutes of basically running through on this machine, you can see here, I've been able to crack the password in clear text. Now for this particular scenario in the demo here, I have changed the passwords from the real passwords that have been used, just for non-disclosure and stuff like that. But just to let you know that the passwords in the victim's environment were easily guessable. They were passwords that were created by humans. They chose easily guessable passwords and the attackers were able to go through the same techniques that I'm showing you in order to compromise those passwords. So that's one of the most common techniques, being able to crack the passwords. And that's why it's really important to make sure that you choose wise passwords; typically the longer the better. 
Short passwords, anything less than 16, 15 characters, even with special characters, tend to be easily crackable. So now the next section is what other common method in order to get access to that initial foothold is through brute force attacks. So in this particular environment, there was a machine that was publicly facing which had remote desktop protocol running on it. And the attackers were able to find that using tools like Shodan, and that machine becomes available and visible. And again, they can do enough reconnaissance and find information about who the person that uses this machine is. So Crowbar here, using this command, I'm targeting RDP. I've got the IP address of that public facing RDP machine. Here's basically the user of that system. Here's the well crafted word list. And in this case, I'm using a hundred threads. So it's gonna do a hundred simultaneous RDP brute forces against the system. So again, having a really well chosen word list, again, it will be only a matter of time before the attackers are able to find the successful password that will work on this machine, and basically ultimately give them access. Other methods as well are through phishing and basically getting the employee to log on to fake sites also, which is quite common as well. So I'll just wait for this to go into brute force. So as you can see here, again, RDP was successful and the attacker now has the ability in order to gain access. So the next stage that the attacker will do is log on as that user. So we're gonna do a remote desktop with the user against that RDP system, log on, and basically ultimately for the victim here, all they will see is basically somebody successfully logging on with that person's credentials. Now to give you some background into who was this initial victim. So this initial victim was actually an accountant. So the accountant, it was the end of the quarter. The accountant needed to do some financial transactions. They weren't able to travel. 
So what they did was they contacted the hosting provider, the ISP, and they demanded remote access to the financial server. And since the accountant has some power, they were threatening enough and demanding enough that the hosting provider ultimately enabled RDP access for this particular system to the public internet. And the accountant was able to log on. Now interestingly, just to go through, this machine is in the exact same state that that accountant had. Now I'm gonna take you through some of the findings of that machine, which were quite shocking. On the desktop, there was a file labeled exactly as it is here, called important stuff. So this accountant basically had a file that said important stuff. And when you open that file, they basically had the IP addresses, the server information, the administrator password, they had the database information. They had financial websites along with the passwords in clear text, sitting in a clear text password file sitting on the desktop of this machine. Now, you know, I know that this is shocking, but this is such a common thing that basically employees do: they try to make their lives easy by putting things in easily accessible places. And the attackers, when they log in with that compromised user, they will also look for those types of things as well. Now the next thing the attackers will do is they'll log in and they'll take a look at the browser. Now, one great thing is the browsers have lots of really great security, but unfortunately, lots of browsers don't have security by default. So the attacker can simply go to passwords in the browser and simply here, they can find all of the accounts that this person's used, things like Expensify, email, Office 365. And they can simply just go out and show that password in clear text again. So these are some of the most common techniques and they will, you know, be doing that credential discovery. 
They'll be looking for other passwords that allow them to get access to other parts of the network and environment. So this is another method. So yes, some people would recommend storing your password in a browser for ease of use. But again, you have to remember that if you don't enable security, the attackers, if they ever compromise it, will also have access to those credentials as well. So the next stage is they want to do some enumeration. So what they'll end up doing is they'll open up a command prompt, they'll go through and say, who am I, I'm Neo on the Matrix, what's my host name, okay, I'm on rogue. And they'll also look at the local group. And they want to see basically what information you have on the system. Now mistake, the next mistake that was made on this particular system was that this user was a member of the local administrator group. And this is a massive no-no. This is a massive mistake. Attackers really want to find where these types of mistakes are made. So now what they're able to do is, as a local administrator on the system, they can make configuration changes. So right now they don't own the network. They only own this machine. But the big mistake here of giving local administrator rights means the attacker can make configuration changes to this. They can really get to the point where they can simply go and open up and disable security on the machine. The next thing they'll end up doing also is they'll download their payloads. So I'm going to do that here. So I'm going to basically, on this system here, here's all the different payloads. And this is the exact naming convention of the attackers here. A.zip was the auto scripting tools. B.zip was the payloads. C was, for example, different types of ransomware variants. Scanner was a scanning tool. And Zap was basically the ability in order to launch and deploy the attack itself. 
So simply by launching up a web server here, what the attacker can now do on this victim machine is they can simply open up a browser, go to the machine location. Let me write the address here. And now what they can do is basically download those different payloads. So they'll download the payloads. So now they can go into, for example, wherever they downloaded the payloads. In most cases what they tend to place it in is places like movies, documents, pictures, in a template location. So they try to hide their tools in plain sight. Now in here, you'll see what they've got is this auto folder. And going into the auto folder, in this location here, you'll see different automation scripts. So one is disable security. So this is basically an automation script that will go and disable security on the system. I can show you, these are the real scripts the attackers actually used. So edit here. And this is the script that will go through and now disable all security on this machine, allowing the attacker to work and do their malicious activity without actually being monitored or anything raising alarms. So this will disable security. What they can do is go on and find passwords. The downloader will download the malicious tools and payloads. They might create a new user. So in the background here, they might want to go and create a user that they can actually use to gain persistence. Or they might go and enable sticky keys here. Sticky keys will allow the attacker to basically simply access this machine at a later stage without having to know the password. So after going through and doing these tools, the next stage what they'll do is they'll go and run a tool such as Mimikatz. Now in later versions of Windows, storing passwords in clear text in memory has basically been patched and stopped. But with these simple changes of the script itself, this will revert those changes so that the password will be stored in clear text. 
The attacker will then go and run a script called dump creds. This is exactly the same script the attackers used. And basically by running this script, it will then dump all of the clear text passwords from memory into this file here. Now of course, the first time the attacker runs this, they're only gonna get the credentials of the user that's currently logged on. So they'll be able to get the current user, which is Neo, and they'll be able to see the password of course for Neo. Now, what the attacker will want to do is find a way to lure other users in the environment that have higher level privileges. So in this case, they might want to, they might break some things on this machine, cause some disk problems, they might cause some application failures, alarms. Once they make those changes, they'll go back up into the auto script and they'll run this clean script. The clean script will actually clean up the machine from all of the evidence that has been basically created during this particular session. The sessions typically last between four and eight minutes long, no longer, because the attacker knows that a lot of the services that they've actually stopped working will actually be auto protected and restarted within a 30 minute window. So therefore once those services start back, so the attacker tries not to be longer than that to make sure they can stay hidden. So if you come back and you investigate this machine with problems, the only thing you'll ever find is a small gap in the logs and nothing else. And the security will scan the machine and nothing will be detected. So the attackers are really good at staying stealthy and they know the timing, they know what they can do without raising any typical alarms. So on this particular machine, one of the unfortunate things was that there was a backup job running. And that backup job was running PsExec, which connected to this machine on a daily basis, usually midnight or two a.m. 
in the morning, and it'll take a backup of the database and then basically that machine has been backed up. Unfortunately, the actual credentials that were used for that backup job were domain credentials. So now the attacker, after running this over a few days, they can simply come back into this machine and, after that backup job runs and after making those configuration changes that are hidden to the user, they now can find actually a password of the domain administrator, basically here in clear text along with the hashes. So this is the next mistake: using a backup job running with domain credentials in order to basically access the machine, because now the attacker can basically steal those credentials and reuse them. So another interesting thing here was GMER. GMER is a tool that we typically use in the security industry in order to find rootkits and backdoors. The attackers were actually using GMER in this case in order to find security solutions that were hidden behind the scenes. So they're using it in order to find what security is running on the machine itself. So an interesting mechanism. The next thing that typically the attacker will then do is they'll go and run a scanner. Now interestingly, the scanner they used in this particular instance was actually commercial software. So they go through and they'll start scanning. And unfortunately, the next mistake that this organization made was they made all of the systems' names easily guessable, easily understandable as to what those systems were, like ERP system, CRM system, database backup. So by naming them in basically a simple way of knowing what the task is, they made the attackers also very easily know what they can do. So now you can see all these systems here. The domain controller, for example. They also used this tool, for example, in order to run automation. So you can see here, creating new user, download packages, turn security off, put sticky keys on this machine. 
So they're now able to use this tool in order to basically deploy and create other staging machines and environments. So this is a method that they were able to use in order to scan and find out where all of the sensitive systems were. So we can go ahead and force this to close. We don't need it any more once the scan's done. The next stage the attacker will then do is they'll basically log on to the domain controller and validate that they have full access. So now basically logged in with the domain controller credentials. The attacker will then maybe go and they'll look through and they'll have access to all of the accounts here. They might find one, they might decide to basically reset the password. So this particular one, they might say, if they do a discovery and they might look at when's the last time this user logged on, maybe they're on vacation, maybe it's a dormant account, they will go and reset the password. So again, they can come back at a later stage and then log into the domain controller. Unfortunately at this point in time, after this action occurs, it tends to be somewhere between four and eight hours before the attacker will then go and launch basically the attack. So once they've had access to the domain controller, they can back out, they can go into this system and they basically have the automation script to launch the attack. And what this will then do is basically, on all the systems in the environment, it will then take that piece of ransomware, put it on the system and execute it. And then the entire environment basically becomes infected and unavailable to the entire organization. So these are some of the most common steps. Now, after we go through, just to show you some of those backdoors that the user created, what I can then do is close this down and I can go basically here, for example, to PsExec. So I can run PsExec and log directly into that victim machine using the command line. So the same tool that was used to run the backup job for the database. 
So you can see here, if I do a host name, I'm on the victim machine. Who am I? I'm NT AUTHORITY\SYSTEM. So I now have full access to this machine. Also after going through and getting the actual hash. So you can see here, on this particular one, I'm going to access the domain controller with the administrator account. And I don't even need to know the password. I simply just need to get the hash of that password. I can actually do pass the hash and it'll log into that system. So here you can see I actually own the domain controller and I'm basically on the Matrix domain. So I completely, at this point, after doing those simple steps of going through, I own this entire network. I can do whatever I want. I can actually take the data to wherever I want to. And I can completely do whatever damage at this point. Now I mentioned earlier about sticky keys. One of the things that attackers used in this case with sticky keys, you can see here, I've got a login prompt. So if I move the desktop in, and let's say for whatever reason, the user changed their password and I can no longer log in. Password is basically incorrect. You'll get the password denied or access denied. So password's incorrect, try again. Now what the attacker can do is, after doing sticky keys, they can simply click in here and you can see that the command prompt comes up. Who am I? NT AUTHORITY\SYSTEM. Now again, this is a, you know, antivirus will detect this, but it won't detect it. It was scanning at the same time that this is open. So the attackers know again timing, they will be able to go and create a new user very quickly in order to, and basically once they've created that new user, they can hide that and then log in with that user. So they're able to know what techniques they hid and what techniques will raise alarms. And they also know that time window that allows them to go and do that malicious activity where possible. 
So going back to the slides here, kind of some of the techniques that can help actually reduce the risks. So what things can you do in order to basically make these, you know, types of attacks and ransomware attacks less successful? So this is going into some of my top tips that I recommend; if these were in place, they would have at least prevented or slowed the attacker down or raised a lot more visibility. But good education in cyber hygiene, make sure that users are choosing smart passphrases, which are long, and also using, you know, definitely multi-factor authentication as well. Make sure that, you know, multi-factor authentication would have actually made it more difficult for the attackers. It wouldn't have made it impossible, but it would have forced them to do more higher risk and more social engineering to get access. But really good knowledge of what a good password is, and make sure that it's long, and use a password manager where possible. Having a backup and test plan, which is basically resilient against ransomware attacks. And this means definitely having an offline backup. There's lots of cases where we've seen in the postal services where you've got victims of ransomware attacks, which even took out, you know, the ability for them to operate. Especially at very critical times such as the holiday periods, you know, Christmas time or when people are ordering presents or doing deliveries and packages. We're seeing times where basically a lot of those services have been flooded and unable to operate. So having a good backup and test plan, and similarly having a backup and making sure it's recoverable, is critical as well. So this is another area. I can't emphasize enough having a ransomware resilient backup, which is important as well. Also, as I mentioned, multi-factor authentication, having a phishing resilient MFA is also important. 
So making sure that you go through and put the right security controls in that make it as difficult as possible. The next one is zero trust and least privilege. What I showed you in the demo today is where the attackers were able to, you know, gain access to a local administrator account. And then the backup job is running under a domain administrator account. So this is really where you get into making sure that, you know, you're doing least privilege. So make sure that the users don't have local administrator rights, because the attackers know that they will elevate quickly up to those credentials. And where you're using backup jobs, make sure you're using dedicated credentials which don't give the attackers full access even if they do compromise it. Use a privileged access management solution that will help you rotate credentials after usage, making it more difficult for attackers; even if they're able to get the password in clear text or even the hash, it prevents the ability for them to do lateral moves. Implementing solutions like application control will also make it difficult for the attacker to use any malicious applications or use even tools like PsExec, which can be used for both good and bad, but making sure that there are legitimate reasons and times that those applications can be executed. And again, you know, making sure you have good patching and updating your security on a frequent basis. Ultimately the goal here is to reduce the risk, to make it as difficult as possible. So some ransomware resources that I highly recommend. A good tool is also, which is basically, this is FLARE VM, which is basically a response virtual environment in order to make sure you're able to collect evidence. Then you've got the SANS SIFT, which is another tool which is great for basically doing incident response forensics. 
A good resource and website is NoMoreRansom.org, which has got lots of ransomware resources, which are great and provide some best practices and some basically advice on what things you can put in place. There also is CISA.gov, which has the stop ransomware site and also gives lots of good resources and information. And then some of the resources that I've created myself directly, which are available from Delinea. We've got different ransomware surveys and research that we've done. We've done a guide to securing Windows endpoints. We've got incident response checklists and more details around cyber insurance as well. So those are some of the resources that I've created that help reduce the risk as well. So at that point, Tracy, I mean, if James wants to add some more details, we can get, can I cover, or we can get into answering some of the questions as well. 

Thank you very much, Joe. Yes, so I think we can move straight to James, but let me just say two things. One, remind everyone that you can use the Q&A pod for questions and, Joe, there are some questions already in the pod, so if possible, you can maybe answer them in writing if you can and I will read out the answers later, or we can do it verbally afterwards. And just to remind everyone that this is the last day of cybersecurity awareness month. So we caught it right on the head. So ensure that you are well-prepared for any potential risks, as Joe just mentioned, in your organization. And let's not let this month be the end of awareness. Let's ensure you keep aware all through the year in your organization. So I'll hand over to James, who will probably introduce himself. James has a quite extensive background in this sphere having taught in the, let's just say the, maybe James would do the necessary. He's taught in this space at the highest levels in terms of cyber defense. So James, over to you for adding some color to this and giving some best practices and some lessons learned. Over to you. 
Thanks, Tracy. That was great. I was watching Joe's presentation. I've seen a lot of them. That was special. So have me go first next time, Tracy. I don't want to follow this guy anymore. Anyway, folks, great to be here with you. So yeah, my name is James. I'm a cyber lawyer, university professor. I worked for the United States government and with the private sector domestically and internationally. So when Tracy first asked me to come on, I did some research and I looked at some of your posts around the world and you are in peril. And so what I did is I want to frame my discussion today. And so I came up with five specific rules to help you. And so I'll reiterate these rules at the end of our discussion. If you take what I tell you to heart, you will be in a better position to defend yourself. You'll be more resilient in the face of these relentless aggressors. And you'll be in the best possible position to lessen your liability. As Joe explained, ransomware is a crime of cyber extortion. So they're obviating the confidentiality, the integrity, the availability of data. And the way, though, that the world is progressing, that ransomware is evolving, is it's more towards this exfiltration of data, the confidentiality, the obviation of confidentiality. And what that's doing, right? It's all ways to bully you, right? To make you pay up. And one of the things I wanted to do is, well, cyber extortion is a booming business, right? And if we have time later on, I can get into some more of the history, why it was that there was a dip last year, but there was an increase this year. But because we're a little pressed for time, what I wanted to do was just get to some of the five rules that I have for you. So the first one I have is that cyber extortion gangs are not lone wolf actors. They are criminal business enterprises, criminal business enterprises. 
And to appreciate the extent to which you are vulnerable to attack, and hopefully therefore you'll take action spurred in your own self-interest, you need to understand the sophistication and capabilities of your adversaries. And so let's do a quick thought exercise. I'll ask you to do a couple of thought exercises here at our conversation this morning or afternoon where you are. When you think of the term cyber criminal, what image comes to your mind? Just take a second, please, cyber criminal. And I'll tell you the image that appears most often when I talk to United States audiences. And that's because there's posters in government buildings, there's posters in private sector buildings, and basically what it is, it's some like anonymous person in a hoodie before a computer screen. And that really does, they're solitary, right? It could be someone in their mother's basement. It's, and it really kind of does a disservice because it gives you this false belief that ransomware gangs, cyber extortion gangs are lone wolves. And nothing can be further from the truth. What should come to your mind to appreciate the danger that you're in is a criminal syndicate, a criminal syndicate in the nature of a modern sophisticated business. These gangs are not solitary. They have expert language and cultural skills and they're methodical. They're methodical in their approach. They're ruthless, they want your money. They have zero qualms about hurting your post, your ability to transport goods. And important too, I think to keep in our minds is that these gangs are not static monoliths. They take whatever form is most advantageous to them. They disband, they reconstitute, they morph. In a word, they change. Some gangs have distributed networks and some even operate ransomware as a service model where affiliates are recruited to conduct attacks resulting in a web of unconnected threat actors. 
And change is not limited to the composition of the gangs themselves but also the characteristics of the victims. In 2020, for example, the majority of victims consisted of government agencies and the private sector in mainly, mainly English speaking countries. And that's for two reasons. One, it's a target rich environment. And two, the gangs had language and cultural skills to prey upon English speaking victims. But that's changing now and puts many of you in our audience today squarely in the crosshairs. So, and this brings me to my second rule. Cyber extortion is a crime facilitated by technology but committed by people against people. And that's because too often when I'm asked to come in and talk to corporations that have been hit, everyone has this preconceived inelastic conception that ransomware is just a crime of technology, that it's somehow a computer fighting a computer. And again, that's not reality. Cyber extortion is a crime that uses technology as a tool for the use of a device. It's a crime that uses technology as a tool, but people are nonetheless at the heart of the crime. And on one level, that makes sense. But you can see why people kind of get this kind of the wrong end of the horse here. Because we're talking about data exploitation, we're talking about the CIA triad, we're talking about disruption, we're talking about threat actors from the other side of the world attacking your organization, all of which is reliant upon technology. But there is the all important human element in cyber extortion, which in my humble opinion, receives scant attention, but is nonetheless essential to understanding the fundamental characteristics of the crime. And as I kind of alluded to before, for example, Japan has not been attacked as much as its wealth and business density suggests because attackers heretofore have lacked the language skills and just as important the cultural understanding to exact the extortion schema.
Japan has the same hardware, software, operating system, vulnerabilities, you name it, as everyone else in the rest of the world. The differentiator has been that cyber extortion crime, again, is a crime by people against people. And so in certain areas of the world, there has been a type of almost an inoculation against some of the worst effects of cyber extortion. But this is changing, right? Similar to a disease. In the body where a virus will mutate because of a given drug, so too are these gangs evolving and infecting other parts of the world. The criminal must understand the victim's data and the value of its data, right? So, and the victim must understand their data and the value of their data, right? Hopefully before an attack occurs. And the human element is also present in the all-important question of, do you pay or do you not pay? And so, Joe alluded to this, I think it's absolutely critical. This brings me to rule number three. Organizations must have real-world exercised plans prior to getting attacked. In other words, no paper tigers allowed, right? No paper tigers allowed. The answer to the question, do you pay or do you not pay? If done correctly is fact and context dependent. And definitively, one that is best answered not in the cauldron. And some of you may have actually experienced this in real time. And I think cauldron is the right word. And those of you who have gone through this searing experience won't soon forget it. But the time to make those decisions is not in the maelstrom of when you are in an attack. But rather before, when you're taking the time to understand your data and the value of your data. And what I respectfully suggest to all of you is that you do the hard work up front now to know your data and the value of your data. And so this concept of the paper tiger, as Joe had said earlier, is the unpracticed, the unpracticed response plan. And I've seen many of these. And some of them are absolutely fantastic.
Some of them are, you know, they're brilliant until they're encrypted. Until no one thought, as Joe again alluded to, that you have a paper copy somewhere, somewhere protected, somewhere not lying around. And sometimes it's best, right? Because when we talk about this, you know, the digital domain, I get it. It's easy sometimes for your eyes to kind of, you know, glaze over. It happens with my students all the time. But so when you're thinking about, though, a response plan, think about it, you know, make it personal. For example, you know, think of a talent that you possess, right? Everyone has some talent that they do well. Piano playing, violin playing, playing football, swinging a bat, cooking a meal, whatever it is. Now imagine that you have to explain how to execute your talent. Let's say, you know, kicking a football. You have to explain to me how to do it. Um, planting your foot, the angle of your, of your, of your kick, the speed of your leg, et cetera, et cetera. All these, all these variables. But if I was to walk out to a football pitch without prior experience, right? Even though I have your expert guide by my side, if I'm to do this using only the words that you've given me, I can promise you my success rate is gonna be very, very low. And that's what I mean by the paper tiger problem. I can't tell you how many times in organizations large and small, right? Well-funded and mom and pop shops, domestic and international, I'm requested to view the document that is the cyber extortion plan, the response plan. Couple of things with this. One, it's often written by a third party. And again, that makes sense to some degree, right? A lot of people don't have, a lot of organizations don't have that kind of knowledge in-house. They go to a third party to write it, makes sense? But oftentimes that third party won't have a holistic understanding of your organization.
And oftentimes, frankly, they just, they tear off the name of the corporation that paid them before you paid them and they stick your name on top. So in addition to this, so it's not just the response plan, it's the human element of the negotiator as well, right? Because the negotiator is a critical element of this human to human crime. And the organizations that I've seen respond most efficiently to a ransomware event, in addition to the ones that have thought about the data and the value of that data, are the ones that have welcomed negotiators into their plan of rehearsals prior to, vetting these negotiators, right? But walking them in saying, you're gonna be a critical part of what we do here. And the cost of, because no one has an unlimited budget, but the cost of preparing correctly for one of these malicious events is minimal compared to the outlay cost of failure, right? So many of you I'm sure have heard ounce of prevention, pound of cure, ounce of prevention, pound of cure. If you're worried about budgets, and everyone's worried about budgets, do the work beforehand and you'll save yourself scads of money. Rule four, look at yourself with the eyes of a predator. And so let's do another quick thought exercise here. What I respectfully request is in your mind's eye, or with the help of a pen, paper, whatever, type it on the screen, think about your post. Because again, when Tracy asked me to do this, the first thing I did is I researched you all over the world. I researched post agencies all over the world. The more I learned, the more worried I got for you. And here's why. In particular, in certain areas, posts are connected to particularly tempting targets in the eyes of a cyber criminal, right? So either in your mind's eye or on a piece of paper, you know, put your post in the middle of the page or the middle of your mind and then draw lines from your organization to the organizations and institutions connected to you.
For many of you, you will be connected to the sine qua non of the cyber predator, which is the financial institution, a bank, a loan facility, a money order center. Well, let's not stop there. Once you've drawn that line and circled what you've, what you're connected to, annotate the consequences that would result if you or that entity were hit by a cyber extortion crime. So for instance, if you were hit, you know, you're a post, right? So you deal with the transportation of goods as well as communications. But if you're tied in with a bank, there are innumerable more cascading consequences that can result. And you don't need me to tell you this, right? You're the expert here. You're the expert here. You know, if you fail, if your partner organization fails, you know the consequences that will result to your region. And sometimes these rise to the level of nation-state effects. And so what I exhort you to do is you can have a voice in this conversation of cyberspace. In fact, you are the most important people to have the voice because, you know, of the deleterious consequences that will happen if a malicious cyber attack was to occur against you or the banks that you're connected to. And what I'm trying to get you to do is advocate, advocate for yourselves, advocate for a small budget that says we need to prepare. Do we have a negotiator? Do we have a response plan? Who's our decision maker? Do we pay? What data would make us pay? Why? To answer these questions that will become much more complicated again in the cauldron of an actual event. And so, and once you have articulated those types of risks, that kind of interconnected web will illuminate to those that you are trying to persuade a more accurate risk profile than just your individual post. And so to help us kind of understand this a little bit, let's take a look at some real world artifacts and look at what happened to Royal Mail in the UK.
And so Royal Mail, which if you're not familiar with it, please Google it, it's great. It's great because the negotiations are online, which tells you something. So it's not just on the nose, right? A post agency hit by a debilitating cyber extortion event, but the transcripts are open source and you can see a lot by reading the transcripts because both the criminal and the negotiator make mistakes. The negotiator, you can also see, knows the organization and that's a critical factor. There's a reason why Royal Mail ultimately did not pay, not least of which because the transcripts are on the left, but the Royal Mail negotiator was familiar with the organization and was able to nimbly respond to some of the thrusts and parries of what the criminal was trying to do. And so let's jump in both feet, right? So we arrive in the middle of the negotiations. You can think of the, you have the victim negotiator and then you have the criminal. Sometimes I talk about the criminal negotiator as the criminal language and culture expert and they're not necessarily the same person. Sometimes they're side by side, sometimes there's multiple people depending on the complexity. But you'll get a visceral sense if you read the transcripts of this Royal Mail that these are human beings. And so for example, the criminal says to Royal Mail, quote, if you were really worried about medical equipment, just pay for my work and get a decryptor within five minutes. You are making multi-billion dollar profits from your business and don't wanna part with the money. Don't you think that's odd? It's your greed that makes the people who are waiting for their packages suffer, right? Because Royal Mail was like, man, it's like, you know, they tried to appeal to the humanity of the criminal. They're like, people are gonna get hurt, people might die, they're not getting their medications.
And so the criminal just comes back and says, no, no, no, no, it's essentially your corporate greed that's putting people at risk, not what I'm doing. Then the criminal asks, how much is your revenue? How much is your revenue? So, I mean, everyone right now, how would you respond to that question? What would you say? Do you know your data and its value? What would you say? Are you the decision maker? What is your level of confidence that if you're not the decision maker, the decision maker knows to a sufficient degree of accuracy what is right and wrong for your organization? Does your negotiator know your revenue? Do you even have a negotiator? If you have a negotiator, is that person sufficiently educated or experienced to answer the queries of a criminal in near real time? And what should the negotiator say anyhow? So in this instance, like I said, the negotiator was familiar, was pretty familiar with Royal Mail. And it started to become clear that the criminal had made a mistake, right? So again, don't think of it as merely, it's a crime facilitated by technology but done by human beings. And basically what happened was, and you can see this in the transcripts, is the criminal had mistaken Royal Mail for its parent company. The parent company of Royal Mail has some seriously deep pockets. At the time, Royal Mail was not doing well, right? It was, and so, funny enough, the victim negotiator actually sent an article from the UK Times saying, we're not, Royal Mail is not doing well. You can read it literally about our losses in the UK Times here. And the, you can see the criminal kind of, and it kind of goes downhill for the criminal from there. But please take a moment, read those negotiations and consider the implications if you were in the hot seat, if your organization was in the hot seat, and how would you answer those, those queries? Final rule, don't go it alone.
In the spring of 2022, two significant ransomware operations targeted 27 Costa Rican government agencies in addition to the country's healthcare system. So Costa Rica's government refused to pay and the effects were serious. Many government-run systems had to be taken offline, including those related to tax collection, medicine, social security. The Costa Rican president, it was a time of transition, declared that Costa Rica was at war, interesting language in terms of international law, that Costa Rica was at war with the attackers. And there were attackers, there were basically two ransomware groups that were attacking Costa Rica. And the one who attacked Costa Rica second in time used experiences and data that the first ransomware gang had leaked on the dark web. So the gangs were kind of learning from each other and using the information and passwords that had been posted on the dark web to further hurt Costa Rica in the second attack. So just to get a little bit more granular, in April of 2022, by the time that it was the Costa Rican Ministry of Science, Innovation, Technology, and Telecommunications that was hit, they realized that the finance ministry had been hit a few days earlier. And so the director of the Ministry of Science said that, in hindsight, it was poor communication between agencies, which meant that there was little time to share details of the incident, and a lack of situational awareness throughout the government, which made it easier for the dominoes to fall, for more agencies to become targets. And it got severe, the Treasury Department was hit and there was a message to civil servants basically saying you're not gonna get paid right now. But even though Costa Rica suffered this debilitating event against agencies, it didn't go it alone. And importantly, it had pre-existing relationships that it could take advantage of.
Immediately, Costa Rica reached out to Spain, the United States, Israel, and some of the private sector in the United States. And what did these relationships do for Costa Rica in this moment of peril? Well, the United States offered technical assistance and also, via the U.S. State Department, a reward of up to $10 million for information leading to the identification and or location of any individuals in the gang responsible for the attack. And so the Spanish government donated tens of thousands of toolkits and also sent an entire cyber forensics team to Costa Rica to augment the Costa Rican cyber defenders. Israel, Israel, this is interesting, Israel and Costa Rica had signed a memorandum of understanding prior to the attack for cooperation in cybersecurity. So Israel provided relevant threat intelligence increasing the visibility of the attack surface. The U.S. private sector rallied to Costa Rica's side in the guise of Cisco and Microsoft, which began providing toolkits and helping resilience. And I wish I could say that Costa Rica recovered in early May, but again, we talked about the fluid dynamics of ransomware gangs and how they inform one another. And on the last day of the month, on May 31st, the second, I alluded to this earlier, the second ransomware gang, again leveraging those credentials that were listed on the dark web, again hit Costa Rica. But again, Costa Rica had about a month of recovery and they had international relationships built. And so the good news is that the second wave of attacks was far less effective than the first wave of attacks. The economic loss was high. Estimates ranged from 38 million to 125 million in the first 48 hour timeframe. In the wake of the cyber extortion crime against Costa Rica, the nation did something extraordinary. And what I mean by that is Costa Rica did something bold. It contributed to the development of a customary international law of cyberspace. In particular, the subject of state sovereignty.
In essence, what types of cyber harms will violate a nation's sovereignty? Costa Rica drew some red lines in the sand by stating that not only physical attacks, but also cyber operations that trigger a loss of functionality of cyber infrastructure located in the victim state constitute a violation of sovereignty. And it went further saying that usurpation of inherently governmental functions is a violation of sovereignty. Now that's consistent with the Tallinn Manual. You might be familiar with that, the Tallinn Manual on the international law applicable to cyberspace. But Costa Rica went further saying malicious cyber events interfering with the state's democratic process, such as elections and a choice of foreign policy, all potentially constitute violations of state sovereignty. And then went even further because Costa Rica said that certain categories of cyber surveillance operations can be conducted in such a manner that breaches state sovereignty and other rules of international law, which makes Costa Rica go further than Germany, Japan, Poland, Israel, that currently declined to tie surveillance operations to potential violations of state sovereignty. But that's what's so important about what Costa Rica did, it took a stand. And I say all of this because there is at present no concrete international law of cyberspace because too many countries refuse to take a stand. They refuse to state unequivocally their position on the issue of state sovereignty and cyberspace and what harm may violate Article 24 of the UN Charter and may give rise to self-defense, to include preemption, under Article 51. Help is available. Help is available. And I respectfully exhort everyone listening to become members of these important and burgeoning relationships. I know for a fact that the United States government has, is in the process of extending its hand internationally. US Cyber Command can deploy hunt forward teams for defensive purposes and to increase local resiliency.
In the past five years, US Cyber Command has deployed 40 times to 21 countries. And, you know, and to give just one, in July of last year, Albania was targeted and US Cyber Command sent a team of cyber operators and they stayed there for three whole months helping Albania. In fact, relationship building is a backbone of the national cyber strategy of the United States. And the administration is on record looking to build and partner with the international community. In fact, there's even a quote that says in the United States national security strategy that US foreign policy and cyber security goals are aided by international relationships. But the partnerships alone can't be one-sided and the United States right now needs your help to maximize assistance efficiency. Deciding how to prioritize who should receive cyber assistance and when, how to structure a mechanism that is sufficiently flexible to address the diverse circumstances in which requests for aid may arise, figuring out how to get US funds to relevant foreign agencies. And it's not just the United States that's come to the conclusion that a rising tide raises all ships in the digital domain. In Europe too, cyber defense was considered primarily a nation state responsibility but more recently the European Commission has proposed the EU Cyber Solidarity Act, which looks to enhance capabilities through partnerships to detect, prepare for, respond to significant large scale cyber security attacks. And so most of this, most of these relationships have been ad hoc, but I think the moment is ripe, the moment is ripe for all of us to come together, those of us that want an international law of cyberspace that bolsters and supports legitimate lawful behavior in the cyber domain, to come together, share information, help each other. And so if you look at these five rules, I'm just gonna mention these five rules one more time, right?
So cyber extortion gangs are criminal business enterprises, right? They're sophisticated. Cyber extortion is facilitated by technology, but is a crime committed by people against people. You should have real-world response plans regularly tested and attended by relevant stakeholders, like, no paper tigers allowed. To understand the extent of your peril, look at yourself with the eyes of a predator and use a wide-angle lens, not just yourself in a small sense, but who you are connected to and who is connected to you. And don't go it alone. Form helpful relationships, hopefully prior to when you get hit. So if you take those five rules, you'll put yourself in a position of advocacy, right? Advocacy, use that little bit up front, the hard work and maybe a little bit of expenditure up front to save you a lot of money and pain on the back end. So Tracy, I know we're out of time formally, so I'll end there, but thank you so much everyone. It's been an honor to talk to you today.

Thank you very much, James. That was wonderful and I really appreciate you outlining those five rules, which I hope everybody took note of. I think if nothing else at the end of this webinar, we all would have that list of very, very powerful action or actions that we can take as an organization, even as individuals, to deal with proactive aspects of this, as well as potentially reactive. I do want to spend a little extra time, if you don't mind, treating with some of the questions that were asked, but before I do that, because I think I could do that by, actually I copied and pasted over the questions and answers, which Joe has kindly dealt with all of them, which is quite a, thank you so much, Joe. So I think I'll share the screen. I'll be very effective, which we'll kind of cover that. But maybe one general question, which would kind of lead to sort of a summarized position. I think there's another one coming in, which I could also ask, oh yes, it's just clarifying what AI and AI meant.
So now that we've spoken about this cyber attack anatomy, so we've dissected it. Joe has given us some very practical, technical solutions, I think, to dealing with the problem, showing us exactly how operators intrude, infiltrate, and deal with it. And James has given us, I would suggest, what I would call, I don't like to use the word soft, but certainly maybe the non-technical, regulatory, the things that you can do that don't require you to necessarily use bits and bytes, so to speak. So I think that's a good mix. So I have one final question for both of you. Given that the postal sector, which is the focus of this, but I think it applies to everyone, has been identified actually by both of you as becoming more and more susceptible to these attacks. Given the situations we are facing, we're hearing more of them, some are in the news, some are not, is there one card, another rule, I think, that you would suggest that these organizations, everybody, including the post, can do right now, like today, you leave this webinar, you need to do something right now. What would you suggest that you can do at this moment? Everything else you've said, we know that could take some time, but we're right now, this moment. After you've had your lunch or you've had your dinner, as the case may be, or your breakfast, what can you do right now? So may I start with you, Joe? What is one thing you suggest someone can do right now?

So I mean, there's lots of things you can do, which are very basic, that can make a massive difference. I mean, one of the biggest things is multi-factor authentication, is having employees using that in as many places as possible. But the one thing I would highly recommend is going and, you know, taking a backup of your backup and storing it offline. It's, that is probably the biggest difference that I see in organizations, having the ability to recover, is having a good, solid backup to go to. And that, it makes the difference.
That's the one mistake that I see constantly, all the time, is that the backup's encrypted, the backup's encrypted. And that's where really the organization and the service starts having that negotiation with the criminals, is because there's no alternatives. So, you know, one thing I practice, what I do is I have backups of backups. And then on a monthly basis, or a quarterly basis, I rotate the disks. So at least I know that my worst case scenario is that I have a three month old backup that I can go to. And that's the worst case scenario. So, yeah, I highly recommend it, you know, if you wanna make sure that you can survive. This is a survivability technique to make sure that you can continue. It doesn't stop it from happening. It doesn't stop the attackers from stealing data. But it means that at least from a business perspective, you can continue. Because ultimately, this is where a lot of the scenarios is that when victims start having the discussions about paying the ransom, it gets into a very tricky situation. Especially in some countries, as James, you know, alluded to, was around, you know, sanctions as well, which play a big part in regulatory, and some of these criminal operators are operating from countries where, well, there's sanctions at play, so how do you pay them? So it's really important to make sure, you know, that you don't have to get into that situation. So, yeah, go back, take a backup of your backups and store it offline for that rainy day when you need to use them.

Very sound advice, and to be frank, with other webinars that we've had, that's been the one message that, you know, have a plan A, plan B, and C, and sometimes even a plan D. Just ensure that you are well-prepared. Backup of your backup. Some people didn't say backup of your backup of your backup. Sure, that's, yeah, because that's the key. James, one thing we can do right now.

Today I would have, I would set a meeting with all relevant stakeholders.
And so relevant to you might be the bank that you're attached to, or it might be your decision makers, or it might be a combination thereof, right? But set a meeting today, everyone that is a stakeholder in your post, and start talking about what happens when we get hit.

Thank you, James. So I'm seeing, I'm not sure if it's a question, but I think it's a comment coming in from Calvin Ramna saying, I agree, Joseph, we were hit by a major ransomware attack earlier this year. We were able to recover from our off, I think that's offline, backups. Since our primary backups were also compromised, I think that's re-emphasizing your points.

No, it's the survivability. Definitely, you know, James's point, one of all their, you know, recommendations is that, so when you're dealing with security responses today, you're no longer just IT incidents, they are actually business incidents. And that's the big difference is, you know, the business can't just say, IT, go and fix this and recover and get us back up and running. That's not the case anymore. This is a business response. So, you know, to extend on what James has mentioned, is that this really means that all stakeholders of the business have to actually already, you know, make sure that they have a business crisis plan for these types of incidents because it is a business response, not an IT response. And therefore it means that you need to go through and simulate, practice, coordinate across the business, all functions, HR to the executive team, to the boards, to your suppliers, to your customers. Everyone needs to be, you know, let's say coordinated in those types of responses. And that's why, you know, having this as a business crisis and response is vital and treated like that.

Thank you. And maybe before we leave, I can just share my screen. I think you should be seeing the questions. So I redacted the names of the questioners just for the sake of going on live.
But for those who are on the Zoom, you can go to the Q&A box and see who asked the question. So... Let me just elaborate on those answers just so people understand. The first question is, you know, around having a resilient backup. In the backup scenario, I mean, that's my history. That's where I've spent a lot of time and my career was in backup administration. I worked for backup vendors over the years. And one of the things here is that, you know, the backups should only have access to the production environment and not vice versa. So whatever credentials you have, it should not be a flat network and your production should not be able to communicate into your backup segment. So the backup should only be basically retrieving data from production and it should not be bi-directional. The only time you enable that is during restoration. You know, when you need to restore, that's the only time you can actually pull from the backup environment. So having those completely segmented, segregated and having different, you know, credentials is vital. And then at the point, you know, having that final one, which is the offline one, which you can go to. The second question here was around, you know, evidence gathering. One thing that I typically do is using FTK Imager and that allows me to take basically live images of machines that are infected. And then I take those off. So that's the, you know, making sure that you have the ability to take those live images. You've got full disk images. They're quite large. This is where you have to, you know, make sure that you understand about what type of disk space that you need for those. They are actually quite large images. You can take them in raw images, which allows you to do proper investigations later before you go and start, you know, recovering and going through, for example, imaging processes or restoration.
There's lots of different tools out there, but that's one that I probably kind of, that's my go-to one that I use quite often in live incidents.

The encryption, yes, is typically the last phase, but, you know, that's why I go through that same process of having that rotation. I've seen one case where a large telco organization became a victim. Their backups were not infected, and they restored them, only to find out that the ransomware was actually backed up into the backup. So they actually restored the ransomware back into production, and it was only a matter of a few weeks later that they were infected again. And that made it a significant issue, because previously they'd only lost 15 days of data. Now, because of that situation, they had lost 45 days of data, because they found out that the backup was also infected. So also make sure you do an integrity check and validate the backups and check for IOCs within the backup environment.

The one here also about lateral movement, absolutely. This is the major issue, and that's why you use privileged access management, you use password rotation, you use multi-factor authentication within sensitive areas in the network. So yes, LAPS is great for managing privileges and privilege elevation, but I highly recommend that you create very complex passwords, especially for your privileged accounts, and that you make sure that you rotate the credentials after use. Rotating after use means that even if I do capture those credentials in clear text, or I get the hash, I can't move laterally in the network with those, because the passwords have already been rotated after usage. So this is where you start thinking about getting your exposure down to as close to zero as possible, or what I refer to as least standing privileges or zero persistent privileges. That will definitely deal with those types of incidents.
There was a question here in the chat, and the question answers were all around cyber insurance. So one thing is I've just done research on cyber insurance, and I did a massive talk recently at the ISC2 Congress in the US on that specific topic. One of the things about cyber insurance is that it's a financial risk alternative. So if you get cyber insurance, cyber insurance is not an alternative to security, but it is an ability that, if you look at what it takes to recover from a cyber attack and you don't have that financial means available to you, cyber insurance tends to give you the financial ability to recover. So cyber insurance should be a consideration if you find that you don't have access to funds available. Some organizations go into what's called cyber captives. Cyber captives is where you insure yourself. For example, in the large case a few years ago with Target, Target had multiple policies, but one of the big policies they had was a cyber captive, which also gave them additional funds to recover as well. But today it's getting more difficult. It means that to get cyber insurance, you typically will have to go through and already have done very good, let's say, risk mitigation already.

The one here on AI, yes, criminals are using AI today already, but they're using it mostly for automation and pretexting capabilities. So what happens is they're using AI, or generative AI, in order to automatically respond, to make the interaction with victims more seamless. They're using it for language translations. For example, I'm based in Estonia. Estonia really didn't have a massive issue with phishing and social engineering, because the Estonian language was almost something that protected them for a long time, because attackers could not really get it translated really well with the existing tools that they had. And the only ones that they were able to do successfully were where they actually paid language translators to translate the phishing campaigns for them.
Those were the ones that actually were more targeted. But now, with generative AI, the automatic language translations in real time make those attacks, which were more difficult with the Estonian language, much easier to do today, and easier to pretend to be legitimate services. So we're seeing social engineering accelerate further with the use of pretexting, and now pretexting is being driven by generative AI and automation.

Thank you very much, Joe, for providing some color again to your responses. Appreciate that. James, did you have anything to add to this? Do you want to say anything, having seen the Q&A, and do you have any thoughts on this? I mean, what you can do is pull that into your final words on today's webinar.

Sure, I think, yeah, one quick word on cyber insurance is be careful. Lloyd's of London came out in March of this year saying that if it was proven, and it's difficult to understand who has to do the proving, is it the victim or is it the insurer, that if it's proven that it's a nation-state actor, they're not gonna pay up. And so that kind of sent some shockwaves through the cyber insurance market, because it's hard sometimes to dissimulate a nation-state actor from a proxy, and what does that mean from an insurance perspective, especially when some nation-states allow malicious actors to work very freely within their borders. So just with that one caveat, no, just say, look, you know, ounce of prevention, pound of cure, ounce of prevention, pound of cure in this space. It doesn't cost a lot of money to take some necessary steps. And there's just-

Yeah, just an additional note is that it's still up for a massive debate right now, because a lot of cyber insurance policies, they do have what are called exclusions and limitations, and those exclusions typically have things like that there's no claim in active war, active terrorism, and stuff like that.
Now, in regards to the postal services, this gets into a bit of a gray area, because of the recent case by Merck earlier this year against insurers. They had about 12 insurance policies that they activated and made claims on from the NotPetya attack back in 2016. Now, in that particular case, Merck went and triggered insurance policies, which was 700 million in claims for that particular ransomware case of NotPetya. Now, most of the insurers came back and said that, due to the exclusion of active war, they would not pay out those claims. And it basically went to a court case. Earlier this year, in May, the Supreme Court in the US finally concluded that the active war clause exclusion in the insurance policy was not justified, because Merck themselves are not a legitimate target in a war. So therefore that exclusion would not be applied. So what happened was the Supreme Court sided with Merck, that exclusion was not a valid exclusion, and therefore they won a 1.4 billion payout in the insurance case. Now, that brings up a bit of a debate into, okay, what are legitimate government targets in an active war? And that's still something that is unclear. So for those who are considered not legitimate, pharmaceuticals, hospitals, and so forth, those exclusions would, for example, not hold up in court, but organizations that do hold legitimate government relations, those who are supplying, let's say, governmental services, might find themselves in a bit of a tricky situation as to whether that clause will apply or not. So until we have more cases like this, the debate will still continue.

All right, thank you very much, gentlemen. I really appreciate the extra time you spent with us today, I really appreciate it. I think the information shared was extraordinarily valuable, and I'm absolutely sure our colleagues online will indicate as such to us. Fantastic questions coming in as well.
I did indicate to you before we started that I wasn't sure how many questions we'd get, and we actually got a flood of questions. So I really appreciated the engagement. But thank you, everyone, for participating. For those who are asking, yes, the recording will be available online. We will notify all of you who participated and registered where that will be. It will be, ideally, just to confirm, on the UPU's YouTube channel, and you can contact us via this information I'm just putting in the chat for more information about what we do at the DotPost Business Management Unit at the UPU. Feel free to contact us. And for those who are in the sector, please do let us know if you would like to get involved with the DotPost project, which will further provide resilience to your environment accordingly. So with that, do enjoy the rest of everyone's day. Thank you, Joe. Thank you, James. Really appreciate you joining us for this webinar. Last day of SAP Security Awareness Month, keep away. Don't let the month end and just drop our guard. Let's keep going, and let's ensure that our organizations are well protected, and you yourself as an individual take the necessary cyber hygiene steps, protect yourself and your organization, and even at home where you're doing your own work, because that could infiltrate into your environment at the office as well. Thank you once again. And with that, I say, bye-bye. Enjoy the rest of your day or night or evening, wherever you are.

Bye-bye, Joe. Thanks, everyone. Bye. Thank you. Thanks, everyone.