I'm John Griner. I'm the founder of Just Tech. Thank you so much for joining this last webinar of LSNTAP's cybersecurity series for 2021. And I want to encourage everyone, if you haven't attended some of the past webinars, to visit the LSNTAP website. And also, I'll let you know that these webinars and additional material will be put together into a cybersecurity toolkit for the legal aid community. And that's going to be available to the community in January through the LSNTAP website. So we thought this last webinar would be sort of a good finale to the series. We've talked a lot about some of the different elements for managing cybersecurity approaches for advocates to navigate their work in a more secure fashion. Talked about some of the more technical pieces and opportunities for programs to improve their security. But as with a lot of different disaster preparation or fire preparation, it's good to sort of explore, I guess, the anatomy of a cyber incident to understand it and to prepare for it, and hopefully be better able to respond, but also maybe look for opportunities to reduce the risk of an incident within your organization and maybe the extent of the damage and the time that it might take to recover. So we're going to spend some time today with some wonderful panelists who are going to bring the legal aid specific perspective, the engineering perspective on some of the technical details, as well as sort of the legal operational perspective on cyber incidents with us. Specifically, Jada Bregel, who's the Chief Information Officer for Legal Services Corporation. Deena Brownstein, who's the director for Greater Boston Legal Services. Joseph Mello, the director of engineering for Just Tech. And then on the legal team, we're very fortunate to have Kaylee Shuler, who's an associate at Polsinelli. Daniel Pepper, who's a partner, and Elise Alam, who is an associate, both at BakerHostetler.
And I think what we want to do is sort of go through some questions, sort of laying out the typical progress of a cyber incident. But we also want your questions and comments. So if you would, please make sure you use the chat to share your experience, your knowledge, your questions. We're going to be keeping tabs on that chat. We're going to either integrate your questions into the dialogue or, depending on the nature of the question, we will try to answer them at the end of the session. So with that, I think I'd like to kick it off with a question to Jada to begin with. And that's why the legal aid community should really care about and prepare for cyber incidents.

And I have a couple of slides that I'm going to share to answer that question. So hopefully that is visible to all. The first slide here has an infographic from the FBI. And you can see from 2019 to 2020, internet crime complaints are going up significantly. In addition to that, downtime due to ransomware is on average 21 days. So this is big and we need to care. We haven't seen 2021 information yet. I also pulled some cyber crime statistics, also from that FBI report, that our OIG uses. And I think what's important here is business email compromise, which is something we see a lot of, continued to be very costly, $1.8 billion, phishing over $54 million, and a lot of ransomware incidents. The other thing that I found that I thought was interesting is there's a ransomware attack on a business, it's estimated, every 21 seconds. 11 seconds, I'm sorry. I can't even read my own slides. And it's expected that that's going to go to every two seconds. So I think we need to realize that cyber crime is really big business. And even though we're nonprofits for the most part, we're running businesses, and we are a target. And then I just wanted to show some stats that we keep track of at LSC. Our Office of Inspector General logs cybersecurity events for us at LSC and our grantees.
And since 2018, they've logged 27. I'm not sure that they've actually seen all of them. A lot of these are phishing incidents. And what I see happening more and more is that someone's email gets hacked, and everyone in their address book starts getting fishy emails. And I think it's important to remember that we're all connected. We're a supply chain of sorts. So if you have a cyber event in our community, you can impact the rest of us.

Thank you, Jada. And I've got to say, we're privileged to work with both LSC and non-LSC funded legal aid providers. And we certainly see quite a few cyber incidents. So I know that outside of the LSC world, you're not immune to cyber incidents. And in some ways, I think, again, one of the wonderful things about LSNTAP is that we're really trying to help bring up the whole community's understanding and knowledge and improve the practices of the broader community. And I think, to Jada's point, we're interconnected. And so our security is really dependent on the broader network or joint security. So I guess to the extent that, again, we have a range of folks from across the country and the community, if you wouldn't mind sort of sharing a little bit of your perspective, just in the chat, on what you're most concerned about and why you care about cyber incidents and cybersecurity, I think that would be sort of helpful as we proceed. And again, any questions that you have that you want to make sure we try to answer. So as I mentioned, we've got some great practitioners who are doing cybersecurity incident work and preparation work, sort of the preventative work as well as the management work, with us this afternoon. And having their experience, I think I'm just really delighted by, because while we see a number of incidents every year, they see many, many more. And so I think we're looking forward to hearing more, getting more of a big picture about how cyber incidents unfold.
And my question first to Kaylee, Dan and Elise is maybe if you could share how firms typically identify that there's been some compromise, and maybe the sorts of incidents that you're seeing that you're getting involved in. And I guess to the extent that there's some question about whether some activity on the network or with the system is related to some sort of malicious cyber activity or if it's just a poor configuration or poor management of the technology, how does that sort of play into the whole process of getting to the point where you're responding to something that you think needs all hands on deck?

Yeah, John, I'm happy to kind of kick off the discussion there. It's a really good question. And I think the answer can really vary in terms of how and when an entity starts to understand that it's dealing with a breach or a possible breach. So in terms of the main types of incidents that I'm seeing come across my desk, I think most incidents probably fall into four categories. So first, with some regularity, we'll see a pretty straightforward case of something like an inadvertent disclosure. So this is where somebody accidentally mails the wrong document or attaches the wrong document to an email and then sends that out to an unintended recipient. So in those cases, occasionally an employee might notice right off the bat that they've made an error, but more often that's coming onto the business's radar when they hear from that unintended recipient who's saying, I got something that doesn't pertain to me, what's going on? Another type of incident we see with some regularity is kind of the lost device incident, where an employee is on vacation and loses their cell phone. Or I was recently dealing with a client whose vehicle was stolen, and it just happened that her work computer was in the car when it got stolen.
So again, in those cases, as soon as the employee reports the incident, the business is aware and ready to start responding. In the more technical types of incidents, it's not always obvious as quickly that something is going on. And as you heard from Jada, kind of the two types of more technical incidents that we're seeing frequently are the business email compromise and the ransomware incident. So a business email compromise involves an unauthorized party, we often call them a threat actor, getting into the email account of someone in the organization. They're often able to do that using what we call a phishing email. So it's, as you may know, an email that is designed to look legitimate and to dupe that recipient into voluntarily providing their credentials, or username and password. And then once inside, we see the attacker doing one of a couple of things. Kind of to Jada's point, often we'll see them sending out additional spam emails, so kind of getting that person's contact list and then purporting to be them, sending out a bunch of additional emails, trying to collect more credentials. The other thing we will see them do is try to identify an ongoing conversation about a payment and try to insert themselves into the middle of that. And kind of again, by being tricky, pretending to be other people, redirect a payment that's supposed to go, say, to a vendor. They'll kind of trick someone into sending payment to an account that is controlled by that threat actor. So in terms of how a company is going to identify that one of those things is happening, occasionally we'll see technical controls that are in place that might start to kind of tip off IT. So maybe you've got an alert that would be triggered if thousands of emails were going out of one account in a very short period of time.
I think more commonly we see businesses become aware that something has happened when the recipient of one of those phishing emails reaches out to say, something strange is happening, I got this from you, I don't think it's legit. Or, in what can be an extremely frustrating situation, whenever an issue arises around the payment, right? So you've paid a bill, you thought you'd paid a bill, and then a month later the person you thought you paid is reaching out to ask you, when are you gonna pay that bill? At which point you go back and realize the person you thought you were dealing with by email was actually an attacker that had gotten into your account. And then lastly, with respect to ransomware incidents, and I guess as a preface, a ransomware incident involves an attacker getting into your system. Again, kind of with the financial motivation, here their method is extortion, right? So they get into your systems and then they lock everything up, encrypt your files so that you cannot access any of your files. And then the extortion can come in two forms, and more and more we're seeing attackers use both. One is telling you that if you would like to unlock your data, get access to your data again, you will need to purchase a tool from them that will allow you to unlock your files. Or two, and again often in combination, they will say that before we locked up your files, we also stole copies of some of your data that is sensitive, and if you pay us, we will delete it. If you don't pay us, we will publish it on the dark web. So in terms of how that type of incident is being discovered, again, there may be some controls in place that are identifying things like large volumes of data being copied out of the network. I'm working with a client right now who had that. They kind of had technical controls in place that helped them spot that a lot of data was going out.
And so they were actually able to stop the encryption piece from happening, although they were not able to stop the exfiltration piece. But I would say more often, we're seeing clients who are in a position where employees came to work in the morning and they couldn't get on their computer. Maybe they even could see a digital ransom note that's been left behind, displaying on their screen, that is the threat actor saying, you've been hacked, and if you'd like to discuss payment, contact us. So that's a lot of information, and I welcome Dan and Elise's thoughts as well, if they have other thoughts about how these things typically get on a business's radar. And I know as the conversation goes on, we'll talk about where a person goes from there.

Sure. Yeah, thanks, Kaylee. That's a great description and explanation of what we typically see. A couple other things that I find when we are talking about how organizations ultimately determine that there's been an issue. So Kaylee mentioned business email compromise. And in those situations, the threat actor typically does not want to make itself known, because they want to continue the damages as long as they can. They want to continue to be able to redirect emails or get inserted into the payment process between, let's say, an organization and their vendor. And as long as they can continue to stay in the environment before they're caught, so much the better for them. On the other hand, with ransomware, the threat actor wants to be known. The ransomware actor will leave a ransom note in most cases saying, this is what we've done and we've locked your files up. And if you want to recover your data, including data that we may have stolen and potentially will publish on the internet, here's how to contact us. And once you've done that, they'll demand a payment. So they're very upfront about it. So it really just depends on the motivation of the threat actor.
In some cases, we'll also see different types of intrusions where organizations very frequently now will use different types of cloud service providers or cloud services to either store data or run certain operations or systems, and they're dependent upon the third parties to ensure that their data is being protected correctly. In those situations, those third parties or vendors can be subject to different types of security incidents that impact their customers. And so in those situations, oftentimes once that vendor discovers that there's been some sort of intrusion or other incident, they'll notify the organization that's been affected by it. So it really will depend ultimately on the nature of the intrusion. And one thing I'll just mention, this is a common question that we get pretty frequently, whether or not certain types of organizations are targets more than others. There oftentimes is an assumption that the bigger organizations with the deep pockets, the ability to pay more, are more frequent or attractive targets. And we find that, apart from certain circumstances and exceptions where you may have, let's say, a nation-state actor which is intentionally targeting a particular type of industry or company, most threat actors are opportunistic. They will get in wherever they can. If there's a phishing email or a campaign that a threat actor is instituting, whoever takes the bait, that's where they'll go. It can be a multinational conglomerate. It can be a two-person CPA firm. It can be a small non-profit organization. Really doesn't matter. So Elise may have some other thoughts on that too.

Yes, I just wanted to echo what Dan just said at the end there, that we often work with companies or organizations that, prior to dealing with us, didn't think that they could be a target and didn't think they needed to worry about this type of thing.
So going back to what Jada was talking about at the beginning of the presentation, this is something that every organization does need to care about and plan for, because everyone unfortunately is a target.

That's really helpful. And I think it's really wonderful to point out that, again, there's the whole range of different types of cyber incidents too. And some of them, as you've just discussed, are sort of long-term compromises where they want to use your infrastructure. I remember years and years ago going into an office that had one of its servers full, and they couldn't figure out why the server was full. Well, it had been compromised, back when people wanted to store, I think, video files or games. Like they're basically using them as free cloud storage, and that's why they didn't have any room for their client files. So some of this is not necessarily shutting down your entire operation, but it's leveraging your operation either for some financial transaction or to attack others. So there is a pretty broad range. Joseph, do you have anything you'd like to add in terms of awareness around cyber incidents when they're occurring?

Yes, so as Kaylee was mentioning earlier, I mean, there's a lot of different alerts that an IT administrator can receive, and should be receiving, about sort of what's happening in the environment. So things like unusual sign-in activity from your email, from Office 365 or G Suite, saying Elise is always in New York and she signs in in New York and that's a normal occurrence, but then suddenly she signs in from Russia, China, India, all in the same day, which is just seemingly not possible.
So in those situations, you either need an administrator to act immediately or have a system in place that will act on your behalf and immediately lock out that account, and then run through the procedure of checking with the user, because you never know, maybe they figured out a way to teleport. But you could also figure out that that is malicious activity that's happening, and the password should be reset.

Thank you. So I guess back to Kaylee, Dan and Elise. So once, again, once a firm recognizes that there's some sort of cyber incident or breach or some sort of compromise, could you maybe walk through what you think of as some of the most important next steps for an organization?

I'll take the lead on that one to get us started. So I think, you know, I'll discuss it sort of at a high level, but it can depend on the type of incident that you're experiencing, sort of what your first steps or next steps would be. You may address it differently if it's, you know, an inadvertent disclosure versus a business email compromise versus a ransomware incident where your entire network is shut down and you can't do anything or access any of your data. So with that being said, though, I think the first step, really, once you know you're dealing with some type of cyber incident, is to identify internal and external resources to help you address the incident. And so many of your organizations may have an incident response plan, or you've heard of one. And in my experience, I don't really see organizations get out their incident response plan and follow it step by step during the incident, especially during a ransomware incident. I see the value in having the incident response plan as sort of identifying the resources, internal and external, that an organization has and identifying the people that need to be involved in responding to the incident. So having those ducks in a row prior to an incident is really valuable.
So, you know, once you've identified those people, you've escalated to the people within your organization that need to know about the incident, really your next steps would be, and there's sort of things that you do in parallel, but those would include reaching out to your cybersecurity insurance carrier. Sometimes that might be through your broker if you have one, and they will help line you up with external resources including legal counsel. And then typically, if legal counsel gets involved, we would then help you identify and engage additional external resources, including forensic firms that would help perform an investigation as well as make sure that the incident is contained. And so it's not spreading, or we wanna make sure that if the threat actor is in your email accounts or in your system somewhere, that we kick them out and keep them out. And things like that. If we're dealing with a ransomware incident, we may also want to engage a third-party negotiation firm that focuses on communicating with threat actors in ransomware incidents. And there can be a lot of reasons why you might want to do that. Even if you don't actually need a decryption tool because you have viable backups, you still may want to communicate with the threat actor to figure out how they got in, if they'll tell you, what data they took, things like that. And these firms specialize in that type of communication. You may also need technical support firms that we call helping hands, that essentially are there to augment or supplement your existing IT infrastructure. So either your internal IT or your external IT firms that help you on a day-to-day basis, you may need extra hands on deck to respond to an incident. And there are firms that specialize in that as well.
And finally, related to sort of external resources, there are some incidents where we may think about engaging a crisis communications firm. Typically, law firms who are helping you through an incident would be able to assist with any communications, but there are some situations where we might need a third-party crisis firm to help manage any social media posts or news coverage of an incident, which can happen, especially if it's a large organization hit by ransomware. And so, sort of talking about communications, and these things are happening in parallel as well, it's not like one step after the other, it's all happening at once. And you need to think about who you are communicating with and what you're communicating to those people. So you have internal stakeholders; some of them might have to communicate to a board, for example. So trying to figure out and make a plan for communicating with those stakeholders, as well as external stakeholders: you may have contractual obligations to notify partners that you have. We also need to think about what you need to communicate with staff. In a business email compromise, you may not need to notify or discuss with anyone other than the party whose email is involved, but you may need to notify somebody that received a phishing email, somebody outside of your organization. In the event of a ransomware incident, you may need to tell employees, give them instructions on what they need to do if everything is shut down. Do you tell them to go home? What do you tell them?
So sort of having that in mind, those communication plans, and legal counsel is there to help you through all of that too, which is why it's important to get us involved. But those are all really important things early on in managing an incident and responding to an incident. And in the case of a ransomware incident, it's really critical to have a way to communicate internally, as well as with your third-party vendors that are helping you respond to the incident, sort of out of band, is what we call it. So basically not in your own system. So normally you'd be emailing each other or using Teams or Skype or something like that to communicate with each other in order to respond to the incident. And when we identify an incident, we don't know right away what the threat actor has access to, what they can see, and oftentimes they have visibility into Teams or email, things like that. And we obviously don't want the threat actor privy to our discussions on responding to an incident. So our recommendation typically is to create brand new, like, Gmail or other free email accounts specifically just for this incident, with MFA. Make sure you have multi-factor authentication on those so that you can communicate securely and confidentially in responding to the incident, because we have heard of incidents where the threat actor actually was viewing all of the email communications or the Teams responses, or even joining calls. And so we don't want that to happen to anybody. And some other things regarding communications: we often notify law enforcement early on. In the case of a business email compromise, we often will notify the Secret Service. They have a task force that is geared directly toward addressing business email compromises and can sometimes help get funds back that have been paid to a threat actor. And in the case of a ransomware incident, we would notify the FBI field office that is responsible for handling and investigating the particular variant involved. They don't come in, as I see in TV and movies, where the FBI will come storming in with their laptops and they're all hands on deck helping you through an incident. They don't do that in real life. They do help give us some information about a threat actor, give us some data points that may help us in our response efforts. But really, it's great to have them as a partner, but it's really just a notification, that we just let them know that that's going on. And then I'll just, sort of very high level, talk about notification obligations. I won't go too into the weeds, because it's very specific to every incident, but these types of incidents do sometimes, and more often, as Kaylee mentioned, when data is being taken by these threat actors, there can be notification obligations to regulators and to individuals, which is another reason why it's important to have legal counsel help you through these incidents. And then finally, just a couple points on some communication missteps that I've seen. Really, you wanna be careful about what you're communicating and how you're communicating it. I really applaud organizations that wanna be transparent, but sometimes being too transparent or giving too much information too early can backfire. And we see, if we say too much now, for example, if we say personal information wasn't involved, and then a week later we find out actually the threat actor took data and we have to walk back those statements, that's not a good look. And we wanna make sure that we're being strategic about our communications. And just one specific example to end with is that just recently I was working on a ransomware incident with a large nonprofit, and they had had an employee click on a phishing link right before the encryption event, maybe two days before the encryption event happened. So the infosec team assumed that that was the cause of the incident, and they told everybody internally, and even some external stakeholders, that the cause of the incident was phishing. And it turns out that that was just a coincidence, and the phishing incident had nothing to do with the ransomware incident. And so, although it didn't really affect anything from a legal standpoint, it just wasn't a great look for the infosec team, who worked really hard and did a great job responding to the incident, but having to sort of walk back these things where there were very definite statements that ended up not being correct. So just wanting to be strategic about those things when we're responding to an incident, especially in the early days when we really don't know a lot of what occurred, is really important.

Wonderful, thank you, Elise. I don't know, Dan or Kaylee, would you like to add anything to that?

Just one other consideration I wanted to throw out there, and that's the importance of maintaining attorney-client privilege in the communications as well. So it is not uncommon for an external firm or outside counsel to engage a forensics firm and other third-party vendors under privilege, where the purpose of the investigation is to be able to provide enough information to external counsel to provide legal advice to the client. So whether there are certain analyses or conclusions that are reached based upon what these forensics firms are finding, we want to ensure that those are protected under privilege. Especially important because we do see a fair amount of litigation that often can arise out of these incidents, if there's personal information that's been compromised, credit card numbers, if there's a risk of identity theft. Depending upon the volume of that information, the number of individuals affected, that certainly can increase the risk of some sort of class action litigation. So ensuring that privilege is maintained is important. The second piece is instructing the client to ensure that the way they're communicating about the incident, either internally or externally, is discussed. Really, really key.
In many cases we've seen, from claims filed, where exhibit A is an email that's given by some information security or IT folks about, gosh, we knew it was only a matter of time that this vulnerability would come back to bite us, and gosh, if we had only decided to spend more money and increase our budget to improve our security, this may never have happened. The exact sort of thing that the plaintiffs' bar loves to see. So ensuring that, you know, during, well, it's really before, during and after an incident, but certainly during an incident, really working with clients to understand the effective ways to communicate: not to draw conclusions, not to use certain legal terms of art which can have certain ramifications when they're used, and really ensuring that they're not drawing any sorts of conclusions based upon oftentimes very limited information when it occurs. So that's an important concept too, I think.

Wonderful. Kaylee?

Yeah, no, I think that's all very true, and I completely agree with everything that both Dan and Elise said. I think the only thing I would add is just a quick plug for evidence preservation. I'm gonna try to avoid swerving into Joseph's lane here, but I think early on there's always a tension between kind of containing the incident, getting back up and running, and particularly I'm thinking about ransomware incidents, but also preserving that evidence that the forensic team is going to ultimately need in order to give us the best chance of understanding what happened. So I just put that in your mind to kind of be thinking about that. You know, we sometimes have situations where, kind of in order to contain an incident, clients have kind of wiped everything that they thought was infected, which can result in containing but also in losing that evidence. So it's just kind of, it's challenging, but even in those early hours, kind of thinking down the road about giving yourself the best chance to fully understand what happened can be really helpful.
Absolutely, and it's really interesting, and again, we've, I guess, had the privilege of working on some of these incidents and helping organizations recover, but yeah, the communication, the language we use. I mean, I think this is not stuff that you would just normally assume is what you should be doing. So I'm really glad to hear a lot of this, and I hope that, again, as I think folks tend to err on the side of transparency, we check ourselves a little bit to make sure that we do really fully understand, and that we bring in the forensic expertise, that what we think we know, we may not really know. And so we've got to be careful, and it's for liability reasons but also for confidence and trust reasons, if we're making misstatements along the way when we're recovering from something that can be kind of traumatic for a lot of people. So the next question is for Jada and Dina, I'm sorry, Jada, Dina and Joseph. And this, Kaylee, thank you for the transition, kind of shifts us back to what providers should be doing early on, on the tech front. And obviously there are a range of different incidents. So if it's just an email account that's compromised, it's one thing. But could you maybe share some of your experience, your thoughts on the initial technical response?

I can start. I would say, first of all, put someone in charge. You need a battle captain sort of person to manage the incident, and it should be someone who has the authority to tell people what to do, and they should manage it throughout. I would also say contact the experts as quickly as possible. Call your insurance company, get these folks like we're talking to today involved immediately, or as soon as you can, because while I have a wonderful IT staff, we don't deal with these incidents every day, and we could make really bad missteps if we do the wrong things.
And so I really, this happened to LSC last December, December 2nd to be exact, when we realized we had a pretty bad incident on our hands. I really welcomed the experts in and took their advice. Deena, do you wanna, what are your thoughts? And you're muted, sorry.

Okay, here we go. Boy, I'm really batting 1,000 today, aren't I, folks? Sorry about that. So I'm gonna, hi Jada, I'm gonna echo what Jada said. We were fortunate to have cyber insurance, which gave us access to all of the experts that you all have been talking to today. And I can't, we had two attacks in the past year that were just a couple of months apart, and I can't imagine sort of going through any of this without having the full team of the law firm, the cyber forensics, all of the stuff you've been talking about. Joseph, who is our external engineering team, who knew exactly what to do, getting in touch with the insurance company right away. That sort of whole first level of panic where you have to assess the damage and stop, make sure that someone's looking at stopping whatever might be going on, figuring out how to get your now completely overwhelmed, panicked staff password resets so they can at least get into 365, and you can't use any of your usual channels. So how are you gonna figure out how to get the information to people so that they can at least continue to do their work somewhat? And then third, how are you gonna communicate with them going forward? All your systems are compromised. What are you gonna do and how are you gonna do that? And that was our sort of, in the days and hours that followed both of our attacks, those were our sort of three primary focuses: security, access and communication. And I'll let Joseph say how all that happens since he's the one that did it.
So yeah, as Deena and I think others have mentioned before, there's the importance of the cybersecurity, a cyber incident response plan, is having that plan in place so that you don't have to do any thinking in these situations, because it is a bit of a panic moment. A bit is an understatement, but it is something you don't wanna have to think about. You just kinda wanna look at the plan and be told what to do in these situations, and that's always helpful. But I'd say what you certainly wanna do is establish that communication. You certainly wanna establish what's really happening. Make sure, confirm that there has been an attack, there has been a security breach. What's the extent of it? Look at the logs, look at the activity that's been going on, if it's been happening at three in the morning, if it's been happening from other countries. If your systems are somewhat interconnected, for instance, if your Office 365 is connected with your Active Directory and the attacker managed to get into Office 365, there's a very high potential that they could have gotten into your internal network via VPN or remote desktop or whatever method you use. So there is leakage there. You wanna sort of dive into all these systems and confirm what the real damage is. And you do wanna avoid certain steps. Like for instance, you don't wanna go in there as an IT administrator to start wiping everything, because that's a very big mistake in terms of forensics, and you wanna know what's going on, you wanna know what's there. I mean, if it was a ransomware attack and they left the ransomware note and you're blowing it away, then there's really no way to sort of get an encryption key if that's something that you need in your situation, or to be able to talk and negotiate with the attackers about whatever they may have exfiltrated from the environment. So yes, certainly there's things there with wiping things.
There's also the consideration of how do you deal with the systems that you know are infected. And so there is a step of shutting down a server, for instance, but then that also eliminates the memory that's running on that server, which again can be collected for forensic purposes. So your best bet is to actually, if it's a physical server, disconnect the NIC, or if it's a virtual server, disable the virtual NIC, so that you can kind of put it in an isolated state. It'll be running Windows, but it won't sort of have access to anything else in the environment, and hopefully stop the spread of infection if that's what's happening. But you wanna sort of do that with your servers, and then on your firewalls, you essentially wanna lock everything down. There should be nothing coming in and out of your environment at that precise moment other than IT for management purposes. So all outbound internet traffic, all internal access to your network, everything has to stop, which is what can be the most devastating part. This is why it takes on average 21 days to sort of come back to a full stage of recovery, even if that's accurate. I think that could even be longer depending on what the damage is. But yeah, you wanna sort of lock things down as best as possible in those situations. And then figure out who needs that limited access. So IT obviously is gonna need that access, but working with other staff members, maybe pulling certain very specific key data from a file server if an attorney needs it for a very specific case, plucking out what's needed in the environment to help at least get some of the business continuing to move as safely as possible.
And Joseph, I just wanna add something, when we talked offline, that you mentioned, that I think is worth just again throwing out there: that the value of documentation can't be overstated, that the better your documentation is on your whole environment, in-house and in the cloud, the easier it will be for you and others to help assess how do we at least get control of it and not necessarily destroy evidence but mitigate the ongoing harm or the data exfiltration. So the next question, again, back to our legal gurus, in terms of how cyber incidents typically progress. So we've identified it, we've sort of gotten the initial communication going with the management. What's the, I guess the anatomy of, not the murder but the incident, that folks should understand, sort of the typical progression from denial to acceptance or whatever.

Oh yeah. I can start with that. And by the way, the murder is not a bad analogy because I'll tell you, for most organizations it's the worst day in their professional lives when we go through this. So it feels like your business has been killed in many ways. And I just wanted to follow up on the point that you made, John, and Joseph as well, about the incident response plan. And this kind of ties into this point as well about what you can expect and what timing looks like and what does this look like when it progresses. Not only is it important to have a very well-written response plan that's been tested too, that the organization has gone through, they know it, they know how to proceed with it, but to actually have it printed out in hard copies. Worked with an organization not long ago that was hit with ransomware, and their beautifully written incident response plan was encrypted and no one could get to it. So no one had the opportunity to actually see it and follow it.
So have it printed, have it sitting at everyone's desk or in their office so they can grab a hard copy of it, along with phone numbers and email addresses, because those also can be encrypted so you don't know how to contact anybody. So just a little aside there, but as far as the timeline goes. So in some situations, and I think a number of the folks including Jada mentioned the importance of moving quickly and bringing in those experts quickly once you've discovered the incident. We find in some situations that organizations, especially those that need to get back up and running very quickly, they may be losing money on the hour, every hour they're down. So their first instinct is, let's get everything restored, let's get everything back up and running, and then we'll start to figure out what happened, because we've got to get the business up and running. Perfectly understandable. I use the analogy where you have this great forensics process where we stopped everything, we got all the forensic information and all the evidence over to the firm for them to investigate, but the business ultimately couldn't survive. So the operation was a success but the patient died. Not so much a good example of the result that you want. So sometimes in those situations the forensics firm may come in a couple of days later, after the restoration has already occurred, there's no evidence left, it's all been wiped, there's nothing to do. And so there's a very good chance, and we've seen it a lot, that you haven't actually ejected the bad guy from the systems, and you're just gonna be waiting for another attack because they're just lying in wait. But in general the forensic firm is there to do what, where, when, who and why. How did this happen and how do we prevent this from happening again? The process, and just to kind of give you some numbers of what you can expect, this is based upon what we've tracked as part of our team each year.
So in 2020 our team worked a little over 1,250 security matters on behalf of our clients, and on average, the point at which the initial occurrence of the incident begins to the point of discovery is on average about 12 days, which generally means that you've got the predator that's in the environment undetected until they make themselves known, or you have an IT administrator or somebody else discover the threat was there. Once the forensics firm ultimately is engaged, on average it takes about 36 days, based on our experience, for the forensic investigation to complete. Why does it take so long? Why does it take 36 days on average to complete that? So there's a few different moving parts here. There is oftentimes a lot of evidence that the forensic firm is looking to collect. There could be lots of systems, lots of different locations that the organization has, all with different types of logs, images of systems that need to be collected while everyone is scrambling just to keep the business front. That can take some time. Finding ways in which to collect that and actually transmit that to the forensic firm so they can start investigating. Once that's all collected, depending upon the volume of that information, it's going to take some time to push through that. And so that's kind of built into that 36-day average timeframe. So what are they looking for? And what does this process typically look like? Well, obviously on day one, I think there's a number of folks who've mentioned, you want to get that guy out, want to get containment so that the infection isn't ongoing. We also want to identify what type of information has been impacted. Has there been, apart from just maybe encryption in the event of a ransomware incident? I think, as Kaylee mentioned earlier on, it's very common now for these ransomware actors to steal data as a second extortion habit.
So if you've got good backups of your data and you don't need to actually purchase a decryption key from the threat actor to decrypt your data, well, the threat actors say, look, you know what? We'll also steal your data and print or publish it as another way to extort you to actually pay the ransom. So how do we know whether or not this is something that we care about? Part of the forensic investigation is going to identify to what extent, if possible, any data was actually taken. How much, what type, when was it taken, et cetera, so we can make a determination of, do we need to get into discussions with a threat actor to prevent that data from being published? It's a particular risk because threat actors, especially some of the more sophisticated ones, are better at identifying what sensitive information an organization has. They know, and these are not business majors by any stretch, or financial or accounting experts, but they know enough that social security numbers are important. They know enough that financial account numbers are important. That's going to get an organization's attention. They're gonna know that if employee social security numbers are threatened to be released, or credit card numbers, that's going to get the attention of the victim organization and generally gonna get you to start communicating with a threat actor's potential negotiator. So we wanna be able to determine as best we can, as part of the forensic process, what information may have been compromised. Sometimes a threat actor will give you examples of what they've taken. Sometimes in the ransom note, though, they'll say we've stolen data from you. And once you've initiated those communications, sometimes they'll give you some examples of what they did take. Once you've seen those, generally you can say, well, I know where that type of information is stored in my system, so I can look to see what else might have been in that same file or on that same server.
And I can then start to extrapolate, well, there's a good chance they may have taken more of that same type of information. So when does it make sense to negotiate? Very common question we get from most of our clients, especially in ransomware matters: should I pay the ransom? And the truth is, there's no really right or wrong answer here. Some organizations will have philosophical positions that we just are not going to negotiate with terrorists or extortionists, we're not gonna pay criminals, we're just not doing it. Sometimes they'll build that into their own policies. It's just, you know, thou shalt not pay criminals. We're not gonna pay ransom. Well, that might be fine until you find yourself in a situation where you don't have any other option. The business literally is going to shut down because you have everything locked up, you can't get access to data, you can't run your operations, your applications, you can't service your customers, unless you're actually paying for decryption. Tough spot to be in. That oftentimes can be an easy decision at this point because we don't have any other options. But oftentimes you find yourself, or the client finds itself, somewhere in the middle where maybe you've got some backups, maybe you don't, we're not quite sure because no one's checked for a while. Or we've got some backups that are maybe 30 days old, 60 days old, maybe older. Can we work with those? Maybe, maybe we can't. So now we have to start going through this process and determining what is the value of trying to restore data or rebuild or recreate data versus taking data that might be old. Can we still work from that? And of course, what is the threat actor demanding? You know, depending upon the organization, whether there's cyber insurance that will cover all or some of that ransom payment, and whether or not ultimately the value of decrypting that data is worth the actual value of the decryption key. So those are all determinations as well.
Once data has been compromised, especially personal information. So once it's been encrypted, once there's some evidence from the forensics firm that sensitive or personal information has been accessed, generally at that point, most state breach notification laws are going to require individuals to be notified if their sensitive personal information has been compromised or accessed. Many times state regulators have to be contacted as well. So whether or not that data ultimately is released by the threat actor because they've stolen it won't change the obligation to notify those individuals. So if you have to notify those individuals anyway, does it really make sense to pay the threat actor to suppress the publication of that data if we have to notify affected individuals? So many organizations will take the position, it really doesn't help us that much, and it's really not worth potentially hundreds of thousands of dollars more to pay a ransom to prevent publication of data that's ultimately subject to notification obligations. Another question that comes up: well, if that data is ultimately released, do I need to worry about potential liability? Is my organization, what does this mean for my employees, my customers, other third parties whose information has been impacted? What do I need to concern myself with? The first thing I generally tell folks, most threat actors, they will have what they call their leak sites. These are the sites where they will publish the data that they've stolen if a ransom payment isn't made. Generally, this is not the type of site that you're just gonna Google and find. So if you're typing in, my data was compromised or stolen in the result of one of these incidents, and you type in, you know, Dan Pepper, social security, and other, chances are it's not gonna come up in the search result. There's a little bit of effort required in order to get to that information. So it's not readily available.
But many of these threat actors, what they will do is, there's a secondary market on the dark web where they'll look to monetize that data if they're gonna publish it. So they'll look to potentially share that or sell that with other threat actors in a downstream effect to try to monetize or make some money off of that data, or potentially use that for some sort of identity purposes. So those are all things that they consider. And those all potentially raise liability risks if you're considering whether or not to pay the ransom. And depending upon the volume of the information, sensitivity of that information, as I mentioned earlier, that might increase litigation risk. So that's part of the consideration there.

Thank you so much. And again, I mean, I think that the value of sort of working through, each organization working through how this might progress, understanding maybe some of the variables so that you're better prepared. I'm just, again, I really appreciate sort of understanding, again from your experience and Elise and Kaylee and Jada and Deena, that this is just a really valuable exercise. And it might even be worth it for some of the providers to really do sort of a mock cyber incident and try to walk through how that fire drill, how that would really unfold, and test it like we test some of our disaster recovery preparations. Thanks again to LSC's leadership in helping to kind of move the community forward on that front. I want to, because of where we're at on time, I want to actually move forward a little bit in terms of, again, the recovery, any kind of additional recovery pieces that Jada, you or Deena or Joseph want to add. And if you could each maybe take about a minute on that, because I want to make sure, I haven't seen too many questions, but I want to make sure that we reserve a little bit of time for questions from the folks participating today.

Sure, I could jump in first.
So it's certainly, and this was mentioned earlier, about sort of password resets. I mean, the first thing you want to do is of course make sure that you've kicked the attacker out of your environment. Cause if one of your very first steps was to reset people's passwords in the environment, the ones that you think are compromised, but the attacker's still in the environment, I mean, they're just going to still have access to your environment. It doesn't really change anything. So you certainly want to kick everyone out of your environment and then work towards, most likely, password resets if they got in. And that applies to just about any system you're dealing with. There are, as mentioned, the backups you have in your environment. So hopefully you have functional backups and you've been testing them. But what you want to watch out for, and this is where the forensics is very important, is making sure when the attacker actually got into your environment, because they may have gotten in today, which is great, then you restore from yesterday, or they may have gotten in a month ago, and hopefully you have the logs that can show that, but if they got in a month ago, then you can't restore from yesterday. It's possible they may have dropped some sort of system to remote access into the environment or some other method for them to sort of regain control even if you restore from a backup. So there may be situations, and this will likely be through the attorneys and the security company you work with or the forensic company you work with, they may provide you the recommendation on what to do in terms of how to restore your environment, whether that means restore the entire image, which is great because then that saves you time, or they tell you only restore the files, which means you're gonna have to rebuild a Windows server from scratch and just restore your data because they simply don't trust what's on those backups.
And then I'd say for security improvements, I would also include, if you got phished because somebody got in by an email but you don't have MFA, like that's a problem, that's a security feature you should turn on. And if it resulted in a security breach and you've cleaned up that mess and you're like, great, all right, let's go back to business as usual, like that's not a good idea either. You certainly want to implement MFA and sort of plug that hole, that gap, as quickly as possible, ideally before you sort of reopen the doors again, because you're just gonna put yourself back in a position of risk if another user gets phished again.

Jada, Deena.

So I agree with everything Joseph said, and when I think about this, I think it's important to learn from each event, and hopefully you don't have a lot of events. But after our event last December, we took a look and said, what can we learn from this, how can we make sure this doesn't happen in the future, or what can we do to help it not happen, because you can't be 100%. In our case we made a lot of changes. We implemented a new vendor portal so that banking changes go through that and individuals can't make them. We changed processes in our accounting shop. We implemented multi-factor authentication for even our grants management system, which drives people crazy to no end, but it's really necessary. We implemented so many technical recommendations from the company that our cyber insurance brought in to review our network and systems. And so I think it's important, every time this happens, to make changes.

Thank you. Deena?

I'm unmuted now.
Yes, agreeing heartily with Jada and Joseph, I guess, and maybe you've talked about this earlier, but the part that I would add is the balance between, it was a big cultural change for our users, their need to get work done, to get back to work, and you having to be sort of the gatekeeper of when that can happen in a secure way. So making sure that you have your senior management staff wholeheartedly involved in all of your meetings, that your senior staff isn't subverting your own security, keeping all of that understanding and really prioritizing the security over the access, which can be really difficult, especially in our offices where there's so much of a need for people to have access and do. But there is sort of a finite amount of time where now you have their attention, because everybody's traumatized, and trying to, as Jada said, learn from that moment and seize on that moment and try and move your organization forward into that sort of more secure realm and awareness. I just wanna recognize Daniel for his short comment that this can be the most stressful thing that anyone deals with in their career. I am like eight months out of this and just really still cleaning up from it, and it's like PTSD listening to all of this. I'm like, oh, the contact with the bad actors, oh, the negotiation. I mean, it's so important that you have the right people on your team. I mean, you don't wanna try and handle this alone.

So I wanna, there are a couple more questions I'd like to ask the panel, but I really wanna make sure that if folks who have called in today have any questions, that they post them in chat. One question that I did get was, I guess to the extent that an account's compromised, in this instance, a fake job posting gets put up and you have applicants, this is the scenario, applicants for the job posting who are responding.
I mean, is there, I guess I'm trying to abstract this a little bit, but what's our obligation to, I guess, and maybe this is too generic to answer, right? To notify people who in this case might have applied for a job that doesn't exist and maybe sent their resume to Russia or China or just to some bad actor domestically. Do we need to sort of figure out who might have responded to this? I mean, I know that within the legal aid community, even with government agencies that we've worked with, sometimes one person will notify the other organization, we think that there was a compromise, and I think we always appreciated, and I guess we always expect that we're going to do the same. But any thoughts on, beyond sort of, I guess, the disclosure requirements, this is sort of somebody who might have been hoodwinked.

So I think I'll jump in. I think as far as disclosure requirements go, typically the way the data breach notification laws are worded, the data owner has the obligation to provide notice to individuals whose personal information was involved in an incident. So one sort of tricky thing with the scenario you described is determining who's the data owner. You know, if your organization's system was actually somehow compromised and somehow they added something to your website or something like that, that would be a scenario where you may decide that you need to notify individuals of that. But the other thing too, though, is that in the United States at least, resumes typically don't have information contained within them that would rise to the level of personal information that would trigger a notice obligation. Other countries do often include things like a passport number or, you know, date of birth, things like that I've seen in other resumes.
I'm not sure how that would really play in, in that kind of scenario here, but I think it would be really difficult in that situation to identify who sent, you know, their resume to the bad actor, because I would assume that the bad actor would put, you know, whatever email address they created for the scenario. So I think it'd be really difficult to determine who you needed to notify. But again, if it's somebody from the US sending their resume, I think typically that wouldn't trigger notice, but it would be unfortunate. We've seen some scenarios that I wouldn't really call a cybersecurity incident or a breach, but something like where somebody's website is being spoofed or something like that, which is not really a cybersecurity incident in a strict sense but is something certainly that organizations do have to sometimes deal with, unfortunately.

And I guess again, it's sort of like the value of talking with counsel, or sort of analyzing each situation on its fact pattern and making a judgment call, because it may also be your brand, it may be your trust in the community, it may not be an obligation, you know, that the state statute prescribes. So I don't see other questions. Hopefully we haven't, I don't think we've traumatized people too badly today. I think that this is, you can get through it. I mean, I think that, as hard as it is, you can get through it. What we want is for there to be fewer incidents, and for the response to be as, I don't know, orderly, as thoughtful and rapid as it can be, and that you're preparing for it by reducing some of your risks, like not having logs, that Joseph mentioned. So if you have, you know, log retention, if you've got more data for the forensics teams, they can help identify more of what's gone on. Or if you're not collecting social security numbers, or you're limiting the number of folks that you keep that information on, what can you do so that if you are compromised, the size of that damage is lessened.
So I guess maybe on that vein, and this is sort of a question to the whole panel, based on your perspective and experience, what do you think would be the top thing that you suggest organizations change today to have a better, a more restful night's sleep when they start to think about cyber incidents?

I can jump in. I think from the technical standpoint, and probably the biggest one I'd say that should be implemented across the board, is multi-factor authentication. And most people will think, okay, yeah, I'll get MFA turned on on my email and then just kind of call it a day, but it's really not just that. If you're doing some sort of remote access into your environment with a VPN or remote desktop or some other method, LogMeIn or these third-party systems, make sure that has MFA as well. If you have a case management system that's online, if your accounting system, anything and everything should be covered with multi-factor authentication. And in those situations, I mean, there are users who will dislike it a lot, but it's just really a matter of, and maybe this doesn't apply everywhere, but when I leave my house, I bring my keys with me, and that's basically multi-factor authentication. In order for me to get back home, I have to use my keys.

Mm-hmm. Thank you, Joseph. Jada?

Can I add on to what Joseph said? When you're buying new services, don't buy them if they don't have, if they don't support MFA. I can't, I'm having this struggle right now, and boy, does it drive me crazy. But that's what I would say, don't even consider them, and tell the vendor why you're not buying them. And then the policy thing that I would say is, think about how you're gonna handle this sort of thing ahead of time, put a policy in place. I think Elise said earlier she finds that most of her clients don't follow that policy step-by-step.
We didn't follow our policy step-by-step either, but at least we had something written down that guided us, and it was sort of a backbone for how we handled things. And I would suggest to everybody to write down your incident management process.

Wonderful. And sort of a preview of the ITC conference session: we're not gonna do, we're gonna try to do a little workshop on incident response policies.

I'll throw my two cents here. I say, and this is true for almost any organization, get rid of data you no longer need. Storage is cheap. Two thumbs up. I think John, you mentioned earlier, you see these hacks come in, people would try to, well, like use server or file space to save data because it was expensive to do it yourself. Now no one cares, right? It's cheap, you can just keep buying more and more. And so organizations will just say, well, look, it's not costing me anything to keep data going back 10, 15, 20 years. I got customer data, I got employee data going back. I'm keeping it, you know, sensitive information in my email account because, who cares? I can do it and it's not costing me anymore. And that's exactly the type of risk you're now increasing, because once a predator gets into your environment, they've got this treasure trove. So if it's not there, there's nothing to take, there's nothing to compromise, whether you moved it out, you've archived it, you've deleted it. Probably one of the biggest things right there, I think from a data governance perspective, organizations can do it without a risk.

Great, great. Kaylee, Elise, Deena.

I'd mostly just be echoing what the others are saying. I just would have said, because my top hit list is, you know, MFA right away. Oh my God, those logs. Make sure that you've got, like, detailed logging turned on, because you wanna know what happened and it can really inform you going forward. And so that's something you can do in the beforehand.
Like I started, since you're covering all the big, you know, the biggies, it's like, what can you do really fast? What can you do today? That's like really easy. Do that right away. And retain those logs, make sure you keep them. Make sure that everything, your firewalls, your servers, like all your logging is on. It can be, you know, really, really helpful, so.

Thank you. Kaylee, Elise.

I agree with what everybody said. Go ahead.

That's a thumbs up. Excellent. Well, I really appreciate everyone joining today, and my special thanks to the panel. I hope this was useful for everyone who joined in, and again, wanna urge you to look at the other sessions that we've done as part of this series. And I'm looking forward to the ITC conference, where we're gonna do another somewhat similar session with a slightly different focus, and working with Lideodra and finishing up the cybersecurity toolkit, which will be sort of a starting point and hopefully a launching-off point to help the provider community move forward in some significant ways to advance their own cybersecurity practices and readiness. So thanks again. I hope everyone has a great holiday. Coming up in several weeks.