Blog

How Semi-dry ink turned into my Worst CISO Monday Morning

Written by Eyal Benishti | Jan 25, 2016

“That’s Crazy— We’re keeping all our user’s data in a f*cking vault ” I shouted a second before I hung up my car phone, on my way to drop my kids off at school. I kissed them goodbye, and secretly wished I could join them that day.

Mondays seemed to be hectic around here lately, but this one was about to enter the hall of shame big time.

After surviving a 6 months crazy due-diligence period, all was set to greenlight the M&A. Friday signed-off with a smell of semi-dry ink on recently printed legal docs, trumping the air circulation. We all had our ultra-happy weekend smiles on.

Parked. Took a long deep breath and there they were, all lined up to “greet” me as I approached. Our CEO, CFO, CIO, CMO, PR, an FBI agent and my team. My worst CISO nightmare...the moment I feared the most was all over the news by now:15M personal records, swiped and held hostage by Blackhats…

A well-designed message decorated our screens –

“Good Morning, we’ve encrypted your customer data files. Failing to pay by Midnight will result in publishing all those personal records publicly.”

I was well aware of ransomware but that was the first time I’ve ever heard of an ultimatum given, with a threat to go public with the hijacked data. To my utmost surprise, a simple “Just pay them and let’s get it over with” came from the unexpected FBI direction.

The Act

We’re 15 min before the first press conference. While our Spokesman was busy briefing our frustrated CEO, I could just feel his eyes staring at me, looking for some redemption. I could feel his disappointment but I had nothing.

Forensic time. My team and I are all over the place. Sniffing around for some breadcrumbs, footprints, origin, anything. CSI mode of collecting evidence from a crime scene.

What went wrong? What went wrong? We’ve literally built an IT fortress around our sensitive data. We’re fanatic about access & permissions, we’re training our employees, and have spent loads of money on malware protection.

A fully halted M&A process and 10 sleepless nights later, we had it all figured out. It was Dave. Dave from finance.

Dave is very active within his social networks and joined us 7 months ago to lead the M&A project. It took him no more than 2 days to have the entire CFO team included within his network. Now, as this was his first M&A deal, it took him just a few weeks to start spreading hints about the deal, sharing deal-related items on LinkedIn in times we were all stealth.

Dave got an innocent “Last document to print out” email with an attachment, a few days before D-day. Actually, the whole CFO and legal team received more or less the same email.

Five well-aware employees immediately deleted that email, as they suspected it of being spam/phishing. Three didn’t even notice the email, and seems that two responsible guys have forwarded that mail to my SOC team.

We scrolled down through more than 800 Emails our SOC team had received that week.

S*it…we’ve missed those two Emails reporting on that suspicious “Last document to print out” Email.

A twisted episode of the “when Whaling meets Ransomware” attack. This was the iceberg we had run into (or better off, the iceberg that run into us..)

Here’s what actually happened behind the scenes:

The Hacker social engineered around Dave as a Whaling target.

A highly relevant mail was sent to dave.

The hacker decided to expand the attack and targeted the CFO and Legal teams, as the map was at his feet.

Dave opened the attachment.

A CryptoLocker was propagated by the Attachment.

The CryptoLocker, once activated started encrypting files and network drives.

End of story.

Epilogue

Zooming back to our Highly trained CFO and legal teams we had:

5 that spotted and deleted

3 that did not notice

2 that spotted and reported but didn’t get to the top of the stack..

And of course, our good old Dave who got lured without even knowing…

As an organization, we should have been able to mitigate the attack.

We had to be able to leverage the awareness of at least some of the team members, but we missed it.

We ended up paying, and yes, we were very quiet about it, though legally paying ransomware is no crime.

I ended up keeping my seat, but boy, I’ll never forget that early morning Phone call that made us all flip over. So please don’t call me early on Mondays…

The going gets tough and will probably get tougher as time goes by.

Hackers are laser-designating our guys. We must go beyond.

The shocking truth

Sharing some data, released earlier this year by ThreatTrack. Their study, conducted by Opinion Matters covered a blind survey of some 250 security professionals at U.S.-based companies, shows that –

Overall, 30% of the organization say they would negotiate with cybercriminals for the safe recovery of stolen or encrypted data;

That number jumped to 55 % when asked of organizations who’d been victims of cyber-extortionists before.

The Threat Track survey hints that the issue is, indeed, more widespread. When asked if they believe other organizations have negotiated with cybercriminals, 86 % of all survey respondents said “Yes.”

Some even went so far as to suggest that organizations start preparing now.

23% of all respondents, and 43 % of those who’d already been cyber-extortion victims, said organizations should set money aside for the purpose of paying ransoms.

59% of all respondents and 74 % of respondents who were prior ransomware victims say that cyber insurance providers should hire professional negotiators to act as the liaison between victim organizations and the criminals.