Key Takeaways: From Chaos to Control: Mastering modern incident response
Executive Summary
The webinar "From Chaos to Control, Mastering Modern Incident Response" covered ransomware as a service, business e-mail compromise, wire fraud, regulatory enforcement, and shifts in how states and attorneys general (AGs) construe and enforce breach statutes. The presenters, Colin Battersby and David Lane from McDonald Hopkins' Data Privacy and Cybersecurity group, discussed the prevalence of ransomware and e-mail compromise incidents and emphasized preparedness and response strategy. They highlighted the increasing sophistication of threat actors, the role of social engineering in breaches, and the evolving regulatory landscape. The session also addressed the practical difficulties of managing an incident: legal obligations, notification requirements, and the decisions around ransomware payments and data recovery. Robust security controls, employee training, and a tested incident response plan were underscored as the means to reduce risk and meet regulatory standards.
Speakers
- Colin Battersby, CIPP/US, Member, McDonald Hopkins
- David Lane, CIPP/US, Attorney, McDonald Hopkins
Key Takeaways
1. Business Email Compromise: Business e-mail compromise (BEC) remains the most common incident. It exploits the human element and typically leads to unauthorized mailbox access followed by financial fraud.
2. Ransomware Data Extortion: Ransomware attacks are increasingly involving data theft and extortion, with 26% of victims paying a ransom to recover encrypted data.
3. Ransomware Service Proliferation: Ransomware as a service is proliferating, allowing more individuals with malicious intent to conduct sophisticated attacks, increasing uncertainty in response and recovery.
4. Aggressive Regulatory Enforcement: Regulatory enforcement is becoming more aggressive, with states like New York and federal entities like the HHS Office for Civil Rights (OCR) conducting thorough investigations and, where warranted, issuing fines.
5. Expanding Statutory Amendments: Recent statutory amendments in states like Pennsylvania, New York, and Oklahoma are expanding definitions of personal information and imposing stricter notification requirements, reflecting evolving legal landscapes.
Key Quote
The ultimate goal for the threat actors and the BEC attacks is to gain unauthorized access to the e-mail account. And once they are there, they often will take measures to make sure that they're not detected and they're able to do the type of surveillance that they want to do in order to gain access to the account or in order to effectuate the compromise itself.
FAQs: From Chaos to Control: Mastering modern incident response
General Incident Response
1. What services does McDonald Hopkins offer in the area of data privacy?
McDonald Hopkins offers pre-breach services, policies, procedures, training, incident response preparedness, IT regulatory defenses, and privacy litigation.
2. How many attorneys are part of McDonald Hopkins' data privacy team?
The team consists of 54 attorneys with 20+ industry specializations.
Business Email Compromise (BEC)
1. What is a business email compromise?
A business email compromise (BEC) is an incident in which threat actors exploit the human element, posing as familiar or trusted parties (a vendor, a colleague, an executive) to gain unauthorized access to email accounts.
2. What are common tactics used in BEC attacks?
Common tactics include phishing emails with malicious attachments or links, social engineering, and bypassing multi-factor authentication through methods like session stealing (reusing a victim's authenticated session cookie or token, so no second factor is ever prompted) and MFA bombing (sending repeated push prompts until a fatigued user approves one).
3. What is the main goal of threat actors in BEC attacks?
The main goal is to gain unauthorized access to email accounts, then remain undetected while conducting surveillance: monitoring communications, learning payment workflows, and ultimately misdirecting payments for financial gain.
4. What should organizations do if they suspect a BEC attack?
Organizations should promptly notify law enforcement, ask the sending bank to request a recall of the funds (recovery odds drop sharply as time passes), and consider engaging experts in fund recovery.
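The two MFA-bypass tactics named above leave distinctive traces in sign-in telemetry: MFA bombing shows up as a burst of unapproved push prompts for one user, sometimes followed by an approval; a stolen session shows up as one session identifier used from a source address other than the one it was issued to. The following detection logic is an added example, not code from the webinar or from McDonald Hopkins. The log format, field names and the sample events are constructed for illustration; a real deployment would read the equivalent fields from the identity provider's sign-in and audit logs.

```python
"""Detect MFA push-bombing and session-token reuse in constructed sign-in telemetry."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data). One event per line:
#   timestamp user event result source_ip session_id  ("-" = no session yet)
SAMPLE_LOG = """\
2024-03-04T09:00:05Z alice login success 198.51.100.10 s-a1
2024-03-04T09:10:00Z alice mfa_push denied 203.0.113.7 -
2024-03-04T09:10:40Z alice mfa_push denied 203.0.113.7 -
2024-03-04T09:11:15Z alice mfa_push timeout 203.0.113.7 -
2024-03-04T09:11:50Z alice mfa_push denied 203.0.113.7 -
2024-03-04T09:12:30Z alice mfa_push denied 203.0.113.7 -
2024-03-04T09:13:05Z alice mfa_push approved 203.0.113.7 s-a2
2024-03-04T09:14:00Z alice login success 203.0.113.7 s-a2
2024-03-04T09:20:00Z bob login success 198.51.100.22 s-b1
2024-03-04T09:21:00Z bob mfa_push denied 198.51.100.22 -
2024-03-04T09:45:00Z bob mfa_push approved 198.51.100.22 s-b2
2024-03-04T10:30:00Z alice mailbox_access ok 192.0.2.55 s-a1
2024-03-04T10:31:00Z bob mailbox_access ok 198.51.100.22 s-b2
"""


def parse_events(text):
    """Parse the constructed log format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result, ip, session = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "result": result,
            "ip": ip, "session": None if session == "-" else session,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_mfa_bombing(events, threshold=4, window=timedelta(minutes=10)):
    """Alert when a user receives >= `threshold` unapproved MFA prompts inside
    `window`, and record whether an approval followed the burst (the case in
    which the fatigue attack actually succeeded)."""
    alerts = {}
    pending = defaultdict(deque)  # user -> timestamps of unapproved prompts still in window
    for e in events:
        if e["event"] != "mfa_push":
            continue
        user, q = e["user"], pending[e["user"]]
        while q and e["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if e["result"] in ("denied", "timeout"):
            q.append(e["ts"])
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {"first": q[0], "approved_after": False})
                alert["prompts"] = len(q)
        elif e["result"] == "approved":
            # An approval while a burst is still inside the window means the
            # user accepted a prompt they most likely did not initiate.
            if len(q) >= threshold:
                alerts[user]["approved_after"] = True
                alerts[user]["approved_at"] = e["ts"]
            q.clear()  # a legitimate approval ends the sequence either way
    return alerts


def detect_session_reuse(events):
    """Flag a session identifier presented from a source IP other than the one
    it was first issued to, a common trace of a stolen session cookie/token."""
    issued = {}  # session -> (user, ip) at first sight
    findings = []
    for e in events:
        session = e["session"]
        if not session:
            continue
        if session not in issued:
            issued[session] = (e["user"], e["ip"])
        elif issued[session][1] != e["ip"]:
            findings.append({"user": e["user"], "session": session,
                             "issued_ip": issued[session][1],
                             "seen_ip": e["ip"], "ts": e["ts"]})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, a in detect_mfa_bombing(evs).items():
        print(f"MFA bombing: {user} got {a['prompts']} unapproved prompts from "
              f"{a['first']:%H:%M}; approved afterwards: {a['approved_after']}")
    for f in detect_session_reuse(evs):
        print(f"Session reuse: {f['user']} session {f['session']} issued to "
              f"{f['issued_ip']} but used from {f['seen_ip']} at {f['ts']:%H:%M}")
```

In the sample, alice's five unapproved prompts followed by an approval fire the bombing alert, while bob's single denial followed 24 minutes later by a normal approval does not; alice's original session `s-a1` is then seen from a third address, which is the session-reuse finding. Tuning the threshold and window to the organization's normal prompt volume is the main operational decision, and the "approved after a burst" flag is the one that should page someone.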
Ransomware
1. What is ransomware?
Ransomware is malware that encrypts data, effectively locking it up; the operators then demand a ransom in exchange for the decryption key.
2. What are the two main types of ransomware attacks?
The two main types are encryption-based attacks, where data is locked up, and pure data theft scenarios, where data is stolen for extortion without encryption.
3. How often do organizations pay a ransom to get their data back?
Approximately 26% of organizations pay a ransom to recover encrypted data, and that share is decreasing as backups and awareness improve. Paying is no guarantee of recovery, since attacker-supplied decryption keys may fail.
4. What is ransomware as a service?
Ransomware as a service is a business model in which a core group develops the malware and infrastructure and provides it to affiliates, who perpetrate the attacks, handle negotiations, and split the ransom payments with the developers.
Regulatory Issues
1. Which states are known for following up on data breach notifications?
Indiana, Massachusetts, North Carolina, Connecticut, Florida, and New York are known for following up on data breach notifications.
2. What are common issues regulators look for in data breach investigations?
Regulators look for weak passwords, lack of MFA, outdated policies and procedures, insufficient employee training, outdated software, slow detection of intrusions, poor vendor management, and retention of old data.
Statutory Amendments
1. What recent changes have been made to Pennsylvania's data breach notification statute?
Pennsylvania now requires notification to the Attorney General if 500 or more individuals are impacted and mandates credit monitoring if certain sensitive information is involved.
2. What amendments have been made to New York's data breach notification statute?
New York now requires notification within 30 days and includes medical and health insurance information within the definition of private information.
3. What changes are coming to Oklahoma's data breach notification statute?
Starting January 2026, Oklahoma will include unique electronic identifiers and biometric information in the definition of personal information and require notification to the Attorney General if 500 or more residents are impacted.
Blog: Mitigation Strategies and Compliance for Ransomware and Business Email Compromise
In today's digital landscape, businesses face significant cybersecurity threats, particularly ransomware attacks and business email compromises (BEC). These incidents pose severe financial risks and challenge organizational integrity and trust. Understanding these threats and implementing robust incident response strategies are crucial for maintaining control and minimizing damage. Ransomware has evolved into a major threat involving data theft and extortion, highlighting the need for comprehensive backup strategies. Regular and secure backups can enable organizations to restore data without paying ransoms. Despite this, many organizations remain unprepared, lacking viable backups and facing difficult recovery decisions.
Ransomware and BEC: Mitigation Strategies and Regulatory Compliance
Ransomware attacks encrypt victim data, making it inaccessible until a ransom is paid. While some attackers steal data for extortion without encrypting anything, most still encrypt. Despite the growing sophistication of these attacks, organizations are getting better at limiting their impact through better backups and increased awareness, which is leading to fewer ransom payments. Paying does not remove the risk of data loss: decryption keys supplied by attackers may fail.
Business email compromises (BEC) exploit human elements in cybersecurity, often through phishing emails that trick recipients into revealing sensitive information or performing unauthorized actions. These attacks leverage trust in business relationships, with threat actors posing as vendors, colleagues, or authoritative figures. Despite training and awareness programs, BEC incidents remain successful, necessitating ongoing vigilance and advanced security measures. Financial implications include wire fraud and payment misdirection, leading to immediate financial loss and legal and reputational challenges. Organizations must navigate notification obligations under data breach laws, manage communications with affected parties, and engage in fund recovery efforts, often requiring law enforcement and specialized legal teams.
Effective incident response combines preventive measures and reactive strategies. Organizations should invest in robust cybersecurity frameworks, including multi-factor authentication, regular security training, and advanced threat detection systems. A well-defined response plan is critical, outlining steps for containment, investigation, communication, and recovery. Collaboration with forensic experts and legal counsel ensures compliance with regulatory requirements and mitigates potential liabilities.
Cyber insurance is crucial for managing financial risks associated with ransomware attacks. Most policies cover ransom payments within limits, but organizations must consider the broader implications of depleting policy benefits, which also cover recovery costs, notification expenses, and legal fees. Decisions on ransom payments should evaluate data necessity and overall organizational impact. The concept of "reasonable and necessary" expenses in cyber policies can complicate ransom payment approvals.
Ransomware tactics have evolved to include double extortion, where data is both encrypted and exfiltrated, with threats of public release if the ransom is unpaid. This shift introduces significant reputational risks. Organizations are advised against paying for data suppression unless absolutely necessary, focusing instead on robust cybersecurity measures, regular backups, and comprehensive incident response plans.
Ransomware as a service (RaaS) has democratized access to sophisticated ransomware tools, increasing the frequency and diversity of attacks. Affiliates in the RaaS ecosystem introduce uncertainty into response and recovery, as they may lack technical expertise and reliability, complicating negotiations and decryption. Identifying the entity behind an attack before any payment is essential: paying a sanctioned party (for example, one designated by the US Treasury's Office of Foreign Assets Control) can itself expose the victim to legal repercussions.
Regulatory scrutiny is intensifying, with state and federal agencies increasingly involved in cybersecurity incident investigations and enforcement. States like New York and California have implemented stringent notification requirements and expanded definitions of personal information triggering breach notifications. Organizations must stay informed about evolving regulations to ensure compliance and avoid penalties. Effective cybersecurity practices, including strong passwords, multi-factor authentication, regular employee training, and up-to-date software, are essential in meeting regulatory expectations and protecting sensitive data.
The evolving threat landscape demands that businesses stay proactive and prepared. Ransomware and business email compromises pose significant risks to business continuity and legal compliance. Organizations can better safeguard their assets and maintain stakeholder trust by understanding these threats and implementing comprehensive incident response strategies. Adopting robust backup solutions, adhering to regulatory requirements, and investing in prevention, detection, and response capabilities are essential. While cyber insurance offers financial protection, it should not be the sole defense. Staying informed and equipped enables businesses to navigate cybersecurity complexities and minimize the impact of attacks.