Repelling A Ransomware Attack: Jeffrey Wells of Clark Hill On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack

Authority Magazine, published Feb 7, 2022

Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?

In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Jeffrey R. Wells.

Jeffrey R. Wells is the Co-chair of the Cybersecurity, Data Protection & Privacy team, Clark Hill, and is a cybersecurity professional responsible for keeping organizations safe and protecting employees’ privacy worldwide.

With over 25 years of global experience leading cybersecurity engagement, Jeffrey engages clients by leveraging existing infrastructure and talent, establishing effective cyber resilience strategies, and responding to immediate incidents and emerging cyber threats.

Recently, Jeffrey led a Joint Inter-Agency Task Force countering transregional organized cyber-crime and violent extremism while addressing current and emerging risks impacting national security, commerce, and critical infrastructure. Jeffrey has consulted with cyber startups and venture, private equity, and angel investment organizations on cybersecurity-related strategies, including cyber-due diligence and the commercialization of cybersecurity technologies and ideas.

Appointed “Cyber Czar” by two Maryland governors, he was responsible for aligning commercial, federal, and military cybersecurity initiatives with NIST, NSA, U.S. Cyber Command, and other military and government entities. Jeffrey also served as vice-president of the Maryland Cybersecurity Roundtable and was a founding partner of the NIST National Cybersecurity Center of Excellence and the BENS Cyber & Tech Council.

Prior to joining Clark Hill, Jeffrey founded a White Hat cyber advisory firm, Innovation Intelligence. Jeffrey began his cyber career in the military intelligence community for the United States Department of Defense and intelligence agencies and is a member of the Military Cyber Professionals Association. Jeffrey has participated in numerous U.S. government-sponsored security advisory and trade missions and has attended the World Economic Forum in Davos, Switzerland, and the Forbes Global CEO Conference.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was a military brat. My father was in the Air Force, and I was fortunate enough to move, on average, about every nine months until I went to college. And I say fortunate because I got to travel quite extensively around the world and experience different people’s cultures and perspectives. I did make friends, and we ran into each other often. But my family sent me back to Boston every summer to feel like I had roots someplace until I was 13.

And then, I went to work for my uncle, an entrepreneur in the truest sense of the word; this helped me understand the value of problem-solving and customer service. I had to pay rent to sleep in the attic. I had to buy a bicycle from him every summer. And I learned, though, what it meant to be entrepreneurial, how to run a business, and a sense of discipline. The combination of all of that, of moving around so much, being in different environments, different workplaces, and away from my immediate family, gave me a unique perspective about resiliency. It helped me to understand that things are always going to be dynamic. Things are constantly changing, and there are core beliefs, values, and models that you can generate to thrive in new and uncertain environments.

Is there a particular story that inspired you to pursue a career in cybersecurity?

Yes. It comes down to place and timing. Indeed, I was fortunate enough to have a high school mentor who inspired me to use the new computer in the library. That led to my curiosity about coding and how technology works, which provided an understanding of the critical connections and led to a sense that there’s always more sitting in the background of computing technology. In the early days of the internet, we were looking at e-commerce and realizing there was a lot of risk about to happen here. And certainly, my experience in the military threw me into an environment we call cyber. I think I’ve always just been in the right place at the right time and certainly been around the right people, and that’s what led me to this career.

Okay. Can you share the most interesting story that happened to you since you began this fascinating career?

I’m fortunate enough to work with a retired Marine logistics officer. She and I had responded to a significant ransomware attack. In that environment, we were able to bridge our military careers. Many big-name companies that developed technology, built infrastructure, and responded to forensics were involved in the response. We brought these teams together to figure out how to resolve this particular ransomware incident and maintain business continuity. It was pretty incredible to see people digging back in and pulling out paper, a group of folks who were just about to retire sitting in a room with a young member of our team, who was formerly in the Army, trying to figure out exactly how to keep doing business so that we could create a temporary solution while the ransomware got resolved.

You’re a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

The character trait of being resilient, adapting, and looking for opportunities to thrive rather than sink, no matter what environment I may be thrown into.
An example of exhibiting resilience is showing up as a single representative from my organization in a meeting with a team of 30 Swedish telecommunications company employees building a data center in the United Kingdom. We barely spoke each other’s languages and had very different ideas about how it should be architected. I had to quickly decipher what had started to be assembled, as well as how to begin to build trust. I only had about three days to try to understand initially what the project goals were. It turned out that I ended up spending about a month there. I quickly looked at the infrastructure and tried to understand where there were security gaps. Thankfully, the outcome was positive, and we could save a fair amount of capital for the client.

The next character trait is curiosity. Especially in cyberspace, if you are not curious every day, you could be overwhelmed by the volume of information and quantity of threats. But I like to look at it as my curiosity helps me better understand the things that I don’t know, as well as the black swans and the gray rhinos that may be over the horizon in this space. Being very curious, I like to think, has served me well my entire life. I can tie it back to resilience. It’s the willingness to look, learn and grow rather than be caught fearful in a particular environment.

I hope many would agree with this third character trait, my listening ability. Asking questions, but more importantly, deep listening to understand what an organization or individual is trying to achieve via cyber resiliency. Understanding the culture is essential to creating better relationships horizontally across an organization.

Are you working on any exciting new projects now? How do you think that they will help people?

Yes, traditionally, there’s been a lot of reactivity in this space. And indeed, over the last several years, when it comes to ransomware or any cyber incident, we’ve been very focused on reacting to a steady stream of threats. Over the last couple of months, we’ve developed and implemented proactive client services: practicing sound methodologies, processes, and procedures that tie to policies to help organizations establish a living environment of resiliency and compliance, both from organizational and technical perspectives, and learn how to live with their legacy systems.

I am helping to build into a company’s culture a model where everyone understands their role in securing the organization, along with a methodology for approaching systematic and very focused achievable goals over the long term. This is especially important in compliance areas. We’re also implementing simple ways to hold third parties accountable by asking them questions about how they are securing themselves. We’re setting a standard level of compliance for their business partners and vendors down the road.

Being on the proactive side is a lot more engaging. We’re not in a crisis. There’s a lot more opportunity for me to ask, listen and customize programs for clients, which are helpful for them to use going forward. They become living programs rather than just some sort of policy that somebody gave them that lives on a hard drive, and no one ever sees.

For the benefit of our readers, can you briefly tell our readers why you’re an authority about the topic of ransomware?

Authority? I like to think I am a specialist. Before joining Clark Hill, I was in the offensive cyber arena. We’ve been working very closely on our integrated cyber and data-privacy business unit in the last four years. We’ve been very focused on incident response pieces. And I think that we’ve assisted with an increasing number of ransomware cases over that period. You’re never truly an expert. You’re always specializing, trying to understand what the new tactics and tradecraft procedures of the adversary are, but we’re working them every moment.

Okay. Let’s now shift the main focus of our interview. To ensure that we are all on the same page, let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?

There are two important types of ransomware attacks. There is a legacy version of a ransomware attack, where the threat actor gains access and encrypts the environment, then demands a ransom to provide the decryption tool necessary to decrypt the environment so that the end-user can get back up and running. That has been around the longest.

The second is ransom/extortion-ware. It has evolved in the last two years and continues to do so. This is where an attacker will go into an environment and copy data and files, exfiltrate them, and then encrypt the environment. Their goal is a ransom payout, after which they will provide you with the decryption tool in the legacy way. If you do not pay the ransom (and many organizations don’t pay ransoms, because there have been advances in technology and improvements in incident response models around backups), the attacker says, “We will release this data to the public either directly to your clients, or we’ll release it for sale on one of the darknets.” This is a true form of extortion, which makes many of the decisions around ransomware a lot more challenging, certainly if there’s no cyber defense plan in place. It’s important to understand and have a thoughtful discussion in advance of either type of incident so that you can have a plan in place to combat potential attacks.

Who has to be more concerned about ransom attacks? Is it primarily businesses, or is it private individuals?

Everybody who uses an electronic device is a target. Individuals probably have enough to lose, but they tend not to have large amounts of data. If your laptop becomes encrypted and you can’t decrypt it, there’s always the option of purchasing a new laptop or erasing it and starting over, and you lose all the data. If you think about that for a business, that’s where the real risk comes in, there’s a great risk to business operations and the flow of revenue. There may be regulatory fines or legal action, and there’s a great risk to one’s reputation. The threat/risk temperature ranges begin to increase depending on the size and the type of business. Even as a sole proprietor, it’s about what you have and how you protect it. That’s when ransomware becomes a challenge and a problem.

Who should be called first after one is aware that they are a victim of a ransomware attack? The local police, the FBI, a cybersecurity expert?

First, you’ll want to call a breach coach and your cyber-insurer. Having cyber insurance is a must for anybody doing business today. On the first call to your cyber-insurer they will say, “We recommend the following breach coaches.” Then the breach coach begins to assist in the execution of an incident response plan, answering questions like: Who are we going to contact next? How and what is going to be communicated? How is this process going to be run? The breach coach can be emotionally disconnected. Usually, they’ve done thousands of these and understand the process. There’s a complicated method to ransomware. Having the right advice and being able to make the right decisions on internal and external communication is incredibly important.

If you don’t have an insurer, it’s reaching out to the breach coach on your own. I recommend you do this today. This will help you establish a relationship in advance so that when needed, the paperwork is done. It will make a difficult situation a lot easier so that you can move quickly, rather than spending two to three days trying to figure out how the mechanics and paperwork are to be executed. Being prepared will allow you to operate and catch up with the nature and the pace of the threat.

If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further as well as protect their customers?

Step one is to disconnect from the network, and that means turning off the internet connection to the organization, and then disconnecting the devices from the company’s network. You don’t want to power things down because the encryption process may not be complete, and you may risk the ability to restore if you stop anything midway. What you don’t want is for any of the attack to spread across the network or to leave the enterprise, business, or your environment.

Next is contacting the breach coach so that you know exactly how to follow the incident response plan, and knowing if or when you’re supposed to be making notifications to people. It’s understanding that and engaging a crisis communications firm or advisor to help you craft the appropriate language internally for your staff and external communications with clients to preserve your reputation with them.

During a ransomware attack, you don’t always know what is being impacted. It takes time and forensics analysis to understand what the situation truly is. It’s incredibly important to revert to a methodical, and organized plan. You want as much transparency as possible but understand what that transparency means. You’ll want an experienced hand to help you.

Should a victim pay the ransom? Please explain what you mean with an example of a story.

It’s not a simple binary decision of whether we pay the ransom or not. There’s a lot to consider. Developing a strategy in an advance incident response plan is recommended. Being proactive should be a discussion that’s happening in every business. Whether you’re a sole proprietor or an enterprise, it should be a discussion that takes place, so that there’s a true understanding of the different types of ransom attacks: encryption versus ransom/extortion.

For instance, not too long ago, I worked with a company that had very wonderful, viable, organized, and clean backups, which meant that they could completely restore their entire environment and did not need a decryption tool to get back up and running. The problem they were faced with was that their backups were offsite, and their internet connection was fast, but not sizable enough to do the restoration in a high-speed process. It was going to take over two weeks for the backups to be up and running so they could begin to generate business revenue. They were faced with a difficult decision: pay the ransom and be back to normal within 48 hours, while taking the risk of whether the attacker would actually give them the decryption tool. I’d say nine times out of 10, the attackers are very sophisticated and work quite extensively to make sure the decryption tool works, because the attacker has a reputation to maintain.

It came down to a numbers decision for the company. Do they pay for the decryption tool so that they can be back up and running in a couple of days, or not pay the ransom and wait? Which would mean losing a couple of hundred thousand dollars in revenue while waiting weeks for the system backups to kick in.

So it’s a very important discussion that needs to take place, and not just at the level of the CIO, CSO, or the IT department. This needs to be a business-leader discussion, across the business, about the full potential impacts. Time equals money in this equation. What types of systems are in place, how resilient are they, and how much time is necessary to recover? I wish there was a clear answer, like, “Don’t pay it,” because we don’t want to encourage crime. This must be a thoughtful decision and an ongoing discussion that I recommend happens semi-annually.

What are the most common data security and cybersecurity mistakes you’ve seen companies make that make them vulnerable to a ransomware attack?

I’d say first is thinking that somebody else is doing the security for them. And the second is thinking, “Why would anybody want to attack us? We’re just a small or medium business.” On the internet, everyone is a target of opportunity. Organizations are not spending enough time on training so that everyone understands what ransomware is and what the common vectors or attack methodologies are that threat actors use. Often, it’s phishing through a link or an attachment. Everyone plays a vital role in securing the organization, and it’s not just the IT department’s job. Another issue is not maximizing the existing security controls and infrastructure that come with the legacy systems. Most of the legacy systems have their security features turned off by default or not fine-tuned to the organization’s requirements, and that creates vulnerabilities.

Next is having an effective, manageable, and living information security program. That’s not just a document, a policy that says we will do things, but it’s having the processes, procedures, and discipline which outline how an entire organization’s security is addressed. Specifically, one that covers patch management, email maintenance, training/awareness, and working safely when working from a remote location. That list can go on and on as you create an information security program. Having a truly defined, resilient, and living information security program, which is a continually updated Word document that sits on your devices, is key; it should also be kept in hard form. For larger organizations, making it available in seven binders located in different locations around your facility is helpful, because when you get hit by ransom, it’s nice to be able to pull out a binder and open it up and say, “Okay, here’s our information security program. This is our incident response plan page. Or this is what we’re going to do to restore and recover.” It’s just a lot easier to manage when you have it referenceable and practice it.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

From the government’s perspective, I would say it would be nice to see a unified, standardized, and simplified guidance plan on not just ransomware, but cybersecurity for all businesses. I think that anybody that operates online in the United States should be considered critical infrastructure. And certainly, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency does put out guidance on best practices quite frequently, especially in recent years. It does have a lot of information on its website. But I think that it’s very focused at the technical level and/or the technical aspects of the business. And if the government could escalate or lift it a level so that it speaks broadly to organizations, that could be very helpful.

And for tech leaders, I believe Bruce Schneier once said something akin to this: security companies are in the business of making money first, technology second, and security third. I would like to see tech leaders, whether that’s hardware or a service, delivering products where security is not an afterthought. There are more companies building security upfront using sort of a zero-trust model. It would be nice, especially if you look at the number of connected devices, which are all attack surfaces that do not have security or privacy features built into them. Security should be thought of from the beginning, rather than in a reactive way or as an afterthought.

This is the main thing. What are the five things you need to do to protect yourself or your business from a ransomware attack and why? And please give an example of a story for each.

Number one is consistent training and awareness of both security risks as well as ransomware risks. Some programs are out there that you can purchase, and free ones are available on YouTube. It’s about adopting a cadence within your organization. This is especially important when onboarding employees or when something changes in your environment. It’s constant and perpetual training that helps everyone understand what cyber risks are. What are the risks of ransomware? How are they currently being delivered, especially through phishing and attachment scams via email? Training is incredibly helpful. It can reduce a significant number of breaches because those working remotely are likely to click on a link, trust a document or an attachment’s credibility. By building awareness, there’s that little bit of second-guessing in everyone’s mind, to double-check and rethink. That’s going to reduce a significant amount of risk.

Number two is to make sure that you have multifactor authentication in place in your environment, or at a bare minimum, two-factor authentication, which is not just using a username and a password, but the addition of a code or a token that is used to prove who the user is, at that particular time and location. Who is trying to gain access to email or some part of your system? This is especially important in today’s environment of bringing your own home to work, as many are in hybrid situations. Making it a lot harder to get into the infrastructure can greatly reduce lateral movement through the system, which is often how ransomware spreads.

Third, in today’s remote world, it is super critical to ensure additional security measures are in place; this also will reduce the likelihood of a ransom attack. Wherever possible, confirm that your IT departments, administrators, and anyone who oversees the databases or has access to move around in the environment are not using the master administrator password to gain access into the system. Adopting a model of least-privileged access, looking at each individual, and creating a separate account for them to use for very specific aspects in the environment is most advantageous. The overall adoption of least privilege really can address this not just from the IT department point of view, but from everyone across the organization, so that they only have open entry to what they need access to. Whether that’s somebody working reception who has the least amount of access, all the way up to the leadership. Often, employees are given way too much access. Adopting a least-privileged orientation can significantly reduce security breaches.

The fourth is maximizing the investments that have already been made. Take a good, hard look at how the network, environment, systems, or services are implemented. What are the defaults, or what are the settings in place from a logging perspective? Do we have the firewalls turned on? Enact a good regimen of review. For some organizations, quarterly checks may be too much, but reviewing these protocols is time well spent when considering the angst a breach can bring. In bigger organizations, a quarterly review makes sure that the current security settings on firewalls and VPNs are all correct, and that everything has been updated and is running the current version. It’s important to identify any devices at the end of service or end of life and forecast budget dollars to replace them. Begin to plan a procedure to rotate out those things that cannot be protected and defended, because they’re not supported by the manufacturer.

Lastly is establishing a documented information security program that contains an incident response plan to address ransomware and extortion-ware. Review the information security program as you walk through a practice exercise or a round-table discussion for ransomware to see exactly how systems and employees have reacted. How did everyone, from a human perspective, respond to that particular ransom scenario, and then make improvements? Having, practicing, and improving a plan is incredibly important for information security as well as for ransomware attacks.

You’re a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would it be? You never know what could trigger a good idea.

I talk to clients about this, to help them understand that everything IT falls into cyber, but not everything cyber falls into IT. This impacts an entire organization and is everyone’s responsibility, and it’s incredibly important to make everyone in the organization understand and believe that they have a role in being part of the cybersecurity program. It starts with onboarding. It’s not just, “Hey, here’s a security video to watch.” It’s talking to them and saying, “An essential part of our culture here is for us to deliver our product or service to our clients by maintaining good cyber hygiene, practicing good cyber resilience. And that is your role, too.” Whether you’re working on the dock, your role is to make sure that, if that door looks suspicious, that door probably shouldn’t be opened. Or if you are scanning things and something doesn’t read right, if you are working from home and something doesn’t look right, or when setting up a secure home environment, it’s understanding, “Hey, let me look at those policies and practice them. Let me make sure that my connections are secure. When traveling, I’m not connecting to a hotel WiFi without following the proper procedures that my company has established.”

It’s helping everyone understand that cybersecurity is completely irrelevant until it happens to hit the human aspect. What happens in cyberspace, those are just ones and zeros moving around. Once a human interfaces, that’s when it becomes incredibly important. I think if we could help everyone understand their day-to-day safety, we’d be able to deter many security issues. It drives my wife crazy that she has trouble with her phone because I have it locked down and she can’t just connect to certain things. She’ll say, “Hey, this is interesting.” And I’ll say, “Yes, that’s a phishing email.” It extends to your personal life as well. As long as we have devices that we carry with us, we have a role to play in cyber defense, and that extends back both to our organization and to us at home.

What’s the best way for readers that see this article to follow your work online?

jwells@clarkhill.com and ASSET360.com

Thank you for these fantastic insights!
