Repelling A Ransomware Attack: Ken Mendelson of Guidepost Solutions On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack

Published in Authority Magazine · Feb 7, 2022 · 19 min read

Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?
In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Ken Mendelson.

Ken Mendelson, senior managing director at Guidepost Solutions, is an experienced consulting executive with more than 30 years of experience at the intersection of law, information technology and public policy. He excels at leading teams of technical professionals that produce high-quality results for clients facing legal, regulatory and media scrutiny.

As a member of Guidepost Solutions’ National Security Practice, Mr. Mendelson conducts monitorships and third-party compliance audits in connection with mitigation agreements enforced by the Committee on Foreign Investment in the United States (CFIUS) and Team Telecom. In addition, he assists established and emerging companies with implementing and maintaining cybersecurity and privacy programs by developing cybersecurity policies, procedures and guidelines, conducting risk-based cybersecurity assessments and undertaking investigations.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was born in New York City and raised in the Long Island suburbs. My father was a lawyer/CPA — turned media executive who was an avid fisherman. My mother was a former Broadway/TV dancer who retired when she became a mother to my sister and me. I certainly got my focus and love for the sea from my father.

My upbringing was a little unusual in that I developed a love for all things aquatic at a very young age. I learned to drive a boat before I learned to ride a bike. Boating, fishing, sailing, and later scuba diving became my passions, but they left little room for more typical things like sports. To this day, I’m happiest doing just about anything on the water with family and/or friends. Several years ago, I inherited the boat I went to purchase with my father when I was eleven. I spend a lot of my free time just keeping it afloat — but I wouldn’t trade it for anything.

Other than that, my background is atypically typical. My parents never got divorced, we always had a good relationship. I still talk to my sister. Many of my friends weren’t so lucky, so I consider myself to be blessed in that regard.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

After practicing law for a few years in Washington DC, I thought I would try something new. A friend of mine worked on Capitol Hill and absolutely loved his job, so I thought I would try that. In 1993, I was fortunate enough to land a position as counsel to the U.S. House of Representatives Judiciary Committee. The Clinton Administration had just announced something called the “Clipper Chip” and I was told that was going to be my “issue” to handle for the committee. When I asked what the Clipper Chip was, I was told that it was an encryption device. When I asked what an encryption device was, I was told to learn about it.

That assignment truly changed my life and set me on a new career. In order to understand the policy issues related to the technology, and the competing interests of law enforcement, national security, private industry, and individual privacy and security, I had to learn about the technology itself. It was a fascinating experience. It was kind of “heady” as well. With one phone call, I would have an entire delegation from the National Security Agency (including the General Counsel) show up in my office. The issues were that important. The Clipper Chip, a government-run, encryption key escrow scheme, failed miserably under its own weight, but I suppose I owe my career to its existence. At that time, many of the things we now take for granted (e.g., widespread use of mobile phones, email, e-commerce, etc.) were only predictions. We knew then that cybersecurity was going to play a big role in its development, but everyone was scrambling to figure out just how it would go. It’s been quite a ride.

Can you share the most interesting story that happened to you since you began this fascinating career?

Before the mid-1990’s, encryption technology was considered a munition by the US government, like a missile or a firearm. Exporting it to another country required an export license from the Department of State, which was hard to come by. US manufacturers were at a huge disadvantage because foreign competitors didn’t have the same restrictions and there was a groundswell of support to have encryption technology moved from the State Department munitions list to the “dual-use” Commerce Control list maintained by the US Department of Commerce. This shift would allow the US technology industry to be more competitive. At the time, I was working as corporate counsel for a now-defunct company that had developed an alternative to the ill-fated Clipper Chip, so I was very involved in the issue.

When it became clear that the Commerce Department would eventually have to develop its own regulations about encryption exportability, the lawyers at what was then called the Bureau of Export Administration, or BXA (now known as the Bureau of Industry and Security) reached out to the CEO of my company and asked if someone would teach them about encryption technology so that they would be in a better position to write a useful set of rules to permit it to be exported under their watch. My CEO asked me to prepare and conduct the training. A week later, the entire BXA legal staff came to our offices so they could learn about this new “encryption thing” — from me. It was not lost on me how significant an assignment that was. These rules would affect millions of people and entire industries. It was great to play a small part in something that got to be so big.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

See the big picture: From my time on the Hill, I learned that there usually are not two sides to an issue — there are many sides. The best solutions to complex problems consider not just the “what” but the “why.” When a client asks for help developing a cybersecurity program, it’s very important to understand why they are asking. Is it a regulatory requirement? A directive from the Board of Directors? Have they just suffered an intrusion or ransomware attack? Often, it’s a combination of factors. Understanding the various drivers helps to craft the most appropriate solution.

Look for the win/win, not the win/lose: Perhaps the reason I didn’t like practicing law is that I was never comfortable with the competition inherent in litigation — one side wins, the other loses. I don’t believe that life must always be a zero-sum game, and I prefer it when parties can come together in a way that benefits everyone. When working with a client on a cybersecurity project, I’ve always felt it is shortsighted to focus exclusively on short-term projects at the expense of considering the long-term relationship. Delivering value to the client means the money they spent was “worth it” to them. Clients that believe you’ve delivered value will be your clients for a long time. That is the real win-win.

Mentor/Empower others: Your team is your greatest asset. The best solutions come from the collective brainpower of a group of people that look at the same problem from different perspectives. The best way to improve your workforce is to have the more experienced members of the team mentor and work with the less experienced ones to share their knowledge and expertise. I never quite realized I did this, or what impact it had on people until I left a job I had held for over 17 years. When I left, the office threw me a party and presented me with a jar filled with notes from members of my team I had worked with over the years. The notes described anecdotes about projects we worked on together or moments we spent together that they wanted to share. Most importantly, many of the notes described how I inspired them, or otherwise helped them to be better at what they did. Of all my successes, the contents of that jar represent the one thing about which I am most proud.

Are you working on any exciting new projects now? How do you think that will help people?

I’m part of the National Security Practice at Guidepost Solutions. One of the things we do is help companies comply with mitigation agreements they enter with the Committee on Foreign Investment in the United States (CFIUS). When a foreign company or entity buys or invests in a US company, a national security concern could be raised as the result of the acquisition. In those cases, the companies file a notice with CFIUS. If CFIUS has concerns, they will either recommend the President of the United States block the transaction or enter into a mitigation agreement with the company that is designed to address the national security concern. Increasingly, those national security concerns stem from access to technical information or large data sets involving US citizens’ personal information. Addressing these issues involves cyber security controls.

I’ve been working on projects where we serve as either the third-party compliance monitor or auditor of a company’s compliance with its agreement with CFIUS. It’s extremely interesting work, as each company is different, as is the nature of the national security concern the government raises. When we do our job, the companies continue to operate, and the US national security interests are protected. Everybody wins. Nobody loses. It’s very gratifying work.

I’m also working with a very exciting, fast-growing cryptocurrency firm. We’ve been retained to assist them develop, improve, and grow their cybersecurity capability in multiple ways. We’ve conducted risk assessments, policy and procedure development, third-party vendor due diligence, business continuity/disaster recovery planning, and overall governance, risk, and compliance services. Their objective is to provide cryptocurrency services in the most secure and defensible way, in full compliance with existing and proposed regulations. Cryptocurrency has enormous potential but is often maligned for its risk and the fact that it is largely unregulated. Over time, companies like my client hope to change that by deploying and maintaining processes that earn the trust of businesses and regulators alike. Helping to create a new industry by improving its overall security is extremely exciting.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?

When you’ve spent almost 30 years thinking about encryption in some way, you can’t help but pick up a few details about how it can be used for both good and evil. Ransomware is certainly one of the evilest uses of technology. I’ve spent a number of years working with companies to help them protect themselves and their networked assets from the harm that can come from cybercriminals of all types. Ransomware is just the latest (and possibly most egregious) peril they must defend against.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?

There are many different types of ransomware attacks, authored by talented (but truly evil) developers around the world. Most ransomware variants do the same type of thing in different ways; that is, encrypt a victim’s files and not provide the means to decrypt those files until a ransom is paid. Rather than describe the different code variants, it may be helpful to describe how ransomware attacks have evolved over the last few years. One of the more disturbing trends is for the attackers to extract even more money from their victims, and it’s not limited to higher ransom demands. Rather, it’s engaging the same victim multiple times. This is how it works…

Now referred to by some as “the good old days” the “Single Extortion” is where ransomware encrypts your critical data, and you pay the ransom to obtain the key to decrypt your files.

Once the bad guys saw that companies will actually pay the ransom, they upped their game and began stealing copies of sensitive data in addition to encrypting it on the organization’s systems. This gave rise to what is known as the “Double Extortion.” In this scenario, once the victim pays the ransom to decrypt their data, the extortionist sends the victim a sample of the data they’ve stolen and demands a second ransom in exchange for not releasing the sensitive data in a public forum.

More recently, a “Triple Extortion” scheme has been deployed. In this scenario, after extorting money from the company that they stole the data from, they go to the company the stolen data is ABOUT — in other words, the victim company’s customers — and try to extort money from them as well.

Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?

First and foremost, ransomware attackers are thieves. They want money. They will take their time to perform surveillance on an intended victim to ascertain whether they have the money (or insurance coverage) to pay their ransom demands. However, ransomware extortionists don’t focus exclusively on large, wealthy companies. Small and mid-size companies tend to be victimized the most. In many cases, they are targeted because they believe themselves to be too small or insignificant to be targeted at all. As a result, they don’t have as robust an information security program as they should — this is what leads them to become victims.

I am not aware of specific individuals that have been targeted, but it is likely that such victims would not necessarily feel comfortable reporting such things.

Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?

Time is of the essence in a ransomware attack. It is essential to understand what is going on to know what to do about it. All organizations should have contact information for a firm that specializes in Digital Forensics and Incident Response (DFIR). These are the experts that can ascertain what is happening in your network, minimize the damage, and allow for recovery. They are familiar with how best to work with law enforcement and when. Another call worth making is to a competent cybersecurity attorney that can guide you through the process of working with law enforcement and addressing the myriad of regulatory issues raised by being a victim of such an attack. In fact, being the victim of such an attack can expose an organization to several forms of liability if not handled correctly. Having qualified counsel to help navigate these complex issues can be extremely helpful.

If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?

Being prepared is the best way to ensure the company can recover as quickly as possible. Ideally, the company will execute its pre-written, practiced ransomware “Playbook” that guides the organization through the complex recovery process. The contents of such Playbook reflect what a company needs to do when faced with such an attack. It should include, but not be limited to:

A description of the recovery processes to use, specific to the company’s IT infrastructure, to address such an attack.

A list of authorized (and tested) backup and restoration tools.

A list of regulators that must be notified and the timeframe for such notice.

A current set of functional and security dependency maps to establish the order of restoration priority. They should include control, business function, and user systems, with specific attention to systems that store data backups.

A phone tree or list of the ransomware recovery team personnel, external digital forensics/Incident Response specialists, internal system administrators, desktop support, backup administrators, managers, general counsel, and public relations personnel as required.

A list of the essential people, facilities, technical components, and external services that are required to achieve the organization’s mission(s).

A comprehensive recovery communications plan for both internal and external parties, along with internal communications among the recovery team members and wider management to control and coordinate activities and status updates. External communication should be from a single, authoritative, and informed source. Specific messaging is required when communicating with the management team, the board of directors, the general counsel, corporate communications, employees, the IT team, law enforcement, vendors, and customers.

Trying to figure out how to do all these things while in the middle of a ransomware attack won’t be very helpful, so being prepared is key.

Should a victim pay the ransom? Please explain what you mean with an example or story.

Nobody WANTS to pay the ransom. In principle, paying hurts everyone, since ransom payments fuel the vicious cycle of ransomware…cybercriminals use the proceeds to fund even more frequent and sophisticated ransomware attacks. We ALL know it’s wrong to pay these guys. However, principled decisions and business decisions do not always align — particularly in the areas of healthcare or critical infrastructure — where people’s lives can be at stake. In 2019, the FBI updated its ransomware guidance to say that they understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.

But paying the ransom is not without risk….

Depending on what industry you’re in, there may be a regulatory impact from paying the ransom. For example, the banking and insurance companies regulated by the New York Department of Financial Services (NYDFS) are required to maintain adequate cybersecurity controls. NYDFS warns against ransomware victims using insurance to pay a ransom “as a substitute for improving cybersecurity and pass the cost of cyber incidents on to the insurer.”

Perhaps a more tangible risk comes from the Treasury Department’s Office of Foreign Assets Control (OFAC), which administers the economic sanctions against foreign entities determined to be a national security risk to the United States. OFAC has determined that ransomware payments with a sanctions nexus threaten US National Security interests. As a result, making a ransom payment to someone on OFAC’s Specially Designated Nationals and Blocked Persons List (otherwise known as the SDN List), or payments made to individuals located in an embargoed nation, can result in penalties based on strict liability. So, let’s say you’ve determined that you must pay the ransom to get your company back up and running, but you’ve determined that the payment will be made to someone on the SDN List. If you try to apply for a license to make the payment despite the recipient being on the SDN List, that license request is presumptively denied.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

The most common mistake is simply the belief that the organization is too small or “under the radar” to be the target of a ransomware attack, and thus not taking even the most basic steps to minimize the risk. While the largest ransomware attacks get the most press, most victims are small and mid-size companies. Just as there are different types of ransomware variants, there are different types of ransomware attackers. Some will spend months doing surveillance on a large, well-protected company to find a weakness and demand a large ransom when it is exploited. Others will simply look for weaknesses among a larger number of less well-protected companies and demand smaller ransom amounts but make it up in volume. There’s a cyber-thief for everyone! All organizations should train their people to recognize how they can help reduce the risk, have an information security program with a set of controls based on a risk assessment, and perform basic cyber hygiene to maintain their systems. Failing to do any of these things increases an organization’s vulnerability to ransomware.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

The government only recently began seriously addressing this problem, but it’s beginning to have an effect. In May of 2021, the president signed an Executive Order on Improving the Nation’s Cybersecurity and announced that it is taking a “whole of government” approach to ransomware, including overt and covert disruption of ransomware infrastructure and actors, sanctions to disrupt cryptocurrency payment or exchange, working with the private sector to improve defenses, and building international coalitions to hold countries that harbor ransomware actors accountable. The Treasury Department has already stepped up its sanctioning of cryptocurrency exchanges used to launder extorted cryptocurrency.

In addition, the Department of Justice (DOJ) declared that ransomware attacks on critical infrastructure should be treated as a national security issue akin to terrorism. The DOJ now has the legal basis to get help from the Department of Defense (DOD) and Intelligence Agencies, and as such elevates ransomware investigations to a similar priority. In December, the New York Times reported that Cyber Command, the US military’s hacking unit, which is part of the National Security Agency, publicly confirmed that it has taken offensive action to disrupt cybercriminal groups that have launched ransomware attacks on US companies.

This is a really big deal. The DOJ’s mission is to prosecute criminals. The DOD and the intelligence community have enormous resources and capabilities but cannot operate without legal authority. Now they have it. To the extent that most of these criminals will never be extradited to the US for prosecution, a different objective — namely making this stop — could have a greater impact on the national security of the United States than the Justice Department could have on its own. Much of what will happen may never be disclosed to the public, but hopefully, the results will speak for themselves.

As much as I’d like to see our government take down all of the ransomware extortionists, there will always be more of them. This problem is not going away any time soon. Accordingly, tech leaders should focus their attention on building and deploying technologies that are more resistant to all forms of cyberattacks, including ransomware.

Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)

We’ve talked about the horror story that is ransomware. But I would be remiss if I didn’t mention a few general and specific things that organizations can do to reduce the risk. On a “general” level, there are a couple of truisms worth mentioning. The first is that there are no silver bullets here. It’s a process that takes time. The second of course is that you need to think in terms of managing risk, not eliminating it. To that end, utilizing a standard risk management process is essential. Companies need to get granular when it comes to how they will choose to address each element of the risks they face. Finally, reasoned decision-making, supported by evidence, will help guide decisions about whether to accept, mitigate, transfer, or avoid a given risk. And it all starts with executive management and the board knowing what you need to protect, and from whom. But since you asked for a list of five things, this is what I believe is most important:

  1. Preparation — Don’t wait to be attacked before acting. Develop a cohesive, tested plan (i.e., the Playbook I mentioned earlier) so that people already know what they should do when the attack occurs. We know it’s coming. Forewarned is forearmed. Don’t try to figure it out when it’s happening, and everyone’s hair is on fire. The key to resilience is the ability to move quickly. Nothing will accelerate recovery more than being prepared.
  2. Training — The most common attack vector for ransomware is a phishing email that contains an attachment that deploys the malware code. The best money a company can spend on ransomware prevention is on training. Train everyone with access to your network on the basics of what to do, and what not to do; how to spot a phishing email, and how to handle it. Also, train the IT staff on how to respond and what they should do at the first sign of a ransomware attack.
  3. Patching — Another common attack vector for ransomware is for the attacker to exploit unpatched application/software vulnerabilities. To that end, keeping all systems up to date with the latest manufacturer-supplied patches is essential. It is often a race against time, as the bad guys sometimes learn of the exploits from the media, the same way we do. Staying up to date with the latest patches significantly reduces your risk.
  4. Offline Backups — Ransomware extortionists can demand payment only because they have executed a successful availability attack against your critical data. If you have a copy of that data that has not been encrypted, the attack has inconvenienced you, but it was not successful because you don’t have to pay the attacker. You can restore from your backups. It is, of course, essential that the backups be tested and kept offline (as the attackers will encrypt online backups as well). A robust, tested system of offline backups is the most effective way to avoid paying a ransom.
  5. Communications with a 24/7 team of first responders — The key to recovering from a ransomware attack is speed. The faster you can have your response team act on the problem, the less harm will come to your organization because of the attack. Being able to immediately contact your first responders and setting them to their tasks as soon as possible after the attack is identified will be essential. Maintaining active, up-to-date contact lists for the entire internal team as well as external digital forensics/incident response (DFIR) experts, cybersecurity counsel, public relations, and law enforcement points of contact will accelerate recovery time and thereby reduce harm.
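Point 4 above says offline backups only count if they are tested. One concrete way to test them, added here as an example and not part of the interview or of Guidepost Solutions’ own tooling, is to record a SHA-256 manifest when the backup set is taken and, at each test, compare the set against that manifest and flag any file whose contents have become high-entropy (a cheap signal that it has been overwritten with ciphertext). The backup directory, file names, contents and the ransom-note name below are all constructed for the demonstration; the 7.5 bits/byte entropy threshold is an assumption, not a figure from the page.

```python
"""
Verify an offline backup set against a manifest recorded when it was taken,
and flag files that now look encrypted.

Added example; not from the interview. All paths and file contents are made up.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(backup_root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under backup_root.
    Store the result somewhere the backup itself cannot reach (write-once media,
    a separate account); a manifest kept next to the data can be rewritten too."""
    manifest = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(backup_root).as_posix()] = sha256_file(p)
    return manifest


def verify_backup(backup_root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the backup set with its manifest.
    Returns files that are missing, modified, unexpected (e.g. a dropped ransom
    note), or suspicious (large and near-random, i.e. likely ciphertext).
    Threshold 7.5 bits/byte is an assumed cut-off, not a universal constant."""
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    suspicious = []
    for rel in current:
        data = (backup_root / rel).read_bytes()
        # Skip tiny files: entropy estimates on a few bytes are meaningless.
        if len(data) >= 256 and byte_entropy(data) >= entropy_threshold:
            suspicious.append(rel)
    ok = not (missing or unexpected or modified or suspicious)
    return {"ok": ok, "missing": missing, "modified": modified,
            "unexpected": unexpected, "suspicious": sorted(suspicious)}


def simulate_attack_and_verify() -> dict:
    """Constructed scenario: take a backup, verify it clean, then tamper with it
    the way a ransomware run would (overwrite, drop a note, delete) and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup-2022-02-07"          # hypothetical backup set
        (root / "finance").mkdir(parents=True)
        (root / "hr").mkdir()
        (root / "finance" / "ledger.csv").write_text("date,amount\n" + "2022-01-31,100.00\n" * 40)
        (root / "hr" / "roster.txt").write_text("alice\nbob\ncarol\n" * 20)

        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Deterministic stand-in for ciphertext: 4096 pseudo-random bytes.
        fake_ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
        (root / "finance" / "ledger.csv").write_bytes(fake_ciphertext)
        (root / "README_TO_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover them.\n")
        (root / "hr" / "roster.txt").unlink()

        tampered = verify_backup(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, result in simulate_attack_and_verify().items():
        print(label, result)
```

The hash comparison catches any change; the entropy check is only a hint for triage (compressed archives and already-encrypted backups are legitimately high-entropy, so tune or scope the threshold per file type). A backup test that never actually restores a file onto a clean host is still incomplete; this script verifies integrity, not restorability.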

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

I am dismayed by the highly partisan political division in this country being fueled by the extreme views on both sides of the political spectrum. This country was built upon the proposition that a plurality of ideas benefits us all, and not upon the idea that one side is always right, and the other side is always wrong. I’m old enough to remember when members of Congress from different parties were actually friends and referred to each other as the “loyal opposition.” People didn’t necessarily agree with one another, but neither did they question whether their opponents were patriotic or loved their country. During those times, the objective was to find common ground where it could be found and to compromise in order to achieve a goal that was at least acceptable to both sides. Today, the concept of “compromise” is viewed as a weakness rather than a goal. This is not realistic or useful. Neither side will “go away” or “be converted” so it’s incumbent upon all of us to acknowledge that we still need to find common ground, and to do so does not mean that you’re weak — it means that you’re doing the job. If I could start a movement, it would be to “find the middle — where all of us get something, and none of us get everything.”

How can our readers further follow your work online?

www.guidepostsolutions.com

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

You’re welcome! Thanks for having me.
