Extorting Leaders, Threat Intelligence and Risk Management, with Jason Baker
What organizations need to know about threat actors, psychological tactics and what effective protections and responses will help

What company leadership should do when faced with ransomware extortion is not something every CEO, COO or board is taught or has learned. Even for those who have participated in executive education or been expertly briefed on the topic, being in the figurative fire of it is an entirely different experience.
Organizational leadership has to come to understand certain critical points before, during and after navigating extortion scenarios.
“First and foremost is visibility and understanding impact and you can’t have the latter without the former,” says Jason Baker, a senior threat intelligence consultant and ransomware negotiator at GuidePoint Security, a firm which helps decision makers make better cybersecurity decisions to mitigate risk.
“Ideally, all of the things I’m going to say next should be planned for and addressed in advance: you should know your network, know your data, know your network traffic, know your endpoints and know your backups,” he says. “But for the sake of simplicity, I’m going to word these as if we’re responding retroactively to an incident.”
Foundational knowledge must come first.
“For most, the initial incident response effort is going to center on establishing visibility and scoping the intrusion before actions can be taken to contain and remediate the activity,” Baker says. “As this portion concludes, you should begin to form a picture of how the adversary got in, what they impacted and what data they exfiltrated, if any.”
With that checkpoint reached, the process moves to the next phase: identifying the “what” and “how much” in order to gain clarity on what advantage, real or perceived, the perpetrator holds in the attack.
“From there, understand what kind of data and how much data may have been accessed or exfiltrated by the threat actor,” Baker advises.
“This is what they are most likely to use as coercive leverage and they will generally have targeted data that they assess to be sensitive or worth money to repress. Most often this means financial, human resources or medical files that are likely to be rich in Personally Identifiable Information (PII) or Protected Health Information (PHI).”
Determining Resilience Capacity
“Understand your ability to recover,” Baker says.
“This means validating and clearing your backups, which should be redundant and immutable. Other than data extortion, most ransomware groups will encrypt data for impact and use this as a second coercive lever.”
He offers a professional recommendation as a risk management and safety measure.
“If you’re able to roll back to backups with minimal impact to your organization, you’ve effectively taken away the power of this lever,” Baker says.
“That being said, threat actors know this and will actively target backup solutions specifically to take this option away from you. Don’t let them. Configure, test and validate your backups regularly and segregate them from your primary network.”
Threat Actors
“We may refer to an affiliate of the Akira ransomware group as a threat actor,” Baker says. “In this context, they will be following an often repeatable process to gain access to the victim network, move laterally, escalate privileges and ultimately deploy an Akira encryptor.
“In situations outside of cybercrime, the same general approach is applied to groups of actors performing state-sponsored, state-sanctioned or state-condoned operations,” he adds.
Their Psychological Tactics
Attackers operate in different ways, but some tactics recur more often than others.
“During ransomware negotiations, we most commonly see appeals to time and appeals to impact,” Baker says.
“What we mean by this is that, as you’d see from a used car salesman, there’s often a heavy emphasis on why payment is needed today, or right now. Threat actors likely know, as does the used car salesman, that the more time passes, the less likely they are to be paid and so they’re heavily invested in making sure that things don’t drag out.”
This aggressive push for a sense of urgency is not always met with immediate compliance with the demand.
“They have to balance this with the reality that even victims who want to pay don’t often have carte blanche approval to make such an approval, nor do they have six figures in Bitcoin sitting around on the corporate ledger,” Baker explains.
“So settlement takes time too.”
The Attacker’s Strategy
“In appeals to impact, we’ve typically seen threat actors emphasize that failure to pay will result in publication of the victim’s data, which will then ‘destroy their business’ or lead to fines and regulatory consequences,” Baker says.
“This is understandably a pain point they want to press on, but the threat actor is already outside of the environment and often misinterprets the breadth and severity of their impacts.”
Here’s Why
“Affiliates are typically not performing deep research into their victims, so we often see them make threats in this regard that don’t really make sense,” Baker says.
“For example, an affiliate may ransom a school. They will likely go to ZoomInfo or find something that assesses how much money is in that school’s budget, misconstrue it as ‘revenue’ and demand hundreds of thousands of dollars in ransom.”
The Threat Actor’s Weakness and Your Advantage
“You can try and explain to them that said school doesn’t have any revenue but they don’t really care or bother to differentiate,” Baker says.
“All of this is to say that these are canned threats. They’re not based on actual risk as it pertains to the victim, even if the threat actor would like to pretend otherwise.”
Warning and Guidance 1
“I would emphasize testing the processes that organizations believe to be in place,” Baker says. “This can be done via blue team, red team, purple team, tabletop exercises or a combination thereof.
“In the cases that we’ve seen go from bad to worse, it’s because victims thought they had a plan but didn’t, or had a plan that didn’t match reality.”
He illustrates:
“This plays out in a couple of ways: First and foremost is responsibility and delegation of command. A lot of decisions have to be made, often pretty quickly, in the middle of an incident,” Baker explains.
“If, in the heat of the moment, nobody knows who has authorization to determine what, then time is wasted on trying to run that down. Even down to who is able to declare an incident: if you don’t know this, resources are delayed.”
This is highly problematic.
“We’ve seen, in real life and in tabletops,” Baker says, “where organizations were sure this was black and white. It wasn’t and chaos ensued.”
Warning and Guidance 2
“Technologies and processes: The worst offender here is backups,” Baker asserts.
“Whether misconfigured, improperly segmented or just plain not set up, you do not want to find out that these don’t work the way you think they do in the middle of an incident.”
Systems change over time, and that reality carries a specific responsibility.
“These systems and their architecture can and do change with some regularity and your incident response plan and other documentation need to reflect current information,” Baker says.
“Periodically validate and check the configuration and working order of your backups and other key controls,” he says. “Immutable backups, which cannot be modified or destroyed, are a crucial part of avoiding the worst-case scenario in an encryption event.”
Important Perspective and Encouragement
Baker knows how this may sound to readers and leaders: a list of failures. But he wants to make another, more encouraging point clear.
“The same areas where we’ve seen the greatest hurt are also the areas where we see the greatest victories,” he offers.
“The incidents where the victim has been in the best positive position to respond and recover are incidents where they nailed all of these basics,” Baker says.
“They had a plan, they tested the plan in advance, they executed on the plan and they had the resources they needed to recover.”
Michael Toebe is a reputation and communications specialist at Reputation Intelligence and writes the Reputation Intelligence newsletter here on Substack and on LinkedIn. He helps individuals and organizations proactively and responsively with matters of trust, stakeholder relationships and reputation.
He has been a reporter for newspapers and radio, hosted a radio talk show, written for online business magazines, been a media source, helped people work through disputes, conflicts and crises and assisted clients with communications to further build, protect, restore and reconstruct reputation. LinkedIn profile.