Zahra-Rose Moussa · Case Studies · 2 min read
Adopting the assume breach mindset
Matt O'Kane reflects on the importance of adopting the assume breach mindset after ransomware targeted a business, exposing more than 200 terabytes of data.
In episode three of Cyber Horror Stories, Matt O’Kane reflects on the importance of adopting the ‘assume breach’ mindset after ransomware targeted a business.
The malware exposed more than 200 terabytes of data, but thanks to a strong culture of cyber resilience and an ‘assume breach’ approach, the incident was contained within three hours.
The breach began when an employee installed software that they believed was a legitimate open-source tool, but it turned out to be malware.
“Virus scanners are only 50 per cent effective, so you want to be very selective on what software you run,” said O’Kane.
Once inside the network, the attackers discovered they had access to roughly 200 terabytes of sensitive data, and a ransom note soon followed. The attackers demanded payment, pricing the ransom based on the country’s expected cyber insurance coverage.
“They unfortunately run like a very well-organised business,” said O’Kane.
The company’s IT team quickly detected abnormal network activity and shut down the compromised endpoints.
“They detected the intruders and within three hours they booted them out,” O’Kane said. “Very impressive. Like gold-standard ability.”
The incident revealed a key gap: there was no backup of the affected data. But the business did not pay the ransom. Instead, the team built custom tools to recover the files, which the malware had renamed rather than encrypted.
“We wrote software that went through,” explained O’Kane. The development took about a week, but running the software across the full dataset took a month.
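The article does not describe how the files were renamed or how the recovery software worked. What follows is an added example, not the company's tooling, built on an assumed scheme: the malware appended a fixed suffix (the hypothetical `.locked`) to every file and left the contents untouched. Recovery restores the original name from the extension that survived under the suffix or, when that is gone, from the file's leading bytes (magic numbers). Only a short header is read per file, which is the design choice that keeps a pass over a dataset of this size bounded by file count rather than by bytes, and anything it cannot identify is left alone for manual triage instead of guessed.

```python
"""Restore files that ransomware renamed but did not encrypt.

Added example. Assumes (not stated in the article) that the attacker appended
a fixed suffix to every file and left the contents intact, so the original
type is recoverable from the surviving extension or from magic bytes.
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Optional

RANSOM_EXT = ".locked"  # hypothetical attacker suffix; adjust to the real one

# Leading-byte signatures -> original extension. Only the header is read,
# so the cost of a pass is per file, not per byte on disk.
SIGNATURES = [
    (b"%PDF-", ".pdf"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"PK\x03\x04", ".zip"),  # also the docx/xlsx/pptx container format
    (b"\x7fELF", ".elf"),
    (b"GIF8", ".gif"),
]


def sniff_extension(path: Path, max_header: int = 16) -> Optional[str]:
    """Return an extension inferred from the file's magic bytes, or None."""
    with path.open("rb") as fh:
        header = fh.read(max_header)
    for magic, ext in SIGNATURES:
        if header.startswith(magic):
            return ext
    return None


def recover_name(path: Path) -> Optional[Path]:
    """Return the restored path for a renamed file, or None if not applicable."""
    if path.suffix != RANSOM_EXT:
        return None  # untouched file: leave it alone
    stripped = path.with_suffix("")  # drop the attacker's suffix
    # report.pdf.locked -> report.pdf: the original extension survived.
    if stripped.suffix:
        return stripped
    # report.locked -> sniff the content; unknown types go to manual triage.
    ext = sniff_extension(path)
    if ext is None:
        return None
    return stripped.with_suffix(ext)


def recover_tree(root: Path, dry_run: bool = True) -> tuple[list[tuple[Path, Path]], list[Path]]:
    """Walk root, plan every rename, and apply the plan unless dry_run.

    Returns (renamed, skipped). Write the plan out as a rollback log before
    running with dry_run=False; a surviving original is never overwritten.
    """
    renamed, skipped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            src = Path(dirpath) / name
            dst = recover_name(src)
            if dst is None:
                if src.suffix == RANSOM_EXT:
                    skipped.append(src)  # renamed but unidentifiable
                continue
            if dst.exists():
                skipped.append(src)  # target already present: do not clobber
                continue
            renamed.append((src, dst))
            if not dry_run:
                src.rename(dst)
    return renamed, skipped


def demo() -> tuple[dict[str, str], list[str]]:
    """Run the recovery over a constructed sample tree and return the outcome."""
    root = Path(tempfile.mkdtemp(prefix="recover-"))
    samples = {  # constructed sample files, not data from the incident
        "report.pdf.locked": b"%PDF-1.7\n%constructed",        # extension survived
        "photo.locked": b"\xff\xd8\xff\xe0" + b"\x00" * 12,    # extension lost; JPEG magic
        "notes.locked": b"plain text with no signature",       # unknown: left for triage
        "budget.xlsx": b"PK\x03\x04 untouched by the malware",  # not renamed: ignored
    }
    for name, content in samples.items():
        (root / name).write_bytes(content)
    renamed, skipped = recover_tree(root, dry_run=False)
    outcome = ({src.name: dst.name for src, dst in renamed},
               sorted(p.name for p in skipped))
    shutil.rmtree(root)
    return outcome


if __name__ == "__main__":
    print(demo())
```

Run it first with the default `dry_run=True` and keep the returned plan as the rollback log; a second run with `dry_run=False` is then a mechanical replay of a reviewed list. Files whose type cannot be identified, and any whose restored name already exists, are reported rather than renamed, which is the behaviour you want when a mistake at this scale would take another month to undo.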
In this incident, the malware was introduced unintentionally, but instead of focusing on blame, the company supported the individual involved.
