Adopting the assume breach mindset
In episode three of Cyber Horror Stories, Matt O’Kane reflects on the importance of adopting the ‘assume breach’ mindset after ransomware targeted a business.
The attackers gained access to more than 200 terabytes of data, but thanks to a strong culture of cyber resilience and an ‘assume breach’ approach, the incident was contained within three hours.
In this case, O’Kane discusses how detection speed and internal response can shape the outcome of a cyber-attack.
The breach began when an employee installed software that they believed was legitimate open-source code.
“There was an employee who downloaded some software that they thought was good open-source software, but it turned out to be malware under analysis,” said O’Kane.
“Virus scanners are only 50 per cent effective, so you want it to be very selective on what software you run.”
Once inside the network, the attackers discovered they had access to roughly 200 terabytes of sensitive data, and a ransom note soon followed.
The attackers demanded payment, pricing the ransom based on the country’s expected cyber insurance coverage, not unlike how businesses might segment markets.
“They unfortunately run like a very well-organised business,” said O’Kane.
Containment
The company’s IT team quickly detected abnormal network activity and shut down the compromised endpoints.
“They detected the intruders and within three hours they booted them out,” O’Kane said.
“Very impressive, right? Like gold-standard ability.”
“Detecting so quickly — that assumes breach leads to a very clear process,” he added.
“They said that behaviour is undesirable, and they locked the misbehaving workstations until it could be investigated.”
“That’s when I got called in.”
According to O’Kane, the initial crime scene was already under control by the time he arrived.
“It’s like, you’re coming into a crime scene, and it’s all cornered off and everything is under control.”
No backup
The incident revealed a key gap in the organisation’s plan: there was no backup of the affected data.
But the business did not pay the ransom.
Instead, the team set out to recover the files with custom-built tools. The ransomware had renamed the files rather than encrypting them, so the original contents were still on disk.
“We wrote software that went through,” explained O’Kane.
The development took about a week, but running the software across the full dataset took a month.
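The article does not describe how the recovery software worked, so the following is an added example rather than the tooling used in the incident. It assumes (the assumption is not in the article) that the malware replaced each file name with an opaque stem plus a ‘.locked’ suffix and left the bytes intact. The script sniffs each file’s real type from its leading magic bytes, restores a sensible extension, and uses a byte-entropy check to flag any file whose contents are actually ciphertext so it is not mistaken for a renamed-only one. The sample files are constructed inline.

```python
"""Triage and restore files a ransomware run renamed but did not encrypt.

Added example, not the software from the incident. Assumptions (not in the
article): names were scrambled to '<stem>.locked', contents were left intact,
and a few files in the set were genuinely encrypted.
"""
import math
import random
from collections import Counter
from pathlib import Path
from typing import Dict, Optional, Tuple

# Leading-byte signatures -> extension to restore. Illustrative list; extend it
# with the formats your own estate actually holds.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also docx/xlsx/pptx/jar containers
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x7fELF", "elf"),
    (b"MZ", "exe"),
]

HEAD = 65536             # bytes examined per file; enough for signature + entropy
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext and compressed data sit near 8.0


def sniff_type(data: bytes) -> Optional[str]:
    """Return the extension matching the file's leading bytes, or None."""
    for sig, ext in MAGIC:
        if data.startswith(sig):
            return ext
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; uniform random bytes approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> Tuple[str, Optional[str]]:
    """('renamed', ext) if a known header is present; otherwise use entropy to
    separate likely ciphertext ('encrypted') from unknown-but-structured data."""
    ext = sniff_type(data)
    if ext is not None:
        return "renamed", ext
    if shannon_entropy(data[:HEAD]) >= ENTROPY_THRESHOLD:
        return "encrypted", None
    return "unknown", None


def plan_recovery(files: Dict[str, bytes], suffix: str = ".locked") -> Dict[str, str]:
    """Map scrambled name -> restored name for every file whose payload is intact.
    Encrypted and unrecognised files are left out for manual review."""
    plan = {}
    for name, data in files.items():
        verdict, ext = classify(data)
        if verdict != "renamed":
            continue
        stem = name[:-len(suffix)] if name.endswith(suffix) else name
        plan[name] = f"{stem}.{ext}"
    return plan


def recover_directory(root: Path, suffix: str = ".locked") -> Dict[str, str]:
    """Apply plan_recovery on disk. Never overwrites an existing target."""
    files = {p.name: p.read_bytes()[:HEAD] for p in root.iterdir() if p.is_file()}
    plan = plan_recovery(files, suffix)
    for old, new in plan.items():
        if not (root / new).exists():
            (root / old).rename(root / new)
    return plan


def sample_files() -> Dict[str, bytes]:
    """Constructed stand-in for the renamed dataset; not data from the incident."""
    rng = random.Random(1)
    return {
        "1f3a9c.locked": b"\x89PNG\r\n\x1a\n" + b"\x00" * 2048,
        "7bd2e0.locked": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n" + b"<< /Type /Page >>\n" * 100,
        "c44e12.locked": b"PK\x03\x04" + b"\x14\x00" * 1024,
        "e9a071.locked": rng.randbytes(4096),  # no header, high entropy: real ciphertext
    }


if __name__ == "__main__":
    for name, data in sample_files().items():
        print(name, classify(data), round(shannon_entropy(data), 2))
    print(plan_recovery(sample_files()))
```

On a real dataset the entropy threshold needs tuning: already-compressed formats without a recognised header (some archives, media) score close to 8.0 and would be parked as ‘encrypted’ for review, which is the safe failure mode. Hashing or sampling a few restored files against known-good copies, where any exist, is the check that the bytes really were untouched before the run is applied to the whole estate.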
Support over blame
In this incident, the malware was introduced unintentionally, but instead of focusing on blame, the company supported the individual involved.
“I’ve seen many cases where there’s been a mistake by a single individual, not an IT person, and it’s brought the company right to a terrible place.”
