Responding to Ransomware Attack [Case Study] | Interview with Yannick Hirt
Dejan Kosutic: Welcome to the Secure and Simple podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest to consultants, CISOs, and other cybersecurity professionals. Hello, I'm Dejan Kosutic, the CEO at Advisera and the host of the Secure and Simple podcast. Today's guest is a very interesting person, Yannick Hirt. He's the founder and CEO of ODCUS, a security consultancy based in Switzerland.
Dejan Kosutic: And as a consultant, he had a very interesting experience. He was working for a company that experienced a ransomware attack. So in today's podcast, you'll learn what the best practices are for handling ransomware attacks. Welcome to the show, Yannick.
Yannick Hirt: Thank you very much, Dejan. I'm happy to be here today, and thanks for hosting me.
Dejan Kosutic: Great to have you here. So can you tell me how this whole ransomware attack happened? What were the circumstances?
Yannick Hirt: Of course. So basically, we're talking about almost two years ago. It was November.
Yannick Hirt: It was a cold night. Back then, we were working with a client, an industrial company producing products for, let's say, departments for houses. I can't go much deeper on that, but it's an international company. So from the infrastructure, architecture, and organizational perspective, they had their head office in Switzerland, but also other branches in Europe and in the US as well. Production was mainly in Europe, so it was a very diverse, very decentralized organization, but the main IT, the group IT, was in Switzerland.
Yannick Hirt: At that time, the company was going through a big transformation in IT, and the focus was on a cloud transformation. That was also the main reason why we were there at that time. But the company was also facing the problem of the cyber risks it was having, and they were already trying to do a lot of things in that direction. Unfortunately, because the main focus was on the cloud transformation, things were not as they should have been at that time, and unfortunately they also got caught by a ransomware attack. It's not 100% sure yet how the attacker actually entered the company, but most probably it was a phishing mail, which was distributed to around, I would say, 20% of the company. It was very sophisticated, very good.
Yannick Hirt: The attachment was very, very good. And basically, I think one of the IT administrators with privileged rights fell for it. Through that, we assume the attacker got access. From there, he basically did lateral movement until he reached the server infrastructure, and afterwards everything was encrypted.
Dejan Kosutic: Okay. And what were, let's say, the first signals? How did this company actually realize it was under attack?
Yannick Hirt: So the first realization came in the morning. It was an overnight attack. In the morning, when the IT administrator turned on his computer, he saw that something was not working quite well. Everything was encrypted, and he also found the ransom note. So that was the first realization that something had happened.
Dejan Kosutic: And then how did things develop? What was the timeline of what happened next?
Yannick Hirt: So in the morning, because we were already on-site at that time, what happened is that the IT administrator disconnected the infrastructure, and a war room was set up, with a lot of people who were working for IT or inside IT, obviously also the CEO and everyone who wanted to know what happened. In that situation, we had to decide what we were doing and how we were going to recover from this. I also need to say that the main program management was obviously done by the IT director at that time, and we were doing certain parts of the recovery phase, where we were managing the streams and different things that I'll come back to in a few moments.
Yannick Hirt: In the first moment, I think it was basically day zero or moment zero, we had to decide on the next steps. A big part of what we were deciding on was obviously communication: how are we going to communicate this to the company? And afterwards, how are we going to set up the recovery management?
Dejan Kosutic: You mentioned this war room. So I assume that this is, let's say, a meeting of the key people that were involved. In the case of this company, which people actually participated? And on the other hand, what do you think a perfect war room should be? Who should typically participate?
Yannick Hirt: Actually, the setup was already quite good. We had obviously the IT director in the war room. We had everyone from infrastructure in the war room; there was one IT administrator who had a very big oversight of the whole architecture and infrastructure. We had people from the application side, also the manager in charge of the enterprise applications.
Yannick Hirt: We also had providers on-site. Because we were doing the cloud transformation, we had a mix of different providers at that time, and they were all already on-site, so it was easy to bring in new people who had specific knowledge. And then we had the SOC and the disaster recovery team very fast on-site as well in this group. So those are, I think, the main people from the IT perspective. Another person who was also key, in my opinion, was communication.
Yannick Hirt: Someone from communication who can maintain internal and external communication during that time.
Dejan Kosutic: When you say communication, you mean someone like a PR person on the business communication side?
Yannick Hirt: Exactly.
Dejan Kosutic: Okay. And what about the rest of the senior management? Did they actually participate in the war room?
Yannick Hirt: Not really, I must say. And that was also quite good, that they didn't try to interact or interrupt the whole operation. We felt a lot of confidence from the C-level as well to make sure that we could recover from the ransomware attack. So that was, I think, also a key element: that we didn't get disturbed by stakeholders that didn't really have any job to do, let's say.
Dejan Kosutic: Okay. So it is, let's say, the early hours of working on this problem. What kind of decisions, what were the key decisions, that you actually had to make?
Yannick Hirt: So in the first place, obviously, the setup. The recovery setup was organized in streams, which means we had, for example, the ad communication streams, the infrastructure recovery stream, the endpoint recovery stream, the application recovery stream, and then also threat intelligence, for example. I think this is the key setup. It was handled as a small program, actually, where it was key to separate responsibilities onto different people. That was done in the beginning.
Yannick Hirt: Afterwards, obviously, we had to decide how we were going to communicate this to stakeholders internally and externally. Externally, that included, for example, the police, if they should be involved, insurance, and also government. That was the key decision in the beginning.
Dejan Kosutic: And with regard to information systems, how did you actually decide between, let's say, rebuilding the information systems from scratch versus simply trying to restore them?
Yannick Hirt: That was actually key during the decision phase. We spent, I would say, almost four days primarily just to understand how the business works. Not business as usual, but the minimal business operation. In that phase, we had to identify the applications and also the infrastructure behind them that were essential for the minimal business processes. That is something I can also recommend companies do before something like this happens, because we were spending four days on that, and you could save those four days for something else.
Yannick Hirt: The way we identified that critical infrastructure was by identifying the applications that are necessary for the business to run. As it was an industrial company producing products, these were mainly applications for logistics, an ERP system, things like this.
Dejan Kosutic: And then you basically decided to try to restore them, or rebuild them?
Yannick Hirt: We restored them. We had the luck, and I must say it was really a lucky moment, that I think two months before, the company had transitioned to cloud backup. So at that moment, we were quite sure that the backups were working. However, we had to clarify that. So there was also this period when we were negotiating with the attackers about data release or not.
Yannick Hirt: This was also the period where we had the chance to actually verify whether the backups were working. They were working, so we restored from them, but into a new infrastructure.
Dejan Kosutic: Yeah, directly into a new one. Okay. So how did this communication with the ransomware attackers actually go? What did they want, and how did you respond?
Yannick Hirt: They were quite aware of how much money they could request, because they obviously saw the financials as well. It was a public company, so they also knew how much revenue it was making. The communication was quite interesting because it went through a specialist company, I think in the Netherlands, which specialized in ransomware communication with cyber groups like that. In that case, the attacker was Akira, and they were specialized in communicating with them. So we were basically communicating through this company.
Yannick Hirt: In the end, it's like a normal situation where you would ask the service desk of any other company. Basically, you have a chat window, and you just chat with these people and try to negotiate, with messages back and forth. It's kind of unreal to think about it. But groups like Akira are super professional; they have their own service desk which handles those things, and they also have a good, professional setup.
Dejan Kosutic: I assume that you can't say how much money they asked for, but compared to company revenues, roughly what percentage was it?
Yannick Hirt: Around 5%, I would say. That's the amount of money they usually request.
Dejan Kosutic: Okay. And when communicating with these, I mean, criminals, do they actually act businesslike or professional? Or is it like communicating with someone who is completely different from what we normally expect?
Yannick Hirt: I would say it's professional in their own way. For sure, they put pressure on you, and for sure they also find ways to make sure that you are aware of the situation you're facing, let's call it like that. But for sure, they have a professional way to negotiate with you, and you also feel that they are used to it. It's not the first time they are doing it.
Yannick Hirt: So, yeah, I would say the whole setup was quite professional.
Dejan Kosutic: And what were their demands? They demanded money, I assume, but for what? What exactly did they promise to do?
Yannick Hirt: Basically, to give the decryption key to decrypt the data. There was also a negotiation on the table about the data release. So if the company had paid, they wouldn't release the data and would also give the decryption key.
Dejan Kosutic: So what was actually the thinking in the company? I mean, how could you actually make sure that if you did pay them, they would simply deliver the key? Or, on the other hand, that they might really deliver the key but still put all of this data into the public domain? What was, let's say, the thinking in the company at that time about these risks?
Yannick Hirt: From the strategy side, I would say the main focus was always on not paying, obviously, and on restoring the infrastructure if that was possible. But we were entering a negotiation phase to make sure that we had the time to check the backups. And obviously, they also put a lot of time pressure on our decision, in terms of releasing the data, taking the negotiations or the prices off the table, and things like this. But the strategy was restoring the infrastructure, because we knew that the data they had was obviously critical and sensitive, but not as critical as, for example, if you are a bank, an insurance company, or handling health data or something like this.
Yannick Hirt: So that was the prioritization we were making. What also needs to be considered here is that they also want to deliver the service according to what they say, because they want to be known for the fact that if you pay, you get the decryption key and it works, because it's basically their business as well. Imagine if companies paid them and the decryption keys didn't work; their whole business model would fall apart, because everyone would know that they are not reliable. So in that sense, we knew there was some negotiation space, but our strategy was definitely just to recover the infrastructure and make sure that we didn't need to pay.
Dejan Kosutic: So how long did this recovery phase then last? You mentioned it took you four days just to map the applications and processes. How long did it last in total?
Yannick Hirt: As far as I remember, it took at least one week or ten days until people could work again, firstly. Then it took six weeks until business as usual, until we had the setup again to make sure that at least the minimum processes were working again. And afterwards, it took three months until the post-incident activities were really completed.
Dejan Kosutic: Yeah. And in the meantime, what was the length of these discussions with the ransomware attacker? Was it the whole ten days, or was it shorter than that?
Yannick Hirt: It was definitely shorter. It was really just the first few days. I don't actually remember how much time they gave us to decide whether the company wanted to pay or not. But it was really just a few days. I think it was between three and four days until the offer was gone.
Yannick Hirt: Afterwards, they published the data on the dark web. And during that time, they were also calling employees, for example, to make sure that they influenced the decision of management and tried to create a bit of a bad atmosphere.
Dejan Kosutic: So they were calling them on the phone? Wow. So they were very, very well informed, unfortunately.
Yannick Hirt: Yes. I mean, they had all the data. So they had all the phone numbers and also the email addresses. So actually, during this time and also afterwards, phishing continued.
Yannick Hirt: Social engineering was very, very active. And we also had to make sure, from the email security perspective, that the infrastructure was protected.
Dejan Kosutic: Okay. And if I understood well, you managed to actually restore the data without their help. So the company didn't pay, right?
Yannick Hirt: Yes. Yes. It was completely possible through the backups.
Dejan Kosutic: Okay. So it was a happy ending, so to say.
Yannick Hirt: Definitely. For sure.
Dejan Kosutic: Okay. Great. You mentioned that the communication actually went through Akira, I think you mentioned. Right? Okay.
Dejan Kosutic: And is this Akira a legal company, or is it just a group of, I don't know, people?
Yannick Hirt: Akira is the ransom group, the cyber group which attacked us. The communication went through, and unfortunately I don't remember the name anymore, a company in the Netherlands that is really specialized in communicating with cyber groups, in that case Akira.
Dejan Kosutic: Okay. So this Dutch company is a legal business, right? They actually do this for a living, this kind of communication.
Yannick Hirt: Very much so. And they also offer, I think it needs to be said, that there are companies who are willing to pay, and they also take over the transaction. So they make sure, for example, that they convert the fiat money into Bitcoin or whatever the attacker is going to demand.
Dejan Kosutic: Yeah, understood. Okay, you mentioned also that you notified the police, the government, and so on. What was their reaction, and did they really help in this situation?
Yannick Hirt: Yeah, I must honestly say that they didn't really help. It was rather more work to do afterwards, in terms of explaining what happened, but they couldn't do anything anyway. So in my honest opinion, I wouldn't recommend it; obviously, you have certain regulations which make sure that you notify the institutions within a certain amount of time. But besides that, you can't expect too much help in that case. Maybe it's different in other countries, but in that case it was like that.
Dejan Kosutic: Okay. Let's go back a little bit to this recovery. Obviously this was not a small company, right? It was a mid-sized, maybe large company.
Dejan Kosutic: So they obviously had lots of systems. How did you actually make the decisions on which systems to recover in which sequence?
Yannick Hirt: We were doing a kind of wave planning, a wave roadmap. We separated all the applications into certain waves and, from there, decided which infrastructure was needed to make sure that the applications in each wave run. Based on that, we were making the decisions on which infrastructure to restore and how. So the wave planning was really essential to make sure that we followed a time plan and also managed the recovery itself.
Dejan Kosutic: These decisions around the waves were obviously made by the company. But who in the company actually needed to make these decisions? Was this more on the IT side or on the business side?
Yannick Hirt: I think it was together, the IT side and the business side. In the IT team, we had two or three people who had worked for thirty or thirty-five years in this company, so they very much understood how the business was operating and how the business processes worked. From that side, we didn't really need to have the business on-site saying which systems are important for them. The knowledge was really already in IT.
Dejan Kosutic: Okay. Understood. You mentioned earlier that it took you a number of days to map the processes and the systems, and that companies should do this upfront so they don't have to do it under such stress. So what kind of mapping do you think every company should make to prepare?
Yannick Hirt: First of all, it's basically drafting or drawing the business processes. From there, making a business impact analysis and making sure, okay, the business processes they are having, which define where the money flows and also where the data flows, which systems in IT, which assets, those depend on. In that manner, you also make sure to understand the connections between different systems and between different assets. I think that was the key.
Yannick Hirt: In our case, it was literally just drawing on the walls and making sure that the whole wall was covered in paper, with pen.
Dejan Kosutic: And speaking about methodology, could you use a methodology like the business impact analysis from ISO 22301, the business continuity standard, for that purpose?
Yannick Hirt: For sure. I think especially those frameworks give you the knowledge and also the base to draw something like this and start from there. So I always say to companies, take those frameworks as a reference, they really help, and start from there.
Dejan Kosutic: Okay, great. Now you also mentioned that this communications person, the PR person, had a big role in the war room. Can you please explain what this person did?
Yannick Hirt: It was, I would say, mostly internal communications: what is happening, what is going to happen, what are the steps the company is going through. Obviously, also advising the employees what to do and what not to do. In that case, we didn't have any media attention, which was very, very good. But I think that was also because there was no leak from any employee or similar. So that was very important. Obviously, also external communications.
Yannick Hirt: As I said, there was no media attention, so no media communication was needed, but the communication with police, insurance, etcetera. On the other side, also internal guidelines. At that time we, for example, created a phishing guideline to make sure that people follow certain steps to make sure the email is valid, and verify the sender, verify the subject, and things like this. Those were the main parts.
Dejan Kosutic: Okay. Let's speak a little bit about senior management now. What do you think the role of senior management should be if they have this kind of ransomware attack?
Yannick Hirt: In my opinion, it would be to facilitate basically everything that is needed for the core team to be successful in the recovery phase. And I think there are certain things that are usually not really considered. For example, the core team will obviously work a lot, will do overtime, and their families at home might be affected by this as well. So I think those social factors are very important. If senior management, the C-level management that is not directly involved in the recovery, can make sure that they facilitate the whole environment around that, this helps a lot.
Yannick Hirt: So, for example, who takes care of the kids at home for those families, things like this; obviously, also nutrition, so maybe it's not the best thing to eat pizza every night for the core team, maybe something else, coffee, and the whole environment. I think the facilitation of this is very crucial.
Dejan Kosutic: What kind of decisions does senior management need to take, and how quickly?
Yannick Hirt: That's a very good question. I would say the main decisions need to be taken by the IT director or the CIO in a situation like that, because, from a skill and expertise level, a CIO can't really decide. So obviously he is accountable for the decisions. But I think if there is a high level of trust within the C-level management in these situations, this is very necessary. Which decisions need to be taken: obviously, also to onboard providers, to spend money on onboarding new people, whether that's okay or not.
Yannick Hirt: Also negotiating with the insurance what the budget is that they can spend, up to a certain level where, let's say, in the beginning no questions are asked. I think those are the things that really need to be decided in the beginning: what is the budget you have for the recovery, and how far you can go.
Dejan Kosutic: Okay. Since you mentioned the insurance company, did this company have an insurance policy against cyber attacks? Yes. How did this communication with the insurance company look? I mean, what did the insurance company look for in this whole process of resolving the incident?
Yannick Hirt: In the beginning, they were also very proactive, actually, in terms of whether any support was needed. Obviously, they also had a network of providers in the background that could be activated at that moment. So in that sense, it was very, very good. Also, from a financial perspective, the company had the budget that was needed to make sure that, at least until business as usual was reached, those financials were secured. And I think that was very necessary, obviously, also so that the whole situation is not made more difficult than it already was.
Dejan Kosutic: Okay. I mean, some insurance companies are looking for lots of paperwork and so on, and I can imagine companies are not very happy about that when they have to deal with the attack. So where was this balance with the insurance company?
Dejan Kosutic: Were they more on the helpful side, or did they still ask for lots of documents or records or whatever?
Yannick Hirt: The documents came afterwards. They were asking for all these things after the whole recovery phase was finished. But we were also, or at least I have to say the IT director at that time was, very aware that it's very important to document everything. So we started basically from the forensic report, which was very well structured and also very comprehensive. Every meeting was documented, so there was always someone taking notes in every meeting.
Yannick Hirt: Every decision was also documented. This was definitely a very important part. And in that sense, obviously, also making sure that everything you are documenting during this time is stored safely. So there was another point in the beginning where we had to make sure that wherever we save all this data, it's a safe place.
Dejan Kosutic: Do you feel that this documentation of everything was only for the benefit of the insurance company, or did it also have some other benefits?
Yannick Hirt: I think it was also important to structure the cybersecurity strategy afterwards. The forensic report was showing a lot of gaps and vulnerabilities, for example, and the service provider at that time also included some recommendations. I think this was a very big part, obviously, of the next phases of the cybersecurity program.
Dejan Kosutic: Okay. You mentioned this forensic report. I assume that you did the forensic report after the attack. Correct? Yes.
Dejan Kosutic: How important was this forensic report? And basically, what did this report tell you?
Yannick Hirt: From a document perspective, it was very, very important for insurance, for the police, for anyone who had a stake in this process, externally as well. For the moment itself, the forensics were analyzing how the attacker entered the company, how the lateral movement happened, how the whole process might have been done. I think it was not very, how should I say, I mean, for sure it was helpful, but it was also interrupting the recovery phase, because until forensics really finish the report, it might take some time.
Yannick Hirt: In our case, it was exactly at the same time that the company was figuring out how the infrastructure and the systems work together. But assuming that the company already knows this, it might actually slow down the recovery phase, because they need to look into the systems and make sure they can find everything. So I also say all the time: in case something like this happens, it really makes sense to duplicate the systems, for example, so that one copy can be provided to the forensics to finish their work, and on the other side you can already start to recover.
Dejan Kosutic: And was this forensics done by a government body or by a commercial provider?
Yannick Hirt: A commercial provider.
Dejan Kosutic: Commercial. Okay. Since you're acting as a consultant, what would you say?
Dejan Kosutic: What kind of role should consultants actually have with their clients when they are attacked by ransomware?
Yannick Hirt: I think the experience that consultants usually have and bring to the table is very necessary and very important and can help a lot, and also the network behind that. Assuming you are a small or medium enterprise which maybe does a good job in terms of security, maybe already has a security operations center on board, when a consultant comes in, he might have a completely different network of providers, of specialists, that can help, especially in the security space, because a forensic person does a very different job than a security analyst. So you really need to be able to bring the right people on board. I think a consultant can help in case something already happened or is happening. And of course, if we are talking about the time before, preparation is the key, and there a consultant can obviously help to structure, and also, as I always say, a pragmatic approach is very essential to make sure that you are as prepared as you need to be and not, yeah, 100% prepared, because 100% preparation is almost impossible.
Yannick Hirt: So to focus on the right things, I think there you can really rely on a consultant.
Dejan Kosutic:And how can actually consultants, I mean, raise, let's say, their capabilities to help a client? I mean, is there some kind of a special training, let's say, for this kind of a purpose? Or I mean, not many consultants have, I would say, the privilege, so to say, to participate in real attack.
Yannick Hirt:That's actually a good question. Obviously, a lot of how to react in these situations is theoretical until you get, like, the real life experience. But I think I would say if consultants are focusing on frameworks and about kind of like the best practices that we are having in the cybersecurity industry, you can already, yeah, prepare a lot of things. And I think the gap is really just the social part between that, kind of like what I was saying. Yeah, you need to take care of the people as well.
Yannick Hirt:And on that side, it's very, very, very difficult obviously to prepare. But I think that there are also some educational courses that consultants could take to kind of like learn the social part of it, because obviously IT always has kind of this, yeah, dry side, let's say, and I think like the social part might, yeah, be missed a little bit. So I would say on that side, consultants could also go to dig a little bit deeper.
Dejan Kosutic:You mentioned this social part. What exactly do you mean?
Yannick Hirt:I mean, just people to people communication, caring for the people, being empathic. Yeah, it's a very stressful situation and everyone reacts a little bit differently to these situations. If you are an external consultant, obviously, I mean, you are in the same boat, but you don't have, like, the same risk, obviously, that is happening. So you have some distance, and you might also take this distance as an opportunity to spread a little bit of calmness, to spread a little bit of, yeah, safety, because I think this is very, very necessary in this moment that people stay calm, that they take calm decisions. And, yeah, this is very essential also on the social side.
Dejan Kosutic:So what were kind of the main lessons learned, you know, from this experience that you had?
Yannick Hirt:So, I would say, obviously, preparation is a very big part, but I also don't want to kind of over complicate that. I think what is very necessary is definitely make sure that your backups are working. And that's always, I mean, we say it over and over again, but it's just essentially true. Make sure that detection is working. In that case, it was actually, because the company was having their server infrastructure outsourced, the monitoring system of the provider was already, yeah, notifying and having alarms that something is happening, but no one was really notified or, like, kind of there was also no SLA in place or service agreement that these kinds of alarms need to be, yeah, raised and things like this.
Yannick Hirt:So make sure if you outsource your infrastructure or if you have your core systems outsourced, make sure that the service provider has some SLAs and also some responsibilities to notify you in case something happened. But, obviously, first, you need to have the detection in place that you even realize that something is not working quite well. And then, on the other side, it's what we are always saying. I mean, if you have privileged accounts with privileged rights, make sure that they are safe. Make sure that they are somehow, obviously MFA, phishing resistant MFA, things like this, also just-in-time access.
Yannick Hirt:There are many, many ways to secure those accounts and make sure that they are secure and protected.
Dejan Kosutic:Okay, so these are obviously, let's say, technical preparations that need to be done. And what about this, let's say, more organizational business side of what companies should do?
Yannick Hirt:In that case, I would say identify the important people, make sure that you already know which people bring the right knowledge to the place in case something happens. Also make sure that you already know providers who might provide services in those situations. In some cases, maybe it makes sense to already have a contract in place with some retainer hours, for example, that you can just take in case something comes up. And, what I would also say, obviously, that needs to be defined, who is taking decisions in that case, who is, I mean, who is taking notes. That's a very, very important part.
Yannick Hirt:And on the other side, also processes in terms of, like, for example, if you need to do a company wide password reset, how do you do that? And just also organizational and also technical, because you need to inform the people afterwards that their password was reset, because they can't access the email account in that situation. So thinking about these kinds of processes and preparing those is very essential, because otherwise you lose time, and time in this time is obviously the most important value.
Dejan Kosutic:And what about training or raising awareness or maybe some kind of exercises with real simulations? Do you think that these kinds of things would help?
Yannick Hirt:Yes. A certain level of awareness and training throughout the whole company is essential, that everyone, like all the employees, get trained frequently. And I don't say just, like, yearly. I think, there are many, many ways nowadays to train people in a very attractive and very motivational way. On the other side, I also think that, the management level should be trained differently with, for example, a war room situation, with different kind of scenarios that are played and how they would react.
Yannick Hirt:And I think in this kind of, yeah, soft trainings, I would say, you really see how people would react in this situation and maybe to analyze, okay, which decision would have been wrong. Maybe some responsibilities are completely set wrong. Maybe people in these situations who you usually think, I can rely on those kinds of people. Maybe they overreact and maybe you need to really replace them with someone else who is a little bit calmer, who can take actions more calmly.
Dejan Kosutic:Okay, great. Well, thanks a lot for all these insights, and I've learned a lot. And, it's been a pleasure talking to you.
Yannick Hirt:Thank you, Dejan. It was a pleasure. And I hope, yeah, I could share some insights, especially also like kind of the non theoretical things to consider in these situations. And I always say preparation is obviously a big part of it and making sure to think about what could have happened and make sure that you're prepared with, processes and responsibilities and organizationally.
Dejan Kosutic:Yeah, and technically and psychologically and organizationally.
Yannick Hirt:Exactly, exactly.
Dejan Kosutic:So thanks again, Yannick, and everyone for listening or watching this podcast, and see you again in two weeks' time in our new episode of Secure and Simple podcast.
Yannick Hirt:Thank you very much. Bye bye.
Dejan Kosutic:Thanks for making it this far in today's episode of Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website, you can check out various tools that can help your business. For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients. The white label documentation toolkits for NIS2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients.
Dejan Kosutic:Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy with numerous videos for NIS2, DORA, ISO 27001 and other frameworks enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up, it helps us with better ranking, and I would also appreciate it if you share it with your colleagues. That's it for today, stay safe!
