Constant Vigilance Is the Price of Cybersecurity

Change takes time, but it seems that businesses in general, not just large enterprises, are realizing that cybersecurity isn’t a fad but a key part of most modern businesses. Wayne Hunter, Founder and CEO at AvTek Solutions, Inc., has been preaching that message for years and we recently had the chance to interview him.

Something unique about AvTek that shows how seriously they take cybersecurity is their $1M guarantee against ransomware. If ransomware gets past the defenses they erect for your company, they will pay $1,000 per endpoint, up to $1M. This guarantee runs alongside their “no risk switch”: if you’re not happy within 30 days of coming to AvTek, they will help move you to another vendor. Moving vendor is easy at any point because AvTek believes in earning a client’s business every day, so they don’t require long-term contracts.

Phishing Attack

Wayne shared an insightful story about a construction company that AvTek had been working with for years. The company had many of the recommended safeguards in place, which allowed AvTek to help recover, in a relatively short time, the working environments that had been frozen in a phishing attack. But the one measure that would have gotten them up and running faster was immutable storage, which they had resisted implementing.

Immutable Storage

One of the advantages of cloud data is that it’s accessible from multiple devices, but that access also exposes the data to more vectors of risk. An immutable backup is a write-once-read-many format that cannot be changed, edited or overwritten. Read-only files cannot be lost, deleted, corrupted or encrypted in a ransomware attack.

Immutable storage can also be time-limited, allowing you to update or delete files within a certain period that the user specifies.

Business Functions Impacted in a Cyberattack

While some might think that a construction company would be less impacted than others by a cyberattack, the company faced three problems that are common in a cyberattack:

  • Work in Progress (WIP) can’t be billed. You likely cannot access information to see what has been invoiced, send invoices or receive payments.

  • Proposals can’t be accessed. Any information that had been gathered for a bid is locked away.

  • Payroll. Many employees have their time tracked electronically and, without access to systems, you can’t figure out what people are owed. Even if you could, you might not be able to pay them using the traditional payroll system.


Smaller Businesses Get It

Wayne also shared that while some enterprise-level companies may move more slowly on implementing a full suite of protections against cyberattacks, smaller businesses are more and more “getting it” when it comes to cybersecurity. They’ve come to realize that even though they are smaller, with client lists of 50, not 5,000+, they represent part of a larger scheme. By getting access to those 50 clients, cybercriminals can keep going and soon have thousands of victims.

Practice What You Preach

Wayne knows that it can be annoying to have to use MFA and other security measures. He knows because he has the same measures in place at AvTek that he recommends to his clients. Not only does this protect AvTek but it also gives them a sense of the user experience — invaluable when framing the sale as well as for the onboarding process of new clients.

Wayne reminds himself every time he enters a password on an internal system that information is at risk and that without these measures, there’s every chance that AvTek (and by implication, all their clients) will be attacked and exposed.

Even though Wayne explains to clients that what he is proposing is what he does in his own company, change is still hard. But Wayne welcomes having those difficult conversations and documents when clients refuse to take certain measures. Every quarter he will go back to them and continue to beat the drum for change. “Documentation and communication,” he says. Clients may still refuse but Wayne will have proof that he’s been doing his job.

A Security Triangle

Part of that communication has to exist within your cybersecurity solution, as well. Cybersecurity isn’t just the measures you take. It’s the compliance you ensure you are meeting for your industry. It’s also the insurance you have in case anything goes wrong. Wayne advocates for an open line for communication — and collaboration — between these three partners. Silos between these partners can undermine the very cybersecurity that companies are trying to establish. Wayne emphasizes that “completing that circle” between these partners offers a much better security posture.

Now, if you’re dealing with a managed services provider (MSP) like AvTek, two angles of that triangle might be with the same provider: Wayne and his team provide both cybersecurity solutions and compliance assistance. There is the chance of a conflict of interest there and Wayne provides an analogy:

“If I’m walking out the door, I might always think I look good. But if I ask my wife, she might not agree.”

To guard against this, AvTek puts in checks and balances to ensure that compliance and security are looked at as the separate issues they are, rather than a blurred combo of the two which can lead to more risk.

If the worst happens, you’re going to want the best financial, legal and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support.

End-User Education Is the Last Mile of Cyber Security

While we do believe that technology is part of solving the cybercrime puzzle, we know that it can’t help companies that don’t have leaders and end users who understand the technology, and more importantly, the cybercrime realities that make that technology a necessity in today’s business environment.

Bruce Nelson, President at Vertilocity, emphasizes the importance of end-user education. He recently sat down with us to discuss this and give real-life examples of how lack of end-user education plays out in bad outcomes for organizations.

A Spear Phishing Attack

Spear phishing is an attempt to acquire sensitive information, or access to computer systems, by sending counterfeit messages.

This type of attack often targets a specific person, or group, and will include information known to be of interest to the target, such as financial documents or current events.

Like other insidious forms of attack that use social engineering, this type of attack takes advantage of basic human nature, including:

  • A desire to be helpful.

  • Providing a positive response to those in authority.

  • Responding positively to someone who shares similar tastes or views.

In the example that Bruce shared with us, the threat actor was able to gain access to the email of a third-party project manager who worked between two IT firms that serviced one client. The victim managed projects and made sure that everyone was on the same page. The problem was, he was using a standard Gmail account for all this correspondence.

Don’t Use Personal Gmail for Business

We should note that it’s never a good idea to use a personal Gmail account for business. Apart from signaling a lack of professionalism by having gmail.com as part of your work email address, you’re also advertising to cybercriminals. You’re letting them know that you’re on a version of Gmail that doesn’t offer much support if something goes wrong (it is free, after all), and you’re also advertising that you’re not someone who takes cybersecurity that seriously.

Message received: this professional had his Gmail breached and the threat actor was able to read messages between all parties. The threat actor then sent a well-crafted, legitimate-looking email to the controller of Bruce’s client, one of the parties involved.

The email was asking the controller to update banking information. Since the email had come from a familiar Gmail account, it didn’t raise any red flags and the banking information was duly changed.

Almost three months passed before the real vendor called asking if something was wrong, as they hadn’t received payments for months. The controller was confused and sent over proof of payments…going to the new account. The problem was, of course, that the vendor had never changed their banking information. The threat actor got the cash and disappeared.

What went wrong? Clearly, the end user was not educated enough about the scams being used today. Instead of following up with a short phone call after receiving the request to update the banking information, they went straight ahead without verification and literally paid the price. Alongside user education, you can put systems in place to stop this type of scam: for example, requiring secondary verification for payments above a set dollar amount, or for certain types of request such as a change of banking details, a sort of “real life” MFA.

Bruce notes three red flags: the request was unusual (banking information doesn’t often change), impactful (this would affect all payments) and urgent (it needed to be done in a certain amount of time).

Bruce also shares an instance in which those three red flags helped a client avoid a scam. The company in question was in heavy acquisition mode and the CFO received what looked like an email from the CEO “greenlighting” an acquisition. Because two of the three warning signs were present (impactful and urgent), the CFO slowed down and was able to see that a few small things were off about the email, and after phone-verifying with the CEO, they realized it was a scam.

The overarching moral: don’t let team members think they will be penalized for slowing down, especially when it comes to financial issues. Better to be too slow in paying something legitimate than too fast in paying something illegitimate.

Using Our Emotions Against Us

Bruce also shared a story from a conference he attended in which a former FBI agent illustrated just how easy it is for threat actors to target victims. The following is a basic playbook:

  1. Go to LinkedIn and find the CEO of a midsize company and then gather more information that might be available online.

  2. Find out if this person has kids and where they go to school.

  3. Create a legitimate-looking email from that school saying that there’s been a terrible event such as an attack, or a sexual predator has been spotted in the area.

  4. In the email let the parent know that the situation is under control and to learn more, click here and…

You’ve got them. You harnessed the powerful emotions of a parent’s instinct to protect their child and, of course, they click on the unknown link. Note again the three warning signs: something unusual, impactful, and urgent. Those three signs should always cause us to stop and pause before taking action.

Keep It Simple

Bruce shared a simple tactic to help end users get on board with cybersecurity. “Make the secure way also the simplest way. It’s the way to get massive adoption,” he noted. Part of the reason change management is so difficult is not that people resist change in general, but they tend to resist things that take longer, even if they can see the merits of them.

Note the Worst-Case Scenario

It does happen that companies go out of business, or have to take drastic measures to stay alive, after a cyberattack. Employees should note that one wrong click, or following the directions of one wrong email, might cost the company everything, including everyone’s jobs.

If it’s framed as: “all our jobs depend on taking cybersecurity seriously,” team members will be more likely to pay attention.

Have a Plan

Bruce concludes by emphasizing something we hear from nearly all our guests on the podcast. Have a cyber risk assessment done. Have it printed out. Make sure people are designated to lead in the event of an attack.

Cyber risk assessments also have the helpful quality of identifying where the greatest risks lie so that the C-suite can spend the money where it will have the greatest impact (assuming most businesses do not have infinite cybersecurity funds).

Stop Thinking Ransomware Attacks Won’t Happen to Your Business

One of the ways we help business owners wake up to the current realities of cybercrime is by sharing real-life stories. We recently had the chance to sit down with GroupSense CEO & Co-Founder Kurtis Minder to hear some of those stories. Kurtis and his team have hundreds of cases they’ve dealt with, many with Kurtis leading the negotiating team.

You Can’t Always Google Everything

One story Kurtis shared was about a small Midwestern architectural firm that got hit over a holiday period. Their data was encrypted and the backups destroyed.

An architectural firm’s IP is crucial. Think of all the drawings and blueprints, not just for current projects but for those going back decades. These documents are referenced over time and relate to vital infrastructure such as roads, bridges, buildings, etc., not things you want to lose the plans to.

If that wasn’t bad enough, all the machines were encrypted, so they couldn’t use any of their software to do the current work. Everything was at a standstill.

Kurtis noted that he and his team did not actually get the first call. The firm googled the name of the ransomware variant, along with, “How to destroy X.” But just as legitimate businesses pay for Google Ads to get listed at the top of a search, so too do illegitimate companies. They count on a portion of business owners looking for an online DIY fix to their ransomware attack.

Unfortunately, the architecture firm was just headed for the second round. The criminals in the Google ad promised to “decrypt” the ransomware. But they were the middlemen. Using the ransom note — which the architectural firm happily handed over, not considering why that note would be necessary for decryption — these criminals then went onto the dark web. There, they found the original perpetrators and put themselves forward as the original victims looking for the decryption key.

A standard operating procedure for ransomware attacks is that the threat actor then decrypts a small amount of the data to show the victim that they are capable of reversing the damage of the original attack. This can move the victim to pay the ransom. In this case, the ‘Google criminal,’ acting as the real victim, paid for this “mini decrypt” to give the architectural firm some hope. They then acted as a middleman, marking up their cost by 80%. They billed the architectural firm and received payment. These new criminals then disappeared. That’s when Kurtis and his team got the call.

Having been burned twice and with a price for the ransomware decrypt already set by the middlemen criminals, the architectural firm chose to go an alternate route. They went to their email inboxes and found as many files as possible. They emailed them to each other to rebuild their database, which they built back almost in full.

What Businesses Should Do

Kurtis concedes that most 30-person small businesses are unlikely to have a cyber expert on staff and even if they wanted to have one, there wouldn’t be a supply for such a demand.

However, when Kurtis speaks to business owners around the country, the response he often gets is, “Wow, that’s scary, but that’s not going to happen to me.” Wrong. More than 80% of ransomware attacks happen to small businesses, and those are just the ones that get the headlines. Many attacks happen around us that never make the news.

Make a Plan

When they do get convinced, however, some of these businesses tend to go overboard, wanting to create a cyber risk assessment that covers every possible contingency. “Don’t let perfect be the enemy of good,” Kurtis warns. Put something basic in place, and of course, when you have it, print it out so it can’t get encrypted and become useless in the case of an attack.

Sweat the Small Stuff

One of the reasons business owners procrastinate over protective measures for their businesses is the thought that it will take time and money to implement them. But this is a misperception.

Kurtis encourages business owners to look at the example of the criminal using Google Ads to ensnare victims. Those criminals are using tried-and-tested practices of advertising to small businesses.

Many of these threat actors are small shops with limited teams and infrastructure. Only a few of them are part of the giant syndicates that make the news. Hence, they go for low-hanging fruit, which in this case consists of companies that don’t follow basic best practices in cybersecurity. This includes:

  • Basic password policies: not permitting “password1234”, and other lazy practices, and insisting on forced changes more than once a year.

  • Software patches: ensuring that all devices accessing company information and resources are updated to the latest software.

  • MFA: ensuring that users are forced (whether they like it or not) to use multi-factor authentication to ensure the identity of those accessing company resources such as email accounts and databases.

  • Offsite storage: ensuring backups exist that are disconnected from your regular resources, so if those regular resources go down, you can still access the backups.

Believe it or not, most of these small businesses get attacked through one of these avenues, leaving businesses with the, “If only I had done X” feeling.

If companies can’t have a cyber expert on staff, the least they can do is take the basic steps that any cyber expert would if they were on staff: fix passwords, patch software and implement MFA.

Kurtis does lots of public speaking so if you know anyone who could benefit from hearing this information, you can book him here.

Scams, Bad Plans, and Ransom Demands with Roger Grimes

If we find online safety measures like multi-factor authentication (MFA) irritating, we probably need to adjust our levels of expectation and trust for the internet of today. The longer we put off proper level-setting, the more likely we will fall for the scams and frauds that are rampant on today’s internet.

That’s one of the messages Roger Grimes shared with us recently. In this article, we’ll go deeper into his reasoning and share some of the best practices he advocates.

Subject-Matter Expert

Roger has been in computer security for over three decades. He started in the virus space, fighting Apple and DOS viruses, before spending the 1980s as a network technician, rising through the ranks.

Roger has written 1,200+ articles and 13 books, and has been interviewed on shows like “All Tech Considered” by NPR.

He now consults with hundreds of companies on security reviews, attack responses, and advanced persistent threats.


One of the things Roger is known for advocating is MFA. When he gets pushback on it, it is usually in terms of “it’s too much trouble.” This indicates that some people are still thinking about the internet in the same way as real-life scenarios.

Roger gives the example of ordering a pizza: we call a number and have no idea who is answering. We may even give them a credit card number. Then some stranger comes to our residence and hands us food that we haven’t inspected, and we give them money. When it’s framed like this, it sounds like a lot of trust is involved, and it is! But that’s because there are safeguards in real life, not least of which is the police, who can help you in case of a potential attack.

Now consider that same scenario on the internet: you want to purchase a pizza. Is it strange that your bank, your credit card company or even the pizza place wants to double-check that it’s a real person ordering and not just a bot?

So once we understand that it’s unreasonable to apply our default real-world levels of trust and expectation to the internet, we’re approaching the right mindset for keeping safe online.

Four Signs You’re Being Hacked

But you can’t question every experience, right? So once a reasonable level of security expectation is established, what are some warning signs to put you on high alert for fraud? Roger lists four:

  1. An unexpected communication — this could come from a person or organization that you know or would be reasonable for you to know.

  2. Being asked to do something for the first time — this could mean filling out a form or sending an email or providing particular details.

  3. A stressor event — this is a demand that the thing you are being expected to do needs to be done in a short time window.

  4. Could be malicious — this is recognizing that whatever you do might expose you. This might include sharing your bank details or home address, or part of an identifying document, such as a partial social security number.

Job-Offer Hack

Red lights would definitely be going off in your head if all four of these signs happened at once. But Roger stresses that if any one of these occurs, you’re at risk. If all four do, you’re almost definitely being scammed.

Roger shares an example where a candidate was applying for a posted job offer whilst working at his current role (he was a chief marketing officer). He was asked to fill out an application in Microsoft Word format that had active fields in it. These active fields served as vectors for malware to capture his passwords and gain access. The scam cost his firm quite a bit of money, to say nothing of his embarrassment that the compromise happened because he was looking for new employment. Even worse, this person regularly read Roger’s columns and still fell victim to a scam.

This doesn’t mean that you can never trust a situation where there is a stressor event. It just means that you need to be vigilant, even in a scenario that you think you’ve initiated.

Romance Scams

Roger believes that sharing stories is a big preventative measure. But sometimes people disregard the evidence that they are being scammed.

Roger says this is most prevalent in romance/dating scams. Even when someone has been shown they are being scammed out of money, they still want to pursue a “relationship” with the scammer. “The heart has a mind that the mind knows nothing of,” Roger says.

It’s Not About Intelligence

It’s not “stupid” people who get caught up in these scams. One of Roger’s clients has a Nobel Prize in quantum physics — not someone you would classify as “stupid.” Yet he still got scammed out of two million dollars.

It’s not about intelligence, it’s about awareness. Keep up with the scams that are out there, be aware of the four warning signs in your personal interactions, and advocate for proper security measures to be taken in your professional environment.

Passwords and MFA

The average person logs into about 170 websites a year, but only tends to use three to seven passwords across those 170 sites, often without the help of a password manager. This goes back to the mentality shift Roger advocates.

We aren’t asked to remember dozens of passwords in everyday life. But instead of realizing that online there are methods in place to keep us safe, we rely on our memory and gut and then act surprised when we get hacked.

That doesn’t mean MFA is a cure-all. One of the last things Roger mentioned to us on the episode is about the class of MFA you are using. He advocates for phishing-resistant MFA. Just like viruses adapt to overcome treatments, criminals don’t just give up when confronted with MFA. They try to find a way in, starting with getting your password.

If they can find a way to hack your password, they can find a way to intercept your text messages, a one-time password, or answers to your security questions.

Roger refers to phishing-resistant technologies outlined in a White House document: FIDO2 WebAuthn and PIV smart cards, which use a third piece of technology to verify that the person requesting access is actually the right person.

Remember that if your reaction to this is that it’s overkill, it’s because you haven’t sufficiently shifted your mindset to what is normal on the internet. Until you do, you’ll be susceptible to attack.

Giving Employees the Proper Cybersecurity Training

We recently had the chance to sit down with Michael O’Hara, a Certified Information Systems Security Professional at KB Communications. Michael was recently introduced as the guy “with more letters after his name than letters in his name.” We thought it might be useful to review some of those letters to give context to his great advice.


The Certified Information Systems Security Professional is an information security certification granted by the International Information System Security Certification Consortium (ISC)². As of January 2022, just over 150,000 people hold this certification worldwide. It has been assessed by some organizations as the equivalent of a master’s degree.


A Certified HIPAA Professional is someone who has undergone training to enable their company to become HIPAA compliant. The course covers areas such as the implementation of policies and procedures, patient confidentiality, and security measures in line with HIPAA requirements.


The Health Insurance Portability and Accountability Act of 1996 modernized the flow of healthcare information. It stipulates how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft. It generally prohibits healthcare providers and businesses from disclosing protected information to anyone other than the patient or the patient’s authorized representative without their consent.


The Certified Cyber Security Architect credential validates knowledge and skill sets in cybersecurity strategy, specifically:

  • Incident response

  • Encryption

  • Risk assessment

    • Vulnerability assessment

    • Penetration testing

Michael has been in cybersecurity for 30 years and says that the letters after his name really only drive home the fact that he’s a cybersecurity evangelist and wants to spread that gospel to all nations.

Case #1: The Fake Invoice

Michael can get called in at any stage of an attack. In the first story he shared with us, the client had inadvertently paid a fake invoice to the tune of $30,000.

The company has eight employees and $1.5M a year in revenue.

The owner was on vacation for the first time in 38 years, enjoying a cruise. His staff received an official-looking invoice demanding payment of $30,000.

With the owner finally away on a vacation, the staff debated whether to call him to verify the invoice. After some discussion, it was decided to let him enjoy his time away and the staff duly paid the invoice.

When the owner came back and realized that a fake invoice had been paid, he complained to his bank. His banker recommended Michael to him to make sure this couldn’t happen in the future.

Email Training

One of the reasons the staff had been tricked was that the email “looked legitimate and official.” Michael gave them a basic rule to avoid the same mistake again: when examining an email, look at the headers to find out whether the sending domain is a legitimate one. In this particular case, even this quick check revealed that the sending server was located in Russia, which was not the home of any company the owner was doing business with.

Other times, what looks to be legitimate might be just off by a letter or two and will be missed by someone who doesn’t take the time to do what Michael recommends.
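The header check Michael describes, as an added example that is not part of the article or of KB Communications’ own tooling: it parses a constructed suspicious message, compares the From domain against Return-Path, Reply-To, the first Received hop and the SPF/DKIM results, and flags a From domain that is a letter or two away from a vendor on a constructed allow-list. The vendor list (KNOWN_VENDOR_DOMAINS), the sample headers and every domain in them are assumptions made up for this example.

```python
"""Triage e-mail headers the way the article recommends: does the sending
infrastructure match who the message claims to be from, and is the claimed
domain a look-alike of a vendor the business actually deals with?
All sample headers and domains below are constructed for this example."""
import email
import email.policy
import re
from email.utils import parseaddr

# Constructed list of vendor domains the business legitimately pays.
KNOWN_VENDOR_DOMAINS = {"acme-supply.example", "northwind-parts.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address_header) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(address_header or ""))
    return addr.rpartition("@")[2].lower()


def first_received_host(msg) -> str:
    """Host named in the 'from' clause of the topmost Received: header."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.match(r"\s*from\s+(\S+)", str(received[0]))
    return m.group(1).lower() if m else ""


def triage(raw_message: str) -> dict:
    """Return the findings a reviewer should see before acting on the message."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    from_domain = domain_of(msg["From"])
    reply_to_domain = domain_of(msg["Reply-To"])
    return_path_domain = domain_of(msg["Return-Path"])
    received_host = first_received_host(msg)
    auth = str(msg["Authentication-Results"] or "").lower()

    findings = []
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"Reply-To domain {reply_to_domain} differs from From domain {from_domain}")
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    if received_host and not received_host.endswith(from_domain):
        findings.append(f"relayed by {received_host}, which is not under {from_domain}")
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("sender authentication (SPF/DKIM) failed")

    # Look-alike check: a domain one or two edits away from a known vendor is
    # exactly the "off by a letter or two" case the article warns about.
    lookalike = None
    if from_domain not in KNOWN_VENDOR_DOMAINS:
        for vendor in sorted(KNOWN_VENDOR_DOMAINS):
            if edit_distance(from_domain, vendor) <= 2:
                lookalike = vendor
                findings.append(f"From domain {from_domain} resembles known vendor {vendor}")
                break

    return {
        "from_domain": from_domain,
        "lookalike_of": lookalike,
        "findings": findings,
        # Any finding means: pick up the phone before changing anything.
        "verify_out_of_band": bool(findings),
    }


# Constructed sample: the From domain is one letter off a real vendor, and the
# message was relayed by, and bounces to, an unrelated host that failed SPF.
SUSPICIOUS_MESSAGE = """\
Return-Path: <billing@mail-relay-7.example.net>
Received: from mail-relay-7.example.net (mail-relay-7.example.net [203.0.113.5])
    by mx.ourcompany.example with ESMTP; Mon, 01 Jan 2024 09:00:00 +0000
Authentication-Results: mx.ourcompany.example; spf=fail smtp.mailfrom=mail-relay-7.example.net
From: "Acme Supply Billing" <ar@acme-suply.example>
Reply-To: <ar@acme-suply.example>
To: controller@ourcompany.example
Subject: Updated banking details for remittance

Please update our remittance account before the next payment run.
"""

if __name__ == "__main__":
    for finding in triage(SUSPICIOUS_MESSAGE)["findings"]:
        print("-", finding)
```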

Social Media Awareness

Criminals, not just cybercriminals, are watching Facebook and Nextdoor to see if people are away from home. Michael reminded the owner and his staff not to “live their life online.” In other words, if you’re having a great time on vacation, save all those pictures and post them when you get home—otherwise you give criminals an opening; they will know you are away from your home and/or business.

Case #2: Email Breach

The second case Michael shared with us was one in which the staff emails of a small warehousing company were hijacked six weeks in a row. The threat actor then spammed customers from the company accounts with links to sites that could personally compromise those who clicked.

When the company asked their managed service provider why this was happening, the MSP responded that he had recommended MFA when he took over the account ten weeks prior. But the staff had pushed back, saying, “there are too many extra steps to get into our email.”

Well, they learned that those extra steps could have saved the company a lot of reputational damage.


Multi-factor authentication requires a user to provide two or more verification factors to gain access to a resource such as an application, online account, or VPN. It is an industry-wide best practice of strong identity and access management.

Final Thoughts

Michael’s take-home message is that it only takes a bit of extra effort to maintain a minimum level of security: check email headers, add MFA to password protocols, and don’t post those vacation photos in real time. Don’t be “annoyed.” Be professional.

All your security measures should be part of (last acronym, we promise!) a WISP—a written information security program—which is a document that details an organization’s security controls, processes, and policies. This should be printed out so that a copy can be referenced in the case of a cyberattack when computers can’t be accessed.

And if you need Michael and his team to help write a WISP or convince your team of the importance of cybersecurity, reach out to him at KB Communications.

The Cybercriminal Hierarchy

We recently had the chance to sit down with Vincent D’Agostino, Head of Cyber Forensics and Incident Response at BlueVoyant. BlueVoyant provides security services like third-party risk and digital rights protection, among many others.

Before Vincent brought his talents to BlueVoyant, he spent a number of years with the FBI, seven of these on the team dedicated to dealing with traditional organized crime. While the connection isn’t obvious between that world and the world of cybercrime, someone with Vincent’s experience has context most of us lack—and this was just one of the things we spoke about during our conversation.

Traditional Organized Crime

Whatever country a traditional organized crime syndicate is in, they are involved in for-profit illegal activity. Vincent notes that many of these activities are in sectors the government does not regulate—and those organizations also deal in corruption to make sure the status quo stays in place. These organizations may also practice:

  • Physical violence

  • Extortion

  • Blackmail

  • Early adoption (using the latest technology to their benefit)

  • A particular code of rules, both implicit and explicit

Cybercrime Syndicate Similarities

While you can’t commit physical violence on the Internet, cybercriminals can and do commit economic and financial violence against businesses and organizations.

They use ransomware, powered by the latest technologies, as a tool of extortion along with threats of data breaches as blackmail to add pressure to ransomware.

Cybercriminals also operate by a specific set of rules, which includes how they get paid (usually in a difficult-to-trace blockchain-based currency) and how long they give victims to pay.

Cybercrime Syndicates as Tech Startups

The twist many might not expect is that, in addition to emulating the structures of traditional criminal organizations, they also follow some of the best practices of rapidly growing tech startups.

Tech startups need to:

  • Fundraise — cybercrime syndicates do this through their criminal activities, which can include speculating in and meddling in traditional and cryptocurrency markets.

  • Hire well — cybercrime organizations have “job postings” out on the dark web which follow a traditional process of reviewing CVs and interviewing candidates.

  • Know their customer — cybercriminals research specific niches and sectors in order to find out which organizations are most vulnerable and what they can pay in the case of a ransomware event.

  • Have a strong brand — employer branding can help with hiring in the legitimate business world; it also helps in the criminal one. A strong brand also puts victims on notice that they are dealing with serious threat actors, not just one hacker in a basement somewhere.

  • Deal with shifts in world events — because Ukraine and Russia have been bases for some of these organizations, the recent war and resulting sanctions have made it more challenging for cybercriminal syndicates to operate.

  • Schedule product launches — cybercriminals tend to pick vulnerable days (Fridays) or holidays (Christmas) to trap victims in particularly stressful and vulnerable situations.

  • Use social media well — cybercriminals can use bots on social media networks, which push out deep fake content to create pressure around their goals.

  • Use the latest technology — cybercriminals often use military-grade tools and packages to overwhelm their victims, triggering a surrender reflex that’s the mirror of the “buy” reflex when a traditional consumer sees dazzling technology.


During the interview, Vincent frequently referred to Conti.

For those unfamiliar with it, Conti is ransomware focused on Microsoft Windows that has been observed since roughly 2020 and is believed to be distributed by a Russian-based group. The US government offered a $10M reward for information on the group in May 2022.

They use a website to leak documents copied by the ransomware. The technology and its implementation were shrouded in mystery until recently.

In a twist of poetic justice, the Conti Group (as it’s known) was subject to its own leak of 60,000 messages recently. This was done by an anonymous subcontractor of the group who was opposed to Conti’s unconditional support of Russia and its threat to launch cyberattacks against anyone who launched cyberattacks against the country.

The leak included source code as well as indications of who inside the Russian government may have been passing information to the Conti Group. Governments that are already sanctioned in some ways turn a blind eye towards threat actors in their territory, usually content to simply take a sort of “tax” on their activities.

Vincent thinks that this event will lead Conti to do something else that tech startups sometimes do: rebrand. Once an organization has been uncovered in any way, its power is weakened.

A Big Difference

While Vincent noted many similarities between traditional crime and cybercrime, there is one big difference: scale. Because of the Internet, and because of the medium of software, cybercriminals can commit hundreds or thousands of times the number of crimes that traditional criminals, constrained by such ‘old-fashioned’ restraints as time and space, can.

With that scale in mind, Vincent warns listeners that just as there are many businesses that serve a particular niche, cybercrime is its own growth industry—the “profit” involved attracts even those who would not consider themselves “criminals.” He adds that, over time, there will be organizations covering every niche, including small accounting firms in the middle of the USA, for example. It’s important for businesses to move to protect their assets now instead of waiting for these cybercriminals to build up their infrastructure.


Understanding Ransomware Response


We recently had the opportunity to interview Devon Ackerman, Practice Lead & Head of DFIR Services for North America at Kroll. Before he was at Kroll, Devon worked with the FBI as a supervisory special agent, coordinating both domestic and international digital forensic investigations.

Devon described two case studies that offer helpful insights into the state of cyber attacks and their threat actors.

Detective Story

Some years ago, a law firm approached Kroll with an unusual case. A client was losing business every single month: long-established suppliers were just ending their contracts. They suspected that a recently-departed employee was providing information to a competitor that was taking the business. But there wasn’t any proof. This was where Devon and his team came in.

An Atypical Case

In a traditional digital forensics or incident response investigation, you’re looking at logs or a computer server or a firewall, trying to put together a timeline of how something occurred. That’s what Devon and his team asked for at first. What did they find?

  • A wiped computer (a full secure overwrite of the data had been done)

  • A factory-reset phone

  • Two factory-reset iPads

  • No networking logs, as the client simply designed and made a particular type of item for resale

With nothing coming from the technology side, Devon sent a former law enforcement officer to sit where the employee sat, look around, and see if anything was missing. As he examined the space more closely, it was clear that a large storage device had probably been there and was now gone (the cables left behind were a telltale sign).

The investigator also noted that there was a server in the office, which had the entire customer database and all the order information for the company. Knowing what a goldmine of information this would be for a competitor, the team started looking at the logs and found a folder structure that had been created about a month before the employee left. That folder had an entire backup of the customer database as well as a database dump of the email software, going back eight years. These digital fingerprints were like a note in an empty file cabinet: “I copied these files on this date.”

The narrative was coming together; a large amount of important company data was copied. Where was it copied to?

Devon and his team found security footage of people entering and exiting the building. After reviewing 60 days of footage around the time of the employee’s resignation, they found a day that he entered with a backpack (which he never usually did). When he left at the end of the day, the backpack’s shape was significantly different. It must have contained the digital storage for the files and, sure enough, the employee had made the mistake of purchasing the storage with a company card two months before he left the company.

Another piece of the digital narrative was an email rule that had been disabled but not deleted. This rule captured a copy of every incoming email to the president and CFO of the company and routed it to an external, non-business domain.

Finally, to add real-world correlation to these digital findings, Kroll sent a PI to surveil the ex-employee and saw him driving to the office building of a competitor. One day he even came out of the building with a swag bag that had the competitor’s logo on it, confirming that he had stopped by that office.

All these digital and real-world findings didn’t necessarily constitute a smoking gun, but they provided a documented narrative that allowed the law firm to successfully sue the ex-employee on behalf of the client.

This approach works in the civil space, where you don’t have to prove something beyond a reasonable doubt. But it also helps law enforcement authorities in the criminal space. By putting together a dossier, companies like Kroll can help get the ball rolling on an investigation that might not otherwise happen. The FBI handles over 700,000 cases a year, so the ones that have a head start in the form of such a dossier have the best chance of being solved.

Life and Death

While we’ve seen ransomware take down infrastructure and make life troublesome or inconvenient, we may not have heard of life-and-death situations. The second case that Devon shared with us was of a hospital that had a ransomware attack.

The ransomware affected every part of the hospital’s software; they couldn’t take in new patients, which meant that people coming to the emergency room in ambulances were being turned away.

When you’re dealing with ransomware cases, there’s always a time element at play. The threat actor is trying to force a decision on a limited time scale and the victim is trying to buy more time to restore the environment and potentially avoid paying. When you add an additional stressor like emergency patients being turned away, the situation can be really hard to manage.

In this case, Devon used a triage technique, just as emergency rooms do. He focused on what needed to get up and running first. Using a team working around the clock in shifts, they found the original intrusion point and patched the system going forward. Then they had to make sure that the threat actor was flushed out of all the systems. This was challenging as there had been secondary detonations of the ransomware across terminals where employees logged in, so they had to be told not to log in until the problem was solved.

The additional challenge was making sure that protected and private patient information was preserved, not just for the patients but for evidentiary reasons. Devon and his team had to devise a plan that preserved the evidence but at the same time would get the systems up and running again. This included making a decision to overwrite some non-business-critical systems to get certain machines up and running.

Thanks to Devon and his team’s calmness in the face of considerable stress, the hospital was able to start serving patients again faster than if it had tried to handle it on its own.


Preparing an Organization for Cyber Attacks


As more and more people realize that cyberattacks don’t just happen to ‘others’ but are likely to happen to their organizations, it should be clear that simple awareness of these events is not sufficient: you have to prepare for when, not if, these events happen. We recently had the chance to sit down with Stu Panensky, Partner at FisherBroyles, LLP. Stu and his team have dealt with over 100 ransomware attacks in a counseling role and have a lot of wisdom to share about the current state of cyberattacks and what organizations can and should do to prepare for them.

Incident Response Plan

One of the key issues we covered in the discussion was the importance of an Incident Response Plan. This is a set of instructions or procedures to detect, respond to, and limit the consequences of a cyberattack against an organization’s information systems.


You want to have this plan put together (and written down) for three reasons:


  1. You don’t want to have to figure out what to do and who to call while the event is happening—you need to account for the fact that it’s very hard to make rational decisions in disaster scenarios.
  2. You want to have a written document to reference in case computers are encrypted and you can’t use them to access the plan—there should be multiple copies of this printed plan with multiple people to avoid a single point of failure.
  3. You want to have gamed out scenarios, such that there’s a step-by-step checklist you can follow to help the organization respond quickly and calmly—this should include conditions in which the organization can stay ‘open’ and move to non-digital tools to carry on business, and other conditions in which such actions are not tenable.

Communication Matters

Generally, in a ransomware situation, threat actors are trying to shorten the timeline. They put pressure on for a decision to be made quickly, but Stu and his team counsel victims to press for more time. This, firstly, allows for the environment to be secured, and secondly, gives time to see if there are alternatives to getting back up and running without relying on a decrypting tool from the threat actor.


The reason you will often need time to secure the environment is the complexity of given networks and interlocking programs, including on-premise servers vs. cloud servers, etc. It’s no good negotiating if the environment is still vulnerable to new attacks.


Tactics that the threat actor can use to create pressure include:


  • sending emails to your help desk to keep it busy all day long
  • accessing a customer list and sending emails to those customers telling them, “Did you know we’ve attacked this company you do business with?”
  • threatening to make the data breach public, creating a public relations problem

Christmas Miracle

Stu told us a “Christmas miracle” story, in which threat actors had attacked a school district right before Christmas vacation. Stu and his team spent a lot of time early in the process communicating with the threat actor. They explained the difficulty for a large bureaucratic organization like a school district to get ransom money at this time of year, with faculty, staff, and students getting ready to go on Christmas vacation.


Stu credits this transparency, along with playing on the particular time of year, for a once-in-a-lifetime resolution in which the threat actor handed over the decryption key with the note to “make sure the kids get taught about cybersecurity.”


While Stu says that this is not an outcome most people should expect, he believes that part of how it happened was because he and his team had been highly communicative from the start, and that’s a best practice to implement.

Audit Your Vendors and Contracts

While many organizations understandably outsource their data security to a third party, they aren’t always clear what the conditions are regarding a cyberattack. Go over your contracts with third-party IT providers and find out what your agreement says about cyberattacks and what the provider’s obligations are. You can go further than this and ask what measures they have in place to audit their own systems so that they are prepared for every sort of attack.


Be aware that you may have responsibilities as well. Stu shared with us an engagement letter between a client and a retailer that contained a security provision: in the case of a cyberattack, including but not limited to ransomware, the retailer was to be notified immediately. If you have engagements with a provision such as this, you need to add it to your incident response plan: “Contact X per their security provision.”

Cyber Insurance

Another way to outsource risk is to get cyber insurance; Stu says that this is the best form of security. While we agree, of course, he also noted one particularly underutilized aspect of cyber insurance: crisis communications. This is coverage that enables a client’s marketing or internal public relations team to hire a firm to guide them through media statements, social media strategies, social media monitoring, etc. to help get ahead on messaging. This is important not only for internal stakeholders like employees and investors but also for all those who are watching the event happen and may have some tie to the situation.


Stu underlined that there was not a single one of his small or mid-sized clients that did not benefit from having cyber insurance.

No One Is Immune

As we said at the beginning, it’s not a question of ‘if’ but ‘when’ a cyberattack will happen to an organization you are involved with. It’s not just because of the large number of threat actors out there; it’s also because every organization has something of value that some criminal can chase. Those items of value need to be safeguarded thoughtfully and intentionally now, before a crisis happens.



Understanding the Business of Cybercrime


Small business owners may think of cyber criminals as freelance or small group threat actors, but plenty of those criminals work within sophisticated organizations that function like legitimate businesses. Someone who has observed these criminals at work is Mark Lance, Senior Director of Cyber Defense at GuidePoint Security. We recently had the chance to speak with Mark on The Cyber Crime Lab Podcast and want to share a few of his insights to help small business owners realize before it’s too late that everyone is at risk.

While Mark has been in information security for 22 years, he’s been in incident response for the last 12 and has seen many different situations. One he recently came across involved a celebrity who suffered a business email compromise.

Business Email Compromise

This type of threat is one of the more common ones that Mark and his team see. In this particular case, someone had managed to get into the celebrity’s email and had, through email chains, successfully impersonated the celebrity and had begun a bank transfer of $2.5M.

Inbox Rules

How can you compromise someone’s email box without them knowing you’re in there? One way, it turns out, is to use a feature that most email services use to help you organize your inbox: rules. The threat actor gained access to the celebrity’s account and looked for any emails that related to transactions, accounting, bank accounts, etc. They then made rules to ensure that any replies to these emails went into the trash, where they could continue to work and draft replies but the celebrity would be blind to the fact that something malicious was happening (people don’t usually check their rules or trash).

Because the threat actor had access to all the previous emails and interactions, they had all the context they needed to sound authentic in new exchanges and to make what seemed to be an innocuous request for more funds. In this case, it was innocuous enough that it wasn’t noticed until the celebrity and the celebrity’s manager started to get notifications of a pending money transfer, and Mark and his team were able to discover the trail and get it stopped in time.
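Both rule patterns described in these interviews (money-themed replies diverted to the trash in the case above, and the disabled-but-not-deleted rule forwarding executives’ mail to an outside domain in the Kroll case) can be audited mechanically. The following is an added example, not code from GuidePoint, Kroll, or the interviewees; the `InboxRule` structure, keyword and folder lists, internal domain and sample rules are all constructed assumptions rather than any mail provider’s API.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional

# Words a BEC actor typically matches on to intercept money-related threads
# (constructed list; tune it to the organisation's own vocabulary).
FINANCIAL_KEYWORDS = ("invoice", "wire", "transfer", "payment", "bank",
                      "accounting", "transaction", "remittance")

# Folders a user rarely opens; moving mail here is the "hide it in the trash" trick.
HIDING_FOLDERS = ("deleted items", "trash", "junk email", "junk", "rss feeds",
                  "conversation history", "archive")


@dataclass
class InboxRule:
    """Simplified model of a mailbox rule (an assumption, not any vendor's schema)."""
    name: str
    enabled: bool
    subject_contains: List[str] = field(default_factory=list)
    body_contains: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    delete_message: bool = False
    mark_as_read: bool = False
    forward_to: List[str] = field(default_factory=list)


@dataclass
class Finding:
    rule_name: str
    reasons: List[str]


def _mentions_money(rule: InboxRule) -> bool:
    """True when any condition text contains a financial keyword."""
    text = " ".join(rule.subject_contains + rule.body_contains).lower()
    return any(keyword in text for keyword in FINANCIAL_KEYWORDS)


def _hides_mail(rule: InboxRule) -> Optional[str]:
    """Describe how the rule hides matching mail from the owner, or None."""
    if rule.delete_message:
        return "deletes matching mail"
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        return f"moves matching mail to '{rule.move_to_folder}'"
    return None


def _external_targets(rule: InboxRule, internal_domains: List[str]) -> List[str]:
    """Forward/redirect addresses whose domain is not one of ours."""
    internal = {d.lower() for d in internal_domains}
    return [addr for addr in rule.forward_to
            if addr.rsplit("@", 1)[-1].lower() not in internal]


def audit_rules(rules: List[InboxRule], internal_domains: List[str]) -> List[Finding]:
    """Return one Finding per rule that shows BEC-style hiding or exfiltration.

    Disabled rules are examined too: a rule that is switched off but still
    present can be re-enabled by the actor at any time.
    """
    findings: List[Finding] = []
    for rule in rules:
        reasons: List[str] = []
        hide = _hides_mail(rule)
        if hide and _mentions_money(rule):
            reasons.append(f"{hide} for money-related conditions")
            if rule.mark_as_read:
                reasons.append("marks mail read before hiding it (no unread badge)")
        external = _external_targets(rule, internal_domains)
        if external:
            reasons.append("forwards to external address(es): " + ", ".join(external))
        if reasons and not rule.enabled:
            reasons.append("rule is disabled but not deleted; it can be re-enabled silently")
        if reasons:
            findings.append(Finding(rule.name, reasons))
    return findings


# Constructed sample data: the first two rules mirror the patterns from the interviews.
INTERNAL_DOMAINS = ["example-company.test"]
SAMPLE_RULES = [
    InboxRule(name="Invoices", enabled=True,
              subject_contains=["invoice", "wire transfer"],
              move_to_folder="Deleted Items", mark_as_read=True),
    InboxRule(name="Exec copy", enabled=False,
              subject_contains=["RE:"],
              forward_to=["archive@external-mail.example"]),
    InboxRule(name="Newsletters", enabled=True,
              subject_contains=["newsletter"], move_to_folder="Newsletters"),
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(finding.rule_name)
        for reason in finding.reasons:
            print("  -", reason)
```

Run against a real mailbox, the rule list would come from the mail platform’s rule export; the logic flags “Invoices” and “Exec copy” here and leaves the legitimate “Newsletters” rule alone.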

Part of the success of this particular threat actor was simply tapping into cultural and technical norms; people have become used to dealing with financial requests by email, without requiring voice or video confirmation, and that norm was almost successfully exploited in this instance.


Another form of fraud that continues to be successful, despite greater personal and professional awareness of the practice among the public, is phishing. The practice has become more sophisticated, of course. You’re no longer being asked to click on a ridiculous link that bears no resemblance to anything you might be used to. And if you are unfortunate enough to click on it, you won’t be brought to a bad counterfeit of a website you frequently see but to an exact replica, set up to capture a user name and password.

If people are expecting the same old phishing techniques and aren’t prepared for the increased sophistication of the approach, they may get hooked by one of these threat actors.

Who Are the Threat Actors?

While there are nation-state-sponsored threat actors, motivated by access to state secrets and weapons blueprints, and hacktivists looking to bring awareness to their causes, the majority of threat actors are simply criminals, after money or IP addresses that can be sold for money.

These criminals can be further divided into freelancers or small collectives and large organizations that operate just like legitimate corporations. They tend to go after certain verticals or certain-sized companies. They also appreciate the value of niching!

Criminal IT Support

At times, Mark and his team have managed to find a threat actor who has access to an environment and have taken steps to close doors of access. They’ve then watched in real-time as that closed door is attacked again and escalated through various levels of troubleshooting, just as you would expect when dealing with IT support in a legitimate business.

One time a threat actor realized they were caught and started putting in user names they knew would be logged, such as, “We know you are watching us” and “We’re going to get back in.” They won’t give up easily, even when they know they have been caught in the system.

Hire the Best

Criminal IT support doesn’t come from out of the blue. Often it comes from the dark web, where criminal organizations put out job requests, just like you might see on LinkedIn or Indeed, with the same types of interview patterns. At every level, these criminal organizations are operating as if they are legitimate businesses, partly because it means that potential employees don’t have to veer too far off a societal script to be drawn into a criminal scheme.

What To Do?

One of Mark’s strongest messages is that no organization should consider itself immune from attack. From a mom-and-pop-pizza shop to a Fortune 500 organization, there are targets for every type of criminal and every size of criminal organization.

Apart from basic user awareness training, a key best practice is implementing multi-factor authentication (MFA), which is a major hindrance to many threat actors.

With awareness and security practices in place, organizations can be better prepared for the many threat actors looking for open security doors they can exploit.


Tracing the Digital Fingerprints of a Threat Actor


If you’ve got a robust security system in place and have a team member that has over 15 years of cybersecurity experience, you might feel like you’ve done enough to be safe. Unfortunately, for at least one business, that wasn’t enough.

We recently had a chance to chat with Luke Emrich, Director of Incident Response at Tetra Defense. He investigated the above case and shared what he learned as well as some tips for how organizations can better prepare for attacks.

Tetra Defense

Tetra helps businesses deal with ransomware attacks, business email compromises, IP theft investigations, and other incidents that need response and investigation. They help businesses improve their cybersecurity posture in accordance with the latest threats (and the latest solutions).

As one of Tetra’s case leads, Luke will be one of the first people that a client will speak to when an incident occurs. Together they will work through a game plan and strategy for how to investigate the event, and more importantly, how to recover and how to get the business up and running.

The Attack

It was a Saturday night when it became obvious that something was wrong at a medium-sized SaaS company. The 15-year cybersecurity expert we alluded to in the introduction had taken copious notes from a security engineer late in the afternoon. Server shutdown alerts were coming in one after another, and it became clear pretty early on that three separate attacks were happening simultaneously. So this wasn’t one burglar getting into one house; it was a simultaneous attack on three different houses in a neighborhood.

Find the Source

As Luke and Tetra started looking at the situation, they began with the high-value systems that the threat actor may have used as part of the attack. In this case, the threat actor used a tool called Cobalt Strike.

Cobalt Strike

Cobalt Strike is a tool that is often used by the US government and large businesses to emulate the tactics and techniques of a threat actor. In one exercise, one group of “hackers” will use Cobalt Strike to deploy a payload that creates a connection to a server. In the case we’re discussing, the threat actor used Cobalt Strike to deploy ransomware. This allowed the threat actor to go from controlling one computer to five, then ten, and so on exponentially.

Planning and Preparation

Because the company had plans in place for situations like this one, Luke and his team were able to move pretty quickly to try to look at the logs, which the threat actor had been clearing. But because the company had a very granular backup program as part of their planning for attacks, Luke and his team were able to find out when the system was compromised.

Not Just Malware

Luke is quick to point out that ransomware these days is not someone clicking on a bad link that downloads malware. Threat actors these days are likely to have done a lot of reconnaissance and know user names, passwords, and locations of key systems.

That’s why it’s important to figure out where the threat actor got in, so you can put protection in place to prevent it from happening again, but then can also restore systems from before that entry. If there aren’t backup protocols in place, restoration won’t be a matter of hours or days, but weeks or months.

Finding the Source

Luke and his team were initially focused on the corporate domain, because that’s where the most important and sensitive data was. But there was a separate domain that had a legacy environment and protocols on it. Even though the threat actor had been clearing the security logs, after a bit of digging Luke and the team were able to see that there had been a Bloodhound detection.


Bloodhound is an open source project that was released in 2016. It was originally designed for offense: it looks at your setup to determine how big the attack path problem is for your business. You can think of it as a hammer that you can use to hammer nails to help build doors of security. But hammers can also be used to break down doors, and that’s what the threat actor was doing in this case: using Bloodhound to find weaknesses and the fastest paths to gain what they desired.

The use of Bloodhound in this particular case led the team to realize that local administrative credentials were being used (remember the legacy environment we mentioned). Those credentials should have been changed when a new computer system was provisioned, but on the antivirus server that bridged the different domains (legacy vs. current) the credentials had not been changed. When they followed this path they found that not all the logs at that level had been cleared, which allowed the team to trace back to the original entry point.

Six Days Later

Luke had the initial call with the client on Saturday, but it wasn’t until the following Saturday that Tetra was able to come back with answers as to how the threat actor got in, when they got in, and how the company could use their backups to get back up and running. That meant there were six days of hard teamwork (often around the clock) running down leads and trying to follow clues.

Be Prepared

While a week seems like a long time, Luke emphasizes that this was actually a short time to restoration because the company had been prepared and followed a predetermined recovery plan. Some of that preparation includes:

  • Having a robust security program
  • Developing an incident response plan which includes how to act and when
  • Incorporating vulnerability management and patching
  • Ensuring ongoing monitoring of systems (this could be a security operation center or a product that’s watching for anomalous activity in your systems and potentially implementing containment steps if an event develops)

Thanks to the work of Luke and his team, the threat actors didn’t get a dime of the $800,000 in Bitcoin they wanted, and more importantly, this vulnerability was shared with Tetra’s clients to make sure that something similar didn’t happen to them as well.
