[Webcast Transcript] Ransomware, Incident Response, and Cyber Discovery: History, Solutions, and AI Workflows

Editor’s Note: On August 11, 2021, HaystackID shared an educational webcast designed to inform and update cybersecurity, information governance, and eDiscovery professionals on how organizations can prepare, address, and respond to cyber-related incidents. 

While the full recorded presentation is available for on-demand viewing, provided for your convenience is a transcript of the presentation as well as a copy (PDF) of the presentation slides.

In this presentation, experts in the areas of cybersecurity incident response, cyber discovery, and privacy shared how organizations can prepare, address, and respond to cyber-related incidents. From ransomware remediation to incident response, the presentation highlighted cutting-edge data discovery technologies and proven document review services to support the detection, identification, review, and notification processes required by law after sensitive data-related breaches and disclosure.

Webcast Highlights

+ It’s Only A Matter of Time: Security Incident Statistics & The History of Ransomware
+ The First 48: Electronic Security Incident Detection & Classification
+ Effective IR Plan Design: Simplicity, Scalability & Beyond the Technical Details
+ Post-Breach Discovery: Workstream Overview, Use of AI & Impact Assessment Reporting
+ HaystackID ReviewRight Protect: Post-Breach Review & Extraction Workflow

Presenting Experts

+ Michael Sarlo: Michael is the Chief Innovation Officer and President of Global Investigation and Cyber Discovery Services for HaystackID.

+ Mary Mack: Mary is the CEO and Chief Legal Officer of the Electronic Discovery Reference Model.

+ John Brewer: As Chief Data Scientist, John serves as the Head of Advanced Technology Services for HaystackID.

+ John Wilson: As CISO and President of Forensics at HaystackID, John is a certified forensic examiner, licensed private investigator, and IT veteran with more than two decades of experience.

+ Jenny Hamilton: As the Deputy General Counsel for Global Discovery and Privacy at HaystackID, Jenny is the former head of John Deere’s Global Evidence Team.

Presentation Transcript


Hello, and I hope you’re having a great week. My name is Rob Robinson, and on behalf of the entire team at HaystackID I’d like to thank you for attending today’s presentation and discussion titled “From Ransomware to Cyber Discovery: History, Solutions, and AI Workflows”. Today’s webcast is part of HaystackID’s monthly series of educational presentations on the BrightTALK network, and designed to help cybersecurity, information governance, and eDiscovery professionals as they face cybersecurity and cyber discovery challenges. Today’s webcast is being recorded for future viewing on the BrightTALK network and from the HaystackID website.

HaystackID is also excited today to highlight our support in partnership with the Electronic Discovery Reference Model. The EDRM, led by CEO and Chief Legal Officer Mary Mack, creates practical resources to improve eDiscovery, privacy, security, and information governance, and since 2005, the EDRM has delivered leadership standards, tools, guides, and test data sets to strengthen best practices worldwide. Currently, the EDRM has an international presence in more than 113 countries spanning six continents, and they’re continuing to grow, and we’re also grateful today to have Mary Mack as a speaker today. Mary is the author of “The Process of Elimination: The Practical Guide to Electronic Discovery”, which is considered by many to be the first popular book on eDiscovery, and she received her Juris Doctor from Northwestern University Pritzker School of Law, and she also holds the CISSP, or Certified Information Systems Security Professional, credential. Welcome, Mary.

Mary Mack

Thank you, Rob.

Rob Robinson

We’re definitely glad we’re able to have you share today. HaystackID’s also excited to be able to highlight our partnership with the Association of Certified eDiscovery Specialists, better known as ACEDS, and ACEDS provides training, certification, professional development courses in eDiscovery and related disciplines, and we’re delighted to partner with them on efforts such as today’s webcast. In addition to Miss Mary Mack, today has some expert presenters who are considered some of the foremost subject matter experts in areas ranging from cybersecurity incident response to cyber discovery. Mary, would you do the honor of introducing our experts today?

Mary Mack

I would be most pleased to, Rob. We’re so happy at EDRM to be partnering with HaystackID and sharing on such a timely topic. So, first up is Michael Sarlo. He is the Chief Innovation Officer, President of Global Investigations and Cyber Discovery Services for HaystackID, and of course he facilitates operations for all things digital forensics and litigation strategy both in the United States and around the world. And then next that is me. You know who I am. And next one up is John Brewer, who is Chief Data Scientist, and I have to say I absolutely love that data scientists are getting involved in cyber discovery. It is just a wonderful thing and the education around that for our greater community. John serves as the Head of Advanced Technology Services for HaystackID and he has worked for dozens of Fortune 500 firms in roles ranging from eDiscovery to data migration to information stewardship, so has a very wide surface to address these issues. And we also have our friend John Wilson. He’s the CISO and President of Forensics for HaystackID, and besides doing all the technology, the forensics and the electronic discovery, he is also an expert witness, and that’s a rare thing in our industry, and we’re very, very happy to have John on the presentation. And then we have Jennifer Hamilton, who I first met in her gig at John Deere, where I can’t believe it was 14 years, shaping the development of that and leading that eDiscovery operations team over there as head of their global evidence team over at John Deere, and she is the Deputy General Counsel for Global Discovery and Privacy for HaystackID.

And with that, we have quite an agenda for you and I will turn it over to Mike to lead us through our discussion.

Core Presentation

Michael Sarlo

Thanks so much, Mary, Rob, and thank you everybody for joining today. We hope this is an informative presentation. We’ll be taking questions. Please pepper as many as you would like. We’ll try to get to all of them. Today’s presentation at a high level is on ransomware, you and me and eDiscovery and the intersections, and we’re going to really talk about some stats. I think it’s important for everybody to be aware of how we got to where we are, as far as the ransom ecosystem. We’re going to talk more about the first 48 hours, so to speak, in the event of a compromise, any type of security incident and best practices there. We’re going to kick it off to Jenny to really dig into a more high-level effective incident response plan design, and really moving beyond some of the technical details, especially where eDiscovery practitioners may find themselves engaged that may not have the typical incident response skill set when we think about the cyber incident, and we’re going to learn today that there’s a lot more that goes on than simply sealing a breach.

We’re going to talk about what is post-breach discovery. What does it mean? How do we use AI? How does that impact privacy workflows we’ve all been dealing with for many years now? And then end talking about HaystackID’s ReviewRight Protect offering and our approach to human review and data mining and how we gain synergies leveraging new types of AI in that domain.

So, first and foremost, we have seen a massive explosion, really since 2010, in cybercrime and cyberwarfare, and I think it’s a really important distinction, especially with the way that insurance markets, which tend to dominate the way that we deal with breaches, the technology we’re able to use, the response to them, the payments, and just the approach and overall flow of the whole cyber incident response paradigm and all the players that are involved, and there’s many of them. We’ve seen a pretty large explosion of incidents, and a lot of identities compromised, some really large breaches in 2017/2018. This stat here is fresh as of 2021 and provides a pretty accurate look back on reported breaches, and that’s really something to be aware of as many organizations may get breached, may have a ransom event, may have data exfiltrated, may not have a regulatory requirement to report that breach, depending on what type of customer data was accessed. We’ve seen cases where very large organizations should have reported an incident and did not and they suffered the consequences from a civil litigation standpoint. So, we see that most organizations, medium and large, tend not to go that direction anymore, although reputational issues, brand management, customer issues, may lead some organizations to work to construct an event where perhaps they don’t feel they need to report it.

So, these numbers are actually very low, is the short and sweet of it. There’s a lot more going on day-to-day, especially in the government sphere. We get sometimes thousands of mini breaches happening on a monthly basis, as far as our infrastructure and our government agencies are concerned, and there’s more reporting metrics that are coming to light there as well, and that disconnect between this number here and what can be tens of thousands on the government side should give you a sense that this is highly underreported. That said, in 2020 alone, we had about 300 million folks’ PHI, PII, sensitive data compromised. That was a lot of letters asking you and me to sign up for free credit monitoring, for sure, that went out.

John Wilson

Yes, and well, Mike, I just want to add one of the things when you’re looking at the stats, you see that spike number back in 2017, but you also have to realize that the attackers have gotten much more adept at being very targeted in what they’re doing. So, they’re getting a very rich data set, and not just – it used to be just grab the world, whatever we can get our hands on, we grab it. Now, they’re being very focused, very targeted and very intentional about what data they’re grabbing or what information is being compromised. So, while the numbers are a little lower than they were back three, four years ago, the damage is substantially higher.

Michael Sarlo

That’s correct, and we’ll talk about the evolution of where we are as far as what the world and the cyber side calls more the game hunting tactics.

So, average cost of a breach, we work on all different sizes and scales of matter, some are very transactional and managed, some are super high touch. The global average cost was about $3.86 million. Here in the US higher, about 8.64 as of 2020, and that doesn’t necessarily account for some of the tangential revenue loss, as well, that occurs in the event of a large scale breach. A lot of this is related to post-legal spend workflows, just like when we think about the old saying, eDiscovery, where maybe the first 15% of the budget is the data lake collection, maybe it’s down to 10% now, maybe the other 15% is related to eDiscovery processing and hosting, used to be probably about 25, pricing has come down, and everything else was related to document review and motion practice. You can think about the same paradigm of spend and budgeting insomuch as sealing the breach, dealing with the defensive recommendations and the forensics work as far as tracking and understanding different types of indicators of compromise. We’ll hear that word IOCs. It probably was more about 30% of the spend here, the rest is all aimed at identifying PII, responding to different regulators, and really very much of a legal workstream and oftentimes a technology enabled workstream as well.

And to give you a sense, when you saved that Excel to your local desktop, or on a network share that maybe has some information you shouldn’t, the average cost of a stolen record here in the US is about $146, down about $1.58, and healthcare companies tend to get hit very hard, and there’s a lot of personal data, there’s a lot of systems involved, and their obligations usually meet a higher bar, and generally speaking, the OCR has different qualifiers as far as who needs to be notified in the event of a data breach. Typically speaking for most companies that aren’t healthcare oriented, that aren’t providing care, managing health data, having some type of identifiable PII, your social and your name, or a two-phase approach would trigger a notification, your name alone would not trigger a notification, and for healthcare matters, that’s changed as of recently. Just having your name appear in the data set would create a burden for the organization to notify you.

Average cost of sending a notification letter is about a buck end-to-end, just to send that letter. It’s higher if credit monitoring services are offered, and it’s really about under 10% of those who receive a letter, if not lower, who actually might sign up for credit monitoring. So, something just to be aware of. A lot of these facts and stats are focused on blended rates, but I get a lot of questions involving that sometimes, and from just asset testing with folks, that’s generally where we typically end up.

So, I’m going to kick it off to John Wilson just to talk about ransomware, how they work, and actually what we’re seeing in general outside of ransomware, how a ransom might get into an enterprise, and/or just how an enterprise may be compromised in general via a number of different vectors.

John Wilson

Thanks, Mike. So, ransomware is essentially, you can think of it as a virus or a malicious program that gets executed on your computer, and they can get there in many different ways. The key difference with ransomware versus other virus or malicious program activity is that most ransomware attempts to encrypt your data and put it into an encrypted bucket so that you no longer have access to your data, and the original ransomware models were very much just that it would just say, hey, I’ve now encrypted all the data on your computer, and you’ve got to pay me a ransom to get back into your data, whatever that data is. And those ransomware attacks do take many forms, they can come through phishing attacks, they can come through many different avenues, whether somebody gets a file onto your system that triggers a ransomware, or somebody clicks a phishing email in the organization that then installs something and starts taking over the machine.

The interesting evolution of this ransomware world is that they’re no longer interested in just encrypting your data. Now, they’re creating urgency, they’re creating pressure on the owners and individuals, because they’re saying, hey, we’ve got all your corporate data, we’ve now encrypted it, and we’ve also transmitted it, we’ve downloaded it, and we’re going to share it to the public, if you don’t pay us the ransom within seven days, or within 10 days, or within 30 days, whatever it is, depending on the particular ransomware attack. They’re getting much more focused about it. They’re now starting to exfiltrate that data. They’re using that data as a threat. There was a recent case where a CEO of a major corporation was ransomwared, because on his device, when they ransomed it, they found photos and information that put him in a very compromising position, and would do significant public damage to the organization, and so that’s the kind of thing they’re starting to attack.

And then similarly, as we talked a little bit when you were looking at the stats, and we see that there’s a decline in reported ransom attacks, those ransom attacks are getting much more sophisticated. So, it’s not the old days of getting a phishing email with a bunch of terrible writing and sentences that don’t make sense, and a lot of typos. Microsoft announced yesterday that there’s almost an exact duplicate clone of a Microsoft message that comes from a spoofed address that looks like it’s coming from your internal IT systems, requiring you to put in some credential information, and it is very legit looking, and they’re much harder to detect now. You’ve got to be very cautious about what you click on in an email, and that’s just one example of the sophistication. The sophistication has actually moved also to where they’re no longer just, hey, I’m going to go put stuff out and see who I can get online, and who’s going to execute my phishing emails. They’re sending phishing emails to specific individuals that they want to get into those specific networks and those specific resources. They’re being significantly more targeted about it, and that’s creating significant challenges, because they’re going out, they’re leveraging that social media information, to really ensure that they have a good chance of executing their attack.

Michael Sarlo

And it’s been increasingly turned into a highly sophisticated business model for threat actors, and the way that they work together. They work in cartels, they’re criminal organizations with hierarchies, and org charts. There is an entire network of highly sophisticated, polished web-based tools that allow for collaboration between different actors with different skill sets in the ransom marketplace. Those who are hunting for vulnerabilities or hunting for targets may then collaborate with a platform that actually might deploy ransom with the touch of a button. There are then negotiators who are set up to negotiate and facilitate ransom payments. The first ransomware ever documented back in the ‘80s was the AIDS trojan, which was actually a floppy disk that you popped in and then it encrypted your computer and you had to send money to a PO box with about 200 bucks to try to restore that data. The advent and explosion of what we’re seeing here with ransom really correlates directly with the dawn and rise of Bitcoin. That’s the key element here, through being able to anonymize the collection of money to giving back somebody their files, and again, as John mentioned, just having backups isn’t enough. They will exfiltrate your data at the same time. Usually, actually, ahead of that, somebody will be in your network, you won’t notice it, they move data outside, and then they ransom you, and you’re basically caught in a position that even if you could restore the data, if you don’t pay that ransom, they’re going to basically data shame you. They’ll post it on public [E-zines], and they’ll leak it to the media, and all the customer data can go out, and it can be very bad.

Really important, and always a consideration when paying a ransom, is the concept of attribution, who is actually the attacker, and we, HaystackID, all the incident response companies, we all collaborate on what’s called attacker fingerprinting during any event to try to understand who’s actually behind the attack. There could be major repercussions if a ransom is paid to a state-sanctioned actor. OFAC comes in, they don’t like that, and a lot of these organizations rebrand. They disappear and rebrand once they get a big hit. The political climate on a global scale totally has an effect on the quantity of attacks that we see. It’s used as a warfare tactic to influence policy decisions on a global scale. We saw a massive uptick in ransom events over the past year. It seemed to somewhat correlate with negotiations going on about the Nord Stream 2 pipeline, and then now a decline. So, there’s other elements that go into some of these bigger events that we see, and the majority of the time, they probably are state actors that are allowing them to happen, or are facilitating them for these very large newsworthy attacks, but there’s a lot that just happen in typical criminal enterprises as well.

So, that’s the brief history of ransom, and it’s not going away. It’s getting more sophisticated, for sure, and there’s other methods that they’re moving to as well.

John Wilson

Yes, and just one last quick comment to throw in there is just in reference to the sophistication and the advancement of it. So, most people probably have already heard of the Kaseya attacks, and that was actually where an entire supply chain, they compromised software that was sold from a company that provided IT support services – from a company that provided software for IT support service companies, and then they went only to the corporate, the headquarters, and said, hey, we’ve compromised 700 of your customers, pay us X, or we’re going to blow up all your customers. And in addition to that, a couple of big players in the ransomware cyber world are now actually acting like venture capitalists to the rest of the ransomware world, saying, hey, you go out there, we’ll fund you, and if you can get some break-ins, we’ll take a split of the revenue, and that’s an entirely new model that just developed this year. So, the attacks are definitely getting significantly more advanced and frightening. Thanks.

Michael Sarlo

Thanks, John. So, we’re going to kick off to John Brewer, our Chief Data Scientist, also incident response extraordinaire and jack of all things IT, to talk about the first 48 here and how you should respond and think about any response to a security incident. Go ahead, John.

John Brewer

Thank you very much, Mike. So, yes, I’m talking about the first 48 hours after you discovered that you’ve been hit, but before I talk about that, I’m going to talk a little bit about signs that you are about to get hit. Now, these will change from month-to-month, so it’s important to stay up with recommendations from whoever your cybersecurity vendors are, but the things that are fairly consistent across the ages: partial MFA logins. As a civilization, we’ve gotten pretty good at deploying MFA to critical enterprise systems, and this gives us a very useful tool in our arsenal. If your IT staff or if your security team or your security operations center as a service group is seeing lots and lots of users who are logging in with the correct username and password, but they’re failing the MFA check, that’s a sign that at least one of your users, sometimes multiple of your users, may have been compromised and we have attackers who are just banging away at that, hoping that somebody is going to open up their phone, see the security challenge and just accept it. That’s something that we see more and more these days.

Brute force attacks, these are the same attacks that you’ve seen since the ‘90s, where a group, for whatever reason, thinks that they have an advantage in guessing the administrative password, they have some hint, they have some piece of intelligence that leads them to believe that if they go through a list of 100,000 or a million passwords, that one of those is going to work on whatever account or systems they are targeting. A sudden spike there means that somebody thinks it’s worth it to be throwing those resources at your system.

Phishing emails landing with strange domains, now this one is starting to get a little dated. As John Wilson was saying earlier, we are seeing a radical increase in the sophistication level of phishing emails that are hitting customers and victims of ransomware attacks. So, if you’re seeing phishing emails coming in from domains that are almost your organization’s domain, or almost your bank’s domain, for instance, having an I and an L flipped in the name, having an O replaced with a zero, those sorts of things, things that most users wouldn’t immediately pick up on. Anything that comes like that, especially from financial institutions, is an indication that somebody is actively hunting your organization.

Jump boxes spinning up. Now, this, again, is something that we’ve seen more in the past. Jump boxes are going out of style in IT, but they are definitely something that’s still out there in a lot of places. For anybody who doesn’t know, a jump box is a machine that is inside the secure area of the network, but has access to it from the outside. Usually, it’s only allowed to be connected to from a couple of different IP addresses, usually from the CIO’s home, or system administrator’s residence, or another office, but if one of those locations gets compromised, attackers will relay through that in order to use these backdoors through the firewall. If those start spinning up at times that you don’t expect them to, or they start sending lots of requests out to the network, that’s one of the signs that we’re about to get hit.

SMB, Kerberos, LDAP, basically, any time that your authentication or file sharing protocols get requests from unexpected places, the classic example here is if the perimeter router for your network suddenly starts asking for accounting files, it’s probably a sign that it’s not supposed to. Most organizations will have security measures in place for their most sensitive data so that it doesn’t immediately get taken out that way, but some don’t. And also, if that approach doesn’t work, again, these attacks are driven by humans, who will try other attacks, other venues, other vectors as they try to get into your system.

Broadcast traffic from Point-to-Site VPNs, this is something that we see a lot more since the pandemic sent everybody home and everybody’s connecting to their offices through VPN. If an attacker gets VPN credentials that can be used from anywhere, they will connect into your network, and usually one of the first signs that something has gone haywire is they’ll send out what’s called broadcast traffic, basically requests to the whole network saying, hey, what’s out there, what servers are up, what services are available? That’s rarely something that we see regular users do on the network. It’s worth raising an alarm if you see it.

And abrupt increases in non-HTTPS traffic from client machines. This is actually something that’s easier to do now, because almost everything these days in terms of applications that users actually interact with on a daily basis runs over HTTPS. Almost all applications that users are using on a day-to-day basis, run through a web browser, whether it’s Office talking to Microsoft servers via HTTPS over a web API, or whether it’s users logging into Dropbox, or [Toggle], or any other of a dozen different commonly used applications. Any time that we’re starting to see any information that’s not going over HTTPS out of the network, that’s often a sign that we have some sort of telemetry from malware that’s exfiltrating the network, whether it’s command and control, or whether it’s actually exfiltrating files and data from that system.

So, let’s talk about right after you’ve actually been hit. Now, when I talk about this, I’m talking about when you find out you’ve been hit. Most organizations will have been infiltrated for hours, days, sometimes even weeks or months, before they discover that they’ve had an intruder, and sometimes they don’t find out they’ve had an intruder until they get an email from the attacker with a ransom demand. Now, in those first 48 hours, there are a couple of priorities that we have here. We’re confirming that data has actually been accessed. Usually, right off the top, we don’t know how much data has gone out. Even if we have a statement from the attackers saying how much they have, that’s not necessarily the truth, and almost always, the people who find out this in the first place don’t know what their legal exposure or responsibilities are. This is not something that people just read up on in their spare time because they’re curious about it.

So, in terms of like the first couple of minutes after you’ve found out, whether you’re an executive, an IT professional, or just a regular user, the first step is do not wait. Whatever emergency line you have in progress, whatever your highest level of escalation in your IT organization or in your support organization is, use that number. Don’t be shy, because assuming that the leak is still active, locking down the system is the highest priority at that point. Wake people up if you have to, call people who are on vacation. I know it’s a faux pas from a social perspective, but it’s really important that if there is somebody available who can get your systems locked down and secured as quickly as possible, that person be reached out to.

Change passwords on whatever account may have been compromised, and don’t be shy about changing passwords in other places. As John Wilson was mentioning earlier, the operational impact to what’s happening might be the least of your problems.

Halting all systems that rotate or delete logs, this is something that usually gets forgotten by most organizations. There’s going to be an investigation, there are going to be questions, and if logs are getting rotated out, deleted or otherwise, passing into oblivion, that needs to be stopped immediately, because you may need to go back weeks or months in your log files in order to determine what the original point of ingress was, and if you don’t have those logs, one, it’s going to make your responsibility internally trying to find out what the ingress point was much harder, and two, it’s not going to look good later on.

And secure all backups and start moving to off-site backups. We frequently see – or start moving off-site backups back to the site, I should say. Again, from an operational perspective, if we have an encrypted system that’s actually been taken down, if this wasn’t just a damage egress, but actually production systems were stopped, you’re going to want to take your off-site backups back onto the site, so that you can get ready to restore from those. An awful lot of ransomware that we see out there in the market today has pretty long timers on it. So, if you’re running weekly backups, two weekly, even monthly backups, you could still have the malware in your system from those backups, and when you restore, you’ll just see it all encrypted again. Going and getting the oldest backups that you can, even if you need to do some hybrid restore, where you restore the system from one set and the data from another, that may be your best path forward.

OK, and now the five questions that we really need to answer in the aftermath of finding out that you’ve been hit. First off, who was exposed? Was customer data taken, employee data, vendor data? Other information that you’re responsible for, the classic case here is credit reports, but certainly, if we’re in a PHI situation, we could have in a doctor’s office patient information for patients who aren’t necessarily our customers or employees, but who we’re still responsible for and who obviously would have been compromised by the breach.

When did the attacker get in, and what time were they locked out? Again, this is going to be really important to put error bars on how much data they could have gotten out. Knowing how long they were in the system can help us figure out exactly how much data could have been transferred out in that time, and if we have data disposal policies, how far back they could have information that we currently consider to have been destroyed and deleted.

Was anything altered? Now usually, we don’t see alterations to data where people go in and change operational data. If we’re going to see information changed, it’s going to be like mass encryptions, as we’re familiar with ransomware, but also, it’s important to look at whether new accounts were created. This is especially common for targets that might be subject to repeated attacks, where the attackers go in, create a set of accounts for themselves, or reset passwords on existing and rarely used accounts, so that they can get back in after the restore to attack the site again.

Were permissions changed? This can be anything from adjusting it so that an inside person is able to get access to data that they shouldn’t, all the way up to setting a whole bunch of AWS buckets to publicly readable so that those can be read from the outside again, and the incident and the breach continues past the restore, past detection.

What did they have access to? Frequently, this is, again, something you can only put error bars on. What’s the best case scenario? Maybe they only had access to this one machine that we saw get encrypted. Now, what’s the worst case scenario? Which is, OK, we know that they had this level of credentials, and that level of credentials had access to the entire customer database or the entire production database. We don’t know if they knew that they had access to that, so maybe they didn’t read it, but that’s something we need to put in our worst case scenario.

And then finally, what did you do? This is something that, again, gets frequently overlooked, but document everything that you do in response to the attack, especially if you don’t have a written procedure in place. Just in the first hours and days afterwards, any good faith action to try to contain the damage and try to protect the data, even if that subsequently turns out to be a moot point, is going to factor in later on. Do not delete anything that isn’t an immediate threat, because, again, there’s going to be an investigation, there’s going to be a follow-up, there may be regulatory consequences, and if we are deleting things that could arguably be relevant later, that can have unforeseen consequences later in the investigation process.

And so now I think I’m going to be passing to Jenny on the effective IR plan design.
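The five questions above can be worked as a triage pass over audit records. The following is an added example, not code from the webcast or from HaystackID: it filters constructed events to the intrusion window, flags accounts created or dormant accounts reset (the persistence pattern described above), flags bucket ACLs opened to everyone, and builds the worst-case access scope from a constructed credential-to-resource map. The Windows event IDs 4720 and 4724 and the CloudTrail event name PutBucketAcl are real identifiers; every record, account, bucket and timestamp is made up for the example.

```python
"""Post-incident triage over constructed audit records.

Added example, not part of the webcast. Event identifiers follow real
conventions (Windows Security 4720 = user account created, 4724 = password
reset; CloudTrail PutBucketAcl), but every record, account and bucket name
below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # "windows" or "cloudtrail"
    action: str   # Windows event ID or CloudTrail eventName
    actor: str    # account that performed the action
    target: str   # account or resource acted upon
    detail: str = ""


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed audit records (not real logs).
EVENTS = [
    Event(ts("2021-07-20T10:00:00"), "windows", "4720", "it.jane", "newhire", "user account created"),
    Event(ts("2021-07-30T02:14:00"), "windows", "4720", "svc_backup", "helpdesk2", "user account created"),
    Event(ts("2021-07-30T02:16:00"), "windows", "4724", "svc_backup", "oldadmin", "password reset"),
    Event(ts("2021-07-31T09:00:00"), "windows", "4724", "it.jane", "bob", "password reset (helpdesk ticket)"),
    Event(ts("2021-08-01T23:40:00"), "cloudtrail", "PutBucketAcl", "svc_backup", "customer-exports", "grant AllUsers READ"),
    Event(ts("2021-08-03T08:00:00"), "cloudtrail", "PutBucketAcl", "cloud.ops", "customer-exports", "remove AllUsers"),
]

# Constructed: last interactive logon per account before the incident.
LAST_LOGON = {
    "oldadmin": ts("2020-11-02T12:00:00"),   # dormant for months
    "bob": ts("2021-07-29T17:30:00"),
}

# Constructed: what each credential could reach, from the access review.
ACCESS_MAP = {
    "svc_backup": {"backup-share", "customer-db"},
    "helpdesk2": {"ticketing"},
    "oldadmin": {"customer-db", "hr-records"},
}

# The error bars: when did they get in, when were they locked out.
FIRST_SEEN = ts("2021-07-29T22:00:00")
LOCKED_OUT = ts("2021-08-02T06:00:00")
DORMANT = timedelta(days=90)


def in_window(events, start, end):
    """Events that fall inside [start, end]."""
    return [e for e in events if start <= e.ts <= end]


def persistence_findings(events, start, end, last_logon, dormant=DORMANT):
    """Accounts created, and long-unused accounts reset, during the window."""
    window = in_window(events, start, end)
    created = sorted(e.target for e in window
                     if e.source == "windows" and e.action == "4720")
    dormant_resets = sorted(
        e.target for e in window
        if e.source == "windows" and e.action == "4724"
        and e.target in last_logon and (e.ts - last_logon[e.target]) > dormant)
    return {"created": created, "dormant_resets": dormant_resets}


def permission_findings(events, start, end):
    """Bucket ACL changes in the window that grant access to AllUsers."""
    return sorted(e.target for e in in_window(events, start, end)
                  if e.source == "cloudtrail" and e.action == "PutBucketAcl"
                  and "grant AllUsers" in e.detail)


def worst_case_scope(compromised, access_map):
    """Everything the known-compromised credentials could have reached."""
    scope = set()
    for cred in compromised:
        scope |= access_map.get(cred, set())
    return sorted(scope)


def build_findings(events=EVENTS, start=FIRST_SEEN, end=LOCKED_OUT):
    """Structured record of the answers, for the investigation file."""
    persistence = persistence_findings(events, start, end, LAST_LOGON)
    buckets = permission_findings(events, start, end)
    flagged = set(persistence["created"]) | set(persistence["dormant_resets"]) | set(buckets)
    # Actors of the flagged changes plus the accounts they created or reset.
    compromised = {e.actor for e in in_window(events, start, end) if e.target in flagged}
    compromised |= set(persistence["created"]) | set(persistence["dormant_resets"])
    return {
        "window": (start.isoformat(), end.isoformat()),
        "accounts_created": persistence["created"],
        "dormant_accounts_reset": persistence["dormant_resets"],
        "buckets_made_public": buckets,
        "compromised_credentials": sorted(compromised),
        "worst_case_scope": worst_case_scope(compromised, ACCESS_MAP),
    }
```

The findings dict is the "what did you do" record: keep it with the rest of the incident file rather than deleting the underlying events.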

Jennifer Hamilton

Yes, so we’ve come to the part where we need to figure out what to triage, how to triage it, who’s on first. So, let’s start going through what makes for an effective incident response plan.

So, first, we’ve got key players. We’ve discussed this a number of times in a number of different webinars around cybersecurity and ransomware. We can’t emphasize enough to decide in advance proactively who is in charge, which is the age-old question. Is it IT? Is it legal? Is it outside counsel? Who is running point? And that often comes down to who needs to be providing direction, who is actually making decisions. So, those things in advance are incredibly important, because what you don’t want is you don’t want the person who is advising and handling some of the more challenging substantive aspects of the incident response also in charge of making all the decisions and becoming a bottleneck for communications, and this can easily happen.

So, when do you have legal in charge versus IT versus other players in a corporation and outside counsel? So, this is an area where you have to decide early on and, again, who’s making the decision, as to what types of notifications might need to be made, what needs to be reported and to whom, and anymore, when you have a cybersecurity breach of data that has personal information, healthcare records, as Mike mentioned earlier, or you even have a ransomware where – I think the statistics are about half the time the ransomware, the data is actually exfiltrated and ransomed, then you have obligations, depending on what type of data you have to make reports, and those obligations become very complex, very extensive, and very time sensitive. And what I mean in terms of extensive is that you could be facing making a breach notification to all 50 states, the OCR, as Mike mentioned, multiple countries, Europe being a big one, but even China, India and Brazil these days could be part of this notification, and when we talk about doing it quickly, we’re talking about within 72 hours, in many cases. So, this would be very challenging to have whoever is running point on the breach notification process also making technical decisions, providing direction, interfacing outside counsel, PR firms, insurance, etc., to really think carefully about the workloads, and how to balance them out.

Outside counsel can be a great lead in these events, but it really comes down to not necessarily the role aside from privilege considerations, but really experience and I’m going to call it a rainbow of experience when it comes to the right people to run with the incident and manage all these different moving parts, and when I say rainbow of experience, I think that it really is someone who can see the beginning all the way to the end, so the beginning in terms of what contracts require notifications be made to whom, all the way to if this ended up in litigation, does this person have that line of sight as to what really is the priority to protect the company across from the very beginning to the end? Obviously, data security experience, experience in the insurance industry and coverage, and working on the panels can be critical, make the difference, and I also like to emphasize how important it is to have some type of electronic discovery experience, both in terms of understanding workflows and crisis management and triage, but also, in the extensive – the extent of the data flows around an organization, where is the data coming from, what’s in it, where’s it going, and how to identify and prioritize the risk mitigation practices.

And then anymore, aside from litigation, it’s having that experience in privacy. This is very hard to do, to find someone that has that range of experiences, but that’s really the people you want on the core team versus expanded team, and in a position to triage out the response with a playbook or, in some cases, without a playbook. And then also establishing, again, back to who is making decisions? It’s not usually the same person. They might be making some of those decisions, but in terms of high level gating decisions, and reporting up through the chain, that experience is also extremely helpful. Bonus if this lead or group of leads from IT to legal has experience reporting to boards as well, and providing the right level of information.

So, when we talk about roles versus not just names on the plan, that’s a situation where people and organizations change frequently, especially in this area. And so, you want to know who – always be clear on who is in that role, has the title changed, and how do you figure out who to engage, when. That’s usually super important when it comes to eDiscovery, and likewise here in a sort of cyber event.

And then I touched on who is on the core team versus the expanded team and I think that’s important because you want the smallest number of players that you can identify to move the ball forward and be quick. But you also will need to reach out to various subject matter experts who can speak that language. And we’ve talked about insurance is a perfect area, where whoever is on the core team and involved in direction, advice, or decisions needs to speak somewhat the language of the insurers and the policies, and have relationships already developed with your risk management team internally. So, that’s helpful to identify all those different things.

I like doing it through creating a RASCI chart where you have an exercise with a group, because there are a lot of subject matter experts involved in something like this, and working through who is, ultimately, responsible for making sure certain things get executed, who is accountable, who is consulted, and who is informed. And those items, just working through that piece of it with whoever is on the core team versus the expanded team, you may not even have time to reference that in the middle of an incident, but understanding what different groups need at different times can be extremely helpful when it comes to go-time.

Mary, please weigh in.

Mary Mack

I’m so excited to hear about the RASCI chart with the accountabilities and what level of decision making each person has, it brings me back to the early days of litigation-readiness where people just picked up and did. And certainly, in the first instances that works, but then you get people with job descriptions and some things are overlapping, and if you have a core team versus an expanded team, it’s so important to get that down, and discussed prior. Even if, as Jennifer said, you don’t use it, I find in litigation, investigations, and here in the cyber discovery, it’s very important to know who gets to make the final decision. Because otherwise, you can waste time with trying to figure that out, trying to work in a highly charged, highly visible, highly political environment. So, having those roles down, I think, that’s a wonderful gift, Jennifer, the RASCI chart for this.

Jennifer Hamilton

It’s funny, it was one of the first conferences I attended when I was at John Deere and that was brought up, and I thought, wow, that’s really interesting, and it’s been probably one of the most useful tools in my career from litigation over to cyber discovery. So, I highly encourage you to look up RASCI charts and use them. Again, it’s a great exercise to bring people together and provide clarity. That can be one of the most important things you do to prepare for any kind of crisis type dispute.

So, in the same way, let’s talk about workstreams. We’ve been talking about having workflows and how important it is. Again, you may not have time to refer to it in the middle of an event, but just the practice, the experience of putting them together so that the team, as a whole, understands what is a typical workflow. And obviously, in most crisis situations, there’s a lot of improvisation that happens. It doesn’t really neatly flow. Just like in eDiscovery, things don’t neatly flow from one phase to the next, and so that’s where your tabletop exercises can be helpful.

I find it’s hard to even have those exercises, because it’s such a daunting endeavor, especially for teams who really haven’t experienced this before. And so, what I like to think in terms of roles and responsibilities and blending with workstreams is figure out what is the highest risk event your organization can face. Let’s get down to the top one, two, maybe even three. Let’s start with the highest risk event. And this is where legal really wants to be involved.

Legal wants to lend itself to helping assess the risk. And so, I think that’s where you can have an event that is highly technical in nature and need the Johns and the Mikes involved to a very granular degree, but also running that by the legal in terms of is this really one of the highest risk events, and going back to what needs to be reported can really drive that decision. Data, privacy, and breach notifications, compliance with insurance policies.

And I also will throw in here when it’s good to get legal more deeply involved or maybe in taking a lead as the non-playbook matters. Again, if you have that person, and it doesn’t have to be an attorney, but the person who has the most experience from the beginning to the end of the crisis, then that can be really helpful. Because there are events that are going to happen, like ransomware, people were not event-prepared, and I call it the Non-Playbook Matter. So, that can be where legal can help really support the workflow and strategy, if not drive.

And also, a key point here is that these things – and we talk about improvisation, we’re also going to talk a lot about in parallel, things are happening in parallel at the same time. So, where does it make sense? If you have to make a report in 72 hours, or you have 24 hours to make a report, then who is going to be doing what at the same time? So, these are things, I think, that can all be discussed and worked out in advance.

I don’t know, Mary, if you had any thoughts on that as well.

Mary Mack

I think just like with a presentation, if you have a script and have an outline and you know where you’re going, certainly ransomware is where you’re… it’s like you put your finger in the light socket, and if you’re talking about the worst possible thing that could happen to an organization and getting legal involved at that point, because that’s the highest octave of risk, I think it’s so important to document the workstream, so that you at least have one path through. It may not survive, what is it, the onset of battle, everybody throws their manuals out the window and they just address the crisis. But even some of the subparts are going to be helpful. And as you work through your various cyber events, you’ll see which things work for your organization, and then be able to iterate and improve on them.

We’re right now, sort of, for most organizations, right at the very beginning, and it’s so important to invest the time to document and to develop the trust and the relationships amongst the people who are going to have to form this, in essence, Tiger Team.

Wouldn’t you think so, Jennifer?

Jennifer Hamilton

Yes, trust and relationship building is critical here. And I think that this is an area where doing the day-to-day work can really take you off course of doing this advanced planning and trust building exercises, but you really wish you would have done them if you don’t make the time for it.

And speaking of that, in terms of good communication and having a plan, this is where I like… there’s always all this advice and there’s playbooks that are eight to 20 pages long. Ransomware, really, deserves its own playbook. It’s becoming a norm, and whether the data is exfiltrated or whether it’s just encrypted and ransomed, then these scenarios are hot on the list to develop your communication plan.

And I think the shortest possible plans, the better, because in real life, if you have something more than a couple of pages, there’s really no time to dive in and analyze it, and figure out how to make it apply. And so, I like things that are one-page, I like more of bullet points or visual, Visio-type diagrams, and again, crafted by role.

What people need to know is who to engage and when to engage them and how to engage them. Again, that’s just eDiscovery 101 as well. If you can get that into a one-page plan, you’re pretty far ahead in this process and you also need to know when you aren’t the lead. In a lot of the communications, these are special events, and crisis communication is different than every day, even in a litigation and how we talk to each other and who does what. And so, in that sense, it’s helpful to read up, there are some great books out there on crisis communications and understanding how it’s very different from a day-to-day project, and then just leveraging the teams that you have to just have that – even if you did a tabletop exercise just on communication – that would be a valuable investment.

John Wilson

Jenny, a one-pager, even if you’re going to have a full plan that’s 20, 10, whatever many pages, having that kind of flashcard one-pager that says, “Here’s the person I talk to if I need somebody for this” becomes really important. Because these things, again, especially as they’re getting more and more sophisticated, they’re putting time urgency on, “Hey, we’ve captured your data, we know you’re about to do an M&A deal, and we’re going to make that information public, and you have to pay our ransom in 72 hours”. There can be some very tight time constraints for figuring out what’s going to happen, who needs to be involved and everything. So, having that one-pager that really helps you expedite the process and know who you need to contact when becomes really important.

Jennifer Hamilton

That’s right, John. And even what to use, and having it queued up before the event happens, so Signal is an app that’s becoming incredibly popular. It’s on everybody’s phones, it’s encrypted, and you want to have these groups by role that follow the plan, to some extent, already organized and ready to go, so you’re not trying to create… getting everybody to download Signal in the middle of an event is not ideal by any means, so that’s my other takeaway here.

Well, let’s move it along to data mapping. We can travel back a little bit here. But in data mapping, again, this is another thing that’s very helpful in terms of proactive incident response planning, but it can also be very useful post-breach in the discovery process. You have privacy teams and eDiscovery teams and various other IT folks who are more on the info gov side who probably, in some organizations, have created already a map, or a diagram, or a spreadsheet tracking some of the more critical data flows through the organization that would have the type of data you would be most concerned about. Where is the sensitive personal information? Where are the health records, the financial records, some of the company crown jewels?

And I will say that there are different groups, over the years, we started to come up with data mapping, what, Mary, like 15, 20 years ago in litigation, but there’s various groups that picked up and ran with it, like the privacy teams, to comply with GDPR, and that’s also going to be a requirement coming up here for other new state privacy laws that have emerged in the last few months. You’re going to have to do it, if you didn’t have to do it for Europe.

So, why reinvent the wheel and why not go to those records and kind of speed up the groupthink about where you need to concentrate your efforts for remediation, for reporting. Whether it’s reporting out to individuals that were affected or to regulators, or just to report back to the company, “Hey, guess what? This is the type of information that was in this database that we weren’t even aware of before”. So, this is the way to go get not your post-breach cyber discovery process, and also leverage the institutional knowledge you have with the eDiscovery teams, the privacy teams etc. And some companies are really getting ahead of this and using 365 to tag and develop retention.

But your best friend here is to not have the data in the vulnerable position that it’s in, and so, to the extent that can be an investment in the sort of proactive planning. So, not keeping data around beyond its useful life to the business. And that’s where you get into thinking about can you budget for some remediation projects. Obviously, you could probably upend the organization doing this across the board, across all the legacy systems, the databases, email accounts, but if you, as an organization, can go through and do a privacy audit or eDiscovery audit and assess, again, your highest risk repositories, where maybe it’s your customer information or patient health records, and start small and iterative, let’s see what’s even there and let’s figure out what needs to be remediated that’s well beyond the retention schedule or the useful life, and not on legal hold, this is going to be where you are most effective at actually managing an actual breach.

And then we’ve already touched on response and notification, and how to make sure your workflows are going seamlessly and in parallel. Breach response, again, is its whole – we could have a whole webinar just on that, but the goal is to speed it up. So, to the extent that you can leverage your institutional knowledge, as we talked about, leverage your vendors to anymore… not only do the litigation support, eDiscovery, document reviews, but also do they know how to identify this information quickly? Do they have the technology? Are they using artificial intelligence? Are they buttressing it with other ways to validate what’s there in a very, very fast manner and get that information in the hands of the groups who are responsible or accountable for any sort of breach notification is critical. So, the more that you have vendors and business partners and folks in legal who work at the intersection of IT, litigation, cyber, all these different groups who already understand a lot, don’t have to be taught anything along the way, they’re intimately familiar with your business, with your processes, with your people, have those trusted relationships built, then this can make a huge difference in the success of managing one of those events.

Michael Sarlo

Thank you, Jenny. That was great. Thank you, Mary, so much. There’s a lot that goes into an incident response playbook. And the post-breach workstreams outside of the technical piece is where we find that even the most sophisticated organizations are lacking.

One thing I do want to point out, we started talking about MSAs and whatnot, and there’s a, typically speaking, based on the Capital One decision after their breach out of Virginia, IT services procured, ahead of a breach, not in relation to a legal matter, are not technically covered under the attorney/client privilege umbrella. So, bifurcating communications in certain ways and being aware of that as far as who you engage and how you construct engagements in relation to responding to a breach is very critical to make sure that what the industry believes should be a privileged event, we tend to believe that cyber is a legal issue. You need to make sure that you’re handling that appropriately. Any of the premier breach coaches are highly sophisticated in that to mitigate that exposure, which is something to be aware of that sometimes your usual go-to is not the right go-to for certain pieces of the workstream.

So, what is the post-breach discovery workflow? We don’t have a lot of time left, so we’re going to zippity-click through this presentation now. But typically speaking, we get impacted data sources, either we’re onsite preserving them, or we’re actually communicating directly with threat actors. They’re usually getting posted to some type of public [E-zines]. We pull them into an infrastructure that we have that is completely dedicated to breach events. Very important. I think a lot of data may be commingled in the vendor community. Imagine you’ve got your big litigation case in one database and now this in another one, and one set of data may be filled with malicious filetypes. We also handle a lot of zero-day events as well. In those situations, you have no capability to identify it.

So, the big question is, is there sensitive data in that dataset at this point? And sensitive data, oftentimes, is going to be PII, PHI things like that, but for… you’re dealing with any type of business sensitivity, intellectual property, contracts, communications with clients, that’s all really important too, especially for the people that need to go contact our clients and tell them that there’s been a breach and deal with those repercussions.

Typically speaking, there’s going to be some data processing. We prefer Nuix, in this case, especially where that we may need to do some forensic analysis on files if we have more shifting types of malware that tends to change, MD5 hashes or different things, or we really want to dig deep into the components of an individual file, or from an investigation standpoint, but also to identify certain types of IOCs that may be embedded in files that aren’t necessarily transparent.

At that point in time, really high level delivery that really operationalizes these engagements is really what we call an Impact Assessment Report, and we do these a couple of different ways. We have what would be a low level impact assessment that really happens right away based on a massive library of regular expressions, search techniques, and both from a content standpoint, file and folder paths standpoint that is enriched back into our proprietary ECA workflow, what we call ReviewRight Protect Analytics. And then we’ve actually developed our own AI that we’ve refined and honed through many events that does a very good job of identifying sensitive data.

And at that point, usually, there’s – working closely, either… we have our fully managed offering here that will get you from breach to a disclosure list, let’s say, a disclosure list, I mean a listing of those entities that have been compromised, humans, corporations, their information that was compromised. Then we’d work with one of the major notification vendors, be it Equifax, Experian to check addresses and then notifications are sent out to those folks. And the clock is usually around 65 days when you’re dealing with HIPAA. And when that clock starts, it’s usually as soon as you look at a document. And you’ll hear different things about when and where that clock starts, and being strategic about that is incredibly important for very large-scale breaches, more across multiple geographies. It’s really important to get a sense of where your potential data subjects are located, not just within the enterprise, but where they actually live, and from whence and where their data was collected and for what purpose. And really, going back into those systems that maybe the CRM, maybe the electronic medical records system, that maybe some other system can, oftentimes, be a good indicator about what you’re dealing with from a geography standpoint, what regulators you’re dealing with.

That AI impact assessment report and all of that work product tends to then go through a workflow where we are statistically validating tranches of documents based on their hits, specifically with the… we also return confidence intervals, how accurate the computer thinks it was, and that has gotten better over time, and we’re looking for high value targets to move straight to data mining, what we would typically call in the eDiscovery space, Review, and/or extraction, data mining or extraction. And you can get some very large teams working through these matters that are actually collating different types of PII elements, correlating them back to entities.

And the whole goal here is to, basically, get to a deduplicated rolled up list, and basically, being able to identify every little piece of information about you or me in the data universe, where and whence it came from, and basically, being able to deduplicate those metadata elements. We’re not talking about deduplicating documents here, we are talking about deduplicating more structured data that we’re collating. And very important, because it just becomes a massive, big data challenge.

We use a variety of techniques to detect data from an AI standpoint. John, do you want to pop in here for a second, since you’re the Chief AI Master.

John Brewer

Sure. I know we’re short on time, so I won’t go too much into detail here but the key takeaway from this slide is that we use a combination of older techniques, things like Word2vec template matching, which basically use patterns in words, more accurately, patterns in the arrangement of words in documents to help us kind of get some very crude, rough understanding of what the content of that document is so that we can make more intelligent, computerized deductions about the content there and whether or not it’s relevant.

And then we use a lot of other models right now that are being used that are almost in a research phase, and are just starting to enter production, things like GPT, which you may have heard of in the news is neo-GPT or transformers, triumvirate cognitive models, which is essentially a fancy way of using three different algorithms to get the same information and then combining that information usefully to get a better result for our customers. Sentiment detection, which of course was originally developed as a marketing tool, but has a great deal of use in our particular field here in breach discovery and analysis. And then non-entity key phrases, which is, again kind of associating people with titles and being able to use those interchangeably in a way that a human might be able to, if they were trying to use this data for nefarious purposes. For instance, being able to tell that a reference to the HaystackID chief data scientist was also a reference to John Brewer.

OK, Mike, I think that’s the salient points here.

Michael Sarlo

And what we’re able to get back to our customers – and this is for really any matter where you need to identify sensitive data, with cross-border issues you have sensitive data just in a general litigation matter, there might not be a protective order in place, it may need to be redacted. Highly configurable, this is just a stock graphic, I actually have a series of dashboards and a ton of fielded data that allows and facilitates an incredible amount of workflow related to dealing with privacy data and if anybody’s interested in learning more about this, just contact the HaystackID team, we’ll be happy to show you a demo and take you through the entire workflow both in the context of breach and for any type of general eDiscovery engagement where you’re dealing with sensitive data.

And from a review standpoint, and we’ve been in the remote review space for about 10 years, when it was a faux pas to have remote reviewers, and now we were well positioned for COVID, so to speak. We’ve always been technology-enabled where we actually have a web based platform where we organize our reviewers, we manage them, and any reviewer coming into our enterprise actually is tested on their capability to review. Important here because, technically, a breach sometimes may not require the license or requirements of an attorney, you’re not necessarily making legal calls, so you’ll see what appears to be very low pricing sometimes on the review side, it just may be paralegals, law school students, or maybe offshore. And making sure that these people are still a good reviewer and understand concepts about sensitive data is critical. So, we’ve developed a special test and a bench of experts, privacy experts in this domain of both non-attorneys and attorneys, insurance carriers don’t technically want to pay for attorneys in some scenarios, so you need to sometimes on the prior side, on the law firm side, you need to understand the differences between both. But leveraging the testing can result in really high quality output.

Additionally, for all of our reviews, we always start with a gauge analysis, meaning we get a representative sample of the data, it’s coded by the review team management, review leaders, by counsel, and then also by the reviewers. And we compare those and have remediation rounds, and this is a great way, early on, to get teams acclimated to the data so that everybody is in line with the protocol and what they’re doing. I recommend this for any review matter, big or small. It’s a really great way to prevent the usual feedback loop that may happen a week later when QC batches finally become available, or especially for very fast moving matters where a review team spins up in a day and you’re shooting documents out the door three or four days later and there really isn’t the appropriate feedback loops between counsel and a vendor like HaystackID to get everybody aligned.

Really important is workflow. Item level dedupe, cutting down the size of the population is incredibly important. We want to be able to sample sets of documents that don’t hit on AI, oftentimes, by filetype, paths, and we want to be able to basically use statistical sampling methods to cut those documents out. Likewise, we want to be sampling different tranches of pockets that do hit on terms or AI to see if those are actually working as expected, and we would make promotion decisions based on that and document everything, especially in cutting workflows it’s very important.

All of the typical stuff, domain analysis, item level deduplication, again, no reason to look at the same document over and over from an attachments’ standpoint, leveraging search terms analysis outside of the context, that’s typical sensitive data detection strings. Batching as well, and really understanding – the thing that pops up in all of these is we’d call LDS documents or really big Excel files, database files. We didn’t talk about databases and how we handle those. That’s a whole other advanced tech webinar that we could go deep into. But note, that can be a major wrench and they’re always present, especially when you have databases that might contain hundreds of thousands of individual entities. That needs to be merged back into the population, that singular list of individuals that’s also extracted from documents, so you’re really doing two things. Dedupe does not happen in an eDiscovery pull, it happens more in big data type databases, Hadoop, Google BigQuery, things like that. We use different methods depending on the size and scale of the data and the quantity of individual fields that need to be deduped, usually, in a hierarchical order. So, you might combine social – start out the gate and first name plus a medical record number, and you start adding in things to get deeper and tighter concision. And different vendors are going to have different successes here. We’ve seen a lot coming out of data and have written quite a bit of code to clean that data up, so that we get better deduplication results.

And in general, we are going through a workflow where we need to identify, usually, the documents in scope, in general, that qualify for a notification. It’s usually classified in some way; there could be many different ways that – many different metadata fields that we’re populating. There is a mass extraction of data points that can go on programmatically. If we get repeating forms, things like that, we may actually go back to CRMs or other databases that may be onsite at the customer, and would choose to actually kick out the raw documents we may be looking at in favor of more structured data from which the data we’re looking at might have been generated. If it’s a PDF that gets sent every day that has a bunch of customer information, you’re better off going back to the platform. And a ton of quality control goes on at different layers, at the review side and also at the data science side, and that’s incredibly important on the technical side.

So, you have a lot more technical inflows looking at data, normalizing data, working with reviewers than you would in a typical eDiscovery oriented review.

Of course, the reporting here is completely customizable, and we’re very focused on reporting on the different types of PII categories that we’re seeing. Also, in situations where we have a lot of covered entities, things like that, BAAs, where one breach is actually 50 breaches because you had individuals who were robo-signing contracts and didn’t know what they were getting into from their contractual obligations. And now, you have to report individually to those organizations that may have been infected. Sometimes structuring these reports at that level, of both who needs to get notified from a business partner standpoint, and then the data subjects within those categories, can be very useful.

There’s a lot of normalization that goes on. When we say normalization, we mean standardization of data. So, you get first names, last names, first initial; getting those all broken out really allows for much better deduplication results using a variety of techniques here, depending on the data. Things here can get a lot trickier when you start to get addresses from Ireland that describe a small house at the end of a street, rather than the way that we tend to think about them here in the US. So, you might end up in different workstreams, entirely different, based on the geographies the data is coming from.

And then, certainly, statistically measuring and validating those results. There is a concept of proportionality in this, and it’s kind of a squeeze-the-bean-until-you-get-every-drop-out situation. In some scenarios, some breach coaches have different viewpoints on that, and it’s really a legal determination as far as – from a risk standpoint, how far you need to go. You could sit there and massage these lists until the end of time when you start dealing with hundreds of thousands of pieces of data about individuals, but at a certain point, there’s a cut. Name normalization is very hard. You hear people ask for it quite a bit, but nobody wants to obfuscate somebody’s name so their PII gets mixed with somebody else’s and they don’t get a letter; that’s a big problem. We’ve developed some technology to get us partially there, but legal teams tend to shy away at the last moment when you start to ask them to agree on confidence intervals, margins of error, things like that. It just does not comport.

And there is no AI that can magically just go through a dataset and auto-associate all the different elements of somebody to somebody. So, we get this question all the time. The biggest thing to kind of walk away with here, when you start to think about AI in the context of data breach, is that it’s a force multiplier for humans, and it’s typically the same case in eDiscovery. You’re still going to require a ton of manpower. In some cases, things can get more automated in certain ways, just structuring the review and removing complexity as much as possible, just like any other engagement, and having a battle-tested workflow. Work with somebody who has documented workflows, documented playbooks, and documented outcome-based work product, defensibility reports, things that they can show you that you’ll get back if you choose to engage in a fully managed process or partially partnered process.

That, my friends, is the last slide and I’m going to kick it back to Rob. We did have one question. I don’t know if we’re going to have time for one of them, but somebody asked us, “So, what are good instructions to help spot phishing and ransomware attempts that are expert forgeries? We can’t say they should never apply their credentials under circumstances. What is the best practice here?”

Well, the best practice, in general, is if you get something in email and it asks for your credentials, don’t click on it. You should always do analysis of the link: hover your mouse, and if it looks suspicious, it likely is suspicious. I never, ever, ever click on a link from any type of major retailer, any account I know I have, anything. I would basically go back into the site myself, usually using an app or just accessing the site, and I would log in there.

There’s a lot of training available here. We conduct tons of simulations here at HaystackID. We get fake phishing emails, you have to report them, and this is how we make sure our staff is trained. It’s important to be vigilant here. Even the most sophisticated people can be vulnerable to this. We see a lot of these come via text message now too, right, but there are free trainings; Google offers some here as well that run full training programs on detecting phishing. There’s a lot out there on the internet. I highly recommend it for any organization that may not have the budget to deploy more enterprise training programs, videos, all that stuff, testing.

You just need to assume that everything is bad, in some cases, and to stay away from it. John and John, this is probably one for you. We can probably only spend about a minute on it as well to talk about it. But we have another one here.

“We are preparing a cloud migration. When it comes to backups and ransomware, immutable storage, including backups that cannot be accessed by admins, is becoming a hot topic. Can you discuss, please?” Certainly, taking away administrative access from our administrators here at HaystackID has been a hot topic as well.

Just to kind of pipe in there. Go ahead, John and John, what advice can you give us?

John Brewer

So, I can say that immutable storage is usually something I hear in reference to backups, and that goes back as far as the 60s or 70s when we had write-once read-many or WORM tapes. Now, I’m not sure that that’s particularly applicable to ransomware as we’re discussing it here, because those backups are usually still accessible in a read context to the administrators, because otherwise they would not be useful in the event of a disaster recovery scenario. Preventing them from being writable is definitely handy in preventing a ransomware attacker from reaching out and actually encrypting those backups, which is kind of the worst case scenario from an operational perspective where you’ve had both your production system and your backups ransomed.

But John, did you want to comment on that a little more?

John Wilson

Of course, there is a lot of talk about it, but the flipside of that coin, it does help protect the backups once they exist. The problem is if the backups get the encrypted data written to them, it doesn’t help you much.

Michael Sarlo

And let me just say one thing too here: we walk into so many organizations that are massive enterprises, highly sophisticated, and when it comes time to access the backups, they’re broken, or they’re not even able to be restored in some ways, or they would never be able to be restored in an amount of time that’s reasonable. We see it all the time.

So, you never know how good your backups really are either. So, just something to think about, in general, unrelated to this.

John Brewer

So, the one point that I did want to make that I’m not sure that I did previously is that immutable storage does not save you from having your data ransomed, because as long as those backups are still accessible, somebody can steal those backups and use that for a data shaming attack or otherwise to attack the organization by having that data as opposed to encrypting it.

Michael Sarlo

Thanks guys. All right, well, thank you guys so much. We really appreciate it. Please feel free to reach out to any of us, first initial, last name, HaystackID.com, we’d be happy to share, collaborate, teach, educate, learn from you.

I’m going to kick it off to Rob Robinson to close us out. Thank you, again, as well, we really appreciate it. Thank you.

Rob Robinson

Thank you so much, Mike, and thank you to the entire team, and also our supporters from the EDRM and ACEDS. And as a reminder to everybody on the call, a copy of the presentation slides is available from the tab beneath your current viewing window, and an on-demand version of the presentation will be available shortly after the end of today’s call. Additionally, we want to thank each and every one of you who took the time to attend today. We know how valuable your time is, and we certainly are grateful for you sharing it with us today.

And last but not least, we hope you have an opportunity to attend our next education webcast. It’s scheduled for September the 15th at noon Eastern time, and it will be titled, Breaches, Responses, and Challenges: Cybersecurity Essentials That Every Lawyer Should Know. We certainly hope you can attend.

And again, thank you for attending today and this formally concludes today’s webcast. Please have a great day.


2021.08.11 - HaystackID - Ransomware Incident Response Cyber Discovery - August2021 Webcast - FINAL


About HaystackID®

HaystackID is a specialized eDiscovery services firm that helps corporations and law firms securely find, understand, and learn from data when facing complex, data-intensive investigations and litigation. HaystackID mobilizes industry-leading cyber discovery services, enterprise managed solutions, and legal discovery offerings to serve more than 500 of the world’s leading corporations and law firms in North America and Europe. Serving nearly half of the Fortune 100, HaystackID is an alternative cyber and legal services provider that combines expertise and technical excellence with a culture of white-glove customer service. In addition to consistently being ranked by Chambers, the company was recently named a worldwide leader in eDiscovery services by IDC MarketScape and a representative vendor in the 2021 Gartner Market Guide for E-Discovery Solutions. For more information about its suite of services, including programs and solutions for unique legal enterprise needs, go to HaystackID.com.