3 Key Takeaways from the 2023 ElevateIT Dallas Closing Keynote

Published On: June 22nd, 2023 | Categories: Cybersecurity, Events

At ElevateIT in Dallas on Wednesday, June 7th, Joshua Aaron, Aiden CEO, moderated the closing keynote panel on Cybercrime, Nation-States, and the Emerging Threat Landscape with guest speakers John Kindervag, Founder of Zero Trust; Stephan Hare, Network Intrusion Forensic Analyst, U.S. Secret Service; and Joshua Jacobs, Special Agent, FBI Cyber, Dallas. They discussed various issues, including the increasing levels of organization displayed by ransomware groups, the potential future of a post-quantum world, and what companies can do to mitigate the damage caused by data breaches and ransomware attacks. Here are our top 3 takeaways from the Keynote:

1. Have a plan in place in the event of a data breach.

While a robust cyber defense is critical, too many companies go without a backup plan for when they are compromised. Having company staff trained and ready to execute an incident response plan that includes proper logging of the incident is extremely important. According to both Stephan Hare and Joshua Jacobs, keeping proper logs is extremely beneficial to law enforcement looking to investigate the ransomware groups that cause data breaches.

“It’s being prepared for when it happens, not if it happens.” – Joshua Jacobs

Joshua Jacobs suggested IT security leaders keep an out-of-band communications system in case company comms are brought down or compromised. John Kindervag recommended that companies keep encrypted backups of all their data to speed up recovery after a data breach.

According to John Kindervag, one way to prevent the harmful effects of data theft, which is becoming more and more common in ransomware attacks, is to kill your useless data.

“Kill your data. Have dead data. Encrypt your data. The only good data is dead data.” – John Kindervag.

Another issue brought up was data sprawl, which tends to get out of hand; properly culling old data can reduce the potential damage data theft can cause.

“Companies just allow the data that’s useless, not doing anything for them to sit around. I was always about killing old data. Find it in your organizations and get rid of it.” – Joshua Aaron

The panelists then discussed how some ransomware, just like the old data of a data sprawl, can linger on systems for years. Kindervag mentioned that GoDaddy, Citrix, and Nortel are all companies that serve as monuments to the damage these multi-year breaches can cause. Joshua Jacobs followed this up by continuing to emphasize the importance of logging, which can be hugely helpful in investigating years-long incursions like these.

“Some of these nation-state actors, even cybercriminals, they’re on your systems for days if not months…you can get into years!” – Joshua Jacobs

Kindervag discussed one experience where a company he was talking to was hacked mid-conversation, and the best solution would have been to unplug the Wi-Fi. Data breaches come in many forms, so tech leaders need to be prepared for anything, even if that means physically unplugging the router mid-incursion.

Joshua Aaron pointed out that while unplugging the internet can be critical, the power shouldn’t be turned off, as a system that still has power can be key in the investigation that follows.

“Whenever you have an incident, unplug. Hopefully, not the power but the internet. And make sure you preserve something with power so they can run a cyber forensic investigation on it.” – Joshua Aaron

2. Tech leaders should strive to facilitate better communication between their IT and Cybersecurity teams. Transparency is important.

IT and Cybersecurity teams work in silos, reducing transparency and communication. According to the panelists, this industry standard needs to change. The two teams are on the same side, fighting against the same threats (ransomware, zero-day application vulnerabilities, phishing emails). Lack of communication between the two is what leads to things like incident response plans being fumbled when a cyberattack does hit.

“CEOs are blindsided when they’ve had an attack… While somebody below knew something was wrong but didn’t want to bring it to someone higher up. These companies aren’t transparent.” – John Kindervag.

Transparency is key for more than just ending divisions between IT and Cyber. It is also huge in helping companies maintain a robust security profile. As Kindervag alludes to above, keeping clear, transparent communications, even across departmental divides, will greatly help reduce the number of vulnerabilities in your security profile.

3. Reach Out to Law Enforcement and Make a Point of Contact with Them Before Any Breach Occurs

Jacobs, Hare, and Aaron discussed the importance of company leaders engaging with law enforcement well before a breach ever happens. Both the FBI and the Secret Service can be hugely helpful in providing input for incident response plans, offering advice on preparing your company’s plans for how to respond to a variety of data breaches, and keeping your company in the loop on the latest emerging threats.

“Call somebody. Reach out to your local field office. Make that face-to-face contact… that human interaction prior to something happening is huge.” – Stephan Hare

According to Joshua Jacobs, it is important to already have a contact at your local field office so that when a breach does occur, the office already knows you and can be of greater assistance.

“If you engage with us and say, ‘we had a data exfiltration event on this date, and this is where we think it went’, you give us an IP address of where it went, then we can come back to you…and say that we think it’s this ransomware group to give you some level of confidence of what to expect moving forward.” – Joshua Jacobs

However, some people do get nervous about calling upon the FBI or the Secret Service.

“We’re not looking to get into your stack, we don’t want to drive. We just want to be there to assist as necessary. We’re not there to fix the problem, we’re just there to help along the process and investigate the criminal activity.” – Stephan Hare

When asked by an attendee later in the Keynote what companies should do with a compromised system so that they are not charged with tampering with evidence, Joshua Jacobs responded that a company that is the victim of a ransomware attack hasn’t ever been charged with tampering with evidence as far as he is aware. To further assuage these worries, Stephan Hare stated:

“We’re going to work with you towards a single goal, and we don’t take the stance that you are a perpetrator of a crime just because you need to get up and functional. By all means, continue to do what you’ve been doing. We’re not going to view you as anything other than the victim of a crime, because that’s what happened.” – Stephan Hare

Another attendee asked whether companies should tell the FBI whether they have paid a ransom or not, as the Department of the Treasury sanctions some ransomware organizations. Jacobs answered that the FBI never recommends paying a ransom but would not punish a company for doing so. Ultimately, he said, that sort of thing would be a Department of the Treasury issue. The FBI and the Secret Service can be invaluable partners in protecting your company from cybercrime.

“If you had a critical vendor in your stack, I think the way you would want to think about it is as a serious point of contact with that vendor. It’s no different. If you have an incident, you want to know who you can contact right away and get the right people involved.” – Joshua Aaron

The Wrap-Up

These were our key takeaways from the 2023 ElevateIT Dallas Closing Keynote. The group also briefly discussed machine learning, quantum computing, and other trends in ransomware, but these three were the topics that really stuck out above the rest.
