Mon, Apr 20, 2020

Effective Business Email Compromise and Ransomware Mitigation

Understand six key legal and technical steps to bolster defenses against business email compromise (BEC) and ransomware attacks. This webinar, co-hosted with James Melendres of Snell & Wilmer, explores fundamental approaches to mitigate the risk posed by these threats and streamline incident response plans. There is no “easy button” to push—but there are certainly some easy wins. 

This webinar covers: 

  • The impact of multi-factor authentication and best practices for implementation 
  • How to leverage endpoint monitoring efficiently
  • Considerations for protecting incident response investigations under privilege 
  • Effective board and C-suite engagement
  • Incident response plan reviews, fine-tuning 
  • Successful elements of a robust backup strategy 


  • Jonathan Fairtlough, Managing Director, Cyber Risk, Kroll, a division of Duff & Phelps 
  • James P. Melendres, Partner and Co-Chair, Cyber Security, Data Protection and Privacy, Snell & Wilmer

Notable Passages from the Presentation

How a Data Map Helps 

“ Asking questions and identifying the places where, and the types of data that you have ensures that you're going to have a data inventory. This inventory is useful in many ways, but probably the most important way is when there is an issue, when something has been accessed, when a system has been disabled or affected. You can know exactly what information was on it and whether or not that information triggers any legal, regulatory or potential client based requirements. If you don't know what you have, it's both difficult to protect it and extremely difficult to figure out how to respond to an issue with it.” – Jonathan Fairtlough

Why Relationships with Third-parties Need to be Reviewed

Make sure you have appropriate review of vendor contracts. Keep good copies of the contracts in a documented form and include your review of third parties in your audit in testing. If you have a clause that allows for inspection, you really should make use of it. – Jonathan Fairtlough

On a more specific point, the contract review that Jonathan mentioned is extremely important because, in the event of a ransomware attack, a business email compromise, any other type of cyber incident, there very well may be contractual obligations that your company has to notify its vendors, its counterparties. It is much easier to assess those obligations during a data inventory rather than in the fog of war while you're attempting to recover from a ransomware attack. We stress reviewing those third-party contracts as a critical part of preparation. – James Melendres

Data and System Backup, Multi Factor Authentication

The reason why backups fail, the reason why we are seeing people having to consider paying ransoms is because one in many cases, people aren't doing a backup properly. They are either backing up the wrong information, not backing up what is important to the business but what IT thinks is important. The media failed and no one actually checked it, or which is very common the attackers have turned off the backup processes. They are in the networks. They're zeroing out the network connected backup information leaving you with no options. […] The other tool that can help you protect against the modern form of attack is multi-factor authentication. This is an industry term that really focuses on doing more than having username and password for access. Having some other thing that is in your possession, like a token or a phone that receives a code that has to be entered before access is granted. I cannot stress this enough username and password is simply no longer enough. There is too much, too many data breaches from found out credentials that make it possible to either identify and guess username and password or to simply look it up. – Jonathan Fairtlough

Expanding Endpoint Threat Detection and Response

We're no longer in a world where all your data stays behind that nice firewall in your network in your office building. Your data is being accessed by your staff, by your key decision makers on their mobile devices on their laptops and they're using the common infrastructure of the cloud and the internet to get access to your data. It means that each and every one of those individuals is in fact an endpoint. They are the wall of your network, and they need to be protected. The best way to do this is to use the next generation tool sets that are called endpoint threat detection tools. There are many of them out there, and the goal is very simple. They identify and flag bad executables similar to antivirus but more effective. Because they're not just basing it off a pattern match, they're looking at what the executables do. That means they have the capability to analyze behavior shown on a computer against attack patterns and methods. […] A good endpoint threat program identifies, analyzes but also uses information from other sources to add to its knowledge. It gives you the capability with a good team member to threat hunt, meaning to look for things that might be indications of an attacker being in the system and trying to learn their way around. Finally, the key part is when you do all this when you get this visibility, you have to have a way to rapidly notify the team to act on a validated threat. This is the concept behind an endpoint threat detection. This concept of total network visibility and it is the way in which you get security in a world of highly mobile, highly editable attack vectors. – Jonathan Fairtlough

Crucial Steps To Take Before an Incident

You need to make sure that you have comfort and trust in the advice and approach of your firm that's helping you with legal matters before you start to ask for that advice. You need to make sure that your technical teams and your systems are known and comfortable and your approach is structured with your incident response firm so that they're not learning as they walk in the door trying to help you. All of this means making sure that you're taking the steps to line up the help that you need and making sure that you're putting in place the legal structures that are easy to draw them and you're ready to roll. – Jonathan Fairtlough

Protecting Incident Response Under Privilege 

All of this means that in addition to the preparation, you need to think about how you're going to respond. Have you built an incident response plan? You know, it's easy to download one of those from the internet and just drop it on the desk and say you have to check the box in the compliance checklist. Does your incident response define what an incident is? Has that been discussed with the people who would need to make that decision? Does the team have decision making authority? How often is the criteria that you are using to define escalation and incident reviewed? How often do you test this thing? Is it just a dusty documents sitting on the desk? Or is it an active part of how your team works with this? – Jonathan Fairtlough

The takeaways here, practically speaking, are if you are in the circumstance where you are responding to cyberattacks, it is going to be to your benefit to add outside counsel who have been retained specifically to assist with that incident response. Again, in anticipation of litigation to ensure that they are included in all internal external correspondence. Consider having all correspondence among your IT team directed to outside counsel. Certainly, the entire IT team needs to be included on the communication, but it can be a very helpful practice in litigation down the road for email messages in dispute to be directed to the outside firm. Absolute must, is that all email correspondence, all records and reports generated as part of the incident response are marked with the attorney-client privilege header, the attorney work product header. – James Melendres

Download webinar slides.

*** ©2019 All rights reserved. Notice: As part of our effort to inform you of changes in the law, Snell & Wilmer provides legal updates and presentations regarding general legal issues. Please be aware that these presentations are provided as a courtesy and will not establish or reestablish an attorney-client relationship or assumption of responsibility by Snell & Wilmer to take any action with respect to your legal matters. The purpose of the presentations is to provide seminar attendees general information about recent changes in the law that may impact their business. The presentations should not be considered legal advice or opinion because their individual contents may not apply to the specific facts of a particular case. *** 

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.


Proactively monitor, detect and respond to threats virtually anywhere – on endpoints and throughout the surface, deep and dark web.

Office 365 Security, Forensics and Incident Response

Digital forensic experts investigate hundreds of Office 365 incidents per year and help strengthen your security.