Negotiating with a ransomware criminal.

The News4JAX I-TEAM is finding out what it’s like at the virtual negotiation table, going behind the curtain of the process with Billy Steeghs, Chief Operating Officer of OnDefend.

Originally Aired On: News4Jax

OnDefend enables companies to reduce ransomware risk by testing and validating controls against real-world strains. Discover how OnDefend, empowered by BlindSPOT’s attack capabilities, supports security programs through Ransomware Defense Validation.

Discover if your environment is prepared for a ransomware attack with OnDefend’s comprehensive Ransomware Defense Validation service. This multi-level assurance offering supports security leaders in reducing risk by simulating real-world ransomware threats to validate your security measures.


Ascension St. Vincent health system has temporarily halted some elective procedures, including tests and appointments, as they delve into a cybersecurity concern. Following the detection of unusual network activity yesterday, hospital officials are probing the incident and assessing the potential compromise of patient data.

Chris Freedman, CEO of OnDefend, sheds light on why hospitals remain a prime target for cybercriminals in an interview with Action News Jax.


Story originally aired on Action News Jax. For more details, visit: https://www.actionnewsjax.com/news/local/ascension-cyberattack/3f21a506-bd2d-4cf2-8cd6-13443409e63e/

Welcome to our new series from OnDefend, where we delve into some of the most critical cybersecurity headlines.

We’re breaking down the Blackcat ransomware gang’s attack on Optum, the operator of the Change Healthcare platform.

OnDefend’s VP of Communications Lauren Verno sits down with James Case, CISO of Baptist Health Jacksonville, to get his insider perspective.

The Ransomware Attack:

The CEO of UnitedHealth Group, the parent company of Change Healthcare, Andrew Witty, testified in front of a congressional committee on Wednesday, May 1st, 2024, about the details behind the February attack by the BlackCat ransomware gang. The hackers gained initial access through stolen credentials used on a Citrix portal that did not have multi-factor authentication enabled. It was revealed the threat actor used these compromised credentials to remotely access the company’s systems for nine days before deploying the ransomware. During that time, the cybercriminals stole files containing sensitive patient information, including Protected Health Information (PHI) and Personally Identifiable Information (PII) of most Americans. Witty told Congress he took sole responsibility for the decision to pay the ransom, saying, ‘This was one of the hardest decisions I’ve ever had to make, and I wouldn’t wish it on anyone.’


Interview with James Case, Baptist Health Chief Information Security Officer (CISO):

Lauren: What goes through your head as a healthcare leader when you see an attack like this?

James Case: The entire healthcare industry is impacted. It’s a giant third party that affects thousands of companies and hospitals. There are backend processes that, if taken offline, prevent hospitals from accessing essential services like payment processing or authorizations. So, there’s a huge ongoing impact from that one company that was impacted, affecting the entire nation.

Lauren: Does that automatically spur a change in your own security program when something like this happens?

James Case: It’s a reminder—it’s third party risk—so maybe in our tabletops, it’s a reminder or feeds back into our feedback loop on scenarios to really tabletop. So, really tabletopping third party risk that we should all do more and more.

Lauren: Practice, practice, practice.

James Case: Practice and then find ways to improve, so it’s really both. And then education, right? It’s all the above.

Lauren: When you go into your security program and you talk to your people, what are you saying to them specifically about ransomware and what you guys should be doing, without going into any specifics, obviously?

James Case: Definitely prevention, but what we’ve learned over the last decade is that we also have to detect and respond, so we have to practice those. Practice finding things like tabletops, really practice responding, so we can move quicker, have muscle memory.

Lauren: Let’s talk about ransomware and healthcare. They just go hand in hand at this point?

James Case: It’s the number one risk for most hospitals.

Lauren: It’s more impacting than people think, in what way?

James Case: The hospital itself, patients know their charts are gone so people are going back to paper and now that we’re in 2024, the whole phrase going back to paper is getting less and less real. Now we have more doctors and folks that have never used paper, so they’re going to paper for the first time, they’re going to downtime procedures. So, we can practice for it and drill for it but when you’re really doing patient care it’s different.

Lauren: What would you say is the number one concern when it comes to a ransomware threat?

James Case: Easy answer there, absolutely is the patient care.

Lauren: Why ransomware, why healthcare?

James Case: The answer is pretty easy there, it’s about the money. Healthcare is a pretty easy target and also healthcare is kind of behind. Like the financial sector is years ahead from a controls perspective and a regulatory perspective and way more financial resources. Going back to hospitals trying to break even or trying to make a 1% margin just to stay afloat, well then there’s not money to add to the budget and add more controls and add more technology to stop the attackers. So, it’s a tough balance.

Lauren: Overall, do you think we’ll ever beat out the bad guys?

James Case: There’s no answer to that, right? It’s always going to be cat and mouse. Just like there’s no way to eliminate all risk, there’s probably no way to eliminate all bad guys. All you can do is find risk and reduce it and hope that you’re not the next person.



OnDefend named the 37th fastest growing Gator business globally in 2024 by the University of Florida Alumni Association’s prestigious Gator100 program.

This recognition celebrates the achievements of alumni-led businesses worldwide and underscores the significant contributions of Gators in various industries.

Gator Leadership Driving Growth

Our remarkable journey of growth and innovation is in part due to OnDefend Co-Founder & CEO, Chris Freedman, a proud alumnus of the University of Florida with a BS degree from the class of 2001. Under Chris’s visionary leadership in partnership with co-founders Ben Finke & Billy Steeghs, OnDefend has surged forward in the highly competitive IT services industry, continuously expanding our reach and enhancing our offerings to meet the evolving needs of our clients.

About the Gator100

The Gator100 program annually acknowledges and honors the 100 fastest-growing Gator-owned or Gator-led businesses around the world. The selection criteria focus on sustained growth over a three-year period, making this recognition a testament to persistent excellence and performance.

Our Industry Impact

Operating from Jacksonville, FL, our focus has been on pioneering solutions that address complex challenges in cybersecurity. Our approach has not only fueled our growth but also positioned us as leaders within the tech community, propelling our company to the forefront of innovation.

A Word from Our CEO, Chris Freedman

“I am immensely proud of our team’s hard work and dedication. Being recognized as the 37th fastest growing Gator business is not just a reflection of our company’s success but also a testament to the robust foundation provided by the University of Florida. This honor reinforces our commitment to strive for excellence and to continue pushing the boundaries in securing our world against threats.”


This announcement is a proud moment for everyone associated with our company, and we look forward to building on this success with continued passion and perseverance.

CHICAGO, April 16, 2024 – BDO Digital, the technology advisory arm of BDO USA, P.C., today announced that it has adopted cybersecurity innovator OnDefend’s breach and attack simulation technology, BlindSPOT, to enhance its IT security service offering called Active Assure.

BlindSPOT simulates real-world attack scenarios from both established and emerging cyber adversaries to identify vulnerabilities, test controls, and improve incident response time to help mitigate cyber risks.

The technology integration is a significant extension to BDO Digital’s Active Assure service, which provides continual threat simulations, purple teaming, and resilience assessments to validate the strength of an organization’s managed extended detection and response (MXDR) solutions. It also works seamlessly with Microsoft security tools to help improve the overall customer experience. With the addition of BlindSPOT, BDO’s clients will be able to better anticipate and prepare for evolving threats, identify security gaps, and adapt defenses so they remain resilient in the face of changing attack landscapes.

“Our collaboration with OnDefend empowers BDO Digital to offer our clients real-time validation that enhances defenses against the dynamic and sophisticated nature of cyber threats,” said Ric Opal, BDO Digital Principal & National Leader of IT Solutions and Strategic Partnerships. “It also helps users navigate the complex interaction between artificial intelligence (AI) and risk management, furthering our dedication to offer the best-in-class, full-service cyber solutions to our clients. Together, we help our clients thrive through greater cyber awareness and resilience.”

As the 2023 Microsoft Security Partner of the Year, BDO Digital is dedicated to delivering top-tier, resilient, and adaptive defense strategies to its clients. The new strategic relationship with OnDefend reinforces this commitment to helping clients mitigate cyber risks and strengthens BDO Digital’s Perpetual Defense cyber threat management solution.

“We are proud to empower BDO Digital with our attack simulation tool BlindSPOT, providing organizations visibility into the effectiveness of their security controls and proving the value of these investments,” said Chris Freedman, Co-Founder of OnDefend. “It is no longer a question of if but when a company will face an attack. While organizations invest in technical security controls to prevent, protect, and prepare, we’ve found that security programs needed a way to validate those tools will work during those critical moments.”

To learn more about Active Assure and the other components of Perpetual Defense, please visit: BDO Digital: Active Assure

About BDO USA

Our purpose is helping people thrive, every day. Together, we are focused on delivering exceptional and sustainable outcomes and value for our people, our clients and our communities. BDO is proud to be an ESOP company, reflecting a culture that puts people first. BDO professionals provide assurance, tax and advisory services for a diverse range of clients across the U.S. and in over 160 countries through our global organization.

BDO is the brand name for the BDO network and for each of the BDO Member Firms. BDO USA, P.C., a Virginia professional corporation, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. For more information, please visit: www.bdo.com.

About OnDefend

OnDefend, established in 2016, stands at the forefront of preventative cybersecurity testing and advisory services, a reputation further enhanced by the introduction of its advanced Breach and Attack Simulation (BAS) Software as a Service (SaaS) platform, BlindSPOT. OnDefend is a trusted partner, empowering organizations globally to proactively combat real-world cyber threats. From ensuring compliance with industry standards to building out mature security programs, our mission is to ensure that the security resources our customers invest in are well-utilized, effective, and provide tangible results. For more information about our services and solutions, please visit www.OnDefend.com.

Contact

BDO Digital: Ellen Evans

EEvans@TheBlissGrp.com

212‑840‑1661

OnDefend: Lauren Verno,

Media@ondefend.com

Lauren.verno@ondefend.com

904-299-3669

Customer Success: Ransomware & Healthcare

The Chief Information Security Officer of a major hospital system needed visibility into the effectiveness of their security controls. OnDefend’s breach and attack simulation solution, BlindSPOT, was able to provide visibility, validation, and clear results.

Ready to leverage BlindSPOT to simulate ransomware in your environment? Check out Ransomware Defense Validation, where we safely simulate ransomware attacks using our proprietary BlindSPOT attack simulation tool to test and validate that your defense in depth is prepared for real-world threats.

Originally aired on Action News Jax: Thousands potentially compromised in Jacksonville Beach, Beaches Energy cyberattack – Action News Jax

JACKSONVILLE BEACH, Fla. — A cybersecurity attack potentially compromised thousands of people’s private information, specifically those who have homes in Jacksonville’s three beaches, Ponte Vedra and Palm Valley.

The City of Jacksonville Beach sent out a statement, Wednesday, about a data security incident. The release stated the breach may have affected the privacy of information for certain employees of the city and customers of Beaches Energy Services, a utility that serves 35,000 customers according to its website.

Action News Jax learned on Thursday that the city was listed on a website found on the dark web. It has since been removed.

While the City of Jacksonville Beach won’t release how many people have been impacted, Action News Jax learned through the Maine Attorney General’s Office that 48,949 people have been impacted, including thirty-eight Maine residents. (Office of the Maine AG: Consumer Protection: Privacy, Identity Theft and Data Security Breaches) We’ve reached out to the Florida Attorney General’s Office for comment but haven’t heard back.

“About a month ago, I noticed that I wasn’t getting charged or any email confirmations,” Cierra Glasgow said. “So, I knew something was happening. I just never got notification that anything was wrong.”

Glasgow has been a Beaches Energy customer for four years and has her billing set up to auto-pay. She said she still hasn’t received any communication on why there’s a payment delay.

“It’s definitely concerning for the people that do pay online with our banking information, social security on there,” Glasgow said. “It’s definitely an unsettling feeling knowing that that could be in the hands of hackers.”

An investigation revealed that between the dates of January 22 and January 29, information may have been taken from the city network, according to the City of Jacksonville Beach spokesperson.

Action News Jax told you at the end of January, when the city had an “information systems issue” due to a “cybersecurity event” that forced city hall and city facilities to close down on Monday.

At the time, the city said it had “no indication” that personal, sensitive data was compromised.

Action News Jax reporter, Meghan Moriarty, learned on Thursday that the City was given information on February 22 indicating that sensitive information “pertaining to certain individuals” was involved in the cybersecurity incident from January.

In a formal statement Wednesday, the city said information belonging to its employees and customers of Beaches Energy Services may have been impacted, including Social Security numbers, driver’s license information and bank account information.

When we asked about the gap in notification a spokesperson said:

“Comprehensive computer forensic investigations take time. After the City identified certain files were involved in the event during the investigation, it began a thorough review of those files to determine their contents and to obtain contact information for individuals so that it could issue written notice.”

— City of Jacksonville Beach spokesperson

“I think you can also assume that your login credentials were stolen, so maybe change your username and password, certainly your password across all your platforms you use,” Chris Freedman, the CEO of OnDefend, said.

He said smaller municipalities have become the big target for cyber attacks.

“They really have unsecure programs and they’re softer targets,” Freedman said. “If the data was stolen, it’s likely for financial reasons, for profitable reasons. So certainly, checking their credit, freezing their credit.”

Freedman recommends taking proactive measures by monitoring your identity and monitoring your credit. He also recommended Have I Been Pwned, a website where you can check if your information is involved in a data breach.

A City of Jacksonville Beach spokesperson said if your information was compromised, you’ll get a letter in the mail with information and a code to use a credit monitoring service. Anyone who believes they are potentially impacted by this incident or has additional questions may call the dedicated assistance line at 844-709-0703.


For Media Inquiries: Lauren Verno, OnDefend

Media@ondefend.com

Originally written for Forbes: How To Prepare For A Ransomware Attack (forbes.com)

Let’s start by working our way back. To set the scene: You and your team successfully repelled a ransomware attack. You stopped it before it spread, disrupted your work or stole your data. You avoided the dreaded “I” word (incident).

Sure, there were a few malicious email attachments, and some credentials were compromised. However, your team quickly identified and contained the compromised endpoints, effectively executing a well-practiced plan. It’s truly magnificent!

So, how did you succeed where so many others have failed?

A Plan Of Action

First, you had a plan that your team not only knew about but also practiced and could execute competently. That leads me to my first recommendation: Have a plan and be able to execute it, with a hard emphasis on the “execute” part. So many organizations have a plan, and it could be a great one, but if you don’t execute the plan well, then what’s the point?

Second, your team had the necessary visibility to detect malicious activity before the ransomware could cause significant damage. This was achieved by identifying the right data (telemetry) and then collecting it someplace where your team can hunt through it and build analytics that highlight possible problems (detections). Proper data collection, effective detection capabilities and training are crucial for success.

You might expect me to mention vulnerability scanning, but it’s not the ultimate solution to your ransomware problem. Ransomware attacks often start with access methods that don’t require exploitation, such as phishing emails. Not to mention the constant parade of zero-day vulnerabilities: unless your vulnerability management program lets you identify and patch in less than 24 hours, odds are exploitable vulnerabilities will always be a challenge. This leads you back to identifying and responding once an adversary gains access.

Just to note—I’m certainly not suggesting you abandon your vulnerability management program. Just be realistic about the total effectiveness of preventing these kinds of attacks.

In short, here’s the plan that has led to our success.

1. Have a plan.

2. Ensure your team can execute the plan effectively.

3. Collect the right data (telemetry).

4. Apply effective analytics (detections) to the collected data.

5. Train your team to effectively utilize security tools and gather telemetry for reliable detections.

You may be looking at this list and thinking, “Yep, check on all of those! I’m set.”

However, how are you grading the maturity of each? How do you discover the gaps?

When you were in school, how did teachers score your level of retention of material throughout the year? Testing.

Testing, Testing, Testing

In this case, test your plan by executing adversary activity within your environment.

Frequently, this takes the form of a network penetration test, but I would argue a single pentest will not fully express the success or failure of a program. Pentests generally tell you how effective an attack path may be in a given scenario, but often, those actions reflect the individual pentester’s capabilities rather than a true adversarial attack.

Instead, consider unit and functional testing, then a full dress rehearsal. Unit testing evaluates specific security tool performance, while functional testing combines telemetry and detection. Full dress rehearsals, such as tabletop exercises or red team exercises, simulate real adversary attacks.

In unit testing, ask specific questions like “Does our EDR prevent the execution of regsvr32.exe to execute an unknown DLL?” This allows you to establish a baseline or an understanding of the current state. Then, you can continuously test and monitor changes to ensure the security tool remains effective. You’ll also get a chance to see what telemetry the unit test action generates and whether any detections built for it are correctly tuned.

As a quick aside, I have seen a lot of situations where a security tool blocks something, such as the example above, and the SOC team will close the alert without investigation. Cue my brain exploding.

I get it; most teams are frequently drowning in a sea of alerts, and there is just not enough time in the day, but my goodness, something just happened where your tools expressly had to block an issue! Wouldn’t you want to know what happened? What if there happened to be other activity that didn’t get blocked?

One way to help reduce these vast volumes of alerts is to write more effective detections in the first place.

Here is where functional testing can come into play: the execution of a chain of events to see if we can leverage our telemetry to put together multiple detections into a single incident. Functional testing also lets us test tuning out the normal activity in the environment. This gives us fewer, but better, alerts that our team can now investigate. The findings feed back into detections and/or telemetry, which in turn amplifies your team’s plan and their ability to execute it.
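As an added example (not code from the Forbes article or from OnDefend), here is a toy detection pipeline that runs both kinds of test over constructed process-creation telemetry: the unit question above (does a detection fire on regsvr32.exe executing an unknown DLL?) and the functional question (do the alerts from a chain of events land in one incident, with a known-benign installer tuned out?). Rule names, event field names, the trusted-directory list and the 300-second correlation window are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Event:
    """One process-creation record (constructed; field names are assumptions)."""
    ts: int            # seconds since the start of the exercise
    host: str
    pid: int
    image: str         # full path of the new process
    cmdline: str
    parent_image: str  # full path of the parent process

@dataclass
class Alert:
    rule: str
    host: str
    pid: int
    ts: int

# Tuning knobs (assumptions): a real environment derives these from telemetry
# observed during normal operations, which is what functional testing is for.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "powershell.exe"}
_DLL_RE = re.compile(r'"([^"]*?\.dll)"|(\S+\.dll)', re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def dll_argument(cmdline: str) -> Optional[str]:
    """Return the first .dll path on the command line (quoted or bare), lower-cased."""
    m = _DLL_RE.search(cmdline)
    return (m.group(1) or m.group(2)).lower() if m else None

def rule_regsvr32_unknown_dll(ev: Event) -> Optional[Alert]:
    """The article's unit-test question: regsvr32.exe executing an unknown DLL.
    'Unknown' is defined here as a DLL outside the trusted directories (tuning)."""
    if basename(ev.image) != "regsvr32.exe":
        return None
    dll = dll_argument(ev.cmdline)
    if dll is None or dll.startswith(TRUSTED_DLL_DIRS):
        return None
    return Alert("regsvr32_unknown_dll", ev.host, ev.pid, ev.ts)

def rule_office_spawns_lolbin(ev: Event) -> Optional[Alert]:
    """Second detection: an Office application spawning a living-off-the-land binary."""
    if basename(ev.parent_image) in OFFICE_APPS and basename(ev.image) in LOLBINS:
        return Alert("office_spawns_lolbin", ev.host, ev.pid, ev.ts)
    return None

RULES = [rule_regsvr32_unknown_dll, rule_office_spawns_lolbin]

def run_detections(events: List[Event]) -> List[Alert]:
    """Apply every rule to every event; one alert per (rule, event) hit."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev)) is not None]

def correlate(alerts: List[Alert], window: int = 300) -> List[List[Alert]]:
    """Functional-test view: alerts on the same host within `window` seconds of
    the previous alert are grouped into a single incident."""
    incidents: List[List[Alert]] = []
    for a in sorted(alerts, key=lambda x: (x.host, x.ts)):
        last = incidents[-1][-1] if incidents else None
        if last and last.host == a.host and a.ts - last.ts <= window:
            incidents[-1].append(a)
        else:
            incidents.append([a])
    return incidents

# Constructed telemetry: a benign installer, a multi-step chain, and a lone hit.
TELEMETRY = [
    Event(10, "ws01", 400, "C:\\Windows\\System32\\regsvr32.exe",
          'regsvr32.exe /s "C:\\Program Files\\Vendor\\vendor.dll"',
          "C:\\Program Files\\Vendor\\setup.exe"),
    Event(100, "ws02", 501, "C:\\Windows\\System32\\regsvr32.exe",
          "regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.dll",
          "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"),
    Event(130, "ws02", 502, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          "powershell.exe -NoProfile -File C:\\Users\\alice\\AppData\\Local\\Temp\\run.ps1",
          "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"),
    Event(5000, "ws03", 900, "C:\\Windows\\System32\\regsvr32.exe",
          "regsvr32.exe /s C:\\Users\\bob\\Downloads\\helper.dll",
          "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for n, inc in enumerate(correlate(run_detections(TELEMETRY)), 1):
        print(f"incident {n}: host={inc[0].host} rules={[a.rule for a in inc]}")
```

Running it yields two incidents rather than four loose alerts: the ws02 chain (three alerts from two events) collapses into one, the lone ws03 hit stands alone, and the vendor installer on ws01 never alerts because its DLL lives under a trusted directory.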

The reality is that so many security teams spend their days just closing false positive alerts that they don’t spend much time preparing to identify and expel an intrusion. It’s imperative to prioritize practicing the execution of an incident response plan.

Once all of that has been done, you’re ready for a full dress rehearsal—which means simulating the exact tactics and techniques of these adversaries to ensure you understand the timing of everything: detection, response and containment times.

These processes for working through your preparations will continually influence the others. As your detection and mitigation capabilities improve, so will your plan. As the team exercises the plan more often, they will find the need for increased capabilities in the security tools or their ability to use them. But, testing at each stage will give you real metrics and data to understand the maturity of your preparation and where your next improvement should be.

That way, when opening night comes (and I promise it will), you will have already performed these tests enough times to know you’re ready.

Learn more about how OnDefend is protecting organizations from ransomware through Ransomware Defense Validation.
Take the next steps in exploring how your organization’s defense in depth will hold up against a ransomware attack.

Originally reported on News4Jax: ‘Sophisticated cyberattack’ on city of Jacksonville Beach potentially impacts personal data of workers, residents (news4jax.com)


JACKSONVILLE BEACH, Fla. – The city of Jacksonville Beach plans to reach out to residents about a “sophisticated cyberattack” that occurred at the end of January that could have potentially affected personal data.

The city first informed residents of what it called a “cyberattack conducted by a criminal organization” that crippled city operations, causing city hall and other city facilities to abruptly shut down.

An investigation was opened as the city worked to address the issue, and it revealed that “certain files in the City’s systems were subject to unauthorized access.” Officials believe that information may have been accessed between Jan. 22 and Jan. 29, 2024.

Sensitive information such as social security numbers, driver’s license numbers and/or bank account information is believed to be impacted. The city did say that the information varies by individual.

City employees and customers of Beaches Energy Services will receive a notice in the mail if they are affected. The city will also provide notice of the cyberattack directly to other people who were involved.

“The City takes this event and the security of information in our care very seriously, and we are working to determine the full extent of the event,” Communications Manager for the City of Jacksonville Beach Jacob Board said.

Chris Freedman, CEO of OnDefend, explained why smaller cities such as Jacksonville Beach would be targeted for a cyberattack.

“Smaller cities just like smaller private organizations, they’re usually less funded to build proper cybersecurity programs. They have less measures in place to defend against cyber attacks, less money for training their employees to avoid these types of things as well. So it really is just a lack of investment which makes them softer targets,” Freedman said.

Anyone who believes they were potentially impacted is urged to call 844-709-0703 between 9 a.m. and 9 p.m.



Media Contact: Lauren Verno, OnDefend
Media@ondefend.com

Jacksonville University & OnDefend are proud to announce the appointment of Ben Finke, Chief Technology Officer (CTO) at OnDefend, to the Advisory Board of the Center of Cybersecurity and the Department of Computing Science.

Mr. Finke brings a wealth of experience and expertise in the field of cybersecurity, making him an invaluable addition to the university’s efforts in fostering cybersecurity education and innovation.

The Jacksonville University Center of Cybersecurity is dedicated to addressing the rising demand for skilled cybersecurity professionals by producing highly qualified graduates, providing top-notch training and certification programs, and establishing itself as a hub for innovation in cybersecurity research and teaching. The Department of Computing Science offers Bachelor of Science majors in Computing Science and Cybersecurity, along with minors in Computing Science and Cybersecurity.

As a member of the Advisory Board, Ben Finke will play a crucial role in shaping the mission and objectives of the Center of Cybersecurity and the Department of Computing Science. His responsibilities include contributing to the ongoing evaluation of the mission statement, reviewing and evaluating undergraduate programs’ curriculum, and providing insights into the expected core competencies of graduates.

Furthermore, Mr. Finke’s role will involve creating a demand for graduates through internships, co-op positions, and permanent positions. Additionally, he will work to increase the visibility of the Cybersecurity and Computing Science Programs locally, statewide, and regionally.

Ben Finke, OnDefend’s lead security assessor, brings a diverse skill set to the Advisory Board. With expertise in penetration testing, web application security, vulnerability management, and compliance assessments, Mr. Finke serves as a security architect and manager of OnDefend’s security operations practice. His commitment to sharing and collaboration, coupled with a pragmatic approach to problem-solving, has positioned him as a thought leader in the industry.

Finke joins a list of cybersecurity industry leaders including Cybersecurity and Infrastructure Security Agency (CISA) supervisory protective security advisor Dr. Kirby Wedekind, AMCS Group chief enterprise architect Evan Schwartz, Federal Bureau of Investigation (FBI) supervisory special agent Paul Magnusson, and NLP Logix co-founder and CIO Matt Berseth.

OnDefend Media Contact: Lauren Verno, media@ondefend.com