Lately I’ve been dealing with a lot of ransomware cases. And often our team runs into issues with the IT staff from the victim organization.

Jul 18, 2021 · 9:39 PM UTC

Whether they’re embarrassed or afraid of being shown up or for whatever other reason, they’re uncooperative or in some cases actively working against our investigation.
So on a recent case, during our engagement kick-off call, I laid it out like this. “We’re going to investigate and figure out where this started. And it will be an unpatched system, or somebody clicking a link, or somebody just being unlucky with a web site they visited.”
“And NONE of that is YOUR FAULT. All organizations are vulnerable, because I have yet to meet an org whose security budget exceeds their attack surface.”
“You are not the assholes here. The assholes are the ones who took that vulnerability and used it to drop ransomware all over your network. Just because you forgot and left your door unlocked doesn’t make it right for somebody to come in and trash your place.”
“We are the good people. The ones who are trying to figure out what happened and make things better. This is a team effort that is going to require everybody’s help. Nobody is to blame, we are all just trying to fix this mess we find ourselves in.”
Later in the engagement, several people from all levels in the IT staff said they appreciated those words and the timing and it helped them move on from the initial FUD stage of the incident and be more productive. Your mileage, as always, may vary.
Replying to @hal_pomeranz
That is an absolutely excellent approach. Most orgs get very defensive and territorial about things when something goes really wrong. Defusing the situation up front and building a collaborative relationship… A+!
Replying to @hal_pomeranz
Great approach, you must remove blame from any investigation, or it will not be effective. Orgs can learn or blame, not both.
Replying to @hal_pomeranz
I think part of the problem is that they feel like their org has no faith in them when it comes to solving the problem. That they call you in the first place and they put you in charge over them. I wouldn't be happy if you would start telling my team what to do either.
Replying to @hal_pomeranz
This is a great thread. Folks who have IR experience tend to have less fog of war in these situations. We see attacks all of the time. The client typically has not. Humility and empathy go a long way to help de-escalate tension.
Replying to @hal_pomeranz
Part of our job is also triaging the human aspect. Talking people down off of the ledge, get some consensus, convey confidence.
Replying to @hal_pomeranz
Well said, and thank you for that perspective.
Replying to @hal_pomeranz
Don’t get me wrong but can it be that the in-brief/initial meeting was not handled correctly and the IT audience not involved or not fully addressed about the scope and the activities? Maybe it was too “high level” and the IT guys were not there… Just my guess.
Replying to @hal_pomeranz
This is helpful on a number of levels. Thank you
Replying to @hal_pomeranz
What are the issues and why?