Lately I’ve been dealing with a lot of ransomware cases. And often our team runs into issues with the IT staff from the victim organization.

Whether they’re embarrassed or afraid of being shown up or for whatever other reason, they’re uncooperative or in some cases actively working against our investigation.

So on a recent case, during our engagement kick-off call, I laid it out like this. “We’re going to investigate and figure out where this started. And it will be an unpatched system, or somebody clicking a link, or somebody just being unlucky with a web site they visited.”

“And NONE of that is YOUR FAULT. All organizations are vulnerable, because I have yet to meet an org whose security budget exceeds their attack surface.”

“You are not the assholes here. The assholes are the ones who took that vulnerability and used it to drop ransomware all over your network. Just because you forgot and left your door unlocked doesn’t make it right for somebody to come in and trash your place.”

“We are the good people. The ones who are trying to figure out what happened and make things better. This is a team effort that is going to require everybody’s help. Nobody is to blame, we are all just trying to fix this mess we find ourselves in.”

Later in the engagement, several people from all levels in the IT staff said they appreciated those words and the timing and it helped them move on from the initial FUD stage of the incident and be more productive. Your mileage, as always, may vary.

It's interesting that you find that necessary. Doing IR on the inside, I've taken the approach of being transparent to management about small incidents, and including as much of the business as is appropriate. 1/