After Fidelity National Financial Inc. (FNF) reported in a filing with the Securities and Exchange Commission that it was the victim of a cybersecurity incident, Gregory McDonald, CEO of Cloudstar, provided insight into what might be happening in these days after the attack.
The filing noted that the incident “resulted in disruptions to [FNF’s] business.”
It continued, “FNF promptly commenced an investigation, retained leading experts to assist the company, notified law enforcement authorities, and implemented certain measures to assess and contain the incident. Among other containment measures, we blocked access to certain of our systems, which resulted in disruptions to our business. For example, the services we provide related to title insurance, escrow and other title-related services, mortgage transaction services, and technology to the real estate and mortgage industries, have been affected by these measures.”
Many agents are likely asking questions, including, “How could this happen?”
While it would be great to know exactly what happened and how it happened, McDonald said that at this stage, it's hard to know.
“One article speculated that it could be a Citrix vulnerability, but there’s really no way of knowing that at this point,” he said. “There are several different attack vectors that can be used.
“In any organization, whether it’s what happened to me or whether it's Fidelity, they’re not going to know what happened right away,” McDonald continued. “They have to do their research, they need to lock things down. They need to bring in outside experts and they need to find out exactly what happened, so they are going to be very tight-lipped about it, just like anybody would be. The first thing that you do is you close the doors, you lock them up, you control communication and you figure out what happened.”
He said it's extremely frustrating to not be able to share what is happening.
“It's extremely frustrating because we’re all on the same team, right?” McDonald said. “When that happened to me, I’m on team customer, and Fidelity is too. Fidelity is on the side of the customer. We’re all on the same team. The bad people, they’re over in Russia. The bad people are trying to harm me, the bad people are trying to harm Fidelity, the bad people are trying to harm the customer. We’re all on the same team. The reason it's frustrating is that we want to help the customer… and the way that we help the customer is by fixing the problem.”
A lot of people trained to handle these situations are going to get involved and guide you, often at the direction of your insurance carrier.
“The first thing you are going to do is call the insurance company,” he said. “There’s a good reason for that. It's because the insurance company is going to pay for the resources that you need. The first thing the insurance company is going to do is they’re going to bring in the cybersecurity experts.”
McDonald said these data security and forensic experts are going to help triage and stop the bleeding and isolate where the threat is coming from.
Insurance providers will also bring in ransomware negotiation teams, people who can figure out who the threat actors are and how to talk to them.
There are also lawyers that will get involved, and they are going to advise you on what you can and cannot say in order to protect you, and by extension, your customers.
“From a customer standpoint, they’re going to think that you’re not saying something because you have something to hide,” McDonald said. “And it's important to know they are not. Of course lawyers are trying to protect everyone, but you have someone that is trying to extort millions and millions and millions of dollars.”
He also noted that like other types of ransom situations, a negotiator is trying to guide you on what to say because the criminal you are negotiating with is going to be listening in on everything that you say.
“[Another] reason that communication is limited is because anything that you say can upset that criminal,” McDonald said. “They can decide, ‘We’re going to publish all of that data, or we’re going to retaliate against your customers.’”
As disruptions to business continue, agents are also likely asking, “Why can’t you just use backups?”
McDonald said that while that is a fair question to ask, the answer is a lot more complicated when it comes to dealing with ransomware than perhaps it was when addressing the viruses of the past.
First, he noted that criminals know you have backups off-site and they attack those too.
He noted that in the past, when you got a virus, it attacked your computer and the computer was toast. But you could go to your backups and get your data back. The virus was not intelligent and was unaware that you have backups somewhere across the country.
“What’s going on today, people are not getting viruses as often,” McDonald said. “What’s going on today is organizations are being strategically attacked by foreign organizations with teams of people that are rewarded by millions of dollars if they attack both your production systems and your backups. When criminal enterprises are rewarded with millions of dollars, they’re going to go after your backups. They are going to have someone working 40 hours a week to find where those backups are located. And they are going to tear them down, otherwise they have no leverage.”
He said having data replicated off-site is important if you are impacted by a fire or there’s an earthquake, tornado, hurricane or other natural disaster, but it will not help in the event of a ransomware attack.
McDonald also noted that there are many ways these criminals can get access to credentials. One way that is not often spoken of is approaching individuals who work at offshore companies. The criminals approach these hardworking people trying to provide for their families, ask them for a username and password, and offer them perhaps $5,000 or $10,000.
“Everyone’s always real quick to say, ‘Oh well, it wouldn’t happen if they didn’t click on that link in the email,’” he said. “My employees are really smart. They know not to click on links in an email. That’s how it happened 20 years ago, and it’s how it could happen today, but I don’t think that’s how this happened. I don’t know how it happened. It's usually something more sophisticated.”
He said restoring data is not like turning a switch back on.
“In my case, we had a couple of petabytes of data,” McDonald said. “Lets say you want to restore something like that. That can take weeks to restore.
“And how do you just restore?” he continued. “When you’ve had an infiltration like that, suppose you restore it and that data is infected? You need to track it and see, and that’s what’s going on right now. Fidelity just can’t make something live, even if they think that it's clean, even if they think they isolated that, they need to make sure. If they restore services too quickly, maybe the threat actor can get access to capital. You don’t know how long they’ve been sitting there or when the infiltration happened. They could have been in there for three months. So if you restore last week’s data, you probably start a new [breach].”
He said it could take a long time to figure out how long the threat actor was in your system.
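The two points above, that a mirrored off-site copy inherits whatever the attacker did to the backups and that an intact snapshot is still unsafe if it postdates the intrusion, can be turned into a concrete restore-point check. The script below is an added illustration written for this article, not code from Cloudstar, FNF or any backup product. It assumes a manifest of HMAC tags computed when each snapshot was taken, with the key kept off the backup network (the key, snapshot names, contents and dates are all constructed for the example); it then reports which snapshots on the store still verify and picks the newest one older than the earliest compromise time the investigation has established.

```python
"""Choose a ransomware restore point from backup snapshots (illustrative).

Checks implemented:
  1. Integrity: each snapshot is verified against an HMAC manifest signed at
     backup time with a key the backup service account cannot read, so a copy
     the attacker encrypted or replaced (and replication then mirrored) fails.
  2. Dwell time: only snapshots taken before the earliest known compromise
     time qualify, optionally with a margin because that estimate tends to
     move earlier as the investigation continues.
All keys, names, contents and dates below are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical key held offline (e.g. on a hardware token in a safe).
OFFLINE_MANIFEST_KEY = b"example-offline-manifest-key"


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken_at: datetime
    data: bytes  # stands in for the snapshot's contents


def snapshot_tag(snapshot: Snapshot, key: bytes = OFFLINE_MANIFEST_KEY) -> str:
    """HMAC over name, timestamp and content hash, so tampered contents and a
    renamed or backdated snapshot both fail verification."""
    digest = hashlib.sha256(snapshot.data).hexdigest()
    msg = f"{snapshot.name}|{snapshot.taken_at.isoformat()}|{digest}".encode()
    return hmac.new(key, msg, "sha256").hexdigest()


def sign_manifest(snapshots: List[Snapshot], key: bytes = OFFLINE_MANIFEST_KEY) -> Dict[str, str]:
    """Build the manifest at backup time; it must be stored where the attacker
    cannot rewrite it (offline media or write-once storage)."""
    return {s.name: snapshot_tag(s, key) for s in snapshots}


def intact_snapshots(snapshots: List[Snapshot], manifest: Dict[str, str],
                     key: bytes = OFFLINE_MANIFEST_KEY) -> List[str]:
    """Names of snapshots whose current contents still match the manifest."""
    intact = []
    for s in snapshots:
        expected = manifest.get(s.name)
        if expected is not None and hmac.compare_digest(expected, snapshot_tag(s, key)):
            intact.append(s.name)
    return intact


def choose_restore_point(snapshots: List[Snapshot], manifest: Dict[str, str],
                         earliest_compromise: datetime,
                         margin: timedelta = timedelta(0),
                         key: bytes = OFFLINE_MANIFEST_KEY) -> Optional[str]:
    """Newest snapshot that is intact and predates the compromise cutoff,
    or None when no snapshot qualifies (which is itself a finding)."""
    cutoff = earliest_compromise - margin
    intact = set(intact_snapshots(snapshots, manifest, key))
    candidates = [s for s in snapshots if s.name in intact and s.taken_at < cutoff]
    if not candidates:
        return None
    return max(candidates, key=lambda s: s.taken_at).name


def demo() -> dict:
    """Constructed scenario: seven nightly snapshots signed as they were taken;
    the attacker later encrypts the newest copies plus one older one, and
    replication pushes that damage to the off-site store unchanged."""
    base = datetime(2023, 11, 15, 2, 0)
    originals = [
        Snapshot(f"nightly-{(base + timedelta(days=i)).date()}",
                 base + timedelta(days=i), f"ledger data day {i}".encode())
        for i in range(7)
    ]
    manifest = sign_manifest(originals)

    # State of the off-site store after the attack: same names and
    # timestamps, contents overwritten for the snapshots the crew found.
    ransomed = {"nightly-2023-11-17", "nightly-2023-11-19",
                "nightly-2023-11-20", "nightly-2023-11-21"}
    on_store = [
        Snapshot(s.name, s.taken_at, b"\x00ENCRYPTED\x00" + s.data) if s.name in ransomed else s
        for s in originals
    ]

    # Forensic finding (constructed): first attacker login at 14:00 on 18 Nov.
    first_seen = datetime(2023, 11, 18, 14, 0)
    return {
        "intact": intact_snapshots(on_store, manifest),
        "restore_point": choose_restore_point(on_store, manifest, first_seen),
        "restore_point_with_margin": choose_restore_point(
            on_store, manifest, first_seen, margin=timedelta(days=2)),
    }


if __name__ == "__main__":
    print(demo())
```

In the scenario, the 18 Nov snapshot was taken at 02:00, before the first observed login that afternoon, so it is the newest safe point; adding a two-day margin, as an investigator would while dwell time is still uncertain, pushes the choice back to 16 Nov. The design point is that the manifest key, not the backup store, is what the attacker would need to forge, which is why it has to live somewhere the backup service's own credentials cannot reach.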