Although experts say it's best for enterprises to assume they've already been breached, rarely does that reality sink in. More often, companies get a ransom notice from a hacker demanding payment in exchange for not publicly dumping their sensitive data.
Organizations are in a tight position when figuring out what to do and if paying a ransom is the best option. The situations are becoming more common: Security firm FireEye has responded to more disruptive breaches over just the past year than since it was founded in 2004, says Charles Carmakal, vice president with FireEye's Mandiant forensics unit, in an interview with Information Security Media Group. He says dealing with hackers and negotiating a potential resolution is a tricky proposition.
"There could be an emotional response based on you not responding, or an emotional response based on you responding in a very maybe condescending or antagonistic way," he says. "You've got to be very careful and script out how you're going to engage with a threat actor."
Some hackers have made good on their threats in instances where the victim did not give in to an extortion demand.
"We have seen the threat actors release that information in a very public, very embarrassing way to our clients, and it was a very challenging situation for our clients to have to live through that," he says.
In this interview, Carmakal discusses:

How carefully engaging the hackers could buy your organization more time and help determine whether data has really been stolen or the attackers are just bluffing.
Why paying a ransom may not prevent data from being publicly released.
How to recover after a breach and ensure a second breach doesn't occur.

Carmakal joined Mandiant five years ago as a vice president. He was previously a director at PricewaterhouseCoopers. His background includes penetration testing, web application security assessments, social engineering and computer forensic investigations.