This news is a few days old, but, as most people in security are aware, the last week or so has been consumed by RSA and RSA-related fun.

A few days ago, Epiq software was "hit with a ransomware attack, prompting the e-discovery and managed services company to take its systems offline for the foreseeable future."

Who is Epiq? They are one of the largest companies in the global e-discovery field. The extent of the event isn't clear at this point, but all business has been halted. 

As a young man, I worked IT in the legal industry. Time is, literally, money. Your time is billed in the smallest increments possible, and a very high percentage of your time is spent in document review. If you can't review documents, you can't bill for discovery.

See where I'm going? This is having ripples throughout the legal industry, though it's doubtful the full extent will become clear. 

How did this happen? Ryuk ransomware via Trickbot, best explained here: https://complexdiscovery.com/ransomware-ryuk-and-risk-beginning-to-understand-the-epic-attack-on-epiq/

"TrickBot is most commonly installed by the Emotet Trojan, which is spread through phishing emails.

Once TrickBot is installed, it will harvest various data, including passwords, files, and cookies, from a compromised computer and will then try to spread laterally throughout a network to gather more data.

When done harvesting data on a network, TrickBot will open a reverse shell to the Ryuk operators.

The Ryuk Actors will then have access to the infected computer and begin to perform reconnaissance of the network. After gaining administrator credentials, they will deploy the ransomware on the network’s devices using PowerShell Empire or PSExec.

In Epiq Global’s case, Ryuk was deployed on their network on Saturday morning, February 29th, 2020, when the ransomware began encrypting files on infected computers."

I write and say this all the time: we have to be right every single time, thousands and millions of times a day; they only have to get lucky once. 

One of the first issues here is that there was no visibility of dataflows. If you can't see it, you can't create policies around it, and if you can't create policies, you can't protect it.

A secondary issue: without a robust way to enforce the application segmentation policies that you've visualized, you have no way to stop a rapid recon/exploit path that leads to a ransomware event or a loss of private information. 
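To make the two points above concrete (visibility of flows first, then enforcement of segmentation policy), here is an added example of the kind of check a resiliency program would run. It is not Epiq's tooling or any vendor's product; the segment names, hosts, policy rules and flow records are all constructed for illustration. The first function builds the dependency map you would visualize, the second flags flows with no matching allow rule, and the third catches the fan-out pattern of the quoted attack chain (one host reaching many peers over SMB/RPC with PsExec-style tooling) even when each individual flow is technically allowed by policy.

```python
"""Hypothetical flow-visibility and segmentation-policy checker (added example,
not the tooling of Epiq or any vendor). Works over constructed flow records:
summarises which application segments talk to which, flags flows not covered
by an allow-list policy, and flags a single host fanning out to many peers on
remote-admin ports, which is the footprint of PsExec/WinRM-style lateral movement."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: host -> application segment (assumed names).
SEGMENT = {
    "10.1.0.10": "workstation",
    "10.1.0.11": "workstation",
    "10.2.0.5": "review-web",
    "10.2.0.6": "review-web",
    "10.3.0.7": "review-db",
    "10.4.0.8": "file-server",
    "10.4.0.9": "file-server",
    "10.4.0.12": "file-server",
}

# Allow-list policy as (source segment, destination segment, destination port).
# Anything not listed here is a violation; this is the "enforce" half.
POLICY = {
    ("workstation", "review-web", 443),
    ("review-web", "review-db", 1433),
    ("workstation", "file-server", 445),
}

# Ports used by remote-administration tooling: SMB, RPC endpoint mapper, WinRM.
ADMIN_PORTS = {445, 135, 5985}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed sample flows: normal review-platform traffic, plus one
# workstation touching every file server and two other tiers over SMB/RPC.
FLOWS = [
    Flow("10.1.0.10", "10.2.0.5", 443),
    Flow("10.2.0.5", "10.3.0.7", 1433),
    Flow("10.1.0.11", "10.4.0.8", 445),
    Flow("10.1.0.10", "10.4.0.8", 445),
    Flow("10.1.0.10", "10.4.0.9", 445),
    Flow("10.1.0.10", "10.4.0.12", 445),
    Flow("10.1.0.10", "10.2.0.6", 135),
    Flow("10.1.0.10", "10.3.0.7", 445),
]


def segment_of(host):
    """Map a host to its segment; untagged hosts land in 'unknown'."""
    return SEGMENT.get(host, "unknown")


def dependency_map(flows):
    """Visibility step: which segment pairs actually talk, and on which ports."""
    deps = defaultdict(set)
    for f in flows:
        deps[(segment_of(f.src), segment_of(f.dst))].add(f.dport)
    return dict(deps)


def policy_violations(flows, policy=POLICY):
    """Enforcement step: flows for which no allow rule exists."""
    return [
        f for f in flows
        if (segment_of(f.src), segment_of(f.dst), f.dport) not in policy
    ]


def lateral_fanout(flows, threshold=3, ports=ADMIN_PORTS):
    """Hosts whose admin-port connections reach at least `threshold` distinct peers.
    Catches lateral movement that stays inside allowed segment pairs."""
    peers = defaultdict(set)
    for f in flows:
        if f.dport in ports:
            peers[f.src].add(f.dst)
    return {src: sorted(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for pair, ports in dependency_map(FLOWS).items():
        print("dependency", pair, sorted(ports))
    for f in policy_violations(FLOWS):
        print("policy violation", f)
    for src, dsts in lateral_fanout(FLOWS).items():
        print("admin-port fan-out from", src, "to", dsts)
```

The design point is that the allow-list alone would have passed the three workstation-to-file-server SMB flows, because that pair is legitimately in policy; only the fan-out check sees that one workstation is suddenly reaching every file server plus a web and a database host over admin ports. Policy enforcement stops the flows you never intended; the behavioural check is what shortens the recon-to-ransomware window inside the flows you did intend.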

It sounds like Epiq is doing all the right things, following a solid resiliency plan and potentially restoring from good backups, etc., but the time=money equation just keeps getting larger. If more organizations considered segmentation not just a function of networking or security but of a broader resiliency program, there would be one more way of preventing them from getting lucky.

Have a great day, and thanks for reading!