Source: www.csoonline.com – Author:
Security Director Guillermo Llorente discusses what it was like to lead the Spanish multinational’s response to the 2020 cyberattack, as well as the lessons he learned in turning the incident into a security management success story.
In the summer of 2020, insurance company Mapfre suffered a ransomware attack that impacted thousands of the company’s servers and workstations in Spain. The timing could not have been more complicated — in the middle of the pandemic and on the eve of a holiday when many Spanish citizens are on vacation and the demand for Mapfre’s roadside assistance services increases.
But the company managed to emerge stronger from the incident. The Spanish Data Protection Agency itself would later stress that the multinational company had the appropriate security measures in place to deal with the cyberattack, which enabled it to act diligently and minimize its effects. It also highlighted the insurer’s ability to communicate this situation transparently.
Guillermo Llorente, CSO and head of crisis management at Mapfre, not only experienced this situation firsthand but also led the insurance company’s response to it. The executive explains to CSO Spain what lessons he learned and how Mapfre managed to turn a ransomware attack into a success story in security management.
Let’s go back to the summer of 2020. How did Mapfre experience the largest cyberattack in the company’s history? What were those first moments like after the incident and what were the first decisions you made?
Llorente: What happened, which is what usually happens in these cases, is that suddenly the lights went out, and it is the CISO or crisis management person who must get them back on.
Today we know a lot more about what happened that day. For example, that the cyberattack began to take shape a year earlier, when someone bought internet domains similar to the one we have at Mapfre with the intention of launching ransomware, which happened on Aug. 14, 2020, the year of the pandemic and in the middle of the holiday period in Spain and much of the world — and already 9pm on a weekend, too. That day was, therefore, the day when there were the fewest people in Mapfre’s offices in our history, while the following day, Aug. 15, was the day with the highest number of road trips in Spain, an important date for a leading car insurance company like ours that at that time had a 20% market share and, therefore, multiple potential clients who were going to demand attention.
This was not an attack by a guy in a garage, but by an industry; a long-prepared and specifically designed attack, as we learned in the forensic analysis, which showed that the attackers repeatedly detonated viruses that our antivirus stopped, until one of them got through the security barrier.
But even though the timing of the attack was so complex, they were successful. How did they do it?
First, because we were somewhat lucky. Second, because of the preparation we had, since, thanks to the pandemic situation, we had a well-oiled crisis management system. In this sense, although there is no business continuity and crisis management plan that contemplates all possible scenarios — such as receiving a major cyberattack during a pandemic that forced massive teleworking — woe to those who do not have this. … Third, because of the capacity of our team; and fourth, because of its high capacity to work and to absorb the reinforcements that the company would later make available to us.
In such an attack, companies are faced with the decision of whether or not to pay the ransom. But in the case of Mapfre…
We decided not to pay. If you choose to do this, you have no choice but to be transparent, and that’s what we did. It was a decision we could afford because we had a safe backup, and we could set up a replica in a safe space to continue providing service. To be honest, I have to say that I was not a fan of the transparency option. I had enough problems that night without adding the communication problem.
The cost of making such a decision is intense. The first was the media exposure; our president and vice president went out to explain to the media and we issued statements explaining that we had been attacked, although we could not give much more information because we did not know. We knew that there had not been a massive data breach, but we did not know how long the attackers had been in our systems; we only knew that they had detonated our systems and encrypted the data. In fact, it took us months to certify that no data had been taken.
Of course, the communication part must be quite a challenge…
I was unaware of the full significance of the incident. In addition, the incident not only had to be reported to the Spanish regulators but also to 23 regulators in 23 different countries, who had to be kept constantly informed. We also had to be in constant communication with the security managers of Mapfre’s partner companies — and at various levels within these companies — and with the clients. Being able to maintain a consistent message in times of chaos throughout the company was one of our successes.
On the other hand, as a result of this transparency and communication, the world knew that we were vulnerable and, of course, that week we received a multitude of attempted attacks. An example: On Aug. 15, and I am very proud of this, no Mapfre client was left without receiving their service, although, logically, not with the usual quality standards — inevitably there were more delays, etc. — so we rewarded them with price reductions when renewing their insurance. Well, many clients received a mobile message with a fake link to trick them. … The ‘time to market’ of criminal groups is spectacular.
Have you found out who was behind the cyberattack?
Ukrainian, Russian, or Belarusian groups, among the many that exist. Normally several of them work in a coordinated manner and each one is in charge of one aspect of the cyberattack until the final extortion comes. Since we decided to cut off all communications and the Internet, they were unable to continue with the attack. One of these groups had even obtained privileged user credentials, which forced us to continue, months after the incident, with very strict conditions for access to the Internet and remote work.
Did this incident mark a turning point in Mapfre’s security policy?
If we managed to survive that, it is because we had done a lot of work beforehand and we were prepared, but this reinforced some aspects that, although we had them in mind, were not so internalized, such as the importance of communication. That was one of the great lessons learned, together with the homogeneity of the baseline, that is, that in all countries there are the same security requirements, and the notable increase in monitoring and response capabilities to increasingly sophisticated attacks.
Is the company currently receiving many attacks?
The state of our threat is in line with what any report from the Department of Homeland Security, the National Cryptologic Center (NCC), or even the World Economic Forum says: that the cyber threat continues to grow. It is a race that has no end and whose solution is different from the current one, which consists of companies exponentially increasing investment in security. This is unsustainable in the long term because we are facing parastatal, not to say state-owned, groups. Companies must also count on the defense of the State. The model must be changed and this involves direct intervention by the States for the control and security of the network and an assumption of responsibility by the large technology companies, many of which have a hegemonic position with their software, for which they launch constant security updates when, in theory, it should already be secure. Yes, both software developers and network companies have a responsibility, as do governments.
And how much does Mapfre invest in cybersecurity?
We are in the upper average of investment in security within our sector. In addition, the good part of the pandemic is that no one is discussing the cybersecurity budget anymore. At Mapfre, of course, there is a high awareness of the importance of security, which is essential, because it is not all about money.
When it comes to choosing security providers, are there any restrictions on the use of technology from certain manufacturers in countries such as China or Russia?
These are issues that need to be considered. If most of the attacks come from certain areas and gangs, compromising your network with systems from a certain source has consequences. We have a process that begins with the approval of suppliers, followed by a risk analysis of the initiative. In addition, we take into account the recommendations issued by both the EU and our country in particular; we are guided by products approved by the CCN.
Another challenge is to take on all the regulations coming from Europe, such as DORA (Digital Operational Resilience Act).
Yes, being a European insurance group with a presence in many countries of the Union and of a significant size (more than 30 billion in premiums), we are in the focus of the regulator and we have to adapt to this complex scenario. Our objective, of course, is to comply with the regulation.
Cooperation between CIO and CISO is essential. What is your relationship with the company’s CIO?
I am lucky to work with a spectacular CIO like Vanessa Escrivá, with whom I have a more than good professional relationship. Our efforts converge towards the same goal: To provide Mapfre with the best systems that are sustainable and secure, although our roles are different; hers is to provide the service and mine is to ensure that it is done safely. Our relationship is one of close and permanent collaboration, although we work in independent areas — under the same boss — following the criterion of segregation of functions, as recommended.
You left the Army for the private sector. How do you assess this stage of your career?
Indeed, I am a lieutenant colonel in the infantry on leave. I value these years in the private sector very positively. It is an experience that has allowed me to grow, and I am now a much richer professional than before. On the other hand, I believe that I have managed to incorporate into my work the preparation to constantly combat in crisis situations that comes from having been in the Army. This is very useful because companies today operate in a scenario of permanent crisis in which security is not only a matter of technology but of governance. And the main value that those responsible for security bring to companies is to make them resilient.
Original Post url: https://www.csoonline.com/article/3593333/an-inside-look-at-mapfres-2020-ransomware-response.html
Category & Tags: Incident Response, Insurance Industry, Ransomware