[BreachExchange] Toll Group still mopping up after ransomware attacks

Destry Winant destry at riskbasedsecurity.com
Fri Oct 23 10:36:10 EDT 2020


https://www.itnews.com.au/news/toll-group-still-mopping-up-after-ransomware-attacks-555046

Lessons provide some post-mortem hints.

Toll Group is still mopping up more than nine months after an
encounter with ransomware in late January, with the security executive
in charge of recovery describing the “very, very long tail from a
cyber incident” that victims get caught in.

Global head of data, IT security and governance Diana Peh said 2020
“has been a very forgettable year”, though she and Toll had taken
plenty away from two separate ransomware infections experienced months
apart.

The logistics giant was first hit by Mailto ransomware at the end of
January, which took six weeks to recover from.

It then suffered a second attack in early May that used the Nefilim
malware and was similarly devastating.

“265 days ago, and one day before I actually started my new role in IT
security, I faced into a large scale ransomware attack, which impacted
my company, which is a very global organisation,” Melbourne-based Peh
told Privasec’s Privacon 2020 summit yesterday.

“And 94 days later, I went through a second cyber attack, on a global
scale again, and arguably more sophisticated.”

At the end of July, Peh led the announcement of a one year
“accelerated cyber resilience program” run by a rebuilt security team
split across two countries.

The following month, Toll landed the services of former Telstra Asia
Pacific CISO Berin Lautenbach, who will now run the information
security function globally.

Peh told the Privasec summit that both cyber incidents had led to a
“long tail” of actions that continued.

“If anyone has been through a major cyber incident, it is a fact that
the impacts of many incidents live beyond the containment and
remediation,” Peh said.

“There is actually a very very long tail from a cyber incident,
whether that's managing ongoing customer concerns, regulatory
obligations, and so much more.

“Even for myself nine months on, we're still feeling the impacts.
We're still working through and doing some mop-up.”

Contributing factors

Unlike past conference presentations from the victims of substantial
attacks, Peh did not provide a detailed post-mortem on how Toll became
infected.

She did, however, point to a series of potentially contributing
factors, the pandemic among them.

“2020 has been a very unique year defined by Covid-19, where our
workforce has been working remotely from home, and our normal ways of
working, our normal ways of engagement, [and] our tooling have all
been rudely interrupted,” she said.

Peh also referenced Toll’s incident response plan, particularly how
well understood it was.

“In a time of crisis, it can get really confusing. Everybody wants to
help, but you need to know who's in charge, you need a leader,” she
said.

“My experience with both cyber incidents has been very different. I
found it really hard for the first incident, [but] the second one
[was] much better than the first.

“In the first one in particular, there were lots of questions around
who's in charge, and what are the roles and responsibilities.

“It’s really important upfront that you actually are clear on roles
and responsibilities going in and that you're ready, because in a time
of crisis, you really want to make sure that you try to eliminate as
much chaos as you possibly can.”

Peh said that an incident response plan should lay out “the next 20
steps” clearly, with plenty of practice runs.

“You need to make sure that you run lots and lots of practice runs
with your teams, so that everyone is clear,” she said.

“We're doing this quarterly at the moment, not just with the executive
crisis management teams, but with the teams on the ground, and my
reflection is that this is actually a lot harder than it sounds,
especially if you have teams that are spread across the globe and
working across different time zones.

“My personal experience is that having run a couple of them by now,
we're still finding lots of opportunities to improve and making sure
that our teams really deeply understand the drill.”

Calling in experts

Toll’s approach to security technology likely also played a role, and
Peh said she curated a small band of external cybersecurity experts to
aid the company’s recovery and to help prosecute the case for change.

Peh said she came into the crises “not having a great deal of cyber
experience from a very technical perspective.”

“On many many fronts, I was challenged by my colleagues and by my
peers,” she said.

“Case in point, we were an AV [anti-virus] shop. I dragged us into EDR
[endpoint detection and response] technology within two weeks of the
second incident.

“[There was] lots of robust debate and lots of decisions made, but my
external experts were actually really the ones that actually helped me
to really understand what it is that I needed to do to consolidate my
thinking and then to actually engage in a very rich debate and
discussions with the leadership team.

“Once we had a decision, we got behind it.”

Peh said it was easy to be overwhelmed by offers of assistance,
particularly after experiencing an attack.

“When something happens, everyone will call you to offer to help, but
the reality is not everyone will be helpful,” she said.

“You don't really want a cast of thousands in the mix. You need to
actually have a vital few to help you so, again, it's not terribly
chaotic.”

Peh said one of the “most profound” outcomes from “living through two
major incidents was [the realisation] that security isn't necessarily
just about relying on internal capabilities.”

“We often talk about the fact that it takes a village to raise a
child, and reflecting on the two experiences, which are different, a
key learning for me is that you really need to surround yourself with
experts who live and breathe this on a daily basis with their other
customers and to really partner with them to manage your incidents,”
Peh said.

“There is a bit of work upfront in terms of working out who they are
very early on in the piece, and this is where the value of your
network in the cybersecurity space will really kick in.”

Staying customer focused

Peh said Toll prioritised its customers from the start of the security
incidents.

“I'm proud to say that we've taken a very proactive and direct
communication approach with our customers to minimise the impact on
business operations,” she said.

She said open and direct communications were key to “minimising the
impact of business operations for your customers, but also … ensuring
that we share what information we can to also make sure that they
themselves are adequately protected.”

“When you have an incident, it really is the time to actually
over-service your customer hotlines, and to have daily check-ins with
your customers over the phone,” Peh said.

“I've been on the other side of these types of situations where my
partners and suppliers have been compromised, and honestly, I just
wanted to have that phone call that tells me what is going on, what my
real risks are, and what we need to do to actually protect ourselves.”

A big part of that is being able to communicate, Peh said, noting the
importance of planning communications channel workarounds in case
primary methods like email are taken out, or seen by customers as too
risky.

“My experience is that some of our customers actually opted to cease
email communications as a preventative measure, so that basically just
means that you need to have a plan,” Peh said.

“Be ready to use your WhatsApp channels or Microsoft Teams.”

Staff welfare in a crisis

Part of Peh’s presentation also dealt with her own mindset during the
twin crises as well as that of staff, and how Toll tried to ensure
staff were rested enough to participate in the recovery activities.

“My favourite mantra is to ‘keep calm and carry on’,” she said.

“Nine months into the security game, I think a lot of my learnings and
reflections have been the fact that in a time of crisis, it is actually
really important to pause, to take stock, and to breathe; to think,
‘OK, what is it that I need to do next?’; and to have some
system and structure around how you actually tackle some of those
incidents.”

Peh said Toll recognised early the long-lasting implications that
staff faced as they responded to the incidents.

“It's incredibly stressful,” she said.

“Teams are working around the clock. The pressure is really intense.

“I think it's important to call out: don't be too hard on yourself,
don't be too hard on your teams when things go wrong. Things will go
wrong, you should plan for things to go wrong.

“When there is so much going on, people will miss things. You will
likely miss things yourself - no one's infallible.”

Peh said Toll Group quickly set up a staff rostering system to ensure
staff could rest.

“We were so conscious of the pressure in the crisis that hours into
the crisis, one of the things that we actually did very quickly was to
actually build up a roster for our teams so that people could have
planned breaks,” she said.

“It was actually a very conscious decision to make sure that we
rostered people on so that people could take breaks, rest up and
[then] perform properly in the time of a crisis - maybe not
necessarily at peak, but they could function well, and they were
rested.

“Crisis management can take days and weeks to resolve, and I think the
callout here is the fact that you're going to have to make sure you
take some steps to make sure that the workload is sustainable.

“People will be working more than 100 percent [of their capacity] in
many, many instances, but the rest is incredibly important.”