ESI Survival Guide INTERVIEW (Part 1) with Kevin Treuberg – Digital Forensics and Investigations SME

In Part 1 of this ESI Survival Guide extended interview, we are joined by Kevin Treuberg, an expert in computer forensics and investigations with over 28 years of experience.  He is the Manager of the Digital Forensics and eDiscovery Group at The Home Depot, but is also involved in film production, is one of the best Dad’s I have had the pleasure of knowing, is an Atlanta, GA resident by way of New Jersey, and is a Legionnaire in the ranks of the Tough Mudder Nation. 

As we machete our way through the electronic wilderness, we talk about the intrigue of being a special agent with the U.S. Army, the intrigue of Instant Pots, the current state of ransomware, preventing and reacting to attacks, cooperation lessons from cybergangs, lessons in patience from cybergangs, ransomware attack anatomy, to pay or not to pay, cyber terminology, industry sector vulnerabilities, how an FBI raid can be a good thing, why you MUST understand attack timelines, and that age old question: If a tree falls and no one is around…will your Zoom video have delays if said tree took out the entire neighborhood’s Internet?   

Below are the highlights of the various topics of our conversation, along with various Survival Tips and insights. 

The conversation is broken into my questions and comments in bold, Kevin’s answers and insights in italics, and any editorial and other additions in plain text labeled “ESI-SG.”

And I should highlight, if you are the type who gets a little wary of longish, fantastic video conversations, do not worry, on YouTube we have included video timestamps to help guide you to where you want to go.  Check out the video with Kevin on the ESI Survival Guide YouTube Channel (the one with the logo), and support us by sharing, commenting, liking or, better yet, subscribing!       

Following our lead-in and our disclaimer, I introduce our remarkable polymath of a guest Kevin Treuberg.  Now Kevin was on a cellular network during our conversation thanks to a tree falling and taking out his local Internet service, which made for some interesting blooper reel moments.  However, any interruptions were few and far between and the cell network held up pretty darn well.  No felled trees were going to stop us, and we soldiered on.

Kevin is a computer forensics and investigations extraordinaire and has been a professional in the space for over 28 years across numerous industries in the private and public sectors.  Just to give a few professional highlights from his impressive background, Kevin has held the following positions:

  • Counterintelligence Special Agent – Force Protection Specialist
  • Senior Technology Investigator – CNA Financial
  • Senior Cyber-Forensic Examiner – US Department of Energy
  • Senior Security Analyst – AIG
  • Forensics Manager – Sullivan & Cromwell LLP
  • Director, Electronic Investigations – Mintz Group
  • Director of Forensic Services – Complete Discovery Source, Inc.
  • Manager, Digital Forensics & eDiscovery Group – The Home Depot

At this point, we jumped into the electronic wilderness.

Matt: What was it like being in the army as a counterintelligence Special Agent?

Kevin: I thought the best job in the military was being a special agent doing force protection types of investigations.  I was in for about seven years, a little over seven years, but it wasn’t until the last two years that I got involved in information warfare and computer forensics and network intrusion investigations.  The prior five years was all wearing the tree suit going out and deploying into the field, doing low level source operations and force protection work.  That was quite rewarding; a lot of grunt time carrying a pack.  The 10th Mountain Division Light Infantry is anything but light, everything is on your back.  But I can say that the last two years of it, I was in a more strategic position doing targeted investigations, like network intrusions that are coming from a foreign government into our US Army systems. It was pretty exciting.

Matt: You’ve worked in almost every major area where cyberthreats are a daily concern, which dovetails right into the main topic I want to talk about today – ransomware and other cyberthreats.  But first, were computer forensics, investigations and technology areas in which you were always interested, or did that come about while you were in military service?

Kevin: That interest was definitely a result of being in the military.  I joined the military wanting to do more intelligence type work, and I did intelligence work for a little over seven years.  The last two years I just kind of fell into the computer forensics and the information warfare fields.  It was during my last duty station that we had an opportunity to go and do more of a counterintelligence deep career track or go into the cyber field.  And I’m happy I chose the cyber field. I mean, it has been booming since 2000 when I got out of the military, and definitely the focus has shifted a lot from regular standalone forensics to eDiscovery and now to cybersecurity.  There’s a lot of work out there; there’s a lot of threats out there. So having more people trained in these tactics, especially in cybersecurity is a boon for any company.

ESI-SG: Kevin and I go on to discuss how people come into this industry from so many unique backgrounds, and I unsuccessfully compare my music background to his military background. 

I also want to highlight Kevin’s numerous professional certifications and culinary prowess.  One that he recently achieved during the lockdown is the CERT Insider Threat Program Manager certificate from Carnegie Mellon University.  Though he also did learn to blow things up in the kitchen with an Instant Pot.  I got my OneTrust Certification and am re-upping my CIPP/E, but also learned how to ruin a kitchen with attempts at baked goods.     

We then jump into two concerning trends:

  • The growth in ransomware attacks.
  • The change in the cyberthreat landscape during the COVID pandemic.

One of the most concerning widespread trends in 2020 moving into 2021 is the widespread growth in ransomware.  It cooled down a bit over the past holiday season, but attacks have been increasing through 2021.  Just a few statistics:

  • The New York Times reported that ransomware attacks had increased by 41%, from 2018 to 2019, with other reports claiming that almost 188 million ransomware attacks happened during the same period.
  • In their 2020 Consumer Threat Landscape Report, Bitdefender highlighted a 485% increase in ransomware attacked from 2019.
  • Cybersecurity ventures reported that a company was attacked every 11 seconds in 2020. They project that the cost related to ransomware attacks will be upwards of 20 billion in 2021.

Although the recent Colonial Pipeline payout is very troubling, the one attack in recent memory that really stood out for me was the 2020 attack on a New York entertainment law where a whole bunch of celebrity data was compromised.  At first, the attackers wanted $21 million, but when they were lowballed and not paid, they then upped that to $42 million.  They had also claimed that they had information related to then-President Trump, which of course helped to up the ante.  What is especially concerning is that we are seeing that cybergangs are working together, often in a very decentralized manner where one group builds the code, then they might license this code out to affiliate criminals for some of the take.  There have been some recent arrests, but it seems like they haven’t put much of a dent into the rising tides of bad actors.

Matt: What do you think is behind this big rise in ransomware?  Outside of just the fact there is more and more tech, why is this happening now?

Kevin: Well, ransomware has been around for several years.  I think it’s just getting more and more press.  Now number one, because more folks are doing it the percentage rate is increasing with regards to companies getting hit with ransomware, or at least people probing and trying to install ransomware.  But that fact is that it’s easy to do this type of crime.  It’s incredibly easy.  Like you said, you have a lot of people writing this code, you have a lot of people writing the actual programs and applications, and then they just want their percentage of what the take is – if there is a take.  I’ve seen in past lives, working on consulting contracts, these folks getting hit with ransomware and they’re in conversations with the folks to pay them.  They want to have a sample of the key so they can give them a sample of the data back.  They want to make sure that the key being provided, that is being paid for, works.  And then it doesn’t even work. Some of these folks that are deploying this ransomware might not even have the key to unlock your data.  There are negotiations and they may be paying in Bitcoin or some other type of cryptocurrency, you just might lose your shirt and might not even get your data back.  So yeah, it’s scary.  The statistics that you were talking about, a lot of that is just the reported victims of ransomware.  Many victims may go unreported.  You may have some folks that get hit, they do pay and maybe they get their data unlocked.  Their data and the reputational damage and the hit to their brand is certainly worth the price to try and pay for the ransomware key.

ESI-SG: To explore some the trends that Kevin highlights, I read the recent Sophos’ State of Ransomware 2021 report.  There were several interesting findings.  Out of the 5,400 IT professionals that were surveyed across 30 countries:

  • – 32% paid the ransom to get their data back, an increase of 26% from last year’s survey.
  • – 57% were able to use backups to restore their data, which is in line with last year’s finding. Overall, almost everyone (96%) got some of their data back.
  • – Even if you pay an attacker’s ransom, your chances of getting all your data back are slim. On average, those organizations that paid ransoms got back just 65% of the encrypted files, leaving over one-third of their data inaccessible.
  • – 29% of respondents reported that 50% or less of their files were restored.
  • – Only 8% of responding organizations reported that they got all their data back.

It is very clear that there is an exigent need for diligence and solutions. 

SURVIVAL TIP!  When thinking about protecting yourself, just act under the mindset of that scary ole cybersecurity adage, “It’s not IF you are going to get attacked, but WHEN!”

Matt: We want to make sure that we are providing valuable insights to both beginners and exports alike here on ESI Survival Guide.  So just to give a few definitions in the context of the cyber landscape.  What is a threat?  What is vulnerability?  What are some of the different terms that you use in this space?

Kevin: You can interchange “information security” or “IT security” with “cybersecurity.”  Those can be the same depending on the organization.  When you’re talking about the “threats,” those can be those threat actors, those attackers or groups that are trying to do conduct phishing or spear phishing campaigns against you and trying to exploit potential code that might be on your outwardly facing systems to gain access into your network.  In this context, the threats are those advanced persistent threats, those bad actors that are trying to get entrance into your network.  You may have altruistic actors that may be trying to just poke around in an effort to say, “Hey, we’re a good organization, we’re just kind of pointing out the security threats for you or doing some bug bounties.”  Or again, there are those that are trying to get a foothold into your network, crawl around, take as much data as they can, and then when they are done, they release that ransomware.  The threat actors can come in different flavors, right.  

And then we talk about “risk.”  The way I see it, when we talk about risk, the number one, in my opinion, deterrent for ransomware is education.  Education for all of your staff or clients from a cybersecurity perspective.  You want to make sure that folks aren’t double clicking on certain attachments, they’re not going to unknown websites and they aren’t clicking links with unknown origins.  This is how a lot of this bad stuff can get into your network.  You’re trying to mitigate that risk, which you can do through a good education program. 

And then the “vulnerability” is, for example, if you have folks that are coming after your domain, or trying to probe your outside facing web servers, or database servers, there can be a vulnerability in that server they can exploit because maybe it wasn’t patched properly, or maybe not even patched at all.  There may have been an alert highlighting that this type of server is vulnerable to this type of attack.  Then these threat actors are simply combing through the Internet looking for certain servers that have these vulnerabilities.  Regardless of the industry you’re in, if you’re in technology, government, education, retail – they don’t care.  They’re just looking for an opening to get in and then try to capture some data from you.

ESI-SG: Check out Global Knowledge’s Glossary of Cybersecurity Terms for more awesome words and their definitions.   

Matt: There does seem to be lots of interchangeability in the terminology depending on the context, but what about a negligent actor.  Let’s say I have employees that are uneducated about the risks associated with various cybersecurity threats.  They are not receiving the proper training with regards to dealing with attachments, outside links, etc.  Would those uneducated employees be considered a threat or a vulnerability, or both? 

Kevin: There are different ways to look at it if you’re looking at it from an insider threat perspective.  So, we are looking at an unintentional disclosure of information?  If someone’s not educated, and they’re clicking on a link, and they’re not intending to be the threat, they’re not intending to release company data, or have somebody come in and get a foothold, that’s where education become paramount.  If you’re looking at this type of threat from the outside as a threat actor and you’re looking at an organization, you’re going to look for the different vulnerabilities that are on those networks or those servers and try to expose the in order to get a foothold into the organization.

Matt: It sounds like when you’re assessing the full threat landscape there are so many different vectors and factors to consider in terms of outside threats, inside threats, both human and technological vulnerabilities, and more.  With regards to industry, there was a 2020 IBM X Force Report that showed that the manufacturing industry was often hit hardest by ransomware, followed by professional services companies than government organizations.  But with the COVID pandemic, you’re seeing a rise in attacks on educational institutions and healthcare institutions.  Back on October 28, 2020, the FBI, CIA, NSA and The Department of Health and Human Services released an advisory regarding an imminent cybercrime threat to hospitals and health care providers.  Though it is pretty clear that no industry is invulnerable to ransomware attacks, what makes one industry sector more vulnerable than the next?

ESI-SG: Note that the 2021 IBM X Force Report has been released since Kevin spoke with The Guide.  In this report, the manufacturing industry was the second most targeted sector in 2020, with the finance and insurance sector taking the number one spot.  Manufacturing has risen as a target from being the eighth most targeted industry in 2019.  The responses to Sophos’ The State of Ransomware 2021 survey revealed that the retail and education sectors experienced the most attacks.  The takeaway from these two reports, regardless of any discrepancies between them, is that no industry is immune from ransomware.

Kevin: I think it’s a couple things.  First, is the data that a particular sector or corporation within that that sector the type of data that attackers want?  Is it data that could prove to be very lucrative like personally identifiable information (PII) where it can be used to conduct identity theft?  Is it PCI data, credit card information, that can be sold on the dark web?  Then there is the state of the industry sector itself in terms of cybersecurity.  Are they sophisticated enough to hire and maintain an adequate cybersecurity or IT security infrastructure?  For example, we see that the educational space, they might generally not get enough funding to take the steps necessary to adequately protect themselves.  Then look at the Fortune 100/200 companies.  They’re going to have a more robust cybersecurity infrastructure to protect all of their data.  It depends on those two factors:

  • There’s the data that attackers are looking for; the data that they want.
  • And then how easy of a target is the organization because they’re not patching all of their systems, or they don’t have a proper intrusion detection system, or any endpoint security on their systems.
Whether one industry sector is more vulnerable that another is kind of a mix of both of these factors.

Matt: That’s interesting.  It’s clear that he corporations with the high-profile C-Suites and Boards of Directors are the obvious targets.  But like you said, those large corporations also have the highest amount of investment in intrusion protection and defense mechanisms for these types of attacks.  In the press, you often hear about these big-name corporations that get hit – they make the big headlines.  But I can image that likely lots of smaller organizations are targeted, and those attacks likely fly under the radar.  It goes to what you said earlier that ransomware is an issue that is much more prevalent issue than we all realize from just reading the press.  

From a practical standpoint, say I am that small company, and I don’t have the necessary resources to have all the core controls in place, and I get hit with a ransomware attack.  Can you tell me, what does the attack actually look like?  Does my computer just shut down?  Do I get a notice?  Do I get something on another device?  What does it look like?

Kevin: When I was a consultant, and not with my current employer, but we ran into a ransomware attack with one of our clients.  A ransomware attack hit their systems.  And it pretty much locked all their systems; it shut them all down.  When the folks were logging in, they would see a warning banner on their screen that said, “You have been infected by the Royal ransomware,” or whatever type of ransomware, and there would be instructions on how to contact these folks to give them money so they can give you the key.  Ransomware has the potential to crawl through your entire network to encrypt all of your systems, and to cripple even your backups if they’re connected.  It’s very nasty stuff.  And you see a lot of these incredibly tactical and dedicated threat actors where they won’t just unleash the ransomware right away.  They will first gain access to your network.  Then they’ll navigate around and collect whatever data they think is valuable to them or to you.  Then once they’ve gotten all they can take, THEN they release the ransomware.  They’re telling you, “Hey, we’ve collected all of your day, we’ve encrypted everything in place, we’ve also gotten some of your data that we’re going to release on the dark web.”  That can cause serious harm to brand reputation. Some of these law firms, like you said, might have some really, really incredibly sensitive client data. These situations can be really bad for a company PR-wise. 

ESI-SG: And for all you lawyers and law firms out there.  You must take these issues seriously!  Law firms are a prime target and, traditionally, you don’t think of law firms as being heavily invested in data security.  That is changing, but law firms must be extremely diligent based on the sensitive nature of the client data they handle and the types of matters they support. 

Here is a great piece authored by CEO and Co-Founder of Everlaw, AJ Shanker, for focused specifically on law firms and ransomware.

Kevin: Going back to that ransomware scenario, there was actually a good outcome for this particular client based on how we initially got involved supporting them.  Initially, that client had been raided by the FBI and we had to collect all of their systems in an effort to preserve various data stores for litigation.  Then, fast forward six or eight months, and THEN they got hit with the ransomware attack.  They asked us if we had happened to have all of the previously collected data and luckily, we did.  Because of that earlier preservation and collection project, we were able to make them whole as of about six months prior to the ransomware.  Typically, they would have lost six months of data and work product, but in this particular scenario they were able to get back on their feet rather quickly and didn’t necessarily have to pay that ransomware.  However, a lot of companies aren’t so fortunate.  Either they have to suck it up and pay the fee, and hopefully get the key, or they’re sunk.

Matt: Can you attack the attackers by tracing the mechanisms they use to collect the ransom?  Can you trace cryptocurrency in the ransomware context or is that almost impossible?

Kevin: Yeah, that’s going to be difficult unless you’re unless you’re a government organization that has subpoena powers to start accessing the logs where all this data is going through.  As an individual consumer, it’s going to be very difficult.

Matt: What can an individual do, aside from just contacting the authorities?  God forbid, I’m a victim of ransomware, what are some of the first things I should be thinking about?

Kevin: I think the best way to answer that is to take a step back.  What are the things that you should do to try to prevent it first, and then maybe that can help mitigate what your response would be once you get hit?  Obviously, education is key.  Don’t click on any emails from folks that you don’t know, links, documents that are leading you to unknown websites, always be careful.  Don’t pick up thumb drives that you’ll find in a parking lot at the mall and plug them into your computer.

SURVIVAL TIP!  As with ANYTHING in the cybersecurity space – educate yourself! If you receive something on your computer or are in an unfamiliar part of the web, DO NOT CLICK!   

Kevin: A lot of this is common sense stuff.  But what are you going to do when it happens?  Your response will be different for the different levels at which you’re getting hit. 

SURVIAL TIP!  If you are an individual attacked with ransomware, an initial step to mitigate harm is to cut off your Internet access as soon as possible.

SURVIVAL TIP!  If you are a corporation attached with ransomware, an initial step to mitigate harm is to immediately engage your incident response team.  If you don’t currently have one, build one now!

Kevin: At the corporate level, there’s going to be some kind of incident response that involves not only your cybersecurity or IT security folks, but it’s also going to involve your legal team, maybe your corporate security teams, a core incident response management team and maybe more.  There is going to be all kinds of public relations activity and internal and external communications.  Lots of folks will usually be involved. 

If you don’t have a robust internal cybersecurity group, you have to go find someone that can help you out, engage consultants, engage outside cybersecurity firms, or even if you are farming out your cybersecurity work to an outside organization, maybe you have a ton of your servers and your data is in the cloud and folks are managing it for you, those would be the folks that you’re going to have to engage to help get this cleaned up.  It’s different for every situation unfortunately, but I think as an individual, one way to prevent some of this and at least bounce back and recover quickly is to keep offline backups.  Or you can keep backups of your data in a separate type of cloud location or account.  Then you can replicate, and then hopefully, quickly reconstitute what you were doing over the past few days so you can carry on with your business.

SURVIVAL TIP!  Do not store backups of your data on your network.  Keep backups offline or at an offsite location.

Matt: So obviously a ransomware attack that’s designed to simply lock up your data will prevent you from being able to perform your day-to-day activities on your network.  Having offline backups is definitely a great idea.  However, I assume that doesn’t play out as well for somebody who might have sensitive data, embarrassing data or things they may be trying to hide on their laptop.  That is a different type of issue.  Is it the case that once your data is encrypted at rest those bad actors have it?  Even if you disconnect your internet, shut off your computer, change your computer, they are now in possession of that information? 

Kevin: Well, they might not necessarily possess it. They may have encrypted it at rest on your own systems, it’s just you cannot gain access.  And what they’re doing is they’re just asking money for the key.  You might still have that data in your possession, but all of your systems might be locked up.  And they might not have any of that data, at least you hope they don’t have that sensitive data, the majority of it could just be encrypted in place.  And one thing you have to be aware about backups to is you have to be very cognizant of the timeline of the incident.  If you’re doing incremental backups, or systematic backups, and you’re preserving your data over a certain cadence or schedule of time, you don’t want to restore data that might have that ransomware executable software in it.  You want to make sure that you use your best efforts to identify when some of this occurred, and how it occurred.  Then when you’re restoring a backup or reconstituting your data, you’re not starting all over again because the ransomware is somewhere in there.

SURVIVAL TIP!  Be aware of the timeline of an attack when restoring a backup o reconstituting data.  You do not want to restore data that might contain the ransomware executable.  Then you are back at square one! 

Matt: So feasibly you could pay the ransom, get the key, and then go through a backup effort and reinitialize that ransomware?

Kevin: I’m sure crazier things have happened.

Matt: I can’t imagine having to go back to the gang and be like, “Hey guys, can I get that key again?”

Kevin: Or going or even going back to your board and saying, “Yeah, I need another 100 million dollars!”

Matt: “Remember that beating we just took in the press?  Yeah, you guys haven’t read the papers today, have you?” 

ESI-SG:  This is Part 1 of 2 of our talk with Kevin Treuberg.  We are thrilled that he was able to join us on The Guide and look forward to posting Part 2 within the week.  During the second half of our conversation, Kevin and I dive even deeper into the cyber world with more stories, insights and survival tips. 

Whether you watched the full video, viewed the snippets or read the blog, we cannot thank you enough for your support and interest!

This is Matt from ESI Survival Guide telling you to please Stay Safe in the Electronic Wilderness.  See you next time!

Written by Matthew Knouff

Matthew F. Knouff, Esq., CIPP/US, CEDS, RCSP, Sr. Solutions Consultant, Legility LLC Matthew has been navigating the ESI and data law wilderness for over fifteen years as an attorney, consultant and academic. He currently serves as a Sr. Solutions Consultant with Legility LLC., an award-winning global provider of eDiscovery and data management services and technology. He is an expert in eDiscovery law and process, global data privacy and the movement of data across borders. In addition to contributing to and holding leadership positions with several organizations dedicated to supporting the legal profession, he has developed numerous CLE programs and assessment tools, and frequently speaks and writes on various topics related to the intersection of data, law and technology. He holds the CIPP/US, CEDS and RCSP certifications, is an avid distance runner, an active board member with Education Through Music, a Tarheel through and through, a life-long musician and an obsessive autodidact. Matthew lives with his son in New York City.

All author posts   |   LinkedIn