What happens in a cyber attack? Experts discuss incident response

Over the past few months, cybercriminals have been attacking mortgage players at an alarming rate.

Major companies like Loandepot and Mr. Cooper are reeling financially from recent incidents, while businesses continue to battle lawsuits from affected customers. Some of those complaints have revealed more color about the hacks and the companies' respective responses, details that aren't typically disclosed.

One major cyberattack began when an employee clicked on a search result about road maintenance agreements in Florida, according to court filings. Another sizable breach began when a threat actor exploited the credentials of a bank's contractor, which eventually led to a previously undisclosed bitcoin ransom payment. 

Attacks may appear more frequent because of new notification requirements, but experts say the pain isn't felt only by the largest lenders and servicers. 

"We're really seeing two kinds of parallel crises," said Jordan Bingham, founder and CEO of Utah-based cybersecurity firm LendSafe. "The larger companies are freaking out about ransomware and at the same time, the smaller shops are undergoing quite a bunch of pressure from attackers."

To understand what happens during a cyberattack, National Mortgage News spoke to cybersecurity veterans who described the typical timeline of an incident. Lenders, servicers and technology vendors may follow similar game plans.

How does an intrusion occur?

Most threat actors are simply logging in to a target company via stolen credentials rather than hacking in, according to experts. 

Criminals use phishing attacks to obtain an employee's login credentials. They're also utilizing generative artificial intelligence to create more compelling lures, said Jim Routh, chief trust officer at technology business Saviynt.

Other criminals are buying user logins on the dark web. Once threat actors are in a company's servers, they will target Social Security numbers or customer login information, which can be used to perpetrate lucrative identity theft. 

Ransomware attacks, in which criminals hold sensitive data hostage for a payout, are high-profile but aren't the most common data breach method, experts said. 

"What threat actors are doing in ransomware situations is actually releasing some of the data publicly to create a public relations challenge for the enterprise to coax them into paying the ransom," said Routh.

Flagstar paid a $1 million bitcoin ransom payment in late 2021 to unidentified criminals to access and delete stolen data, according to filings in a data breach suit. Academy Mortgage also allegedly faced a ransom threat last year; it's unclear if the lender paid the criminals.

Threat actors could also use some of the same tools utilized by vendors to test a company's protections. Consumers in a lawsuit against Bayview Asset Management, for example, claim the firm failed to test its servers with Cobalt Strike, a penetration testing software that hackers allegedly used against the servicer owner in late 2021.

More often, such tools are open-source or otherwise freely available penetration testing tools, said Routh.

How do companies respond?

Attacks are known as events or incidents prior to identification as a "breach"; the term has a distinct meaning from a legal perspective, said Michael Nouguier, director of cybersecurity services at Richey May. The National Institute of Standards and Technology, a U.S. Department of Commerce arm, defines a breach as the unauthorized disclosure or acquisition of personally identifiable information. 

As incidents are identified, firms usually call their cyberinsurers first. 

"They have a panel of incident responders and data privacy lawyers that can come in and identify what you need, all under the contract that you already paid for to cover that," said Nouguier.

Incident responders are always on-call, he added. Threat actors will aim to strike at vulnerable moments such as overnight or on holidays. While cybersecurity experts in the past had to be on-site to work, today they can easily access a company's network remotely. 

Routh laid out a framework companies should follow: Gather the facts; determine who was impacted and what the operational impact will be; determine the root cause; consider corrective actions to end the threat and apply lessons learned going forward.

Who do companies call?

Data breach complaints describe a myriad of cybersecurity firms involved in incidents. Those firms include anti-malware providers, vulnerability scanners, intrusion defense providers, virtual private network (VPN) providers and password managers.

Businesses should have playbooks for different cyberattack scenarios, experts said. Affected organizations shouldn't shut down their systems or unplug any technology; incident responders will photograph computers, including the screen and the cables plugged in. Such photographs may be required in future litigation, Bingham said.

Firms may also hire professional negotiators to speak with hackers directly via email or chat. Flagstar's cyberinsurer engaged Tetra Defense to speak with the bank's attackers and eventually obtained access to Flagstar's compromised data on an encrypted server, according to a deposition excerpt.

Who's in charge during an incident?

The parties responding to a data breach must follow a strict chain of command. Nouguier compared the process to detailed project management. 

"Just because the cybersecurity person is there does not mean that they are the best legal expert in the house," said Nouguier. "It does not mean that they have the best capability to make a public announcement about downtime or anything like that."

Routh said the affected company and security operations team leaders own the incident response. A CEO is in charge of major decisions such as whether to pay a ransom. Then-Flagstar CEO Alessandro DiNello and the depository's board of directors allegedly decided to pay ransomware culprits to retrieve data in late 2021.

"If you practice that scenario dozens of times and you understand what it takes to recover and what the implications are for recovery, you're in a much better position to make the call," said Routh. 

After the breach

An individual employee who clicked on a bad link or who was the victim of a phishing attempt isn't blamed following an incident. The employees involved in the onset of hacks at Bayview and Flagstar were referred to, but not targeted, in data breach litigation. Rather, it's a firm's management and its policies, practices and tools that come under scrutiny.

Rules like the Securities and Exchange Commission's disclosure requirement, and the Federal Trade Commission's upcoming mandate for non-bank lenders, are geared to promote transparency for both regulators and investors. Still, breaches can go unreported, especially if a company's home state doesn't have strict reporting requirements. 

Bob Zukis, founder and CEO of Digital Directors Network, which helps corporate boards retain cybersecurity experts, suggested publicly traded firms are not currently following the SEC's disclosure rules correctly.

"I think as investors start to understand truly how dependent their investments are on the information system, they're going to be shocked," he said. "They're gonna start to demand accountability. And, frankly, that accountability starts with the corporate boardroom, and the board has been derelict in responding to these issues."

The end of a breach also isn't easily defined; experts say it's up to legal counsel to interpret a timeline and definition of what happened. Experts consistently emphasized to NMN that firms should repeatedly train for incidents and take an introspective look following an attack. 

"The number one thing that mortgage bankers, originators and servicers can do is really build the visibility into your IT program that shows where your gaps and weaknesses are," said Nouguier. "Then focus on building resilience across the board so that you can withstand these incidents as they're happening."