Toll Group still mopping up after ransomware attacks

Toll Group is still mopping up more than nine months after an encounter with ransomware in late January, with the security executive in charge of recovery describing the “very, very long tail from a cyber incident” that victims get caught in.

Global head of data, IT security and governance Diana Peh said 2020 “has been a very forgettable year”, though she and Toll had taken plenty away from two separate ransomware infections experienced months apart.

The logistics giant was first hit by Mailto ransomware at the end of January, which took six weeks to recover from.

It then suffered a second attack in early May that used the Nefilim malware and was similarly devastating.

“265 days ago, and one day before I actually started my new role in IT security, I faced into a large scale ransomware attack, which impacted my company, which is a very global organisation,” Melbourne-based Peh told Privasec’s Privacon 2020 summit yesterday.

“And 94 days later, I went through a second cyber attack, on a global scale again, and arguably more sophisticated.”

At the end of July, Peh led the announcement of a one year “accelerated cyber resilience program” run by a rebuilt security team split across two countries.

The following month, Toll landed the services of former Telstra Asia Pacific CISO Berin Lautenbach, who will now run the information security function globally.

Peh told the Privasec summit that both cyber incidents had led to a “long tail” of actions that continued.

“If anyone has been through a major cyber incident, it is a fact that the impacts of many incidents live beyond the containment and remediation,” Peh said.

“There is actually a very very long tail from a cyber incident, whether that’s managing ongoing customer concerns, regulatory obligations, and so much more.

“Even for myself nine months on, we’re still feeling the impacts. We’re still working through and doing some mop-up.”

Contributing factors

Unlike past conference presentations from the victims of substantial attacks, Peh did not provide a detailed post-mortem on how Toll became infected.

She did, however, point to a series of potentially contributing factors, the pandemic among them.

“2020 has been a very unique year defined by Covid-19, where our workforce has been working remotely from home, and our normal ways of working, our normal ways of engagement, [and] our tooling have all been rudely interrupted,” she said.

Peh also referenced Toll’s incident response plan, particularly how well understood it was.

“In a time of crisis, it can get really confusing. Everybody wants to help, but you need to know who’s in charge, you need a leader,” she said.

“My experience with both cyber incidents have been very different. I found it really hard for the first incident, [but] the second one [was] much better than the first.

“In the first one in particular, there were lots of questions around who’s in charge, and what are the roles and responsibilities.

“It’s really important upfront that you actually are clear on roles and responsibilities going in and that you’re ready, because in a time of crisis, you really want to make sure that you try to eliminate as much chaos as you possibly can.”

Peh said that an incident response plan should lay out “the next 20 steps” clearly, with plenty of practice runs.

“You need to make sure that you run lots and lots of practice runs with your teams, so that everyone is clear,” she said.

“We’re doing this quarterly at the moment, not just with the executive crisis management teams, but with the teams on the ground, and my reflection is that this is actually a lot harder than it sounds, especially if you have teams that are spread across the globe and working across different time zones.

“My personal experience is that having run a couple of them by now, we’re still finding lots of opportunities to improve and making sure that our teams really deeply understand the drill.”

Calling in experts

Toll’s approach to security technology likely also played a role, and Peh said she curated a small band of external cybersecurity experts to aid the company’s recovery and to help prosecute the case for change.

Peh said she came into the crises “not having a great deal of cyber experience from a very technical perspective.”

“On many many fronts, I was challenged by my colleagues and by my peers,” she said.

“Case in point, we were an AV [anti-virus] shop. I dragged us into EDR [endpoint detection and response] technology within two weeks of the second incident.

“[There was] lots of robust debate and lots of decisions made, but my external experts were actually really the ones that actually helped me to really understand what it is that I needed to do to consolidate my thinking and then to actually engage in a very rich debate and discussions with the leadership team.

“Once we had a decision, we got behind it.”

Peh said it was easy to be overwhelmed by offers of assistance, particularly after experiencing an attack.

“When something happens, everyone will call you to offer to help, but the reality is not everyone will be helpful,” she said.

“You don’t really want a cast of thousands in the mix. You need to actually have a vital few to help you so, again, it’s not terribly chaotic.”

Peh said one of the “most profound” outcomes from “living through two major incidents was [the realisation] that security isn’t necessarily just about relying on internal capabilities.”

“We often talk about the fact that it takes a village to raise a child, and reflecting on the two experiences, which are different, a key learning for me is that you really need to surround yourself with experts who live and breathe this on a daily basis with their other customers and to really partner with them to manage your incidents,” Peh said.

“There is a bit of work upfront in terms of working out who they are very early on in the piece, and this is where the value of your network in the cybersecurity space will really kick in.”

Staying customer focused

Peh said Toll prioritised its customers from the start of the security incidents.

“I’m proud to say that we’ve taken a very proactive and direct communication approach with our customers to minimise the impact on business operations,” she said.

She said open and direct communications were key to “minimising the impact of business operations for your customers, but also … ensuring that we share what information we can to also make sure that they themselves are adequately protected.”

“When you have an incident, it really is the time to actually over-service your customer hotlines, and to have daily check-ins with your customers over the phone,” Peh said.

“I’ve been on the other side of these types of situations where my partners and suppliers have been compromised, and honestly, I just wanted to have that phone call that tells me what is going on, what my real risks are, and what we need to do to actually protect ourselves.”

A big part of that is being able to communicate, Peh said, noting the importance of planning communications channel workarounds in case primary methods like email are taken out, or seen by customers as too risky.

“My experience is that some of our customers actually opted to cease email communications as a preventative measure, so that basically just means that you need to have a plan,” Peh said.

“Be ready to use your WhatsApp channels or Microsoft Teams.”

Staff welfare in a crisis

Part of Peh’s presentation also dealt with her own mindset during the twin crises as well as that of staff, and how Toll tried to ensure staff were rested enough to participate in the recovery activities.

“My favourite mantra is to ‘keep calm and carry on’,” she said.

“Nine months into the security game, I think a lot of my learnings and reflections has been the fact that in a time of crisis, it is actually really important to pause, to take stock, and to breathe; to think, ‘OK, what it is that I need to do to do next?’; and to have some system and structure around how you actually tackle some of those incidents.”

Peh said Toll recognised early the long-lasting implications that staff faced as they responded to the incidents.

“It’s incredibly stressful,” she said.

“Teams are working around the clock. The pressure is really intense.

“I think it’s important to call out: don’t be too hard on yourself, don’t be too hard on your teams when things go wrong. Things will go wrong, you should plan for things to go wrong.

“When there is so much going on, people will miss things. You will likely miss things yourself – no one’s infallible.”

Peh said Toll Group quickly set up a staff rostering system to ensure staff could rest.

“We were so conscious of the pressure in the crisis that hours into the crisis, one of the things that we actually did very quickly was to actually build up a roster for our teams so that people could have planned breaks,” she said.

“It was actually a very conscious decision to make sure that we rostered people on so that people could take breaks, rest up and [then] perform properly in the time of a crisis – maybe not necessarily at peak, but they could function well, and they were rested.

“Crisis management can take days and weeks to resolve, and I think the callout here is the fact that you’re going to have to make sure you take some steps to make sure that the workload is sustainable.

“People will be working more than 100 percent [of their capacity] in many, many instances, but the rest is incredibly important.”