How do you build an insurer cyber incident response unit? [A Must Read]



Response head on trends, growth plans, and talent

In January of this year, Larry Crocker joined the cyber insurer as head of DFIR and incident response. At NetDiligence Philadelphia earlier this month, he discussed ideas for the unit he has been tasked with creating and how the company is handling threat actors that are increasingly looking for larger sums of money.

Crocker and his colleagues are another example of how hard insurance firms have fought to bring in forensic, cyber, and negotiating expertise. Crocker is a retired special investigator with the Alabama Attorney General’s Office who is from Alabama and can work remotely. Prior to that, he worked there as a special agent, forensic examiner, and police investigator.


Prior to working at At-Bay and after leaving the police force, Crocker held executive positions with the cybersecurity firms Secureworks and Kivu Consulting.

Crocker’s new position at At-Bay brings both a fresh challenge and an opportunity, as he is tasked with “from the ground up” developing the insurer’s DFIR and response unit.

What does it take to build a cyber incident response unit?

Crocker has enjoyed the assignment and has more than 30 years of experience in incident response and digital forensics. He has been expanding his team’s talent pool by hiring endpoint detection and response (EDR) specialists, former government employees, and retired FBI agents.

We have a fantastic, knowledgeable set of people assisting us with the incident response, and we’re doing great, according to Crocker.

Although the At-Bay Security division is a separate legal organization from At-Bay and has its own LLC, the insurer, which earlier this year became a full-stack carrier, continues to fund and oversee the division.

Additional factors have been taken into account as a result of the security firm’s distinct standing, and even though they may not be “showstoppers,” in Crocker’s words, these technological aspects have proven crucial. For instance, choosing an invoicing platform and creating a new company from scratch present “more things to worry about” in terms of administration and how the entity really functions.

“We have a good foundation, we have strong processes and procedures, and we have good relationships with breach counsellors on the claims team,” Crocker said of the scenario six months in. “I believe that as time goes on, we will continue to grow.”

The cyber threat – clients may lack internal resources and expertise

Smaller and medium-sized enterprises (SMEs) may only be expected to deal with one case in their lifetime – this is edging closer to two now, Crocker said – and this means they may lack the resources to tackle a breach on their own. Clients may have some expertise on board to deal with cyber incidents.

“They don’t get the experience that my team or another response practice [might have] by working multiple cases, understanding multiple yield,” said Crocker.

His team’s “big thing” is to consider how to draw lessons from each episode and use them in other cases.

“The more we learn about our current actors – their access vector, how they get into the environments, what they do with the tooling that they use – the better we can apply that to the next thing, and make [our response] better, faster, and stronger,” Crocker said.

Ransomware and business email compromise are the top dangers.

Crocker stated that At-Bay is experiencing a “steady influx” of instances involving business email hacking, which he described as “a down and dirty, quick way for threat actors to get money”.

In the meantime, ransomware attackers are growing “more sophisticated” in how they gain access to victims’ settings. Demand for decryptors has increased as well, reaching a “higher than normal” level for the SME sector.

“[Years ago] demand for decryptor pricing was somewhere in the neighborhood of $5,000, $6,000, and sometimes $20,000,” added Crocker. “Now, depending on the [leverage] they believe they have over the clients, we’re starting to see that increase to $500,000, $1 million, or more.”

Negotiating with cybercriminals

The size of demands may be growing, but, according to Crocker, this can be a negotiation tactic used by bad actors. By starting with a price tag of $1 million, they may be hoping to get it significantly lower, like to $500,000, and thereby obtain more money than if they had started with a lower figure.

One of the main difficulties for At-Bay’s incident response team when dealing with bad actors is figuring out who they are and what their objectives are, especially when more of them are always emerging.

You might not be aware of their affiliations or who they are formally, according to Crocker. There are many things you may look at throughout the negotiation phase to try to ascertain who they are, including building a relationship with them, interacting with them, and understanding what their demand is.

This step is crucial because it is forbidden to pay a ransom to a sanctioned entity, which may include nation state actors.

Federal participation is more likely to occur when firms are under attack from nation states. Even though paying a ransom might not be an option in some circumstances, crucial information can still be obtained.

“We try to identify who they are as quickly as possible, but also being thorough to ensure we’re not paying anybody we’re not,” Crocker said.

Leave a Reply

Your email address will not be published. Required fields are marked *