Cyber forensics: helping businesses deal with the aftermath of a cyber attack

Created four years ago by cyber insurance and information security expert Anthony Hess and co-founder senior forensics expert Neil Meikle, London-based Asceris has grown considerably and now employs 19 people in the UK, Germany, Canada and the US.

“Our services primarily break down into solutions to address common incident types seen in a cyber claim: email compromises, ransomware, and data breaches. We also have built capabilities in cyber threat intelligence and dark web monitoring to support those service lines,” Hess explains.

With a focus wholly on the insurance industry, Asceris has already become the go-to incident response company for several global insurers and Hess has big plans to expand across more geographical regions.

An insurance-focused response team

“We’re employee owned and built around the insurance market so we can do things that are less immediately commercially viable, as opposed to being in a big company or an investor-driven one where there’s more of a focus on immediate payback,” says Hess.

“Companies like Asceris can help accelerate the pace at which these businesses can get back up and running.” Anthony Hess, Asceris

While other companies were cashing in on “the ransomware boom”, as Hess calls it, Asceris decided to take a more focused route. “We wanted to make the best business email compromise response that anybody’s ever seen, so that’s what we did,” he says.

“We said to ourselves: ‘nobody else is going to try this hard, because they’re such tiny cases.’” So that was the strategy: to do something that nobody else cared for, and do a really good job of it. That was our first service.”

Fast-forward a few years and the company now deals with other incident types and can offer clients different options according to their needs.

“We gather intelligence on threat actors and can also help with negotiations. We have built an end-to-end ransomware solution: whether it’s in-sourced or we work with partners, we’re able to provide that response to people.”

Data breach is another area that keeps Asceris busy. Once data has been stolen, the company can step in and speed up the investigative process. “Attackers say: ‘we’re going to release this data if you don’t give us money’, so we help the client figure out what data was stolen, whose data it was, and how they are impacted,” Hess explains.

“Using various automated tools we analyse what the data was, and we have partners who do the manual review work.”

At the insurer’s side

Cyber forensics is not just about data breaches and ransomware. Another aspect of this fast-growing industry is dark web monitoring. “Sometimes after an attack, the attackers have stolen data and threaten to post it on the dark web,” Hess says.

“Asceris will watch these dark websites to make sure the data hasn’t been leaked—clients do like us for this particular service.”

Although cyber is still a niche area of insurance, cyber forensics are already playing a vital part in the claims process and Asceris is keen to be at the forefront of the market.

“If there is a cyber claim, we want to be the provider that insurance companies can turn to,” states Hess. “When people say: ‘I have an insurance policy so I’ll call my insurer’, that’s where we fit in.”

He wants more insurers to direct their clients to Asceris, where the team can start investigations to help minimise business interruption costs.

Asceris also works closely with the legal industry, allowing insurance companies to carry out necessary investigations while adhering to strict money laundering regulations.

When a company is forced to pay a ransomware attacker, “you need to know who you’re paying”, Hess stresses. “You can’t just send money off to a random group and hope for the best. We do intelligence work to figure out who the attacker is, by closely monitoring the dark web and spotting technical details”

“If you’re writing primary insurance to small or mid-sized businesses who don’t have their own response solution set up, the cyber insurer is providing that response solution. We do the technical part.”

Taking on the threat actors

“Clients come to us after a ransomware attack and they want answers,” Hess says. “First, we find out if the company is safe. How did the attackers get in, is the way they got in closed down, and are they out of the network now? Then we turn to the data: what sensitive data did they steal and from whom?”

What happens when an attacker brings down a company’s entire network, including backups, and nothing works at all? Hess is clear: “Our job sometimes involves negotiating the smallest ransom possible that the attacker will accept in order for them to delete the data or give the client the encryption key to get a business going again.

“In these situations, the insurer is generally on the hook and paying business interruption costs. Companies like Asceris can help accelerate the pace at which these businesses can get back up and running.”

Investigating stolen data, rebooting networks and negotiating with threat actors are all in a day’s work for Asceris but, Hess admits, there is one particular situation that can be challenging.

“The time pressure of a ransomware attack is probably the most challenging thing we deal with because you need a lot of specialist expertise, but there is not a lot of time and you have to make quick decisions,” he says.

“Ransom negotiation can be a stressful part of that, depending on the attackers, although sometimes we run into attackers who are extremely nice and friendly. It’s funny to see the different approaches, such as: ‘don’t worry, you have another day, we’re not going to leak your data, nobody stress’, versus much more aggressive ones who say: ‘pay right now, or we’re going to leak your files’.

“Anything that adds to the intense time pressure around a cyber incident is the most stressful part of what we do.”

Employing a company such as Asceris and partnering with seasoned experts in the information technology world to take on the stress of managing a cybersecurity incident response is possibly the way forward for insurers in the future.

Anthony Hess is a cyber insurance podcaster and the chief executive officer of Asceris. He can be contacted at: ahess@asceris.com

Discover key insights into the cyber insurance market by tuning into the Asceris Podcast. Click here to listen and stay ahead of the curve!

Did you get value from this story? Sign up to our free daily newsletters and get stories like this sent straight to your inbox.