The average ransomware loss hit $353,000 this year 📈

Coalition Claims Chronicles: ‘Please, do not ignore this message’

Featured Image for Coalition Claims Chronicles: ‘Please, do not ignore this message’

The last thing you want is to have your business disrupted by a cybersecurity failure. Nobody expects to be the victim of a ransomware attack, funds transfer loss, or data breach. But, once a cyber incident occurs, it’s important to know you have a team of experts ready to help you figure out what happened — and what happens next. This series shares real stories from Coalition policyholders who navigated a cyber insurance claim. The organizations will remain anonymous to protect their privacy and security.

This is not an email you want to receive.

Subject: DDoS attack reason. Please, don't ignore this message

Text: Hello, dear representatives of [COMPANY]. As you may have noticed, DDOS attacks are periodically made on your site. I must say that it makes the organization of [redacted]. We are not satisfied with a lot of things in your site, as well as pricing policy, your attitude to customers, and so on. We are ready to make concessions to you, if you [give us free stuff], then DDoS attacks on your resource will be over. Please do not ignore this message, otherwise you will only get worse 😍

Side note: This email was edited to remove specifics, but the spelling and grammar have not been changed, including the emoji. DDoS = Distributed Denial of Service. This type of attack is used to flood online resources to exhaustion with the goal of taking a service offline. Think of your internet-facing applications connected through a series of pipes. These pipes are designed to handle a certain amount of water, and a DDoS attack is an unexpected flood that prevents your real customers from reaching you.

Don’t wait to take action

Sometimes, this kind of note is just noise or an empty threat — but our customer had experienced once-daily attacks which took their store offline for 4-5 minutes each time.

This email was passed from the customer support team to the CEO. No economic damage, yet. But even with the demanded items only valued at $400, the company didn’t want to pay and possibly face repeat demands, which was the likely outcome.

The CEO reached out to Coalition, using our standard communication channel, approaching 9 pm California time. We responded within 20 minutes, and within an hour, we were on the phone with the CEO.

After a brief explanation, and details of efforts to date, the CEO looped in the company’s IT team which runs their custom e-commerce infrastructure. We started a multi-time zone call to dive in, combing through logs, reviewing DNS settings, and digging into firewall configurations. The customer was already using Cloudflare, a service recommended by Coalition (see below), but over the years, some of the choices made while operating their business left the company with some holes in their defenses.

Cyber risk is different from, say, climate risk. The nature of cyber threats is constantly evolving. Worse yet, one of the elements that makes cyber risk different is that it’s so dynamic; there is a human adversary on the other side of the attack, and when we make a move, the adversary may respond.

During the conversation, the company updated its AWS security groups, proxied (protected) more traffic through Cloudflare, and changed their server’s public IP address. Those helped, but there was still a vulnerability.

After some more back-and-forth, we uncovered a firewall rule put in place long ago which allowed all traffic from the United States through, regardless of other protections.

whitelist-us

Since the company is focused on its US business, the goal was to avoid blocking any possible customers. Unfortunately, networks used in DDoS attacks include plenty of US traffic, too.

Lesson: Even if your customer base is only from one country, it’s dangerous to allow all traffic from anywhere.

Once this rule was removed, all was well. The attackers returned in the following days, but their throttled attempts were not disruptive, and the attack activity stuck out like the proverbial sore thumb — easy to mitigate.

How does insurance help with DDoS?

Business interruption is the key coverage in play. If a security failure such as a DDoS disrupts your business, you may qualify for lost income and expenses under your insurance policy. This coverage typically has a time-based deductible, known as a waiting period, as well as a dollar based self-insured retention.

Coalition is unique in the marketplace in that our waiting period does not act as a deductible, just a trigger for the time period that a business interruption must satisfy prior to coverage being available. Several services qualify for Coalition’s enhanced waiting period, which means less interruption (only 1 hour) before coverage kicks in.

Of those services, Coalition has the most experience with Cloudflare, and the price is right. Even Cloudflare’s free service includes notable DDoS protection.

Coalition’s pre-claims assistance is one of the benefits included with our insurance. Essentially, your insurance premium with Coalition puts expertise on your side, but you don’t have to wait for something to go wrong to lean on our in-house experts. We describe our team as a collection of very biased experts — biased in favor of anything that reduces our customers’ losses.

Personal note: Before Coalition, I was the Head of Product at Cloudflare, so I know this problem inside and out. While at Cloudflare, I personally helped mitigate some significant attacks, including one against the NYTimes in 2013. Others on our team have impressive experience with other kinds of cyber attacks, and I’m grateful to work with them and learn from them every day.

While this customer qualified for Coalition’s enhanced waiting period, the CEO was smart enough to not wait until there was a significant problem, so they didn’t need to file a claim. After all, every customer prefers to avoid a bad day (or wants to reduce the impact of a bad day) even with the financial resilience of Coalition insurance available if all else fails.

Tip: All policyholders with an issue, please call 24x7 toll free at +1 833 866 1337 or email claims@coalitioninc.com. The sooner the better.

We love the opportunity to help our customers solve cyber risk before there’s a problem. We are ready to help when things are at their worst, and my colleagues will share some of those stories soon. But it’s easier, more profitable, and more rewarding, to go around the (virtual) pothole or pave it over instead of hitting it at full speed and then worrying about repairs.

After-action report

All of the above happened months ago, in July 2020.

Our best reward? Four months later, the customer renewed their Coalition cyber insurance for another year, with these kind words shared by their insurance broker: “I spoke to the insured this morning regarding the renewal and he shared how satisfied he had been with his interaction with your staff in regards to the recent DDoS incident. He found your staff to be very knowledgeable and helpful.

What you should know

When it comes to your business, speed and expertise matter. Coalition brings a deep understanding of cyber risk to bear instantly. The faster you request help as a policyholder, the faster you get back to business.

Coalition’s Claims and Security Incident Response teams respond immediately to keep our policyholders safe after an incident, at no additional cost. If you have questions about our claims process or ways to better protect yourself, feel free to reach out to our team.