It’s been said that the best defense is a good offense. By that same token, many in the information technology community consider former hackers to be among the best cybersecurity consultants.
During his session at the 2026 National Settlement Services Summit (NS3) in Kansas City, Mo., on May 20, educator and consultant Matt Lee spared no details as he broke down how he would go about infiltrating a title agency and holding its data for ransom. Along the way, Lee, who serves as security and compliance senior director at Pax8, shared preventative tips and his philosophy on why cyber defenders should also know how to go on offense.
“So very many defenders don’t go down the path of learning how to be an offender, they don’t learn how to hack, they don’t learn how to do the things and learn the trade craft, and oftentimes that leaves them defenseless in a lot of cases,” Lee said.
To illustrate what it can look like for a title agency to fall victim to a sophisticated and determined cyber attack, Lee walked the crowd through a hypothetical scenario complete with a timeline of events, starting with suspicious, but ultimately ignored, behavior from a caller claiming to be the company's managed service provider (MSP).
“You start your day on Monday morning, just like any other day. As a title company, you come into work … and you get a call from Globex. Globex is introducing a new authentication (process) to make sure they can verify who you are when you call into your MSP,” Lee said. “Now you’re thinking, ‘why are they calling me on my cell?’ But you walk through it. You’re then asked to go to your own website. You’re asked for a few verification steps to make sure that you’re really human. And then you’re dumped off to what you already recognize as a Microsoft sign-in page. You sign in, you get the same push notification, you get the number … you move on, business as usual.”
Later in the cautionary tale, the company's inboxes are flooded with messages from partners, clients, vendors and other contacts asking whether suspicious communications they have received are genuine.
“Thursday morning, you get these emails in your inbox, and I would imagine some of you have dealt with this - tons and tons of emails from your people you work with, saying, ‘Did you send this? Did you guys do this? Was this you?’ Phone calls coming in, people saying they’re getting weird emails from your mailbox,” Lee said.
At this point in the incident, many organizations struggle with whether to contact their insurance providers, Lee said, since there has not yet been a loss, only suspicious email activity and potential reputational harm. So, often, the affected accounts simply get reset (passwords changed and session tokens revoked) on the assumption that this removes the threat actor, and the organization goes back to work.
A month later, however, systems are locked down, employees are barred from doing their jobs and ransomware notices are posted everywhere. Hackers are demanding a payout in return for lifting the lockdown; meanwhile, customers are getting angry and impatient as closings and other critical functions are frozen. The business is effectively paralyzed.
Even when insurance is brought into the loop at this point, Lee said, relief from the incident is still a ways off. Most cyber insurance providers must assign a panel to respond to an incident, which can be a lengthy and complicated process. These panels typically include breach counsel, a digital forensics and incident response (DFIR) team and a ransomware negotiator.
“So you’re waiting, your advisors are saying ‘sorry about the closings,’ until insurance calls back and gets a team assigned,” Lee said. “(Meanwhile,) you’re waiting, and you’re down. I’ve had people send employees home because there’s nothing they can do. I’ve had people bring in trauma counselors because of the anger levels that are happening in spaces.”
As painful as the downtime can be, however, it is important to methodically line up the correct response to any given incident. Ransomware negotiators, Lee clarified, are particularly crucial when the attackers may be foreign nationals targeting a U.S.-based business. If that business pays a ransom to a sanctioned party, it can violate U.S. sanctions administered by the Office of Foreign Assets Control (OFAC) and face enforcement action, something the targeted business absolutely does not want to be responsible for.
“What happens if you pay someone knowingly on an OFAC sanctions list, or even unknowingly, in a lot of cases? It’s not great,” Lee said. “So, ransomware negotiators are often there as a barrier just to actually prove what the threat actor group is and try to make attribution and determine whether they’re on a sanction list that can be paid or not.”
Unfortunately, there is a dark side to the necessity of ransomware negotiators as well. Lee explained that in some instances, negotiators have been paid off by hackers, pushing victims toward higher payouts in exchange for a share of the takings. So, as with all things, diligence is key.
Another crucial part of the response to cybersecurity incidents is the role of breach counsel. Lee explained that it is breach counsel's responsibility to make an expert determination of whether a data breach, in the legal sense, has truly occurred. Lee emphasized that under no circumstances should the word "breach" be used lightly in an official capacity.
“If you take nothing else away from my talk today, unless you are the attorney that is willing to stand behind that from a breach counsel perspective, you do not say the word ‘breach,’ or else you can make it one in quite a few states,” Lee said. “So be careful with that word. Say ‘incident’ or ‘event.’”
Tools of the hacker’s trade
After walking through his hypothetical cybersecurity incident scenario, Lee explained some of the tools used by modern hackers to gain actionable information, infiltrate networks and cover their tracks.
Lee demonstrated various tools available to individuals on either side of the law, including large language models that can automatically comb through millions of webpages for vulnerabilities, source code databases that can be used to build malware, services for creating false identities, and proxies that make intrusions nearly impossible to trace and help erase digital footprints.
The vectors through which malicious actors can break into data environments and steal livelihoods are nearly limitless, but Lee shared reasons for hope, including key security takeaways that can reduce the risk of an incident dramatically. Many of those come down to training, preparedness and awareness.
One key factor of preparedness Lee shared was a caution against "clickfix" attacks. Commonly used by hackers, the ClickFix technique tricks users into running harmful commands by exploiting their desire to fix a minor tech issue or pass a "verify you are human" check. The lure page tells the user to copy a string of text it has placed on the clipboard, open a Windows tool such as the Run dialog (Win+R) or a terminal, paste it and press Enter; the pasted text is actually a command line that downloads and executes the attacker's payload. This method often combines phishing, malvertising and drive-by attacks, impersonating real brands to lower user suspicion.
“This is called clickfix,” Lee said. “It is an attack that is very effective because it lets me get hands on keyboard without having hands on keyboard. I’m asking you to paste just raw text, which does not get caught in filters. It does not get stopped in a lot of cases. I’m asking you to paste raw text and run it at a command line.”
Lee insisted that, in the real world, there would “never” be a legitimate reason for a cybersecurity MSP to ask you to verify your identity with a clickfix, adding that any clickfix request allegedly coming from one’s MSP should be immediate cause for concern.
Other lessons of note that Lee left the audience with included:
- Trust your gut, ask questions
- Keep your website up to date
- If you have cybersecurity insurance, don’t wait to file a claim
- Don’t try to go it alone. MSPs have their limitations and drawbacks, but the worse alternative is dealing with cybersecurity risks without support.