Page 1: Cyber Incident Response Proposed Strategies

Cyber Incident Response Proposed Strategies

Presented by:

Kemar Williams
Information Security Incident Response Management

University of Technology, Jamaica
September 23, 2017

Page 2: Cyber Incident Response Proposed Strategies

www.opensecurityalliance.org RGIT, Mumbai 02/24

IRP - Strategies

IR Preparation

Identify Attack Vectors

How is the Attack Deployed

Detection Strategies

Analysis Strategies

Prevention Strategies

  Email

  Network

  End User

Recovery & Review

Page 3: Cyber Incident Response Proposed Strategies

Incident Preparation

Organize an IR operation centre.

Have end users and IR team members trained in responding to a ransomware incident.

Prepare an incident response contact list.

Provide backup storage.

Provide supplies in the event of an incident:

• Notebooks & pens

• Laptops, multifunction printer, backup UPS and batteries

Provide software to:

• Perform computer analysis (anti-virus, anti-malware etc.)

• Recover data from infected hard drives.

• Recover passwords for locked computers.

Equip the IR operation centre with rations and petty cash.

Provide law enforcement contact numbers.

Page 4: Cyber Incident Response Proposed Strategies

Identifying The Attack Vectors

Fig. 1 Attack Vectors

Page 5: Cyber Incident Response Proposed Strategies

How is The Attack Deployed

• Comes as an email attachment.

• Often very generic, but could include a real vendor name or even your company name.

• Once opened, the ransomware silently begins encrypting all the files it can, without any user interaction or notification.

• Locks the user screen, displaying a ransom notification with an expiry date.

• Payment is usually demanded in bitcoins.

• Paying the ransom increases the risk of future attacks.

Page 6: Cyber Incident Response Proposed Strategies

Detection Strategies

Detection:

Set up a file activity monitoring application such as LANGuardian to:

Keep both a real-time and a historical record of all file and folder activity on the network file shares.

Monitor for an increase in file renames. When ransomware strikes, it results in a massive increase in file renames as your data gets encrypted.

Update Intrusion Detection Systems (IDS) with exploit kit detection rules.

Create a sacrificial network share drive.

When ransomware strikes, it typically looks for local files first and then moves on to network share drives.

A sacrificial network share can act as an early warning system and also delay the ransomware from getting to your critical data.

Use client-based anti-ransomware agents.
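The rename-rate signal on this slide is easy to turn into a detector once the file activity monitor can export its records. The script below is an added example, not code from the slides or from LANGuardian; it assumes a constructed CSV export (timestamp,user,host,op,path, with rename rows carrying "old -> new" in the path field) and fires one alert per actor when renames inside a sliding window exceed a threshold, plus a second, earlier signal when files of several original types are all renamed to one new extension. Thresholds are assumptions to be set above your own measured baseline.

```python
"""Rename-burst detector over file-share activity logs.

Added illustration, not code from the slides or from any monitoring product.
It assumes the monitor exports one line per file operation in the constructed
CSV shape built below (timestamp,user,host,op,path); adapt parse_log() to your
tool's real export format. Rename lines carry "old -> new" in the path field.
"""
import csv
import io
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 50   # renames per actor per window; set above your measured baseline
EXT_THRESHOLD = 20     # files of >= 3 original types renamed to one new extension


def build_sample_log():
    """Constructed sample: routine work from alice, then a rename storm from bob's host."""
    base = datetime(2017, 9, 23, 9, 0, 0)
    lines = [
        "timestamp,user,host,op,path",
        f"{base.isoformat()},alice,WS-01,read,//FS01/finance/q3.xlsx",
        f"{(base + timedelta(seconds=5)).isoformat()},alice,WS-01,rename,"
        "//FS01/finance/q3.xlsx -> //FS01/finance/q3-final.xlsx",
        f"{(base + timedelta(seconds=40)).isoformat()},alice,WS-01,write,//FS01/finance/q3-final.xlsx",
    ]
    storm = datetime(2017, 9, 23, 9, 15, 0)
    kinds = ["docx", "xlsx", "pdf", "jpg"]
    for i in range(60):                       # one rename per second for a minute
        old = f"//FS01/shared/file{i:03d}.{kinds[i % 4]}"
        lines.append(f"{(storm + timedelta(seconds=i)).isoformat()},bob,WS-07,rename,{old} -> {old}.locked")
    return "\n".join(lines) + "\n"


def parse_log(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def _ext(path):
    return os.path.splitext(path)[1].lower()


def detect_rename_bursts(rows, window=WINDOW, burst_threshold=BURST_THRESHOLD,
                         ext_threshold=EXT_THRESHOLD):
    """Return one alert per actor for (a) a rename burst inside `window` and
    (b) many files of different types converging on a single new extension."""
    recent = defaultdict(deque)                          # actor -> rename times in window
    ext_count = defaultdict(lambda: defaultdict(int))    # actor -> new ext -> renames
    ext_sources = defaultdict(lambda: defaultdict(set))  # actor -> new ext -> original exts
    fired, alerts = set(), []
    for row in sorted(rows, key=lambda r: r["timestamp"]):
        if row["op"] != "rename":
            continue
        actor, ts = (row["user"], row["host"]), row["timestamp"]
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > window:                        # expire renames outside the window
            q.popleft()
        old_path, _, new_path = row["path"].partition(" -> ")
        new_ext = _ext(new_path)
        ext_count[actor][new_ext] += 1
        ext_sources[actor][new_ext].add(_ext(old_path))
        if (ext_count[actor][new_ext] >= ext_threshold
                and len(ext_sources[actor][new_ext]) >= 3
                and ("ext", actor, new_ext) not in fired):
            fired.add(("ext", actor, new_ext))
            alerts.append({"type": "mass_extension_change", "user": actor[0], "host": actor[1],
                           "new_ext": new_ext, "count": ext_count[actor][new_ext],
                           "at": ts.isoformat()})
        if len(q) >= burst_threshold and ("burst", actor) not in fired:
            fired.add(("burst", actor))
            alerts.append({"type": "rename_burst", "user": actor[0], "host": actor[1],
                           "count": len(q), "window_s": int(window.total_seconds()),
                           "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_rename_bursts(parse_log(build_sample_log())):
        print(alert)
```

The extension-convergence rule fires on the 20th rename, well before the raw rate threshold, which matters because every second of warning is files you keep; pair either alert with an automatic action such as disabling the SMB session or the user account named in the alert.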

Page 7: Cyber Incident Response Proposed Strategies

Analysis and Documentation Strategies

After the detection of a ransomware infection, the next step is gathering information on the incident by analyzing the scope of the attack. Depending on the ransomware variant, the following will be conducted:

Disconnect and quarantine infected computer(s).

Determine the scope of the infection. Check the following for signs of encryption:

a. Mapped or shared drives

b. Mapped or shared folders from other computers

c. Network storage devices of any kind

d. External hard drives

e. USB storage devices of any kind (USB sticks, memory sticks, attached phones/cameras)

f. Cloud-based storage: Dropbox, Google Drive, OneDrive etc.

Determine the ransomware strain:

a. What strain/type of ransomware? For example: CryptoWall, TeslaCrypt etc.

Determine the response:

a. Now that you know the scope of your encrypted files as well as the strain of ransomware you are dealing with, you can make a more informed decision as to what your next action will be.
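Checking each of the locations in the list by hand does not scale, so here is an added example (not from the slides) of a sweep that walks the mounted locations and records three signs of encryption: a known ransom-note filename, a known ransomware extension, and a file whose bytes look random although its extension promises a recognisable header. The indicator tables are deliberately short and are assumptions for the demo (HELP_DECRYPT.* notes were dropped by CryptoWall, the .ecc/.vvv/.micro extensions by TeslaCrypt versions); maintain them from your own threat intelligence. The sample tree is constructed in a temporary directory.

```python
"""Scope an infection: sweep the locations on the slide for signs of encryption.

Added example, not from the slides. The indicator tables are deliberately
short and assumed: HELP_DECRYPT.* notes were dropped by CryptoWall and the
.ecc/.vvv/.micro extensions by TeslaCrypt versions; keep them current from
your own threat intelligence. Everything under build_sample_tree() is
constructed test data written to a temporary directory.
"""
import math
import os
import tempfile
from collections import Counter

RANSOM_NOTES = {"HELP_DECRYPT.TXT": "CryptoWall", "HELP_DECRYPT.HTML": "CryptoWall"}
RANSOM_EXTS = {".ecc": "TeslaCrypt", ".vvv": "TeslaCrypt", ".micro": "TeslaCrypt",
               ".locked": "unknown (generic extension)"}
# Formats that are legitimately high-entropy; a matching header means "probably intact".
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; random/encrypted data sits near 8.0
MIN_SIZE = 1024           # skip tiny files, where entropy estimates are noisy


def shannon_entropy(data):
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path):
    """Return (finding, strain_hint); finding is 'ok' when nothing looks encrypted."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    if name.upper() in RANSOM_NOTES:
        return "ransom_note", RANSOM_NOTES[name.upper()]
    if ext in RANSOM_EXTS:
        return "encrypted_extension", RANSOM_EXTS[ext]
    try:
        if os.path.getsize(path) < MIN_SIZE:
            return "ok", None
        with open(path, "rb") as fh:
            head = fh.read(65536)
    except OSError:
        return "unreadable", None
    if ext in MAGIC and head.startswith(MAGIC[ext]):
        return "ok", None                     # header intact: not encrypted in place
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "high_entropy", None           # random-looking bytes, no recognisable header
    return "ok", None


def scope_infection(roots):
    """Walk each root (mapped drive, USB device, cloud sync folder, ...) and
    return {root: {relative_path: (finding, strain_hint)}} for the suspicious files."""
    report = {}
    for root in roots:
        hits = {}
        for dirpath, _, files in os.walk(root):
            for fn in files:
                full = os.path.join(dirpath, fn)
                finding, strain = classify_file(full)
                if finding != "ok":
                    hits[os.path.relpath(full, root).replace(os.sep, "/")] = (finding, strain)
        report[root] = hits
    return report


def build_sample_tree():
    """Constructed share: one intact workbook, one TeslaCrypt-style file, a ransom
    note, a JPEG overwritten in place (extension kept, header gone), plain notes."""
    root = tempfile.mkdtemp(prefix="scope-demo-")
    files = {
        "finance/q3.xlsx": b"PK\x03\x04" + os.urandom(8192),
        "finance/budget.docx.vvv": os.urandom(8192),
        "finance/HELP_DECRYPT.TXT": b"Your files have been encrypted. Pay to recover them.\n",
        "photos/holiday.jpg": os.urandom(8192),
        "notes.txt": b"meeting notes, nothing sensitive\n" * 100,
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def run_demo():
    root = build_sample_tree()
    return scope_infection([root])[root]


if __name__ == "__main__":
    for rel, (finding, strain) in sorted(run_demo().items()):
        print(f"{finding:20} {strain or '-':12} {rel}")
```

Run it read-only from a clean analysis host against the mounted shares, USB devices and cloud sync folders, never from the infected machine. The entropy rule catches strains that keep the original filename, which the extension and note tables miss; the strain hint from the note or extension is what you take to the "determine response" step.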

Page 8: Cyber Incident Response Proposed Strategies

Analysis and Documentation Strategies – Cont’d

Emron Technologies Inc. Incident Reporting Form

LOCATION: ____________          NAME OF DEPT./DIVISION: ____________

Employee Name: ____________     Ext No: ________     E-MAIL ADDRESS: ____________

Date of Incident: ________      Time of Incident: ________

Who Notified: ____________      Time of Notification: ________

Brief Description of Incident:

No. of Hosts Infected: ____________

Host IP Address: ____________

Operating System: ____________

Impact Level (0 to 7):

Severe      7  6
Major       5  4  3
Minor       2  1
Negligible  0

Reporting Staff Name: _________________ Signature: ___________________ Date: ______________

CISO Name: ________________ Signature: ___________________ Date: ______________

Page 9: Cyber Incident Response Proposed Strategies

Prevention Strategies

Prevention – Email:

Enable strong spam filters to prevent phishing emails from reaching the end

users and authenticate inbound email using

Scan all incoming and outgoing emails to detect threats, and filter executable files so that they never reach end users.

Scan and filter all downloads.
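Filtering "executable files" needs more than an extension list: the attachment on page 5 arrives named like an invoice, and the ransomware era this deck describes also used zip archives carrying .js or .exe droppers. The following is an added example, not code from the slides or from any mail gateway, of the attachment policy a practitioner would want: block on a known executable extension, on a PE (MZ) header whatever the name says, or on such a member inside a zip; quarantine an archive that cannot be inspected. The .eml built in build_sample_eml() is constructed test data, and the policy choices are assumptions.

```python
"""Gateway-style attachment filter: keep executables away from end users.

Added example, not from the slides or any mail product. The policy is an
assumption: a filename extension from the executable list, a PE header
regardless of extension, or such a file inside a zip archive blocks the
message; an archive we cannot inspect is quarantined for a human. The
message built in build_sample_eml() is constructed test data.
"""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".dll", ".cpl",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".jar"}
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"


def _ext(name):
    return os.path.splitext((name or "").lower())[1]


def attachment_verdict(filename, data):
    """Return (verdict, reason): check the name, then the bytes, then archive members."""
    if _ext(filename) in EXECUTABLE_EXTS:
        return "block", f"executable extension {_ext(filename)}"
    if data[:2] == PE_MAGIC:
        return "block", "PE header although the name claims otherwise"
    if data[:4] == ZIP_MAGIC:                 # also covers docx/xlsx, which are zip containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if _ext(member.filename) in EXECUTABLE_EXTS:
                        return "block", f"archive contains {member.filename}"
                    try:
                        with zf.open(member) as fh:
                            if fh.read(2) == PE_MAGIC:
                                return "block", f"archive member {member.filename} is a PE file"
                    except RuntimeError:      # password-protected member: cannot inspect
                        return "quarantine", f"encrypted archive member {member.filename}"
        except zipfile.BadZipFile:
            return "quarantine", "unreadable zip archive"
    return "allow", "no executable indicators"


def scan_message(raw):
    """Parse raw RFC 5322 bytes and return [(filename, verdict, reason)] per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        verdict, reason = attachment_verdict(name, data)
        results.append((name, verdict, reason))
    return results


def message_action(results):
    """Worst verdict wins: block > quarantine > allow."""
    order = {"block": 2, "quarantine": 1, "allow": 0}
    return max((v for _, v, _ in results), key=order.get, default="allow")


def build_sample_eml():
    """Constructed lure: a real PDF, a PE file named like a PDF, and a zip hiding an .exe."""
    msg = EmailMessage()
    msg["From"] = "billing@vendor.example"
    msg["To"] = "accounts@company.example"
    msg["Subject"] = "Invoice 4471 overdue"
    msg.set_content("Please find the attached invoice.")
    msg.add_attachment(b"%PDF-1.4\n%constructed invoice body\n", maintype="application",
                       subtype="pdf", filename="invoice-4471.pdf")
    msg.add_attachment(PE_MAGIC + b"\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice-4471_copy.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_viewer.exe", PE_MAGIC + b"\x90\x00")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    verdicts = scan_message(build_sample_eml())
    for name, verdict, reason in verdicts:
        print(f"{verdict:10} {name:28} {reason}")
    print("message action:", message_action(verdicts))
```

Note what this does not cover: Office documents with macros pass the zip check because they contain no PE or script-extension members, so macro handling still belongs to the anti-malware engine or to a "block macros from the internet" policy on the endpoint.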

Page 10: Cyber Incident Response Proposed Strategies

Prevention Strategies – Cont’d

Prevention – Network:

Segment the network by creating VLANs.

This will contain a ransomware infection and slow down its propagation.

Configure the firewall to block access to known malicious IP addresses.

Patch operating systems and application software, and update firmware on network devices. Consider using a centralized patch management system.

Configure the enterprise security suite to perform daily scans of the network and endpoints automatically.

Virtualize servers.

Maintain an offsite backup of crucial servers and data.

Page 11: Cyber Incident Response Proposed Strategies

Prevention Strategies – Cont’d

Prevention – Network: Sacrificial Network
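The sacrificial share appears twice in the deck, as an early-warning and delaying tactic on page 6 and as the network control on this slide, so one added example serves both (it is not code from the slides). It seeds a decoy share with files that look worth encrypting, stores a SHA-256 baseline away from the share, and reports any missing, modified or unexpected file on each check; simulate_encryptor() is a constructed stand-in for ransomware reaching the share. The file names, the temporary directory standing in for the share, and the check cadence are assumptions.

```python
"""Sacrificial (canary) share: seed decoy files, baseline them, and alert on any change.

Added example, not from the slides. Assumptions: the decoy share is reachable
as a local path from the monitoring host, the file names are chosen only to
look worth encrypting, and simulate_encryptor() is a constructed stand-in for
ransomware touching the share (overwrite, rename, drop a note).
"""
import hashlib
import os
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def seed_canaries(share_root, count=20):
    """Create decoy files and return {name: sha256} as the baseline to store off-share."""
    os.makedirs(share_root, exist_ok=True)
    baseline = {}
    for year in range(2000, 2000 + count):
        name = f"Accounts_Payable_{year}.xlsx"       # attractive name; content does not matter
        path = os.path.join(share_root, name)
        with open(path, "wb") as fh:
            fh.write(f"canary {year}\n".encode() * 128)
        baseline[name] = _sha256(path)
    return baseline


def check_canaries(share_root, baseline):
    """Compare the share against the baseline; any difference is an alert."""
    present = set(os.listdir(share_root))
    alerts = []
    for name, digest in baseline.items():
        if name not in present:
            alerts.append(("missing_or_renamed", name))
        elif _sha256(os.path.join(share_root, name)) != digest:
            alerts.append(("modified", name))
    for name in sorted(present - baseline.keys()):
        alerts.append(("unexpected_file", name))      # renamed copies and ransom notes
    return alerts


def simulate_encryptor(share_root):
    """Constructed stand-in for ransomware: overwrite, rename, leave a note."""
    for name in os.listdir(share_root):
        path = os.path.join(share_root, name)
        with open(path, "wb") as fh:
            fh.write(os.urandom(4096))
        os.rename(path, path + ".locked")
    with open(os.path.join(share_root, "HELP_DECRYPT.TXT"), "w") as fh:
        fh.write("Your files are encrypted.\n")


def run_demo():
    share = tempfile.mkdtemp(prefix="canary-share-")
    baseline = seed_canaries(share)
    before = check_canaries(share, baseline)     # expect: nothing
    simulate_encryptor(share)
    after = check_canaries(share, baseline)      # expect: every canary gone, .locked files + note
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("clean share alerts:", before)
    print(f"after encryptor: {len(after)} alerts, e.g. {after[:3]}")
```

Run check_canaries() on a short schedule (a minute or less) from the monitoring host, keep the baseline off the share, and treat a single alert as the trigger to identify the SMB session that wrote to the decoy and cut that host off. Nobody should legitimately write there, so the false-positive rate is close to zero.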

Page 12: Cyber Incident Response Proposed Strategies

Prevention Strategies – Cont’d

Prevention – End User:

Install anti-virus/anti-malware software.

Recommend the use of Google Chrome instead of Internet Explorer.

Disable execution of scripts running in the browser.

Download and install Microsoft Windows/security updates.

Disable the use of thumb drives.

Page 13: Cyber Incident Response Proposed Strategies

Recovery and Review

Restore from backup (if possible)

Now that you’ve contained the infection and put the rest of your users on guard, the

best way to fix your user’s computer without paying the ransom is to restore it from

your backup. Before you wipe the computer, however, make sure your backup is up-

to-date and that you have a good copy of that data. You don’t want to hit the nuke

button and realize your last backup was two months ago.
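The "last backup was two months ago" failure is cheap to check mechanically before anyone hits the nuke button. Below is an added example, not from the slides, of a pre-wipe verification: it reads a backup manifest, refuses a backup older than the allowed age, and confirms every catalogued copy is present and still matches its recorded SHA-256. The manifest.json layout is a constructed convention for this demo (real backup software has its own catalogue to query), and the sample backup sets, one fresh and intact and one stale and damaged, are built in temporary directories.

```python
"""Pre-wipe backup check: is the backup fresh, complete, and intact?

Added example, not from the slides. It assumes the backup job writes a
manifest.json beside the copied files listing each file name, its sha256
and the time the set was captured (a constructed convention for this demo);
real backup software has its own catalogue to query instead.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=1)   # the "last backup was two months ago" guard; tune to your RPO


def verify_backup(backup_dir, now=None, max_age=MAX_AGE):
    """Return (ok, findings); findings are (kind, detail) with kind in
    stale / empty / missing / corrupt. ok is True only when there are none."""
    now = now or datetime.now(timezone.utc)
    with open(os.path.join(backup_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    findings = []
    captured = datetime.fromisoformat(manifest["captured_at"])
    if now - captured > max_age:
        findings.append(("stale", f"captured {captured.isoformat()}"))
    if not manifest["files"]:
        findings.append(("empty", "manifest lists no files"))
    for entry in manifest["files"]:
        copy = os.path.join(backup_dir, "data", entry["name"])
        if not os.path.exists(copy):
            findings.append(("missing", entry["name"]))
            continue
        with open(copy, "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != entry["sha256"]:
                findings.append(("corrupt", entry["name"]))   # changed after being catalogued
    return (not findings), findings


def build_sample_backup(captured_at, damaged=False):
    """Constructed backup set. With damaged=True one copy is overwritten after
    cataloguing and one was never written, the two things a restore would hit."""
    root = tempfile.mkdtemp(prefix="backup-demo-")
    os.makedirs(os.path.join(root, "data"))
    files = {"q3.xlsx": b"intact workbook\n" * 50,
             "budget.docx": b"budget\n" * 50,
             "plan.pptx": b"plan\n" * 50}
    manifest = {"captured_at": captured_at.isoformat(), "files": []}
    for name, data in files.items():
        with open(os.path.join(root, "data", name), "wb") as fh:
            fh.write(data)
        manifest["files"].append({"name": name, "sha256": hashlib.sha256(data).hexdigest()})
    if damaged:
        with open(os.path.join(root, "data", "budget.docx"), "wb") as fh:
            fh.write(os.urandom(512))
        os.remove(os.path.join(root, "data", "plan.pptx"))
    with open(os.path.join(root, "manifest.json"), "w") as fh:
        json.dump(manifest, fh)
    return root


def run_demo():
    now = datetime(2017, 9, 23, 12, 0, tzinfo=timezone.utc)
    fresh = verify_backup(build_sample_backup(now - timedelta(hours=6)), now=now)
    stale = verify_backup(build_sample_backup(now - timedelta(days=60), damaged=True), now=now)
    return fresh, stale


if __name__ == "__main__":
    for label, (ok, findings) in zip(("fresh set", "stale set"), run_demo()):
        print(f"{label}: {'OK to restore' if ok else 'DO NOT WIPE YET'} {findings}")
```

Hash verification is what distinguishes "a backup exists" from "a good copy exists": a backup job that ran after the infection started will happily catalogue encrypted files, so the recorded hashes must come from before the incident, and a backup volume the infected host could write to should be treated as suspect until checked this way.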

Training:

Conduct training for existing and new employees to raise awareness of the risks of ransomware attack vectors. Remind employees never to click on unsolicited links or attachments. Emails from unknown sources should be treated with suspicion.

Page 14: Cyber Incident Response Proposed Strategies

THE END
