cyber incident response proposed strategies
Post on 22-Jan-2018
Cyber Incident Response Proposed Strategies
Presented by:
Kemar Williams
Information Security Incident Response Management
University of Technology, Jamaica
September 23, 2017
www.opensecurityalliance.org RGIT, Mumbai 02/24
IRP - Strategies
IR Preparation
Identify Attack Vectors
How is the Attack Deployed
Detection Strategies
Analysis Strategies
Prevention Strategies
Network
End User
Recovery & Review
Incident Preparation
Organize IR Operation Centre.
Have end users and IR team members trained in responding to a ransomware.
Prepare incident response contact list.
Provide backup storage
Provide supplies in the event of an incident:
Notebooks & pens
Laptops, Multifunction Printer, backup UPS and batteries
Provide Software to:
• Perform Computer Analysis (anti-virus, anti-malware etc.)
• Recover data from infected hard drives.
• Recover passwords for locked computers
Equip IR operation center with rations and petty cash
Provide law enforcement contact numbers
Identifying The Attack Vectors
Fig. 1 Attack Vectors
How is The Attack Deployed
• Comes as an attachment.
• Often very generic, but could include a real vendor name or even your company name.
• Once opened, the ransomware silently begins encrypting all the files it can, without any user interaction or notification.
• Locks the user screen, displaying a ransom notification with an expiry date.
• Payment is usually in bitcoins.
• Paying the ransom increases the risk of future attacks.
Detection Strategies
Detection:
Set up a file activity monitoring application such as LANGuardian to:
Keep both a real-time and a historical record of all file and folder activity on the network file shares.
Monitor increases in file renames: when ransomware strikes, it results in a massive increase in file renames as your data gets encrypted.
Update Intrusion Detection Systems with exploit kit detection rules.
Create a sacrificial network share drive.
When ransomware strikes, it typically looks for local files first and then moves on to network share drives.
A sacrificial network share can act as an early warning system and also delay the ransomware from reaching your critical data.
Use client-based anti-ransomware agents.
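As an added example (not from the presentation), the rename-burst and sacrificial-share checks above applied to a constructed share-activity log; the log format, the threshold of five renames per user per minute, and the share name `\\fs1\zz_canary` are all assumptions:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample share-activity log: "timestamp user operation path[ -> newpath]".
# Not output from any real product; the share and user names are invented.
SAMPLE_LOG = r"""
2017-09-23T09:00:05 bob rename \\fs1\hr\draft.docx -> \\fs1\hr\policy_v2.docx
2017-09-23T09:01:10 alice rename \\fs1\finance\q3.xlsx -> \\fs1\finance\q3.xlsx.locked
2017-09-23T09:01:11 alice rename \\fs1\finance\q2.xlsx -> \\fs1\finance\q2.xlsx.locked
2017-09-23T09:01:11 alice rename \\fs1\finance\budget.docx -> \\fs1\finance\budget.docx.locked
2017-09-23T09:01:12 alice rename \\fs1\finance\notes.txt -> \\fs1\finance\notes.txt.locked
2017-09-23T09:01:13 alice rename \\fs1\finance\plan.pptx -> \\fs1\finance\plan.pptx.locked
2017-09-23T09:01:20 alice write \\fs1\zz_canary\DO_NOT_TOUCH.docx
"""

RENAME_THRESHOLD = 5               # renames by one user within WINDOW (assumed tuning value)
WINDOW = timedelta(seconds=60)
CANARY_SHARE = r"\\fs1\zz_canary"  # the sacrificial share; nobody has a reason to touch it

LINE_RE = re.compile(r"^(\S+) (\S+) (read|write|rename) (.+)$")


def parse(line):
    # Returns (timestamp, user, op, [paths]) or None for a line that does not match.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, op, rest = m.groups()
    paths = rest.split(" -> ") if op == "rename" else [rest]
    return datetime.fromisoformat(ts), user, op, [p.strip() for p in paths]


def analyze(log_text):
    """Return alerts as (alert_type, user, detail) tuples, in log order."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of renames inside the sliding window
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, user, op, paths = rec
        if any(p.lower().startswith(CANARY_SHARE.lower()) for p in paths):
            alerts.append(("canary_touch", user, paths[0]))
        if op == "rename":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > WINDOW:        # drop renames older than the window
                q.popleft()
            if len(q) == RENAME_THRESHOLD:   # fire once when the burst crosses the threshold
                alerts.append(("rename_burst", user, f"{len(q)} renames within {WINDOW.seconds}s"))
    return alerts
```

A single rename (bob) stays below the threshold, while alice's five renames inside one minute and her write to the sacrificial share each raise an alert.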
Analysis and Documentation Strategies
After the detection of a ransomware infection, the next step is gathering information on
the incident by analyzing the scope of the attack. Depending on the ransomware variant,
the following will be conducted:
Disconnect and Quarantine infected computer(s)
Determine the Scope of the Infection, Check the Following for Signs of Encryption
a. Mapped or shared drives
b. Mapped or shared folders from other computers
c. Network storage devices of any kind
d. External Hard Drives
e. USB storage devices of any kind (USB sticks, memory sticks, attached
phones/cameras)
f. Cloud-based storage: Dropbox, Google Drive, OneDrive etc.
Determine Ransomware Strain
a. What strain/type of ransomware? For example: CryptoWall, TeslaCrypt etc.
Determine Response
a. Now that you know the scope of your encrypted files as well as the strain of
ransomware you are dealing with, you can make a more informed decision as to
what your next action will be.
Analysis and Documentation Strategies – Cont’d
Emron Technologies Inc. Incident Reporting Form
LOCATION: NAME OF DEPT./DIVISION:
Employee Name: Ext No: E-MAIL ADDRESS:
Date of Incident: Time of Incident:
Who Notified: Time of Notification:
Brief Description of Incident:
No. Of Host Infected: ____________
Host IP Address: ____________
Operating system: ____________
Impact Level (scale 0 to 7): 7 = Severe, 5 = Major, 2 = Minor, 0 = Negligible
Reporting Staff Name: _________________ Signature: ___________________ Date: ______________
CISO Name: ________________ Signature: ___________________ Date: ______________
Prevention Strategies
Prevention – Email:
Enable strong spam filters to prevent phishing emails from reaching the end
users and authenticate inbound email using
Scan all incoming and outgoing emails to detect threats and filter executable files
from reaching end users.
Scan and filter all downloads
Prevention Strategies – Cont’d
Prevention – Network:
Segment the network by creating VLANs.
This will contain the ransomware infection and slow down its propagation.
Configure firewall to block access to known malicious IP addresses
Patch operating systems, application software, and update firmware on network
devices. Consider using a centralized patch management system.
Configure enterprise security suite to perform daily scans of the network and
endpoints automatically.
Virtualize servers
Maintain offsite backup of crucial key servers and data.
Prevention Strategies – Cont’d
Prevention – Network: Sacrificial Network
Prevention Strategies – Cont’d
Prevention – End User:
Install anti-virus/anti-malware software.
Recommend the use of Google Chrome instead of Internet Explorer.
Disable execution of scripts running in the browser.
Download and install Microsoft Windows security updates.
Disable the use of thumb drives.
Recovery and Review
Restore from backup (if possible)
Now that you’ve contained the infection and put the rest of your users on guard, the
best way to fix your user’s computer without paying the ransom is to restore it from
your backup. Before you wipe the computer, however, make sure your backup is up-
to-date and that you have a good copy of that data. You don’t want to hit the nuke
button and realize your last backup was two months ago.
Training:
Conduct training for existing and new employees to raise awareness of the risks of
ransomware attack vectors. Remind employees never to click on unsolicited links or
attachments. Emails from unknown sources should be treated with suspicion.
THE END