Post on 30-Jun-2020

4 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Incident Response Workshop · 2020-02-07 · Incident Response Workshop Aleksandra Vold Counsel Baker & Hostetler LLP Chicago 312-416-6249 avold@bakerlaw.com Jim Wolford CEO/Founder
Page 2

Incident Response Workshop

Aleksandra Vold

Counsel

Baker & Hostetler LLP

Chicago

312-416-6249

[email protected]

Jim Wolford

CEO/Founder

Atomic Data

Minneapolis, MN

612-466-2100

[email protected]

Bill Hardin

Vice President

Charles River Associates

Chicago

+1-312-619-3309 direct

[email protected]

Dave Wasson

Vice President – Cyber Liability

Practice Leader

Hays Companies

Minneapolis, MN

[email protected]

Page 3

Incident Response Partners

Page 4

HAYS COMPANIES

▪ Founded in 1994

▪ Became part of the Brown & Brown Team in 2018

▪ Full-service insurance brokerage consultancy specializing in:

▪ Employee Benefits

▪ Property & Casualty

▪ Risk Management Consulting

▪ Private Client Group

▪ National Programs

▪ Wholesale Brokerage

▪ Organic growth – we grow client by client

▪ Local presence with national resources

▪ Passionate consultants & unrivaled expertise

▪ A culture built on discipline and customer focus

▪ Our customers are our purpose

▪ Authentic and experienced team who you can place your trust in

▪ Proactive, responsive service with a sense of urgency

Page 5

Insurance - Hays

• Insurance Placement

  • Identify exposures

  • Negotiate coverage terms and conditions

  • Push carriers for new enhancements

• Claims

  • Engage internal claims staff to advocate on client’s behalf

  • Review non-cyber placements for potential coverage

  • Facilitate engagement of legal and forensics firms

Page 6

Legal - Baker & Hostetler

• Act as “breach coach”

• Engage vendors

• Work with your insurer

• Guide forensics

• Identify legal triggers for individual/regulatory/contractual notice

• Quarterback all aspects of notifications/external communications

• Handle regulatory inquiries

Page 7

Having responded to thousands of client matters in the cyber security space, Charles River Associates (“CRA”) deploys a team of experienced operators to tackle disruption and help our clients get back to business as usual. Our team has an expansive set of skills and capabilities to assist our clients as they respond to and recover from a broad spectrum of cybersecurity matters.

CRA Cybersecurity & Incident Response Overview

Our goal is to manage the disruptions and get organizations back to business as usual.

CRA Cyber Security Services: Incident response and investigations; Strategic cyber services; Post-incident review

Extortion

Business Email Compromise

Malware

APT

Internal Investigations

Cyber Due Diligence

Board Reviews

Compromise Assessments

Training

Dark Web Monitoring

Privileged and Confidential - Attorney Client Work Product

Draft – For Discussion Purposes Only

Page 8

Page 9

ATOMIC DATA

Founded Atomic Data in 2001

Previously at Visi.com, Mutual of Omaha

Loves family, tech, giving back, and BBQ

[email protected]

JIM WOLFORD – CEO & OWNER

Page 10

ATOMIC DATA

20 years in business

Privately held, Minneapolis-based

Offices in San Diego, New York, Los Angeles, Colorado, & France

210 full-time employees

600+ clients, 1% attrition rate

Accredited Business

AICPA SOC for Service Organizations (aicpa.org/soc4so)

2017 Winner – Data Security Services Provider

Page 11

ATOMIC DATA

WHO WE SERVE

Page 12

WE MEET YOU WHERE YOU ARE

ITaaS

Clients

Support and Monitoring

Enterprise Infrastructure

Security and Compliance

Implementation

Architecture

Professional Services

Cloud

Page 13

SAFE. SIMPLE. SMART.

IT security is not optional. This idea drives what we do and how we think.

IT is complex. We manage this complexity like a boss so you can focus on your business.

IT doesn’t stand still. Neither do we. We make it our priority to stay ahead of the IT curve so you are well positioned for what’s coming two years, five years, even 10 years down the road.

YOU DO YOU, WE DO IT.

Page 14

ATOMIC DATA

24x7 Network (NOC) and Security (SOC) Monitoring

On-Site and Remote Support/Response

Patch Management and Intrusion Prevention Systems (IPS)

Server and Workstation Backups

Antivirus and Mail Filtering

Security Awareness Training + Phishing Simulations and Education

Policy Advisory and Development + IT Governance Consulting

Disaster Recovery and Business Continuity Center

PREVENTION & MANAGEMENT

Page 15

The Legal & Practical Landscape of Incident Response

Page 16

Things are not Slowing Down

Page 17

Incident Causes

Source: BakerHostetler 2019 Data Security Incident Response Report

Page 18

2017 FINANCIAL INCIDENTS

Hack or Malware: 49%

Unintended Disclosure: 23%

Insider: 5%

Social Engineering: 13%

Portable Device: 3%

Physical Loss/Non-Electronic Record: 4%

Payment Card Fraud: 1%

Other: 1%

Unknown: 1%

Page 19

What Data is at Risk?

Some combination of this data in conjunction with a first name (or initial) and last name is generally the personally identifiable information (PII) protected by most state data breach statutes.

Page 20

Account Takeovers

Credential Stuffing Tools Help Hackers Break Into Accounts

Page 21

PHISHING

Best Practices:

✓ Train employees to spot phishing emails. Utilize test-phishing campaigns as a training device.

✓ Educate employees not to provide login credentials or use the same credentials for multiple sites.

✓ Enable Multi-Factor Authentication (MFA) throughout your entity.

- BakerHostetler, 2018 Data Security Incident Response Report, at p. 4 (2018).

Page 22

Ransomware

Criminals will evolve their tactics, including launching well-researched, targeted attacks intended to infect specific high-value assets known to hold critical data.

- Stroz Friedberg (AON), 2018 Cybersecurity Predictions, at p. 18 (2018).

$5B is the estimated global cost for organizations of ransomware attacks in 2017 – up 400% from 2016.

- Stroz Friedberg (AON), 2018 Cybersecurity Predictions, at p. 19 (2018).

How it Happens:

Hackers gain access to your computer’s file system by installing a program via a phishing link/attachment or through a poorly configured Remote Desktop Protocol service.

The ransomware prevents a user from accessing the operating system, or encrypts all the data stored on the computer.

The attacker demands that the user pay a fixed amount of money in exchange for decrypting the files or restoring access to the operating system.

Best Practices:

✓ Maintain a robust, off-site backup of data.

✓ Properly configure Remote Desktop Protocol services.

- BakerHostetler, 2018 Data Security Incident Response Report, at p. 4 (2018).

BakerHostetler

Page 23

The Legal Landscape

Page 24

The Privacy “Patchwork”

• Federal & state laws govern the handling of PII/PHI

• Laws covering SSNs / disposal of PII

• Employment-related laws (e.g. FMLA, ADA, GINA)

• Other federal and state regulations (e.g. FTC Act, Mass. Regs)

• GLBA

  • Applies to companies that offer consumers financial services, such as loans, financial or investment advice, or insurance.

  • Requires FI’s to safeguard sensitive customer data and explain data sharing practices.

• State breach notification laws

• State medical information breach reporting laws

• International data protection regulations

Page 25

State Laws

50 States, D.C., & U.S. territories

Laws vary between jurisdictions

Varying levels of enforcement by state attorneys general

Limited precedent

What does “access” mean?

What is a reasonable notice time?

BakerHostetler

Page 26

WISCONSIN

Personal information includes name (first and last or first initial and last name):

❖ Social Security number

❖ Driver’s license or identification card number

❖ Account number, credit or debit card number, in combination with a linked security or access code, or password of an individual’s financial account.

❖ DNA profile.

❖ The individual’s unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.

Notification Trigger: When the entity knows that personal information in the entity's possession has been acquired by a person whom the entity has not authorized to acquire the personal information. There is a risk of harm exception.

Timing:

❖ Must notify residents within 45 days.

❖ Wisconsin licensed insurers, gift annuities, warranty plans, motor clubs and employee benefit plan administrators are requested to notify the Commissioner of Insurance of any unauthorized access to personal information of Wisconsin residents as soon as practicable, but not later than 10 days after it becomes aware of such unauthorized access.

There is a HIPAA exemption.

No notice to AG required.

If more than 1,000 residents, then must also notify the Credit Reporting Agencies.

Page 27

MINNESOTA

Personal Information means an individual’s first name or initial and last name with any of the following:

❖ Social Security number

❖ Driver’s license or identification card number

❖ Account number, credit or debit card number, security or access code, or password of an individual’s financial account.

Breach of Security means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. No risk of harm analysis permitted.

Notice is required to be made expediently and without unreasonable delay

No AG notice, but if 500+ Minnesotans are impacted, must notify the Credit Agencies within 48 hours of notification.

Page 28

NORTH DAKOTA

Personal Information means an individual’s first name or initial and last name with any of the following:

❖ The individual’s Social Security number.

❖ The operator’s license number assigned to an individual by the Department of Transportation.

❖ A nondriver color photo identification card number assigned to the individual by the Department of Transportation.

❖ The individual’s financial institution account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial accounts.

❖ The individual’s date of birth.

❖ The maiden name of the individual’s mother.

❖ Medical information.

❖ Health insurance information.

❖ An identification number assigned to the individual by the individual’s employer in combination with any required security code, access code or password.

❖ The individual’s digitized or other electronic signature.

Breach of Security means unauthorized acquisition of computerized data when access to personal information has not been secured by encryption.

Notice is required to be made expediently and without unreasonable delay.

AG notice if more than 250 residents are impacted.

There is a HIPAA exemption.

Page 29

Tabletop Exercise

Page 30

Our Company

Page 31

DAY 1 - Thursday

9:00 a.m. You get a call from a client who says they are still waiting on a $400,000 disbursement from their trust account that they requested on Tuesday be wired to their checking account. You check with your assistant, who said he processed the disbursement on Wednesday mid-day as instructed. He said it took longer because the client emailed him with new wiring instructions right before he was about to send it. He forwards you the email chain and the proof of wire transfer, which you provide to the client.

The client says they never sent new wiring instructions to your assistant and demands you fix this immediately.

Page 32

DAY 1 - Thursday

9:15 a.m. You call the trust bank, and you call the bank where the funds were sent. You tell both what happened, and you give them the account numbers and transaction times.

Page 33

What do you think happens?

A – They stop the transfer completely

B – The money is gone

C – The receiving bank says they have the funds, but they need an indemnity letter from the trust bank, and the trust bank says they won’t give you an indemnity letter unless you can show you have $800,000 in liquid assets.

Page 34

DAY 1 - Thursday

9:45 a.m. You’re trying to figure out how this happened. You ask your assistant to step aside while you read and re-read the emails with the client. You go into his deleted folder and find 875 spam messages that were sent, and then deleted, by his account. He cannot explain, except that he definitely did not send those messages, which seem to have gone to his contact list – both employees and clients.

Page 35

What do you do now?

A – Change his password, send an email to all 875 recipients and say “sorry, disregard”, and keep working on the wire issue

B – Call the FBI

C – Call X Financial’s MSP – Atomic Data

Page 36

DAY 1 - Thursday

10:45 a.m. You have a call with Atomic Data, who looks at your email logs, and identifies that your assistant’s email account has been logged into from Nigeria. Your assistant has definitely not been to Nigeria.

Atomic Data asks your assistant if he recently received any unusual emails. “Yup! On Monday I got an email from a client with an attachment that was marked urgent, but when I opened it, the attachment was blank.”
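An added illustration of the log review Atomic Data performs in this step (example code written for this workshop page, not Atomic Data's tooling): it reads constructed mailbox sign-in records, flags sign-ins from countries outside an assumed expected-country list, and flags consecutive sign-ins by one account from two countries that are too close in time for one person to have travelled between them. The log format, the sample records, the EXPECTED_COUNTRIES set and the two-hour TRAVEL_WINDOW are all assumptions.

```python
"""Sign-in log triage: sign-ins from unexpected countries and impossible-travel pairs.

Added example for the workshop scenario; not Atomic Data's tooling. The log format,
the sample records and the expected-country list are constructed for this example."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sign-in audit records: UTC timestamp, account, source IP, GeoIP country, client.
# A real export from the mail platform's sign-in audit log would carry the same fields.
SAMPLE_SIGNIN_LOG = """\
2020-02-03T08:02:11Z,assistant,203.0.113.10,US,Outlook
2020-02-03T14:40:52Z,assistant,198.51.100.77,NG,IMAP
2020-02-03T15:05:03Z,assistant,203.0.113.10,US,Outlook
2020-02-04T09:12:30Z,partner,203.0.113.22,US,OWA
2020-02-05T22:31:18Z,assistant,198.51.100.77,NG,OWA
2020-02-06T10:00:00Z,partner,203.0.113.22,US,Outlook
"""

EXPECTED_COUNTRIES = {"US"}          # assumption: where X Financial's staff normally sign in from
TRAVEL_WINDOW = timedelta(hours=2)   # two countries inside this window cannot be one traveller

SignIn = Tuple[datetime, str, str, str, str]


def parse_signins(text: str) -> List[SignIn]:
    """Parse the CSV-style records and return them in chronological order."""
    rows: List[SignIn] = []
    for line in text.strip().splitlines():
        ts, user, ip, country, client = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, country, client))
    return sorted(rows)


def find_suspicious_signins(text: str) -> List[dict]:
    """One alert per sign-in from an unexpected country, one per impossible-travel pair."""
    alerts: List[dict] = []
    last_seen: Dict[str, Tuple[datetime, str]] = {}   # account -> (time, country) of previous sign-in
    for ts, user, ip, country, client in parse_signins(text):
        base = {"user": user, "time": ts.isoformat(), "ip": ip, "country": country, "client": client}
        if country not in EXPECTED_COUNTRIES:
            alerts.append({**base, "reason": "foreign_country"})
        prev = last_seen.get(user)
        if prev is not None and prev[1] != country and ts - prev[0] <= TRAVEL_WINDOW:
            alerts.append({**base, "reason": "impossible_travel", "previous_country": prev[1]})
        last_seen[user] = (ts, country)
    return alerts


def accounts_to_contain(text: str) -> List[str]:
    """Accounts that should get a password reset and session revocation first."""
    return sorted({a["user"] for a in find_suspicious_signins(text)})


if __name__ == "__main__":
    for alert in find_suspicious_signins(SAMPLE_SIGNIN_LOG):
        print(alert)
    print("contain:", accounts_to_contain(SAMPLE_SIGNIN_LOG))
```

On the constructed records this yields three alerts, all for the assistant's account: two sign-ins from NG and a US sign-in 24 minutes after an NG one. The containment list feeds the "change his password" decision on the next slide; a password change alone does not end sessions the attacker already holds, so revoking existing sessions belongs alongside the reset.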

Page 37

DAY 1 - Thursday

10:46 a.m. Your partner’s assistant calls your assistant and reports that her computer is “frozen” and asks whether his computer is having issues. At the same time, a bunch of other employees come out of their offices saying the same thing.

Page 38

What do you do now?

A – Call Atomic Data

B – Call the FBI

C – Call Hays

Page 39

DAY 1

11:15 a.m. Atomic Data reports that 49 workstations appear to have been infected. In addition, the asset management database has been taken completely offline while certain email and file sharing servers also appear to have been infected. Atomic Data is working with your on-site IT to determine the availability of backups for these systems.

Atomic Data identifies a “RyukReadMe.txt” file. The file indicates that X Financial’s systems have been infected with Ryuk Ransomware. The message contains an email address to contact the attacker to obtain the decryption key to the systems.

Page 40

Page 41

What do you do now?

A – Wipe all the computers and get back to work.

B – Call the FBI

C – Call Hays

D – Activate your incident response team

E – Call that client back from this morning and tell him you’ve got bigger things going on and he’s going to have to wait

Page 42

DAY 1

11:45 a.m. The incident response team conducts a status call. The call agenda is:

• Does the Incident Response Protocol (IRP) provide guidance?

• Status of the infected systems? 49 workstations have been identified as infected, along with the servers supporting the AM database and certain email and file servers.

• Plan for cleaning the infected devices

• Availability of back-ups.

• Communicating with the attacker.

• Engaging outside forensics firm

• Internal and external communications

• Legal/regulatory obligations

• Insurance

Page 43

DAY 1

3:05 p.m. Hays has noticed a claim to your carrier, who put you in touch with a Baker attorney. Baker has been briefed on the incident and recommends engaging an external forensic firm, CRA, to conduct an investigation through counsel.

A scoping call with the forensic firm occurs with Atomic Data and Baker on the line. CRA asks for X Financial’s device inventory, data maps, network diagrams, available logs and an explanation of the available backups. CRA follows up with an endpoint monitoring toolkit and instructions for deploying the tools throughout X Financial’s network.

CRA can also assist with attacker communications, bitcoin facilitation (depending on the demand size), proof of decryption ability, and testing of decryption keys for malware.

Page 44

DAY 1

6:25 p.m. IT reports on its efforts to restore the infected servers from backups. Backups for the file and email servers have been obtained and those services can be restored to full operation in 2 days.

IT has also obtained backups for the AM database; however, the backups appear to have been encrypted.

Most of the infected workstations are backed up; however, in some cases the backups are more than 30 days old. Backups for 14 of the workstations are initially undetermined.

Page 45

DAY 1

7:00 p.m. The client with the wire fraud issue calls and wants an update. He wants his money in his account by tomorrow morning at 9 am or he’s going to sue you.

Page 46

DAY 2

7:08 a.m. X Financial’s IT director receives the following email from an individual identified as the Dark Overlord.

Page 47

From: The Dark Overlord [mailto:[email protected]]

Sent: Tuesday, 2/6/2020 7:08 AM

To: X Financial

Subject: X Financial’s Data Belongs to Me

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

I am The Dark Overlord.

Your systems have been compromised by me. i have root privileges on several systems. I have dumped all your data from the systems to offshore servers. There is data extremely sensitive and confidential that I have discover. You have 5 days to make a payment of 400 bitcoin to the bitcoin wallet address below or I will put the databases up for sale on the dark web.

BTC: 55D4p6AQ5PfGBXDGq3IRbg4uzGxeq0r4uq9o

Page 48

DAY 2

9:00 a.m. X Financial reports the extortion demand to Baker and CRA during an update call. After learning about the status of the backups for the infected systems, CRA recommends engaging with the attacker behind the ransomware.

CRA contacts the threat actor behind the initial ransomware infection. CRA requests proof that the data can be decrypted and the cost to obtain the decryption key. The ransomware attacker responds with a ransom demand for 350 Bitcoin.

Page 49

Would you Pay?

A – Yes

B – No. I don’t negotiate with terrorists

C – No. I don’t have a bitcoin wallet

D – No. I don’t think it matters

Page 50

DAY 2

X Financial decides to contact the FBI. An FBI Special Agent comes on-site within hours. The Agent asks for copies of the ransomware, a list of any IP addresses associated with the attacker and the BTC wallet address. The Agent also asks to make copies of the servers involved.

Page 51

DAY 3

The attacker behind the ‘Dark Overlord’ extortion demand responds to CRA and provides a screenshot of data files that he claims to have obtained from X Financial. The screenshots are reviewed and confirmed to contain the personal information of certain X Financial customers and employees.

Page 52

Would you Pay?

A – Yes

B – No. I don’t negotiate with terrorists

C – No. I don’t have a bitcoin wallet

D – No. I don’t think it matters

Additional questions – who makes the decision? Is it covered by insurance? Who pays? How quick is the process? Is it legal?

Page 53

DAY 4

The email and file services are back on line and the spread of the ransomware appears to have been contained. X Financial continues to experience business disruption as multiple clients are complaining that they are not able to upload to the portal. Staff also express frustration that they cannot access the AM database.

Page 54

DAY 5

The incident response team meets. The agenda is:

• Available measures to assist employees and clients while the AM database and the portal are down.

• Impact on business operations from the outage.

• Internal and external communications

Page 55

DAY 6

The external forensics firm provides preliminary findings:

• February 3, 2020 – IOCs for multiple trojans, including Emotet and TrickBot, are observed based on review of the AV logs, Windows event logs and registry hives.

• February 3, 2020 – Multiple foreign connections to your assistant’s email account

• February 6, 2020 – Suspicious execution of psexesvc.exe is observed, which may have been utilized by the threat actors for malicious activity

• Initial time of access has not been determined. Due to limits in available logging, forensics may not be able to make a conclusive determination. The attacker also appears to have run CCleaner.

• A “patient 0” for the infection has been identified as your assistant

• The forensic firm has not identified any RDP connections from foreign or external IP addresses

• Over 100 devices in X Financial’s environment had SMB protocol 1 enabled, which would make the environment susceptible to the EternalBlue exploit, allowing an attacker to execute arbitrary code on a victim device.
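Two of the findings above, the psexesvc.exe execution and the SMBv1-enabled devices, are things a responder can check across the fleet rather than host by host. The following is an added example for this page, not CRA's toolkit: it scans constructed Windows System-log records of Event ID 7045 (a service was installed) for the PsExec service name, lists hosts whose constructed inventory record still has SMBv1 enabled, and ranks hosts for containment. The event records, the host inventory, the REMOTE_EXEC_SERVICES set and the scoring weights are assumptions.

```python
"""Triage of remote-execution service installs and SMBv1 exposure.

Added example for the workshop scenario; not CRA's toolkit. The event records,
the host inventory and the service-name list are constructed for this example."""
from typing import Dict, List

# Constructed System-log records of Event ID 7045 ("A service was installed in the system").
# The fields mirror what 7045 records carry: service name, image path and the installing account.
SAMPLE_SERVICE_EVENTS = [
    {"time": "2020-02-05T11:00:02Z", "host": "WS-003", "account": "NT AUTHORITY\\SYSTEM",
     "service": "gupdate", "image": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /svc"},
    {"time": "2020-02-06T03:14:09Z", "host": "WS-017", "account": "XFIN\\assistant",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2020-02-06T03:21:44Z", "host": "FS-01", "account": "XFIN\\assistant",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
]

# Service names that remote-execution tools register on the target. PSEXESVC is PsExec's
# service, as in the findings; the other names are an assumption covering comparable tools.
REMOTE_EXEC_SERVICES = {"PSEXESVC", "PAEXEC", "WINEXESVC"}

# Constructed host inventory (e.g. a configuration-management export) with the SMBv1 state.
SAMPLE_HOST_INVENTORY = [
    {"host": "WS-003", "os": "Windows 10", "smb1_enabled": False},
    {"host": "WS-017", "os": "Windows 7", "smb1_enabled": True},
    {"host": "FS-01", "os": "Windows Server 2012 R2", "smb1_enabled": True},
    {"host": "WS-044", "os": "Windows 7", "smb1_enabled": True},
]


def find_remote_service_installs(events: List[dict]) -> List[dict]:
    """7045 records whose service name matches a known remote-execution tool, oldest first."""
    hits = [e for e in events if e["service"].upper() in REMOTE_EXEC_SERVICES]
    return sorted(hits, key=lambda e: e["time"])


def hosts_with_smb1(inventory: List[dict]) -> List[str]:
    """Hosts that still accept SMBv1 and so need the protocol disabled or patching verified."""
    return sorted(h["host"] for h in inventory if h["smb1_enabled"])


def prioritize_hosts(events: List[dict], inventory: List[dict]) -> List[dict]:
    """Rank hosts for containment: evidence of remote execution (2) outweighs SMBv1 alone (1)."""
    scores: Dict[str, dict] = {}
    for e in find_remote_service_installs(events):
        entry = scores.setdefault(e["host"], {"host": e["host"], "score": 0, "reasons": []})
        entry["score"] += 2
        entry["reasons"].append(f"{e['service']} installed by {e['account']} at {e['time']}")
    for host in hosts_with_smb1(inventory):
        entry = scores.setdefault(host, {"host": host, "score": 0, "reasons": []})
        entry["score"] += 1
        entry["reasons"].append("SMBv1 enabled")
    return sorted(scores.values(), key=lambda s: (-s["score"], s["host"]))


if __name__ == "__main__":
    for row in prioritize_hosts(SAMPLE_SERVICE_EVENTS, SAMPLE_HOST_INVENTORY):
        print(row["score"], row["host"], "; ".join(row["reasons"]))
```

Event 7045 is written whenever any service is registered, so the filter is the service name rather than the event itself; PsExec registers PSEXESVC on the target each time it runs. The ranking puts hosts with both signals first because a remote-execution service installed under a user account on an SMBv1 host matches the lateral movement CRA describes on Day 13.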

Page 56

DAY 6

The incident response team meets. The agenda is:

• Forensic findings and continued investigation.

• Update on cleaning infected devices

• Decision on ransom payment for AM database and other critical systems

• Decision on paying extortion demand to prevent release of data

• Internal and external communications

• Legal/regulatory obligations

Page 57

DAY 7

Decryption tools obtained for AM database and other critical systems. CRA completes testing of the tools for malware and provides guidance to Atomic Data on deployment.

The incident response team meets. The agenda is:

• Prioritization of systems for restoration.

• Internal and external communications

Atomic Data – What questions do you ask to help determine priority? How do you determine if the client needs assistance?

Page 58

DAY 7

You decide to engage CRA to conduct a review of the assistant’s email account.

CRA requests administrative access to your email environment and a copy of the assistant’s PST.

CRA: What do you do next?

Page 59

DAY 8

Brian Krebs sends an email stating that he is working on a story regarding a recent uptick in banking trojans and ransomware attacks. He is aware that X Financial has suffered a similar attack where the ransom payment is 20 BTC. He reports that he is on a deadline to post a story by 6 pm ET. He provides his cell number and requests a call.

Page 60: Incident Response Workshop · 2020-02-07 · Incident Response Workshop Aleksandra Vold Counsel Baker & Hostetler LLP Chicago 312-416-6249 avold@bakerlaw.com Jim Wolford CEO/Founder

DAY 10

The FBI contacts counsel to report that a third party identified a posting on a dark web forum offering for sale the contents of a database that appears to be X Financial’s AM database. The Special Agent asks whether an extortion payment was made and whether X Financial wishes for a case to be opened.

DAY 13

CRA determines that the attacker was able to access X Financial’s network through the assistant’s VPN account after the assistant was phished and opened a malicious attachment that infected his device with TrickBot and Emotet. The attacker then entered X Financial’s network using the assistant’s VPN credentials (gathered by the malware) and spread to other users through a combination of the EternalBlue exploit, password guessing and credential-harvesting malware.

DAY 13

Forensic Update Continued: Through the spread of TrickBot, the attacker obtained credentials and compromised 8 X Financial employees’ email accounts. On one of the affected accounts, the attacker connected via IMAP and may have downloaded the full mailbox. The remaining accounts were accessed solely through OWA, which may allow the forensic firm to identify the specific emails viewed.

CRA has not been able to remove all instances of the malware, and expects that the process could take another 7-10 days. CRA provides containment and remediation recommendations, including a full password reset for all users.
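The forensic distinction above (an IMAP session can pull a whole mailbox, while per-item web access may leave a trail of what was opened) drives how large the email review has to be. The following is an added example, not part of the workshop deck or CRA's tooling: it triages constructed mailbox-access events by protocol and source address and decides, per account, whether the whole mailbox must be treated as acquired. The event tuple layout, the account names and the IP addresses are all assumptions made for illustration and do not mirror any particular mail server's audit-log format.

```python
"""Triage mailbox-access events by protocol to scope an email-exposure review.

Added example (not from the workshop deck).  The event tuples and IP addresses
below are constructed for illustration and do not mirror any particular mail
server's audit-log format.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Protocols that synchronise a whole mailbox to the client; an attacker session
# over one of these is treated as acquisition of everything in the mailbox.
BULK_PROTOCOLS = {"IMAP", "POP3"}

# Constructed sample: (account, protocol, client_ip, item_id).  item_id is None
# when the log recorded only the session, not which message was opened.
SAMPLE_EVENTS = [
    ("hr.lead",   "IMAP", "203.0.113.10", None),
    ("hr.lead",   "OWA",  "203.0.113.10", "msg-0012"),
    ("sales.a",   "OWA",  "198.51.100.7", "msg-3304"),
    ("sales.a",   "OWA",  "198.51.100.7", "msg-3310"),
    ("sales.b",   "OWA",  "198.51.100.7", None),
    ("ops.c",     "MAPI", "198.51.100.9", None),
    ("finance.d", "OWA",  "192.0.2.44",   "msg-9001"),  # legitimate user, not a suspect IP
]

# Constructed: attacker source addresses identified by the forensic review.
SUSPECT_IPS = {"203.0.113.10", "198.51.100.7", "198.51.100.9"}


@dataclass
class Exposure:
    scope: str = "undetermined"          # full_mailbox | specific_items | undetermined
    protocols: set = field(default_factory=set)
    items: set = field(default_factory=set)
    blind_sessions: int = 0              # suspect sessions with no item-level record


def triage(events, suspect_ips):
    """Return {account: Exposure} for every account touched from a suspect IP."""
    exposures = defaultdict(Exposure)
    for account, proto, ip, item in events:
        if ip not in suspect_ips:
            continue                      # activity from a known-good source
        ex = exposures[account]
        ex.protocols.add(proto)
        if item is None:
            ex.blind_sessions += 1
        else:
            ex.items.add(item)
    for ex in exposures.values():
        if ex.protocols & BULK_PROTOCOLS:
            ex.scope = "full_mailbox"     # presume the whole mailbox was downloaded
        elif ex.items and ex.blind_sessions == 0:
            ex.scope = "specific_items"   # every suspect session left an item trail
        else:
            ex.scope = "undetermined"     # cannot tell what was viewed
    return dict(exposures)


def review_queue(exposures):
    """Accounts whose entire mailbox must go to content review: anything that is
    not provably limited to specific items is treated as fully exposed."""
    return sorted(a for a, ex in exposures.items() if ex.scope != "specific_items")


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, SUSPECT_IPS)
    for account, ex in sorted(result.items()):
        print(f"{account:10} {ex.scope:15} protocols={sorted(ex.protocols)} items={sorted(ex.items)}")
    print("full-content review:", review_queue(result))
```

The conservative rule in `review_queue` matches the later slide's point: where the connection type does not tell you what was viewed, the account is reviewed as if everything in it was taken.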


DAY 13

The Incident Response team discusses the forensic firm’s findings. The employee whose full mailbox was downloaded works in an HR function and likely had access to personal information on all X Financial’s employees.

The nature of the non-IMAP connections means that we cannot determine whether any emails were actually viewed or acquired by the attackers.

DAY 13

CRA tells you that these attackers are generally financially motivated, and typically use compromised email accounts only to conduct more phishing campaigns to propagate their ransomware scheme.

Baker tells you that in most matters, the attackers run search terms when accessing the email account to find emails that have financial information.

What do you do?

• A – Search the email account to identify all instances of potential PII

• B – Nothing. They took the client database, so we are going to notify those people, and the employees already know, so no need to notify.

• C – Look only at the HR person’s email account. All customers’ information in any email account would be duplicative of the AM Database.

DAY 16

The programmatic search flags 13,246 emails and attachments as requiring a manual review to identify personal information. CRA onboards a team of reviewers and begins the review. The review team estimates that the review process will take another 8-10 days.
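The "programmatic search" is a first pass that narrows thousands of messages to the ones a human must read. As an added example, not part of the deck and not CRA's review tooling, the block below runs narrow pattern checks for the data types the scenario later lists (SSNs, dates of birth, bank account numbers, credentials) over a constructed mailbox and builds the manual-review queue. The indicator patterns, the message texts and the scoring rule are all assumptions for illustration; they will miss data not formatted this way and anything they flag still needs a reviewer.

```python
"""First-pass PII flagging over mailbox text to build a manual-review queue.

Added example (not from the workshop deck or CRA's tooling).  The patterns are
illustrative and the messages are constructed.  Anything flagged still needs a
human reviewer, and the patterns will miss data that is not formatted this way.
"""
import re

# Each indicator is a compiled pattern.  Patterns are deliberately narrow so the
# review queue stays manageable; a date only counts next to a birth-date keyword.
INDICATORS = {
    # SSN in 3-2-4 form, excluding area 000/666/9xx, group 00 and serial 0000.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # A date introduced by a birth-date keyword (so invoice dates do not fire).
    "dob": re.compile(r"\b(?:dob|date of birth|born)\b\W{0,5}(?:on\s+)?"
                      r"(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b", re.I),
    # An account number introduced by keyword, 8-17 digits.
    "bank_account": re.compile(r"\baccount\s*(?:number|no\.?|#)?\s*[:=]?\s*\d{8,17}\b", re.I),
    # A literal credential assignment, not merely the word "password".
    "credential": re.compile(r"\b(?:password|pwd)\s*[:=]\s*\S+", re.I),
}

# Constructed sample mailbox: message id -> body text plus extracted attachment text.
SAMPLE_MESSAGES = {
    "m1": "Attached is the new-hire form for J. Doe. SSN 123-45-6789, DOB 04/12/1985.",
    "m2": "Lunch Friday? Invoice #2020-0041 attached, dated 02/07/2020.",
    "m3": "Wire instructions: account number 000123456789, routing on file.",
    "m4": "Reminder: the password reset for all users is due by Friday. Call 312-416-6249.",
    "m5": "Your temporary login. username: jdoe password: Welcome1!",
    "m6": "SSN redacted: ***-**-6789 per policy.",
}


def scan_message(text):
    """Return the sorted list of indicator names present in one message."""
    return sorted(name for name, pat in INDICATORS.items() if pat.search(text))


def scan(messages):
    """Return {message_id: indicators} for the messages that need manual review."""
    queue = {}
    for mid, text in messages.items():
        hits = scan_message(text)
        if hits:
            queue[mid] = hits
    return queue


def summary(messages):
    """Counts a review lead would report: scanned, flagged, and hits per indicator."""
    queue = scan(messages)
    per_indicator = {name: 0 for name in INDICATORS}
    for hits in queue.values():
        for h in hits:
            per_indicator[h] += 1
    return {"scanned": len(messages), "flagged": len(queue), "by_indicator": per_indicator}


if __name__ == "__main__":
    for mid, hits in scan(SAMPLE_MESSAGES).items():
        print(f"{mid}: review for {', '.join(hits)}")
    print(summary(SAMPLE_MESSAGES))
```

Two design choices matter for the review queue's size: the phone number and invoice date in the constructed messages are not flagged because the SSN pattern requires the 3-2-4 shape and the date pattern requires a birth-date keyword, while a redacted SSN is also left alone. Loosening either rule trades more reviewer hours for fewer misses, which is exactly the estimate the review team is giving on this slide.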

DAY 23

Forensic Update: The forensic firm’s analysis is complete. No signs of data exfiltration were found other than the credentials harvested, AM database, and email accounts already identified.

IT has also completed restoration and cleaning of the most critical systems. They expect to complete all workstations within 5 days.

DAY 27

The incident response team receives the results of the manual review. There are 306 individuals, mostly employees and their dependents, with personal information in the employees’ accounts. The information involved includes names, dates of birth, usernames and passwords, driver’s license numbers, bank account numbers, and SSNs. Most of the employees listed are still employed by X Financial; X Financial does not currently know the location of the dependents.

The AM database contains 9,000 individuals’ names, SSNs, financial account information, and dates of birth.

DAY 30

X Financial has engaged a mailing vendor and provided the list of individuals that require notice. X Financial and outside counsel prepare notification letter templates and deliver them to the mailing vendor. X Financial also obtains identity theft protection services for individuals with certain information involved and prepares scripted responses to FAQs.

DAY 34

Notification process begins!


DAY 36

Notification has occurred:

• The call center is sending escalations – who is returning the escalated calls?

• Some escalated callers are demanding compensation because they were inconvenienced.

• A few callers are reporting financial losses.

• The local newspaper is calling to ask how many clients were affected.

• The wire fraud customer is calling, livid that he only got a letter about credit monitoring.

Let Forensics Drive the Decision Making

• Know where your “crown jewels” are, have accurate network diagrams, log access, and internal imaging/collection capabilities.

• Vet several vendors and negotiate the MSA before an event happens. Do on-boarding with your primary forensic firm before an incident.

• Review technical incident response capabilities and run books pre-incident.

• Have a backup – one firm may not be available or appropriate for all events.

• Retain counsel for incident response that understands technology and cyber issues to reduce response time.

• Establish protocols to maintain privilege.

• Perform tabletop exercises with your vendors.

Risk Management & Prevention


PREVENTION = PROTECTION

• Vendor Management

• Security Awareness/Education

• Basic Data Security Good Practices

• Risk Assessment

• Policies and Procedures

• Consistent Enforcement of Policies and Procedures

• Practice breach response initiative

• Delete data when it is no longer needed

BASIC DATA SECURITY BEST PRACTICES

• Data Identification & Classification

• Data hygiene (don’t collect what you don’t need)

• Access restrictions

  – Is there a need for this employee to handle PII?

• Education

  – Does the workforce know how to identify and safeguard personal information?

  – Does the workforce understand the importance of data security compliance?

• Document retention/destruction

IT OPERATIONS & HYGIENE

• Proper IT governance

• On-going review and audits

• Patch management of all endpoints

• Intrusion Prevention Systems

• Firewalls, network hardening, and systems configuration hardening

• SOC/NOC monitoring and logging

• Active Directory maintenance and monitoring

• Vendor policy enforcement

• Mail filtering, endpoint antivirus

• Multifactor authentication

Security Awareness & Education

• Train employees at the time of hiring.

  – How do employees spot security problems?

  – What is the reporting procedure?

  – Are leaders trained to handle reports from staff (e.g., is a gag order appropriate)?

• Continue training employees regularly throughout their employment.

  – What does your training program include for security issues and procedures? Annual?

  – Formal online training course vs. in-person?

  – Monthly staff meetings?

  – Newsletters?

Risk Assessment

• Periodic Review of Administrative Safeguards

• Periodic Review of Physical Safeguards

• Periodic Review of Technical Safeguards

• Periodic Review of Data Flows – has the quantity/nature/sensitivity of the data changed?

Policy & Procedures

• Security Incident Response Plan

• BYOD Policy and Social Media Policy

• Information Security and User Policies

  – What users can and must do to use the network and the organization’s computer equipment.

  – Define limitations on users to keep the network secure (password policies, use of proprietary information, internet usage, system use, remote access).

• IT Policies

  – Virus incident and security incident

  – Logs

  – Backup policies

  – Server configuration, patch update, modification policies

  – Firewall policies

  – Wireless, VPN, router, and switch security

  – Email retention

• General Policies

  – Program Policy

  – Crisis Management Plan

Disaster Recovery

• Server Recovery

• Data Recovery

• End-user Recovery

• Phone System Recovery

• Emergency Response Plan

• Workplace Recovery

Questions


Thank You!
