Ransomware A case study of the impact, recovery and remediation events


Ransomware: A case study of the impact, recovery and remediation events
Peter Thermos, President & CTO, Tel: (732) 688-0413, peter.thermos@palindrometech.com
Palindrome Technologies, 100 Village Court Suite 102, Hazlet, NJ 07730, www.palindrometech.com
Palindrome Technologies all rights reserved 2016 PG: 1

Agenda
Incident
Events
Detection, analysis and containment of the threat
Threat remediation
About Palindrome

NJ Statistics on Cyber Security
Cybersecurity is hardly the only area that governments need to consider as they try to cut down on technological risk.
Ref: M. Pheiffer, Rutgers University, Nov. 2015, Study on NJ Municipalities and Cybersecurity
565 local governments; 174 evaluated
3rd-party IT audit: 24%; no 3rd-party IT audit: 76%
9 local governments have a data breach policy
Only 56 have performed any sort of strategic planning
30 local governments commissioned a third-party audit and/or intrusion testing
It's 10pm, do you know where your data breach policy is?

Events
The steps taken to contain and recover from the attack, and also to institute a vulnerability and threat management program.
Detection:
a) Event detected by municipality IT
b) Impacted critical servers and workstations
Analysis and containment:
a) Palindrome engaged
b) Performed server and network traffic forensics
c) Determined that a user's workstation was infected
d) Attack vector: phishing email
e) Workstation antivirus not updated
Recovery:
a) IT team recovered affected files from backups
b) Enhanced firewall filters
c) Performed vulnerability assessment & penetration testing
d) Developed a remediation plan
Remediation:
a) Addressed vulnerabilities identified from penetration testing (patches, host/wifi configuration, network controls)
b) Deployment of SIEM: network/host monitoring, vulnerability management
c) Awareness training

Attack
User receives a promotional email
Email contains a link to a file containing the ransomware
Once the user downloads and opens the file, the workstation is infected
The ransomware silently propagates to the local drive and network shares!
URL downloads a .zip file that contains malware!!!
Within 1 hour of the attack the infection had propagated to domain servers and started encrypting files
Tuesday 9:00AM: users can't access files on critical servers

Email spear-phishing: Attack Overview
The attacker may:
Address the recipient by name
Use the lingo/jargon of the organization
Reference actual procedures or instructions that the user is familiar with
The email appears to be genuine. Sometimes these emails carry legitimate operational and exercise nicknames, terms, and key words in the subject and body of the message.

Phishing Example

Malware/Ransomware through Phishing
URL downloads a .zip file that contains malware!!!

Additional email Phishing Examples

Analysis, containment, recovery
Host Forensics: Analyze active memory, processes, OS logs, filesystem and network shares to determine the behavioral patterns of the ransomware (Cryptowall).
Network Forensics: Network traffic captures & firewall logs were reviewed in order to extract traffic patterns that may help narrow down the initial activity of the malware.
Containment Plan:
Stringent user permissions
Firewall filters to prevent inbound/outbound propagation
Update antivirus/malware signatures
Recovery:
Examine and validate whether the most recent backup reference is infected
Restore data from a backup taken prior to the infection
Prepare remediation strategy
Hosted awareness training

Threat Remediation
Perform vulnerability assessment & penetration testing
Establish a continuous monitoring program
Categorize/prioritize vulnerabilities and develop a remediation plan
Deploy SIEM (vulnerability and threat management)
Remediate vulnerabilities

About Palindrome
Professional Services: Information Security and Assurance; Vulnerability Assessments; Penetration Testing; Risk and Threat Analysis; Security Policy; Architecture Review; Forensics; Incident Response; Governance; Compliance; Disaster Recovery Planning
Managed Services: SIEM; Alerting; Event Correlation; Log Normalization; User Monitoring; Malware Detection; Mobile Security
Solutions Recap: Mobile Security; Vulnerability and Threat Management

Managing Cyber Threats: Managed Services
Security Information and Event Management
Log analysis, linked to the intrusion detection and incident response plan.
Alerting: Configure and receive automatic alerts based on customized event thresholds.
Event Correlation: Multiple forms of event correlation are available for all events, including statistical anomalies, associating IDS events with vulnerabilities, and alerting on 'first time seen' events.
Log Normalization: Normalize, correlate, and analyze user and network activity from log data generated by any device or application across the enterprise in a central portal.
User Monitoring: Monitor user activity. Associate events such as a NetFlow record, IDS detection, firewall log activity, file access, system error, or login failure with specific users for easy reporting and insider threat detection.
Malware Detection: Monitors all processes running on Windows machines for malware processes, and can alert the security team if malware is discovered.
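The behavioral-pattern analysis from the containment slide (ransomware writing across network shares) and the SIEM correlation described here (event thresholds, 'first time seen' events, tying events to users) can be demonstrated with a small correlator over file-server audit lines. This is an added example, not code from the deck or from Palindrome; the audit line format, user/host names, file names and thresholds are all constructed assumptions.

```python
# Added example (not from the deck): the log format, names and thresholds are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-server audit lines: time user host action path
SAMPLE_LOG = r"""
2016-03-01T08:55:10 jdoe WS-14 READ \\FS01\shared\budget.xlsx
2016-03-01T08:58:01 jdoe WS-14 WRITE \\FS01\shared\budget.xlsx.locked
2016-03-01T08:58:02 jdoe WS-14 WRITE \\FS01\shared\minutes.docx.locked
2016-03-01T08:58:02 jdoe WS-14 WRITE \\FS01\shared\RESTORE_FILES.txt
2016-03-01T08:58:03 jdoe WS-14 WRITE \\FS01\shared\roster.pdf.locked
2016-03-01T08:58:04 jdoe WS-14 WRITE \\FS01\shared\permits.xlsx.locked
2016-03-01T09:00:00 asmith WS-07 READ \\FS01\shared\agenda.docx
2016-03-01T09:01:00 jdoe SRV-APP1 WRITE \\FS01\shared\taxes.xlsx.locked
"""
# Constructed baseline of (user, host) pairs observed during normal operation
BASELINE = {("jdoe", "WS-14"), ("asmith", "WS-07")}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+)$")

def parse(log):
    """Turn audit lines into (timestamp, user, host, action, path) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    return events

def correlate(events, baseline, threshold=5, window=timedelta(seconds=10)):
    """Return {user: [alerts]}: a burst of >= threshold WRITEs inside the
    sliding window (one alert per user, the threshold rule) and any user/host
    pair absent from the baseline (the 'first time seen' rule)."""
    alerts = defaultdict(list)
    recent = defaultdict(deque)  # user -> timestamps of recent WRITE events
    seen, burst_fired = set(baseline), set()
    for ts, user, host, action, path in sorted(events):
        if (user, host) not in seen:
            seen.add((user, host))
            alerts[user].append(f"first-time-seen: {user} on {host}")
        if action != "WRITE":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop writes that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in burst_fired:
            burst_fired.add(user)
            alerts[user].append(f"write-burst: {len(q)} writes within {window.seconds}s from {host}")
    return dict(alerts)
```

Every alert is keyed by the user who generated the events, which is what lets an analyst jump from the share activity back to the infected workstation; the read-only user produces no alert.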

Q & A
Peter Thermos, MSc, President & CTO, Cell: +1(732) 688-0413, Peter.thermos@palindrometech.com
Chris Reid, SIEM/MSS, Cell: +(732) 841-5047, Chris.reid@palindrometech.com
100 Village Court, Hazlet, NJ 07730 USA, www.palindrometech.com
Assurance, Trust, Confidence