Ransomware A case study of the impact, recovery and remediation events

Palindrome Technologies
100 Village Court, Suite 102
Hazlet, NJ 07730
www.palindrometech.com

Peter Thermos, President & CTO
Tel: (732) 688-0413
peter.thermos@palindrometech.com

Christopher Reid, SIEM Administrator
732.276.9368
chris.reid@palindrometech.com

Palindrome Technologies, all rights reserved 2016

Lisa Jackson asked a great question at the June GPA meeting: what can she ask her IT department as part of Cyber Security Readiness?

- What is the IT Team's estimated cost of a breach or ransomware attack? Have they computed this?
- How does the IT Team feel about their vulnerability management program?
- Has the IT Team had a 3rd party vulnerability assessment / penetration testing? If so, how often do they rotate vendors?
- Has the IT Team budgeted for cyber security in the coming year?
- Has the IT Team educated their staff on Cyber Security Awareness?
- Does the IT Team maintain a written Information Security Policy? Who reviews it?
- What are the IT Team's Incident Response capabilities in the event of a Cyber Attack?
- How are Cyber Insurance requirements validated? Does a 3rd party verify the declarations?
- Is the Information Technology Team ready to "Learn Security Forward"?

Agenda
- Incident Events
- Detection, analysis and containment of the threat
- Threat Remediation
- About Palindrome

NJ Statistics on Cyber Security

"Cybersecurity is hardly the only area that governments need to consider as they try to cut down on technological risk." Ref: M. Pheiffer, Rutgers University, Nov. 2015, Study on NJ Municipalities and Cybersecurity

- 565 Local Governments; 174 evaluated
- 3rd Party IT Audit: 24%; No 3rd Party IT Audit: 76%
- 9 local governments have a data breach policy
- Only 56 have performed any sort of strategic planning
- 30 local governments commissioned a third-party audit and/or intrusion testing

It's 10pm, do you know where your data breach policy is?

Events
The steps taken to contain and recover from the attack and also institute a vulnerability and threat management program.

Detection
a) Event detected by Municipality IT
b) Impacted critical servers and workstations

Analysis and containment
a) Palindrome engaged
b) Performed server and network traffic forensics
c) Determined that a user's workstation was infected
d) Attack vector: phishing email
e) Workstation antivirus not updated

Recovery
a) IT team recovered affected files from backups
b) Enhanced firewall filters
c) Performed Vulnerability Assessment & penetration testing
d) Developed a Remediation Plan

Remediation
a) Addressed vulnerabilities identified from penetration testing (patches, host/wifi configuration, network controls)
b) Deployment of SIEM: network/host monitoring, vulnerability management
c) Awareness Training

Attack
- User receives a promotional email
- Email contains a link to a file containing the ransomware
- Once the user downloads and opens the file they get infected
- The ransomware silently propagates to the local drive and network shares!
- URL downloads a .zip file that contains malware!!!
- Within 1 hour of the attack the infection propagated to domain servers and started encrypting files
- Tuesday 9:00AM: users can't access files on critical servers

Email Spear-Phishing Attack Overview
The attacker may:
- Address the recipient by name
- Use lingo/jargon of the organization
- Reference actual procedures or instructions that the user is familiar with
The email appears to be genuine. Sometimes these emails have legitimate operational and exercise nicknames, terms, and key words in the subject and body of the message.

Phishing Example (screenshot of a phishing email)

Malware/Ransomware through Phishing (screenshot): the URL downloads a .zip file that contains malware!!!

Additional Email Phishing Examples (screenshots)

Employee Training: Phish-Me-Not
Palindrome's Phish-Me-Not service trains your most vulnerable asset, the Municipal Computer User, how to avoid Phishing Attacks and Social Engineering Attacks including vishing, tailgating, media drop and combination attacks.
Phishing attacks are the most prevalent method of distributing encryption malware.
(Cartoon: Mr. Evil Hacker says "Pay me in Bitcoins!!!"; Phishing Attack; The Happy Organization Computer User)
FREE Phish-Me-Not Demonstration available.

Analysis, Containment, Recovery

Host Forensics
Analyze active memory, processes, OS logs, filesystem and network shares to determine behavioral patterns of the ransomware (Cryptowall).

Network Forensics
Network traffic captures & firewall logs were reviewed in order to extract traffic patterns that may help narrow down the initial activity of the malware.

Containment Plan
- Stringent user permissions
- Firewall filters to prevent inbound/outbound propagation
- Update antivirus/malware signatures

Recovery
- Examine and validate whether the most recent backup reference is infected
- Restore data from a backup taken prior to the infection
- Prepare remediation strategy
- Hosted awareness training
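The recovery step above hinges on proving that a backup is clean before restoring it. The following is an added example (not code from the slides or from Palindrome): it checks constructed backup snapshots for three signs of encryption, ransom-note filenames, renamed extensions, and file bodies whose byte entropy is near 8 bits/byte, and picks the newest snapshot that shows none. The snapshot data, note names and entropy threshold are assumptions.

```python
import math
import os
from collections import Counter

# Constructed backup snapshots (not from the original slides): snapshot date ->
# {relative path: file bytes}. The newest snapshot imitates a Cryptowall-style hit:
# renamed ciphertext, one file overwritten in place, and a ransom note.
CLEAN_DOC = b"Budget line item: road salt, 2016 season, 120 tons @ $58.00\n" * 60
SNAPSHOTS = {
    "2016-06-12": {"finance/budget.xlsx": CLEAN_DOC, "hr/handbook.pdf": CLEAN_DOC},
    "2016-06-13": {"finance/budget.xlsx": CLEAN_DOC, "hr/handbook.pdf": CLEAN_DOC},
    "2016-06-14": {
        "finance/budget.xlsx.encrypted": os.urandom(4096),
        "finance/payroll.docx": os.urandom(4096),          # same name, ciphertext body
        "hr/DECRYPT_INSTRUCTIONS.html": b"<html>ransom note</html>",
    },
}
RANSOM_NOTE_NAMES = {"DECRYPT_INSTRUCTIONS.html", "DECRYPT_INSTRUCTIONS.txt"}  # constructed
ENTROPY_LIMIT = 7.5  # bits per byte; encrypted or compressed data sits close to 8.0

def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def infection_signs(files):
    """List the reasons a snapshot looks encrypted; an empty list means clean."""
    reasons = []
    for path, data in files.items():
        name = path.rsplit("/", 1)[-1]
        if name in RANSOM_NOTE_NAMES:
            reasons.append(f"ransom note: {path}")
        elif path.endswith(".encrypted"):
            reasons.append(f"renamed extension: {path}")
        elif shannon_entropy(data) > ENTROPY_LIMIT:
            reasons.append(f"high entropy: {path}")
    return reasons

def last_clean_snapshot(snapshots):
    """Walk snapshots newest first and return the first with no infection signs."""
    for date in sorted(snapshots, reverse=True):
        if not infection_signs(snapshots[date]):
            return date
    return None
```

The entropy check catches files that were overwritten without being renamed; already-compressed formats (zip, jpeg) also score high, so pair it with a known-good baseline rather than treating one high-entropy file as proof.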

Data Breach Impact

Notification and Response Costs
- Emergency response and remediation
- Public loss of PII
- State and Federal requirements
- Vendor notification

Lost Employee Productivity
- Diverted employee attention from work
- Attack may disable communications
- Employees unable to communicate with customers / residents

Breach Costs
- Permanent loss of data: pay the ransom?
- Credibility of the organization

Legal Protection
- Lawsuits
- Cyber Insurance: do you have the right coverage??? Was due diligence completed?

Threat Remediation
- Perform Vulnerability Assessment & Penetration Testing
- Establish a Continuous Monitoring Program
- Categorize/prioritize vulnerabilities and develop a remediation plan
- Deploy SIEM (Vulnerability and Threat Management)
- Remediate vulnerabilities
Security is a process, not a product!

Typical Attack Vectors: Enterprise Network (diagram)

Managing Cyber Threats: Managed Services
Security Information and Event Management (SIEM)
- Log analysis, linked to the intrusion detection and incident response plan
- Alerting: configure and receive automatic alerts based on customized event thresholds.
- Event Correlation: multiple forms of event correlation are available for all events, including statistical anomalies, associating IDS events with vulnerabilities, and alerting on 'first time seen' events.
- Log Normalization: normalize, correlate, and analyze user and network activity from log data generated by any device or application across the enterprise in a central portal.
- User Monitoring: monitor user activity. Associate events such as a NetFlow record, IDS detection, firewall log activity, file access, system error, or login failure with specific users for easy reporting and insider threat detection.
- Malware Detection: monitors all processes running on Windows machines for malware processes, and can alert the security team if malware is discovered.

SIEM Vulnerability Management (screenshot)

SIEM Correlation Directives (screenshot). Snort signature shown: "ET TROJAN CryptoLocker EXE Download"
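The correlation directive on this slide and the event-correlation and user-monitoring capabilities listed under Managed Services come together in the following added example (not Palindrome's SIEM code): a Snort alert for the trojan download is tied to the file-access activity of the same workstation, and a burst of writes to network shares inside the one-hour propagation window from the Attack slide is raised as a single incident attributed to the user. The log lines, the Snort rule id, the audit-line format and the thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original slides). The Snort line uses
# the fast-alert format; its gid:sid:rev is a placeholder, not the real ET rule id.
SNORT_ALERTS = [
    "06/14-08:02:11.120011  [**] [1:9999999:1] ET TROJAN CryptoLocker EXE Download [**] "
    "[Priority: 1] {TCP} 203.0.113.7:80 -> 10.10.5.23:51412",
]
# Constructed file-server audit lines: one line per write to a network share.
SHARE_WRITES = [
    r"2016-06-14 08:15:03 host=10.10.5.23 user=jdoe path=\\fs01\finance\budget.xlsx.encrypted",
    r"2016-06-14 08:15:04 host=10.10.5.23 user=jdoe path=\\fs01\finance\payroll.docx.encrypted",
    r"2016-06-14 08:15:05 host=10.10.5.23 user=jdoe path=\\fs01\hr\handbook.pdf.encrypted",
    r"2016-06-14 08:40:10 host=10.10.5.23 user=jdoe path=\\fs01\hr\DECRYPT_INSTRUCTIONS.txt",
    r"2016-06-14 09:30:00 host=10.10.5.44 user=asmith path=\\fs01\finance\report.xlsx",
]
WINDOW = timedelta(hours=1)  # Attack slide: propagation to servers within an hour
MIN_FILES = 3                # writes to this many distinct files count as a burst

def parse_snort(line, year=2016):
    """Return (timestamp, message, destination ip) from a Snort fast-alert line."""
    ts_txt, rest = (part.strip() for part in line.split("[**]", 1))
    ts = datetime.strptime(f"{year}/{ts_txt.split('.')[0]}", "%Y/%m/%d-%H:%M:%S")
    msg = rest.split("] ", 1)[1].split(" [**]")[0]
    dst = rest.rsplit("-> ", 1)[1].rsplit(":", 1)[0]
    return ts, msg, dst

def parse_write(line):
    """Return (timestamp, host, user, path) from a constructed share-audit line."""
    fields = dict(item.split("=", 1) for item in line[20:].split(" "))
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return ts, fields["host"], fields["user"], fields["path"]

def correlate(alerts, writes):
    """Directive: an IDS trojan-download alert followed, inside WINDOW, by a burst
    of share writes from the same host becomes one ransomware-propagation incident."""
    parsed_writes = [parse_write(w) for w in writes]
    incidents = []
    for alert in alerts:
        ts, msg, host = parse_snort(alert)
        if "TROJAN" not in msg:
            continue  # only trojan/ransomware download signatures start the directive
        burst = [(w_ts, user, path) for w_ts, w_host, user, path in parsed_writes
                 if w_host == host and ts <= w_ts <= ts + WINDOW]
        files = {path for _, _, path in burst}
        if len(files) >= MIN_FILES:
            incidents.append({"host": host, "user": burst[0][1], "trigger": msg,
                              "files": len(files),
                              "shares": sorted({p.split("\\")[3] for p in files})})
    return incidents
```

The incident record names the host, the user whose session performed the writes, and the shares touched, which is the information the containment plan (user permissions, firewall filters, backup selection) needs first.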

About Palindrome

Professional Services
- Information Security and Assurance
- Vulnerability Assessments
- Penetration Testing
- Risk and Threat Analysis
- Security Policy
- Architecture Review
- Forensics
- Incident Response
- Governance, Compliance
- Disaster Recovery Planning

Managed Services: SIEM
- Alerting
- Event Correlation
- Log Normalization
- User Monitoring
- Malware Detection

Mobile Security Solutions

Recap: Mobile Security; Vulnerability and Threat Management

Q & A

Peter Thermos, MSc, President & CTO
Cell: +1 (732) 688-0413
Peter.thermos@palindrometech.com

Chris Reid, SIEM/MSS
Cell: (732) 276-9368
Chris.reid@palindrometech.com

100 Village Court, Hazlet, NJ 07730 USA
www.palindrometech.com

Assurance, Trust, Confidence