Lockdown
Lessons Learned
CYB 670 - Capstone
Hello.
This is the Lessons Learned presentation provided by Group 4 - Hytema for CYB 670 - UMGC.
Agenda
Situation Summary
Incident Response
Areas of Improvement
June 1, 2022
Our agenda today covers the investigative efforts of the forensic team.
We will detail what occurred during the emergency,
the incident response,
and the areas of improvement.
Reventon Investigation
Ransomware event that occurred during the Global Economic Summit (GES).
Took place between May 11th and May 25th of 2021.
This presentation is the combined effort of the security, engineering, and forensics teams during the ransomware event
that occurred during the Global Economic Summit (GES).
It presents the results of the Reventon Ransomware Investigation,
which took place between May 11th and May 25th of 2021.
Situation Summary
Letter > Extortion > No Action
Unsecured laptop with the password written on a note
Attachment with macros
Ransom payment $500 > $5,000
We now start with the first topic, which covers what happened during the ransomware attack.
A letter was found detailing how an employee was being extorted into carrying out the ransomware event and was afraid for her family.
Management received the report but took no further action, and nothing was reported in writing to senior leadership.
The investigation revealed that two employees, both members of the Web Development and Server Operations team, were absent from the office.
A laptop assigned to one of these employees was left open in the office for anyone to log in and use.
Its password was written in clear text on a sticky note attached to the laptop, visible to everyone.
A user opened the spreadsheet on that computer and enabled its macros.
The macros ran a script on the endpoint
that downloaded and executed the ransomware on the desktop.
The Chief Information Security Officer (CISO) reported that the notification received showed
the ransomware extortionists had increased their demand from $500 to $5,000 in Bitcoin.
Incident Response
Actions
Endpoint Scans
Repeat Attack Mitigation
Snort
YARA rulesets
Now that we know what happened, we look at how the situation was handled:
Endpoint Scans
The ransomware was activated at the endpoint.
In response, the security team requested full mitigation using antivirus scans on all endpoints.
Repeat Attack Mitigation
The security team used YARA rules to determine whether the malware was present on any other workstation, in order to contain the situation.
Wireshark and Snort identified files such as ransomwre.exe and infor.txt.docx, along with the Excel file found on the workstation.
Hashes of these files were documented and turned into Snort and YARA rulesets.
These rulesets allow the team to be notified whenever a file with a matching hash is identified.
Note that a hash rule matches only a byte-identical copy of the sample; a rebuilt or slightly modified variant produces a different hash and needs additional indicators (strings, file structure, network behavior) to be caught.
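The hash sweep and rule generation described in this slide, as an added example that is not part of the Hytema report: hash the recovered samples once, sweep a path for byte-identical copies, and emit a YARA rule built on the hash module. The sample files, their contents, the directory layout and the user name are constructed placeholders, not the real Reventon indicators.

```powershell
# Added example (not from the Hytema report): build a SHA-256 hash set from the
# files recovered during the incident and sweep a path for byte-identical copies.
# File names, contents and paths below are constructed placeholders, not the real IOCs.

function Get-KnownBadHashes {
    param([Parameter(Mandatory)][string[]]$SamplePath)
    # Hash each recovered sample once; the resulting table is the indicator list.
    $set = @{}
    foreach ($p in $SamplePath) {
        $h = (Get-FileHash -Path $p -Algorithm SHA256).Hash.ToLowerInvariant()
        $set[$h] = (Split-Path $p -Leaf)
    }
    return $set
}

function Find-KnownBadFiles {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$KnownHashes
    )
    # Hash every file under $Path and report those whose SHA-256 is in the set.
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
            if ($KnownHashes.ContainsKey($h)) {
                [pscustomobject]@{ File = $_.FullName; Matches = $KnownHashes[$h]; SHA256 = $h }
            }
        }
}

function New-HashYaraRule {
    param(
        [Parameter(Mandatory)][string]$RuleName,
        [Parameter(Mandatory)][hashtable]$KnownHashes
    )
    # Emit a YARA rule that uses the "hash" module; one condition term per indicator.
    $terms = $KnownHashes.Keys | ForEach-Object { "        hash.sha256(0, filesize) == `"$_`"" }
    @"
import "hash"

rule $RuleName
{
    meta:
        description = "Reventon samples recovered from the infected workstation"
    condition:
$($terms -join " or`n")
}
"@
}

# --- Demo with constructed sample files (placeholders for ransomwre.exe etc.) ---
$lab = Join-Path ([IO.Path]::GetTempPath()) "reventon-demo"
New-Item -ItemType Directory -Path "$lab\samples", "$lab\endpoint\Users\jdoe" -Force | Out-Null
Set-Content -Path "$lab\samples\ransomwre.exe"   -Value "placeholder dropper body" -NoNewline
Set-Content -Path "$lab\samples\infor.txt.docx"  -Value "placeholder ransom note"  -NoNewline

$iocs = Get-KnownBadHashes -SamplePath "$lab\samples\ransomwre.exe", "$lab\samples\infor.txt.docx"

# A byte-identical copy on the "endpoint" is found ...
Copy-Item "$lab\samples\ransomwre.exe" "$lab\endpoint\Users\jdoe\invoice.exe"
# ... but a copy that differs by a single byte is not: hash rules match exact bytes only.
Set-Content -Path "$lab\endpoint\Users\jdoe\invoice2.exe" -Value "placeholder dropper body!" -NoNewline

Find-KnownBadFiles -Path "$lab\endpoint" -KnownHashes $iocs | Format-Table -AutoSize
New-HashYaraRule -RuleName Reventon_Known_Hashes -KnownHashes $iocs
```

The sweep reports invoice.exe and stays silent on invoice2.exe, which is the point of the caveat above: a hash ruleset is a fast way to find the exact files that were recovered, and nothing more. The generated rule text can be saved to a .yar file and run with the yara binary against the same paths.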
Areas of Improvement
Recommendations
User Awareness Training
Monitoring Tools (IDS / IPS)
Snort / YARA rules
Endpoint Protection
Group Policy Configurations
DNS Whitelist / Blacklist
Blocking External Storage Devices
One of the key components of this attack was the user's vulnerability to extortion.
Social engineering is one of the leading causes of cybersecurity incidents.
User awareness training can help mitigate this type of attack by teaching users
the appropriate security measures against a cyberattack,
so that they do not become victims of extortion or phishing attacks in the future.
Written procedures will be put in place to ensure that users are informed about the risks and threats currently applicable to them.
The information on this ransomware attack will be made available to the organization to keep everyone aware
and minimize the likelihood of a successful repeat attack; people will know what to do and what not to do.
Being aware of the dangers of browsing the web, checking mail, and interacting online are all components of cybersecurity awareness.
Not everyone in an organization needs to understand concepts like SPF records and DNS cache poisoning,
but giving every employee information relevant to their role helps them stay safe online both at work and at home.
Implement system monitoring such as IDS and IPS to discover threats before they escalate and, where possible, prevent an attack.
Alerting Tools - Snort / YARA
We can build rulesets that detect the ransomware using the indicators discovered during the technical analysis of the incident.
To secure workstations, we would like to strengthen endpoint protection.
The Hytema security team will deploy endpoint protection software,
a set of security applications that protect the organization's endpoints,
such as servers and PCs, from malware and ransomware attacks.
GPO to disable macros
We will ensure that NIST controls are followed and enabled in the environment to protect the organization and its employees.
The team understands that the ransomware was deployed through macros enabled in Office documents.
A Group Policy Object (GPO) will be configured in the environment;
the policy will replicate automatically to the other domain controllers in the same domain.
Most users do not need to run macros, so we should identify the users who do need this functionality.
Macro-enabled files for those users can be restricted to a specific directory (a trusted location) to limit the possible damage from an attack.
Whitelisting and Blacklisting DNS
Hytema will take a stricter approach and whitelist destinations to meet the security controls.
This approach only allows destinations that have been proven to be safe.
Lastly,
we would like to block external storage devices.
USB drives will be restricted for all computers in specific AD organizational units,
and Hytema will then apply the USB block policy to the entire domain.
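The macro GPO from the previous slide and the USB block policy from this one, as an added example that is not part of the Hytema report: the registry-backed settings those two policies map to, written into Group Policy Objects with the GroupPolicy module (RSAT) so that they replicate between domain controllers as described. The GPO names, the domain and OU distinguished names, and the share used as the approved macro location are assumed values; the registry keys and value names are the ones the Office 2016/2019/365 (16.0) and Windows ADMX templates write.

```powershell
# Added example (not from the Hytema report): the Office macro policy and the
# removable-storage policy as registry-backed GPO settings, applied with the
# GroupPolicy module (RSAT). GPO names, OU distinguished names and the trusted
# path are assumed values for this illustration.

Import-Module GroupPolicy

$domainDn   = "DC=corp,DC=example"                           # assumed domain
$macroGpo   = "Office-Macros-Block"                          # assumed GPO name
$usbGpo     = "Removable-Storage-Deny"                       # assumed GPO name
$office     = "HKCU\Software\Policies\Microsoft\Office\16.0" # Office 2016/2019/365 policy root
$trustedDir = "\\fileserver\macro-approved"                   # assumed share for approved macro files

foreach ($name in $macroGpo, $usbGpo) {
    if (-not (Get-GPO -Name $name -ErrorAction SilentlyContinue)) { New-GPO -Name $name | Out-Null }
}

# --- Macros: for each Office application, disable VBA macros without notification
# (VBAWarnings = 4) and block macros in files that carry the Mark of the Web.
foreach ($app in "Excel", "Word", "PowerPoint") {
    $sec = "$office\$app\Security"
    Set-GPRegistryValue -Name $macroGpo -Key $sec -ValueName "VBAWarnings" -Type DWord -Value 4 | Out-Null
    Set-GPRegistryValue -Name $macroGpo -Key $sec -ValueName "blockcontentexecutionfrominternet" -Type DWord -Value 1 | Out-Null
    # Users may not add their own trusted locations; only the one pushed below counts.
    Set-GPRegistryValue -Name $macroGpo -Key "$sec\Trusted Locations" -ValueName "AllowUserLocations" -Type DWord -Value 0 | Out-Null
}

# The few users who need macros get them only from one controlled directory (Excel here);
# a trusted location is exempt from VBAWarnings, so anything outside it stays blocked.
$loc = "$office\Excel\Security\Trusted Locations\Location1"
Set-GPRegistryValue -Name $macroGpo -Key $loc -ValueName "Path"            -Type String -Value $trustedDir | Out-Null
Set-GPRegistryValue -Name $macroGpo -Key $loc -ValueName "AllowSubfolders" -Type DWord  -Value 0           | Out-Null
Set-GPRegistryValue -Name $macroGpo -Key $loc -ValueName "Description"     -Type String -Value "Approved macro workbooks" | Out-Null

# --- Removable storage: "All Removable Storage classes: Deny all access".
Set-GPRegistryValue -Name $usbGpo -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices" `
    -ValueName "Deny_All" -Type DWord -Value 1 | Out-Null

# Link: pilot the USB policy on one OU first, then at the domain root; the macro
# policy is a user setting, so it is linked where the user accounts live.
New-GPLink -Name $usbGpo   -Target "OU=Workstations,$domainDn" -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
New-GPLink -Name $usbGpo   -Target $domainDn                    -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
New-GPLink -Name $macroGpo -Target "OU=Users,$domainDn"         -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Verify what ended up in the GPO before forcing a refresh on a test machine (gpupdate /force).
Get-GPRegistryValue -Name $macroGpo -Key "$office\Excel\Security"
```

Because the macro settings live under HKCU\Software\Policies, they are policy values that the user cannot override from the Trust Center, which is what makes the GPO stronger than asking users to leave the default "disable with notification" in place. The Deny_All value blocks read and write access to all removable storage classes on the machines it reaches; if only writes need to be stopped, the same key takes Deny_Write instead.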
Closing
Detail the investigative effort of what occurred during the attack
Incident response was effective in mitigating the spread of the attack
Develop specific areas of improvement
Propose the need for other recommendations
In conclusion, our team has detailed the investigative effort into what occurred during the attack.
We found that the incident response was effective in mitigating the spread of the attack.
We developed specific areas of improvement, such as endpoint protection and the lack of effective Group Policies that could have prevented the exploit from occurring.
Lastly, we detailed the need for other recommendations, such as improved awareness training against extortion and phishing attacks, to avoid or reduce the chances of future attacks.
Thank You
Group 4 - Hytema
This concludes our presentation.
Thank you for your time and have a good rest of your day!