Chaos Communication Camp 2023, Milliways stage: Stories from the life of incident responders (Harry and Chris)
Translated by Yang Li (ITKST56 course assignment at JYU.FI)

[0:00:30] Host: Hello and good evening on day two of the Chaos Communication Camp 2023. It's late in the evening; this is the Milliways stage, in case you're wondering, and the next talk is going to be about incident response. So if you're curious about how to even get there to have an incident response, how you could prepare for an incident response and how you could support an organization, uh, the incident response team, in doing the job and trying to fix whatever broke, let's put it that way, we have the right talk for you. This is "Stories from the life of incident responders", from Harry and Chris. Please, a very warm round of applause. [Applause]

[0:01:28] Chris: So, good evening and thank you for joining us today. We will tell you a little bit of our life as incident responders. I'm Chris. I did my computer science studies at the University of Erlangen-Nuremberg. I've been doing this security stuff for over 10 years now, so my CV is a little bit longer. At the moment I'm a detection engineer; before that I worked for a long time in DFIR, so digital forensics and incident response, in different organizations.

[0:02:07] Harry: And yeah, I'm Harry. I studied electrical and computer engineering at RWTH University, and I played a lot of CTF and did some hacking stuff at Chaos Computer Club RWTH. During my master's I worked at X41 D-Sec doing pentesting and patch analysis, so I also have some kind of offensive security background. For around one year now I'm working at G DATA Advanced Analytics doing digital forensics and incident handling.

[0:02:38] First Christian will give you a short introduction and then he will tell you what a classical ransomware attack looks like, and in the second part of the talk I will tell you how the incident responders work and what you can do in advance to make it go as smooth as possible and support the incident response team.

[0:02:58] Chris: So as Harry told you, I will talk about ransomware, because the customers we usually have are small and medium-sized businesses, universities and hospitals, and those are regularly, unfortunately regularly, hit by ransomware gangs. The main reason for this, and that's, if you heard the last talk, why they are maybe not that responsive and not so interested: they just lack the resources, so the manpower, to do proper security measures to secure their systems. Especially in situations where you are, for example, in a hospital and have medical devices where you cannot simply install an AV or even patch the system, because you lose the certification as a medical device then. But also in companies, manufacturing companies, on the shop floor we're talking about systems that have runtimes of 25 plus years. So if you look back now from 2023, we're talking about XP and older systems. Fun fact: I was in a ransomware case, WannaCry in 2017, when I got a call from a person from the shop floor asking me if we have an NT4 expert that can tell us if WannaCry is affecting NT4. Of course you don't need to be an expert for NT4; this one is of course not affecting NT4 systems. So due to the time slot, we thought memes are the best way to tell you those stories, and we have a lot of them.

[0:05:06] So in the first section I tell you a little bit of how an attack works. There are a lot of different possibilities how you can describe and how to structure how an attack works. There's the MITRE ATT&CK framework, for example; there was a talk yesterday by Maker Salko here on the stage. There's the original cyber kill chain from Lockheed Martin. You have stuff from companies like Mandiant and their targeted attack lifecycle, but that's all, in my opinion, too fine-grained. That's the reason I just take three simple steps: get a foot in the door; look, move, play around; and cash out. Those three I will just go over.

[0:06:03] So start with "get a foot in the door". Normally we see three ways how attackers can get into the environment in the ransomware cases: you have vulnerabilities in remote, internet-facing systems, you have the remote services themselves, and you have malware.

[0:06:26] Starting with the vulnerabilities. I just looked up the last four years, and maybe somebody remembers NetScaler, the so-called Citrix vulnerability in December 2019. It was released in mid December 2019; the first publicly available POC was in the beginning of January, and the patch was available in the middle of January, so there was around one week to one and a half weeks between a public proof of concept for the vulnerability and a patch for the vulnerability. And what we saw during 2020: a lot of companies patched, but the patch didn't remove the compromise, so they were already compromised, and with the patch they didn't remove the compromise. So what we found, what we could provably see or have evidence for, was nine months: a customer was breached after nine months using this vulnerability. And we had other customers where we could see that the NetScaler was affected after two years, but we couldn't prove that this compromise was the reason for the actual ransomware case. And of course such vulnerabilities happen not that often...

[0:08:06] Yeah, so 2021 gave us Hafnium, the Exchange vulnerability, also a similar situation. The patch appeared as an out-of-band patch from Microsoft on a Tuesday evening, 10 o'clock German time. We saw during our incidents or the assessments we did that the first exploitation attempts were seen on Wednesday in the morning at 5:00 am, so around seven, eight hours later. I know one guy who could patch because he was online when the patch was released; otherwise Germany was unable to patch in time. And of course we can go on with 2021: ProxyShell, also an Exchange vulnerability; ProxyNotShell, also an Exchange vulnerability. We have in 2022 VMware Horizon, the virtual desktop infrastructure from VMware. Just to name also open source stuff: Zimbra, a collaboration platform including an email server, has had a vulnerability. Actually the vulnerability was in cpio, from 2015 I think, which led to a compromise via email, so you send an email with a cpio, with a specially crafted archive file, and you could drop a web shell in one of the directories. Yeah, you have of course FortiOS, which is the FortiGate VPN and firewall operating system, and if you read the news, we start at the beginning again: NetScaler had some issues several weeks ago. According to Fox-IT we have 1900 still unpatched NetScalers worldwide. How many patched NetScalers exist that have not been checked for compromise, we don't know of course. So that will be a nice year, probably.

[0:10:33] So what can you do against this kind of attack vector? Patch your systems is one thing, but as you see, that doesn't lead to... or what you need to do afterwards in such cases: you need to check your systems for possible compromise. That is important. To reduce this, I highly suggest putting your services behind some VPN, so that only people who already have a connection to the VPN can access your services, or the services they need, and that would reduce the attack surface at least to the VPN server.

[0:11:28] But of course we can also think about remote services without vulnerabilities. There can be configuration mistakes, so the admin does something wrong; there can be insecure default configurations like this: I don't know if you know it, but the local admins, the administrators on the Windows system, are automatically in the Remote Desktop Users group, you know. And so we had several cases, especially in the beginning of the pandemic when everybody moved to the home offices and they needed to put people fast in the position to access the internal systems again: they just put an RDP server on the internet and hoped for the best. Additionally, if you put services on the internet, of course brute forcing and credential stuffing are attacks that are possible. So brute forcing: just trying the username and password combinations; credential stuffing: using already leaked passwords or credentials from leaks you find on the internet. What you can do about this kind of attack vector is, just as I said, use multi-factor authentication and reduce the attack surface, as in the point with the vulnerabilities before, by moving the services behind a VPN, and then use multi-factor authentication on the VPN, of course.

[0:13:12] The last vector that we see normally, that the attackers can get in the network, is malware. We all know this about those funny emails you get with the attachments that have either Word documents attached, or zip files with Visual Basic scripts, JavaScripts, and what you can get: ISOs, you see a lot these days. Or what you can also have: you can have just a link inside the email and you download the respective file from some shady file sharing website. What we saw over the last year was USB sticks again, funnily. I'm not sure if you have heard about Raspberry Robin, which is a malware that worms via USB sticks, but I haven't seen it as a vector for ransomware yet on my own, but there are people who said that it's an initial access broker for some of the ransomware gangs. So what can you do about this? You can of course simply ban some file extensions in your mail server, or you change the file association types in your operating system, meaning that you don't open the JavaScript and Visual Basic script files using, for example, the Windows Scripting Host, but open them with Notepad. And that will... of course some people will think about what this is then and ask the IT guys, but it's better than running the script itself.

[0:15:28] One thing, I don't like to say it, but keep your AV updated. This is one thing: keep it updated and read the logs. We see a lot of incidents where we see that already days or weeks before you could have seen that there's something going on in your network. Yeah, and if you see malware in your AV logs, then react to it, just check it. You don't know how long this malware has been on your system. The thing is that just because your AV detected it now, it might have received an update for its signatures, and the malware was active for days or weeks before.

[0:16:27] So when they are inside, then they usually look, move and play around a little bit. So when they look around, what they do is they enumerate AD, they do port scans, they search for vulnerabilities, they check how they can escalate their privileges, they try to find credentials. Kerberoasting, we heard in the talk before, for example, is one thing. They try to identify accounts you have running on your systems they can use, they can get the credentials from and reuse. And for that reason one of the most important things, I think, is that you have a principle of least privilege in your environment: so only what an account needs, it should be able to do. You should use dedicated service accounts for your services, of course, and just for your information, a service account is not an account that has an SVC_ in front of it and is otherwise a normal user account. There exist dedicated service accounts in Windows environments, so use them. Use strong passwords. I still, today, know companies who still use eight character long passwords. I think that's 20 minutes on a decent graphics card today. So use strong passwords; length matters. 12 plus characters is the minimum in my opinion. And don't reuse passwords, especially on your systems the local administrator. Especially in small and medium-sized businesses you see a lot that people use the same password for all local administrators, so if I have it on one system, I have the whole company. Don't reuse it. Um, yeah. [Audience laughter]

[0:19:04] So when they move around in your network, using either password hashes they found, valid credentials they discovered somewhere; vulnerabilities are also used to move around in your environment. They try to establish persistence mechanisms; here we heard also in the talk before about the C2 channels, command and control channels, they use. They install in some cases directly AnyDesk, TeamViewer or other remote control software, or sometimes they also use tunneling software like ngrok, or recently they started using cloudflared. And this is what you need to do: have a proper network segmentation, and with proper network segmentation I don't talk about subnetting. Subnetting means you just have different subnets; you need to have a firewall between them and you need to have rules between them that restrict access between your subnets. And one thing is especially important: please keep or use network segmentation to restrict the access to your backup and your management systems as far as possible. We see a lot, especially, as I said, in the small and medium-sized businesses or in the other organizations we have as customers, that they tell us in workshops: "Yeah, we have a network segmentation, every building is one segment." And on the question "Yeah, you can move between... in a segment you can access everything?" "Yes, you can." "And between the buildings you have also a firewall, and you cannot access anything?" "No, you can access everything." "And also your VMware management console?" "Oh yes, yes we can." "So everybody can access it?" "Yes, of course." And that doesn't work.

[0:21:26] So when they play around, they normally try to gain more privileges. So privilege escalation, that is local privilege escalations normally, but also using vulnerabilities or misconfigurations, insecure default configurations. My personal favorites are Group Policy Preferences, or passwords in Group Policy Preferences. This is no longer possible since, I think, 2014, to put passwords in Group Policy Preferences; however, if you had your password stored in those preferences before the patch in 2015, 2014, then they're still there. And yeah, they are AES encrypted, but the encryption key is on the Microsoft website, so you can just download it and just take it and decrypt the keys. Then during that phase they also try to disable your security measures. The thing you can do is of course patch your systems, so, you know, try to get your vulnerabilities out of this equation. You can try to configure your systems in a secure way; this is not always possible due to some shitty third-party software. And keep your AV updated, and please, please, as I said already, check the logs and act accordingly.

[0:23:05] So in the last phase they cash out. That's when they start being your backup service, so they copy data from your environment using file sharing platforms, for example Mega, and WeTransfer was once the thing. We had already every other file sharing platform you can think about as a possible way to exfiltrate data. They also use their C2 communication channels, so sometimes they also just use the possibilities in AnyDesk or in RDP clients, or they use file transfer protocols like SFTP. We saw for example in one case that they tried to install FileZilla on every machine they had access to, because on the first one it didn't work, on the second it didn't work, on the third it didn't work, because SFTP was blocked outgoing. And that is one of the things you can do to prevent exfiltration: block at least the protocols you know that you don't need in your environment. And proper network segmentation, of course, is a general thing.

[0:24:34] So in the last step, that's when they start the encryption. They're running the ransomware; normally they have domain admin at that point, so they can run it on all domain-connected systems. They can also disable, of course, when they are domain admin, they can disable the AV before they start to run it. Some ransomwares today disable services like databases and such things, so that they have the full power of the machine for the encryption. If you get lucky, not everything works perfectly, because they use group names, and Windows is especially picky when you have a non-English Windows installed. For example, in Germany the group Everyone is called "Jeder", and we had cases where the ransomware didn't really work that well because they couldn't change the permissions of the files first. They use different encryption schemas. Normally they come with the asymmetric and the symmetric encryption type: the asymmetric, or public key cryptography, the public key comes with the ransomware and is used to encrypt the symmetric keys they generate in your environment. Depending on the ransomware, they generate one key for each system or even one key for each file. It depends a little bit on the ransomware how it works, but that's the usual thing they use. I would never count on the fact that there are possibly, maybe, there could be decryptable things. In my opinion, in my world, the ransomware gangs have learned and use the standard Microsoft Windows or some other publicly available libraries to do the encryption. They execute it by remote tools like PsExec, PowerShell, or some use GPOs, group policies, to execute the ransomware on every machine they connected to the domain. And what can you do about this? It's hard, but the most important thing is: have online backups... offline backups, sorry, thanks. You see, online backups are great but not that great; offline backups is the most important thing. So don't have it connected to your environment. The USB disk on the system is not an offline backup. In my opinion, if you see that something is still encrypting, I'm always hesitant to say shut down the system, because you can break the encryption and maybe the file that is currently under encryption, or the files, will never be decryptable if you want to buy a decrypter or gather the cryptos through some discussions with the ransomware guys. If it's a VM, just suspend it, and that's it. And if everything is already encrypted: keep cool and call your incident responder.

[0:28:51] Harry: So now let's talk about incident response: what happens when it's already too late, and what can you do to support your incident response team. At first, the things I'll say in this chapter are for our company and how we work, so other companies might work a little bit different than that. First, for some reason incidents always come on Friday afternoon. So some customers think it is a good idea to try to solve a case by themselves, maybe until the end of the week, and if they didn't solve it until the end of the week, they call the incident response team. Please don't do that. It doesn't help your company and it doesn't make your incident response team happy to have to work on the weekend. And in addition, the longer you wait with calling the incident response team, the longer the incident response will take and the more complicated forensics will be, because you have log retention times. While trying to do stuff by yourself, maybe you modify some of the systems, and it becomes much harder to do precise forensics. So what happens on our side when such a new incident ticket arrives? The first thing we do is team-internal coordination, so we discuss: do we have enough people, do we have a person for each role in our team? We have three roles: incident handling, forensics analyst and malware analyst.

[0:30:26] So first let's talk about incident handling. The incident handler is responsible for all the tasks that are customer-facing, and the first point is always: get the customer out of that "headless chicken mode", like we call it, because when an incident comes at our customer's site, everyone is running around like a so-called headless chicken, doing something but not doing anything helpful. So this is always the first task for the incident handler: structure the customer, do meetings, and then do all the relevant decisions leading to a secure emergency operation mode. That means in this case that you have working core infrastructure, so a working domain controller, maybe a working email server, and whatever you need or whatever you define as very business-critical systems. Let's go a little bit more in detail. Probably the first measure will be to cut off the internet connection, because you just buy a lot of time with doing that: no matter how many backdoors the attackers placed in the network, if you cut off the internet connection, the attackers can't access their backdoors anymore. And then you will start to rebuild your network. You will define everything in your current infrastructure as red network and then start
building up a Dialogue: 0,0:31:51.32,0:31:57.59,Default,,0000,0000,0000,,green network with clean systems maybe you will start with some admin workstations so that the Dialogue: 0,0:31:57.59,0:32:05.42,Default,,0000,0000,0000,,administrators can work properly and then we go through a prioritized system list and build up the most Dialogue: 0,0:32:05.42,0:32:11.42,Default,,0000,0000,0000,,important systems this can be of course like I said domain controllers or email Dialogue: 0,0:32:11.42,0:32:17.84,Default,,0000,0000,0000,,servers but also whatever is important for your current company and for the Dialogue: 0,0:32:17.84,0:32:23.08,Default,,0000,0000,0000,,business this is of course in a hospital something very different from a small Dialogue: 0,0:32:23.08,0:32:30.74,Default,,0000,0000,0000,,business or maybe a university and please have such a prioritized list before your first incident because when Dialogue: 0,0:32:30.74,0:32:37.69,Default,,0000,0000,0000,,you start discussing in an incident which system is the most important then everyone in the company will tell you Dialogue: 0,0:32:37.69,0:32:44.80,Default,,0000,0000,0000,,something else and everyone will tell you that their system is the most important and has to be migrated and Dialogue: 0,0:32:44.80,0:32:48.70,Default,,0000,0000,0000,,checked and analyzed at first and this isn't really helpful Dialogue: 0,0:32:50.49,0:32:56.36,Default,,0000,0000,0000,,so during incident handling there might also be obstacles for example if you Dialogue: 0,0:32:56.36,0:33:02.52,Default,,0000,0000,0000,,have backups and you encrypted your backups this is great but you should think about where to Dialogue: 0,0:33:02.52,0:33:08.91,Default,,0000,0000,0000,,store that encryption key because when you store it in your password manager and the password Dialogue: 0,0:33:08.91,0:33:13.75,Default,,0000,0000,0000,,manager database is in a VM which then gets encrypted by the ransomware well Dialogue: 
0,0:33:13.75,0:33:18.67,Default,,0000,0000,0000,,you have backups but you don't have your key to decrypt the backup so this Dialogue: 0,0:33:18.97,0:33:25.81,Default,,0000,0000,0000,,doesn't help you very much and this is not only two for password Dialogue: 0,0:33:25.99,0:33:34.23,Default,,0000,0000,0000,,this is also true for like everything else which you could need during an incident like contact lists or network Dialogue: 0,0:33:34.27,0:33:39.17,Default,,0000,0000,0000,,lists and so on so Dialogue: 0,0:33:40.57,0:33:47.27,Default,,0000,0000,0000,,working with third parties is also a task for the incident Handler this could be a data Protection Agency Dialogue: 0,0:33:47.33,0:33:52.76,Default,,0000,0000,0000,,or the customers customers because they also often yeah have some panic and have Dialogue: 0,0:33:52.76,0:33:58.02,Default,,0000,0000,0000,,questions which the customer maybe can't answer so this is also a talk a task for Dialogue: 0,0:33:58.02,0:34:03.13,Default,,0000,0000,0000,,the incident Handler and of course also working with law enforcement but there's Dialogue: 0,0:34:03.18,0:34:09.76,Default,,0000,0000,0000,,one thing to keep in mind Law Enforcement wants to do criminal investigation incident response wants to Dialogue: 0,0:34:09.76,0:34:17.54,Default,,0000,0000,0000,,bring you back to business as soon as possible this is not necessarily the same goal but it finally makes sense to Dialogue: 0,0:34:17.57,0:34:25.21,Default,,0000,0000,0000,,allow your incident responders to share all information with law enforcement because this is beneficial for everyone Dialogue: 0,0:34:26.65,0:34:32.71,Default,,0000,0000,0000,,um so why do I do forensics at all one could ask well the less precise the Dialogue: 0,0:34:32.73,0:34:39.19,Default,,0000,0000,0000,,forensic results are the more conservative the rebuild needs to be so if you don't know anything about the Dialogue: 0,0:34:39.19,0:34:45.63,Default,,0000,0000,0000,,attack you have to rebuild everything from 
scratch so let's say you have maybe two week or Dialogue: 0,0:34:45.63,0:34:51.09,Default,,0000,0000,0000,,backups and you know the initial access of the attackers was only one week ago Dialogue: 0,0:34:51.16,0:34:56.35,Default,,0000,0000,0000,,then you could use that two weeks old backups for rebuilding which is really Dialogue: 0,0:34:56.35,0:35:00.99,Default,,0000,0000,0000,,great but if you don't know how long the attackers were in the Dialogue: 0,0:35:01.38,0:35:05.52,Default,,0000,0000,0000,,network then it's really hard to to say Dialogue: 0,0:35:06.99,0:35:12.08,Default,,0000,0000,0000,,a second Point why you should do forensics is to estimate the impact Dialogue: 0,0:35:12.16,0:35:18.68,Default,,0000,0000,0000,,especially in an early um phase of an attack it is important to know that the attackers only compromise Dialogue: 0,0:35:18.68,0:35:23.77,Default,,0000,0000,0000,,some user devices or did they already gain domain administrative privileges Dialogue: 0,0:35:24.21,0:35:30.75,Default,,0000,0000,0000,,because then the incident handling is completely different and of course it is also relevant to Dialogue: 0,0:35:30.75,0:35:36.48,Default,,0000,0000,0000,,know which attack path the attack is used so you can Harden your network and Dialogue: 0,0:35:37.10,0:35:42.75,Default,,0000,0000,0000,,improve in the future how should incident how should forensics Dialogue: 0,0:35:42.75,0:35:48.79,Default,,0000,0000,0000,,be it should of course be correct it should be non-disruptive for the customer so they can concentrate on Dialogue: 0,0:35:48.97,0:35:55.06,Default,,0000,0000,0000,,rebuilding their infrastructure and it should be fast what means correct you want to have a Dialogue: 0,0:35:55.21,0:36:00.50,Default,,0000,0000,0000,,dedicated forensics analyst so you want to have incident response team which is Dialogue: 0,0:36:00.69,0:36:07.02,Default,,0000,0000,0000,,doing incident response in their day-to-day business and you want in your forensics teams one Dialogue: 
0,0:36:07.02,0:36:12.91,Default,,0000,0000,0000,,person who can really concentrate on forensics and is not also doing the incident handling and the malware Dialogue: 0,0:36:12.91,0:36:17.23,Default,,0000,0000,0000,,analysis and so on because then you can't really concentrate on doing the technical work Dialogue: 0,0:36:19.33,0:36:25.68,Default,,0000,0000,0000,,it also should be non-disruptive as I said that means for our company we do remote triage collection we use the tool Dialogue: 0,0:36:25.74,0:36:33.34,Default,,0000,0000,0000,,videos adapter for it this is an official logo of velociraptor it's a really nice tool because we just send Dialogue: 0,0:36:33.34,0:36:38.64,Default,,0000,0000,0000,,our customers an exe file the customer just has to execute the exe file and Dialogue: 0,0:36:38.64,0:36:43.90,Default,,0000,0000,0000,,then it collects all the logs we need all the um yeah information we need Dialogue: 0,0:36:44.84,0:36:49.84,Default,,0000,0000,0000,,and absolute uploads it to our um to our infrastructure so we don't Dialogue: 0,0:36:49.84,0:36:58.13,Default,,0000,0000,0000,,need to drive to the customer and like start copying hard disks for a week for weeks because this doesn't help anyone Dialogue: 0,0:36:58.49,0:37:04.33,Default,,0000,0000,0000,,I should also said it should be fast so we have a lot of Automation and tooling Dialogue: 0,0:37:04.33,0:37:10.54,Default,,0000,0000,0000,,to make the work really fast automatically pushing our the uploaded files we want Dialogue: 0,0:37:10.54,0:37:16.70,Default,,0000,0000,0000,,to lose this infrastructure automatically doing reporting and so on I won't go in detail here because this Dialogue: 0,0:37:16.70,0:37:22.28,Default,,0000,0000,0000,,is enough for a single talk about it maybe maybe on Congress let's see Dialogue: 0,0:37:23.28,0:37:28.44,Default,,0000,0000,0000,,so what happens when we do manual forensic analysis Dialogue: 0,0:37:28.62,0:37:35.71,Default,,0000,0000,0000,,there are some questions you 
normally want to answer one is of course about the vectors you want to find all vectors Dialogue: 0,0:37:35.71,0:37:40.97,Default,,0000,0000,0000,,the attack is placed in the network of course you want to have General IUC Dialogue: 0,0:37:40.97,0:37:47.53,Default,,0000,0000,0000,,so indicators of compromise so maybe which IP addresses did the attackers use so you can block them in the firewall or Dialogue: 0,0:37:47.53,0:37:53.34,Default,,0000,0000,0000,,which tools did they use so you can scan over the whole it infrastructure and Dialogue: 0,0:37:53.38,0:37:59.50,Default,,0000,0000,0000,,find further compromised systems and if you have the iocs you can also cross-correlate between cases or show Dialogue: 0,0:37:59.77,0:38:05.21,Default,,0000,0000,0000,,them share them with law enforcement another important thing is of course Dialogue: 0,0:38:05.27,0:38:13.27,Default,,0000,0000,0000,,lateral movement because you can use lateral movement to build a timeline of the attack so the mythology here is to Dialogue: 0,0:38:13.39,0:38:20.82,Default,,0000,0000,0000,,look where the attackers came from and where the attackers went so if you have a system a and you see the attackers Dialogue: 0,0:38:20.82,0:38:27.57,Default,,0000,0000,0000,,came from system B then you analyze system B and go back in time and the same you could do forward in time until Dialogue: 0,0:38:27.57,0:38:34.29,Default,,0000,0000,0000,,you found yeah all relevant systems which were compromised and have a proper timeline of the case Dialogue: 0,0:38:36.21,0:38:41.85,Default,,0000,0000,0000,,and other common thing in the life of an incident responder is to fall in a rabbit hole Dialogue: 0,0:38:42.23,0:38:47.44,Default,,0000,0000,0000,,because it can be really really interesting to do forensics but yeah you need to Dialogue: 0,0:38:48.46,0:38:55.04,Default,,0000,0000,0000,,check what the customer really wants to know or what your incident Handler really wants to know Dialogue: 
0,0:38:55.04,0:39:01.53,Default,,0000,0000,0000,,and not just analyze something and fall into the rabbit hole because this yeah Dialogue: 0,0:39:01.53,0:39:08.17,Default,,0000,0000,0000,,really doesn't help anyone here also the 80 20 rule applies so I'd say you get like 80 percent of Dialogue: 0,0:39:08.28,0:39:14.44,Default,,0000,0000,0000,,the relevant forensics results in 20 of the time and often this is enough for the incident Handler to do the right Dialogue: 0,0:39:14.44,0:39:20.35,Default,,0000,0000,0000,,decisions to rebuild the customer Network customer's networks as fast as possible Dialogue: 0,0:39:21.63,0:39:26.73,Default,,0000,0000,0000,,so let's go into reporting nobody really likes reporting Dialogue: 0,0:39:28.07,0:39:34.10,Default,,0000,0000,0000,,but producing fancy forensics results doing fancy technical stuff is worthless Dialogue: 0,0:39:34.10,0:39:40.07,Default,,0000,0000,0000,,if you can can't explain it to a manager nobody pays us to do fancy technical Dialogue: 0,0:39:40.07,0:39:45.42,Default,,0000,0000,0000,,stuff nobody understands but we are paid to help our customers and explain the Dialogue: 0,0:39:45.42,0:39:52.96,Default,,0000,0000,0000,,situation to them and to do the right decisions so yeah nobody likes reporting but it is a really really important Dialogue: 0,0:39:52.96,0:39:56.82,Default,,0000,0000,0000,,thing so after learning the report the Dialogue: 0,0:39:56.84,0:40:02.43,Default,,0000,0000,0000,,incident is over and all work is done right no not really because such a Dialogue: 0,0:40:02.47,0:40:08.05,Default,,0000,0000,0000,,report normally contains a lot of recommendations what to do Dialogue: 0,0:40:08.70,0:40:14.76,Default,,0000,0000,0000,,for the customers and as I already said incident response more or less stops Dialogue: 0,0:40:15.36,0:40:20.60,Default,,0000,0000,0000,,when the customer is in an emergency operation mode with a core infrastructure and the most critical Dialogue: 
0,0:40:20.67,0:40:28.13,Default,,0000,0000,0000,,systems are working but there's still a lot to do and of course security is a process so Dialogue: 0,0:40:28.30,0:40:32.41,Default,,0000,0000,0000,,there's always something to improve to stay ahead of the attackers Dialogue: 0,0:40:33.61,0:40:38.04,Default,,0000,0000,0000,,so now let's go into a quick recap Dialogue: 0,0:40:42.25,0:40:49.36,Default,,0000,0000,0000,,how to protect against those kind of attacks we had this uh the topics just Dialogue: 0,0:40:49.52,0:40:55.22,Default,,0000,0000,0000,,as a recap patch your systems it's important keep them updated Dialogue: 0,0:40:56.03,0:41:02.04,Default,,0000,0000,0000,,vulnerabilities come and go that's one thing have a sane privilege Dialogue: 0,0:41:02.21,0:41:09.04,Default,,0000,0000,0000,,account management so use the correct user accounts for the correct for the Dialogue: 0,0:41:09.04,0:41:17.86,Default,,0000,0000,0000,,the right task use the second two-factor authentication Dialogue: 0,0:41:17.93,0:41:24.28,Default,,0000,0000,0000,,for remote services have a proper Network segmentation so Dialogue: 0,0:41:24.57,0:41:31.30,Default,,0000,0000,0000,,put firewalls and access rules between your networks check your AV logs regularly and act Dialogue: 0,0:41:31.50,0:41:37.37,Default,,0000,0000,0000,,accordingly and not really protecting your you against an attack Dialogue: 0,0:41:37.86,0:41:46.33,Default,,0000,0000,0000,,but keeping the the symptoms a little bit um not that that devastating have Dialogue: 0,0:41:46.33,0:41:52.57,Default,,0000,0000,0000,,offline backups so how to make incident response easier Dialogue: 0,0:41:52.76,0:41:58.87,Default,,0000,0000,0000,,for you for yourself and for the incident Response Team first thing is don't try to solve this stuff by Dialogue: 0,0:41:58.87,0:42:05.27,Default,,0000,0000,0000,,yourself just call the incident response team of your trust as soon as you know Dialogue: 0,0:42:05.27,0:42:11.88,Default,,0000,0000,0000,,you 
have an incident the second thing is logging policy because if you have a very short lock Dialogue: 0,0:42:11.88,0:42:16.93,Default,,0000,0000,0000,,retention for example and you only have locks for the last like two days then it Dialogue: 0,0:42:16.93,0:42:22.15,Default,,0000,0000,0000,,might be hard to find out what happened and if you don't lock stuff at all Dialogue: 0,0:42:22.48,0:42:28.100,Default,,0000,0000,0000,,especially in the cloud environments this is a thing where you need to look at then it might also be hard to get Dialogue: 0,0:42:29.17,0:42:34.21,Default,,0000,0000,0000,,proper forensic results then as I said have offline contact Dialogue: 0,0:42:34.21,0:42:41.03,Default,,0000,0000,0000,,lists because your main server is down your accounts are compromised so you can't use like your Microsoft teams or Dialogue: 0,0:42:41.03,0:42:47.83,Default,,0000,0000,0000,,whatever you use in your company you need an alternative way to communicate to your colleagues and or Dialogue: 0,0:42:48.03,0:42:54.10,Default,,0000,0000,0000,,employees then as I said prioritized asset list and network plans Dialogue: 0,0:42:55.17,0:43:01.81,Default,,0000,0000,0000,,and a disaster recovery plan in best case and please all have all that in a Dialogue: 0,0:43:01.81,0:43:07.56,Default,,0000,0000,0000,,secure place in best case on paper well nobody likes doing stuff with their Dialogue: 0,0:43:07.56,0:43:11.68,Default,,0000,0000,0000,,trees I know but that trees don't get ransomware right Dialogue: 0,0:43:14.32,0:43:21.38,Default,,0000,0000,0000,,so that's it from our site more or less normally this is a point where Dialogue: 0,0:43:21.38,0:43:26.30,Default,,0000,0000,0000,,you can ask us questions but we want to spin that around and give you some Dialogue: 0,0:43:26.30,0:43:31.09,Default,,0000,0000,0000,,questions maybe someone can guess the right answer Dialogue: 0,0:43:31.88,0:43:36.98,Default,,0000,0000,0000,,what do you think is the shortest time to domain admin we saw an 
incident between initial compromise and the Dialogue: 0,0:43:36.98,0:43:41.06,Default,,0000,0000,0000,,attackers gaining domain admin Dialogue: 0,0:43:42.62,0:43:49.50,Default,,0000,0000,0000,,yeah it's not it somebody said 17 seconds two minutes well it's not that Dialogue: 0,0:43:49.50,0:43:54.33,Default,,0000,0000,0000,,bad six minutes is is what we have seen in incident hmm Dialogue: 0,0:43:54.74,0:44:00.32,Default,,0000,0000,0000,,what do you think think is the shortest lock retention on a domain controller so how long Dialogue: 0,0:44:01.21,0:44:08.68,Default,,0000,0000,0000,,zero 10 hours a year well it is 2.5 minutes Dialogue: 0,0:44:12.87,0:44:18.60,Default,,0000,0000,0000,,what what do you think is the highest number of domain administrator accounts Dialogue: 0,0:44:18.60,0:44:26.04,Default,,0000,0000,0000,,we saw in an incident 200 nah 50. Dialogue: 0,0:44:26.04,0:44:30.80,Default,,0000,0000,0000,,64 with 120 people working in IT Dialogue: 0,0:44:33.04,0:44:39.67,Default,,0000,0000,0000,,what do you think is the longest dwell time so the longest the longest time between being initially compromised and Dialogue: 0,0:44:39.89,0:44:47.57,Default,,0000,0000,0000,,realizing that you are compromised 60 now it's it's not that bad I hit here Dialogue: 0,0:44:47.83,0:44:52.12,Default,,0000,0000,0000,,a lot of years well it is like around two years Dialogue: 0,0:44:53.29,0:44:58.82,Default,,0000,0000,0000,,so well that's really it from our side no time for questions thank you Dialogue: 0,0:45:01.61,0:45:05.91,Default,,0000,0000,0000,,if you Dialogue: 0,0:45:09.30,0:45:13.70,Default,,0000,0000,0000,,if you have questions we will be there outside waiting come and join us Dialogue: 0,0:45:15.48,0:45:21.23,Default,,0000,0000,0000,,thank you thank you thank you Harryr and Kris warmer applause thank you Dialogue: 0,0:45:23.96,0:45:32.77,Default,,0000,0000,0000,,End of subtitles:[Translated by {Yang}{Li} (ITKST56 course assignment at JYU.FI)]