0:00:30.206,0:00:37.260 Hello and good evening on day two of the Chaos Communication Camp 2023. [Translated by Yang Li (ITKST56 course assignment at JYU.FI)]
0:00:37.260,0:00:42.187 It's late in the evening, this is the Milliways stage in case you're wondering,
0:00:42.230,0:00:48.176 and the next talk is going to be about incident response.
0:00:48.476,0:00:59.520 So if you're curious about how to even get there to have an incident response, how you could prepare for an incident response and how you could support a new organization,
0:00:59.520,0:01:07.258 the incident response team, in doing the job and trying to fix whatever broke,
0:01:07.258,0:01:11.677 let's put it that way, we have the right talk for you.
0:01:11.677,0:01:17.352 This is "Stories from the life of an incident" from incident responders Harry and Chris.
0:01:17.352,0:01:23.500 Please, a very warm round of applause. [Applause]
0:01:28.925,0:01:36.675 So, good evening and thank you for joining us today. We will tell you a little bit of our
0:01:36.675,0:01:43.664 life as incident responders. I'm Chris, I did my computer science
0:01:43.664,0:01:48.784 studies at the University of Erlangen-Nuremberg. I have been doing this security stuff for
0:01:48.784,0:01:55.394 over 10 years now, so my CV is a little bit longer. At the moment I'm a detection
0:01:55.415,0:02:01.425 engineer; before that I was working for a long time in DFIR, so digital forensics and incident
0:02:01.425,0:02:06.062 response, in different organizations.
0:02:07.411,0:02:12.388 Yeah, I'm Harry, I studied electrical and computer engineering at RWTH
0:02:12.395,0:02:18.165 University, and I played a lot of CTF and did some hacking stuff at the Chaos Computer Club RWTH.
0:02:18.165,0:02:24.523 During my master's I worked at X41 D-Sec doing pen testing and patch analysis,
0:02:24.589,0:02:32.359 so I also have some kind of offensive security background. For around one year now I have been working at G DATA Advanced
0:02:32.359,0:02:36.619 Analytics doing digital forensics and incident handling.
0:02:38.080,0:02:45.390 First Christian will give you a short introduction and then he will tell you how a classical ransomware attack looks
0:02:45.390,0:02:51.097 like, and in the second part of the talk I will tell you how the incident
0:02:51.097,0:02:58.167 responders work and what you can do in advance to make it go as smoothly as possible and support the incident
0:02:58.167,0:03:05.035 response team. So, as Harry told you, I will probably,
0:03:05.035,0:03:12.290 we'll talk about ransomware, because the customers we usually have are small and
0:03:12.290,0:03:17.543 medium-sized businesses, universities and hospitals, and those are regularly,
0:03:17.543,0:03:23.268 unfortunately regularly, hit by
0:03:24.017,0:03:29.557 ransomware gangs. The main reason for this, and that's, if you heard the last
0:03:29.557,0:03:35.096 talk, why they are maybe not that responsive
0:03:35.096,0:03:42.058 and are not so interested: they just lack the resources, so the manpower, to do
0:03:42.058,0:03:48.424 proper security measures to secure their systems, especially in
0:03:48.424,0:03:53.618 situations where you are, for example, in a hospital and have medical devices
0:03:53.618,0:03:59.378 where you cannot simply install an AV on or even patch the system,
0:03:59.378,0:04:07.321 because you lose the certification as a medical device then. But also in
0:04:07.321,0:04:12.953 companies, manufacturing companies, on the shop floor we're talking about systems
0:04:12.953,0:04:21.292 that have run times of 25 plus years. So if you look back now, 2023,
0:04:21.292,0:04:26.823 we're talking about XP and older systems. Fun fact: I was in a ransomware case, and
0:04:26.823,0:04:34.230 WannaCry in 2017, when I got a call from a person from the shop floor
0:04:34.230,0:04:38.000 asking me if we have an NT4 expert
0:04:40.200,0:04:47.380 that can tell us if WannaCry is affecting NT4. Of course you don't need
0:04:47.380,0:04:54.071 to be an expert for NT4; this one is of course not affecting NT4
0:04:54.071,0:04:59.602 systems. So, due to the time slot, we thought
0:04:59.602,0:05:04.915 memes are the best way to tell you those stories, and we have a lot of them.
0:05:06.453,0:05:12.822 So in the first section I'll tell you a little bit of how an attack works.
0:05:12.822,0:05:21.062 There are a lot of different possibilities how you can describe and how to structure how an attack works.
0:05:22.257,0:05:28.993 There's the MITRE ATT&CK framework, for example; there was for example a talk yesterday by Maker Salko
0:05:28.993,0:05:34.854 here on the stage. There's the original Cyber Kill Chain from Lockheed Martin. You have
0:05:37.190,0:05:42.480 stuff from companies like Mandiant and their targeted attack life cycle, but
0:05:42.480,0:05:47.550 that's all, in my opinion, too fine-grained. That's the reason I
0:05:47.550,0:05:53.275 just take three simple steps: yeah, get a foot in the door,
0:05:53.275,0:06:00.645 look, move, play around, and cash out. Those three I will just go over.
0:06:03.141,0:06:07.835 So, start with "get a foot in the door". Normally we
0:06:07.835,0:06:14.756 see three ways how attackers can get into the environment in the ransomware
0:06:14.756,0:06:20.655 cases: you have vulnerabilities in remote, internet-facing systems, you
0:06:20.655,0:06:25.875 have the remote services themselves, and you have malware.
0:06:26.712,0:06:35.507 Starting with the vulnerabilities, I just looked up the last four
0:06:35.507,0:06:42.060 years, and maybe somebody remembers NetScaler, the so-called Citrix
0:06:42.060,0:06:49.789 vulnerability in December 2019. It was released in mid-
0:06:49.789,0:06:55.889 December 2019, the first publicly available PoC was in the beginning of
0:06:55.889,0:07:03.293 January and the patch was available in the middle of January, so there was around one week to one and a half weeks between
0:07:03.293,0:07:10.494 a public proof of concept for the vulnerability and a patch for the vulnerability. And what we saw
0:07:10.494,0:07:17.194 during 2020: a lot of companies patched, but the patch didn't remove the
0:07:17.194,0:07:25.469 compromise, so they were already compromised, and yeah, with the patch they
0:07:25.469,0:07:31.114 didn't remove the compromise. So what we found, what we could provably
0:07:31.114,0:07:36.184 see or prove with evidence, was nine
0:07:36.184,0:07:42.286 months: a customer was breached after nine months using this vulnerability,
0:07:43.176,0:07:51.434 and we had other customers where we could see that the NetScaler was affected after two years, but we couldn't
0:07:51.434,0:08:00.073 prove that this compromise was the reason for the actual ransomware case.
0:08:00.275,0:08:04.914 And of course such vulnerabilities happen not that often.
0:08:06.295,0:08:10.405 Yeah, so 2021 gave us Hafnium Exchange