1
00:00:30,206 --> 00:00:37,260
Hello and good evening on day two of the chaos communication Camp 2023 Translated by {Yang}{Li} (ITKST56 course assignment at JYU.FI)]

2
00:00:37,260 --> 00:00:42,187
it's late in the evening this is meleeway stage in case you're wondering

3
00:00:42,230 --> 00:00:48,176
and the next talk is going to be about incident report responses

4
00:00:48,476 --> 00:00:59,520
so if you're curious about how to even get there to have an incident response how you could 
prepare for an incident response and how you could support a new organization

5
00:00:59,520 --> 00:01:07,258
uh, the incident response team in doing the job and trying to fix whatever broke

6
00:01:07,258 --> 00:01:11,677
let's put it that way um we have the right talk for you

7
00:01:11,677 --> 00:01:17,352
this is stories from the life of an incident from incident responders Harry and Chris

8
00:01:17,352 --> 00:01:23,500
please a very warm Round of Applause [Applause]

9
00:01:28,925 --> 00:01:36,675
so, good evening and thank you for joining us today um we will tell you a little bit of our

10
00:01:36,675 --> 00:01:43,664
life as incident responders and I'm Chris I did my computer science

11
00:01:43,664 --> 00:01:48,784
studies at the University of alang and Nuremberg I do this security stuff for

12
00:01:48,784 --> 00:01:55,394
over 10 years now so my CV is a little bit longer at the moment I'm a detection

13
00:01:55,415 --> 00:02:01,425
engineer before that I was a long time working in dfir so digital forensic incident

14
00:02:01,425 --> 00:02:06,062
response in different organizations and

15
00:02:07,411 --> 00:02:12,388
yeah I'm Harryr I studied electrical and computer engineering at RWTH

16
00:02:12,395 --> 00:02:18,165
University and I played a lot of CTF and did some hacking stuff at chaos computer club RWTH

17
00:02:18,165 --> 00:02:24,523
during my masters I worked at x41 dsac doing pen testing patch analysis

18
00:02:24,589 --> 00:02:32,359
so I also have some kind of offensive security background on for around one year now I'm working at G data Advanced

19
00:02:32,359 --> 00:02:36,619
analytics doing digital forensics and incident handling

20
00:02:38,080 --> 00:02:45,390
first Christian will give you a short introduction and then he will tell you how a classical ransomware attack looks

21
00:02:45,390 --> 00:02:51,097
like and in the second part of the talk I will tell you how the incident

22
00:02:51,097 --> 00:02:58,167
responders work and what you can do in advance to make it go as smooth as possible and support the incident

23
00:02:58,167 --> 00:03:05,035
response team so as Harryr told you I will probably

24
00:03:05,035 --> 00:03:12,290
we'll talk about ransomware because the customers we usually have are small and

25
00:03:12,290 --> 00:03:17,543
medium-sized businesses universities and hospitals and those are regularly

26
00:03:17,543 --> 00:03:23,268
unfortunately regularly hit by um um

27
00:03:24,017 --> 00:03:29,557
ransomware gangs the main reason for this and that's if you heard the last

28
00:03:29,557 --> 00:03:35,096
talk um why they maybe not that responsive

29
00:03:35,096 --> 00:03:42,058
and are not so interested in they just lack the resources so the manpower to do

30
00:03:42,058 --> 00:03:48,424
uh proper security measurements to secure their systems especially in in erm

31
00:03:48,424 --> 00:03:53,618
situations where you are for example in a hospital have medical devices

32
00:03:53,618 --> 00:03:59,378
um which where you cannot simply install an AV on or even patch the system

33
00:03:59,378 --> 00:04:07,321
because you lose the certification as a medical device then but also in in

34
00:04:07,321 --> 00:04:12,953
companies manufacturing companies on the shop floor we're talking about systems


35
00:04:12,953 --> 00:04:21,292
that have run times of 25 plus years so if you look back now 2023

36
00:04:21,292 --> 00:04:26,823
we're talking about XP and older systems fun fact I was in a ransomware case and

37
00:04:26,823 --> 00:04:34,230
Wannacry in 2017 when I got a call from from a person from the shop floor

38
00:04:34,230 --> 00:04:38,000
asking me if we have a nt4 expert, um

39
00:04:40,200 --> 00:04:47,380
that can tell us if WannaCry is affecting nt4 of course you don't need

40
00:04:47,380 --> 00:04:54,071
to be a expert for NT-4 this one requires of course not affecting nt4

41
00:04:54,071 --> 00:04:59,602
systems so due to the time uh slot we thought

42
00:04:59,602 --> 00:05:04,915
memes are the best way to to tell you those stories and we have a lot of them

43
00:05:06,453 --> 00:05:12,822
so in the first uh um section I tell you a little bit of how an attack Works

44
00:05:12,822 --> 00:05:21,062
um there are a lot of different possibilities how you can describe and how to structure the how an attack works

45
00:05:22,257 --> 00:05:28,993
there's the miter attack framework for example there was for example a talk Yesterday by Maker Salko

46
00:05:28,993 --> 00:05:34,854
um here on the stage there's the original cyber kill chain from from Lockheed Martin you have

47
00:05:37,190 --> 00:05:42,480
stuff from from companies like Mandy and their targeted the tech life cycle but

48
00:05:42,480 --> 00:05:47,550
that's all in my opinion two two fine-grained it's that's the reason I

49
00:05:47,550 --> 00:05:53,275
just take three simple steps yeah get a foothold in the door

50
00:05:53,275 --> 00:06:00,645
look move play around and cash out those three uh I will just go over

51
00:06:03,141 --> 00:06:07,835
so start with uh get a foot in the door so normally we

52
00:06:07,835 --> 00:06:14,756
see three ways how attackers can can get into the environment in the ransomware

53
00:06:14,756 --> 00:06:20,655
cases you have vulnerabilities in uh remote uh internet facing systems you

54
00:06:20,655 --> 00:06:25,875
have the remote Services itself and you have malware

55
00:06:26,712 --> 00:06:35,507
starting with the with the the vulnerabilities and um I just looked uh up the last four

56
00:06:35,507 --> 00:06:42,060
years and maybe somebody remembers netscaler the the so-called Citrix

57
00:06:42,060 --> 00:06:49,789
vulnerability in December 2019 um it was released mid of uh 2019 uh

58
00:06:49,789 --> 00:06:55,889
December 2019 the first POC publicly available POC was in beginning of

59
00:06:55,889 --> 00:07:03,293
January and the patch was available in middle of January so there was a round one week to one and a half weeks between

60
00:07:03,293 --> 00:07:10,494
a public proof of concept for the vulnerability and uh patch for the vulnerability and what we saw

61
00:07:10,494 --> 00:07:17,194
during 2020 a lot of companies patched but the patch didn't remove the the

62
00:07:17,194 --> 00:07:25,469
compromise so they were already compromised and um yeah with it with the patch they

63
00:07:25,469 --> 00:07:31,114
didn't remove the compromise so what we found what we could provable

64
00:07:31,114 --> 00:07:36,184
see or proof evidence for uh was nine

65
00:07:36,184 --> 00:07:42,286
month uh customer was breached after nine months using this this vulnerability

66
00:07:43,176 --> 00:07:51,434
and we had other customers where we could see that the netscaler was affected after two years but we couldn't

67
00:07:51,434 --> 00:08:00,073
prove that this this compromise was the reason for the actual ransomware case

68
00:08:00,275 --> 00:08:04,914
and of course such vulnerabilities happen not that often

69
00:08:06,295 --> 00:08:10,405
yeah so 2021 gave us uh hafnium exchange