[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:30.21,0:00:37.26,Default,,0000,0000,0000,,Hello and good evening on day two of the Chaos Communication Camp 2023 Translated by {Yang}{Li} (ITKST56 course assignment at JYU.FI)
Dialogue: 0,0:00:37.26,0:00:42.19,Default,,0000,0000,0000,,it's late in the evening this is Milliways stage in case you're wondering
Dialogue: 0,0:00:42.23,0:00:48.18,Default,,0000,0000,0000,,and the next talk is going to be about incident report responses
Dialogue: 0,0:00:48.48,0:00:59.52,Default,,0000,0000,0000,,so if you're curious about how to even get there to have an incident response how you could \Nprepare for an incident response and how you could support a new organization
Dialogue: 0,0:00:59.52,0:01:07.26,Default,,0000,0000,0000,,uh, the incident response team in doing the job and trying to fix whatever broke
Dialogue: 0,0:01:07.26,0:01:11.68,Default,,0000,0000,0000,,let's put it that way um we have the right talk for you
Dialogue: 0,0:01:11.68,0:01:17.35,Default,,0000,0000,0000,,this is stories from the life of an incident from incident responders Harry and Chris
Dialogue: 0,0:01:17.35,0:01:23.50,Default,,0000,0000,0000,,please a very warm round of applause [Applause]
Dialogue: 0,0:01:28.92,0:01:36.68,Default,,0000,0000,0000,,so, good evening and thank you for joining us today um we will tell you a little bit of our
Dialogue: 0,0:01:36.68,0:01:43.66,Default,,0000,0000,0000,,life as incident responders and I'm Chris I did my computer science
Dialogue: 0,0:01:43.66,0:01:48.78,Default,,0000,0000,0000,,studies at the University of Erlangen-Nuremberg I do this security stuff for
Dialogue: 0,0:01:48.78,0:01:55.39,Default,,0000,0000,0000,,over 10 years now so my CV is a little bit longer at the moment I'm a detection
Dialogue: 0,0:01:55.42,0:02:01.42,Default,,0000,0000,0000,,engineer before that I was a long time working in DFIR so digital forensic incident
Dialogue: 0,0:02:01.42,0:02:06.06,Default,,0000,0000,0000,,response in different organizations and
Dialogue: 0,0:02:07.41,0:02:12.39,Default,,0000,0000,0000,,yeah I'm Harry I studied electrical and computer engineering at RWTH
Dialogue: 0,0:02:12.40,0:02:18.16,Default,,0000,0000,0000,,University and I played a lot of CTF and did some hacking stuff at Chaos Computer Club RWTH
Dialogue: 0,0:02:18.16,0:02:24.52,Default,,0000,0000,0000,,during my masters I worked at X41 D-Sec doing pen testing patch analysis
Dialogue: 0,0:02:24.59,0:02:32.36,Default,,0000,0000,0000,,so I also have some kind of offensive security background on for around one year now I'm working at G DATA Advanced
Dialogue: 0,0:02:32.36,0:02:36.62,Default,,0000,0000,0000,,Analytics doing digital forensics and incident handling
Dialogue: 0,0:02:38.08,0:02:45.39,Default,,0000,0000,0000,,first Christian will give you a short introduction and then he will tell you how a classical ransomware attack looks
Dialogue: 0,0:02:45.39,0:02:51.10,Default,,0000,0000,0000,,like and in the second part of the talk I will tell you how the incident
Dialogue: 0,0:02:51.10,0:02:58.17,Default,,0000,0000,0000,,responders work and what you can do in advance to make it go as smooth as possible and support the incident
Dialogue: 0,0:02:58.17,0:03:05.04,Default,,0000,0000,0000,,response team so as Harry told you I will probably
Dialogue: 0,0:03:05.04,0:03:12.29,Default,,0000,0000,0000,,we'll talk about ransomware because the customers we usually have are small and
Dialogue: 0,0:03:12.29,0:03:17.54,Default,,0000,0000,0000,,medium-sized businesses universities and hospitals and those are regularly
Dialogue: 0,0:03:17.54,0:03:23.27,Default,,0000,0000,0000,,unfortunately regularly hit by um um
Dialogue: 0,0:03:24.02,0:03:29.56,Default,,0000,0000,0000,,ransomware gangs the main reason for this and that's if you heard the last
Dialogue: 0,0:03:29.56,0:03:35.10,Default,,0000,0000,0000,,talk um why they maybe not that responsive
Dialogue: 0,0:03:35.10,0:03:42.06,Default,,0000,0000,0000,,and are not so interested in they just lack the resources so the manpower to do
Dialogue: 0,0:03:42.06,0:03:48.42,Default,,0000,0000,0000,,uh proper security measurements to secure their systems especially in in erm
Dialogue: 0,0:03:48.42,0:03:53.62,Default,,0000,0000,0000,,situations where you are for example in a hospital have medical devices
Dialogue: 0,0:03:53.62,0:03:59.38,Default,,0000,0000,0000,,um which where you cannot simply install an AV on or even patch the system
Dialogue: 0,0:03:59.38,0:04:07.32,Default,,0000,0000,0000,,because you lose the certification as a medical device then but also in in
Dialogue: 0,0:04:07.32,0:04:12.95,Default,,0000,0000,0000,,companies manufacturing companies on the shop floor we're talking about systems\N
Dialogue: 0,0:04:12.95,0:04:21.29,Default,,0000,0000,0000,,that have run times of 25 plus years so if you look back now 2023
Dialogue: 0,0:04:21.29,0:04:26.82,Default,,0000,0000,0000,,we're talking about XP and older systems fun fact I was in a ransomware case and
Dialogue: 0,0:04:26.82,0:04:34.23,Default,,0000,0000,0000,,WannaCry in 2017 when I got a call from from a person from the shop floor
Dialogue: 0,0:04:34.23,0:04:38.00,Default,,0000,0000,0000,,asking me if we have an NT4 expert, um
Dialogue: 0,0:04:40.20,0:04:47.38,Default,,0000,0000,0000,,that can tell us if WannaCry is affecting NT4 of course you don't need
Dialogue: 0,0:04:47.38,0:04:54.07,Default,,0000,0000,0000,,to be an expert for NT4 this one requires of course not affecting NT4
Dialogue: 0,0:04:54.07,0:04:59.60,Default,,0000,0000,0000,,systems so due to the time uh slot we thought
Dialogue: 0,0:04:59.60,0:05:04.92,Default,,0000,0000,0000,,memes are the best way to to tell you those stories and we have a lot of them
Dialogue: 0,0:05:06.45,0:05:12.82,Default,,0000,0000,0000,,so in the first uh um section I tell you a little bit of how an attack works
Dialogue: 0,0:05:12.82,0:05:21.06,Default,,0000,0000,0000,,um there are a lot of different possibilities how you can describe and how to structure the how an attack works
Dialogue: 0,0:05:22.26,0:05:28.99,Default,,0000,0000,0000,,there's the MITRE ATT&CK framework for example there was for example a talk yesterday by Maker Salko
Dialogue: 0,0:05:28.99,0:05:34.85,Default,,0000,0000,0000,,um here on the stage there's the original cyber kill chain from from Lockheed Martin you have
Dialogue: 0,0:05:37.19,0:05:42.48,Default,,0000,0000,0000,,stuff from from companies like Mandiant and their targeted attack life cycle but
Dialogue: 0,0:05:42.48,0:05:47.55,Default,,0000,0000,0000,,that's all in my opinion too too fine-grained it's that's the reason I
Dialogue: 0,0:05:47.55,0:05:53.28,Default,,0000,0000,0000,,just take three simple steps yeah get a foothold in the door
Dialogue: 0,0:05:53.28,0:06:00.64,Default,,0000,0000,0000,,look move play around and cash out those three uh I will just go over
Dialogue: 0,0:06:03.14,0:06:07.84,Default,,0000,0000,0000,,so start with uh get a foot in the door so normally we
Dialogue: 0,0:06:07.84,0:06:14.76,Default,,0000,0000,0000,,see three ways how attackers can can get into the environment in the ransomware
Dialogue: 0,0:06:14.76,0:06:20.66,Default,,0000,0000,0000,,cases you have vulnerabilities in uh remote uh internet facing systems you
Dialogue: 0,0:06:20.66,0:06:25.88,Default,,0000,0000,0000,,have the remote services itself and you have malware
Dialogue: 0,0:06:26.71,0:06:35.51,Default,,0000,0000,0000,,starting with the with the the vulnerabilities and um I just looked uh up the last four
Dialogue: 0,0:06:35.51,0:06:42.06,Default,,0000,0000,0000,,years and maybe somebody remembers NetScaler the the so-called Citrix
Dialogue: 0,0:06:42.06,0:06:49.79,Default,,0000,0000,0000,,vulnerability in December 2019 um it was released mid of uh 2019 uh
Dialogue: 0,0:06:49.79,0:06:55.89,Default,,0000,0000,0000,,December 2019 the first POC publicly available POC was in beginning of
Dialogue: 0,0:06:55.89,0:07:03.29,Default,,0000,0000,0000,,January and the patch was available in middle of January so there was around one week to one and a half weeks between
Dialogue: 0,0:07:03.29,0:07:10.49,Default,,0000,0000,0000,,a public proof of concept for the vulnerability and uh patch for the vulnerability and what we saw
Dialogue: 0,0:07:10.49,0:07:17.19,Default,,0000,0000,0000,,during 2020 a lot of companies patched but the patch didn't remove the the
Dialogue: 0,0:07:17.19,0:07:25.47,Default,,0000,0000,0000,,compromise so they were already compromised and um yeah with it with the patch they
Dialogue: 0,0:07:25.47,0:07:31.11,Default,,0000,0000,0000,,didn't remove the compromise so what we found what we could provably
Dialogue: 0,0:07:31.11,0:07:36.18,Default,,0000,0000,0000,,see or prove evidence for uh was nine
Dialogue: 0,0:07:36.18,0:07:42.29,Default,,0000,0000,0000,,months uh customer was breached after nine months using this this vulnerability
Dialogue: 0,0:07:43.18,0:07:51.43,Default,,0000,0000,0000,,and we had other customers where we could see that the NetScaler was affected after two years but we couldn't
Dialogue: 0,0:07:51.43,0:08:00.07,Default,,0000,0000,0000,,prove that this this compromise was the reason for the actual ransomware case
Dialogue: 0,0:08:00.28,0:08:04.91,Default,,0000,0000,0000,,and of course such vulnerabilities happen not that often
Dialogue: 0,0:08:06.30,0:08:10.40,Default,,0000,0000,0000,,yeah so 2021 gave us uh Hafnium Exchange