Hello and good evening on day two of the Chaos Communication Camp 2023. It's late in the evening. This is the Milliways stage, in case you're wondering, and the next talk is going to be about incident response. So if you're curious about how to even get there, to have an incident response, how you could prepare for an incident response, and how you could support, in your organization, the incident response team in doing the job and trying to fix whatever broke, let's put it that way, we have the right talk for you. This is "Stories from the life of incident responders", from Harry and Chris. Please, a very warm round of applause.

[Applause]

So, good evening and thank you for joining us today. We will tell you a little bit of our life as incident responders. I'm Chris. I did my computer science studies at the University of Erlangen-Nuremberg. I have been doing this security stuff for over 10 years now, so my CV is a little bit longer. At the moment I'm a detection engineer; before that I was working for a long time in DFIR, so digital forensics and incident response, in different organizations.

And I'm Harry. I studied electrical and computer engineering at RWTH University, and I played a lot of CTF and did some hacking stuff at Chaos Computer Club RWTH. During my master's I worked at X41 D-Sec doing pen testing and patch analysis, so I also have some kind of offensive security background. For around one year now I'm working at G DATA Advanced Analytics doing digital forensics and incident handling. First Christian will give you a short introduction, and then he will tell you how a classical ransomware attack looks. In the second part of the talk I will tell you how the incident responders work and what you can do in advance to make it go as smooth as possible and support the incident response team.

So as Harry told you, I will talk about ransomware, because the customers we usually have are small and medium-sized businesses, universities and hospitals, and those are regularly, unfortunately regularly, hit by ransomware gangs. The main reason for this, and if you heard the last talk, why they are maybe not that responsive and not so interested: they just lack the resources, so the manpower, to do proper security measures to secure their systems. Especially in situations where you are, for example, in a hospital and have medical devices on which you cannot simply install an AV or even patch the system, because you lose the certification as a medical device then. But also in companies, manufacturing companies, on the shop floor we're talking about systems that have run times of 25 plus years. So if you look back now from 2023, we're talking about XP and older systems. Fun fact: I was in a ransomware case with WannaCry in 2017 when I got a call from a person from the shop floor asking me if we have an NT4 expert that can tell us if WannaCry is affecting NT4. Of course you don't need to be an expert for NT4 for this one; it is of course not affecting NT4 systems.

Due to the time slot we thought memes are the best way to tell you those stories, and we have a lot of them. So in the first section I tell you a little bit of how an attack works. There are a lot of different possibilities how you can describe and how to structure how an attack works. There's the MITRE ATT&CK framework, for example; there was a talk yesterday by Maker Salko here on the stage; there's the original cyber kill chain from Lockheed Martin; you have stuff from companies like Mandiant and their targeted attack life cycle. But that's all, in my opinion, too fine-grained; that's the reason I just take three simple steps: get a foot in the door, look, move, play around, and cash out. Those three I will just go over.

So start with: get a foot in the door. Normally we see three ways how attackers can get into the environment in the ransomware cases: you have vulnerabilities in remote, internet-facing systems, you have the remote services itself, and you have malware. Starting with the vulnerabilities: I just looked up the last four years, and maybe somebody remembers Netscaler, the so-called Citrix vulnerability in December 2019. It was released in December 2019, the first publicly available POC was in the beginning of January, and the patch was available in the middle of January. So there was around one week to one and a half weeks between a public proof of concept for the vulnerability and a patch for the vulnerability. And what we saw during 2020: a lot of companies patched, but the patch didn't remove the compromise. So they were already compromised, and with the patch they didn't remove the compromise. What we could provably see, or prove with evidence, was a customer that was breached after nine months using this vulnerability, and we had other customers where we could see that the Netscaler was affected after two years, but we couldn't prove that this compromise was the reason for the actual ransomware case. And of course such vulnerabilities don't happen that often. Yeah, so 2021 gave us Hafnium, Exchange