[Script Info]
Title:
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:30.21,0:00:37.26,Default,,0000,0000,0000,,Hello and good evening on day two of the Chaos Communication Camp 2023 Translated by {Yang}{Li} (ITKST56 course assignment at JYU.FI)
Dialogue: 0,0:00:37.26,0:00:42.19,Default,,0000,0000,0000,,it's late in the evening this is Milliways stage in case you're wondering
Dialogue: 0,0:00:42.23,0:00:48.18,Default,,0000,0000,0000,,and the next talk is going to be about incident report responses
Dialogue: 0,0:00:48.48,0:00:59.52,Default,,0000,0000,0000,,so if you're curious about how to even get there to have an incident response how you could \Nprepare for an incident response and how you could support in your organization
Dialogue: 0,0:00:59.52,0:01:07.26,Default,,0000,0000,0000,,uh, the incident response team in doing the job and trying to fix whatever broke
Dialogue: 0,0:01:07.26,0:01:11.68,Default,,0000,0000,0000,,let's put it that way um we have the right talk for you
Dialogue: 0,0:01:11.68,0:01:17.35,Default,,0000,0000,0000,,this is stories from the life of an incident from incident responders Harry and Chris
Dialogue: 0,0:01:17.35,0:01:23.50,Default,,0000,0000,0000,,please a very warm round of applause [Applause]
Dialogue: 0,0:01:28.92,0:01:36.68,Default,,0000,0000,0000,,so, good evening and thank you for joining us today um we will tell you a little bit of our
Dialogue: 0,0:01:36.68,0:01:43.66,Default,,0000,0000,0000,,life as incident responders and I'm Chris I did my computer science
Dialogue: 0,0:01:43.66,0:01:48.78,Default,,0000,0000,0000,,studies at the University of Erlangen-Nuremberg I do this security stuff for
Dialogue: 0,0:01:48.78,0:01:55.39,Default,,0000,0000,0000,,over 10 years now so my CV is a little bit longer at the moment I'm a detection
Dialogue: 0,0:01:55.42,0:02:01.42,Default,,0000,0000,0000,,engineer before that I was a long time working in DFIR so digital forensic incident
Dialogue: 0,0:02:01.42,0:02:06.62,Default,,0000,0000,0000,,response in different organizations and
Dialogue: 0,0:02:07.41,0:02:12.39,Default,,0000,0000,0000,,yeah I'm Harry I studied electrical and computer engineering at RWTH
Dialogue: 0,0:02:12.40,0:02:18.16,Default,,0000,0000,0000,,University and I played a lot of CTF and did some hacking stuff at Chaos Computer Club RWTH
Dialogue: 0,0:02:18.16,0:02:24.52,Default,,0000,0000,0000,,during my masters I worked at X41 D-Sec doing pen testing patch analysis
Dialogue: 0,0:02:24.59,0:02:32.36,Default,,0000,0000,0000,,so I also have some kind of offensive security background on for around one year now I'm working at G DATA Advanced
Dialogue: 0,0:02:32.36,0:02:36.62,Default,,0000,0000,0000,,Analytics doing digital forensics and incident handling
Dialogue: 0,0:02:38.80,0:02:45.39,Default,,0000,0000,0000,,first Christian will give you a short introduction and then he will tell you how a classical ransomware attack looks
Dialogue: 0,0:02:45.39,0:02:51.97,Default,,0000,0000,0000,,like and in the second part of the talk I will tell you how the incident
Dialogue: 0,0:02:51.97,0:02:58.17,Default,,0000,0000,0000,,responders work and what you can do in advance to make it go as smooth as possible and support the incident
Dialogue: 0,0:02:58.17,0:03:05.35,Default,,0000,0000,0000,,response team so as Harry told you I will probably
Dialogue: 0,0:03:05.35,0:03:12.29,Default,,0000,0000,0000,,we'll talk about ransomware because the customers we usually have are small and
Dialogue: 0,0:03:12.29,0:03:17.54,Default,,0000,0000,0000,,medium-sized businesses universities and hospitals and those are regularly
Dialogue: 0,0:03:17.54,0:03:23.27,Default,,0000,0000,0000,,unfortunately regularly hit by um um
Dialogue: 0,0:03:24.17,0:03:29.56,Default,,0000,0000,0000,,ransomware gangs the main reason for this and that's if you heard the last
Dialogue: 0,0:03:29.56,0:03:35.96,Default,,0000,0000,0000,,talk um why they maybe not that responsive
Dialogue: 0,0:03:35.96,0:03:42.58,Default,,0000,0000,0000,,and are not so interested in they just lack the resources so the manpower to do
Dialogue: 0,0:03:42.58,0:03:48.42,Default,,0000,0000,0000,,uh proper security measurements to secure their systems especially in in erm
Dialogue: 0,0:03:48.42,0:03:53.62,Default,,0000,0000,0000,,situations where you are for example in a hospital have medical devices
Dialogue: 0,0:03:53.62,0:03:59.38,Default,,0000,0000,0000,,um which where you cannot simply install an AV on or even patch the system
Dialogue: 0,0:03:59.38,0:04:07.32,Default,,0000,0000,0000,,because you lose the certification as a medical device then but also in in
Dialogue: 0,0:04:07.32,0:04:12.95,Default,,0000,0000,0000,,companies manufacturing companies on the shop floor we're talking about systems\N
Dialogue: 0,0:04:12.95,0:04:21.29,Default,,0000,0000,0000,,that have run times of 25 plus years so if you look back now 2023
Dialogue: 0,0:04:21.29,0:04:26.82,Default,,0000,0000,0000,,we're talking about XP and older systems fun fact I was in a ransomware case and
Dialogue: 0,0:04:26.82,0:04:34.23,Default,,0000,0000,0000,,WannaCry in 2017 when I got a call from from a person from the shop floor
Dialogue: 0,0:04:34.23,0:04:38.00,Default,,0000,0000,0000,,asking me if we have an NT4 expert, um
Dialogue: 0,0:04:40.20,0:04:47.38,Default,,0000,0000,0000,,that can tell us if WannaCry is affecting NT4 of course you don't need
Dialogue: 0,0:04:47.38,0:04:54.71,Default,,0000,0000,0000,,to be an expert for NT4 this one requires of course not affecting NT4
Dialogue: 0,0:04:54.71,0:04:59.60,Default,,0000,0000,0000,,systems so due to the time uh slot we thought
Dialogue: 0,0:04:59.60,0:05:04.92,Default,,0000,0000,0000,,memes are the best way to to tell you those stories and we have a lot of them
Dialogue: 0,0:05:06.45,0:05:12.82,Default,,0000,0000,0000,,so in the first uh um section I tell you a little bit of how an attack works
Dialogue: 0,0:05:12.82,0:05:21.62,Default,,0000,0000,0000,,um there are a lot of different possibilities how you can describe and how to structure the how an attack works
Dialogue: 0,0:05:22.26,0:05:28.99,Default,,0000,0000,0000,,there's the MITRE ATT&CK framework for example there was for example a talk yesterday by Maker Salko
Dialogue: 0,0:05:28.99,0:05:34.85,Default,,0000,0000,0000,,um here on the stage there's the original cyber kill chain from from Lockheed Martin you have
Dialogue: 0,0:05:37.19,0:05:42.48,Default,,0000,0000,0000,,stuff from from companies like Mandiant and their targeted attack life cycle but
Dialogue: 0,0:05:42.48,0:05:47.55,Default,,0000,0000,0000,,that's all in my opinion too too fine-grained it's that's the reason I
Dialogue: 0,0:05:47.55,0:05:53.28,Default,,0000,0000,0000,,just take three simple steps yeah get a foothold in the door
Dialogue: 0,0:05:53.28,0:06:00.64,Default,,0000,0000,0000,,look move play around and cash out those three uh I will just go over
Dialogue: 0,0:06:03.14,0:06:07.84,Default,,0000,0000,0000,,so start with uh get a foot in the door so normally we
Dialogue: 0,0:06:07.84,0:06:14.76,Default,,0000,0000,0000,,see three ways how attackers can can get into the environment in the ransomware
Dialogue: 0,0:06:14.76,0:06:20.66,Default,,0000,0000,0000,,cases you have vulnerabilities in uh remote uh internet facing systems you
Dialogue: 0,0:06:20.66,0:06:25.88,Default,,0000,0000,0000,,have the remote services itself and you have malware
Dialogue: 0,0:06:26.71,0:06:35.51,Default,,0000,0000,0000,,starting with the with the the vulnerabilities and um I just looked uh up the last four
Dialogue: 0,0:06:35.51,0:06:42.60,Default,,0000,0000,0000,,years and maybe somebody remembers NetScaler the the so-called Citrix
Dialogue: 0,0:06:42.60,0:06:49.79,Default,,0000,0000,0000,,vulnerability in December 2019 um it was released mid of uh 2019 uh
Dialogue: 0,0:06:49.79,0:06:55.89,Default,,0000,0000,0000,,December 2019 the first POC publicly available POC was in beginning of
Dialogue: 0,0:06:55.89,0:07:03.29,Default,,0000,0000,0000,,January and the patch was available in middle of January so there was around one week to one and a half weeks between
Dialogue: 0,0:07:03.29,0:07:10.49,Default,,0000,0000,0000,,a public proof of concept for the vulnerability and uh patch for the vulnerability and what we saw
Dialogue: 0,0:07:10.49,0:07:17.19,Default,,0000,0000,0000,,during 2020 a lot of companies patched but the patch didn't remove the the
Dialogue: 0,0:07:17.19,0:07:25.47,Default,,0000,0000,0000,,compromise so they were already compromised and um yeah with it with the patch they
Dialogue: 0,0:07:25.47,0:07:31.11,Default,,0000,0000,0000,,didn't remove the compromise so what we found what we could provably
Dialogue: 0,0:07:31.11,0:07:36.18,Default,,0000,0000,0000,,see or prove evidence for uh was nine
Dialogue: 0,0:07:36.18,0:07:42.29,Default,,0000,0000,0000,,month uh customer was breached after nine months using this this vulnerability
Dialogue: 0,0:07:43.18,0:07:51.43,Default,,0000,0000,0000,,and we had other customers where we could see that the NetScaler was affected after two years but we couldn't
Dialogue: 0,0:07:51.43,0:08:00.73,Default,,0000,0000,0000,,prove that this this compromise was the reason for the actual ransomware case
Dialogue: 0,0:08:00.28,0:08:04.91,Default,,0000,0000,0000,,and of course such vulnerabilities happen not that often
Dialogue: 0,0:08:06.30,0:08:13.35,Default,,0000,0000,0000,,yeah so 2021 gave us uh Hafnium Exchange
Dialogue: 0,0:08:13.35,0:08:18.74,Default,,0000,0000,0000,,vulnerability also a similar situation the patch
Dialogue: 0,0:08:18.74,0:08:25.41,Default,,0000,0000,0000,,appeared as an out-of-band patch from Microsoft on a Tuesday evening 10 o'clock in German time
Dialogue: 0,0:08:26.48,0:08:32.53,Default,,0000,0000,0000,,we saw during our uh incidents or the the assessments we did that
Dialogue: 0,0:08:34.48,0:08:41.52,Default,,0000,0000,0000,,um the first exploit exploitation attempts were seen on Wednesday in the morning at
Dialogue: 0,0:08:41.52,0:08:50.31,Default,,0000,0000,0000,,5:00 am so around seven eight hours later um I know one guy who could patch
Dialogue: 0,0:08:50.31,0:08:56.69,Default,,0000,0000,0000,,because he was online when the patch was released otherwise Germany was unable to patch in
Dialogue: 0,0:08:56.69,0:09:04.15,Default,,0000,0000,0000,,time and of course we can go on with 2021 ProxyShell also
Dialogue: 0,0:09:04.15,0:09:10.39,Default,,0000,0000,0000,,Exchange vulnerability ProxyNotShell also Exchange vulnerability
Dialogue: 0,0:09:10.39,0:09:16.37,Default,,0000,0000,0000,,we have uh in 2022 VMware Horizon the the virtual desktop infrastructure
Dialogue: 0,0:09:16.37,0:09:23.63,Default,,0000,0000,0000,,from VMware just to name also open source stuff Zimbra a collaboration platform
Dialogue: 0,0:09:23.63,0:09:28.92,Default,,0000,0000,0000,,including an email server uh has had a vulnerability actually the vulnerability
Dialogue: 0,0:09:28.92,0:09:34.68,Default,,0000,0000,0000,,was in cpio from 2015 I think which led
Dialogue: 0,0:09:34.68,0:09:40.16,Default,,0000,0000,0000,,to a compromise using via email so you send an email
Dialogue: 0,0:09:40.16,0:09:48.39,Default,,0000,0000,0000,,with a cpio with a specially crafted archive file and you could drop a web
Dialogue: 0,0:09:48.39,0:09:55.95,Default,,0000,0000,0000,,shell in one of the directories yeah you have of course FortiOS which is a
Dialogue: 0,0:09:55.95,0:10:02.69,Default,,0000,0000,0000,,FortiGate VPN and firewall operating system
Dialogue: 0,0:10:03.22,0:10:08.25,Default,,0000,0000,0000,,and if you read the news we start at the beginning again
Dialogue: 0,0:10:08.25,0:10:15.12,Default,,0000,0000,0000,,NetScaler had some issues several weeks ago according to Fox-IT we have 1900
Dialogue: 0,0:10:15.12,0:10:21.54,Default,,0000,0000,0000,,still unpatched NetScalers worldwide how many patched
Dialogue: 0,0:10:22.39,0:10:27.74,Default,,0000,0000,0000,,NetScalers exist that um have not been checked for compromise we
Dialogue: 0,0:10:27.74,0:10:32.58,Default,,0000,0000,0000,,don't know of course so that will be a nice year probably
Dialogue: 0,0:10:33.73,0:10:41.56,Default,,0000,0000,0000,,um so what can you can you do against this kind of of attack vector patch your systems is one thing as you
Dialogue: 0,0:10:41.81,0:10:49.38,Default,,0000,0000,0000,,see this that doesn't lead to the the um or what you need to do afterwards in
Dialogue: 0,0:10:49.38,0:10:57.35,Default,,0000,0000,0000,,such cases you need to check your systems for possible compromise
Dialogue: 0,0:10:57.35,0:11:03.97,Default,,0000,0000,0000,,that is important to reduce this I highly suggest put your
Dialogue: 0,0:11:03.97,0:11:11.58,Default,,0000,0000,0000,,uh services behind some VPN so that only people who already have
Dialogue: 0,0:11:11.58,0:11:17.54,Default,,0000,0000,0000,,connection to the VPN um can access your services or the services
Dialogue: 0,0:11:17.54,0:11:22.65,Default,,0000,0000,0000,,they need and that would reduce the attack surface
Dialogue: 0,0:11:22.65,0:11:28.29,Default,,0000,0000,0000,,at least to the VPN server so but I
Dialogue: 0,0:11:28.29,0:11:33.00,Default,,0000,0000,0000,,of course we can also think about remote services without vulnerabilities
Dialogue: 0,0:11:34.66,0:11:41.59,Default,,0000,0000,0000,,um there can be configuration mistakes so the admin does something wrong there can
Dialogue: 0,0:11:41.59,0:11:50.34,Default,,0000,0000,0000,,be insecure default configurations like this um I don't know if you know it but the
Dialogue: 0,0:11:50.34,0:11:55.61,Default,,0000,0000,0000,,local admins or the administrators on the Windows system are are
Dialogue: 0,0:11:55.61,0:12:02.10,Default,,0000,0000,0000,,automatically in the remote desktop users group you know and so
Dialogue: 0,0:12:02.10,0:12:08.43,Default,,0000,0000,0000,,we had several cases especially in the beginning of the pandemic when everybody moved from uh to the home offices and
Dialogue: 0,0:12:08.43,0:12:15.54,Default,,0000,0000,0000,,they needed to put people fast in the position to to access their the assist
Dialogue: 0,0:12:15.54,0:12:22.12,Default,,0000,0000,0000,,the internal systems again they just put an RDP server on the internet and hope for the best
Dialogue: 0,0:12:25.14,0:12:29.77,Default,,0000,0000,0000,,um additionally if you put services on the internet of course brute forcing and
Dialogue: 0,0:12:29.77,0:12:35.95,Default,,0000,0000,0000,,credential uh stuffing are attacks that are possible so brute forcing just trying the the
Dialogue: 0,0:12:37.12,0:12:42.20,Default,,0000,0000,0000,,username and password combinations uh credential stuffing using already leaked
Dialogue: 0,0:12:42.20,0:12:47.64,Default,,0000,0000,0000,,passwords or credentials from leaks you find on the internet
Dialogue: 0,0:12:48.54,0:12:53.92,Default,,0000,0000,0000,,what you can do about this kind of of attack vector is uh just as I said use
Dialogue: 0,0:12:53.92,0:13:00.91,Default,,0000,0000,0000,,multi-factor authentication and reduce the attack surface as in the
Dialogue: 0,0:13:00.91,0:13:06.70,Default,,0000,0000,0000,,point with the vulnerabilities before by moving the services behind a VPN and
Dialogue: 0,0:13:06.70,0:13:09.69,Default,,0000,0000,0000,,then use multi-factor authentication on VPN of course
Dialogue: 0,0:13:12.79,0:13:18.14,Default,,0000,0000,0000,,the last vector that we see normally that the attackers can get in the
Dialogue: 0,0:13:18.14,0:13:23.89,Default,,0000,0000,0000,,network is malware we all know this about
Dialogue: 0,0:13:23.89,0:13:28.66,Default,,0000,0000,0000,,those funny emails you get with the attachments
Dialogue: 0,0:13:28.66,0:13:35.31,Default,,0000,0000,0000,,um include that have either Word documents
Dialogue: 0,0:13:35.31,0:13:41.76,Default,,0000,0000,0000,,attached either zip files with with Visual Basic scripts JavaScripts and
Dialogue: 0,0:13:41.76,0:13:47.34,Default,,0000,0000,0000,,what you can get ISOs you see a lot these days
Dialogue: 0,0:13:48.85,0:13:54.21,Default,,0000,0000,0000,,um or what you can also have that you can have just a link inside the email and
Dialogue: 0,0:13:54.21,0:14:01.90,Default,,0000,0000,0000,,you download the respective file from some some shady file sharing website
Dialogue: 0,0:14:03.38,0:14:09.44,Default,,0000,0000,0000,,um what we saw over the last year was uh USB sticks again funnily
Dialogue: 0,0:14:10.74,0:14:16.48,Default,,0000,0000,0000,,um I'm not sure if you have heard about Raspberry Robin which is a malware that
Dialogue: 0,0:14:16.48,0:14:26.43,Default,,0000,0000,0000,,worms via USB sticks um but I haven't seen it as a vector for
Dialogue: 0,0:14:27.23,0:14:31.78,Default,,0000,0000,0000,,ransomware yet on my own but there are people who said that it's
Dialogue: 0,0:14:33.22,0:14:37.77,Default,,0000,0000,0000,,an initial access broker for some of the ransomware gangs
Dialogue: 0,0:14:38.73,0:14:42.88,Default,,0000,0000,0000,,so what can you do about this if you think the
Dialogue: 0,0:14:45.17,0:14:53.42,Default,,0000,0000,0000,,you can of course ban simply some file extensions in your mail server or you
Dialogue: 0,0:14:53.72,0:15:00.95,Default,,0000,0000,0000,,change the file association types in your operating system meaning that you
Dialogue: 0,0:15:00.95,0:15:06.27,Default,,0000,0000,0000,,don't open the JavaScript and Visual Basic script files using for example the
Dialogue: 0,0:15:06.27,0:15:11.61,Default,,0000,0000,0000,,Windows Scripting Host but open it with Notepad and that will
Dialogue: 0,0:15:11.61,0:15:14.76,Default,,0000,0000,0000,,of course some people will be
Dialogue: 0,0:15:18.15,0:15:23.60,Default,,0000,0000,0000,,uh some people will think about what this this is then and ask the IT guys
Dialogue: 0,0:15:23.60,0:15:27.41,Default,,0000,0000,0000,,but it's better than running the the script itself
Dialogue: 0,0:15:28.26,0:15:35.11,Default,,0000,0000,0000,,one thing I I I don't like to to say it but keep your AV updated
Dialogue: 0,0:15:35.55,0:15:39.79,Default,,0000,0000,0000,,um uh this is one thing keep it updated and read the logs
Dialogue: 0,0:15:40.72,0:15:46.66,Default,,0000,0000,0000,,we see a lot of incidents where we see that the already
Dialogue: 0,0:15:46.54,0:15:51.71,Default,,0000,0000,0000,,days or weeks before we you can could have seen that there's something going
Dialogue: 0,0:15:51.71,0:15:59.61,Default,,0000,0000,0000,,on in your network yeah and if you see malware in your AV logs
Dialogue: 0,0:16:00.48,0:16:05.85,Default,,0000,0000,0000,,then react to it just check it you don't know how long this AV this malware has
Dialogue: 0,0:16:05.85,0:16:11.30,Default,,0000,0000,0000,,been on your system the thing is that
Dialogue: 0,0:16:11.30,0:16:16.79,Default,,0000,0000,0000,,just because your AV detected it now it might have been get received an
Dialogue: 0,0:16:16.79,0:16:22.29,Default,,0000,0000,0000,,update for its signatures and the malware was active for days or weeks
Dialogue: 0,0:16:22.29,0:16:27.60,Default,,0000,0000,0000,,before so when they are inside
Dialogue: 0,0:16:29.77,0:16:34.30,Default,,0000,0000,0000,,then they usually look move and play around a little bit
Dialogue: 0,0:16:36.20,0:16:41.42,Default,,0000,0000,0000,,so when they look around what they do
Dialogue: 0,0:16:41.42,0:16:47.61,Default,,0000,0000,0000,,is they they enumerate AD they do port scans the you they search for
Dialogue: 0,0:16:47.61,0:16:54.39,Default,,0000,0000,0000,,vulnerabilities they check uh what they how they can escalate
Dialogue: 0,0:16:54.39,0:16:59.83,Default,,0000,0000,0000,,their privileges they try to find credentials
Dialogue: 0,0:16:59.83,0:17:03.87,Default,,0000,0000,0000,,um Kerberoasting we heard in the talk before for example is this one thing
Dialogue: 0,0:17:07.89,0:17:11.70,Default,,0000,0000,0000,,um they try to identify accounts you around
Dialogue: 0,0:17:11.70,0:17:16.98,Default,,0000,0000,0000,,have running on your systems they can use they can get the credentials from and you reuse
Dialogue: 0,0:17:18.60,0:17:24.15,Default,,0000,0000,0000,,and for that reason one of the most important things I think is that you
Dialogue: 0,0:17:24.15,0:17:33.25,Default,,0000,0000,0000,,have a principle of least privileges in your environment so only what an account needs
Dialogue: 0,0:17:33.36,0:17:38.38,Default,,0000,0000,0000,,you should be able to do you should use dedicated service
Dialogue: 0,0:17:38.38,0:17:43.66,Default,,0000,0000,0000,,accounts for your services of course and just for your information
Dialogue: 0,0:17:44.40,0:17:50.47,Default,,0000,0000,0000,,um service account is not an account that has a SVC underscore in front of it
Dialogue: 0,0:17:50.30,0:17:56.88,Default,,0000,0000,0000,,and is otherwise a normal user account um there exist dedicated service
Dialogue: 0,0:17:56.93,0:18:01.45,Default,,0000,0000,0000,,accounts in Windows environments so use them use strong passwords I still
Dialogue: 0,0:18:01.47,0:18:06.42,Default,,0000,0000,0000,,I today I can I know companies who still use eight
Dialogue: 0,0:18:06.42,0:18:13.34,Default,,0000,0000,0000,,character long passwords um I think that's 20 minutes on a decent
Dialogue: 0,0:18:13.34,0:18:18.67,Default,,0000,0000,0000,,graphics card today so use strong passwords length matters
Dialogue: 0,0:18:19.66,0:18:25.46,Default,,0000,0000,0000,,12 plus characters is the minimum in my opinion
Dialogue: 0,0:18:26.62,0:18:31.17,Default,,0000,0000,0000,,and don't reuse passwords especially on your
Dialogue: 0,0:18:31.62,0:18:42.33,Default,,0000,0000,0000,,systems the local administrator especially in small and medium-sized businesses you see a lot that people use
Dialogue: 0,0:18:42.33,0:18:47.14,Default,,0000,0000,0000,,the same password for all local administrators so if I have it on one
Dialogue: 0,0:18:47.14,0:18:51.39,Default,,0000,0000,0000,,system I have the whole company don't reuse it
Dialogue: 0,0:18:56.90,0:19:00.90,Default,,0000,0000,0000,,um yeah [Audience laughter]
Dialogue: 0,0:19:04.55,0:19:12.50,Default,,0000,0000,0000,,so when they they move around in your network using either a password hashes they found valid credentials they they
Dialogue: 0,0:19:12.50,0:19:18.53,Default,,0000,0000,0000,,discovered somewhere vulnerabilities are also used to to move around in your
Dialogue: 0,0:19:18.53,0:19:22.92,Default,,0000,0000,0000,,environment they try to to establish persistence mechanisms here we heard
Dialogue: 0,0:19:22.92,0:19:28.58,Default,,0000,0000,0000,,also in the talk before about the C2 channels command and control channels they use
Dialogue: 0,0:19:28.62,0:19:36.13,Default,,0000,0000,0000,,um they install in some cases directly AnyDesk TeamViewer and or other remote
Dialogue: 0,0:19:36.13,0:19:43.57,Default,,0000,0000,0000,,control software or sometimes they also use tunneling softwares like ngrok or recently they
Dialogue: 0,0:19:43.57,0:19:49.74,Default,,0000,0000,0000,,started using cloudflared um and this is what you need to do is
Dialogue: 0,0:19:49.74,0:19:55.91,Default,,0000,0000,0000,,prop have a proper network segmentation and with the proper network segmentation I don't talk about subnetting
Dialogue: 0,0:19:57.49,0:20:04.30,Default,,0000,0000,0000,,subnetting means you just have different subnets you need to have a firewall between them
Dialogue: 0,0:20:04.30,0:20:08.14,Default,,0000,0000,0000,,and you have need to have rules between them that
Dialogue: 0,0:20:09.89,0:20:16.82,Default,,0000,0000,0000,,restrict access between your your subnets and one thing is especially important
Dialogue: 0,0:20:17.88,0:20:24.71,Default,,0000,0000,0000,,please keep or use network segmentation to
Dialogue: 0,0:20:24.71,0:20:30.22,Default,,0000,0000,0000,,restrict the access to your backup and your management systems as far as
Dialogue: 0,0:20:30.22,0:20:36.20,Default,,0000,0000,0000,,possible we see a lot especially as I said in the small and medium-sized businesses or in
Dialogue: 0,0:20:36.20,0:20:40.18,Default,,0000,0000,0000,,the other organizations we we have as customers that
Dialogue: 0,0:20:42.45,0:20:46.87,Default,,0000,0000,0000,,yeah they have they tell us in in workshops yeah we have
Dialogue: 0,0:20:46.87,0:20:54.33,Default,,0000,0000,0000,,a network segmentation every building is one segment and on the question yeah you
Dialogue: 0,0:20:54.33,0:20:59.60,Default,,0000,0000,0000,,can move between in a segment you can access everything yes you can and
Dialogue: 0,0:21:00.42,0:21:05.91,Default,,0000,0000,0000,,between the the buildings you can have also a firewall and you cannot access
Dialogue: 0,0:21:05.91,0:21:11.93,Default,,0000,0000,0000,,anything no you can access everything and also your your uh VMware management
Dialogue: 0,0:21:11.93,0:21:17.42,Default,,0000,0000,0000,,console oh yes yes we can so everybody can access it yes of course and that
Dialogue: 0,0:21:17.46,0:21:21.76,Default,,0000,0000,0000,,doesn't work so
Dialogue: 0,0:21:26.91,0:21:30.26,Default,,0000,0000,0000,,um when they play around they normally try
Dialogue: 0,0:21:30.26,0:21:38.29,Default,,0000,0000,0000,,to to gain more privileges so privilege escalation is assisting local privilege escalations normally but also using
Dialogue: 0,0:21:38.29,0:21:43.44,Default,,0000,0000,0000,,vulnerabilities um or misconfigurations insecure default
Dialogue: 0,0:21:43.44,0:21:48.98,Default,,0000,0000,0000,,configurations um my personal favorites are Group
Dialogue: 0,0:21:48.98,0:21:53.21,Default,,0000,0000,0000,,Policy Preferences or passwords in Group Policy Preferences
Dialogue: 0,0:21:54.69,0:22:01.89,Default,,0000,0000,0000,,this is no longer possible since I think 2014 to put passwords in Group Policy
Dialogue: 0,0:22:01.89,0:22:07.99,Default,,0000,0000,0000,,Preferences however if you had your password stored in those preferences
Dialogue: 0,0:22:07.99,0:22:16.16,Default,,0000,0000,0000,,before the patch in 2015 2014 then they're still there and yeah they
Dialogue: 0,0:22:16.16,0:22:20.93,Default,,0000,0000,0000,,are AES encrypted but the encryption key is on the Microsoft website
Dialogue: 0,0:22:21.78,0:22:26.66,Default,,0000,0000,0000,,so you can just download it and just take it and decrypt the keys
Dialogue: 0,0:22:28.83,0:22:33.48,Default,,0000,0000,0000,,um then during that phase they also try to disable your security measures
Dialogue: 0,0:22:34.91,0:22:41.52,Default,,0000,0000,0000,,the thing you can do is of course patch your system so you know try to get your
Dialogue: 0,0:22:41.52,0:22:46.66,Default,,0000,0000,0000,,vulnerabilities out of of this equation can try to configure your systems in a
Dialogue: 0,0:22:46.66,0:22:52.58,Default,,0000,0000,0000,,secure way this is not always possible due to some shitty uh third-party software
Dialogue: 0,0:22:52.90,0:22:58.78,Default,,0000,0000,0000,,and keep your AV um updated and please please as I said
Dialogue: 0,0:22:58.78,0:23:02.89,Default,,0000,0000,0000,,already check the logs and act accordingly
Dialogue: 0,0:23:05.51,0:23:09.74,Default,,0000,0000,0000,,so in the last phase they cash out that's when when they
Dialogue: 0,0:23:10.71,0:23:16.88,Default,,0000,0000,0000,,start using a uh being your backup service so they copy
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,data from your your environment using um