[Translated by Yang Li (ITKST56 course assignment at JYU.FI)]

0:00:30.206 Hello and good evening on day two of the Chaos Communication Camp 2023. It's late in the evening, this is the Milliways stage in case you're wondering, and the next talk is going to be about incident report responses. So if you're curious about how to even get there to have an incident response, how you could prepare for an incident response and how you could support the incident response team in your organization in doing the job and trying to fix whatever broke, let's put it that way, we have the right talk for you. This is "Stories from the life of incident responders", from Harry and Chris. Please, a very warm round of applause. [Applause]

0:01:28.925 So, good evening and thank you for joining us today. We will tell you a little bit of our life as incident responders. I'm Chris, I did my computer science studies at the University of Erlangen-Nuremberg. I have been doing this security stuff for over 10 years now, so my CV is a little bit longer. At the moment I'm a detection engineer; before that I was working for a long time in DFIR, so digital forensics and incident response, in different organizations.

0:02:07.411 Yeah, I'm Harry. I studied electrical and computer engineering at RWTH University, and I played a lot of CTF and did some hacking stuff at the Chaos Computer Club RWTH. During my master's I worked at X41 D-Sec doing pen testing and patch analysis, so I also have some kind of offensive security background. For around one year now I'm working at G DATA Advanced Analytics doing digital forensics and incident handling.

0:02:38.800 First Christian will give you a short introduction and then he will tell you how a classical ransomware attack looks like, and in the second part of the talk I will tell you how the incident responders work and what you can do in advance to make it go as smoothly as possible and support the incident response team.

0:03:05.350 So as Harry told you, I will talk about ransomware, because the customers we usually have are small and medium-sized businesses, universities and hospitals, and those are regularly, unfortunately regularly, hit by ransomware gangs. The main reason for this, and that's if you heard the last talk, why they are maybe not that responsive and are not so interested: they just lack the resources, so the manpower, to do proper security measures to secure their systems. Especially in situations where you, for example in a hospital, have medical devices where you cannot simply install an AV or even patch the system, because you lose the certification as a medical device then. But also in companies, manufacturing companies, on the shop floor we're talking about systems that have run times of 25 plus years, so if you look back now from 2023 we're talking about XP and older systems. Fun fact: I was in a ransomware case, WannaCry in 2017, when I got a call from a person from the shop floor asking me if we have an NT4 expert that can tell us if WannaCry is affecting NT4. Of course you don't need to be an NT4 expert, this one is of course not affecting NT4 systems.

0:04:54.710 So due to the time slot we thought memes are the best way to tell you those stories, and we have a lot of them.

0:05:06.453 So in the first section I tell you a little bit of how an attack works. There are a lot of different possibilities how you can describe and how to structure how an attack works. There's the MITRE ATT&CK framework for example; there was for example a talk yesterday by Maker Salko here on the stage. There's the original cyber kill chain from Lockheed Martin, you have stuff from companies like Mandiant and their targeted attack lifecycle, but that's all, in my opinion, too fine-grained. That's the reason I just take three simple steps: get a foot in the door; look, move and play around; and cash out. Those three I will just go over.

0:06:03.141 So start with "get a foot in the door". Normally we see three ways how attackers can get into the environment in the ransomware cases: you have vulnerabilities in remote, internet-facing systems, you have the remote services itself, and you have malware.

0:06:26.712 Starting with the vulnerabilities. I just looked up the last four years, and maybe somebody remembers NetScaler, the so-called Citrix vulnerability in December 2019. It was released mid December 2019, the first publicly available POC was in the beginning of January, and the patch was available in the middle of January, so there was around one week to one and a half weeks between a public proof of concept for the vulnerability and a patch for the vulnerability. And what we saw during 2020: a lot of companies patched, but the patch didn't remove the compromise, so they were already compromised, and with the patch they didn't remove the compromise. So what we found, what we could provably see or had proof evidence for, was nine months: a customer was breached after nine months using this vulnerability. And we had other customers where we could see that the NetScaler was affected after two years, but we couldn't prove that this compromise was the reason for the actual ransomware case. And of course such vulnerabilities happen not that often.

0:08:06.295 Yeah, so 2021 gave us Hafnium, the Exchange vulnerability, also a similar situation. The patch appeared as an out-of-band patch from Microsoft on a Tuesday evening at 10 o'clock German time. We saw during our incidents, or the assessments we did, that the first exploitation attempts were seen on Wednesday in the morning at 5:00 am, so around seven, eight hours later. I know one guy who could patch because he was online when the patch was released, otherwise Germany was unable to patch in time. And of course we can go on with 2021: ProxyShell, also an Exchange vulnerability; ProxyNotShell, also an Exchange vulnerability. We have in 2022 VMware Horizon, the virtual desktop infrastructure from VMware. Just to name also open source stuff: Zimbra, a collaboration platform including an email server, has had a vulnerability. Actually the vulnerability was in cpio, from 2015 I think, which led to a compromise via email: you send an email with a cpio, with a specially crafted archive file, and you could drop a web shell in one of the directories. Yeah, you have of course FortiOS, which is the Fortigate VPN and firewall operating system. And if you read the news, we start at the beginning again: NetScaler had some issues several weeks ago. According to Fox-IT we have 1900 still unpatched NetScalers worldwide. How many patched NetScalers exist that have not been checked for compromise we don't know, of course, so that will be a nice year probably.

0:10:33.728 So what can you do against this kind of attack vector? Patch your systems is one thing, but as you see, that is not enough: what you need to do afterwards in such cases is check your systems for possible compromise. That is important. To reduce this I highly suggest: put your services behind some VPN, so that only people who already have a connection to the VPN can access your services, or the services they need, and that would reduce the attack surface at least to the VPN server.

0:11:28.289 But of course we can also think about remote services without vulnerabilities. There can be configuration mistakes, so the admin does something wrong, and there can be insecure default configurations like this: I don't know if you know it, but the local admins, or the administrators on the Windows system, are automatically in the Remote Desktop Users group. And so we had several cases, especially in the beginning of the pandemic when everybody moved to the home offices and they needed to put people fast in the position to access the internal systems again: they just put an RDP server on the internet and hoped for the best. Additionally, if you put services on the internet, of course brute forcing and credential stuffing are attacks that are possible. Brute forcing is just trying username and password combinations; credential stuffing is using already leaked passwords or credentials from leaks you find on the internet. What you can do about this kind of attack vector is, as I said, use multi-factor authentication and reduce the attack surface, as in the point with the vulnerabilities before, by moving the services behind a VPN, and then use multi-factor authentication on the VPN of course.

0:13:12.791 The last vector that we see normally, that the attackers can use to get into the network, is malware. We all know this, about those funny emails you get with the attachments, that have either Word documents attached, or zip files with Visual Basic scripts, JavaScripts and what you can get; ISOs you see a lot these days. Or what you can also have is that you just have a link inside the email and you download the respective file from some shady file sharing website. What we saw over the last year was, funnily, USB sticks again. I'm not sure if you have heard about Raspberry Robin, which is a malware that worms via USB sticks, but I haven't seen it as a vector for ransomware yet on my own, but there are people who said that it's an initial access broker for some of the ransomware gangs.

0:14:38.734 So what can you do about this? You can of course simply ban some file extensions in your mail server, or you change the file association types in your operating system, meaning that you don't open the JavaScript and Visual Basic script files using for example the Windows Script Host, but open them with Notepad. And that will of course... some people will think about what this is then and ask the IT guys, but it's better than running the script itself. One thing, I don't like to say it, but keep your AV updated. This is one thing: keep it updated and read the logs. We see a lot of incidents where we see that already days or weeks before you could have seen that there's something going on in your network. Yeah, and if you see malware in your AV logs, then react to it, just check it. You don't know how long this malware has been on your system. The thing is that just because your AV detected it now, it might have received an update for its signatures and the malware was active for days or weeks before.

0:16:29.770 So when they are inside, then they usually look, move and play around a little bit.

0:16:36.200 So when they look around, what they do is they enumerate AD, they do port scans, they search for vulnerabilities, they check how they can escalate their privileges, they try to find credentials. Kerberoasting, which we heard about in the talk before, for example, is one thing. They try to identify accounts you have running on your systems that they can use, that they can get the credentials from and reuse. And for that reason one of the most important things, I think, is that you have a principle of least privilege in your environment, so only what an account needs it should be able to do. You should use dedicated service accounts for your services of course, and just for your information: a service account is not an account that has an SVC underscore in front of it and is otherwise a normal user account. There exist dedicated service accounts in Windows environments, so use them. Use strong passwords. Today I still know companies who still use eight character long passwords. I think that's 20 minutes on a decent graphics card today, so use strong passwords, length matters, 12 plus characters is the minimum in my opinion. And don't reuse passwords, especially on your systems for the local administrator. Especially in small and medium-sized businesses you see a lot that people use the same password for all local administrators, so if I have it on one system I have the whole company. Don't reuse it. Um, yeah. [Audience laughs]

0:19:04.550 So when they move around in your network, they use either password hashes they found or valid credentials they discovered somewhere; vulnerabilities are also used to move around in your environment. They try to establish persistence mechanisms; here we heard also in the talk before about the C2 channels, command and control channels they use. They install in some cases directly AnyDesk, TeamViewer or other remote control software, or sometimes they also use tunneling software like ngrok, or recently they started using cloudflared. And what you need to do is have a proper network segmentation, and with proper network segmentation I don't talk about subnetting. Subnetting means you just have different subnets; you need to have a firewall between them and you need to have rules between them that restrict access between your subnets. And one thing is especially important: please keep or use network segmentation to restrict the access to your backup and your management systems as far as possible. We see a lot, especially as I said in the small and medium-sized businesses or in the other organizations we have as customers, that they tell us in workshops: "Yeah, we have a network segmentation, every building is one segment." And on the question: "In a segment you can access everything?" "Yes, you can." "And between the buildings you also have a firewall and you cannot access anything?" "No, you can access everything." "And also your VMware management console?" "Oh yes, yes we can." "So everybody can access it?" "Yes, of course." And that doesn't work.

0:21:26.913 So when they play around, they normally try to gain more privileges, so privilege escalation. That's local privilege escalations normally, but also using vulnerabilities or misconfigurations, insecure default configurations. My personal favorites are Group Policy Preferences, or passwords in Group Policy Preferences. This is no longer possible since, I think, 2014, to put passwords in Group Policy Preferences. However, if you had your password stored in those preferences before the patch in 2015, 2014, then they're still there, and yeah, they are AES encrypted, but the encryption key is on the Microsoft website, so you can just download it and just take it and decrypt the keys. Then during that phase they also try to disable your security measures. The thing you can do is of course patch your systems, so try to get your vulnerabilities out of this equation. You can try to configure your systems in a secure way; this is not always possible due to some shitty third-party software. And keep your AV updated, and please, please, as I said already, check the logs and act accordingly.

0:23:05.511 So in the last phase they cash out. That's when they start being your backup service, so they copy data from your environment using file sharing platforms, for example Mega, and WeTransfer was once the thing. We had already every other file sharing platform you can think about as a possible way to exfiltrate data. They also use their C2 communication channels, so sometimes they also just use the possibilities in AnyDesk or in RDP clients, or they use file transfer protocols like SFTP. We saw for example in one case that they tried to install FileZilla on every machine they had access to, because on the first one it didn't work, on the second it didn't work, on the third it didn't work, because SFTP was blocked outgoing. And that is one of the things you can do to prevent exfiltration: block at least protocols you know that you don't need in your environment, and proper network segmentation of course is a general thing.

0:24:39.024 So in the last step, that's when they start the encryption. They're running the ransomware; normally they have domain admin at that point, so they can run it on all domain connected systems. They can also disable, of course when they are domain admin, they can disable the AV before they start to run the ransomware. Ransomware today disables services like databases and such things so that they have the full power of the machine for the encryption. If you get lucky, not everything works perfectly, because they use group names and Windows is especially picky when you have a non-English Windows installed. For example in Germany the group "Everyone" is called "Jeder", and we had cases where the ransomware didn't really work that well because they couldn't change the permissions of the files first.

0:25:53.436 They use different encryption schemas. Normally they come with the asymmetric and the symmetric encryption type. The asymmetric, or public key cryptography: the public key comes with the ransomware and is used to encrypt the symmetric keys they generate in your environment. Depending on the ransomware, they generate one key for each system or even one key for each file; it depends a little bit on the ransomware how it works, but that's the usual thing they use. I would never count on the fact that there are possibly, maybe, there could be decryptable things. In my opinion, in my world, the ransomware gangs have learned and use the standard Microsoft Windows or some other publicly available libraries to do the encryption. They execute it by remote tools like PsExec, PowerShell, or some use GPOs, group policies, to execute the ransomware on every machine they connected to the domain. And what can you do about this? It's hard, but the most important thing is: have online backups... offline backups, sorry, thanks. You see, online backups are great but not that great; offline backups are the most important thing. So don't have it connected to your environment; the USB disk on the system is not an offline backup.

0:27:55.594 In my opinion, if you see that something is still encrypting, I'm always hesitant to say "shut down the system", because you can break the encryption, and maybe the file that is currently under encryption, or the files, will never be decryptable if you want to buy a decrypter or gather the cryptos through some discussions with the ransomware guys. If it's a VM, just suspend it and that's it. And if everything is already encrypted: keep cool and call your incident responder.

0:28:51.306 So now let's talk about incident response. What happens when it's already too late and what can you do to support your incident response team? At first, the things I'll say in this chapter are for our company and how we work, so other companies might work a little bit differently than that. First, for some reason incidents always come on Friday afternoon. So some customers think it is a good idea to try to solve a case by themselves, maybe until the end of the week, and if they didn't solve it until the end of the week they call the incident response team. Please don't do that. It doesn't help your company and it doesn't make your incident response team happy to have to work on the weekend. And in addition, the longer you wait with calling the incident response team, the longer the incident response will take and the more complicated forensics will be, because you have log retention times; while trying to do stuff by yourself, maybe you modify some of the systems and it becomes much harder to do precise forensics. So what happens on our side when such a