[Translated by {Yang}{Li} (ITKST56 course assignment at JYU.FI)]

Hello and good evening on day two of the Chaos Communication Camp 2023. It's late in the evening; this is the Milliways stage, in case you're wondering, and the next talk is going to be about incident response.

So if you're curious about how to even get there to have an incident response, how you could prepare for an incident response, and how you could support the incident response team in your organization in doing the job and trying to fix whatever broke, let's put it that way, we have the right talk for you. This is stories from the life of an incident, from incident responders Harry and Chris. Please, a very warm round of applause. [Applause]

So, good evening and thank you for joining us today. We will tell you a little bit about our life as incident responders. I'm Chris. I did my computer science studies at the University of Erlangen-Nuremberg. I have done this security stuff for over 10 years now, so my CV is a little bit longer. At the moment I'm a detection engineer; before that I was working for a long time in DFIR, so digital forensics and incident response, in different organizations.

Yeah, I'm Harry. I studied electrical and computer engineering at RWTH, and I played a lot of CTF and did some hacking stuff at the Chaos Computer Club RWTH. During my master's I worked at X41 D-Sec doing pen testing and patch analysis, so I also have some kind of offensive security background. For around one year now I'm working at G DATA Advanced Analytics doing digital forensics and incident handling.

First Christian will give you a short introduction and then he will tell you how a classical ransomware attack looks like, and in the second part of the talk I will tell you how the incident responders work and what you can do in advance to make it go as smoothly as possible and support the incident response team.

So, as Harry told you, I will talk about ransomware, because the customers we usually have are small and medium-sized businesses, universities and hospitals, and those are regularly, unfortunately regularly, hit by ransomware gangs. The main reason for this, and that's if you heard the last talk, why they are maybe not that responsive and not so interested: they just lack the resources, so the manpower, to do proper security measures to secure their systems. Especially in situations where you are, for example, in a hospital and have medical devices where you cannot simply install an AV or even patch the system, because you lose the certification as a medical device then. But also in manufacturing companies on the shop floor we're talking about systems that have run times of 25 plus years, so if you look back now from 2023, we're talking about XP and older systems. Fun fact: I was in a ransomware case, WannaCry in 2017, when I got a call from a person from the shop floor asking me if we have an NT4 expert that can tell us if WannaCry is affecting NT4. Of course you don't need to be an NT4 expert to know that this one is not affecting NT4 systems.

So due to the time slot we thought memes are the best way to tell you those stories, and we have a lot of them.

So in the first section I tell you a little bit about how an attack works. There are a lot of different possibilities how you can describe and how to structure how an attack works: there's the MITRE ATT&CK framework, for example; there was for example a talk yesterday by Maker Salko here on this stage. There's the original Cyber Kill Chain from Lockheed Martin, you have stuff from companies like Mandiant and their targeted attack lifecycle, but that's all, in my opinion, too fine-grained. That's the reason I just take three simple steps: get a foot in the door; look, move and play around; and cash out. Those three I will just go over.

So start with: get a foot in the door. Normally we see three ways how attackers can get into the environment in the ransomware cases: you have vulnerabilities in internet-facing remote systems, you have the remote services themselves, and you have malware.

Starting with the vulnerabilities. I just looked up the last four years, and maybe somebody remembers NetScaler, the so-called Citrix vulnerability in December 2019. It was released in December 2019, the first publicly available POC was at the beginning of January, and the patch was available in the middle of January, so there was around one week to one and a half weeks between a public proof of concept for the vulnerability and a patch for the vulnerability. And what we saw during 2020: a lot of companies patched, but the patch didn't remove the compromise, so they were already compromised, and with the patch they didn't remove the compromise. What we could provably see, or find evidence for, was that a customer was breached nine months later using this vulnerability, and we had other customers where we could see that the NetScaler was affected after two years, but we couldn't prove that this compromise was the reason for the actual ransomware case. And of course such vulnerabilities happen not that often.

Yeah, so 2021 gave us Hafnium, an Exchange vulnerability, also a similar situation. The patch appeared as an out-of-band patch from Microsoft on a Tuesday evening at 10 o'clock German time. We saw during our incidents, or the assessments we did, that the first exploitation attempts were seen on Wednesday in the morning at 5:00 am, so around seven, eight hours later. I know one guy who could patch because he was online when the patch was released; otherwise Germany was unable to patch in time. And of course we can go on with 2021: ProxyShell, also an Exchange vulnerability; ProxyNotShell, also an Exchange vulnerability. We have in 2022 VMware Horizon, the virtual desktop infrastructure from VMware. Just to name also open source stuff: Zimbra, a collaboration platform including an email server, had a vulnerability. Actually the vulnerability was in cpio, from 2015 I think, which led to a compromise via email, so you send an email with a specially crafted cpio archive file and you could drop a web shell in one of the directories. Yeah, you have of course FortiOS, which is the FortiGate VPN and firewall operating system, and if you read the news we start at the beginning again: NetScaler had some issues several weeks ago. According to Fox-IT we have 1900 still unpatched NetScalers worldwide; how many patched NetScalers exist that have not been checked for compromise we don't know, of course. So that will be a nice year, probably.

So what can you do against this kind of attack vector? Patch your systems is one thing. As you see, that doesn't lead to the... or, what you need to do afterwards in such cases: you need to check your systems for possible compromise, that is important. To reduce this, I highly suggest: put your services behind some VPN, so that only people who already have a connection to the VPN can access your services, or the services they need, and that would reduce the attack surface at least to the VPN server.

But of course we can also think about remote services without vulnerabilities. There can be configuration mistakes, so the admin does something wrong; there can be insecure default configurations. Like this one: I don't know if you know it, but the local admins, or the administrators on the Windows system, are automatically in the Remote Desktop Users group, you know. And so we had several cases, especially in the beginning of the pandemic when everybody moved to the home offices and they needed to put people fast in the position to access the internal systems again: they just put an RDP server on the internet and hoped for the best. Additionally, if you put services on the internet, of course brute forcing and credential stuffing are attacks that are possible. So brute forcing is just trying username and password combinations; credential stuffing is using already leaked passwords or credentials from leaks you find on the internet. What you can do about this kind of attack vector is, just as I said: use multi-factor authentication, and reduce the attack surface, as in the point with the vulnerabilities before, by moving the services behind a VPN and then using multi-factor authentication on the VPN, of course.

The last vector that we see normally, that the attackers can get into the network, is malware. We all know this about those funny emails you get with the attachments that have either Word documents attached, or zip files with Visual Basic scripts, JavaScripts and whatnot; you get ISOs, you see a lot these days. Or what you can also have: you can have just a link inside the email and you download the respective file from some shady file sharing website. What we saw over the last year was, funnily, USB sticks again. I'm not sure if you have heard about Raspberry Robin, which is a malware that worms via USB sticks, but I haven't seen it as a vector for ransomware yet on my own, but there are people who said that it's an initial access broker for some of the ransomware gangs.

So what can you do about this? You can of course simply ban some file extensions in your mail server, or you change the file association types in your operating system, meaning that you don't open the JavaScript and Visual Basic script files using, for example, the Windows Scripting Host, but open them with Notepad. And that will... of course some people will think about what this is then and ask the IT guys, but it's better than running the script itself. One thing, I don't like to say it, but keep your AV updated. This is one thing: keep it updated, and read the logs. We see a lot of incidents where we see that already days or weeks before you could have seen that there's something going on in your network. Yeah, and if you see malware in your AV logs then react to it, just check it; you don't know how long this malware has been on your system. The thing is that just because your AV detected it now, it might have received an update for its signatures and the malware was active for days or weeks before.

So when they are inside, then they usually look, move and play around a little bit. So when they look around, what they do is they enumerate AD, they do port scans, they search for vulnerabilities, they check how they can escalate their privileges, they try to find credentials. Kerberoasting, we heard in the talk before, for example, is one thing. They try to identify accounts you have running on your systems that they can use or get the credentials from, and that you reuse. And for that reason one of the most important things, I think, is that you have a principle of least privilege in your environment, so an account should only be able to do what it needs. You should use dedicated service accounts for your services, of course, and just for your information: a service account is not an account that has svc_ in front of its name and is otherwise a normal user account. There exist dedicated service accounts in Windows environments, so use them. Use strong passwords; I still, today, know companies who still use eight character long passwords. I think that's 20 minutes on a decent graphics card today, so use strong passwords, length matters, 12 plus characters is the minimum in my opinion. And don't reuse passwords, especially on your systems: the local administrator. Especially in small and medium-sized businesses you see a lot that people use the same password for all local administrators, so if I have it on one system I have the whole company. Don't reuse it. Um, yeah. [Audience laughs]

So when they move around in your network, using either password hashes they found, valid credentials they discovered somewhere; vulnerabilities are also used to move around in your environment. They try to establish persistence mechanisms. Here we heard also in the talk before about the C2 channels, command and control channels, they use. They install in some cases directly AnyDesk, TeamViewer or other remote control software, or sometimes they also use tunneling software like ngrok, or recently they started using cloudflared. And what you need to do is: have a proper network segmentation, and with proper network segmentation I don't talk about subnetting. Subnetting means you just have different subnets; you need to have a firewall between them and you need to have rules between them that restrict access between your subnets. And one thing is especially important: please use network segmentation to restrict the access to your backup and your management systems as far as possible. We see a lot, especially, as I said, in the small and medium-sized businesses or in the other organizations we have as customers, that they tell us in workshops: yeah, we have a network segmentation, every building is one segment. And on the question: yeah, you can move within a segment, you can access everything? Yes, you can. And between the buildings you have also a firewall and you cannot access anything? No, you can access everything. And also your VMware management console? Oh yes, yes we can, so everybody can access it. Yes, of course. And that doesn't work.

So when they play around, they normally try to gain more privileges. So privilege escalation: this is normally local privilege escalation, but also using vulnerabilities or misconfigurations, insecure default configurations. My personal favorites are Group Policy Preferences, or passwords in Group Policy Preferences. It is no longer possible, since I think 2014, to put passwords in Group Policy Preferences; however, if you had your passwords stored in those preferences before the patch in 2014, then they're still there. And yeah, they are AES encrypted, but the encryption key is on the Microsoft website, so you can just download it and decrypt the keys. Then during that phase they also try to disable your security measures. The thing you can do is of course patch your systems, so try to get your vulnerabilities out of this equation; try to configure your systems in a secure way, which is not always possible due to some shitty third-party software; and keep your AV updated and, please, as I said already, check the logs and act accordingly.

So in the last phase they cash out. That's when they start being your backup service, so they copy data from your environment using file sharing platforms: for example Mega was once the thing, WeTransfer we had already, every other file sharing platform you can think about is a possible way to exfiltrate data. They also use their C2 communication channels, so sometimes they just use the possibilities in AnyDesk or in RDP clients, or they use file transfer protocols like SFTP. We saw for example in one case that they tried to install FileZilla on every machine they had access to, because on the first one it didn't work, on the second it didn't work, on the third it didn't work, because SFTP was blocked outgoing. And that is one of the things you can do to prevent exfiltration: block at least protocols you know that you don't need in your environment; and proper network segmentation, of course, is a general thing.

So in the last step, that's when they start the encryption. They're running the ransomware. Normally they have domain admin at that point, so they can run it on all domain connected systems. They can also disable, of course, when they are domain admin, they can disable the AV before they start to run it. Some ransomwares today disable services like databases and such things so that they have the full power of the machine for the encryption. If you get lucky, not everything works perfectly, because they use group names and Windows is especially picky when you have a non-English Windows installed. For example in Germany the group Everybody is called Jeder, and we had cases where the ransomware didn't really work that well because they couldn't change the permissions of the files first.

They use different encryption schemes. Normally they come with the asymmetric and the symmetric encryption type. The asymmetric, or public key, cryptography: the public key comes with the ransomware and is used to encrypt the symmetric keys they generate in your environment. Depending on the ransomware they generate one key for each system or even one key for each file; it depends a little bit on the ransomware how it works, but that's the usual thing they use. I would never count on the fact that there could possibly be decryptable things. In my opinion, in my world, the ransomware gangs have learned and use the standard Microsoft Windows or some other publicly available libraries to do the encryption. They execute it via remote tools like PsExec, PowerShell, or some use GPOs, group policies, to execute the ransomware on every machine connected to the domain.

And what can you do about this? It's hard, but the most important thing is: have online backups... offline backups, sorry, thank you. You see, online backups are great but not that great; offline backups are the most important thing, so don't have them connected to your environment. The USB disk on the system is not an offline backup. In my opinion, if you see that something is still encrypting, I'm always hesitant to say shut down the system, because you can break the encryption and maybe the file that is currently under encryption, or the files, will never be decryptable if you want to buy a decrypter or obtain the keys through some discussions with the ransomware guys. If it's a VM, just suspend it and that's it. And if everything is already encrypted: keep cool and call your incident responder.

So now let's talk about incident response: what happens when it's already too late, and what can you do to support your incident response team. At first, the things I'll say in this chapter are for our company and how we work, so other companies might work a little bit differently than that.

First, for some reason incidents always come on Friday afternoon, so some customers think it is a good idea to try to solve a case by themselves, maybe until the end of the week, and if they didn't solve it until the end of the week they call the incident response team. Please don't do that. It doesn't help your company and it doesn't make your incident response team happy to have to work on the weekend. And in addition, the longer you wait with calling the incident response team, the longer the incident response will take and the more complicated forensics will be, because you have log retention times, and while trying to do stuff by yourself maybe you modify some of the systems and it becomes much harder to do precise forensics.

So what happens on our side when such a new incident ticket arrives? The first thing we do is team-internal coordination, so we discuss: do we have enough people, do we have a person for each role in our team. We have three roles: incident handler, forensics analyst and malware analyst.

So first let's talk about incident handling. The incident handler is responsible for all the tasks that are customer facing, and the first point is always: get the customer out of that headless chicken mode, like we call it, because when an incident comes at our customer site everyone is running around like a so-called headless chicken, doing something but not doing anything helpful. So this is always the first task for the incident handler: structure the customer, do meetings, and then make all the relevant decisions leading to a secure emergency operation mode. That means in this case that you have a working core infrastructure, so a working domain controller, maybe a working email server, and whatever you need or whatever you define as very business critical systems.

Let's go a little bit more into detail. Probably the first measure will be to cut off the internet connection, because you just buy yourself a lot of time with doing that: no matter how many backdoors the attackers placed in the network, if you cut off the internet connection the attackers can't access their backdoors anymore. And then you will start to rebuild your network. You will define everything in your current infrastructure as the red network and then start building up a green network with clean systems. Maybe you will start with some admin workstations so that the administrators can work properly, and then we go through a prioritized system list and build up the most important systems. This can be, of course, like I said, domain controllers or email servers, but also whatever is important for your current company and for the business; this is of course in a hospital something very different from a small business or maybe a university. And please have such a prioritized list before your first incident, because when you start discussing in an incident which system is the most important, then everyone in the company will tell you something else and everyone will tell you that their system is the most important and has to be migrated and checked and analyzed first, and this isn't really helpful.

So during incident handling there might also be obstacles. For example, if you have backups and you encrypted your backups, this is great, but you should think about where to store that encryption key, because when you store it in your password manager and the password manager database is in a VM which then gets encrypted by the ransomware, well, you have backups but you don't have your key to decrypt the backup, so this doesn't help you very much. And this is not only true for passwords, this is also true for everything else which you could need during an incident, like contact lists or network lists and so on.

Working with third parties is also a task for the incident handler. This could be a data protection agency or the customer's customers, because they also often have some panic and have questions which the customer maybe can't answer, so this is also a task for the incident handler. And of course also working with law enforcement, but there's one thing to keep in mind: law enforcement wants to do a criminal investigation, incident response wants to bring you back to business as soon as possible. This is not necessarily the same goal, but it finally makes sense to allow your incident responders to share all information with law enforcement, because this is beneficial for everyone.

So why do I do forensics at all, one could ask. Well, the less precise the forensic results are, the more conservative the rebuild needs to be. So if you don't know anything about the attack, you have to rebuild everything from scratch. So let's say you have maybe two week old backups and you know the initial access of the attackers was only one week ago; then you could use those two weeks old backups for rebuilding, which is really great. But if you don't know how long the attackers were in the network, then it's really hard to say. A second point why you should do forensics is to estimate the impact. Especially in an early phase of an attack it is important to know: did the attackers only compromise some user devices, or did they already gain domain administrative privileges? Because then the incident handling is completely different. And of course it is also relevant to know which attack path the attackers used, so you can harden your network and improve in the future.

How should forensics be? It should of course be correct, it should be non-disruptive for the customer so they can concentrate on rebuilding their infrastructure, and it should be fast. What means correct? You want to have a dedicated forensics analyst, so you want to have an incident response team which is doing incident response in their day-to-day business, and you want in your forensics team one person who can really concentrate on forensics and is not also doing the incident handling and the malware analysis and so on, because then you can't really concentrate on doing the technical work.

It also should be non-disruptive, as I said. That means for our company we do remote triage collection; we use the tool Velociraptor for it (this is the official logo of Velociraptor). It's a really nice tool, because we just send our customers an exe file, the customer just has to execute the exe file, and then it collects all the logs we need, all the information we need, and automatically uploads it to our infrastructure. So we don't need to drive to the customer and start copying hard disks for weeks, because this doesn't help anyone. I also said it should be fast, so we have a lot of automation and tooling to make the work really fast: automatically pushing the uploaded files into our infrastructure, automatically doing reporting and so on. I won't go into detail here because this is enough for a single talk about it; maybe on Congress, let's see.

So what happens when we do manual forensic analysis? There are some questions you normally want to answer. One is of course about the vectors: you want to find all vectors the attackers placed in the network. Of course you want to have general IOCs, so indicators of compromise, so maybe which IP addresses did the attackers use, so you can block them in the firewall, or which tools did they use, so you can scan over the whole IT infrastructure and find further compromised systems. And if you have the IOCs you can also cross-correlate between cases or share them with law enforcement. Another important thing is of course lateral movement, because you can use lateral movement to build a timeline of the attack. So the methodology here is to look where the attackers came from and where the attackers went: so if you have a system A and you see the attackers came from system B, then you analyze system B and go back in time, and the same you could do forward in time, until you found all relevant systems which were compromised and have a proper timeline of the case.

Another common thing in the life of an incident responder is to fall into a rabbit hole, because it can be really, really interesting to do forensics, but yeah, you need to check what the customer really wants to know, or what your incident handler really wants to know, and not just analyze something and fall into the rabbit hole, because this really doesn't help anyone. Here also the 80/20 rule applies, so I'd say you get like 80 percent of the relevant forensics results in 20 percent of the time, and often this is enough for the incident handler to make the right decisions to rebuild the customer's networks as fast as possible.

So let's go into reporting. Nobody really likes reporting, but producing fancy forensics results, doing fancy technical stuff, is worthless if you can't explain it to a manager. Nobody pays us to do fancy technical stuff nobody understands, but we are paid to help our customers and explain the situation to them and to make the right decisions. So yeah, nobody likes reporting, but it is a really, really important thing.

So after delivering the report the incident is over and all work is done, right? No, not really, because such a report normally contains a lot of recommendations what to do for the customers, and as I already said, incident response more or less stops when the customer is in an emergency operation mode with a core infrastructure and the most critical systems are working, but there's still a lot to do. And of course security is a process, so there's always something to improve to stay ahead of the attackers.

So now let's go into a quick recap: how to protect against those kinds of attacks. We had these topics; just as a recap: patch your systems, it's important, keep them updated, vulnerabilities come and go, that's one thing. Have a sane privileged account management, so use the correct user accounts for the right task. Use two-factor authentication for remote services. Have a proper network segmentation, so put firewalls and access rules between your networks. Check your AV logs regularly and act accordingly. And, not really protecting you against an attack but keeping the symptoms a little bit less devastating: have offline backups.

So how to make incident response easier, for yourself and for the incident response team. The first thing is: don't try to solve this stuff by yourself, just call the incident response team of your trust as soon as you know you have an incident. The second thing is a logging policy, because if you have a very short log retention, for example, and you only have logs for the last two days, then it might be hard to find out what happened; and if you don't log stuff at all, especially in cloud environments, this is a thing where you need to look at, then it might also be hard to get proper forensic results. Then, as I said, have offline contact lists, because your main server is down, your accounts are compromised, so you can't use your Microsoft Teams or whatever you use in your company; you need an alternative way to communicate with your colleagues and/or employees. Then, as I said, a prioritized asset list and network plans, and a disaster recovery plan in the best case. And please have all that in a secure place, in the best case on paper. Well, nobody likes doing stuff with dead trees, I know, but dead trees don't get ransomware, right?

So that's it from our side, more or less. Normally this is the point where you can ask us questions, but we want to spin that around and give you some questions; maybe someone can guess the right answer.

What do you think is the shortest time to domain admin we saw in an incident, between initial compromise and the attackers gaining domain admin? Yeah, it's not... somebody said 17 seconds, two minutes. Well, it's not that bad: six minutes is what we have seen in an incident. Hmm.

What do you think is the shortest log retention on a domain controller, so how long? Zero, 10 hours, a year. Well, it is 2.5 minutes.

What do you think is the highest number of domain administrator accounts we saw in an incident? 200? Nah. 50? 64, with 120 people working in IT.

What do you think is the longest dwell time, so the longest time between being initially compromised and realizing that you are compromised? 60? Now, it's not that bad. I hear here a lot of years. Well, it is like around two years.

So, well, that's really it from our side, no time for questions. Thank you. If you have questions we will be there outside waiting; come and join us. Thank you.

Thank you, thank you Harry and Chris. A warm applause, thank you. [Applause]