Cyber Game Plan: a tabletop exercise in defending a ransomware attack
NOVEMBER 16, 2017

Moderator:
• Frances Floriano Goins, Ulmer & Berne

Panelists:
• Ryan Macfarlane, FBI
• Christopher M. Prewitt, TrustedSec, LLC
• Betty Shepherd, R-T Specialty, LLC
• Gregory P. Stein, Ulmer & Berne
Ransomware Exercise
• Overall goals of this exercise:
› Gain a better understanding of how an incident progresses
› Identify appropriate questions to ask
› Determine roles and responsibilities during a response
› Ensure all team members understand the needs and capabilities of the team and organization
› Better understand what capabilities exist, how they can be used, and what is needed if there is an incident
• Questions and discussion are helpful
• No need to wait until the end: ask now, ask later, ask anytime, just ask!
Beginnings of an Incident
• Public company, manufacturer, global business that includes operations in Europe
› The IT Support Desk receives a phone call from someone in the organization saying they cannot open certain files
› As IT dispatches someone to look into it, more and more calls start coming into the IT Support Desk
› The issue appears to be ransomware, and it is encrypting data across the network
Incident Briefing #1
• Your team is investigating the ransomware and you have engaged your Incident Response (IR) team. It is unclear whether you can recover data and systems if you pay the ransom
› Email systems are inaccessible for employees
› It is unclear whether there are multiple strains of ransomware
› Multiple systems are impacted, including systems that enable customers to place orders
Incident Briefing #2
• An IR forensic analyst has joined the investigation onsite. Based on logs and initial forensics, it appears that data may have been exfiltrated in addition to being encrypted
› Web servers were accessed
› Internal file shares were accessed
› Corporate emails appear to have been accessed
› It is difficult to identify specifically what was taken or whether data has been permanently lost
› Additional malware was found; it is unclear whether it is related or not
Incident Briefing #3
• You have paid the ransom, and while some of your systems and data are restored, some are not
› Your IR forensic analyst identifies two similar but different payloads on your systems; one accepts the decryption key, the other does not
› Where possible, you have restored from backup, but in some cases restoration was not possible
Incident Briefing #4
• About 8 hours after the incident began, a well-known online security journalist posts an article on his blog detailing the ransomware event and breach
› He cites an "undisclosed" source
› No specific mention of data theft, but he describes broad outages
› The journalist called your CEO, CIO, and Security Director for a quote
Incident Briefing #5
• Investigation determines that the attacker is still active in the environment
› Endpoint technology tracks the commands and activity currently being performed by the adversary
› The attacker is leveraging an administrative account with access to all areas of the environment (Domain Admin)
› The IR forensic analyst recommends speeding up the remediation process to remove the attacker's access, lock down the environment, and disconnect from the internet
Incident Briefing #6
• Large shareholders and important customers have reached out to your company to find out details about the incident
› Shareholders have expressed concerns about the impact on the organization
› Some large customers have called, asking for meetings to understand their exposure
Incident Briefing #7
• The IR forensic analyst finalizes a report about what happened and includes a list of remediation recommendations:
› The report identifies the attack as tied to an organization working on behalf of the Democratic People's Republic of Korea (North Korea)
› Remediation recommendations require significant time, money, and resources to further lock down the environment
› There were other threats in addition to the ransomware, and it is unclear whether they are related
Lessons Learned
• Did you understand how a security incident can impact the organization beyond IT?
• What are your biggest takeaways from this exercise?
• Did anything catch you by surprise?
Questions
Frances Floriano Goins
Co-Chair, Data Privacy & Information Security, and Co-Chair, Financial Services & Securities Litigation
Ulmer & Berne
fgoins@ulmer.com
216.583.7202

Ryan Macfarlane
Supervisory Special Agent, Cyber Squad – Cleveland Division
Federal Bureau of Investigation
grmacfarlane@fbi.gov
216.522.1400

Christopher M. Prewitt, CISSP, CISM
Vice President, Advisory Services
TrustedSec, LLC
Chris.Prewitt@TrustedSec.com
877.550.4728

Betty Shepherd
Senior Vice President
R-T Specialty, LLC
Betty.Shepherd@rtspecialty.com
860.656.1362

Gregory P. Stein
Vice-Chair, Data Privacy & Information Security
Ulmer & Berne
gstein@ulmer.com
216.583.7446