Information Security Manager Post
PeterHands Member Posts: 86
Hi guys,
I've got through to the final stage of the post mentioned above. I have to do a presentation on the following.
"How do you restore an organisation to health after a ransomware infection such as Cryptolocker"
Any ideas on how I should pursue this would be great.
I'm thinking, a quick few slides on the background of Ransomware and its many forms, a short review of asymmetric cryptography and how Ransomware works, then onto recovery and prevention.
But any tips on this would be great. Anyone had to do anything similar?
Thanks in advance.
ISC2 CISSP, EC-Council C|CISO, CEH, CompTia Security+
Comments
nelson8403 Member Posts: 220
I'd talk about the importance of backups, isolating the threat once found and then educating users on opening attachments or downloading files they are not actively looking for. Talking about the threat itself should probably be kept to a minimum, it doesn't sound like they're asking what Cryptolocker is but how you would come in, isolate, recover and educate after the fact.
PeterHands Member Posts: 86
That's great, really helps.
Thanks buddy!
beads Member Posts: 1,533
Probably should be moved to off-topic but having recently gone through a number of similar incidents (I was shocked at the unreported number) I can say this.
Anti-Virus still needs to be nested, layered and monitored throughout the enterprise. Preferably with at least two different engines monitoring. One in email the other on servers and endpoints. You know the drill.
Backups are still necessary but don't exist until you prove you can restore needed data in a usable format in the timeframe you know to be true. Don't tell me I think it will be about... ummm... 2 or 3 hours when it's really an overnight process.
Anti-Virus all suck. They're all great. Some are better at some things than other products - deal with it.
Off site employees are out of sight, out of mind and will be your biggest source of insomnia not to mention viruses in need of being cleaned. You need a realistic program to check these machines not only remotely but whenever (and if) they come in to corporate. These machines will be compromised until proven innocent. No connecting to the inside corporate assets until cleared or formatted.
Logging of course is critical but most corporations do so poorly so get your check book out and share the pain with all departments.
Forensics both network and desktop may be necessary. So will be training and support. Security is a trade off of convenience and availability. Since the government is placing a premium on corporate security, staying out of court, jails and the prison system from GRC maleficence is a high priority for me - you can make your own risk based decisions here.
If you like the post please feel free to bump the reputation. I never ask unless it's an exceptionally difficult post to respond to.
- b/eads
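beads' point that a backup does not exist until a restore has been proven, as an added example (not beads' code or anything else from this thread): a small Python restore drill that times the restore against an RTO and checks every restored file against a hash manifest taken at backup time. The directory layout, the manifest format and the copy-based restore are assumptions standing in for a real backup tool.

```python
"""Backup restore drill: time the restore and check every restored file against a manifest.
Added example, not from anyone in this thread. Assumes a backup set is a directory plus a
manifest of "<sha256>  <relative path>" lines; the restore step is a plain directory copy."""
import hashlib, os, shutil, tempfile, time

def sha256_of(path):
    with open(path, "rb") as f:  # reads the whole file; fine for a drill on sample data
        return hashlib.sha256(f.read()).hexdigest()

def write_manifest(backup_dir, manifest_path):
    """Record the hash of every file in the backup set at backup time."""
    with open(manifest_path, "w") as m:
        for root, _dirs, files in os.walk(backup_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                m.write(f"{sha256_of(full)}  {os.path.relpath(full, backup_dir)}\n")

def verify_restore(manifest_path, restore_dir):
    """Relative paths that are missing from the restore or whose hash differs from the manifest."""
    failed = []
    for line in open(manifest_path):
        expected, rel = line.rstrip("\n").split("  ", 1)
        target = os.path.join(restore_dir, rel)
        if not os.path.isfile(target) or sha256_of(target) != expected:
            failed.append(rel)
    return sorted(failed)

def restore_drill(backup_dir, manifest_path, restore_dir, rto_seconds):
    """Restore, then report elapsed time against the RTO and any file that did not come back intact."""
    start = time.monotonic()
    shutil.copytree(backup_dir, restore_dir)  # swap in the real backup tool's restore command here
    elapsed = time.monotonic() - start
    return {"elapsed": elapsed, "within_rto": elapsed <= rto_seconds, "failed": verify_restore(manifest_path, restore_dir)}

def demo():
    """Constructed backup set; one restored file is then damaged to show the check firing."""
    work = tempfile.mkdtemp()
    backup, restore = os.path.join(work, "backup"), os.path.join(work, "restore")
    os.makedirs(os.path.join(backup, "finance"))
    for rel in ("finance/budget.xlsx", "handbook.pdf"):
        with open(os.path.join(backup, rel), "wb") as f:
            f.write(b"constructed contents of " + rel.encode())
    manifest = os.path.join(work, "manifest.txt")
    write_manifest(backup, manifest)
    clean = restore_drill(backup, manifest, restore, rto_seconds=3600)
    with open(os.path.join(restore, "handbook.pdf"), "ab") as f:
        f.write(b"\x00")  # simulate a damaged restore
    damaged = verify_restore(manifest, restore)
    shutil.rmtree(work)
    return clean, damaged
```

The drill is only worth anything against the real restore command and the real RTO; the elapsed figure is the number to put in front of the people who "think it will be about 2 or 3 hours".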
wd40 Member Posts: 1,017
For some strange unknown reason I felt that I had to +Rep you beads before reading your request.
Thanks, great reply.
jt2929 Member Posts: 244
"You must spread some Reputation around before giving it to beads again."
Listen to this man.
YFZblu Member Posts: 1,462
beads wrote: »If you can direct the person you're quoting my way I would be grateful. I always spread the rep wealth around when deserved.
- b/eads
...that quote is from techexams.net; a poster can only give so much rep to another poster before that message comes up.
YFZblu Member Posts: 1,462
Regarding the question posed by the OP:
The very short answer to your question is going to be a combination of reimaging the affected machine(s), and restoring backups for any affected network shares. Additional points you should make relate to harvesting IOCs from affected machines, determining the how/what/when of what happened, and formulating some prevention and/or alerting mechanisms for the next time.
Probably a better way of getting this information resolved for yourself would be to read white papers on well-known ransomware and form your own conclusions. Places to start:
-Cryptolocker
-Cryptowall 3.0
-Teslacrypt
Cryptowall 3.0: Back to the Basics
Threat Spotlight: TeslaCrypt – Decrypt It Yourself
pinkydapimp Member Posts: 732
Most important is that your presentation is concise. Keep it to 3-5 slides max.
lsud00d Member Posts: 1,571
Don't forget lessons learned--educate the users. If they click on that link and adequate protections aren't in place, it's game over.
Similarly, as others have said, stress defense in depth. You need the spam filter to catch that email before it ever comes in. You need advanced DNS (like OpenDNS) to prevent malicious outbound requests from ransomware like Cryptowall (note: ransomware like Cryptolocker uses DGA and fast-flux so it's not as effective). You need specific GPOs in place. Backups...tested backups.
Additional reading:
Cryptolocker Prevention Kit updates
https://www.reddit.com/r/sysadmin/comments/2hbrrs/cryptowall_hit_a_client_last_night/
PeterHands Member Posts: 86
pinkydapimp wrote: »most important, is that your presentation is concise. Keep it to 3-5 slides max.
That's very interesting, esp. since I've 10 mins only to present. And then they will be asking questions after, I presume, based on the presentation.
A lot of replies have been about prevention on here, which of course will be in the presentation on social engineering via email, educating users and yes having defence in depth.
But 'How do I recover after the attack has already taken place to restore normal operations and data. How do I come back from having our network drives locked out due to ransomware.' I don't have the private keys etc.. So is it merely bite the bullet, clean infected systems and restore from backup....painful though it is, or are there quicker ways to do this?
636-555-3226 Member Posts: 975
0. Turn off infected computers.
1. Determine if it actually "infected" any files on the network instead of just encrypting them. Be a shame to do a ton of fixing work only to find out that someone opens a booby-trapped file afterward and re-encrypts everything. This probably involves forensics that are beyond the in-house skill and budget. In that case, bite the bullet and:
2. Restore affected folders from backup. If you don't have backups and need the docs then pay the ransom. Do it quick before your time expires. We have some bitcoins stashed away as a just-in-case scenario. Getting up & running on Bitcoins may take a few days, so get the legwork in ahead of time.
3. Regardless of #2, reimage infected computers. Don't bother cleaning, I can give you a list of 50 places the bad guy can hide that you'll never a) look in and b) even see he's there if you look. Always reimage, even if it is a pain in the butt.
4. Determine how it came in. If it was email, work on email security awareness (start phishing your users) and get a real email filter. If it was over the web, make sure you have some "working" patch management practices. Also make your users a "User" instead of "Administrator." Might not help in this case, but could help guard against persistence.
5. Report it to your local FBI office and IC3. You should already know the name of the FBI guy there and have his business card tacked up on your wall. If you're doing it right, he'll also already have come in and given an hour-long presentation to your executives. Yes, the FBI does this for free and is always more than willing to come in & speak to the executives. If you can get the executives to meet with them....
6. Have your CEO send an email to the company telling them what happened & why it's important that they practice safe online behaviors. Lots of good resources you can use at https://www.staysafeonline.org.
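As an added example of the scoping in step 1 (not code from 636-555-3226 or anyone else in this thread), the Python below runs a rename-burst heuristic over constructed file-server audit lines to name the host to pull off the network and reimage (steps 0 and 3) and the folders to restore from backup (step 2). The log format, hostnames, paths and the `.encrypted` extension are all constructed assumptions.

```python
"""Scope a ransomware incident from file-server audit events.
Added example, not from anyone in this thread. Assumes a constructed CSV-style audit log of
"timestamp,host,user,action,path" lines; real ones would come from SMB auditing or a SIEM."""
from collections import defaultdict
from datetime import datetime, timedelta
import posixpath

# Constructed sample: one workstation mass-renames files on two shares within seconds and
# drops ransom notes; an unrelated user renames a single file an hour later.
SAMPLE_LOG = """\
2016-10-24T09:00:01,WS-ALICE,alice,WRITE,/finance/q3/budget.xlsx
2016-10-24T09:14:02,WS-BOB,bob,RENAME,/finance/q3/budget.xlsx.encrypted
2016-10-24T09:14:02,WS-BOB,bob,RENAME,/finance/q3/forecast.docx.encrypted
2016-10-24T09:14:03,WS-BOB,bob,WRITE,/finance/q3/HELP_DECRYPT.txt
2016-10-24T09:14:03,WS-BOB,bob,RENAME,/hr/policies/handbook.pdf.encrypted
2016-10-24T09:14:04,WS-BOB,bob,RENAME,/hr/policies/leave.docx.encrypted
2016-10-24T09:14:05,WS-BOB,bob,WRITE,/hr/policies/HELP_DECRYPT.txt
2016-10-24T10:30:00,WS-CAROL,carol,RENAME,/sales/draft.docx
"""

def parse(log):
    """Yield (timestamp, host, user, action, path) per audit line."""
    for line in log.splitlines():
        ts, host, user, action, path = line.split(",", 4)
        yield datetime.fromisoformat(ts), host, user, action, path

def triage(log, window=timedelta(minutes=5), threshold=3):
    """Return (hosts to isolate and reimage, folders to restore from backup, first rename seen).

    Heuristic: a host that renames `threshold` or more files to the same new extension
    within `window` is treated as the encrypting machine; every folder it renamed into is
    marked for restore. A user renaming one file now and then never trips it."""
    renames = defaultdict(list)  # (host, new extension) -> [(timestamp, path)]
    for ts, host, _user, action, path in parse(log):
        if action == "RENAME":
            renames[(host, posixpath.splitext(path)[1])].append((ts, path))
    hosts, folders, first_seen = set(), set(), None
    for (host, _ext), items in renames.items():
        items.sort()
        for i in range(len(items) - threshold + 1):  # sliding window over sorted renames
            if items[i + threshold - 1][0] - items[i][0] <= window:
                hosts.add(host)
                folders.update(posixpath.dirname(p) for _, p in items)
                if first_seen is None or items[i][0] < first_seen:
                    first_seen = items[i][0]
                break
    return hosts, folders, first_seen
```

The first-seen timestamp is the point to restore to, and the host list is what goes to the reimage queue rather than to a cleaning attempt.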
PeterHands Member Posts: 86
That's very kind. Thank you very much.
JoJoCal19 Mod Posts: 2,835
Excellent advice from everyone. Only thing I'd add is since it's for a manager position it seems they are looking for an overall view of how you'd recover, an incident response plan specifically. I'd get familiar with NIST 800-61 incident handling procedures (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf).
PeterHands Member Posts: 86
Thank you, that's very useful!
beads Member Posts: 1,533
Overall there are still many ways to recover from a Cryptolocker infection. Some of which are obvious - many simply pay. Some A/V will detect the activity of a suspected new infection and at least shut it down (Trend Micro). You restore from backup in any number of ways that would be several paragraphs long. Really it's quite the can of worms to contend with here.
- b/eads
PeterHands Member Posts: 86
Well my presentation is prepared and my interview scheduled for Weds 26th, 2pm GMT! Here's where the praying starts!
I'm actually super stressed and my body feels as tight as anything.....Just want it over with.....hopefully with good results.
636-555-3226 Member Posts: 975
Let us know how it goes. Not sure if you want to post an anonymized version of your material, but people here are always glad to provide some feedback.
PeterHands Member Posts: 86
Hi Guys,
Just to let you know they offered me the job before I even left the room.
The IT Director stopped me halfway through my presentation and said obviously I know my stuff etc... We talked a bit about the role etc etc
Well what can I say, I'm knackered! But happy.
Thanks for all your help and advice. Very much appreciated!
Pete
stryder144 Member Posts: 1,684
Great news! Congratulations! Best of luck going forward.