November 13, 2020

Incident response Case Studies and lessons learnt on the ground

By venkat

Case studies help a lot in understanding how other companies respond to a crisis situation. What is the learning our organisation can take from it? Can we do a table top exercise using this as a scenario?

Our approach – Reuse as much operational knowledge gained by your peers who have already handled attacks. Most of them are kind enough to help you provided you ask. Below are a series of learnings shared by companies that have handled major incidents and which others can take as actionable items.

Toll Group

Sincere thanks to Diana Peh.

The logistics giant was first hit by Mailto ransomware at the end of January 2020, which took six weeks to recover from.

It then suffered a second attack in early May that used the Nefilim malware and was similarly devastating.

Below are the clear lessons kindly shared:

“In a time of crisis, it can get really confusing. Everybody wants to help, but you need to know who’s in charge, you need a leader,”

“My experience with both cyber incidents have been very different. I found it really hard for the first incident, [but] the second one [was] much better than the first.”

“In the first one in particular, there were lots of questions around who’s in charge, and what are the roles and responsibilities.”

“It’s really important upfront that you actually are clear on roles and responsibilities going in and that you’re ready, because in a time of crisis, you really want to make sure that you try to eliminate as much chaos as you possibly can.”

An incident response plan should lay out “the next 20 steps” clearly, with plenty of practice runs.

“You need to make sure that you run lots and lots of practice runs with your teams, so that everyone is clear,”.

Blue team exercises – “We’re doing this quarterly at the moment, not just with the executive crisis management teams, but with the teams on the ground, and my reflection is that this is actually a lot harder than it sounds, especially if you have teams that are spread across the globe and working across different time zones. 

“My personal experience is that having run a couple of them by now, we’re still finding lots of opportunities to improve and making sure that our teams really deeply understand the drill.

References

https://www.itnews.com.au/news/toll-group-unveils-year-long-accelerated-cyber-resilience-program-551025

https://www.itnews.com.au/news/toll-group-still-mopping-up-after-ransomware-attacks-555046

Maersk

Maersk had to reinstall its entire IT environment in 10 days to recover.

Hydro

Coming soon.

DLA Piper

https://www.itnews.com.au/news/dla-piper-paid-15000-hours-of-it-overtime-after-notpetya-attack-490495

“We spent an awful lot of time trying to test all our computers and validate them and make sure they were clean and safe to put back on the network,” James said. “After about two weeks of doing it and redoing it and redoing it, we made the decision in the end just to wipe everything and start afresh.“In hindsight I would have done that at the beginning and not wasted all that time and effort.

“We’d been hit by something very serious and I think it was not the best use of our time to spend trying to check all of that equipment and see if there was anything that was salvageable.”

General counsel Amber Matthews said one of the “saving graces” for DLA Piper was that the company did not lose any data to the attackers, and that its backups were unaffected.

Still, the company is making changes to its architecture to prevent a similarly catastrophic global failure should it be hit again in future.

In addition to segmenting its network so it can better contain threats, the company is also looking to stand up cloud-based versions of its core systems for business continuity purposes.

“We manage all of our infrastructure on-prem,” James said.

“But for core services we are now looking to host some of those services – at least as a lifeboat solution – in the cloud where we can failover to those very quickly if we need to.

“The assumption being this will probably happen again at some point, somehow, hopefully not on the same scale, but we can’t wait four days to recover email – we need to be able to fail that over almost instantly.”

Interesting case studies that you can practice in your organization

  1. LLM prompt injection attack – Enterprise chatbot
  2. Hydro
  3. Winter Olympics – biggest attribution problem
  4. Colonial Pipeline
  5. Kaseya
  6. Medibank
  7. AIIMS Medical
  8. ICMR – India (P3)
  9. Tata Power – HIVE
    1. https://ciso.economictimes.indiatimes.com/news/tata-power-data-leak-what-makes-hive-one-of-the-top-5-ransomware-groups-operating-today/95120970
  10. IRELAND HSE
  11. Singapore HSE
  12. Ice cream discussion shutdown
  13. Costa Rica
    1. 27 institutions
    2. Conti – Eastern Europe – IRELAND health services
    3. IRELAND
    4. Conti – Through Emotet botnet
    5. Last 2 months
  14. MGM
    1. https://bluoceancyber.com/insights/hackers-shut-down-mgm-in-a-10-min-phone-call
  15. Orange – https://therecord.media/orange-espana-outage-hacker-internet-ripe-bgp-rpki

Cybercrime

  1. Hansa market shutdown
    1. https://therecord.media/hansa-market-takedown-dutch-national-police

Ransomware families

  1. https://www.malwarebytes.com/blog/news/2021/06/clop-stopped-ransomware-gang-loses-tesla-and-other-treasures-in-police-raid

ARTIFACTS

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/

CLOP – https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop

DRILLS CASE STUDIES
Israel case

HEALTHCARE COMPANIES

  1. Sun Pharma – ALPHV (Ransomware)
    1. https://www.youtube.com/watch?v=ChO-JFSiB0g
  2. Dr. Reddys
  3. Lupen
  4. https://therecord.media/philippines-state-health-insurer-struggles-with-ransomware

Insolvency 

https://therecord.media/knp-logistics-ransomware-insolvency-uk?utm_medium=email&_hsmi=275872933&_hsenc=p2ANqtz-9B4Mq5i-ZPyQUep4nBcPYSR6Davxa5K6PdhraKUDtA1GLu69uefpYFNCLnLUlOF84HVsJRVP3pKJowA_x79CC2eRktpA&utm_content=275876509&utm_source=hs_email

Hosting companies

https://www.bleepingcomputer.com/news/security/hosting-firm-says-it-lost-all-customer-data-after-ransomware-attack/

Rackspace – https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/  PLAY

2023 TOP RANSOMWARE FAMILIES

https://securitybrief.com.au/story/ncc-group-reveals-cl0p-ransomware-attack-continues-to-dominate

TO THE CORE

The DFIR Report – Real Intrusions by Real Attackers, The Truth Behind the Intrusion