Practical Incident Response – Eduardo Chavarro Ovalle, Giovanni Cruz Forero

CSIETE | BSidesLATAM: Practical incident response team


Practical Incident Response

Eduardo Chavarro Ovalle, Giovanni Cruz Forero

Who are we?

CSIETE is a private, neutral, nonprofit company that researches, offers special services and gives training in digital security to enterprises, communities and civilians.

Summary

• Why to triage?
  • LATAM risk assessment
  • Global trend
• Practical Incident Response – how to.
  • Triage for Ransomware, ¿is it necessary?
  • Incident Response / Digital Forensic
  • Malware Triage
    • A malware reversing history
    • A dynamic / static analysis show
    • So what's the best, ¿who and when?

Incident Response / Digital Forensics

Multidisciplinary profession that focuses on identifying, investigating, and remediating computer network exploitation. This can take varied forms and involves a wide variety of skills, kinds of attackers, and kinds of targets.

You'll need the following traits (not all, but at least a majority of them):

• Curiosity
• Attention to Detail
• A Need for Variety
• Working with People
• An Affinity for Stress

Scott J. Roberts, "Introduction to DFIR"

A malware reversing history

• Lexsi security hub
  • Abusing bugs in the Locky ransomware to create a vaccine
  • Locky, an aggressive victims hunter campaign all around the globe.
  • Update 1, update 2, but not enough.

Abusing bugs in the Locky ransomware to create a vaccine

Locky checks the system language and doesn't infect those configured in Russian.

Sylvain Sarméjeanne, March 2016, Lexsi Security Hub

Abusing bugs in the Locky ransomware to create a vaccine

Locky tries to create the HKCU\Software\Locky registry key; if that fails for any reason, Locky immediately terminates.

Sylvain Sarméjeanne, March 2016, Lexsi Security Hub


¿When to reverse?

• APT identified
• 0day or special deployment system
• Shared key embedded into the code or encrypting function reversible.
• When you can do it.

Sylvain Sarméjeanne, March 2016, Lexsi Security Hub

A dynamic / static analysis show

• Online, host based tools.
• Malware analysis distributions.
• Easier than reversing.
• Not all but maybe enough.
• Complementary tools.

So, what's the best (who / when)

• Who: Reversing: Exploiter / Reverse engineer. Security consultant, researchers. D/S analysis: *.*
• When: Reversing: APT advertised, 0day used to deploy / privilege escalation, targeted attack. D/S analysis: *.*

Why to Triage

• Determine the risk, exposure and controls.
• Because you have to:
  • Malware samples: Easier to create than ever
  • Spreading fast: Less than 2 minutes from release to infection
  • New malware: Exploiting old vulnerabilities, especially SE.

Trend Micro, June 2015: Malware: 1 million new threats emerging daily

LATAM Risk Management

Global Trend


Practical Incident Response – How To

Triage for Ransomware, ¿is it necessary?

Ondrej Kubovič, "Beyond TeslaCrypt: Crysis family lays claim to parts of its territory", June 2016.

Triage for Ransomware, ¿is it necessary?

But, just in case, this is the way we attend Ransomware Incidents:

• Isolate the affected device.
• Identify principal samples related to the malware:
  • Ransom Note
  • Sample Encrypted File
  • Originating malware
• Identify the ransomware
• Analyze most of the files, to be sure which type of ransomware has affected your system.
• Look for possible ransomware decrypting tools
• Cross your fingers and check the tools.
• Remember the red lines when we told you "Prevent, don't react"? Well, maybe it's time to do it.

"Prevent, don't react":

• Invest in security tools: AV / Anti-malware.
• Create secure backups, and save them in external storage systems. Remember to back up your data at regular intervals.
• Educate users in your organization.

Thank you very much. Prac@[email protected]