Speaker: Christian Kollee
Conference: Elbsides light 2023
Ransomware attacks are an ever-present menace for companies of all sizes, but they are especially devastating for small and medium-sized businesses. Ransomware attacks do, however, tend to follow a similar course; only the techniques used differ, depending on the group behind the attack and the infrastructure being attacked.
Looking at the Incident Response cycle, many companies omit the first phase at least partially: preparation. On the one hand, the preparation phase includes preventive measures, i.e., measures to reduce the likelihood of an incident. On the other hand, since preventive measures can fail, companies must also implement steps for when an incident does occur. Missing these preparations will lead to problems and delays during an incident.
While responding to an incident, two different work streams must be handled. The first stream is the recovery of the company network. In the best case, the company can manage this stream on its own. The second work stream is the forensic analysis of the incident. Small and medium-sized businesses usually lack the necessary knowledge and require a specialized service provider. This stream is essential to understand how the attackers entered the environment, how they moved around, and what backdoors they placed that they could use to return. Forensic analysis is also required to decide which systems the company needs to replace, which it needs to clean up, and which it can continue to use. The less precise the forensic results, the more conservative the rebuild has to be.
You can do a lot before an actual incident; some to make it less likely to get hit and some to make it easier to recover. There are also some recommendations to ensure that you handle the incident response as well as possible. In this talk, I’ll
tell a story of an exemplary incident response based on what I saw during the last five years,
show general tips that reduce the likelihood of such an attack,
provide preparation steps to ease the response in case of an incident,
and give some hints on how to handle the response.
elbsides.eu/2023/#you-are-not-prepared---a-ransomware-story