Incident Response Case Study

CISOSHARE Incident Response Team quickly triages an incident and implements improvements to the client's security environment.

Executive Summary

For privacy reasons, we cannot disclose client names. References are available upon service agreement.

After a company's clinic management software is hit by a crypto-ransomware attack, the CISOSHARE team responds quickly using best practices and a proven methodology. The incident response team determined and met the client's main objectives, which included identifying the root cause, conducting malware forensics, and confirming that no sensitive data was exfiltrated from the environment. During the investigation, the CISOSHARE team also quickly restored daily operations and remediated the client's overall security environment.

"Today, incident response is as much about communication and organization as it is about digital forensics and reverse engineering files. The new privacy and regulatory requirements mean management needs to quickly and repeatably be informed as incidents progress. It's beyond knowing if your systems are up. It's asking questions such as: what is the sales and marketing impact? How will it be communicated to the public, partners, clients, etc.? Are there internal resource damages and cultural impacts? Often these questions need to be answered before or during the technical analysis." – Adam Couch, Vice President of Professional Services at CISOSHARE
www.cisoshare.com | [email protected] | +1-800-203-3817
Attack Timeline

The attack on the clinic brought down the initial firewall, at which point all traffic was immediately directed through their secondary firewall. Unfortunately, this firewall was misconfigured and had no restrictions on RDP (Remote Desktop Protocol), which allowed lateral movement between machines and servers. Logs later revealed 40,000 login attempts using admin credentials, after which the malware entered the client system and encrypted specific files on a single end user's machine.

The day that the attack occurred, a user attempting to use the client's services found suspiciously labeled files. After bringing this to the attention of the onsite IT team, the machine was taken off the network but not turned off, in order to preserve an image of the RAM (random-access memory).

It was at this point that the client contacted CISOSHARE to assess and remediate the incident.

Following the introductory meetings, the CISOSHARE team conducted several discovery meetings to identify critical information. Through these meetings, the team identified the initial point of entry, received the malware sample identified by the client's internal response team, and received a snapshot of the disk image of the compromised machine. The CISOSHARE team established their operating protocol, the formal roles of the team, and the three goals that the client wanted to meet:

1. To identify the root cause of the incident and understand the initial point of compromise.
2. To conduct malware forensics and understand how the malware works.
3. To confirm that no sensitive data was exfiltrated.

The incident response team used the provided disk image of the compromised machine to build a timeline analysis of the attack and discovered the malware that the attacker used.

Using the data from this machine and the client's available firewall logs, the team was able to determine that the attack occurred after the initial firewall had failed. Traffic was automatically routed to a secondary firewall, but this was misconfigured, allowing the attacker to exploit the exposed RDP service, plant the malware, and encrypt client files.

Approximately two hours passed between encryption and the discovery of the incident and the isolation of the compromised machine.
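The 40,000 admin logon attempts described above are the kind of pattern that stands out in the Windows Security log of the RDP target well before any file is encrypted. The following is an added example, not CISOSHARE's tooling and not taken from the case study, of the detection logic a defender would run over those events: it counts failed RemoteInteractive (RDP) logons per source address in a sliding window and escalates any burst that is followed by a successful logon from the same address. The event field names follow the Windows Security log schema (Event IDs 4625 and 4624, Logon Type 10), but the threshold, the window and every sample record are constructed for the demonstration.

```python
"""Flag RDP logon bursts of the kind described in the attack timeline.

Added example, not CISOSHARE's tooling.  Events are simplified dicts
carrying a few fields from the Windows Security log schema (EventID 4625 =
failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive,
i.e. RDP).  All records below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive


def build_sample_events():
    """Construct a small labelled sample: one brute-force burst plus benign noise."""
    base = datetime(2018, 6, 1, 2, 0, 0)
    events = []
    # 60 failed 'administrator' logons over 12 minutes from one external address.
    for i in range(60):
        events.append({"time": base + timedelta(seconds=12 * i),
                       "EventID": FAILED_LOGON, "LogonType": RDP_LOGON_TYPE,
                       "TargetUserName": "administrator", "IpAddress": "203.0.113.7"})
    # The burst is followed by a successful RDP logon from the same address.
    events.append({"time": base + timedelta(minutes=13),
                   "EventID": SUCCESS_LOGON, "LogonType": RDP_LOGON_TYPE,
                   "TargetUserName": "administrator", "IpAddress": "203.0.113.7"})
    # Three failures an hour apart from another address: a mistyped password, not a burst.
    for i in range(3):
        events.append({"time": base + timedelta(hours=1 + i),
                       "EventID": FAILED_LOGON, "LogonType": RDP_LOGON_TYPE,
                       "TargetUserName": "jsmith", "IpAddress": "198.51.100.4"})
    return events


def detect_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=10)):
    """Return one alert per source address with >= threshold RDP failures in any window.

    Each alert records the peak failure count, when that burst began, and whether
    a successful RDP logon from the same address followed it (the case to escalate
    first, since it suggests the guessing worked).
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev["LogonType"] != RDP_LOGON_TYPE:
            continue
        if ev["EventID"] == FAILED_LOGON:
            failures[ev["IpAddress"]].append(ev["time"])
        elif ev["EventID"] == SUCCESS_LOGON:
            successes[ev["IpAddress"]].append(ev["time"])

    alerts = []
    for ip, times in failures.items():
        times.sort()
        peak, burst_start, j = 0, None, 0
        for i, start in enumerate(times):
            # Slide the window end forward; j only ever increases because times is sorted.
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i > peak:
                peak, burst_start = j - i, start
        if peak >= threshold:
            alerts.append({
                "source": ip,
                "peak_failures": peak,
                "burst_start": burst_start,
                "followed_by_success": any(t > burst_start for t in successes.get(ip, [])),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(build_sample_events()):
        print(alert)
```

On a real host the records come from the Security log (exported or forwarded to a SIEM), and the 20-failures-in-10-minutes threshold is illustrative and should be tuned to the environment. The check only works if the logs are still there when the investigation starts, which is why log retention matters as much as the rule itself.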
Response Timeline

The CISOSHARE Incident Response Team completed the entire engagement through a fully remote process to save on the overall customer cost. The engagement lasted for a total of 45 days, from the beginning of the engagement to the completion of the client's goals and the delivery of recommendations for recovery and improvement.

The team began with an initial set of meetings to introduce the team and the methodology, as well as to identify the goals the client wanted to meet and understand the background of their security environment.

Once the malware sample was taken from the machine, the CISOSHARE team worked to develop a signature of the malware to hunt and eradicate any persistent versions of it living in the client network.

The team utilized a tool to establish a malware signature, which was then used to hunt for any traces of it that existed in the network. No additional malware instances were discovered, although the team monitored the network for 2 weeks and checked IPs that were hardcoded in the malware instance to ensure that there were no open connections or command-and-control servers in memory. No data was exfiltrated from the system.
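As an added example (not the tool or signature CISOSHARE used, and not part of the case study), here is a minimal version of the hunt described above: derive a hash signature and the hardcoded IP addresses from the sample, look for other files carrying the same hash, and check the active connection table for any of those addresses. The sample bytes, file paths and connection entries are constructed placeholders that use documentation address ranges.

```python
"""Hash-and-IOC hunt for a captured malware sample.

Added example, not CISOSHARE's tooling.  It derives two simple
indicators from a sample (its SHA-256 and any IPv4 strings embedded in
it), then checks a set of files for the same hash and a connection table
for the embedded addresses.  The sample bytes, file store and connection
table are all constructed for the demo; on a real host you would feed in
file contents and the output of a socket listing instead.
"""
import hashlib
import re

# Matches dotted quads not glued to other digits; the octet range is checked separately.
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def extract_ipv4_strings(blob):
    """Return distinct, syntactically valid IPv4 addresses found as ASCII in blob."""
    found = []
    for match in IPV4_RE.findall(blob):
        text = match.decode("ascii")
        if all(int(octet) <= 255 for octet in text.split(".")) and text not in found:
            found.append(text)
    return found


def hunt(sample, file_store, connections):
    """Look for copies of `sample` and for live connections to its hardcoded IPs."""
    signature = sha256_hex(sample)
    iocs = extract_ipv4_strings(sample)
    matching_files = sorted(path for path, data in file_store.items()
                            if sha256_hex(data) == signature)
    live = [c for c in connections if c["remote_ip"] in iocs]
    return {"sha256": signature, "hardcoded_ips": iocs,
            "matching_files": matching_files, "live_connections": live}


# --- Constructed demo data (documentation/test address ranges, not real infrastructure) ---
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"c2=203.0.113.45:443;backup=198.51.100.23;"
          + b"ver=999.1.1.1\x00")          # 999.1.1.1 is not a valid address and must be dropped
FILE_STORE = {
    r"C:\Users\clinic\AppData\Local\Temp\update.exe": SAMPLE,      # byte-identical copy of the sample
    r"C:\Windows\System32\calc.exe": b"MZ\x90\x00unrelated program",
}
CONNECTIONS = [
    {"local": "10.0.5.21:49731", "remote_ip": "203.0.113.45", "remote_port": 443, "state": "ESTABLISHED"},
    {"local": "10.0.5.21:49802", "remote_ip": "192.0.2.10", "remote_port": 443, "state": "ESTABLISHED"},
]

if __name__ == "__main__":
    for key, value in hunt(SAMPLE, FILE_STORE, CONNECTIONS).items():
        print(f"{key}: {value}")
```

A plain file hash only catches byte-identical copies; a real hunt pairs it with a content-based rule (YARA-style strings, imports or section hashes) so that repacked variants are not missed, and it checks the extracted addresses against firewall logs across the whole monitoring window rather than only the current socket table.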
Recovery and Improvements

During the investigation, the team noted gaps in logging and monitoring, as well as other areas for improvement in the client network; these were identified, recorded, and included in the go-forward plan.

The team discovered that, along with the improperly configured RDP restrictions on the second firewall, their firewalls overall were not retaining sufficient logs. Firewall logs were only retained for 2-week periods, meaning the initial attack that brought the firewall down was not captured. The client increased the retention period of their logs based on our team's recommendation.

During the investigation, the team also noted a lack of lateral segmentation and latency in moving between the servers, as well as tie-ins to different parts of the network that should have been more restricted.

As the incident response team conducted their investigation, we also ensured that the client's business was fully operational within a week of the start of our engagement. Based on the findings in the environment, the team gave strategic recommendations, including compliance with certain best practices in NIST 800-62.

Specific recommendations included creating a policy to rotate and change admin names and passwords through an identity management program, a more complete security architecture program to help understand and properly monitor logs, and lateral segmentation to prevent unrestricted access across different areas of the environment.

Results

CISOSHARE's incident response team was successful in eradicating, and validating the eradication of, remaining malware samples in the environment, including malware samples that had the potential to steal resources for bitcoin mining and compromise regulated patient records. The team was able to consider the business risk and impact in all the actions that the client requested in response to the incident.

Statistics

Ponemon 2018 Study

The research also recommends putting in place an incident response team. This, according to the study, can decrease the cost of a data breach by up to $14 per compromised record from the $148 average per-capita cost.

IBM Security and Ponemon Institute 2018 Report

Conclusion

Based on the data from the 2018 cost of a data breach study, being able to contain a breach in less than 30 days will save you more than USD 1 million compared to a company that does not.