Kemar Williams presented cyber incident response strategies including preparation, detection, analysis, and prevention of ransomware attacks. The presentation outlined organizing an incident response team and equipping them. It discussed monitoring for increased file renaming to detect attacks and using sacrificial network shares. Analysis involves determining the ransomware strain and scope of infection. Prevention strategies included email scanning, network segmentation, patching, and user training. Recovery involves restoring from backups and additional training.

1. Cyber Incident Response Proposed Strategies
Presented by:
Kemar Williams
Information Security Incident Response Management
University of Technology, Jamaica
September 23, 2017

2. www.opensecurityalliance.orgRGIT, Mumbai 02/24
IRP - Strategies
 IR Preparation
 Identify Attack Vectors
 How is the Attack Deployed
 Detection Strategies
 Analysis Strategies
 Prevention Strategies
 Email
 Network
 End User
 Recovery & Review

3. www.opensecurityalliance.orgRGIT, Mumbai 02/24
Incident Preparation
 Organize IR Operation Centre.
 Have end users and IR team members trained in responding to a ransomware.
 Prepare incident response contact list.
 Provide backup storage
 Provide supplies in the event od an incident:
 Notebooks & pens
 Laptops, Multifunction Printer, backup UPS and batteries
 Provide Software to:
• Perform Computer Analysis (anti-virus, anti-malware etc.)
• Recover data from infected hard drives.
• Recover password for locked computers
 Equip IR operation center with rations and petty cash
 Provide law enforcement contact numbers

4. www.opensecurityalliance.orgRGIT, Mumbai 02/24
Identifying The Attack Vectors
Fig. 1 Attack Vectors

5. How is The Attack Deployed
• Comes as an
email
attachment
• Often very
generic but
could include a
real vendor
name or even
your company
name.
• Once open,
ransomware
silently begins
encrypting all
the files it can
without any user
interaction or
notification
• Locks the user
screen
displaying a
ransom
notification with
an expiry date
• Payment is
usually in
bitcoins
• Paying ransom
increase risk of
future attacks

6. www.opensecurityalliance.orgRGIT, Mumbai 02/24
Detection Strategies
Detection:
 Setup a file activity monitoring application such as LANGuardian to:
 Detect both a real time and historical record of all file and folder activity the
network file shares.
 Monitor increase in file renames - When Ransomware strikes, it will result in
a massive increase in file renames as your data gets encrypted.
 Update Intrusion Detection System systems with exploit kit detection rules
 Create a sacrificial network share Drive
 When Ransomware strikes, it typically looks for local files first and then
moves onto network share drives.
 A sacrificial network share can act as an early warning system and also
delay the Ransomware from getting to your critical data
 Use client based anti-ransomware agents

7. Analysis and Documentation Strategies
After the detection of a ransomware infection the next step is the gathering information on
the incident by analyzing the scope of the attack. Depending on the type of ransomware
variant the following will be conducted:
 Disconnect and Quarantine infected computer(s)
 Determine the Scope of the Infection, Check the Following for Signs of Encryption
a. Mapped or shared drives
b. Mapped or shared folders from other computers
c. Network storage devices of any kind
d. External Hard Drives
e. USB storage devices of any kind (USB sticks, memory sticks, attached
phones/cameras)
f. Cloud-based storage: Drobox, Google Drive, OneDrive etc.
 Determine Ransomware Strain
a. What strain/type of ransomware? For example: CryptoWall, Teslacrypt etc.
 Determine Response
a. Now that you know the scope of your encrypted files as well as the strain of
ransomware you are dealing with, you can make a more informed decision as to
what your next action will be.

8. www.opensecurityalliance.orgRGIT, Mumbai 02/24
Analysis and Documentation Strategies – Cont’d
.
Emron Technologies Inc. Incident Reporting Form
LOCATION: NAME OF DEPT./DIVISION:
Employee Name: Ext No: E-MAIL ADDRESS:
Date of Incident: Time of Incident:
Who Notified: Time of Notification:
Brief Description of Incident:
No. Of Host Infected: ____________
Host IP Address: ____________
Operating system: ____________
Impact Level:
Severe
7
6
Major
5
4
3
Minor
2
1
Negligible 0
Reporting Staff Name: _________________ Signature: ___________________ Date: ______________
CISO Name: ________________ Signature: ___________________ Date: ______________

9. Prevention Strategies
Prevention – Email:
 Enable strong spam filters to prevent phishing emails from reaching the end
users and authenticate inbound email using
 Scan all incoming and outgoing emails to detect threats and filter executable files
from reaching end users.
 Scan and filter all downloads

10. Prevention Strategies – Cont’d
Prevention – Network:
 Segment the Network by creating VLANS
 This will contain the ransomware infection and slow down its propagation.
 Configure firewall to block access to known malicious IP addresses
 Patch operating systems, application software, and update firmware on network
devices. Consider using a centralized patch management system.
 Configure enterprise security suite to perform daily scans of the network and
endpoints automatically.
 Virtualize servers
 Maintain offsite backup of crucial key servers and data.

11. Prevention Strategies – Cont’d
Prevention – Network: Sacrificial Network

12. Prevention Strategies – Cont’d
Prevention – End User:
 Install anti-virus/antimalware software
 Recommend the use of google chrome instead of internet explorer.
 Disabling execution of scripts running in the browser
 Download and install Microsoft windows/security updates.
 Disable the use of thumb drives

13. Recovery and Review
Restore from backup (if possible)
 Now that you’ve contained the infection and put the rest of your users on guard, the
best way to fix your user’s computer without paying the ransom is to restore it from
your backup. Before you wipe the computer, however, make sure your backup is up-
to-date and that you have a good copy of that data. You don’t want to hit the nuke
button and realize your last backup was two months ago.
Training:
 Conduct training or existing and new employees to raise awareness of the risks of
ransomware attack vectors. Remind employees never to click on unsolicited links or
attachments. Emails from unknown sources should be treated with suspicion.

14. THE END