Posts tagged ‘incident response’

Ransomware: The race you don’t want to lose

September 9, 2016

In the race to detect and contain ransomware on their networks, many organizations fail before they are out of the gate. The reason has very little to do with technology and a great deal to do with process.

“But we bought all the good tools!”, such organizations protest. Good security technologies, implemented and optimized properly, are certainly one piece of the puzzle; however, organizations with large or small budgets can use good processes and procedures to narrow their attack surfaces.

As discussed in a blog written by Sean Mason of Cisco Security, organizations can be rated on their overall Threat Management Maturity by the level of capability they have in the categories of People, Process and Technology. Without documented processes and procedures, IT departments frequently rely on tribal knowledge and react to incidents in an ad-hoc fashion. Time to remediation is longer due to a lack of assigned roles and responsibilities and little or no pre-written, rehearsed action plans. In the case of ransomware, the time to remediation for some organizations can be the difference between staying in business and going under.

The question, then, is how best to prepare for ransomware infections that are becoming a daily occurrence for a majority of organizations. The answer is a runbook focused specifically on detecting, containing and remediating ransomware. At its simplest, a runbook is a series of steps to undertake when a specific incident occurs. This is considerably less complicated than developing a full Incident Response Plan (which doesn’t necessarily tackle the heart of the incident), and there are a number of good resources on the Internet to assist with the development of one.

To be effective, a ransomware runbook should address the following:

Detection

The ways in which a ransomware incursion could be identified on a network. For less mature organizations, this is usually an end-user notifying the helpdesk or local IT support person. It may also include IT team members recognizing an abnormal condition on a system they are responsible for. As organizations mature, this may also include alerts produced via security technologies or via centralized monitoring platforms (e.g.: SIEM).

Identification

Ransomware comes in a wide variety of types these days. To effectively contain a ransomware threat, it is imperative that it be identified properly. Actions in this section of the runbook would address the attributes of the suspected infection (e.g.: file extension, infection vector, files created, file owner). While time is of the essence during the hunt for patient zero in a ransomware investigation, improper identification can lead to incorrect containment steps.

Containment

This is commonly referred to as “stopping the bleeding” and involves making sure the active infection is contained or terminated so that damage to network systems is halted. In the case of ransomware, common containment steps are ensuring that the executable responsible for encrypting files is no longer able to run or to communicate out. The runbook should consider both host-based and network containment steps.

Analysis & Remediation

The inclusion and level of analysis in a runbook will largely depend on the level of capability an organization has. While full forensic analysis on a host is possible for some organizations, many do not have the skill set or time to engage in this level of investigation. Once containment has been validated, analysis may be as simple as running additional anti-virus or anti-malware scans on a host. Indeed, analysis may not even occur and the remediation step may simply be a re-image of the affected host.  A runbook should also include host and network remediation steps that address the initial infection vector, as well as how the malware was able to run on the host in the first place.
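One way to support the Detection and Identification steps above, as an added example that is not from the original post or from Cisco: a small Python check over constructed file-server audit events (timestamp, owner, path) that flags a burst of writes to one unfamiliar extension from a single account and reports the attributes the Identification step lists (extension, files created, owner). The extension allowlist, ransom-note name hints, share paths and account names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import os

# Constructed allowlist: extensions that are normal on this file share.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".pptx", ".jpg"}
# Constructed heuristic: substrings often seen in ransom-note filenames.
NOTE_HINTS = ("decrypt", "readme", "recover", "restore")


def detect_encryption_burst(events, window=timedelta(minutes=5), threshold=20):
    """events: iterable of (timestamp, owner, path) file-write records.
    Returns one finding per (owner, extension) pair that wrote `threshold` or
    more unfamiliar-extension files inside `window`, with the attributes the
    Identification step needs (extension, files created, owner, first write)."""
    by_key, notes = defaultdict(list), defaultdict(list)
    for ts, owner, path in sorted(events):
        name = os.path.basename(path).lower()
        ext = os.path.splitext(name)[1]
        if any(hint in name for hint in NOTE_HINTS):
            notes[owner].append(path)          # possible ransom note dropped
        if ext and ext not in KNOWN_EXTENSIONS:
            by_key[(owner, ext)].append((ts, path))
    findings = []
    for (owner, ext), writes in by_key.items():
        start = 0
        for end in range(len(writes)):
            while writes[end][0] - writes[start][0] > window:
                start += 1                     # slide window start to fit
            if end - start + 1 >= threshold:
                findings.append({"owner": owner,          # suspected patient zero
                                 "extension": ext,        # key for variant lookup
                                 "count": len(writes),
                                 "first_seen": writes[0][0],
                                 "sample": writes[0][1],
                                 "ransom_notes": notes.get(owner, [])})
                break
    return findings


def sample_events():
    """Constructed audit records: 25 .locked writes by jdoe in two minutes plus
    a ransom note, normal .docx activity, and a short .bak run by a backup job."""
    t0 = datetime(2016, 9, 9, 9, 0, 0)
    ev = [(t0 + timedelta(seconds=5 * i), "jdoe", f"/shares/finance/q3_{i}.xlsx.locked")
          for i in range(25)]
    ev.append((t0 + timedelta(seconds=130), "jdoe", "/shares/finance/HOW_TO_DECRYPT.txt"))
    ev += [(t0 + timedelta(minutes=i), "asmith", f"/shares/hr/memo_{i}.docx") for i in range(5)]
    ev += [(t0 + timedelta(minutes=i), "backupsvc", f"/shares/it/db_{i}.bak") for i in range(3)]
    return ev
```

The finding names the account and extension the runbook's containment steps act on; the three `.bak` writes stay below threshold, so a legitimate backup job is not flagged.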

A ransomware runbook, like any other runbook written to address a specific and known threat, should be written with the organization’s actual capabilities in mind. It should also be reviewed frequently and updated based on the new tactics, techniques and procedures that attackers may use as ransomware continues to evolve. A runbook will not stop all ransomware attacks; however, it will enhance an organization’s ability to respond and remediate faster and more efficiently.

The following is a list of prevention, mitigation and safeguard measures that organizations can take to reduce the impact of ransomware-based threats and incorporate into existing processes, procedures and architecture.

Ransomware Prevention, Mitigation and Safeguards

  • LAYERED HOST AND NETWORK-BASED SECURITY DEFENSES – Each system should be protected with DNS-layer protection to prevent devices from connecting to sites hosting ransomware, and with endpoint protection for detecting and preventing the latest ransomware variants. At an organizational level, strong email and web threat protection, in addition to network security (Intrusion Prevention Systems and Next-Generation Firewalls), should also be used to detect and prevent the latest ransomware variants.
  • PATCHING LIFE CYCLE – A patching cycle should be used to deploy updates to all systems for known Common Vulnerabilities and Exposures (CVE) in commonly used software such as, but not limited to: Adobe Flash, Adobe Acrobat, Microsoft Silverlight, Oracle Java, Microsoft Internet Explorer and Microsoft Office, where exploits can take advantage of programming errors and insecure code.
  • REMEDIATION/UPGRADE PLAN FOR UNSUPPORTED OS (Operating Systems) – Develop a remediation/upgrade plan for unsupported and unpatched operating systems, such as Windows XP, Windows 2000 and Windows 2003 systems, or consider the use of application whitelisting.
  • BACKUPS/CONTINGENCY PLANNING – A backup policy/contingency plan, procedure and technology for systems should be developed and used in the event that data on a system is lost.
This blog post was originally written for the Cisco Security Blog and was co-authored by Aaron Varrone.

SANS DFIR Summit 2014 Slides

June 12, 2014

Here is a pdf of the deck I presented at the SANS DFIR Summit 2014 in Austin last week.

Check out all the great presentations from the Summit here.

The Road to Lethality

February 25, 2013

My job is a busy one; much like everyone else I know. I work for a good company, have a very supportive boss and my team is amazing. But I would like more.

I work as an operational security analyst. That means that while my job includes Incident Response and a little bit of Digital Forensics, a great portion of it doesn’t. So how do I get better at DFIR? How do I learn new tools, get better at ones I already use and become the competent DFIR practitioner I want to be? These are a few ideas that I have and am using to get there.

Social Media

This was new to me until early 2012. I have generally shunned social media for several years now and I am fairly certain I’m one of the only people in the world without a Facebook profile. I created a Twitter account last year and started “listening” to the feeds of some big names I had heard of in the DFIR field. Then I attended a conference and began following folks I met there. This led me to follow more people recommended or re-tweeted by them, and, like the shampoo commercial, so on and so on.

So aside from the social aspect, since you will be shocked to discover social media is not always used for pure research pursuits, Twitter has afforded me the opportunity to pick up on new tools being released or older ones being updated, ask questions of the Twitterverse if I run into a “learning opportunity” I can’t resolve myself, or find links to blogs, articles or news items that enhance my knowledge. Which leads me to…

Industry/Peer Blogs

I started with some of the “biggies” (Bruce Schneier, Richard Bejtlich, Brian Krebs). These should be considered a must on a DFIR analyst’s daily or weekly reading list. Good big-picture overviews (and frequently A LOT more) of what is happening in our field by voices with the street cred to back up their opinions. Next, I found some amazing blogs by DFIR community members who are either building new tools as they find a need for them (check out the amazing peeps behind Volatility, Plaso and Cuckoo) or writing posts about how they use existing tools in the course of their work. I’ve been helped out more than once by reading a step-by-step guide someone wrote that I was able to apply to work I was doing (System Forensics – Patrick Olsen or JIIR – Corey Harrell). I have lofty ambitions that one day my own blogging will be considered requisite reading for newbies to the field, but I have miles to go before then, and several thousand tools to try out.

Virtualization and Open Source Tools

I might have said this before, but it bears repeating: I have a great and incredibly supportive boss.

I am currently building out a small but very functional security lab at my office (this may become a future blog) to help my team in our day to day work, but also to allow us to “play” with tools and technologies to become better than we are now.

I will be using virtual environments to make the most of the hardware we have, and taking advantage of the multitude of Open Source tools out there as our budget doesn’t stretch to commercial DFIR software (and besides, I like some of the Open Source stuff better).

But what about if you don’t have a great boss like me, you say? Well, the Open Source stuff is still the same price at home as it is when you use it in the lab at work. (Although we should try and support the creators of these tools if and when we can!) Secondhand hardware and a little ingenuity can a great little forensic workstation make. I turned my old Dell box at home into a virtual server which I run several virtual clients on. I also regularly acquire old hard drives from friends that may or may not have malware and run tools on them just for the learning of it (but please don’t tell my wife that the box labelled “car parts” in the garage is actually full of hard drives).

So you’re forensicating in your basement, and reading and blogging about your experiences but how else can you gain more exposure to the goodness that is DFIR?

Conferences and Volunteering

Training budgets are limited in any organization. We are lucky to receive any money at all some years, and most years we are limited to one training event or conference. So how do I get my boss to say yes? By taking advantage of the many volunteer or speaker opportunities that are available every year. Last year, I attended a 6-day course and the 2-day summit at the SANS DFIR Summit in Austin, TX, as I was lucky enough to be selected as a facilitator for both events. It was a tremendous experience, and with all the great speakers I heard, I was inspired this year to look for opportunities to actually present at a conference. As we speak, I am flying down to attend the RSA Conference 2013 in San Francisco. This is a pretty big conference, and I wasn’t sure I actually had something presentation-worthy to talk about as yet. However, I did have some questions I was curious about, so I wrote a proposal for a Peer2Peer (P2P) session that was subsequently accepted, and now I’m on my way to SFO with a full delegate pass in my hot little hands! I figure this is a great way to experience a (very) large conference at a price my boss couldn’t say no to, get my “presenting” feet wet by facilitating a P2P and take my next steps on the road to DFIR lethality.

To sum this up, there are quite a few articles written by folks smarter than me about how to break into the field and this post is just my take on my journey so far. If you liked it, let me know. If you have some ideas for me to take my journey farther, I’m all ears. If you want to meet my boss… BACK OFF AND GET YOUR OWN COOL BOSS!