Checklist A

Cyber Extortion Response

Here is a quick, high-level checklist for responding to a cyber extortion incident. The steps are meant as a guide; specific response needs will vary from case to case. Tasks in this checklist often occur simultaneously and should not be taken as a linear process. Immediately following each item on the checklist, you’ll find the section number (in parentheses) where you can find more detailed information. Note that this checklist will evolve over time; see the authors’ website for the latest version.

The Crisis Begins

The following activities are normally initiated immediately after an incident is discovered.

  • Activate incident response processes. (4.2)

  • Involve the appropriate people and appoint an incident manager who will maintain responsibility for oversight of the response, communication, and status. (4.3)

  • Conduct triage to evaluate and assess the current state, understand the victim’s recovery objectives, and determine appropriate next steps. (4.4)

  • Assess your resources, including budget, insurance coverage, sources of evidence, staff, technology, and documentation. (4.5)

  • Develop an initial response strategy, a living document that will guide your process. (4.6)

    • Establish goals that are realistic and aligned with the organization’s priorities. (4.6.1)

    • Create an action plan, by enumerating key milestones and tasks. (4.6.2)

    • Assign responsibilities for each task in the action plan. (4.6.3)

    • Estimate timing, work effort, and costs and share these with the leadership team. (4.6.4)

  • Communicate with stakeholders including the response team, affected parties, and the public. (4.7)

Containment

During the containment phase, responders need to halt malicious activities and ensure the adversary is locked out of the environment as quickly as possible. Here are common actions taken during the containment process:

  • Gain access to the environment, either through physical means or carefully restricted remote access.

  • Halt malicious encryption/data deletion.

    • Change file access permissions. (5.3.2.1)

    • Remove power from the impacted hosts. (5.3.2.2)

    • Kill the malicious processes. (5.3.2.3)

  • Disable persistence mechanisms such as monitoring processes, scheduled tasks, and automatic startup scripts. (5.4)

  • Halt data exfiltration. (5.5)

    • Check alerts, logs, and outbound network traffic for signs of suspicious outbound communications.

    • Block suspicious outbound network traffic at the perimeter firewall, or an intermediary internal firewall if available.

    • Block access to any cloud services or file-sharing sites used by the adversary to transfer data.

    • Disallow the use of utilities such as FTP applications, PowerShell, and WinSCP if not necessary.

    • Restrict data repository access by modifying permissions, roles, and application configurations as appropriate.

    • Remove any email forwarding rules that were created by an adversary.

    • Consider cutting off all network traffic as a temporary measure.

    • Take other steps to block data exfiltration as appropriate.

  • Resolve denial-of-service attacks. (5.6)

  • Lock out the hackers. (5.7)

    • Kill remote connection services. (5.7.1)

    • Reset passwords for local and cloud accounts. (5.7.3)

    • Audit and remove any newly created accounts. (5.7.3)

    • Roll out multifactor authentication. (5.7.4)

    • Restrict perimeter communications. (5.7.5)

    • Minimize third-party access. (5.7.6)

    • Mitigate risks of compromised software. (5.7.7)

  • Hunt for threats. (5.8)

    • Use threat hunting tools such as endpoint detection and response (EDR), security information and event management (SIEM), and vulnerability scanners to hunt for signs of suspicious activity.

    • Remove suspicious hosts or virtual machines (VMs) from the environment.

    • Deactivate unexplained or malicious user accounts.

    • Disable newly installed or suspicious software applications.

    • Eradicate any other sources of potential threats.

    • Generate signature data for any identified threats and update security solutions to leverage new information.
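The "halt data exfiltration" and "lock out the hackers" steps above both come down to reading logs quickly under pressure. The script below is an added example (not from the book) that runs two of those checks over constructed sample data: it lists accounts created since the incident started and whether they were added to Administrators, and it flags outbound flows to destinations outside an allow list or above a volume threshold. The log line formats, account names, and addresses are assumptions made for the example.

```python
"""Containment triage helpers over constructed log samples (added example)."""
from collections import defaultdict

# Constructed Windows Security log lines. Event 4720 = user account created,
# 4732 = member added to a local group. The flat "key=value" layout is an
# assumption for this example, not a real export format.
ACCOUNT_LOG = """\
2023-05-01T02:11:08 4720 subject=CORP\\jsmith target=CORP\\svc_backup2
2023-05-01T02:11:15 4732 subject=CORP\\jsmith target=CORP\\svc_backup2 group=Administrators
2023-04-02T09:30:00 4720 subject=CORP\\hr_admin target=CORP\\new_hire
"""

# Constructed firewall flow summaries: "src dst:port bytes_out" (assumed format).
FLOW_LOG = """\
10.0.5.21 203.0.113.44:443 4831209811
10.0.5.21 198.51.100.7:22 1200
10.0.9.4 192.0.2.10:443 32000
"""


def accounts_created_since(log, incident_start):
    """Return accounts created at/after incident_start (ISO timestamps compare as strings)
    and whether each was subsequently added to the Administrators group."""
    created = {}
    for line in log.splitlines():
        ts, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if event == "4720" and ts >= incident_start:
            created[kv["target"]] = {"by": kv["subject"], "admin": False}
        elif event == "4732" and kv["target"] in created and kv.get("group") == "Administrators":
            created[kv["target"]]["admin"] = True
    return created


def suspicious_outbound(log, allowed_dst, byte_threshold):
    """Sum bytes per (src, dst) and flag flows to non-allow-listed hosts or above threshold."""
    totals = defaultdict(int)
    for line in log.splitlines():
        src, dst, nbytes = line.split()
        totals[(src, dst)] += int(nbytes)
    return sorted(
        (src, dst, n) for (src, dst), n in totals.items()
        if dst.split(":")[0] not in allowed_dst or n > byte_threshold
    )


if __name__ == "__main__":
    print(accounts_created_since(ACCOUNT_LOG, "2023-04-30T00:00:00"))
    print(suspicious_outbound(FLOW_LOG, {"203.0.113.44", "192.0.2.10"}, 1_000_000_000))
```

Both functions return structured results rather than printing, so they can feed a ticket or a block list once the responders have verified the hits.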

Investigation

“Investigation” refers to the process of systematically uncovering facts about the incident, so as to inform response processes, reduce risk, and ensure that the victim meets obligations. In cyber extortion cases, this typically includes the following tasks:

  • Research the adversary to gather actionable intelligence that may guide the response. (6.1)

  • Scope the incident to understand the full extent and impact; document your findings for use by the team and third parties involved in the response. (6.2)

  • Determine if a formal breach investigation will be required, based on legal, regulatory, and contractual obligations. (6.3)

  • Preserve evidence from sources such as security software and devices, ransom notes, system artifacts, and authentication logs. (6.4)

Negotiation

Victims might decide to communicate with the adversary in an effort to reduce ransom amounts, buy time to recover data, reveal information about the adversary, and bring the extortion attack to a resolution. Here is a guide to the negotiation process, along with tips for the negotiator:

  • Establish negotiation goals before you start so that communications are aligned with your budget, timeline, and information security needs. (7.2)

  • Consider possible outcomes and how you would respond to each. (7.3)

  • Identify and prepare the communication medium(s) you will be using, based on the information shared by the adversary. (7.4)

  • Understand common pressure tactics and prepare stakeholders for possible communications from the adversary outside of normal channels. (7.5)

  • Choose an experienced negotiator who understands the importance of tone, timeliness, and trust. (7.6)

  • Make first contact with the adversary. (7.7)

  • Identify which information the victim will (and will not) share with the adversary. (7.8)

  • Review and avoid common mistakes. (7.9)

  • Obtain “proof of life” that demonstrates the adversary is able to deliver on their promises. (7.10)

  • Ask for discounts (respectfully). Most cyber extortionists expect to haggle over the price. (7.11)

  • Close the deal, by agreeing on a price, form of payment, timing, and deliverables received in return. (7.12)


TIP: Tips for Cyber Extortion Negotiators

  • Maintain a neutral professional tone throughout all communications.

  • Provide brief but factual information.

  • Require “proof of life.”

  • Don’t pretend the victim is someone they are not.

  • Don’t try to trick the adversary.

  • Don’t respond with anger or blame.

  • Don’t make unrealistic promises.

Payment

If the victim considers making a payment, here is a general overview of the process:

  • Decide whether to pay, considering the pros and cons of both options. (8.1)

  • Notify the appropriate parties of a potential ransom payment, such as the victim’s insurance company, and identify any requirements or constraints. (8.1)

  • Understand the forms of payment accepted by the adversary, as well as any surcharges for nonpreferred currency types. (8.2)

  • Ensure payment is not prohibited. Conduct due diligence to determine whether the recipient is associated with a sanctions nexus, and document carefully. (8.3)

  • Engage a payment intermediary to facilitate the ransom payment. (8.4)

  • Be aware of common timing issues, including funds transfer delays, insurance approval hurdles, and fluctuating cryptocurrency prices. Plan carefully to minimize the risk of timing impacts. (8.5)

  • After the payment is made, confirm receipt, request the promised deliverables, notify government agencies or other parties as appropriate, and properly account for the payment. (8.6)

Recovery

As the victim restores their environment, it’s important to follow a carefully planned process to prevent permanent loss of data or reinfection. These steps are a guide to work toward fully restored operations:

  • Back up important data, such as configuration files and data repositories (including encrypted data in ransomware cases). (9.1)

  • Build your recovery environment using a segmented network to avoid cross-contamination. (9.2)

  • Set up monitoring and logging to ensure that you have visibility to detect signs of malicious activity, both during the recovery process and long term. (9.3)

  • Establish your process for restoring individual computers, making sure to address evidence preservation, restoration of functionality, malware eradication, risk mitigation, and monitoring. (9.4)

  • Restore the production environment based on a prioritized plan. (9.5)

  • Restore data (carefully), whether from backups, collection from production systems, re-creation, or decrypted files. (9.6)

  • Decrypt encrypted data if necessary, using a methodical process designed to minimize risk. (9.7)

  • Maintain an effective response on a long-term basis as needed, to address lawsuits, regulatory investigations, public relations needs, and other chronic effects. (9.8)

  • Adapt by conducting a postmortem, updating documentation, and improving the cybersecurity program. (9.9)
