9.2.1 Network Segments

Typically, the recovery environment requires at least three separate, isolated network segments:

• Clean network: Where the new, production environment will ultimately live. When you set up your “clean” network, make sure to minimize the attack surface by keeping services off and ports closed until they are needed. Never connect a potentially compromised system directly to your “clean” network.

• Dirty network: Where responders initially connect potentially compromised systems and/or data repositories that may contain malware. The “dirty” network should be fully isolated to the greatest extent possible. If you connect a compromised system to the Internet, an adversary may continue to siphon off data or add additional malware. To the greatest extent that you can, keep the dirty network contained. Assume that everything on it is compromised. If possible, systems on the “dirty” network should not be allowed to communicate with each other.

• Transition network: An intermediary subnet used for transferring data/systems between the clean and dirty networks. The transition network should be heavily instrumented and monitored, so that you can detect any unexpected malware or signs of residual compromise that may have been missed when the system was cleaned.

The precise architecture of your recovery environment will depend on your unique environment, resources, and needs. If you have the ability to segment your environment using separate virtual LANs (VLANs), this is an easy and effective approach. Recovering a cloud environment such as Azure or Amazon Web Services (AWS) can be surprisingly straightforward, since VLAN segmentation options are built in natively. At other times, it is necessary to put hands on cables and segment a network using IP addressing.

Often remote access is configured early on to support IT effort. In such a case, the access must be highly restricted and filtered, to minimize the risk of additional compromise and data exposure.

Whatever your strategy, take the time to think it through and document your setup before beginning the restoration process. Make sure to use a minimum of three separate environments, as outlined earlier: one for “dirty” systems, a transition environment for monitoring, and the final “clean” network.

9.2.2 Network Devices

The recovery environment can be much simpler than a full-scale production network. As a result, responders typically need only a few network devices to get it up and running.

If you are reusing network devices from the victim’s existing infrastructure, make sure to perform these actions:

• Back up the configuration and logs from each device prior to making changes.

• Simplify the configuration as much as possible to support the recovery environment only. Most of the time, you will want to erase the existing configuration (after backing it up) so that you start with a clean slate.

• Change any usernames/passwords or access strings. Make sure to select strong new credentials and store them securely.

• Configure the devices to support your recovery needs (i.e., three segments with limited Internet access). It is wise to start by denying all access between segments and to the Internet, and then grant access on a case-by-case basis. You will also want to configure support for detailed logging/monitoring.

Later, responders will update the network configuration to support a more complex architecture. For now, in the recovery phase, the primary goal is to create a secure, clean environment that will minimize the risk of reinfection or ongoing adversary access during the recovery process.

9.3.1 Goals of Monitoring

The importance of implementing an effective monitoring program quickly cannot be overstated. Without it, the victim may suffer additional compromises that could have been avoided by implementing appropriate detection capabilities. Monitoring is important both for short-term and long-term reasons:

• Short term: During the recovery process, responders aim to detect malware and other signs of compromise on the dirty network and the transition network, to ensure that they have effectively removed any threats from systems before they are moved to the clean network. This will reduce the risk of reinfection during recovery.

• Long term: An effective, ongoing monitoring program will reduce the risk of future compromise. This is especially important because, as previously discussed, after falling victim to a major cyber extortion event, the organization will typically remain at an elevated risk.

Quite often, the victim’s monitoring capabilities prior to the compromise were inadequate, which contributes to the risk. When that is the case, it is important to allocate additional budget and resources to design and implement effective monitoring.

9.3.2 Timing

Monitoring capabilities should be implemented as early as possible during the recovery process. The good news is that the beginning of the recovery process is often an ideal time to make major changes to the monitoring architecture, which might otherwise require scheduled downtime. For example, while network devices are being configured, responders have the opportunity to add logging and monitoring capabilities. There may even be a need to purchase some new network hardware, which can be carefully chosen to better support an integrated monitoring program. Since the environment is usually down during this time already, changes can be quickly tested without concern for impacting ongoing operations.

Likewise, as workstations and servers are rebuilt, the response team should consider adding or upgrading endpoint monitoring software so that it is consistently deployed and configured throughout the environment.

9.3.3 Components

An effective monitoring architecture relies on an integrated selection of complementary tools, which have been carefully chosen to provide visibility throughout the technology environment. The following areas typically should be monitored:

• Individual workstations and servers

• Network (internal and perimeter)

• Cloud

• Mobile devices

Here are some important components to include in a robust monitoring program:

• Antivirus software: Make sure that effective, properly licensed antivirus software is installed on all endpoint systems. This should include both signature- and behavior-based detection methods. Ensure that antivirus software runs regularly, updates frequently, and reports back to a central location.

• Flow records: These summaries of network traffic are typically already generated by network equipment, but not always collected. Flow records can be extremely useful for tracking malicious activity, identifying attempted lateral movements, and determining whether an adversary exfiltrated data.

• Intrusion detection/prevention system (IDS/IPS): These security products automatically detect and prevent threats. Host-based IDS/IPS are installed on endpoints, whereas network-based IDS/IPS are designed to monitor network traffic (network). To be effective, these tools typically need to be carefully tuned to detect threats relevant to the local environment and reduce false positives.

• Endpoint detection and response (EDR) software: EDR tools are designed for use by an experienced professional to hunt for malicious activity that can evade automated antivirus software. They are especially useful during the recovery process, as a means to identify more subtle malware on the dirty network and transition network, and to monitor the clean network carefully in the days and weeks following the recovery. The victim may or may not choose to integrate EDR and similar software into their environment on a long-term basis.

• Logs (including firewall logs, application logs, workstation logs, and cloud systems): All modern network devices, operating systems, and major applications are designed to output activity logs, which can be extremely useful for scoping security incidents. These can include authentication logs, records of privileged use, and even logs of specific commands. Make sure that you enable appropriate logging for your environment and collect logs in one central location to facilitate quick access.

• Centralized long-term storage and analysis: A centralized platform can be used to aggregate and analyze monitoring information from many sources, including all the sources just listed. Traditionally this is implemented as a SIEM or syslog server. Responders can access the centralized platform to obtain historical telemetry data and/or real-time, actionable intelligence regarding potential network threats and activities.

When selecting monitoring components, responders should consider both the immediate, short-term needs of the recovery process and the organization’s longer-term monitoring processes. Whenever possible, components should be selected to support the recovery process as well as the organization’s long-term needs, so as to minimize waste and use resources as efficiently as possible.

9.3.4 Detection and Response Processes

Setting up a monitoring program isn’t enough: Humans need to actively review alerts and investigate suspicious activity. All too often, organizations invest heavily in monitoring tools, only to skimp on the human resources required to actually analyze the intelligence and respond.

Monitoring needs to be maintained at all steps during the recovery—and beyond. It is critical during the first days and weeks, when the likelihood of an ongoing malware infection or compromise is high. Even after the recovery phase has passed, monitoring must continue as part of the daily hygiene of the technology environment. It is a new normal. (See Section 10.3.4 for more details about establishing continuous monitoring processes on a long-term basis.)

9.5.1 Domain Controllers

It’s usually a good idea to start by recovering the DCs. They must be up and running if you are to properly manage your users, permissions, devices, policies, access controls, and more.

Unfortunately, because DCs are so critical, they are often targeted by the adversary. Access to a DC gives hackers the keys to the kingdom—access to all user settings, all access controls, and more. If there is any system that can traverse individual VLANs, it is the DC.

Responders must balance two competing interests: the need to get the DCs up and running fast and the risk that they may be compromised. It is wise to assume your DCs are compromised unless you have very strong evidence to the contrary. If you restore an infected DC, you will almost certainly have to rebuild the network again a second time. Play it safe and do not trust the integrity of your DCs.

Here are steps to restore a DC that may be compromised:

1. Preserve evidence. Image the whole operating system if you can. That way, you can check carefully for signs of compromise and trace the adversary’s access after the fact. Capture RAM and other volatile evidence, if possible.

2. Export data. Extract key data from the old DC, including users, groups, group policies, and any other items that your specific domain configuration will require.

3. Audit the configuration. Adversaries often add user accounts or leverage misconfiguration/lax permissions. Carefully review all accounts and remove any that are unnecessary or suspicious. Tighten permissions and align them with a zero-trust model whenever practical.

4. Change all passwords. Adversaries often steal passwords with the aim of breaking into the environment or moving laterally. A full, immediate, system-wide password reset is the safest approach. This includes every account, from system administrators to users. Ensure that old passwords cannot be reused.

5. Do a Kerberos reset. Adversaries will frequently compromise Kerberos tokens to elevate their privileges and maintain persistence. Responders should include a full Kerberos reset and the revocation of active access tokens. This can be done via PowerShell from the DC.

6. Build the new system. If possible, use new hard drives for high-priority systems to speed the recovery. Otherwise, wipe and reinstall the operating system to ensure that no malware remains. Then import key data from the old DC, after it has been carefully audited and updated.

7. Restore key network services. If your DC will be responsible for DNS or WINS services, begin configuration of the services so that servers and workstations in the following steps can connect to each other without requiring a static IP address.

Start by following these steps for your primary DC, and then replicate this process to build your secondary DCs. It is a time-consuming process—but far less time-consuming than dealing with a reinfection.

If the victim chooses not to fully rebuild the DC and instead opts to restore using the existing software:

• Follow the steps from Section 9.4 to minimize risk of a residual infection on the system.

• Audit the configuration and change passwords, as described in this section.

• Perform a double Kerberos reset from the DC to avoid a “golden ticket” attack.²

  2. Mike Pilkington, “Kerberos in the Crosshairs: Golden Tickets, Silver Tickets, MITM, and More,” SANS (blog), November 24, 2014, www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/.

9.5.2 High-Value Servers

The next step is to connect the victim’s high-value servers to the domain. These are the key devices and applications that the organization needs to operate. They will be different for each organization, but typically include the following servers:

• Database servers

• Application servers

• Other peripheral servers

Take a measured and planned approach. Start by identifying high-value servers, and then recover as discussed in Section 9.4. Ensure that high-value servers are restored in a hardened, secure configuration, so as to minimize risk.

In many cases, the system may include complex dependencies that are not well documented. For example, the database server may need to be brought online first, before an application server is brought online. Review any existing documentation prior to attempting restoration, so as to minimize roadblocks. If a full map of connected servers, their dependencies, and overall network connections is not available, now is a great time to create one that can be referred to later if problems present themselves.

9.5.3 Network Architecture

Up to this point, the recovery process has been conducted using a simple skeleton network designed specifically to facilitate restoration, with multiple segments that support monitoring and isolate potentially compromised systems. Once the core servers have been brought online and verified to be clean, it is typically a good time to fully restore the overall enterprise network that will support normal operations. This includes adding segments for workstations and servers, implementing port forwarding, establishing internal NAT, setting up VPNs, and so on.

When bringing the network online, most responders reuse existing hardware, though they may supplement it with additional purchases as needed to support upgrades. The first decision to make is whether network devices need to be fully rebuilt or simply audited and updated. For expediency, the less you need to fully rebuild, the better. However, this convenience always needs to be balanced with risk. If there is a risk that a network device was subjected to unauthorized access, you may want to do a factory reset and reconfigure the device.

Whichever you choose:

• Back up the device configuration. This is important for two reasons: (1) It can help you revert changes as needed and (2) it is important evidence that can be later used to support the investigation. See Chapter 5 for more details.

• Collect any logs that may reside locally on the device.

• Change device passwords and access strings to minimize the risk of ongoing compromise.

• Check the configuration to identify any suspicious rules.

• Configure the new device. If you are reusing existing configurations, audit them carefully to identify any suspicious rules or insecure configurations and update as needed.

Take a zero-trust approach whenever possible. As you design and configure the network, consider the scenario in which an adversary has access to a compromised workstation or server. A well-designed network architecture can limit the spread of compromise, slow down the attacker, and facilitate early detection.

9.5.4 Workstations

The victim’s fleet of workstations is normally the last part of the infrastructure to fully come back online. Up to this point, only the workstations needed to configure essential services and collect evidence have been available. Now it’s time to bring the remaining devices back online—a process that presents unique challenges due to the number of new devices that need to be cleaned and transferred. This is where the rubber hits the road.

If possible, it’s best for responders to create new workstations using a “golden” image installed on a completely formatted hard drive. It might be tempting to just start plugging in the workstations that were already on the network, but spending appropriate time here greatly reduces the chances of a follow-on infection. Computers that were potentially exposed to malicious activity during the cybersecurity incident may have undiscovered malware, backdoors, vulnerable configuration, outdated patches, and other security risks. The golden image created to build new systems should already be up-to-date on security patches, have antivirus software preinstalled, and be hardened against exploitation.

If the victim opts to bring previously active workstations back on to the network without installing a fresh operating system, make sure to install and run updated antivirus and monitoring software prior to connecting the workstations to the production network.

It’s a good idea to bring workstations online in stages. Connecting too many simultaneously can overwhelm your monitoring capabilities and malicious activity might be missed. Here is a sample order for prioritizing your workstation recovery:

1. Mission-critical personnel: Workstations used by critical IT and support staff. These members of the organization may be responsible for additional network and server configurations, technical support, or other essential tasks.

2. Executives: High-level members of the executive staff, who need to take priority. These members of the organization are responsible for maintaining business operations, making high-impact decisions, and guiding the overall direction of the organization. This step also takes pressure off IT staff members, who have undoubtedly been bombarded with questions from executives about when their workstations will be back online.

3. Secondary IT staff: Members of the organization who are responsible for lower-level user support. These users will need to be in place and ready when the primary workforce comes online so issues with performance and configuration can be addressed without removing resources from the response team.

4. Other mid/high-level staff members: Members of the organization who are necessary for maintaining day-to-day operations. This group will typically include departmental managers, service dispatchers, administrative support staff, and others who require system access to maintain organizational flow.

5. Everyone else: The remaining members of the organization, who may not require full access to the network as a part of their job duties. These users rely on the system only for tasks like email, general communication, and other tasks that can either be completed without network access or are not time sensitive.

Breaking the workstation recovery into these stages enables responders to test, maintain, and correct monitoring issues, antivirus alerts, connection issues, and other potential network problems. Any workstations that show indications of malicious activity need to be immediately removed from the production network and quarantined. If malware is discovered, antivirus and monitoring software can be configured with updated signatures to prevent further activity. The isolated workstation should be given to responders for evidence preservation, formatting, and installation of a new operating system.

9.6.1 Transferring Data

Data recovered from a “dirty” (or potentially compromised) system needs to be tested and verified before it is restored to the production environment. This careful transfer is accomplished in different ways depending on where the data in the dirty system is located. Data is commonly transferred using one of the following methods:

• Physical data transfer: Data contained on physical devices in the network can be moved by transferring the data to external media (e.g., USB-connected storage) or by physically moving the drives containing data to the transition network.

• Virtual device storage: Virtual hard drives containing data can be moved to a transition segment within the virtual environment by disconnecting them from their virtual host and attaching them to a scanning system. Do not move live virtual machines out of the dirty network if possible.

• Cloud storage: Data contained within cloud archives can be downloaded to the transition network for scanning and verification. The data can be uploaded again after scanning is complete.

The separation between the transition environment and the clean environment should be maintained at all times. After data is scanned on the transition network, it can be moved to the clean network, assuming that no malicious items were detected. The clean network should then be monitored closely to ensure that no indicators of malicious activity are present. Make every effort possible to avoid cross-contamination.

The way data is reintroduced to the production network needs to be planned for the purposes of efficiency, as well as risk reduction. Responders will potentially be moving terabytes of data into the new environment, and just starting a top-to-bottom copy operation can take a significant amount of time. Prioritize data that has high value or is necessary for business operations first. Items such as older archived files, backup data, or other elements of the filesystem that are not immediately needed can be placed at the back of the line.

9.6.2 Restoring from Backups

If backup files are available and intact, then restoring from backups is typically the preferred approach. This is normally done right after evidence is collected.

Unfortunately, restoring from backups is not always a quick process. If your network is virtualized and you can just roll back to a previous snapshot, this will often take significantly less time than a bare-metal restoration—but it will still take time. If you have cloud-based backups, the time needed to download those backups must be factored into the recovery timeline. Some backups may be very large and will take time to prep. Responders also need media with enough space to house the files during this process.

Another consideration is the integrity of the backups. It is always wise to assume that the victim’s backups may be infected, even if responders are relatively sure they date from a time prior to the system’s compromise. An adversary could have been accessing the environment for months before deciding to pull the trigger on their extortion plot, so the backups may be laced with malware or otherwise compromised. Restoring the environment to a compromised state opens the door for a follow-on infection and the negation of all the progress made to this point.

Finally, the age and frequency of the backups need to be evaluated. In almost any restoration from backups, some data loss will be encountered. Responders need to decide if the amount of data lost is significant enough to trigger a change in the recovery strategy.

9.6.3 Current Production Systems

In some cases, data may still be intact on segments of your network. If the adversary was unable to fully access systems, or for whatever reason did not destroy everything, the victim may be able to simply collect the data from various sources. This does not mean you can just plug unencrypted data repositories back into the production environment, however.

This data needs to be evaluated for the presence of malicious files, as well as for integrity and completeness. Remember, any data being transferred from the dirty environment to the clean production environment should be treated as if it is potentially infected.

A data inventory should always be part of your overall response program. If data was corrupted, deleted, or otherwise compromised, responders should document any missing items and adjust the recovery plan accordingly.

9.6.4 Re-creating Data

An often-overlooked method of data recovery is the manual reentry and re-creation of data. In organizations that maintain paper copies of sensitive data, such as hospitals, the opportunity may exist to add this data back to the digital storage in the network by hand. This data may be recovered from multiple sources:

• Paper files

• Archive media (CDs, DVDs)

• Interviews with users/clients

• Other sources (e.g., does a patient have records on file at a different nearby hospital?)

This can be a very long and tedious process. If your intention is to re-create your data in this manner, consider hiring a data entry firm to do the job for you. It may cost your organization money to hire them, but your staff will be free to do their normal jobs and the time it takes to complete the process will likely be much shorter.

9.7.1 Overview of the Decryption Process

The decryption process can be divided into an easy-to-follow series of subtasks, with each providing its own unique benefit and potential tripping point. Responders need to pay close attention at each phase to make sure that appropriate steps are being taken. A missed item on the response checklist can cause delays, issues with data integrity, and other much worse issues. Overall, the steps for decryption can be broken down like this:

1. Obtain a decryptor.

2. Test the decryptor.

3. Decrypt! (Use an isolated dirty network.)

4. Transfer data to the transition network.

5. Verify integrity.

6. Check for malware.

7. Transfer data to the production network.

In Section 9.2.1, the concept of separated networks was introduced as a key aspect of the recovery environment. The dirty, clean, and transition components described in that section are the primary network segments that will be used to facilitate decryption, file verification, and final transfer to the clean network. Responders need to keep the following principles in mind throughout the process:

• The decryptor should never touch the clean network.

• Data decrypted from the dirty network should not move directly to the clean network.

• Data types extracted from the dirty network after decryption should not include executable applications unless new versions of the application cannot be installed.

• Data from the transition network should not move to the clean network prior to completion of multiple passes of virus and malware scanning and verification.

• No network communication should exist between any of the three network segments. All data should be transferred through the use of removable media such as external hard drives.

9.7.2 Types of Decryption Tools

Decryption tools can come from a variety of sources, including the adversary, antivirus or anti-malware vendors, other victims, or law enforcement. However, not all tools can be trusted. Here is a look at the different types that may be available.

9.7.3 Risks of Decryption Tools

If you do obtain a decryption tool from an adversary and intend to use it, keep in mind that there are no guarantees that it will work correctly. In fact, the tool may be deliberately designed not to work as advertised. You’ll need to take precautions to ensure that you don’t accidentally make a bad situation worse.

Here are some potential risks to consider when using an adversary’s decryption tool:

• Secondary infection

• Data corruption

• Delays

9.7.4 Test the Decryptor

Before using the decryptor on real data, responders should thoroughly test and analyze the software. This step is necessary to ensure that any potential adverse effects associated with the software can be identified and compensated for prior to making any changes to essential files within the infected network. Failure to complete this step can lead to severely adverse effects, including potential malware reinfection and data corruption.

Testing the decryptor involves two steps:

1. Check for malicious or unexpected behavior.

2. Test functionality in an isolated environment.

If the decryptor does not function as expected, responders can take steps to modify the decryptor, or simply change tactics. In some cases, a skilled programmer may be able to decompile and remove the malicious components of the software. A more likely outcome will be that you as the responder need to be aware of the behavior and compensate for it by blocking outbound traffic to a suspicious IP address or taking other steps to neutralize the malicious activity.

9.7.5 Decrypt!

Stage the data to be decrypted on a host within the dirty network. This data can consist of complete computer systems or simply subsets of data that are deemed to be a priority for recovery efforts. Backed-up data should not be connected. The data to be decrypted should be a copy of the original.

Next, execute the decryptor and observe its activities. It should be obvious within a few seconds if the decryptor is functioning as intended. If files are not decrypting, stop the utility and verify that the environment is configured correctly and the proper decryptor for the specific target data is being used (if more than one decryptor has been provided). Significant time can be saved by troubleshooting early instead of waiting for a full decryption cycle to complete before identifying issues.

Decryption is not particularly difficult, but it can be time consuming. It is important that proper expectations are set with management and tech staff on the amount of time it will take to complete decryption.

Remember, while an adversary may provide you with the software to decrypt your files, they have likely not put much time into optimizing this software. Plan your decryption efforts around critical data first, then move on to less important items.

9.7.6 Verify Integrity

Make sure the files you’ve recovered are complete and accurate. In most cases, changes made to files during the encryption process cannot be fully identified before the files are decrypted. That means the adversary responsible for encrypting the files could have potentially altered the contents of impacted files or planted malicious software in the file structure prior to encryption.

If the original file listing from the impacted hosts is available, verify that filenames, sizes, and any other pieces of metadata that can be identified are accurate. If these data points are not available, you will need to open the files and inspect them. If they have decrypted properly, standard file viewers should open the file contents without issue. Test a random assortment of files and file types to verify, to the greatest extent possible, that they are usable.

Be aware that custom file types, large files, database files, and other items may not decrypt correctly. Some ransomware variants will add padding or other data to files during the encryption process that may cause issues with proper recovery after decryption. If files are encountered that do not properly decrypt, copy the encrypted versions from your data backup and attempt decryption again. If the files are still not usable, you may need to contact the vendor that created the software for assistance.

9.7.7 Check for Malware

First, transfer the decrypted data to the transition network. This task is essential to maintain the integrity of the clean network. For physical networks, this may involve copying the data to external media for transfer and scanning. For virtual networks, a responder can copy the data to a mounted drive, disconnect the drive from the dirty host, and reconnect the drive to the transition host as an additional disk. This also gives the responder the opportunity to select only the data that is necessary for reintroduction to the clean network. This can greatly speed up the recovery process by eliminating unnecessary file transfer and scanning time. If the data is not needed, leave it on the dirty system and move on.

Much like decryption software, any data that has been impacted by a ransomware attack should be treated as a potential point of reinfection. The risk of infection from non-executable programs is low, but significant enough that additional verification is needed. Connect the decrypted data to the transition network and scan it with multiple antivirus software applications. If available, scan the data with both signature- and behavior-based antivirus software. The transition network should also be monitored closely at this point to determine if any malicious activity has managed to escape the dirty network.

9.7.8 Transfer Data to the Production Network

Once the data has been scanned and tested, you can begin moving the data to your production network. This process should follow the steps for transferring data to the transition network outlined in Section 9.7.7. Once data has been returned, continue monitoring for any signs of malicious activity. Malware can be very good at avoiding detection when observation times are short.

Step 1: Build Your Victim

Choose one characteristic from each of the three columns to describe your victim’s organization:

Step 2: Choose Your Incident Scenario

Select from one of the following incident scenarios:

Step 3: Discussion Time

Your victim organization must recover from their extortion event. Given what you know about the victim and the scenario, answer the following questions:

1. What are four types of activities commonly included in the cyber extortion recovery process?

2. Describe one reason why responders might want to back up critical configuration files and data before making changes in this situation.

3. How long should the victim monitor their environment to ensure that it is secure?

4. Describe two potential long-term effects of the incident, along with ways that the victim can address them.

5. Name one topic that you recommend the victim organization discuss during a postmortem analysis.