Advisory Published - October 2021

Important Advisory/Best Practices - Sept 2021

Date: 10/18/2021 >> BlackMatter Ransomware

Recommendation:

  • Use multi-factor authentication
  • Implement Detection Signatures
  • Use Strong Passwords
  • Patch and Update Systems
  • Limit Access to Resources over the Network
  • Implement Network Segmentation and Traversal Monitoring
  • Use Admin Disabling Tools to Support Identity and Privileged Access Management
  • Implement and Enforce Backup and Restoration Policies and Procedures

Critical Security Vulnerability Summary - October 2021

Critical List:


Date: 10/04/2021 >> CVE-2021-41773 | Apache HTTP Server | Version Impacted: 2.4.49 and 2.4.50 | Vulnerability | Active Exploitation | PoC

Date: 10/12/2021 >> CVE-2021-40449 | Windows Vulnerability | Active Exploitation | PoC

Advisory Published - September 2021

Important Advisory/Best Practices - Sept 2021

Date: 09/28/2021 >> Selecting and Hardening Remote Access VPNs

Recommendation:

  • Configuring strong cryptography and authentication
  • Running only strictly necessary features
  • Protecting and monitoring access to and from the VPN
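
The three points above can be turned into a repeatable check. The following is an added example, not part of the advisory: it lints a remote-access VPN server configuration for weak cryptography, unnecessary features and missing monitoring. The advisory names no product, so OpenVPN server directives are assumed as the illustration, and both configurations (a weak one beside a hardened one) are constructed for the example, as are the thresholds in the policy sets.

```python
"""Lint a remote-access VPN server config for the three points above (added example).

The advisory names no product; OpenVPN server directives are used as the
illustration, and both configs are constructed for the example.
"""

# Assumed policy for this check (not from the advisory).
STRONG_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
STRONG_AUTH = {"SHA256", "SHA384", "SHA512"}
# Features a remote-access VPN rarely strictly needs; each one widens exposure.
RISKY_FEATURES = {
    "client-to-client": "lets clients reach each other through the server",
    "duplicate-cn": "allows one certificate to be shared by many clients",
    "management": "exposes a control interface",
}

# Constructed weak configuration (not a real deployment).
WEAK_CONFIG = """
port 1194
proto udp
dev tun
cipher BF-CBC
auth SHA1
client-to-client
duplicate-cn
management 0.0.0.0 7505
verb 1
"""

# Constructed hardened configuration; file paths are placeholders.
HARDENED_CONFIG = """
port 1194
proto udp
dev tun
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
tls-crypt /etc/openvpn/tc.key
verb 3
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log 10
"""


def parse_config(text):
    """Return {directive: [args]} with '#'/';' comments stripped; last wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            key, *args = line.split()
            conf[key] = args
    return conf


def lint_vpn_config(text):
    """Return a list of findings; an empty list means the config passes."""
    conf = parse_config(text)
    findings = []

    # 1. Strong cryptography and authentication
    if "data-ciphers" in conf:
        ciphers = set(conf["data-ciphers"][0].upper().split(":"))
    elif "cipher" in conf:
        ciphers = {conf["cipher"][0].upper()}
    else:
        ciphers = set()
        findings.append("crypto: no data-ciphers directive; set it explicitly")
    weak = sorted(ciphers - STRONG_CIPHERS)
    if weak:
        findings.append(f"crypto: weak data cipher(s) {', '.join(weak)}")
    auth = conf.get("auth", [""])[0].upper()
    if auth not in STRONG_AUTH:
        findings.append(f"crypto: HMAC auth is {auth or 'unset'}; use SHA256 or stronger")
    if float(conf.get("tls-version-min", ["0"])[0]) < 1.2:
        findings.append("crypto: tls-version-min below 1.2")
    if "tls-crypt" not in conf and "tls-auth" not in conf:
        findings.append("crypto: control channel lacks tls-crypt/tls-auth")
    if conf.get("verify-client-cert", [""])[0] == "none":
        findings.append("auth: clients are not required to present certificates")

    # 2. Only strictly necessary features
    for feature in sorted(RISKY_FEATURES):
        if feature in conf:
            findings.append(f"features: {feature} enabled ({RISKY_FEATURES[feature]})")

    # 3. Protecting and monitoring access to and from the VPN
    if int(conf.get("verb", ["0"])[0]) < 3:
        findings.append("monitoring: verb below 3; too little detail to audit connections")
    if "log" not in conf and "log-append" not in conf:
        findings.append("monitoring: no log/log-append file configured")
    if "status" not in conf:
        findings.append("monitoring: no status file for live connection tracking")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", lint_vpn_config(cfg) or "no findings")
```

The check reads the configuration rather than the running daemon, so it can run in a pipeline before a change is deployed; the policy sets at the top are where an organisation would encode its own cipher and logging standard.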


Date: 09/22/2021 >> Conti Ransomware Advisory

Recommendation:

  • Use multi-factor authentication.
  • Implement network segmentation and filter traffic.
  • Scan for vulnerabilities and keep software updated.
  • Remove unnecessary applications and apply controls.
  • Implement endpoint and detection response tools.
  • Limit access to resources over the network, especially by restricting RDP.
  • Secure user accounts.
  • Keep backups.



Critical Security Vulnerability Summary - September 2021

Critical List:


Date: 09/23/2021 >> CVE-2021-20034 | SonicWall SMA100 series | BUG | NO Active Exploitation

Date: 09/21/2021 >> CVE-2021-22005 | VMware vCenter Server/Cloud Foundation | Version Impacted 7.0, 6.7 | BUG | Active Exploitation

Incident Response (IR) Guidelines

"IR planning is the key element in taking the necessary actions when an incident is triggered by a security breach. This can assist in faster remediation and recovery from a security threat."

Incident Response Cycle


Preparation

Policy Creation

    • The policy should contain statements that provide authority for incident response, assign responsibility to the IR team, describe the role of individual users, and state organizational priorities.

Building PPP (Plan/Process/Procedures)

    • The plan is needed to organize things, meet requirements and improve coordination.
    • The process streamlines incident handling and escalation to the correct team/department.
    • Develop a procedure (playbook) that describes the steps individuals will follow in the event of a specific type of cybersecurity incident.

Communication

    • List of the correct individuals to reach out to during the incident (can also be based on severity)
      • Internal: within the organization
      • External
        • Customers
        • Public Relations/Media
        • ISP/Vendors
        • Law Enforcement/Regulatory requirements

Technical

    • Building strong cybersecurity defenses to reduce the likelihood and impact of future incidents. 
      • Backup running
      • Network Equipment (FW)
      • AV Installed
      • Logs collection/retention
      • Packet capture
      • Permissions
      • NTP
      • SIEM

Testing/Training

    • Security Awareness and security programs to non-technical staff
    • Technical Certification /Courses /learning provided to IT professionals.
    • Practice makes perfect: testing that simulates live conditions.

Documentation

    • Everything needs to be recorded so that it can be referenced.

Detection & Analysis

24x7 Monitoring and Alerting

    • SIEM - Logs (Physical & Cloud)
    • Network Traffic (IDS/IPS)
    • Antivirus

Vulnerabilities

    • Internal/External Scans

People

    • Insider Threat

Incident Investigation

“Analysis is often more art than science and is very difficult work.”

    • Finding odd behaviour/anomalies and documenting all the related information.
    • Reverse Engineering
    • Note all the actions taken on the incident findings.
    • Determine Severity Level Classification.
    • Next steps based on the incident severity/impact and investigation outcomes.
    • Notification (As per preparation phase - communication)

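The investigation steps above (spot the anomaly, record the evidence, classify severity, decide next steps, notify) can be exercised on SIEM data. The following is an added example, not part of this guideline: it triages a handful of constructed log events, records the evidence behind each finding so the note can go straight into the incident record, and maps severity to an assumed next step. The event format, the failed-login threshold and window, and the severity-to-action table are all assumptions for the illustration, and the addresses are documentation ranges rather than real hosts.

```python
"""Triage constructed SIEM-style events into severity levels (added example).

Not from the guideline: the log lines, field format, thresholds and the
severity-to-action mapping are all assumptions made for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a key=value format; the addresses are
# documentation ranges, not real hosts.
SAMPLE_LOGS = """\
2021-10-18T02:00:01Z host=srv01 event=login_failed user=admin src=203.0.113.7
2021-10-18T02:00:03Z host=srv01 event=login_failed user=admin src=203.0.113.7
2021-10-18T02:00:05Z host=srv01 event=login_failed user=admin src=203.0.113.7
2021-10-18T02:00:06Z host=srv01 event=login_failed user=admin src=203.0.113.7
2021-10-18T02:00:08Z host=srv01 event=login_failed user=admin src=203.0.113.7
2021-10-18T02:00:09Z host=srv01 event=login_failed user=admin src=203.0.113.7
2021-10-18T02:00:11Z host=srv01 event=login_ok user=admin src=203.0.113.7
2021-10-18T02:01:30Z host=srv01 event=account_created user=svc_backup2 src=203.0.113.7
2021-10-18T09:15:00Z host=ws22 event=login_failed user=alice src=10.0.5.4
2021-10-18T09:15:40Z host=ws22 event=login_ok user=alice src=10.0.5.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed detection threshold and window.
FAILED_THRESHOLD = 5
WINDOW = timedelta(minutes=2)

# Assumed next steps per severity, mirroring the "notification as per the
# preparation phase" step: who is told and what happens to the host.
NEXT_STEPS = {
    "medium": "keep monitoring; notify SOC on-call",
    "high": "isolate the host; notify the IR lead",
    "critical": "isolate the host; snapshot it for evidence; notify IR lead, management and legal",
}


def parse_logs(text):
    """Parse matching lines into dicts with a datetime; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return events


def failed_login_burst(failures):
    """Return the end time of the first run of FAILED_THRESHOLD failures that
    fits inside WINDOW, or None. `failures` must be sorted by time."""
    for i in range(len(failures)):
        j = i
        while j < len(failures) and failures[j]["ts"] - failures[i]["ts"] <= WINDOW:
            j += 1
        if j - i >= FAILED_THRESHOLD:
            return failures[j - 1]["ts"]
    return None


def triage(events):
    """Group events by source, flag anomalies and classify their severity.

    Severity rules (assumptions): a failed-login burst is 'medium'; a burst
    followed by a successful login from the same source is 'high'; a new
    account created from that source after the success is 'critical'.
    Every finding carries the evidence it rests on, so it can be recorded
    as-is in the incident notes.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["ts"])
        burst_end = failed_login_burst([e for e in evs if e["event"] == "login_failed"])
        if burst_end is None:
            continue
        severity = "medium"
        evidence = [f"{FAILED_THRESHOLD}+ failed logins from {src} within {WINDOW}"]
        success = next((e for e in evs if e["event"] == "login_ok" and e["ts"] >= burst_end), None)
        if success:
            severity = "high"
            evidence.append(f"successful login as {success['user']} on {success['host']} at {success['ts']:%H:%M:%S}")
            created = next((e for e in evs if e["event"] == "account_created" and e["ts"] > success["ts"]), None)
            if created:
                severity = "critical"
                evidence.append(f"account {created['user']} created on {created['host']} afterwards")
        findings.append({"src": src, "severity": severity, "evidence": evidence,
                         "next_step": NEXT_STEPS[severity]})
    return findings


if __name__ == "__main__":
    for f in triage(parse_logs(SAMPLE_LOGS)):
        print(f["severity"].upper(), f["src"], "->", f["next_step"])
        for line in f["evidence"]:
            print("   ", line)
```

The single failure from the second source never reaches the threshold, so it produces no finding; the escalation from medium to critical happens only when the later events chain off the same source, which is the kind of context an analyst needs written down before deciding on isolation.
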
Containment, Eradication, & Recovery

Isolation/Segmentation

    • Shut down a system, disconnect it from a network, or disable certain functions.
      • Isolation/containment is recommended, to learn the behaviour and keep the evidence intact.
    • Sinkhole and redirect malicious network traffic to a sandbox segment.

Please Note: Plan on evidence gathering after isolation/containment; it can be necessary for various purposes depending on impact/severity (for example, snapshots of the system).

Removal

    • Scan for and manually delete malware, remove it completely, and disable accounts.

Sanitization/Reconstruction/Backup

    • Rebuild to a known-good state
    • Patching
    • Permission reviews
    • Restoration of services and verification of logging

Documentation

    • Confirmation that all the infected hosts are in a known-good state

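Confirming that a rebuilt host is back in a known-good state is easier when the known-good state was captured as a file manifest during preparation. The following is an added example, not part of this guideline: it builds a SHA-256 manifest from a trusted tree and then compares a rebuilt host against it, reporting modified, missing and unexpected files. The directory layout and file contents are constructed in a temporary directory purely for the demonstration.

```python
"""Verify rebuilt hosts against a known-good file manifest (added example).

Assumptions: a manifest produced from a trusted golden image maps relative
paths to SHA-256 digests; anything added, missing or changed is reported.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk a tree and record relative POSIX path -> sha256 for every file."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_against_manifest(root, manifest):
    """Compare a rebuilt tree with the known-good manifest.

    Returns sorted 'modified', 'missing' and 'unexpected' lists plus a
    'known_good' flag that is True only when all three are empty.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "known_good": not (modified or missing or unexpected),
    }


def demo():
    """Constructed scenario: a golden tree, then a rebuilt host that drifts."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp) / "golden"
        host = Path(tmp) / "host"
        for base in (golden, host):
            (base / "etc").mkdir(parents=True)
            (base / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
            (base / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        manifest = build_manifest(golden)
        clean = verify_against_manifest(host, manifest)
        # Introduce drift: a changed config, a missing file and a leftover binary.
        (host / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (host / "etc" / "hosts").unlink()
        (host / "tmp").mkdir()
        (host / "tmp" / "leftover.bin").write_bytes(b"\x00" * 16)
        dirty = verify_against_manifest(host, manifest)
        return clean, dirty


if __name__ == "__main__":
    clean, dirty = demo()
    print("before drift:", clean)
    print("after drift: ", dirty)
```

The manifest should be generated from the golden image and stored outside the hosts it describes, so a compromised machine cannot rewrite its own baseline; the "unexpected" list is the one that most often exposes leftovers after a cleanup.
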
Post-Incident Activity

Lessons Learned

    • Recommendations
    • Improving security measures and the incident handling process
    • Using Collected Incident Data
      • Risk Assessment
      • Controls/implementations
      • Actual Root Cause
    • Rewrite policies and procedures
    • Damage

Evidence Retention/Incident Data

    • See NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, for additional information on preserving evidence.

Checklist

    • List for Verification/Review/Confirmation (table format)

Report

    • Summary Report

Information Sharing

    • Coordination and level of information (technical/non-technical)


References

[1] CompTIA CySA+ Study Guide (CS0-002)
[2] NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf