Information for IT staff: First aid in the event of a serious IT security incident

Note

In January 2020, the German Federal Office for Information Security (BSI) published a working paper describing the orderly handling of a serious security incident by the responsible IT personnel.

This information is aimed at IT personnel, not end users.

The original publication can be found here: Ransomware First Aid.pdf. The document comprises 28 pages.

Please note: in the event of an IT emergency, please always inform the CIO of TU Braunschweig and the Gauß-IT-Zentrum at the e-mail address informationssicherheit(at)tu-braunschweig.de and/or the IT Service Desk by telephone (0531-391-)555555.

Introduction

From the foreword:

The catalog of measures for emergency management is primarily aimed at managing directors and IT managers in small and medium-sized companies - regardless of the level of existing IT expertise. You can use this help to get started with emergency management. Additional resources and contact options are pointed out at suitable points - also in the event that you need support for dealing with IT emergencies.

Comprehensive emergency management is not limited to the failure of information technology (IT) resources, but also considers the failure of personnel, infrastructure (e.g. buildings and facilities) and service providers. The catalog of measures focuses on IT emergencies and divides the selected measures into four phases: preparation, preparedness, management and follow-up. All points are formulated in an action-oriented manner.

Content


Measures

  • Keep calm and do not act hastily.
  • Set up a crisis team (or a project group).
  • Regularly clarify the following questions:
    • Who does what, and by when?
    • Which day-to-day tasks can be put aside to free up people for handling the incident?
    • Who makes the relevant decisions?
    • Should systems be restored quickly, or should evidence (traces) be preserved first? Reinstalling destroys evidence, so decide this before touching affected systems.
    • Who communicates what, to whom, and when?
    • Do you want to press charges?
  • Think about reporting obligations.
  • Get external support at an early stage if necessary.
  • Data that is needed for short-term emergency operations may also be held at remote offices or on the systems of employees on vacation that are not (yet) affected.
  • Top rule: Under no circumstances should privileged accounts (local or domain administrator accounts) be used to log on to a potentially infected system while it is still in the internal production network or connected to the Internet! Credentials used on a compromised host must be assumed stolen, and a domain administrator logon is exactly what the attacker needs to reach the domain controllers.
  • Potentially infected systems should be isolated from the network immediately to stop the malware from spreading further through lateral movement.
    • To do this, unplug the network cable (and disable any wireless interfaces).
    • Do not shut down or power off the device: the contents of RAM (running processes, open network connections, in some cases the encryption keys) are lost on shutdown.
    • If necessary, create a forensic backup including a memory image for later analysis (by your own staff, a service provider, or law enforcement).
  • Identify the malicious program(s). For ransomware, the sites “No More Ransom” and “ID Ransomware” can help. If a decryption tool already exists for the ransomware family, it will be shown there; the probability of this is low, however.
    • In some cases the name of the ransomware appears in the ransom note that is usually displayed, or it is appended to the encrypted files as a file name extension.
    • You can then find information on known ransomware families using common search engines.
  • The malware sometimes makes far-reaching (security-relevant) changes to the infected local system that cannot simply be undone.
  • The BSI therefore generally recommends that infected local systems be considered completely compromised and reinstalled from a known-good image.
  • Advanced malware such as Trickbot spreads laterally in the network using stolen credentials for user accounts (possibly with administrative rights).
    • Be aware of the “golden ticket” problem and of compromised domain controllers and server systems (reset Active Directory and all domain-joined systems).
    • If this is not possible quickly, the password of the built-in Key Distribution Service account (KRBTGT) must be reset twice, because the KDC still accepts tickets encrypted with the previous KRBTGT key after a single reset. The double reset invalidates all golden tickets created with the previously stolen KRBTGT hash, and all other Kerberos tickets as well, so users and services have to re-authenticate. Carry out the second reset only after the first has replicated to all domain controllers. See Kerberos_Golden_Ticket_Protection.pdf, in particular chapter 3.2.
  • All credentials stored on affected systems or entered after the infection should be considered compromised, and the passwords changed.
    • This includes web browsers, e-mail clients, RDP/VNC connections and other applications such as PuTTY, FileZilla, WinSCP, etc.
  • Block all non-essential remote connections, monitor network traffic, and run anti-virus scans to rule out further infections and continued attacker access.
  • Check whether you have clean, intact backups, and that they are out of the attacker's reach (offline or otherwise inaccessible from the compromised network).
  • If encryption has already taken place, do not respond to the extortion and do not pay a ransom. Instead, restore the data from backups into a clean, rebuilt network.
  • Persistence of malware in the BIOS/UEFI firmware or even in hardware is very rare and, as of the paper's publication, had not been observed in widely distributed malware.
  • To prevent the perpetrators from regaining access to the internal network and the malware from spreading again, the network should be completely rebuilt if the AD is compromised. If a quick clean-up is needed first to restore operations, the full rebuild can also be carried out afterwards, once operational capability has been ensured.
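The following example is added here for the identification step above (ransom note and appended file extension); it is not part of the BSI paper or of this page. It triages a share or a mounted forensic image read-only from a clean analysis host: it ranks the extensions of recently written files (the ransomware's extension normally dominates) and finds files with identical content dropped into many directories, which is how ransom notes are usually placed. The path `E:\image\Users` and the function name are assumptions.

```powershell
# Added example (not from the BSI paper or the TU Braunschweig page): read-only triage
# of a share or mounted forensic image to find the appended extension and the ransom
# note. Run from a clean analysis host, never with domain-admin credentials.
# $Root is a hypothetical path; point it at the mounted image or the affected share.

function Get-RansomwareTriage {
    param(
        [Parameter(Mandatory)][string]$Root,          # e.g. 'E:\image\Users' (hypothetical)
        [datetime]$Since = (Get-Date).AddHours(-24),  # only files written since then
        [int]$MinDirectories = 5                      # a note is dropped into at least this many folders
    )

    $files = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
             Where-Object { $_.LastWriteTime -ge $Since }

    # 1) Which extensions dominate the recently written files? Ransomware typically
    #    appends one new extension to every encrypted file, so it rises to the top.
    $extensions = $files |
        Group-Object -Property Extension |
        Sort-Object -Property Count -Descending |
        Select-Object -First 10 -Property Name, Count

    # 2) Ransom notes have identical content in many directories. Hash the small
    #    text/HTML files and keep the hashes that recur across enough folders.
    $notes = $files |
        Where-Object { $_.Length -gt 0 -and $_.Length -lt 64KB -and
                       $_.Extension -in @('.txt', '.html', '.htm', '.hta') } |
        ForEach-Object {
            [pscustomobject]@{
                Hash      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Name      = $_.Name
                Directory = $_.DirectoryName
            }
        } |
        Group-Object -Property Hash |
        Where-Object { @($_.Group.Directory | Select-Object -Unique).Count -ge $MinDirectories } |
        ForEach-Object {
            [pscustomobject]@{
                Hash        = $_.Name
                FileName    = (@($_.Group.Name | Select-Object -Unique) -join ', ')
                Directories = @($_.Group.Directory | Select-Object -Unique).Count
                Sample      = Join-Path -Path $_.Group[0].Directory -ChildPath $_.Group[0].Name
            }
        }

    [pscustomobject]@{
        TopExtensions = $extensions
        RansomNotes   = $notes
    }
}

# Hypothetical usage:
# $t = Get-RansomwareTriage -Root 'E:\image\Users' -Since (Get-Date).AddDays(-2)
# $t.TopExtensions | Format-Table
# $t.RansomNotes   | Format-Table
# Get-Content -Path $t.RansomNotes[0].Sample -TotalCount 20   # read the note, look up the family name
```

The extension and the note's file name are what you then search for on No More Ransom, ID Ransomware or a search engine; the script deliberately does not try to name the family itself, since that list changes constantly.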
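The KRBTGT double reset described above, as an added example that is not part of the BSI paper or of the cited CERT-EU document. It assumes the RSAT ActiveDirectory module, a Domain Admin session on a clean admin host that is joined to the affected domain, and that all writable domain controllers are reachable; function names are assumptions. The replication check between the two resets is the part that matters: the second reset is only safe once every DC has the first new key, and it is the second reset that finally invalidates tickets issued under the stolen key.

```powershell
# Added example (not from the BSI paper or the CERT-EU paper): double reset of the
# KRBTGT account with a replication check in between. Assumes the RSAT ActiveDirectory
# module and a Domain Admin session on a clean admin host in the affected domain.
# Note: AD replaces whatever password value is supplied for krbtgt with its own random
# value, so the secret generated below only has to satisfy policy.
# Read-only DCs use their own krbtgt_<id> accounts, which this script does not touch.

Import-Module ActiveDirectory

function New-RandomSecret {
    # 48 random bytes, Base64-encoded: nobody ever types this value.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-KrbtgtPassword {
    param([Parameter(Mandatory)][string]$Server)   # always write on the PDC emulator
    Set-ADAccountPassword -Identity 'krbtgt' -Reset -NewPassword (New-RandomSecret) -Server $Server
    (Get-ADUser -Identity 'krbtgt' -Server $Server -Properties PasswordLastSet).PasswordLastSet
}

function Wait-KrbtgtReplication {
    # Poll every DC until its copy of krbtgt carries the new PasswordLastSet.
    param(
        [Parameter(Mandatory)][string[]]$DomainControllers,
        [Parameter(Mandatory)][datetime]$ResetTime,
        [int]$TimeoutMinutes = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $pending = foreach ($dc in $DomainControllers) {
            try {
                $u = Get-ADUser -Identity 'krbtgt' -Server $dc -Properties PasswordLastSet
                if ($u.PasswordLastSet -lt $ResetTime) { $dc }
            } catch {
                # An unreachable DC (for example one that was isolated) counts as not converged.
                "$dc (unreachable)"
            }
        }
        if (-not $pending) { return $true }
        Write-Warning ("Still waiting for replication on: " + ($pending -join ', '))
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$dcs    = (Get-ADDomainController -Filter * -Server $pdc).HostName

# First reset: from now on the KDC accepts tickets under the new key and the old (stolen) one.
$first = Reset-KrbtgtPassword -Server $pdc
if (-not (Wait-KrbtgtReplication -DomainControllers $dcs -ResetTime $first)) {
    throw 'First KRBTGT reset has not replicated everywhere; do not perform the second reset yet.'
}

# Second reset: the stolen key is now two generations old and no longer accepted. Every TGT
# issued before the first reset, golden tickets included, is invalid and clients re-authenticate.
$second = Reset-KrbtgtPassword -Server $pdc
Wait-KrbtgtReplication -DomainControllers $dcs -ResetTime $second | Out-Null
Write-Host "KRBTGT reset twice (at $first and $second)."
```

Expect a wave of re-authentication (and some service restarts) after the second reset; with the default maximum TGT lifetime of 10 hours, spacing the two resets by at least that long reduces disruption for legitimate clients, but during an active intrusion the priority is removing the attacker's key, so the script only waits for replication.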
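For the credential-rotation step above (browsers, e-mail clients, RDP/VNC, PuTTY, FileZilla, WinSCP), the following added example, which is not from the BSI paper or this page, inventories the credential stores of those tools on an affected host so that every target and account that has to be rotated ends up on one list. It is meant to be run against a copy of the user's registry hive and profile taken from the forensic image (loaded with `reg load`), which avoids the administrative logon on the infected machine that the top rule forbids; the hive name `HKU\Suspect`, the image paths and the function name are assumptions. Stored passwords are intentionally not decoded; browsers and e-mail clients keep their secrets under DPAPI and are not covered here.

```powershell
# Added example (not from the BSI paper or the page): list the targets and user names held in
# the credential stores named in the BSI list, so each one can be rotated. Preferred use is
# against a hive copied out of the forensic image (hypothetical paths):
#   reg load HKU\Suspect E:\image\Users\alice\NTUSER.DAT
#   Get-StoredCredentialTargets -HiveRoot 'Registry::HKEY_USERS\Suspect' `
#                               -AppData  'E:\image\Users\alice\AppData\Roaming'
# Passwords are not extracted; browsers/e-mail clients (DPAPI-protected) are not covered.

function Get-StoredCredentialTargets {
    param(
        [string]$HiveRoot = 'HKCU:',          # or Registry::HKEY_USERS\<loaded hive>
        [string]$AppData  = $env:APPDATA      # or the Roaming folder inside the image
    )
    $result = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Source, $Target, $User)
        $result.Add([pscustomobject]@{ Source = $Source; Target = $Target; User = $User })
    }

    # mstsc: one subkey per host, the last user name in UsernameHint
    $rdp = Join-Path -Path $HiveRoot -ChildPath 'Software\Microsoft\Terminal Server Client\Servers'
    Get-ChildItem -Path $rdp -ErrorAction SilentlyContinue | ForEach-Object {
        & $add 'RDP' $_.PSChildName (Get-ItemProperty -Path $_.PSPath).UsernameHint
    }

    # PuTTY saved sessions: HostName and UserName values
    $putty = Join-Path -Path $HiveRoot -ChildPath 'Software\SimonTatham\PuTTY\Sessions'
    Get-ChildItem -Path $putty -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        & $add 'PuTTY' $p.HostName $p.UserName
    }

    # WinSCP saved sessions: a non-empty Password value means the credential was stored
    $winscp = Join-Path -Path $HiveRoot -ChildPath 'Software\Martin Prikryl\WinSCP 2\Sessions'
    Get-ChildItem -Path $winscp -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $user = if ($p.Password) { "$($p.UserName) (password stored)" } else { $p.UserName }
        & $add 'WinSCP' $p.HostName $user
    }

    # FileZilla site manager: XML with Host/Port/User and an optional base64 Pass element
    $fz = Join-Path -Path $AppData -ChildPath 'FileZilla\sitemanager.xml'
    if (Test-Path -Path $fz) {
        [xml]$xml = Get-Content -Path $fz -Raw
        foreach ($s in $xml.SelectNodes('//Server')) {
            $user = if ($s.Pass) { "$($s.User) (password stored)" } else { $s.User }
            & $add 'FileZilla' "$($s.Host):$($s.Port)" $user
        }
    }

    # Windows Credential Manager can only be listed from a live session of that user
    if ($HiveRoot -eq 'HKCU:') {
        cmdkey /list 2>$null | ForEach-Object {
            if ($_ -match '^\s*Target:\s*(.+)$') { & $add 'CredentialManager' $Matches[1].Trim() '(see cmdkey)' }
        }
    }

    $result | Sort-Object -Property Source, Target
}

# Hypothetical usage in a live, non-privileged session of the affected user:
# Get-StoredCredentialTargets | Format-Table -AutoSize
```

Treat every row as a credential the attacker may hold: rotate the account on the target system, not only on the affected client, and add the targets to the list of hosts to check for attacker logons.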