Uploaded by MuhammadSalahuddien
About This Presentation
Aftermath Review for BSI Ransomware Incident 2022
Language: en. Added: Jun 26, 2024. 34 slides.
Slide Content
The Aftermath: Post-Incident Analysis and Evaluation
Step #1: Learn from Global Experiences. Adapted from the article "Why Financial Services Ransomware Is Dangerous" by Tracy Rock, Director of Marketing at INVENIO IT. Confidential 24/06/2023 1
Sophos Ransomware Report, 2022 (source: The State of Ransomware in Financial Services 2022):
55% of financial services organisations were hit by ransomware at least once
51% of attacks succeeded in encrypting data
52% paid the ransom
96% paid by insurance
99% got some of their data back
10% got all of their data back
62% recovered within a week
$1.6 million average damage cost
SOC Radar Threat Landscape Report, 2022 (source: "Around 50 Ransomware Attacks Targeting Financial Institutions"): possible state-sponsored APT groups active against the finance industry.
Lessons learned: how to prevent
Cybersecurity training: Phishing is one of the three most common initial access vectors for ransomware. With proper training, businesses can give employees the skills to recognise suspicious messages and URLs, reducing the risk of this particular form of attack.
File-access restrictions: Businesses often give users access to files they do not need, which puts a larger quantity of data at risk when an infection occurs, because ransomware encrypts everything the compromised account can write to. Grant each user access only to the files required for their day-to-day responsibilities.
Firewalls, filters and anti-malware: These controls should do the heavy lifting of keeping ransomware and other threats out of the network. If a malicious file does get in, a strong anti-malware solution can stop the threat before it executes or spreads.
Patches and updates: Outdated or unpatched systems are welcome mats for ransomware. Even systems viewed as more secure are vulnerable to threats such as Linux ransomware if they are not regularly patched and updated.
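The file-access point above is easiest to act on with a concrete audit. The following is an added example, not code from the presentation or from CSIRT.ID: it builds a small constructed file share in a temporary directory (an assumption; on a Windows file server the same idea applies to NTFS and SMB share ACLs) and reports every entry any local user could modify, plus how many files sit under a world-writable directory. A world-writable directory without the sticky bit lets any account delete or replace every entry in it, so all files beneath it count as data at risk even when the files themselves are read-only.

```python
import os
import stat
import tempfile


def build_sample_share():
    """Create a constructed sample share in a temp directory (assumption:
    a POSIX host). Returns the root path."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    dirs = {"finance": 0o750, "public": 0o755, "scratch": 0o777}
    files = {
        "finance/payroll.xlsx": 0o640,   # restricted, as it should be
        "public/handbook.pdf": 0o644,    # world-readable but not writable
        "scratch/notes.txt": 0o666,      # world-writable file
    }
    for rel in dirs:
        os.makedirs(os.path.join(root, rel))
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample content\n")
        os.chmod(path, mode)
    for rel, mode in dirs.items():       # directory modes last, so files can be created
        os.chmod(os.path.join(root, rel), mode)
    return root


def audit_tree(root):
    """Walk `root` and report entries any local user could modify.

    Returns {"world_writable": [relative paths], "files_at_risk": count}.
    A file is at risk if it is world-writable itself or lives in a
    world-writable directory that lacks the sticky bit.
    """
    world_writable = []
    files_at_risk = 0
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dmode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        dir_exposed = bool(dmode & stat.S_IWOTH) and not (dmode & stat.S_ISVTX)
        if dir_exposed and rel_dir != ".":
            world_writable.append(rel_dir)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):   # judge symlinks by their target elsewhere
                continue
            fmode = stat.S_IMODE(st.st_mode)
            if fmode & stat.S_IWOTH:
                world_writable.append(os.path.relpath(path, root))
            if dir_exposed or fmode & stat.S_IWOTH:
                files_at_risk += 1
    return {"world_writable": sorted(world_writable), "files_at_risk": files_at_risk}


if __name__ == "__main__":
    result = audit_tree(build_sample_share())
    for entry in result["world_writable"]:
        print("world-writable:", entry)
    print("files at risk:", result["files_at_risk"])
```

Point `audit_tree()` at a mounted share to get the same report for real data; the findings list is what a least-privilege clean-up should work through first.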
Lessons learned: how to respond
Avoid paying the ransom: The Federal Bureau of Investigation (FBI) strongly recommends that businesses not make ransom payments, because there is no guarantee that data will be restored and payment encourages further attacks. Ransom payments can also have other negative effects, including sanctions exposure and increased cyber insurance premiums.
Report the attack: Businesses in the financial sector are under strict data privacy regulations and can face severe fines if they do not report an attack when it occurs. Make sure to notify the proper authorities quickly if your systems are breached.
Rely on robust disaster recovery solutions: An effective Business Continuity and Disaster Recovery (BCDR) system is essential for recovering from a ransomware attack. BCDR solutions with features such as backup virtualisation and rapid rollback help minimise downtime and data loss. Smaller business units with limited resources can implement cost-saving alternatives with smaller storage capacities and still achieve an equivalent level of protection.
Step #2: Review Previous Actions. Adapted from the article "The Ransomware Problem: How Financial Institutions Can Mitigate Reputational Risk" by Jamie Singer, Senior Vice President, Advisory, Chicago.
Is your internal communication effective? Communicating in a timely and consistent manner with employees must be an immediate priority in the aftermath of a ransomware incident, because they are likely to be affected the most. Workers may not be able to do their jobs if they cannot log into their workstations or reach files or email from mobile devices. Specifically, employees need prompt instructions on whether to stay off the corporate network, hand in their devices for scanning, or work remotely rather than coming into the office. And if the attack affects customers and vendors, employees will likely be the first ones asked what to do. Simply reaching employees is a challenge if corporate email is down, so leadership needs a safe and efficient alternative channel as soon as possible. Consider establishing DRP facilities with a cold site ready. To shorten any blackout, companies should proactively set up and test an off-network means of communicating with employees, including the incident response team, which cannot afford to be left in the dark.
Did you thoughtfully communicate with impacted stakeholders as soon as possible? Depending on the scope of the attack and how long it will take to restore normal operations, organisations should think carefully about how much information to share. If a financial firm's email system is locked down but the firm can still process transactions and reach customers by phone, it could "break itself into jail" by communicating publicly about the incident. Institutions are advised to communicate proactively with those affected if: (i) they are legally required to (personal or sensitive data has been compromised); (ii) there is a significant impact on operations that could affect customers; or (iii) they are receiving a significant volume of inquiries or complaints from external stakeholders (media, customers and investors). In these cases it is important to inform stakeholders, particularly those directly impacted, to demonstrate accountability and control the public narrative.
Did your incident response team, legal, forensic, operations and PR work in lockstep? As with any data security incident, a company crippled by an attack must ensure its internal functions work together. One mistake is not looping the communications team in on critical restoration or investigatory updates; another is other functions blocking the communications team from releasing timely information. Giving the communications team insight into the legal, forensic and operational sides of the response ensures that all messaging is accurate and minimises legal and reputational risk. It is also imperative to weigh all legal, IT, operational and reputational ramifications when deciding whether to pay a ransomware extortionist. For instance, if the attack is likely to stop the firm from conducting business for an extended period, payment may look like the best option for preserving customer trust, especially if the cost is covered by the organisation's cyber insurance policy. At the same time, paying may embolden the attackers to hold out for more.
Do you have a plan for the possible outcomes? Entities hit by a ransomware attack are often put in the uncomfortable position of communicating publicly before understanding the incident's full scope and impact. There are typically several unknowns in the immediate aftermath of detection, including: (i) whether personal and sensitive data was affected or exfiltrated; (ii) whether the organisation will be able to negotiate and reach agreement with the attackers; and (iii) how long it will take to restore operations, either by restarting and then securing the affected systems or by switching over to a backup system. To be better prepared, organisations should build scenarios for each of these outcomes into the incident response plan, including internal and external communications strategies.
Did you take the bait? Ransomware attacks tend to incite public concern, and the primary objective for financial institutions is to allay those worries and restore trust. Firms will be asked whether they paid a ransom and, if so, how much; they should think carefully before publicly discussing what was or was not paid. If a company discloses that it chose not to pay, customers may be upset that it did not take every step to minimise the disruption to them. Conversely, law enforcement and industry peers may be upset if a firm gives in and pays, because that can incentivise future attacks on the industry (and media tend to paint ransom payments in a negative light).
Are you covered by insurance? Many stakeholders, including investors, may not understand the role of cyber insurance in covering a ransom payment. Rather than discussing the ransom demand, the company should keep its message on remediating the problem as quickly as possible and on the steps it is taking to reduce disruption to employees, customers and other stakeholders.
Beware of recurring events! Conduct a thorough attack surface analysis to find the point of entry and to ensure complete eradication of the attacker's leftovers (persistence, tooling and the original access path). Build a more capable threat intelligence and monitoring capability for better visibility, and re-verify that BCDR and backup systems are in place. A successful attack will lead to another attempt in the near future: experts predict that ransomware attacks will continue to rise, they are becoming more high-profile, and future attacks are getting more sophisticated and more automated. Prepare an incident response plan and test it before the next incident inevitably occurs.
Other assessments to be done: an attack surface assessment together with vulnerability assessment and periodic mandatory penetration testing; a ransomware risk assessment together with periodic BCDR and incident response plan preparedness tests.
Step #3: Attack Surface Management. Adapted from "Attack Surface Management (ASM): The Definitive Guide" by Randori, an IBM Company.
Quote: "Failure to manage the attack surface results in data breaches and leaks that will affect a company's operations and reputation. This is why deploying Attack Surface Management is critical, as it can help security teams to identify, prioritize, and monitor assets that truly matter to a company."
What is Attack Surface Management? Attack Surface Management (ASM) is the continuous discovery, inventory, classification, prioritisation and monitoring of an organisation's attack surface from an external attacker's perspective. It helps organisations identify internet- and attacker-exposed IT assets and monitor them for unexpected changes and vulnerabilities (blind spots, misconfigurations, process failures) that increase the risk of attack. With the external attacker's perspective, security teams can prioritise assets for remediation by attackability, that is, how attractive an asset is to an attacker. Rising ransomware and supply chain attacks, along with recommendations by analysts such as Gartner, have made ASM one of the top cybersecurity priorities for CISOs and security teams.
What is an attack surface? The attack surface (also called the external or digital attack surface) is the sum of all internet-accessible hardware, software, SaaS and cloud assets that an adversary could discover, attack and use to breach a company. It contains four kinds of asset:
Known assets: assets that are inventoried and managed by the organisation, for example servers and websites.
Unknown assets: uninventoried assets such as shadow IT or orphaned IT outside the security team's purview, for example forgotten microsites and unsanctioned applications.
Vendor assets: IT infrastructure operated by third-party vendors or partners, for example compromised third-party code installed on a company website.
Subsidiary assets: assets on the networks of a subsidiary following a merger or acquisition (M&A); they can be any combination of the preceding types.
Factors affecting the attack surface: Unknown assets, because deploying assets such as SaaS applications is plug and play, so the attack surface grows constantly. New vulnerabilities, because more deployed assets means more vulnerabilities such as outdated components and insecure default settings, especially in assets the security team never sanctioned. Cloud adoption, because the rapid rise of cloud computing and the shift to working from home expose more assets than ever to external threats.
Benefits of ASM: Find unknowns and prioritise top targets, because with an ever-changing attack surface it is impractical to track every target, and external ASM lets the team focus on assets attackers can actually weaponise, reducing operational noise. Harden and reduce the attack surface, because knowing what is exposed lets the team secure the top assets first, in line with the company's security baseline. Strengthen the cybersecurity posture, because continuous monitoring for new changes and vulnerabilities makes the team better at predicting and preventing threats.
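The ASM loop described above (discover, classify, detect change, prioritise by attackability) is small enough to show end to end. What follows is an added example written for this review, not code from the Randori guide or from CSIRT.ID: it takes two constructed external-discovery snapshots (hostnames and exposed ports under the reserved .test TLD, so nothing here is a real asset), classifies each host as known, unknown, vendor or subsidiary using the organisation's own inventory and a map of third-party zones, reports what changed between runs, and ranks hosts by a simple attackability score. The service weights and owner penalties are assumptions to be tuned to your own threat model.

```python
# Assets the organisation has inventoried itself (constructed sample).
KNOWN_ASSETS = {"www.example-bank.test", "api.example-bank.test", "mail.example-bank.test"}

# Zones operated by third parties or acquired companies (constructed sample).
THIRD_PARTY_ZONES = {"cdn-vendor.test": "vendor", "acquired-fin.test": "subsidiary"}

# Two external discovery snapshots, host -> exposed TCP ports (constructed sample).
PREVIOUS = {
    "www.example-bank.test": {443},
    "api.example-bank.test": {443},
    "mail.example-bank.test": {25, 443},
    "cdn-vendor.test": {443},
}
CURRENT = {
    "www.example-bank.test": {443},
    "api.example-bank.test": {443, 22},            # SSH newly exposed
    "mail.example-bank.test": {25, 443},
    "cdn-vendor.test": {443},
    "promo.promo-example-bank.test": {80, 443},    # uninventoried microsite
    "vpn.acquired-fin.test": {3389},               # RDP on a subsidiary host
}

# How attractive an exposed service is to an attacker (assumed weights);
# unknown ports score 2, owner penalties reflect who can actually fix it.
SERVICE_WEIGHT = {3389: 5, 445: 5, 23: 4, 22: 3, 21: 3, 25: 1, 80: 1, 443: 1}
OWNER_PENALTY = {"unknown": 3, "subsidiary": 2, "vendor": 1, "known": 0}


def classify(host):
    """Known / vendor / subsidiary / unknown, the four asset types in the text."""
    if host in KNOWN_ASSETS:
        return "known"
    labels = host.split(".")
    for i in range(len(labels)):            # match the host itself or any parent zone
        zone = ".".join(labels[i:])
        if zone in THIRD_PARTY_ZONES:
            return THIRD_PARTY_ZONES[zone]
    return "unknown"                        # shadow IT, orphaned, or a look-alike domain


def diff_snapshots(previous, current):
    """New hosts, vanished hosts, and ports that opened on hosts already seen."""
    opened = {
        host: sorted(current[host] - previous[host])
        for host in current
        if host in previous and current[host] - previous[host]
    }
    return {
        "new_hosts": sorted(set(current) - set(previous)),
        "gone_hosts": sorted(set(previous) - set(current)),
        "opened_ports": opened,
    }


def attackability(host, ports):
    """Riskiest exposed service plus a penalty when no internal owner is known."""
    base = max((SERVICE_WEIGHT.get(p, 2) for p in ports), default=0)
    return base + OWNER_PENALTY[classify(host)]


def prioritize(snapshot):
    """(score, host) pairs, highest attackability first."""
    return sorted(((attackability(h, p), h) for h, p in snapshot.items()), reverse=True)


if __name__ == "__main__":
    changes = diff_snapshots(PREVIOUS, CURRENT)
    for host in changes["new_hosts"]:
        print(f"new    {classify(host):10} {host} ports={sorted(CURRENT[host])}")
    for host, ports in changes["opened_ports"].items():
        print(f"opened {classify(host):10} {host} ports={ports}")
    for score, host in prioritize(CURRENT):
        print(f"{score:2d} {classify(host):10} {host}")
```

Run continuously, the interesting output is the diff: a subsidiary host exposing RDP and an uninventoried microsite rise straight to the top of the queue, while the known, well-owned web front ends stay at the bottom.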
How ASM compares to other solutions:
ASM vs. asset management: asset management is a foundational capability, but it only shows the assets you already know about. To learn what you are missing, you need the external perspective that ASM provides.
ASM vs. vulnerability management: vulnerability management solutions usually rank findings by the number and severity of vulnerabilities through a scoring system. Use ASM when you want to evaluate the attackability of assets and decide how to prioritise remediation.
ASM vs. penetration testing: pen testing works well when you are specifically looking for known vulnerabilities and weaknesses at a single point in time. It can be combined with external ASM to discover assets and risks continuously between tests.
ASM vs. Breach and Attack Simulation (BAS): BAS solutions use choreographed, predefined sets of operations and assumptions to see how well your security programme holds up against simulated attacks, which also makes them good for QA of security tools. Adding ASM extends them by showing the organisation's real-world exposure.
ASM vs. Security Rating Services (SRS): SRS are fairly basic risk assessment systems that give a scorecard-like rating of an organisation based on publicly available information, useful for quick insight into the public cyber profile of partners, suppliers, customers and prospects. Combined with ASM they give a more in-depth analysis of security risk.
References:
OKTA, What is an Attack Surface? (And How to Reduce It)
INFORMER, How to Perform Attack Surface Analysis (ASA)
COMPARITECH, How to Perform an Attack Surface Analysis
OWASP, Attack Surface Analysis Cheat Sheet
MICROSOFT, Anatomy of a Modern Attack Surface
FINCEN Advisory, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments [PDF]
Step #4: Standardize and Enhance Incident Management
Planning phase. Short term: incident handling, lessons learned, quick wins, situational awareness. Mid term: security monitoring, threat and attack visibility, people, process and technology. Long term: capacity building and HR development, including technical assistance, periodic cyber drills and full-spectrum cyber exercises.
1st phase: Enhance the incident management cycle. Take the LockBit TTPs from MITRE ATT&CK as the reference threat model. Identify which LockBit indicators and techniques cannot currently be detected with the telemetry the SOC collects, and turn that gap analysis into monitoring requirements.
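The gap analysis in the 1st phase is a mechanical comparison once the TTP list and the SOC's telemetry are written down. The block below is an added example for this review, not code from the presentation or from CSIRT.ID. The technique set is an illustrative subset of techniques commonly reported for LockBit; the pairing of each technique with the ATT&CK data components a detection would need, and the set of components the SOC collects, are this example's assumptions. Replace both with the authoritative technique list from the MITRE ATT&CK LockBit entry and your own log-source inventory. Beyond listing covered, partial and uncovered techniques, it ranks each missing data component by how many techniques it blocks and shows which techniques would become fully covered by onboarding just that one source, which is the order in which monitoring work should be scheduled.

```python
from collections import Counter

# Illustrative subset of LockBit techniques (assumption: verify against the
# MITRE ATT&CK entry), each paired with the ATT&CK data components a detection
# would need. The pairing is this example's own mapping, not MITRE's.
LOCKBIT_TECHNIQUES = {
    "T1078": ("Valid Accounts",
              {"Logon Session: Logon Session Creation",
               "User Account: User Account Authentication"}),
    "T1059.001": ("Command and Scripting Interpreter: PowerShell",
                  {"Script: Script Execution", "Process: Process Creation"}),
    "T1047": ("Windows Management Instrumentation",
              {"Process: Process Creation", "Command: Command Execution"}),
    "T1021.002": ("Remote Services: SMB/Windows Admin Shares",
                  {"Network Share: Network Share Access",
                   "Logon Session: Logon Session Creation"}),
    "T1562.001": ("Impair Defenses: Disable or Modify Tools",
                  {"Command: Command Execution",
                   "Windows Registry: Windows Registry Key Modification",
                   "Service: Service Metadata"}),
    "T1567.002": ("Exfiltration Over Web Service: Exfiltration to Cloud Storage",
                  {"Network Traffic: Network Connection Creation"}),
    "T1490": ("Inhibit System Recovery",
              {"Command: Command Execution", "Process: Process Creation"}),
    "T1486": ("Data Encrypted for Impact", {"File: File Modification"}),
}

# Data components the SOC actually collects today (constructed sample).
COLLECTED = {
    "Process: Process Creation",
    "Logon Session: Logon Session Creation",
    "Network Traffic: Network Connection Creation",
}


def coverage(techniques, collected):
    """Per technique: 'covered' (all needed data present), 'partial' or 'none'."""
    result = {}
    for tid, (_, needed) in techniques.items():
        have = len(needed & collected)
        result[tid] = "covered" if have == len(needed) else "partial" if have else "none"
    return result


def missing_components(techniques, collected):
    """Count how many techniques each uncollected data component blocks."""
    counts = Counter()
    for _, needed in techniques.values():
        counts.update(needed - collected)
    return counts


def unlocked_by(component, techniques, collected):
    """Techniques that become fully covered if this single component is onboarded."""
    return sorted(tid for tid, (_, needed) in techniques.items()
                  if needed - collected == {component})


if __name__ == "__main__":
    for tid, status in coverage(LOCKBIT_TECHNIQUES, COLLECTED).items():
        print(f"{tid:10} {status:8} {LOCKBIT_TECHNIQUES[tid][0]}")
    for component, n in missing_components(LOCKBIT_TECHNIQUES, COLLECTED).most_common():
        print(f"missing {component!r} blocks {n} technique(s); "
              f"onboarding it fully covers {unlocked_by(component, LOCKBIT_TECHNIQUES, COLLECTED)}")
```

With the sample telemetry, command-line logging is the single most valuable missing source: it is needed by three of the eight techniques and on its own closes two of them, while file-modification telemetry (needed to see the encryption itself) is still absent entirely.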
2nd phase: Implementation based on the 1st-phase assessment, monitoring results and recommendations.
References:
NIST Cybersecurity Framework v1.1
NISTIR 8374, Ransomware Risk Management: A Cybersecurity Framework Profile
NIST SP 1800-25, Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
NIST SP 1800-26, Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events
NIST SP 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events
ISO/IEC 27035-1:2023, Information Security Incident Management, Part 1: Principles and Process
ISO/IEC 27035-2:2023, Information Security Incident Management, Part 2: Guidelines to Plan and Prepare for Incident Response
ISO/IEC 27035-3:2020, Information Security Incident Management, Part 3: Guidelines for ICT Incident Response Operations
ISO/IEC 27035-4 (draft), Information Security Incident Management, Part 4: Coordination
NIST SP 800-61, Computer Security Incident Handling Guide
The Team
BISYRON WAHYUDI, Deputy of CIP and Resilience, CSIRT.ID
M.S. MANGGALANNY, Deputy of Operation, CSIRT.ID
ANDIKA TRIWIDADA, Head of Cyber Security, ID-CERT
IRWIN DAY, Security Specialist
DUDI G. K., Security Specialist
HAMDAN, Forensic Specialist
TAUFIK, Business and Solutions
CSIRT.ID, Indonesia Cyber Security Independent Resilience Team
Email: author [email protected]; general inquiry [email protected]; incident report [email protected]
Postal address: MULA by GALERIA, The CILANDAK Town Square, TB SIMATUPANG Highway, (KAVLING) Lot 17, Jakarta Selatan, DKI Jakarta 12770, Indonesia
Phone and facsimile: +62 21-7592-0274