
Greetings. Can you hear me? Awesome. So I don't know about you, but personally I'm really into occultism and stuff, conspiracy theories. So when the time comes that I'm able to face such things, I like to make things interesting. So a few things about me. I've been in Tallinn, this is my fifth time. Previously I started my career here as an intern at NATO CCD COE. I don't know if we have anyone from the center here. Do we? Oh, it's too... Ah, okay. Maybe we can chat later. So, I'm an incident response expert. To be honest, I hate the term expert. None of us can be an expert in anything in life. So, at some point, I think I'm going to scratch that from my title. Still, I'm an incident responder. I love doing forensics and incident response. This is my main focus of research.

So, tonight, we're going to talk about ransomware. I don't want to bore you with numbers, how big a threat it is. I'm pretty sure that most of you understand by now that no matter which industry you are in, whether it's public sector or private sector, if you are, for example, in manufacturing, in finance or whatever, it's a prevalent threat. So there are many things that you should be able to understand. In terms of risk, if you are a manager, a CISO, an executive, but also as a defender or an administrator, because you need to understand how to properly configure your organization, how to be able to stand against these threats and mitigate the risk when an incident comes.
So, the most interesting part about modern-day ransomware is the use of the double extortion method, as we call it. So it's either you pay the ransom or you don't. If you pay the ransom, the gang claims that, okay, we're going to unlock your files, we're going to decrypt them with the key we're going to give you, and we're not going to publish anything online. But here's the thing. There is no honor among thieves, and you should definitely consider that before going and paying them. Because it's one thing going to your finance officer and saying, hey, we need to secure some funding to unlock our files, because it's important. But think about the following. If you keep on funneling money to a ransomware gang, it's most likely that they're going to use it to further their research. So you're becoming a benefactor for future campaigns. But if you don't pay the ransom, of course you're not going to get your files encrypted, plus they claim that they're going to publish your files online. And this is bad for you. There is no global standard about how to mitigate this risk, which option to take, either pay or not. My personal opinion is, I wouldn't like to pay, but what if you are, for example, a hospital and you don't have backups? All your records are either going to be online or you will not be able to treat patients. Personally, I would rather lose one million dollars or whatever than lose one person's life. So always remember that maybe we as cyber security professionals are mitigating the cyber aspect of a threat. But if the threat becomes the human life, you should definitely consider that. There has been a case in Germany where a patient died during transit between two hospitals. The one hospital was infected by ransomware, so they had to take him to the other one. And in transit, unfortunately, he died.

So, let's go and see some more things about ransomware as a service. As you understand, this is a very prolific market for everybody involved. So you should definitely think about these three, let's say, steps that the attacker is going to make. First is the access. Not one of us is an expert in every field, right? So why should the cyber criminals be? It's like a business. So you have one department that is really good at coding, at evading stuff. Then you have the PR, you have the guys that negotiate. It's not like one guy behind the scenes. There are many, many teams, and maybe they're not from the same gang. So, someone who specializes in the intrusion, let's say, is going to make the initial payload, as we call it. Maybe the next one is going to make the ransomware for the impact. You don't just deploy ransomware when you enter an organization. You wait to deploy it later. So, remember that. So, the collaboration, as I said, is a really important aspect. We have seen cases where in online forums they sell access to compromised networks. Or there are gangs or code writers saying, okay, please come buy my ransomware, it's new stuff, it goes unnoticed by most EDRs. And here's the thing, for them it's easier to collaborate instead of, you know, selling; they're going to share the profit. Because if you're not good at something, why don't you hire someone to help you? So you switch your campaign and some of the money goes, for example, to the guy that runs the ransomware, or the other way around: you enter the organization but you need to monetize. In my opinion, and I think most of you would agree, we have seen rare cases right now of hackers doing it only for fun. Of course there are activists, of course there are people that need to come and make their point public about some sort of political cause, let's say, but always remind yourself that, at the end of the day, it's about money. That's why it's a business. So, as you understand, you've seen very, very different variants each month. So you can never know which; the attackers tend to get creative when it comes to naming. My favorite personally is the Hentai OniChan ransomware. And imagine your organization getting hacked by such a group. What are you going to say to your boss? We have a Hentai OniChan ransomware group encrypting our files. This is one slight problem. And here comes Egregor. Actually, Egregor has its roots from the
Greek word Egregorcy. I'm pretty sure you won't understand it. But it's like being a whole group together, and they're doing stuff quickly. And because they're able to multiply this effect, that's why they're so successful. So they used the... This was the... Oop, no. I don't know how to use it. I think I have it. So it was a logo. It was a variant of the Sekhmet ransomware. It first appeared in September 2020. And our incident, the one we faced, that we're going to see next, we faced it at the end of September. So it was one of the newest cases that we were able to see. The funny thing with Egregor is that they appeared shortly after the Maze downfall. I don't know if you've heard about it, but Maze was one of the most successful ransomware to this date. They were able to infiltrate a lot of organizations, they made quite a profit, and all of a sudden, in one day, they said, you know what? We're going to stop. Why? Because we're seeing that no matter how many ransomwares there are going to be out there, the security posture of the organizations is going to stay the same. So it was kind of a tricky, let's say, statement, because they're considered to be criminals, right? But coming out and saying that we're doing this to prove our point that everybody is vulnerable, and that's why we're stopping right now, because we're seeing that you're not taking us seriously, it was really weird. And as it was proven, some of the members of the Maze gang moved to Egregor.

Egregor was really successful. It managed to, in a short time actually, its operation ceased in late February, I think, 2021, this year. But it got at least 70, claimed at least 70 victims. And they published their files online. As you can see on the right, you see the portal that was waiting for them. I made it public since right now it's been seized. And on the left screen you can see the typical ransom note. So at the end, you should have the live chat with the operators, trying to negotiate either to lower the price, because maybe you don't have the money, or you don't want your files to get encrypted, of course. So this is the thing with Egregor. They claimed at least $4 million. They requested it in Bitcoin, and it was by far one of the biggest ransoms ever demanded. But compared to the latest attacks, I'm pretty sure you've heard about the DarkSide ransomware or Conti ransomware, where they claim way more money. For example, in the Colonial Pipeline incident, it was a huge amount of money that was requested due to the criticality of the systems affected. So this is what I'm telling you. It's a very, very prolific business for them. And they know, according to each organization they're going to infect, what money to request back. So, let's see some points about the incident we faced. As I told you, you don't actually have to make the access
yourself. You can either buy it from someone, or let's say collaborate with others. For us, in this case, it was part of an Emotet global campaign that was used to compromise the organization. The thing is that, at first, the victim clicked a weaponized Word document. It was on Thursday afternoon when we observed the first connection through the firewall logs, and then on Sunday morning, the ransomware was deployed. Considering that, I have to say that it was a really, really quick deployment of ransomware. So I guess the attacker was really able to get all the stuff they really wanted, and then deploy the ransomware and do maximum damage. So what I would like to focus on is... Oop, not again. Back. I would like to focus on the campaign. As you can see, typically, we start with a spear phishing or phishing campaign. We use a weaponized document that may have VBA code inside to execute either with PowerShell, with WMI, whatever. But here is the thing. You don't directly deploy the malware. You break your campaign into two different parts. The downloader, which means the malicious weaponized file will download the middleman, and then the middleman will download the actual malware. And this is where we have the proper C2 communication. C2 stands for Command and Control, meaning it's the back channel for the attackers, for the attack infrastructure. And here's the thing, it's way easier to go unnoticed, because if you deploy your malware instantly, it's going to make the detection much easier. Consider the following. You're going to have a process of a Word file spawning a network connection directly. And this is going to cause at least a weird look from the defenders. The detection engineers, the responders, the analysts are going to say, oh, why is the Word process communicating with the internet? It shouldn't. It's not downloading something. So why does it? But if you have, because you know, everybody loves macros, right? And especially accountants, they use macros all the time. So if you see a Word file spawning a macro, no big deal. But if you consider it from the attacker's point of view, this is a great opportunity for them.

Let's talk a few seconds about Emotet. It was first observed in 2014, this is the fun stuff. It went down for a few years, and then it came back last year. It came back and it was part of a huge campaign. I don't know if the organization was a victim of it. It was very, very popular, at least in Greece. We have observed a continuous campaign for like three weeks. Every day, we were receiving emails from clients, from third parties saying, hey, we received this sort of malicious email, can you please analyze it? And as the weeks went by, we've seen that the samples we analyzed were a little bit different. So the campaign at first was really simple to detect, but for an organization with a bad security posture, it was easy to infiltrate. So the attackers knew that, and they said, why deploy the big guns when with a simple attack I can infiltrate? And this is true, and remember that: you will not always deploy your best malware at first. So be careful when defending and when responding to an incident. At some point, you might think, hey, I caught the guy. He is right in front of me. But should I turn his access off? Maybe I should take a step back and monitor the situation to understand his true motives. So maybe your boss doesn't like it because once you've seen an intruder inside, you want to kick him
out. But what if you stay? You monitor properly, and when, for example, a critical system is accessed, then you perform your kill switch. So this is a nice thought that you can keep in mind.

So, I would like to present to you what I am pretty sure most of you, if you've worked in a blue team, for example, have seen before. It's a pretty standard weaponized document. It's prompting you to click the enable editing, the enable content, as you've seen this. This is funny because from a forensic standpoint, it creates a specific artifact called Trusted Records. So it means that if you click on this ribbon, this is when the attack happens. For us defenders, incident responders and forensic investigators, if you go and look for Trusted Records in the registry of the victim, you can definitely say at what time and what document and that the user actually interacted with it. So you can verify the infection. And for us, it's really, really important, because most of the time, think about it. You have a person that gets hacked, he doesn't want to admit it at first. To an organization, not admitting your problem might be, let's say, problematic later, because at one point, you know, you have to understand that I've been compromised. But it's easy to see if I have been compromised with a ransomware, right? You're seeing that your computer has been infected, that you can do nothing, but if the ransomware was not deployed, you would never understand it. So the attacker was inside, like I told you. It was Thursday afternoon; on Saturday, because they knew, of course, that everybody was not online, they deployed their ransomware. So keep that in mind. Have an open and transparent way in your organization to submit incidents and not make the users afraid to admit their failure to understand proper, let's say, security principles. It's not everybody's business, let's say, to know how to use a computer. As security professionals, we should be able to provide them the means to properly submit and report incidents. And it's really, really important to make it clear and transparent for them. It's not a big problem if you click on it, just tell us quickly enough so we can respond. Because we don't want the infection to spread.

And as we can see here, we can see actually the macro that was behind this specific document. But this is not the thing. This is just from static analysis. So it means that if you don't actually open the document, you're going to see just that. But if you open the document and start to analyze it a bit, gather telemetry or do memory analysis, you're going to see the actual code that is written to the system. It's human readable actually. If you start taking out the pluses and stuff, after 10 minutes you will be able to gather the dropper files and the dropper sites. So, if you like tweaking a bit, you can script it, but it's difficult, I'm telling you, I tried to do that, because at some point, imagine receiving five emails every day with a different sample; at some point you say, there's no way I'm gonna do that by hand only. I have to find a smarter way, right? But here's the thing, you cannot always, at least due to parsers being case insensitive, it's not easy to play with regex and have a proper YARA rule or whatever to be able to understand and detect it. So you should keep that in mind when it comes to creating defensive mechanisms. So,
right now we're going to present to you some of the TTPs we faced. TTP stands for Tactics, Techniques, Procedures. It's the most common term that we use to characterize the attacker's behavior. And I'm pretty sure this is the reason why you came this evening. But before going to the TTPs, I'm going to share with you some of my experience and some of, let's say, my own tips when it comes to investigation. So these are some things that you should always keep in mind. So I consider that DFIR, Digital Forensics and Incident Response, is a huge digital puzzle, right? At some point, you have to start creating the frame around it and then go piece by piece and make the picture that you want to have. But of course, for a jigsaw puzzle, it's easy, because you know what you have to create. So maybe you're trying to categorize all your pieces by color, by shape, whatever. But it's rarely the case for us, and this is the hardest thing. So the first thing that you should always do is proper scoping. How many computers are infected? How many users are infected? It will help you to properly understand and properly prepare for the mitigation techniques that you're going to propose and implement. So it's really, really important. At the same time, if you know that, for example, you have Windows servers, you should search for specific artifacts. If you have Linux machines that are infected, if your Kubernetes infrastructure is infected, you'll have different artifacts. So consider that. Proper scoping is the key to analyzing an incident and providing correct recommendations. The next are the tactics. What are the tactics? You'll have to try to understand what the adversary tries to achieve through his attack. As I told you before, he's not inside your network just for fun. There are specific things that he's trying to achieve. Thanks to MITRE, the ATT&CK framework, I'm pretty sure you've heard of it. They have properly organized the matrix, and we know how to properly categorize each aspect. And then we have the technique, meaning it's the most technical way to represent an attack. And we're going to focus on the techniques. Of course, having the hacker mindset is really, really important.
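The Trusted Records artifact mentioned earlier (the registry trace left when a user clicks Enable Editing / Enable Content) can be parsed offline once the key is exported. The following is an added example, not code from the talk: it assumes the Word 16.0 key path, a 24-byte value layout with a FILETIME in the first 8 bytes and a flag in the last 4 (0x7FFFFFFF for Enable Content, 0x00000001 for Enable Editing, taken from public forensic write-ups), and constructs its own sample values.

```python
import datetime as dt
import struct

# Registry key where Word stores the Trusted Records artifact (Office 2016/365 uses 16.0).
TRUST_RECORDS_KEY = r"HKCU\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords"

# FILETIME counts 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)

# Assumption (from public forensic write-ups, verify against your own baseline):
# the last DWORD of the 24-byte value is 0x7FFFFFFF when "Enable Content" was clicked
# (macros allowed) and 0x00000001 when only "Enable Editing" was clicked.
ENABLE_CONTENT_FLAG = 0x7FFFFFFF
ENABLE_EDITING_FLAG = 0x00000001


def filetime_to_datetime(filetime: int) -> dt.datetime:
    """Convert a Windows FILETIME to an aware UTC datetime (tick resolution truncated to 1 us)."""
    return FILETIME_EPOCH + dt.timedelta(microseconds=filetime // 10)


def parse_trust_record(value_name: str, data: bytes) -> dict:
    """Parse one TrustRecords value: value name = document path, data = 24-byte blob."""
    if len(data) != 24:
        raise ValueError(f"unexpected TrustRecords data length {len(data)} for {value_name}")
    (filetime,) = struct.unpack("<Q", data[:8])
    (flag,) = struct.unpack("<I", data[20:24])
    if flag == ENABLE_CONTENT_FLAG:
        action = "Enable Content"
    elif flag == ENABLE_EDITING_FLAG:
        action = "Enable Editing"
    else:
        action = f"unknown flag 0x{flag:08x}"
    return {"document": value_name, "trusted_at": filetime_to_datetime(filetime), "action": action}


def build_trust_record(trusted_at: dt.datetime, flag: int) -> bytes:
    """Construct a sample value blob (in a real case the bytes come from the registry export)."""
    delta = trusted_at - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks) + b"\x00" * 12 + struct.pack("<I", flag)


# Constructed sample values, shaped like an export of the TrustRecords key would be.
SAMPLE_VALUES = {
    "%USERPROFILE%/Downloads/invoice_0921.doc": build_trust_record(
        dt.datetime(2020, 9, 24, 14, 37, 12, tzinfo=dt.timezone.utc), ENABLE_CONTENT_FLAG),
    "%USERPROFILE%/Documents/budget.docx": build_trust_record(
        dt.datetime(2020, 9, 21, 9, 5, 0, tzinfo=dt.timezone.utc), ENABLE_EDITING_FLAG),
}


def macro_enabled_documents(values: dict) -> list:
    """Return the records where the user clicked Enable Content, newest first."""
    records = [parse_trust_record(name, data) for name, data in values.items()]
    hits = [r for r in records if r["action"] == "Enable Content"]
    return sorted(hits, key=lambda r: r["trusted_at"], reverse=True)


if __name__ == "__main__":
    print(f"Source key: {TRUST_RECORDS_KEY}")
    for rec in macro_enabled_documents(SAMPLE_VALUES):
        print(f'{rec["trusted_at"].isoformat()}  {rec["action"]:15}  {rec["document"]}')
```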
If you think like an attacker, it's going to be easier for you to think as a defender. Because if you put yourself in the attacker's shoes, then later it's going to be easier for you to do the scoping, like we've been discussing. So it's a very, very important, let's say, trait to have. But, like I told you, this is the hard reality. I'm presenting the order of the techniques that the attacker used, but as you can see, they're not in the correct order. And I've highlighted in bold the things that we have observed. We started out by having understood the impact because we found the ransomware. But we never found initially the initial access. So if you think about the defender, you know about the technique. Which technique is he going to use for the impact? He used the ransomware. We're going to see about it later. But what about initial access? How did the attacker gain access to the organization? Even worse, why did the malware spread to the whole organization? Right? And when it comes to exfiltration, I'm pretty sure that, at least for the European Union, we have the GDPR regulation. And you will always have this question from your client, from an executive saying, have my files been exfiltrated? This is a key question. But as an incident responder, I've had trouble sometimes answering. Because, again, it's a matter of logging. If you don't have proper logs to investigate, you won't be able to, let's say, come to a conclusion. It's easy to say that, okay, I'm going through the firewall logs, I'm going through the proxy logs, and I'm seeing connections to OneDrive. Big deal. OneDrive is being used by most of the organizations that have Microsoft. If you're using WeTransfer, for example, or Mega.nz, then you have to go through the whole administration and go, hey guys, do you use Mega.nz? Maybe they don't, but maybe a user does. So consider, this is a very nice trick, consider blacklisting or whitelisting the specific applications that you use for file sharing. This is really, really important for you. You don't want your files to go outside of your organization. If you're using cloud, maybe there is much logging to understand the user that accessed the logs. But if you don't, then it's going to be a problem for you.

So without further delay, let's go and see some of the TTPs. So, lateral movement. I'm pretty sure we have guys that have performed red teaming before. And my favorite one, this was one of my favorite techniques, to be honest, because they used bitsadmin. Bitsadmin is an internal Windows tool that has been used to transfer tools, transfer whatever file between computers. It can be used for legitimate reasons, for example, to download updates, but can be used by the attacker to spread the infected file. In this case, the file that was transferred was .doc.dll, and I have blacked out the system that was used. In fact, this system was the file server of the company, and it was a key point in our investigation, because first we found out that the domain controller had been compromised by ransomware. We didn't know about the initial infection, right? But in order to go from a workstation, because most likely it's going to happen from an endpoint, a user endpoint, we had to find the missing link in between. You can never, of course, if you have a Windows domain, let's say, even with proper configuration, go from the workstation to the domain admin. There should have been something in between. And this something turned out to be our file server. So it was key to the recommendation that we gave. Defense evasion. This is the way
that the attacker was able to bypass the defensive mechanisms of the organization. The guys used, most of you probably know it, rundll32. It's a Microsoft native tool to run DLLs. So the malware was a DLL file. It was run through rundll32. And here's the thing that we found with some reverse engineering and online search: that "-p", password, classified, 13-mine is the password of the file. Because in order to evade the defense mechanism, they had it obfuscated and encrypted. So it was a smart move that a typical signature antivirus would not catch. And we're going to talk about it later. And of course, we have our favorite tool, Cobalt Strike. How many of you know Cobalt Strike? Nice. Quite a few people, nice. Oh no! Oh no, it's always about the demo. The demo gods are not with us today. Yeah, there appears to be some problem. Anyway, so what does Cobalt Strike do? It is an advanced tool that is being used for red team operations. It's being used by malware gangs, cyber criminals, APTs, advanced persistent threats. It's very, very common out there. In the incident that we faced, we've seen that the malware was fileless, meaning that it was injected directly into memory. So it didn't leave an artifact on disk. What it did, though, is it left artifacts in logs. So you should always remember that, even if the malware doesn't touch, let's say, the disk, doesn't make any operations on the disk, then your logging mechanism, it may be your EDR, it may be your log files, Sysmon, whatever, may be able to catch a snippet of the attack. And it's really important.

So, we're going to talk about named pipes. Again, the format. Anyway, standard Cobalt Strike payloads that use named pipes have the following, let's say, syntax. It's not actually syntax, it's the same structure. So, for example, for post-exploitation tools like screenshot, keylog, whatever, you're going to have a named pipe, pipe, pipe, postex. So this is a nice technique to have as a defender, to properly be able to catch, let's say, the script kiddies, the ones that downloaded a cracked version of Cobalt Strike and didn't change the name in the beacon configuration. It's a very smart move that you can do to minimize the impact. My personal favorite is the MSSE server, because it's the artifact in binary. It means that you can create your own payloads and then ship them through Cobalt Strike and have a lot of fun. So we're going to talk about the beacons. The beacon is
the best functionality that Cobalt Strike offers, let's say. It's really, really popular. And as we can see, the beacon, although it was fileless, our logging mechanism was able to catch the attack. This is a snippet of the log that we observed. In fact, this is the service executable, as Cobalt Strike calls it. So as a defender, always check installed services. They may be used for persistence, and they may be used by Cobalt Strike for beacons. So at first you see that we have a Base64 command that we decoded. But as you go through it, you see, oh my god, even more Base64. Then you have to reiterate and go and see, I don't know if you guys in the back can see it. In order to properly get the beacon, you have to XOR it with the value 35. If I'm not mistaken, it's binary XOR 35. So the beacon was installed, as all of you like, as the service executable. Always remember that a proper logging configuration should include monitoring and logging of persistence mechanisms like services, scheduled tasks, autoruns; these are the places where each one of us, for example, has Steam going on when I start my computer. Everything that runs on boot is potentially a threat and can be used by an attacker to gain persistence. And this is our beacon's final format. As you can see, the named pipe has this format. The attackers never went through the trouble to change it. So although the attack was really well crafted, we can see that in the details, because the devil is in the details, right? They kind of missed it. So for us, it was important to understand what this functionality was. So as you can see, it was PsExec. And we're going to see about it later. Yeah, there it is. PsExec. So it's really important to connect the pieces together. The one piece will stage for the next one. It's really important to understand how the attack happened and make it into a timeline with a logical explanation to your boss, because all that stuff is really, really technical. An executive does need to understand why it happened, but you should be able to properly articulate your technical knowledge to the administrators and the security engineers of your client or your own organization to make them secure. This is a really important, at least from my point of view, step in order to make the organization better. We should always talk the same language, whether someone is way too technical or not. At the end of the day, we care about our organization and its safety. Okay, really, really important. So again, you can see that it was a service installed. Keep in mind.
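The default named-pipe naming discussed above (postex_ pipes for post-exploitation jobs, MSSE-<n>-server for the Artifact Kit service binary) can be turned into a simple check over Sysmon pipe events. This is an added example, not from the talk: the event lines are constructed in the one-line "Key: value" text rendering, and the two regexes are the defaults as I know them; extend the dictionary from your own baseline.

```python
import re

# Default pipe names Cobalt Strike uses unless the operator changes them in the malleable
# C2 profile: post-exploitation jobs and the Artifact Kit service binary (MSSE-<n>-server).
DEFAULT_PIPE_PATTERNS = {
    "postex": re.compile(r"^\\postex_[0-9a-f]{4}$", re.IGNORECASE),
    "artifact-kit": re.compile(r"^\\MSSE-[0-9]{1,4}-server$", re.IGNORECASE),
}

# Sysmon logs pipe activity as Event ID 17 (pipe created) and 18 (pipe connected). The
# PipeName field carries the name relative to \\.\pipe, e.g. "\postex_7b2c".
FIELD_RE = re.compile(r"(\w+): (\S+)")

# Constructed sample events; two benign system pipes, two matching the defaults above.
SAMPLE_EVENTS = [
    r"EventID: 17 PipeName: \postex_7b2c Image: C:\Windows\System32\rundll32.exe ProcessId: 4120",
    r"EventID: 18 PipeName: \\.\pipe\MSSE-1874-server Image: C:\Windows\System32\svchost.exe ProcessId: 2316",
    r"EventID: 17 PipeName: \lsass Image: C:\Windows\System32\lsass.exe ProcessId: 700",
    r"EventID: 17 PipeName: \wkssvc Image: C:\Windows\System32\svchost.exe ProcessId: 1040",
]


def normalize_pipe_name(name: str) -> str:
    """Accept the full \\.\pipe\<name> form as well as Sysmon's short \<name> form."""
    prefix = r"\\.\pipe"
    if name.lower().startswith(prefix):
        name = name[len(prefix):]
    return name


def parse_sysmon_line(line: str) -> dict:
    """Parse the 'Key: value' pairs of a Sysmon pipe event rendered as one text line."""
    return dict(FIELD_RE.findall(line))


def find_default_beacon_pipes(lines) -> list:
    """Return every event whose pipe name matches a Cobalt Strike default pattern."""
    hits = []
    for line in lines:
        ev = parse_sysmon_line(line)
        pipe = normalize_pipe_name(ev.get("PipeName", ""))
        for family, pattern in DEFAULT_PIPE_PATTERNS.items():
            if pattern.match(pipe):
                hits.append({
                    "family": family,
                    "event_id": int(ev.get("EventID", 0)),
                    "pipe": pipe,
                    "image": ev.get("Image", ""),
                    "pid": int(ev.get("ProcessId", 0)),
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_default_beacon_pipes(SAMPLE_EVENTS):
        print(f'{hit["family"]:12} event {hit["event_id"]} pid {hit["pid"]:5} {hit["image"]} {hit["pipe"]}')
```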
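The nested decoding described above (a service-install command carrying a Base64 PowerShell command, more Base64 inside it, and finally a byte array that has to be XORed with 35) can be automated. This is an added example, not the talk's own tooling: it assumes the common stager shape of -encodedcommand (UTF-16LE), a gzip-compressed script inside FromBase64String(...), and a final FromBase64String(...) array with a "-bxor <key>" loop, and it builds its own constructed sample (a marker string, not shellcode) to decode.

```python
import base64
import gzip
import re

ENCODED_CMD_RE = re.compile(r"-e(?:ncodedcommand|nc)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
B64_ARG_RE = re.compile(r"""FromBase64String\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
XOR_KEY_RE = re.compile(r"-bxor\s+(\d+)")
GZIP_MAGIC = b"\x1f\x8b"


def peel_stager(command_line: str, max_layers: int = 5):
    """Unwrap -encodedcommand -> (gzip) -> FromBase64String(...) layers, then undo the -bxor key.
    Returns (xor_key, decoded_payload, layers_seen)."""
    m = ENCODED_CMD_RE.search(command_line)
    if not m:
        raise ValueError("no -encodedcommand argument in the command line")
    # The encoded command is Base64 of the script in UTF-16LE.
    script = base64.b64decode(m.group(1)).decode("utf-16-le")
    layers = ["encodedcommand"]
    key = None
    payload = None
    for _ in range(max_layers):
        key_match = XOR_KEY_RE.search(script)
        if key_match:
            key = int(key_match.group(1))
        b64_match = B64_ARG_RE.search(script)
        if not b64_match:
            break
        blob = base64.b64decode(b64_match.group(1))
        if blob.startswith(GZIP_MAGIC):  # the middle layer is usually gzip-compressed script
            blob = gzip.decompress(blob)
            layers.append("gzip")
        text = blob.decode("utf-8", errors="replace")
        if B64_ARG_RE.search(text):  # still a script with another Base64 blob inside: keep going
            script = text
            layers.append("script")
            continue
        payload = blob  # no further Base64: this is the XOR-encoded byte array
        layers.append("payload")
        break
    if payload is None or key is None:
        raise ValueError("could not locate both the XOR key and the encoded payload")
    return key, bytes(b ^ key for b in payload), layers


def build_sample_command(payload: bytes, key: int = 35) -> str:
    """Construct a stand-in for the service ImagePath seen in the logs (no real shellcode)."""
    xored_b64 = base64.b64encode(bytes(b ^ key for b in payload)).decode()
    inner = (
        "Set-StrictMode -Version 2\n"
        "[Byte[]]$var_code = [System.Convert]::FromBase64String('" + xored_b64 + "')\n"
        "for ($x = 0; $x -lt $var_code.Count; $x++) { $var_code[$x] = $var_code[$x] -bxor "
        + str(key) + " }\n"
    )
    gz_b64 = base64.b64encode(gzip.compress(inner.encode())).decode()
    outer = (
        '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("' + gz_b64 + '"));'
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
        "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
    )
    enc = base64.b64encode(outer.encode("utf-16-le")).decode()
    return "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand " + enc


# Constructed sample: a marker string stands in for the beacon bytes.
SAMPLE_PAYLOAD = b"CONSTRUCTED SAMPLE: not shellcode, only a marker for the decoder"
SAMPLE_COMMAND = build_sample_command(SAMPLE_PAYLOAD)


if __name__ == "__main__":
    key, decoded, layers = peel_stager(SAMPLE_COMMAND)
    print("layers:", " -> ".join(layers))
    print("xor key:", key)
    print("decoded:", decoded)
```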
So, I'm going to talk about some of the problems we faced, because during an incident response engagement, it rarely goes the way you want it to go. Maybe something happens, most of the time, at least in my experience, something happens, and you won't be able to have a clear picture. And it creates a logic gap. For example, consider a forensic investigation. If you have a logic gap, it's easier for the defense to go into court and say it doesn't stand, it's not valid, because the analyst is not able to explain to us why there is a logic gap. So it's really, really important for all of us to understand our technical capacity, our logging capacity, because at the end of the day, if we don't have logs, we can't investigate, right? It's something really, really important. So, because the ransomware was deployed, we could not dump the implants or the DLL, but we were able to dump it through memory. Memory analysis, which we're going to talk about later. This is one of my favorite steps, and it goes to show how crucial it is to always remember to dump volatile artifacts from a computer. The recovery. Unfortunately, we could not acquire the file server because they started the restoration before we arrived. And consider the following. For an organization that wants to go back to normal, back in business, they're going to restore two things first. One would be the mail server, because they're not going to lose communication, either with clients, with third-party organizations, whatever, or inside. It's really, really important to properly communicate to your client, to your administration, that before going to recovery, the previous steps should be followed. NIST has defined the incident response process as preparation, detection and analysis, containment, recovery, eradication and recovery. First you eradicate the threat, then you recover from it. Because otherwise, if you don't eradicate the threat, he will come back. Because you will restore from a point that was not secure, that's why the incident happened, and the attacker will gain access again. So at the end of the day, you did nothing. So always consider that. And of course, time. We have a saying in incident response that all incidents will always happen in the afternoon, maybe around five o'clock, because the attackers know that everybody will leave for home on Friday and they're not going to open their computers, right? So it's like the perfect timing for them and the worst for us, because we lose time with our friends, with our loved ones, our mental health is at stake. So it's something that, if you are a manager or whatever, keep that in mind. You don't want to stress your incident responder because he's the one that's going to pick up the phone and come rescue you from the situation you've been in. So I'd like to talk about memory analysis. This
is my favorite thing to do. When I first started in university, I fell in love immediately with memory, and I said, you know what, I'm going to do it for the rest of my life, whether it's good for my health or not. So why memory? It's volatile information. It means that if you close your computer, you lose everything. So you should always dump the memory of the infected system first. Why? It's our best shot to identify malware. Why? Because it's very easy for us to find running processes that shouldn't be running. If you see, for example, a suspiciously named executable, directly through memory you can identify it. You might find network connections that shouldn't be there. Loaded kernel drivers. We had a talk before about drivers, so if you're able, you know, to find a new driver on your system that shouldn't be there, then bingo. That's why baselining sometimes is really important. If you know that this computer can only have these specific libraries and executables inside, then you know you have directly found the needle in the haystack, right? You can also find the command line from the terminal. Because if you open CMD, for example, and you type a command and then you close it, you will not be able to see it through a typical, let's say, Task Explorer, right? But through memory, every operation will leave an ASCII or a Unicode trace behind. And for us, it's really, really important. Like I told you before, we used memory analysis to dump files that we couldn't because the computer was encrypted. So, here's the thing. We couldn't find and download dog.dll. So, in the evening I was so stressed out, I'm saying, hmm, you know what? I'm going to do a traditional grep. I'm going to search for dog.dll. Maybe something happens. And bingo. It was Christmas for me. I was very happy because we found something that looked like a hash at first, as you can see here. So we used the hash later. We searched online databases and we found it. We downloaded it and we were able to perform our own analysis. So it goes to show that even if you will not be able to carry out your plan perfectly, there might be something inside that will help you. So do not get stressed at first. Think clearly. Use all the weapons you have in your arsenal. For us it was memory and clever thinking. And we were able to find the ransomware. Because at first, like I told you, we didn't have all the pieces together. You can't tell the client, your client or your organization, hmm, you have been infected by ransomware, but at this stage, I can't tell you which one it is because I have all your files encrypted. How am I going to tell you which one it was? It's not easy, but it was a clever trick and it worked out perfectly. So, here is one thing you should always keep in mind.
It's what I call the EDR Imposter Syndrome. The attack was detected twice. So, why did it happen? The organization had, at least audit-wise, they had, you know, EDR installed, check. So for them, they were compliant, right? They had EDR, so what could go wrong?
We were able to see through the logs that it found out it was Cobalt Strike. And at first, it was able to delete it. The first step of the attacker was actually found by the EDR. It was deleted, but then they came back because they understood which EDR... I have, of course, the... I'm not going to tell you which one it was.
But it was caught by the EDR. And going through memory, again, we found that it was submitted for analysis. Remember the following, though: it was the first days of a global campaign. Even if you analyze something totally new with just a signature, it's not going to work. We've seen before that in order to execute the .dll, you have to provide a password. So what happens if you don't have the password? Even if you submit it to a sandbox, you will never be able to find what's inside. And that's why it came to this state. It is so fun to understand that people sleep at night saying, hmm, I have everything in place. I have bought EDR, I
have policies in place. I'm safe. What could possibly go wrong? So, I'm presenting here why it happened. I'm telling you, the ransomware should never have been deployed to the domain controller. But because they had SMB version 1 enabled, it happened. And this is why we were able to see the SMB beacons. SMB version 1 was found to be exploited during the Vault 7 leaks back in 2017, if I'm not mistaken. We had exploits like EternalBlue and BlueKeep, and the first ransomware that went public, WannaCry, was using SMB v1 to spread around. And this was in, like, 2020, three years after the global community knew about it. But as you can see, without proper administration, without
proper policy inside, because it's just a policy. It's just a policy for the domain controller to disable SMB version 1. They didn't. They had everything on stock. Of course, Cobalt Strike implants can be elusive. It's not easy, even for a defender, let alone a forensic investigator, to find, right? But... the antivirus identified the initial threat. So, as I'm telling you next, the poor security posture of the organization, because there was no proper logging. There was no proper logging, there was no proper monitoring. For us, it was really crucial to understand if other computers were accessed inside, because we can never tell
if a computer was logged in remotely or if credentials were dumped. We had no logins, we had no proof about that. And even worse, your EDR actually managed to find the attack. If they were centralizing their logs, they would be able to at least stop the attack. They would have the impact, of course they would have the impact, but it would be less significant than the one we observed. And this is one of your key points. You should always, always, always remember that. Please, log your... Gather everything, gather your logs, into a centralized repository. It's easier, not only for compliance and going back through history and saying, hmm, something happened. Because in this case, as we've seen, it was only for three days. What
if it was a state-sponsored actor? They go inside a network and they go unnoticed for two years. If something happens, how do you know when the first infection happened? It's really important to answer these questions. So logging is the key, not only to detect, but to properly respond, because otherwise you can't do a proper analysis. So, I'm going to present some closing thoughts about practitioners, about each one of us and his job in our everyday life, whether you're an engineer, an incident responder, and I think it's even for the guys in the red team, because you see how easy it is to do it. Easy... it's not easy, actually, but it
gives us, the defenders, a proper... a proper place to look. So consider that incident response, digital forensics, is like the opposite side of the coin that is called pentesting or red teaming. We're the same coin, right? But from a different side. So it's really important to host what we call purple teaming sessions. It means blue team guys and red team guys go together, they have a proper workshop, we talk together about how I'm gonna hack you, how I'm gonna be able to find you. So it's really important, so you should hold it in your organization as well. It's going to give you a lot of knowledge. We're not, let's say, opponents. Blue teams and red teams should not be opponents.
They should work together to enhance the posture of an organization. Anyway, proper administration is the key to stopping a serious impact, like we've seen. If SMBv1 was disabled, it wouldn't have this sort of magnitude. Do not always rely on your tools. Don't go to sleep at night saying, nice, I have bought my EDR, I have deployed it across my organization, nothing's going to happen now. No, proper configuration is the key. And of course, monitoring, because if you're buying software to detect something for you and you're not even looking at it, then why did you buy it, right? And of course, it's really important to have skillful people to be able to understand and see it. Because I've been hearing a lot of talks about,
but with artificial intelligence and stuff, we're going to have an even better security posture. No, it's not the case. The human eye is really, in my opinion at least, right? At this point. In like 10 years, maybe things will be different. But at this point, the human eye, the human intelligence, the human mindset is really important going through those logs. Proper kill switches are really important as well. Consider deploying honeypots across your organization. For example, you can deploy a machine that has SMB v1 open. So if you see a connection to it from a machine, you can pinpoint and say, hmm, this is illegitimate because I have disabled SMB v1 on every other machine. So why do I have a ping on this one? So it
can give you, you know... honeypots are really a good place for all defenders. Of course, sacrificial ceremonies will not help you if you get stuck. That's why I'm telling you: think outside of the box, think clearly, and use all the tools you have, right? And of course, because we've seen about EDRs, this is the same thing with firewalls. A firewall is going to tell you only about an incoming or outgoing connection, and this is not going to help you determine proper data exfiltration. So you should always combine it with maybe a load balancer, proxy logs. If you are on cloud, it's even better, because you have proper logging. But again, logging without monitoring is useless. And of course, we have our favorite managers. So you should always assume, as we've
seen before, you will get compromised at one point. So that's why it's really important for you to get prepared for that. Create your incident response plan. Do not wait until the last moment. It's really important when an incident comes to be able to properly respond to it, quickly and efficiently: have proper roles, communication channels, who's doing what and when, at what time. It's really, really important. Restoration is different for each organization, according to its needs. Maybe you're, let's say, a factory. Maybe you're a hospital. So it's really different from the one to the other. The risk, though, stays the same. That's why I'm telling you, consider your downtime. Would you rather suffer from downtime, or do you want to rebuild from scratch? Only you
can answer this question, not me. Your risk is your own and you should be able to mitigate it. So, Aita? Aita?
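The "traditional grep" pivot the speaker describes for dog.dll (search a memory image for a filename, then look for hash-like strings near the hit and check them against a malware database) can be reproduced in a few lines. The example below is added here and is not the speaker's tooling; the memory image is a constructed byte string, and the path, command line and SHA-256-looking value in it are invented. It searches for both the ASCII and the UTF-16LE encoding of the filename, because, as the talk notes, command lines and paths on Windows often survive in memory only as Unicode.

```python
import re

# Constructed stand-in for a memory image: ASCII and UTF-16LE strings mixed with
# junk bytes. The path, command line and hash-like value are all invented here.
SAMPLE_DUMP = (
    b"\x00\x90\x13random junk\x00\x00"
    + b"C:\\Windows\\Temp\\dog.dll\x00"
    + b"\x00\x00"
    + "rundll32.exe dog.dll,Start".encode("utf-16-le")
    + b"\x00\x00"
    + b"sha256=" + b"0123456789abcdef" * 4 + b"\x00"
    + b"\xff\xfe unrelated \x00"
)

# MD5 (32), SHA-1 (40) and SHA-256 (64) hex digests; longest first so a SHA-256
# is never reported as a shorter digest embedded inside it.
HASH_RE = re.compile(rb"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")


def find_string(dump: bytes, needle: str) -> list[tuple[int, str]]:
    """Offsets of every ASCII and UTF-16LE occurrence of `needle` in `dump`.

    A command typed into cmd.exe or a path handled by the Windows API is usually
    stored as UTF-16LE, so an ASCII-only grep would miss it.
    """
    hits = []
    for enc in ("ascii", "utf-16-le"):
        pattern = needle.encode(enc)
        start = 0
        while (idx := dump.find(pattern, start)) >= 0:
            hits.append((idx, enc))
            start = idx + 1
    return sorted(hits)


def hashes_near(dump: bytes, offset: int, window: int = 256) -> list[str]:
    """Hex digests found within `window` bytes of `offset`, lower-cased and de-duplicated."""
    lo, hi = max(0, offset - window), min(len(dump), offset + window)
    return sorted({m.group(0).decode("ascii").lower() for m in HASH_RE.finditer(dump[lo:hi])})


def triage(dump: bytes, needle: str) -> dict:
    """Pivot from a known filename to candidate hashes worth looking up in a malware database."""
    hits = find_string(dump, needle)
    candidates: set[str] = set()
    for offset, _ in hits:
        candidates.update(hashes_near(dump, offset))
    return {"hits": hits, "candidate_hashes": sorted(candidates)}


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP, "dog.dll")
    for offset, enc in result["hits"]:
        print(f"dog.dll found at offset {offset} ({enc})")
    for digest in result["candidate_hashes"]:
        print(f"candidate hash near a hit: {digest}")
```

On a real image you would read the file in chunks rather than into memory at once, and a candidate hash is only a lead: it still has to be looked up and the retrieved sample analysed, exactly as the talk describes.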
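The SMBv1 honeypot idea and the centralized-logging point made earlier in the talk only pay off if someone actually runs a check over the collected logs. The example below is added here and is not the speaker's code: it works over constructed flow-log lines in a made-up key=value layout, assumes 10.0.9.200 is the canary host (the only machine where SMBv1 is deliberately left enabled), and raises two kinds of alert: any SMB connection to the canary, and any source that opens SMB to many distinct hosts in a short span, the kind of fan-out seen when something spreads over SMB.

```python
import re
from collections import defaultdict

# Constructed flow-log lines in a simple key=value layout (not any vendor's real format).
# 10.0.9.200 plays the honeypot: the only host where SMBv1 is deliberately left enabled.
SAMPLE_FLOW_LOG = """\
2024-03-01T02:14:07Z src=10.0.1.25 dst=10.0.1.10 dport=445 proto=tcp action=allow
2024-03-01T02:14:09Z src=10.0.1.25 dst=10.0.9.200 dport=445 proto=tcp action=allow
2024-03-01T02:14:11Z src=10.0.1.25 dst=10.0.1.11 dport=445 proto=tcp action=allow
2024-03-01T02:15:30Z src=10.0.2.40 dst=10.0.1.10 dport=443 proto=tcp action=allow
2024-03-01T02:16:02Z src=10.0.2.40 dst=10.0.9.200 dport=445 proto=tcp action=allow
2024-03-01T02:16:02Z src=10.0.3.7 dst=10.0.9.200 dport=80 proto=tcp action=allow
2024-03-01T02:17:45Z src=10.0.5.5 dst=10.0.1.12 dport=445 proto=tcp action=allow
"""

HONEYPOT_HOSTS = {"10.0.9.200"}  # assumed canary address
SMB_PORT = 445
FANOUT_THRESHOLD = 3             # distinct SMB targets from one source before we alert

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)"
)


def parse_flows(text: str) -> list[dict]:
    """Parse the constructed flow format; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        flows.append(rec)
    return flows


def honeypot_alerts(flows: list[dict]) -> list[dict]:
    """Any SMB connection to a canary host is illegitimate by definition."""
    return [f for f in flows if f["dst"] in HONEYPOT_HOSTS and f["dport"] == SMB_PORT]


def smb_fanout(flows: list[dict], threshold: int = FANOUT_THRESHOLD) -> dict[str, set[str]]:
    """Sources that opened SMB to at least `threshold` distinct hosts."""
    targets: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if f["dport"] == SMB_PORT and f["proto"] == "tcp":
            targets[f["src"]].add(f["dst"])
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= threshold}


def analyse(text: str) -> dict:
    """Run both detections over a log excerpt and return the hosts worth looking at first."""
    flows = parse_flows(text)
    return {
        "honeypot_sources": sorted({f["src"] for f in honeypot_alerts(flows)}),
        "smb_fanout": {src: sorted(dsts) for src, dsts in smb_fanout(flows).items()},
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_FLOW_LOG)
    for src in report["honeypot_sources"]:
        print(f"ALERT: {src} opened SMB to the honeypot")
    for src, dsts in report["smb_fanout"].items():
        print(f"ALERT: {src} opened SMB to {len(dsts)} distinct hosts: {', '.join(dsts)}")
```

The canary rule has no false positives by construction, which is what makes it a good kill switch: the honeypot has no business users, so the first hit is enough to page someone. The fan-out rule is a heuristic and the threshold would be tuned to the environment; on its own it would also flag legitimate administration hosts, so it is best read together with the canary hits.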