
BSides Rochester 2017: Adam Dean: Real Security Incidents, Unusual Situations

BSidesROC · 2017 · Published 2018-01
Category: War Stories
Style: Talk
Transcript [en]

My name is Adam Dean. I'm also with GreyCastle Security. I'm not going to tell you to not go into incident response, because I'd love to have you. Full disclosure: I'm pretty bad with PowerPoint stuff. Throughout this presentation you're gonna see random transitions that I felt were appropriate. So like I said, I'm with the IR team at GreyCastle Security. We primarily work with small and medium-sized businesses. Now, I'm fairly new to the IR game; I've been doing it for two to three years now. So the corporate sector is quite the interesting place when it comes to incident response. Most people don't really know what they're doing. If you get called for an incident, nine times out of ten they

don't even know what incident response really is. And actually, I invented it (see, I'm getting better at PowerPoint). Those are all actually the same client, which will be the first incident. I don't know if anybody was here for the last one; I did this last year. The first one is gonna be the same, because I have new information that just came in recently that was super fun to deal with. But generally, like I said, in the corporate sector of incident response it's rare to see someone who's good at security, who has standardized policies and procedures. And the biggest thing I'm seeing now is insurance agencies, law firms

trying to get into the technical side of incident response, even though I don't know very many very technical lawyers that would... so I'll save my opinions. So basically in this presentation I'm gonna go over three incidents that happened within the last year, besides the first one, which, again, has new information on it. Incidents that kind of went sideways, where the scope was changed in the middle of it, or stuff that I just found interesting. "Funny" really may be a better title. So the first incident: it's a very small healthcare clinic, about 20 employees, around, I want to say, 3,000 patients total, so pretty small. They are not tech-savvy people

whatsoever, and they don't really know the technical side of the HIPAA regulations. So they called us saying that seven records had been accessible from the internet, and some patient called them saying "I'm able to Google my name." So what we found was there was an FTP server that allowed these scans, that was just accessible from the internet: seven records. So that's kind of a key part here. It's also important to know, and I'm sure a lot of you are somewhat familiar with HIPAA, when it comes to breaches 500 is the magical number. If you're below 500 it's not considered a HIPAA breach, or it's a different level, but if you're above 500 then it's a

bigger deal. So the very next day the owner of the company got an email from a guy named Johnny, who said that he downloaded the entire FTP site. He claimed he wanted $50,000 for the risk of handling HIPAA-related information. He also kept saying "Romanian hacker forum," which was... I don't... okay. And he emailed the owner from, it's a legitimate company apparently, from the organization's email address. At that point the FBI got involved; they're pretty interested, at least I think, I never really know. So what we found through looking at logs is that he actually downloaded around 1,500 records, not seven. And I was able to tell it was him because I

just simply pinged the domain on the email address, and when searching in the logs, like one out of a million, it just happened to work because of his email. The lawyer that we were working with thought it might be considered extortion. I don't think anything ever came of that, because the FBI took over from there. But he also, it turns out, knew the patient that initially reported that she found her record online, and the IT vendor who misconfigured this FTP server to allow anonymous access from the internet. Conspiracy time. So I'm a little bit... yeah. So what I actually did, just to show the client, is I took the access to the server. It is grayed out, and Johnny

is kind of off the screen, but he's up there, and this is from 2013. So this FTP server was open for quite some time. So there could have been past patient records around this FTP server that are now just gone, and you're not gonna really know which one it is. So by looking at the logs we obviously saw, like I said, it was from 2013 to 2016 that it was accessible from the internet. The documents were just named doc one, doc two, and they're images; you can't Google images, or text within images, I guess. So certainly really interesting. So in terms of

the scope, now that seven records turned into 1,500, and it's above the magical 500 number, so it's a much bigger deal. I'm not a hundred percent positive on this, but I think within states it could be that you have to report the breach within 98 days; it might be 60, might be 30. And under HIPAA it is 15, and at this point we were at like day 13. So yeah, I definitely had a whole couple of all-nighters. And then the contacts there were just going crazy. They didn't know what to do, again because they didn't even really know what happened, just because they don't really understand it,

and then they were really focusing on putting blame on the IT vendor and taking them to court or whatever, rather than actually just fixing the issue. They certainly didn't want to place a substitute notification on their website for addresses that couldn't be found when you actually notify the affected individuals. They just didn't want to be compliant at all. And then, I don't know the actual cost, but I'm estimating; I did some math yesterday, it's somewhere around forty thousand dollars. So then the new information comes in. So they took the IT vendor to court, and they just shut down their practice because of this.

It was kind of one of those IT vendors like, "I'm an IT vendor," and it's just one guy. Yeah, I shouldn't even say vendor; it was a guy. Yeah. The whole court thing kind of went on for a while. The IT guy apparently was trying to, what's the term here, represent himself during the whole court process, and he knew the client pretty well, so he knew that they don't want to spend a lot of money. So he just dragged on the whole thing, and eventually I guess the client won, but then they were just kind of done,

and they just shut their doors, because again they're freaking out during this whole process. So the remaining question is this, which I'd love to know, but I'm not the FBI unfortunately: how did the patient Google her name? I looked at the documents; there's no way that is just simply Googling her name, unless someone parsed out through the documents and put it somewhere else that I didn't see. And then I'm thinking the IT vendor, the patient and Johnny all knew each other; in my little conspiracy they all worked together. That's gonna be the conclusion of that one. Definitely, probably top three weirdest incidents, because everybody was just freaking out the entire time, and it was 1,500 people,

still kind of a small-scale breach. It's not really that big; I guess it might be big for a smaller practice, but still, they're kind of all very... reasons. Yeah. So going on to incident number two. I got back from Puerto Rico, wanted to try out some new Spanish that I learned. So about this client. I put a lot more transitions than I thought I did. Well, he should... So about the client: it doesn't really matter, but it's a medium-sized manufacturing business; it doesn't really matter too much in terms of this incident. So there was an employee who quit, and he just deleted all his data on his

computers and iPhones before he left. Some of this data was critical data that they needed: a couple of patent-pending documents, something that they were looking for. So they needed some data recovery, and we typically ask them for date ranges and something to limit the scope of the data that they want recovered, but as you can see, they kind of asked for a lot. So it was somewhat... I mean, the employee rarely used this computer, so it was actually easier to recover, even though it was on a solid-state drive, which makes it a lot harder to recover data. I always like comparing it to an

etch-a-sketch

And again, he rarely used his computer, so it was kind of easy to get the data back. He basically just deleted the data; he didn't do any secure erase or wipe the whole drive or anything like that, so it was fairly easy. So we did find the critical data. We also found about 50,000 selfies, and by selfies I don't mean stuff you find on Facebook. So that kind of changed the whole game of this. They were no longer concerned about the critical data; they were more concerned about making this guy look bad in a courtroom setting. So it was no longer about

recovering the actual data, even though they got it; it was more about making the guy look bad. So the employee leaves, and the client settles the case, and they finally implement an acceptable use policy, which was great. So the final one, incident number three: the virus. So this was a fairly large public school district. I would have put more pictures, like Greg, but I've had no internet access. I wish I had more pictures, so you get transitions. So, a fairly large public school district. From them calling us we could tell that they're just bad at managing what they have and keeping it up to date. And by managing what they have,

I mean keeping it working as well. They just have the kind of servers laying over here that they don't even remember. So the initial call: the client discovered these tasks on their Microsoft Windows Server, I don't know what year. They were just kind of incremented tasks, and it pointed to this update DLL, which they figured was malicious, and this is 2016; that's gonna be really important. So the whole purpose, what we were there to do, is to find out what happened, how it happened, how to stop it from happening. So we took the VMDK, it was a VMware server, and then we kind of went

on the hunt for this DLL, and to find out when this actually occurred. We found Symantec logs on the system, which again is gonna be important. So, screw-up: before even knowing what happened, they put on their website that the virus was found on a server hosting a bunch of confidential information. Again, probably shouldn't do that. I mean, I can understand the substitute notice, but they didn't know what was happening. So nothing was found: the DLL doesn't exist anymore, and the tasks appear to be older. So when the DLL doesn't exist and it's not ransomware, that typically means, well, it could mean a lot of things, but

basically I was trying to find out when this happened other ways, other than the DLL. So what we found was this is actually an infection back from 2011 that Symantec removed and logged, from the SQL Server logs that went back that far. They have some application that kind of had custom logs; it showed what accessed the SQL server, and it didn't show anything odd. The logging was somewhat vague. But again, 2011: you're not gonna see any information on the system itself to actually point you in that direction. Why are you doing this?

So basically they notified the public because of something that happened, or that didn't happen, five years ago. Yeah. So the news is all over it, and then they're like, oops, no, never mind. And that is generally it. So the corporate side of incident response, it's not... I again might be stereotyping a little bit here, but the government sector seems to be much more process-oriented and standardized, at least probably a lot of departments within. Okay, whereas we deal with some pretty small businesses that, you know, "what's a computer?" So it definitely gets a little bit odd. Even the medium

size or larger businesses, some of them are just a complete mess. They don't have a solid security program. Somehow, "what's a risk assessment? Never done one of those before." So it definitely varies quite a bit. It is quite rare to find a program where, when you get there, they already have this stuff for you. One client particularly had a timeline of events that was listed out, so the best stuff, super awesome, that. But yes, it varies quite a bit. Yes, Tyler?

So I don't know too much information, because that's more on the legal side, but I believe the employee brought them to court because he felt like he was being pushed out because he's a minority, or something like that. Yeah. So to make him look... you know, I guess. I don't quite know the details on the legal side of it. I don't know; I'm gonna have to talk to them. Yeah.

I don't know. Yes, yeah. I mean, I kind of wish I was on that side of it, where I could just steal people's computers and look around and see what they're doing, but nope.

Yes, so the resolution for us is making sure they can get back to an operating state, in terms of those kinds of incidents, or is it just a breach of confidential information. I wasn't too concerned about Johnny and gang, because the FBI has that covered; there would be not much I can do. But in terms of, is it frustrating? I mean, I would love to know, but I don't lose sleep over it, I guess.

I understand at times, yeah. I mean, in all reality, if I'm brought in at all, it's too late.

Yeah, that one was a big old false positive. They basically called us in the second they saw the tasks; they didn't really do any investigation, which is good, because if they had, they would have screwed up a bunch of stuff and made it much harder for me. But yeah, that was probably the biggest false positive, because they just put it everywhere.

Yeah, so ransomware is my full-time job, and other incidents are like my part-time job, almost. But ransomware is super... I mean, it can get pretty interesting, but it's pretty boring at the same time, especially if you're just trying to find out how it happened so they can stop it from happening. So it's typically a computer, maybe some file shares. Oh yeah, you certainly see some massive attacks where a domain admin downloaded an attachment. And we typically know... so most of the ransomware cases we see are Locky or variants like that, where you're not going to find a decryption method. But we also have never had a client who

paid the ransom, which is, I guess, good. So were they able to go back, though? Right, yeah. Luckily everyone who we've dealt with had backups.

Right.

But months of years... you can understand why people would pay, yeah.

Yeah, I mean, yes, I've definitely tried to talk people down from paying the ransom, because they're just overwhelmed, especially if it's a massive ransomware attack where it affects everything. Talking them down is kind of a big part, only because you're playing the 50/50 game, and they know that you're willing to pay, so who's to say you won't pay again. So I never ever recommend it. Hi Tyler. Yeah, three or four times. They weren't... they're small organizations.

Ransomware on a computer, and then received the payment, and then actually followed through and decrypted the data, as a way of making a name for themselves so that more people would pay that ransom. So you do... probably 70% of the time it will be decrypted, somewhere around there, because you've got to realize, if they're known to not decrypt data after you pay, then nobody's gonna pay. What's that?
