What We Learned: Key Takeaways from the 2018 Ransomware Attack on Colorado Department of Transportation
February – March 2018

Topics
Ø How It Happened
Ø What It Did
Ø Timeline
Ø How We Responded
  § Business Response
  § Cyber Incident Response
  § Emergency Response
Ø The Cyber Players
Ø What We’d Do Differently
Ø Key Takeaways
Incident Handling Process: Prepare
How It Happened
Ø CDOT brought a virtual server on to test a new business process. Nothing wrong with that, right?
Ø Virtual server connected to the CDOT network. Nothing wrong with that, right?
Ø Virtual server also connected to the internet. Umm, nothing wrong with that, right???
Ø It was a test system, so it didn’t have standard security controls. Uh-oh
Ø It was established as a domain administrator account. OH #$%&
Ø Brute force attack began the day the server was brought online. Over 40,000 brute force password attempts were made. System was compromised within 48 hours.
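The failure mode on the slide above (a flood of password guesses against an exposed account, then a successful logon) is exactly what a logon-event monitor should catch. The following is an added example written for this page, not code from the CDOT deck or the state’s tooling: it runs a sliding-window brute-force detector over constructed Windows logon events and raises the severity when the account that finally logs on is privileged. Event IDs 4625/4624, the addresses, the account names and the privileged-account set are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows logon events (4625 = failed logon, 4624 = success).
# Tuple fields: timestamp, event id, target account, source address. Not real CDOT data.
BASE = datetime(2018, 2, 19, 10, 0, 0)
SAMPLE_EVENTS = (
    # 40 failed attempts, one every 30 s, then a success from the same source
    [(BASE + timedelta(seconds=30 * i), 4625, "testadmin", "203.0.113.7") for i in range(40)]
    + [(BASE + timedelta(minutes=21), 4624, "testadmin", "203.0.113.7")]
    # a user who mistyped a password twice and then got in: must not alert
    + [(BASE + timedelta(minutes=i), 4625, "jdoe", "10.0.0.5") for i in range(2)]
    + [(BASE + timedelta(minutes=3), 4624, "jdoe", "10.0.0.5")]
)
# Constructed: accounts with admin rights that should never sit on a test system
PRIVILEGED_ACCOUNTS = {"testadmin"}


def detect_bruteforce(events, threshold=20, window=timedelta(minutes=10)):
    """Flag (source, account) pairs with >= threshold failed logons inside a sliding
    time window, and any later successful logon from the same pair (likely compromise).
    Returns a list of (alert_type, source, account, detail) tuples."""
    by_key = defaultdict(list)
    for ts, eid, acct, src in sorted(events, key=lambda e: e[0]):
        by_key[(src, acct)].append((ts, eid))
    alerts = []
    for (src, acct), seq in by_key.items():
        recent, burst = [], False
        for ts, eid in seq:
            if eid == 4625:
                # keep only failures that fall inside the window ending at this event
                recent = [t for t in recent if ts - t <= window] + [ts]
                if len(recent) >= threshold and not burst:
                    burst = True
                    alerts.append(("brute_force", src, acct, len(recent)))
            elif eid == 4624 and burst:
                sev = "critical" if acct in PRIVILEGED_ACCOUNTS else "high"
                alerts.append(("success_after_burst", src, acct, sev))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample this yields one brute-force alert once 20 failures land inside ten minutes and one critical success-after-burst alert for the privileged account, while the two-typo user produces nothing.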
Incident Handling Process: Identify
What It Did
Ø Equipment
  § 1274 laptops (39%) and 427 desktops (81%)
  § 339 servers
  § 158 databases
  § 154 software applications
  § All VoIP phones
Ø Consider:
  § How do you pay employees & contractors without the payroll software application?
  § How do you communicate with internal and external stakeholders without email/conference call?
  § What do you tell external contractors when you disconnect them from your network?
Incident Handling Process: Containment
Timeline
How We Responded
Ø Business Response
  § Continuity of Operations
    • Internal – employees
    • External – customers
  § Recovery Priorities
    • Operate Financial Systems
    • Protection of Traffic Control Systems
    • Back to Business
Ø Cyber Incident Response
  § Secure the State Network
    • Contain the attack
    • Secure the Colorado State Network
  § Recovery Priorities
    • Eradicate the malware
    • Secure CDOT
    • Rebuild (Sustainment) CDOT networks
Ø Emergency Response
  § Understand the Problem Sets
  § Understand the Stakeholder interests
  § Develop common priorities
  § Create unity of effort
    Blocks 3 & 4 of ICS 202 Incident Action Plan
  § Referee
Incident Handling Process: Eradicate
The Cyber Players (as designed(ish))
Gov’s Office
Unified Coordination Group
State Chief Information Security Officer & Cyber Incident Response Team
  Malware Team
    • Office of Information Technology
    • Vendors
    • National Guard
    • DHS Hunt & Incident Response Team
  Network Team
    • Office of Information Technology
    • Vendors
    • National Guard
  Endpoint Team
    • Office of Information Technology
    • Vendors
CDOT ICP
The Cyber Players (what really happened(ish))
Vendor HQs & PMs
Gov’s Office
Unified Coordination Group
CDOT
CDOT ICP
FEMA
Dept of Homeland Security
State Chief Information Security Officer & Cyber Incident Response Team
  Malware Team
    • Office of Information Technology
    • Vendors
    • National Guard
    • DHS Hunt & Incident Response Team
  Network Team
    • Office of Information Technology
    • Vendors
    • National Guard
  Endpoint Team
    • Office of Information Technology
    • Vendors
Incident Handling Process: Recovery
What We’d Do Differently
Ø Deploy Incident Command (Unified Command Group) sooner
Ø Define lanes and organize by tasks sooner
Ø Clarify lanes and roles with vendors sooner
Ø Synchronize the operational rhythms sooner (CDOT, Cyber Response, UCG)
Ø Stop chasing the bad guy sooner
Key Takeaways
Ø Define your Cyber Incident Response Team
  § Exactly who does exactly what??
    • Network team
    • Malware team
    • Endpoint team
  § Rehearse (no really – rehearse…)
Ø Seriously address Cyber in your COOP
  § Holistic approach – not just an IT problem
  § What’s at risk? What will you do?
  § CDOT Senior Executive: “Our COOP was better suited for a meteor hit than a cyber attack”
Ø Do cyber response exercises that include Cyber, Emergency Management and Business responses
Ø Mitigate. You mitigate for other risks, so do it for this one
  § Secure backup = mitigation
Ø It’s an incident – act like it!
  § P.S. don’t freak out – it’s an incident, you’ve done this before
Ø Public Information Officers matter!
Incident Handling Process: Lesson Learned