Information for IT staff: First aid in the event of a serious IT security incident

In January 2020, the German Federal Office for Information Security (BSI) published a working paper describing the orderly handling of a serious security incident by the responsible IT personnel.

This information is aimed at IT personnel, not end users.

The original publication can be found here: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Themen/Ransomware_Erste-Hilfe-IT-Sicherheitsvorfall.pdf?__blob=publicationFile&v=3

The document comprises 28 pages.

Here is a brief summary of the most important points:

First of all: in case of a serious IT security incident, please inform the CISO of the TU Braunschweig and the Gauss IT Centre at the e-mail address informationssicherheit@tu-braunschweig.de and/or the IT Service Desk at telephone (0531-391-)555555.

Abstract

  • Stay calm and do not act hastily.
  • Set up a crisis team (or a project group).
  • Regularly clarify the following questions:
    • Who will do what by when?
    • Which daily tasks can be left for dealing with the incident?
    • Who makes the relevant decisions?
    • Should systems be quickly put back in place or traces secured?
    • Who communicates what to whom and when?
    • Do you want to file charges?
    • Think about reporting obligations.
  • If necessary, get external support at an early stage.
  • Data that is important for emergency operations in the short term may also be located in remote offices or on
  • systems of employees on leave who are not (yet) affected.

  • First rule: Under no circumstances should a login with privileged user accounts (administrator accounts) be made on a potentially infected system while the system is still in the internal productive network or connected to the Internet!
  • Potentially infected systems should be isolated from the network immediately to prevent further spread of the malware in the network through lateral movement.
    • To do this, disconnect the network cable.
    • Do not shut down or switch off the device.
    • If necessary, create a forensic backup incl. memory image for later analyses (own, by service providers or law enforcement agencies).
  • Identify the malicious programme(s). For ransomware, you can use the sites “No More Ransom” https://www.nomoreransom.org/ and “ID Ransomware” https://id-ransomware.malwarehunterteam.com/. If there are already decryption tools for the ransomware, this will be indicated there – but the probability of this is low.
    In some cases, the name of the ransomware is also included in the usually displayed extortion letter or is added to the encrypted files as a file name extension.
    You can then find information on a known ransomware with the help of common search engines.
  • The malware sometimes makes profound (security-relevant) changes to the infected local system that cannot simply be undone.
    The BSI therefore generally recommends that infected local systems be considered completely compromised and rebuilt.
  • Advanced malware variants such as Trickbot can spread laterally in the network with spied-out access data for user accounts (possibly with administrative rights).
    Note the problem of a “golden ticket” and compromises of domain controllers and server systems (reset Active Directory and all domain-joined systems).
    If this cannot be done quickly, the password of the built-in Key Distribution Service Account (KRBTGT) must be reset twice. This will invalidate all Golden Tickets created with the previously stolen KRBTGT hash and all other Kerberos tickets http://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf – especially chapter 3.2.
  • All credentials stored on affected systems or entered after the infection should be considered compromised and passwords changed.
    This includes, but is not limited to, web browsers, email clients, RDP/VNC connections and other applications such as PuTTY, FileZilla, WinSCP, etc.
  • Block any remote connection that is not absolutely necessary, monitor network traffic and run anti-virus scans to rule out further infections and perpetrator access.
  • Check that you have clean backups with integrity.
  • In the case of an encryption that has already taken place, you should generally not respond to the extortion and not pay a ransom. Instead, the data should be restored to a clean network of backups.
  • A persistence of malware in the BIOS or even the hardware is very rare and has not been used by widely distributed malware so far.
  • In order to exclude future further access by the perpetrators to the internal network and a renewed spread of malware, the network should definitely be completely rebuilt in the event that the AD is compromised. This can be done after a quick clean-up, possibly also in the long term after ensuring operational capability.