Tag Archive for: responders

Outrageous Stories From Three Cyber Incident Responders


Working in cyber incident response can certainly make life interesting. Experiences typically run the gamut: exciting, dull, fun, repetitive and challenging.

IBM Security commissioned a study from Morning Consult that surveyed over 1,100 cybersecurity incident responders across ten countries. Unsurprisingly, over two-thirds of respondents experienced daily stress or anxiety due to the pressures of responding to a cyber incident. Despite the challenges, responders are willing to take on the IR role because of their exemplary sense of duty.

But perhaps one of the underrated perks of working in incident response is the ability to tell outrageous true stories. We spoke with three incident responders about some of the most exciting experiences they’ve had working in the field. 

Shadow IT: Ransomware Gone Wild

Michael Clark, Director of Threat Research at Sysdig, was on an IR engagement in which a workstation was connected to both a cable modem and the internal network.

“We traced through countless machines back to a lab system no one knew about,” Clark said. “It was dual-homed (two network cards), one connected to the corporate network, the other to a cable modem on the Internet.”

Clark also responded to an incident where malware was spreading using a Windows vulnerability, and the client couldn’t patch their systems quickly.

“We had to deploy EDR to isolate infected systems while also not bringing down the whole network until they could green-light a patch,” he said.

The network was compromised with worm-like ransomware, so it would constantly traverse the network looking for new systems to compromise.

“What made this one interesting was the vulnerability exploited couldn’t be easily patched, and it affected the Active Directory infrastructure,” he said. “A new gold image had to be made and tested first because if you brought up a clean server without the patch, it would just be compromised again. So we had to keep as much isolated as we could with the network still operational while the new image was made. It was a bit of a balancing act.”

Punked by a Third-Party

Eric Florence is a cybersecurity consultant for securitytech.org and a former incident…


Hunting the hunters: How Russian hackers targeted US cyber first responders in SolarWinds breach


Over the course of a few months, as US officials remained unaware of the breach, hackers identified a handful of key cyber security officials and analysts who would be among the first to respond once the hack was detected, so-called ‘threat hunters,’ and attempted to access their email accounts, according to two sources familiar with the matter.

While it is unclear if any of those accounts were compromised, sources say the fact that the hackers knew which working-level cybersecurity analysts at the Department of Homeland Security to go after suggests they were able to develop a much deeper understanding of US cyberdefenses than was previously known.

“It appears as if the Russian SolarWinds hackers possess granular information on personnel and who among them is likely to be involved in investigating the SolarWinds hack,” said Cedric Leighton, a former NSA official and CNN military analyst. “This could mean that networks have been penetrated to a degree we’ve not known before. If that’s true, we need a complete housecleaning of all our defensive cyberoperations.”

The assessment that hackers deliberately targeted DHS threat hunters, which has not been previously reported, underscores how the SolarWinds attack was among the most sophisticated cyberoperations ever conducted against the US, according to current and former officials.

By keeping tabs on these cyber first responders, sources and experts tell CNN the hackers could have been able to monitor in real-time as US officials began to discover the attack, allowing them to tailor their actions accordingly and remain hidden for as long as possible.


“What this does is it shows a level of sophistication in terms of targeting those who are working actively to prevent the attacks from either occurring or expanding. And so that is different than what you’re seeing in past cyberattacks,” former acting DHS undersecretary Chris Cummiskey told CNN.

“The level of sophistication is problematic because they’re actually going after people that they see as more valuable, so it shows a sense of prioritization,” he added.

While emails belonging to the senior-most cyber officials, including Chris Krebs, the former director of the Cybersecurity…


In-vehicle wireless devices are endangering emergency first responders


In late 2016, security researcher Justin Shattuck was on assignment for an organization that was under a crippling denial-of-service attack by a large number of devices, some of which appeared to be hosted inside the network of a large European airport. As he scanned the airport’s network from the Internet—and later, with the airport operators’ permission, from inside the network—he was eventually able to confirm that the devices were indeed part of several previously unseen botnets that were delivering record-setting denial-of-service attacks on websites.

One of the infected devices was a wireless gateway from Sierra Wireless. Authorized IT administrators used it to connect to the airport network in the event that primary connection methods failed. Surprised that such a sensitive piece of equipment could become a foot soldier in a denial-of-service attack, Shattuck began to investigate. What he found shocked him. Not only did an Internet scan show that 40,000 such gateways were running in other networks, but a large percentage of them were exposing a staggering amount of sensitive data about the networks they were connected to.

Affecting human life

Worse still, it turned out that many of the unsecured gateways were installed in police cars, ambulances, and other emergency vehicles. Not only were the devices openly broadcasting the locations of these first responders, but they were also exposing configurations that could be used to take control of the devices and, from there, possibly control dash cameras, in-vehicle computers, and other devices that relied on the wireless gateways for Internet connections.


Biz & IT – Ars Technica

This mobile security app could have aided responders in Paris – Geektime


In the aftermath of the attacks that rocked the city of Paris on Friday night, claiming the lives of nearly 130 people and grievously wounding hundreds more, many people are already asking how the chaotic situation could have been handled differently.
