# Infragard Intro
- You can join InfraGard online
- Partnership between the FBI and the private sector
- SSRP (Sector Security and Resiliency Program) - sector chiefs can organize events around the critical infrastructure sectors
- You can assist the sector chiefs
- Chapter site: secureindiana.org
# Ransomware & Cyberpocalypse - Steve Long
- Steve Long, CEO and President, Hancock Regional
- Why talk about it: so others learn to prepare
## Hancock Regional
- 1,400 employees, 3 or 4 campuses
- East Central Indiana
## The Response
- Figure out how to establish a command center if the network gets locked down
- How to communicate with customers and employees
- Used Diagnotes to communicate
- Have paper processes planned in case of failure
- Test large scale
- Will you be able to use preferred firms?
- Establish call cadence
- Forensics investigation: identify, contain, eradicate, remediate
- Log review found:
- Malware came in through a vendor's RDP access credentials
- The attacker had only a limited window of access time
- Pure ransom: no exfiltration, no persistence
- SamSam variant
- It all came down to bad password hygiene
- To pay or not to pay
- Deterrent argument: don't pay
- Do you have backups?
- CBA (cost-benefit analysis)
- Paying makes you a bigger target
- They may ask for more money
- They paid
- It takes hours to get bitcoin
- You have to go on the dark web
- A lot cheaper than these days: about $56k
- Legal analysis
- Exfiltration is a huge deal under HIPAA
- Had to prove it didn't occur
- HOWEVER, now encryption alone is enough to make it a reportable incident
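The log-review findings above (vendor RDP credentials, a short access window, weak passwords) are the kind of thing a detection over Windows logon events catches before the ransom note. The script below is an added example, not code from the talk or from Hancock Regional: it audits RDP logons (event 4624/4625, logon type 10) by accounts listed in a hypothetical vendor policy and flags a success that comes from an unexpected source, outside the approved maintenance window, or right after a run of failed attempts. The events, account name, IPs and policy are all constructed samples.

```python
"""Added example, not from the talk: audit RDP logons by vendor accounts.

Events are constructed to mirror the fields of Windows Security events
4624 (logon success) and 4625 (logon failure): timestamp, event id,
logon type, account, source address. The vendor policy is hypothetical.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

RDP_LOGON_TYPE = 10  # LogonType 10 = RemoteInteractive (RDP)


@dataclass(frozen=True)
class VendorPolicy:
    allowed_sources: frozenset  # IPs the vendor is expected to arrive from
    window_start: time          # approved maintenance window (same calendar day)
    window_end: time


# Hypothetical policy: one vendor account, one allowed source, business hours.
VENDOR_POLICY = {
    "svc_vendor_ehr": VendorPolicy(frozenset({"203.0.113.10"}), time(8, 0), time(18, 0)),
}

# Constructed sample events: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2018-01-11T14:02:11", 4624, 10, "svc_vendor_ehr", "203.0.113.10"),  # expected use
    ("2018-01-11T21:55:03", 4625, 10, "svc_vendor_ehr", "198.51.100.77"),  # guesses...
    ("2018-01-11T21:56:18", 4625, 10, "svc_vendor_ehr", "198.51.100.77"),
    ("2018-01-11T21:57:41", 4625, 10, "svc_vendor_ehr", "198.51.100.77"),
    ("2018-01-11T21:58:40", 4624, 10, "svc_vendor_ehr", "198.51.100.77"),  # ...then success
    ("2018-01-11T22:10:00", 4624, 10, "jsmith", "10.0.5.21"),              # staff, not a vendor
    ("2018-01-11T22:11:30", 4624, 3, "svc_vendor_ehr", "10.0.5.21"),        # network logon, not RDP
]


def parse_event(raw):
    """Turn one sample tuple into a dict with a real datetime."""
    ts, event_id, logon_type, account, source_ip = raw
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "account": account, "source_ip": source_ip}


def in_window(ts, policy):
    """True if the logon time falls inside the approved window (assumed not to cross midnight)."""
    return policy.window_start <= ts.time() <= policy.window_end


def audit_vendor_rdp(events, policy=VENDOR_POLICY, spray_threshold=3):
    """Return (timestamp, account, source_ip, reasons) for each suspicious vendor RDP success."""
    findings = []
    failures = Counter()  # (account, source_ip) -> failed attempts since the last success
    for raw in sorted(events):  # ISO timestamps sort lexicographically, so this is time order
        ev = parse_event(raw)
        pol = policy.get(ev["account"])
        if pol is None or ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # not a vendor account, or not an RDP logon
        key = (ev["account"], ev["source_ip"])
        if ev["event_id"] == 4625:
            failures[key] += 1
            continue
        reasons = []
        if ev["source_ip"] not in pol.allowed_sources:
            reasons.append("unexpected source")
        if not in_window(ev["ts"], pol):
            reasons.append("outside maintenance window")
        if failures[key] >= spray_threshold:
            reasons.append(f"{failures[key]} failed attempts preceded success")
        failures[key] = 0  # a success closes the failure run
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["account"], ev["source_ip"], reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_vendor_rdp(SAMPLE_EVENTS):
        print(*finding)
```

Run against the sample, only the 21:58 success is reported, with all three reasons; the staff logon and the vendor's non-RDP network logon are ignored. In a real deployment the tuples would come from the SIEM or from `Get-WinEvent` output, and the policy from the vendor-management records the talk recommends keeping.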
## Preparation
- IR plan
- Tabletop time
- Ensure insurance coverage includes your preferred list of vendors
- Lots of caveats in the policy
- Ensure vendor liability if a vendor is the one to blame for an attack
- Basic controls:
- risk assessment
- remediation plan
- patching
- Hospital uses KACE for patching
- MFA
- Vendor management
- pentests
- workforce training
- behavior-based EDR
- Moved from Cylance to SentinelOne
- TV coverage can affect optics during an incident
## Post-Attack: Another Attack
- AI-based protection and tons of improvements since the first incident
- 2 months ago
- Gootloader leading into Cobalt Strike
- Usually starts with people clicking on stuff
## Other Takeaways
- Ransomware has evolved to include data extortion
- Use burner emails during an incident
# How the FBI Can Help - Communications Sector Threats
## Threats
- Nation states want PII
- BGP attacks?
- Examples:
- T-Mobile 2018 and 2019
- Operation Soft Cell
- Attacks against telecoms
- Wireless
- SIM swaps still happening
- Nation state:
- Supply chain attacks
- Surveillance
- Incident Response
- Give them TTPs and IOCs
- They can tell you what the attacker usually does and what to look for
## Planning
- Out-of-band communications
- Offsite/offline backups
- Phishing, as always
- OFAC (Office of Foreign Assets Control) - federal office; you need an attorney or negotiator to get clearance before paying, since paying a sanctioned actor is a violation
- Banks file SARs, those go to FinCEN, then to OFAC
## Reporting
- BEC: report at IC3.gov or tips.fbi.gov
- Report rapidly
- IC3 command post runs 24/7
- Recovery Asset Team (RAT)
- They don't need to wait on subpoenas
- They have connections to banks
# Threats and Resources from CISA
- They protect .gov websites
- Non-regulatory agency; its services are voluntary
- .mil is not under CISA's FISMA oversight
- DISA oversees those instead
- Cybersecurity Advisor program
- When you call the FBI you get a random lead
- First to answer gets the incident
- Don't be a repeat customer
- CISA has 10 regions, each with its own email
- Great partnerships in our region (Region 5)
- Mothership: 27 buildings in the D.C. area
- Joseph Henry
- Supervisor over 4 other advisors in Illinois
- Shetrice
- Another advisor, from McCordsville
## Cross-Sector Cybersecurity Performance Goals (CPGs)
- High-impact fundamentals: basic guidelines and activities you can perform
- Cover both IT and OT/ICS
- Also provide justification for expenditure
## Some Services
- Quick Nessus scans (vulnerability scanning)
- Cyber Resilience Review (CRR)
- External Dependencies Management (EDM) assessment
- Tabletop exercises
- Training
- Ransomware Vulnerability Warning Pilot (RVWP)
- At least 12 warnings a week right now
- They'll call you and read off the warning signs; you just write it down
## Cyber Information Sharing
- cybersecurity advisories
## Response Numbers
- IOT (Indiana Office of Technology)
- CISA phone number or email
- FBI field office
## Vuln Catalog
- Known Exploited Vulnerabilities (KEV) catalog: CVEs with confirmed exploitation in the wild, each with a remediation due date
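The practical use of the KEV catalog is as a prioritization filter over whatever your scanner already reports. The script below is an added example, not CISA's code: it loads a catalog in the shape of CISA's published JSON feed (the real URL is kept in a comment), cross-checks a small asset inventory against it, and orders the hits by known ransomware use and days past the due date. The two-entry catalog, its dates and flags, and the inventory are constructed samples so the script runs offline; absence from this sample catalog says nothing about the real one.

```python
"""Added example, not CISA's code: triage an inventory against a KEV-shaped catalog.

The live feed (not fetched here) is
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and its records carry the field names used below. The catalog contents,
dates and flags in SAMPLE_KEV_JSON are sample values, not CISA's published ones.
"""
import json
from datetime import date, datetime

# Constructed two-entry catalog in the feed's record shape (sample dates/flags).
SAMPLE_KEV_JSON = json.dumps({
    "title": "sample KEV catalog (constructed)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-44228",
            "vendorProject": "Apache",
            "product": "Log4j2",
            "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
            "dateAdded": "2021-12-10",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2021-12-24",
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-2019-0708",
            "vendorProject": "Microsoft",
            "product": "Remote Desktop Services",
            "vulnerabilityName": "Microsoft Remote Desktop Services Remote Code Execution Vulnerability",
            "dateAdded": "2021-11-03",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-01-03",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed inventory: host -> CVEs the scanner reported on it.
SAMPLE_INVENTORY = {
    "ehr-app-01": ["CVE-2021-44228", "CVE-2021-45046"],
    "vendor-jump-01": ["CVE-2019-0708"],
    "hr-web-01": [],
}

SAMPLE_TODAY = date(2022, 1, 10)  # fixed "today" so the example is reproducible


def load_kev(json_text):
    """Index catalog records by CVE ID."""
    data = json.loads(json_text)
    return {rec["cveID"]: rec for rec in data["vulnerabilities"]}


def triage(inventory, kev, today):
    """Return one finding per (host, CVE) present in the catalog, most urgent first."""
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            rec = kev.get(cve)
            if rec is None:
                continue  # not in the catalog: still a vuln, just not a KEV hit
            due = datetime.strptime(rec["dueDate"], "%Y-%m-%d").date()
            findings.append({
                "host": host,
                "cve": cve,
                "product": f'{rec["vendorProject"]} {rec["product"]}',
                "ransomware": rec.get("knownRansomwareCampaignUse") == "Known",
                "days_overdue": (today - due).days,  # negative means not yet due
                "action": rec["requiredAction"],
            })
    # Known ransomware use first, then most overdue, then host name for stable output.
    findings.sort(key=lambda f: (not f["ransomware"], -f["days_overdue"], f["host"]))
    return findings


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for f in triage(SAMPLE_INVENTORY, catalog, SAMPLE_TODAY):
        flag = "RANSOMWARE " if f["ransomware"] else ""
        print(f'{flag}{f["host"]} {f["cve"]} ({f["product"]}) overdue {f["days_overdue"]}d: {f["action"]}')
```

To run this against the live catalog, replace SAMPLE_KEV_JSON with the body fetched from the feed URL above and SAMPLE_TODAY with date.today(); the record fields are the same. The ordering puts the Log4j hit on the EHR host ahead of BlueKeep on the vendor jump box, which is the order a CPG-style patching plan would work them in.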
## What about phone calls
- IC3 fraud hotline
## FBI vs CISA
- CISA is asset response: call them if you want to protect or save your stuff
- FBI is threat response: call them if you want to put someone in jail
## Utilities
- Regulated energy??
- Wabash energy???
- NERDVERC?
## Reporting Benefits
- Report when you can, because it gets into the database
## Other Takeaways
- Often they go for smaller organizations first and just sell the access on as "initial access brokers"
- You're going to burn down and rebuild the network after you pay anyway
- Oldsmar water treatment breach
- TRISIS / Saudi Aramco - covered on Darknet Diaries
- Smishing, SMS, SIM and phone attacks are complex, and the controls are immature or not deployed at scale across the industry