What We Learned
Key Takeaways from the 2018 Ransomware Attack on Colorado Department of Transportation February – March 2018
Topics
Ø How It Happened
Ø What It Did
Ø Timeline
Ø How We Responded
§ Business Response
§ Cyber Incident Response
§ Emergency Response
Ø The Cyber Players
Ø What We’d Do Differently
Ø Key Takeaways
How It Happened
Ø CDOT brought a virtual server on to test a new business process
Ø Virtual server connected to the CDOT network
Nothing wrong with that, right?
Ø Virtual server also connected to the internet
Umm, nothing wrong with that, right???
Ø It was a test system, so it didn’t have standard security controls
Uh…
Ø It was set up using a domain administrator account
OH #$%&
What It Did
Ø Equipment affected
§ 1274 laptops (39%) and 427 desktops (81%)
§ 339 servers
§ 158 databases
§ 154 software applications
§ All VoIP phones
Ø Consider:
§ How do you pay employees & contractors without the payroll software application?
§ How do you communicate with internal and external stakeholders without email/conference calls?
§ What do you tell external contractors when you disconnect them from your network?
How We Responded
Ø Business Response
§ Continuity of Operations
§ Recovery Priorities
Ø Cyber Incident Response
§ Secure the State Network
§ Recovery Priorities
Ø Emergency Response
§ Understand the problem sets
§ Understand the stakeholder interests
§ Develop common priorities
§ Create unity of effort
§ Referee
The Cyber Players
Blocks 3 & 4 of ICS 202 Incident Action Plan
Org chart (as extracted from the slide):
Ø State Chief Information Security Officer & Cyber Incident Response Team
Ø Unified Coordination Group
§ CDOT ICP
§ Gov’s Office
§ FEMA
Ø Technology teams
§ Malware Team
§ Response Team
§ Network Team
§ Endpoint Team
Org chart, expanded (as extracted from the slide):
Ø State Chief Information Security Officer & Cyber Incident Response Team
Ø Unified Coordination Group
§ CDOT
§ Gov’s Office
§ Dept of Homeland Security
§ CDOT ICP
Ø Technology teams
§ Malware Team
§ Response Team
§ Network Team
§ Endpoint Team
Ø Vendor HQs & PMs
What We’d Do Differently
Ø Deploy Incident Command (Unified Command Group) sooner
Ø Define lanes and organize by tasks sooner
Ø Clarify lanes and roles with vendors sooner
Ø Synchronize the operational rhythms sooner (CDOT, Cyber Response, UCG)
Ø Stop chasing the bad guy sooner
Key Takeaways
Ø Define your Cyber Incident Response Team
§ Exactly who does exactly what??
§ Rehearse (no really – rehearse…)
Ø Seriously address Cyber in your COOP
§ Holistic approach - not just an IT problem
§ What’s at risk? What will you do?
§ CDOT Senior Executive: “Our COOP was better suited for a meteor hit than a cyber attack”
Ø Do cyber response exercises that include Cyber, Emergency Management and Business responses
Ø Mitigate. You mitigate for other risks, so do it for this one
§ Secure backup = mitigation
Ø It’s an incident – act like it!
§ P.S. don’t freak out – it’s an incident, you've done this before
Ø Public Information Officers matter!