The Need for Crowdstrike

Ireland’s health service has been subjected to a serious ransomware attack. This was discovered in the early hours of Friday morning and the issues are still being worked through. The impact on health services has been devastating, with many appointments cancelled next week.

https://news.sky.com/story/irelands-health-service-shuts-dow…

Apparently this was a “Day 0” attack, i.e. of a type never seen before. This brings into sharp focus just how crucial Crowdstrike’s services are, how sticky they are and just how large its TAM is.

Alex

9 Likes

This is not a zero day attack. It’s Conti Ransomware.

A zero day attack refers to a computer intrusion whose exploit is a previously undisclosed vulnerability. Furthermore, ransomware isn’t a zero day; it drops the payload after pivoting off a vulnerability, typically through a Business Email Compromise. From there, a command and control (C2) server is set up to establish persistence. Attacks then focus on gaining root access at the Domain Controller to coordinate the encryption execution. Recent ransomware techniques include exfil of data to further extort and compel a victim to pay the ransom. Once exfil is done, the process to encrypt backups, domain controllers, file servers and identified pertinent company files begins, but only after full compromise of these systems to ensure maximum effect.

To combat this you only have 2 basic choices. Restore from backup or pay the ransom. The 1st choice requires executing an Incident Response plan and a Disaster Response plan.

Third parties like CRWD can assist in both. In addition, the victim will want to share the following with law enforcement for additional follow up:

Indicators of Compromise (IOCs): These details ID the ransomware variant, the actor IPs and other evidence such as malware files…like DLLs.

Tools, Techniques, and Procedures (TTPs): Keep in mind, ransomware is the payload! Not the genesis of the compromise. How the actors gained access to your system is crucial to identify what vulnerability they exploited to drop ransomware. Perhaps it was a vulnerability they could exploit with Metasploit after scanning the system with Nmap. Perhaps they did OSINT to recognize certain people who work in IT for the organization who could fall victim to a BEC while logged in as a Domain Admin?

Furthermore, the victim should provide the bitcoin address to authorities if the ransom is paid to follow the transactions.

To prevent ransomware, the organization needs to perform a cyber hygiene assessment to see where they stand. Next comes building a robust incident response and disaster plan.

Finally, cyber security isn’t a case of spending X amount and you are done. NO!!! It’s recognizing you WILL have an incident and are you prepared to triage? It’s a constant process that evolves as the actors evolve.

CRWD is uniquely positioned to answer this NEED, but I just wanted to explain to everyone some fundamentals about ransomware.

~Bizkikr

87 Likes
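The post above distinguishes two kinds of evidence a victim hands to responders: atomic IOCs (actor IPs, malware hashes) and the behaviour of the intrusion (the TTPs, ending in mass encryption of file shares). The script below is an added example, not code from the original post or from CrowdStrike, showing how both are used in a hunt over endpoint and file-server logs. The log format, hostnames, process names, IP addresses and hashes are all constructed for the example (the IPs are from documentation ranges, the hash is SHA-256 of an empty string standing in for a malicious DLL); a real hunt would read the organisation's EDR or SIEM export and a vetted IOC feed instead.

```python
"""Added example (not from the original forum post): hunt constructed log lines
for (a) exact IOC matches and (b) the behaviour of the encryption stage, a burst
of file renames to one new extension from a single process on a file server.
The behavioural check is what catches a ransomware family whose hashes and IPs
are not yet in any IOC list."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Hypothetical IOC list for the example; real values would come from the
# incident's threat-intel report.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_SHA256 = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# Constructed log lines. Format (made up for this example):
#   <ISO timestamp> <host> <event> key=value key=value ...
SAMPLE_LOGS = r"""
2021-05-14T01:02:03Z ws-042 NET_CONNECT pid=4120 proc=rundll32.exe dst=203.0.113.45:443
2021-05-14T01:02:09Z ws-042 FILE_LOAD pid=4120 proc=rundll32.exe path=C:\Users\jdoe\AppData\Local\Temp\x.dll sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2021-05-14T01:03:30Z ws-042 NET_CONNECT pid=2200 proc=chrome.exe dst=192.0.2.10:443
2021-05-14T02:10:00Z fs-01 FILE_RENAME pid=9001 proc=wbengine.exe src=D:\share\q1.xlsx dst=D:\share\q1.xlsx.locked
2021-05-14T02:10:02Z fs-01 FILE_RENAME pid=9001 proc=wbengine.exe src=D:\share\q2.xlsx dst=D:\share\q2.xlsx.locked
2021-05-14T02:10:04Z fs-01 FILE_RENAME pid=9001 proc=wbengine.exe src=D:\share\q3.docx dst=D:\share\q3.docx.locked
2021-05-14T02:10:06Z fs-01 FILE_RENAME pid=9001 proc=wbengine.exe src=D:\share\budget.pdf dst=D:\share\budget.pdf.locked
2021-05-14T02:10:08Z fs-01 FILE_RENAME pid=9001 proc=wbengine.exe src=D:\share\notes.txt dst=D:\share\notes.txt.locked
2021-05-14T02:10:10Z fs-01 FILE_RENAME pid=9001 proc=wbengine.exe src=D:\share\plan.pptx dst=D:\share\plan.pptx.locked
2021-05-14T02:30:00Z fs-01 FILE_RENAME pid=1500 proc=explorer.exe src=D:\share\old.txt dst=D:\share\old.bak
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class LogEvent:
    ts: datetime
    host: str
    event: str
    fields: dict


def parse_line(line: str) -> LogEvent:
    """Parse one line of the constructed format into a LogEvent."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts_raw, host, event, rest = m.groups()
    ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return LogEvent(ts, host, event, dict(KV_RE.findall(rest)))


def parse_logs(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def ioc_hits(events: list) -> list:
    """Exact matches against the IOC list: (host, proc, kind, value)."""
    hits = []
    for e in events:
        ip = e.fields.get("dst", "").rsplit(":", 1)[0]   # strip the port
        if ip in IOC_IPS:
            hits.append((e.host, e.fields.get("proc"), "ip", ip))
        h = e.fields.get("sha256", "").lower()
        if h in IOC_SHA256:
            hits.append((e.host, e.fields.get("proc"), "sha256", h))
    return hits


def _ext(path: str) -> str:
    """Extension of a Windows or POSIX path, without the dot, lower-cased."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def rename_bursts(events: list, threshold: int = 5, window_seconds: int = 60) -> list:
    """Behavioural check: flag (host, pid, proc, new_ext, count) where one process
    changed the extension of at least `threshold` files inside any window of
    `window_seconds`. Thresholds are assumptions for the example and should be
    tuned against a baseline of normal activity on the share."""
    groups = defaultdict(list)
    for e in events:
        if e.event != "FILE_RENAME":
            continue
        new_ext = _ext(e.fields.get("dst", ""))
        if new_ext and new_ext != _ext(e.fields.get("src", "")):
            key = (e.host, e.fields.get("pid"), e.fields.get("proc"), new_ext)
            groups[key].append(e.ts)
    flagged = []
    for key, times in groups.items():
        times.sort()
        window, best = deque(), 0
        for t in times:                       # sliding window over sorted timestamps
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            best = max(best, len(window))
        if best >= threshold:
            flagged.append((*key, best))
    return sorted(flagged)


def hunt(text: str) -> dict:
    events = parse_logs(text)
    return {"ioc_hits": ioc_hits(events), "rename_bursts": rename_bursts(events)}


if __name__ == "__main__":
    for kind, rows in hunt(SAMPLE_LOGS).items():
        print(kind)
        for row in rows:
            print("  ", row)
```

The two checks answer different questions the post raises: the IOC matches tie the intrusion to a known actor (the C2 address, the dropped DLL) and are what gets shared with law enforcement, while the rename burst is the encryption stage itself and fires for a family nobody has hashed yet, which matters because an IOC list is always one campaign behind.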

I’m not an expert in cybersecurity and am merely passing on the facts as reported in Ireland. As you can see from the link below, this was reported as a “zero day” attack. My post was purely intended as an illustration of the ever increasing need for cybersecurity.

https://www.dublinlive.ie/news/dublin-news/hse-attack-major-…

Alex

7 Likes