Our firm performed an incident response engagement for a Fortune 80 client that was impacted by the NotPetya ransomware. The client had over 60,000 impacted systems (endpoints and servers) that required remediation. As one of the day-one responders to the incident, my duties included being a member of a three-man investigative team that supported the multi-month investigation of the incident including reviewing logs to determine the original point of compromise, identifying points of lateral movement and proliferation through the environment, and subsequently producing a report to brief the C-Suite/Board of Directors on the summary of events.
Roles and Responsibilities:
- Root Cause Analysis via Splunk – Splunk was leveraged in tracking the ransomware’s lateral movement through the environment to determine endpoints of interest. Prior to the incident, Windows event logs were actively being forwarded to Splunk, and thus authentication events were backtraced to determine the original endpoint that was impacted (root cause analysis).
- Windows Event Log Analysis – In order to trace the ransomware traversal in the environment, Windows Event Logs in Splunk were analyzed to determine the authentication methods used by the ransomware and the behavior on the endpoint once the ransomware gained access. Windows Event IDs related to the incident were collected and cross-referenced with the threat intelligence/malware analysis produced by our firm and other vendors such as Cisco Talos, Crowdstrike, and Dell SecureWorks.
- Windows Active Directory HomeLab – Little was known of the NotPetya ransomware at the time of the engagement as it was a novel ransomware variant. To gain additional insight on the ransomware, I created an Active Directory (AD) homelab environment to mimic different scenarios to observe the ransomware’s behavior. These observations were then used to help us further in our investigative efforts of the unknown ransomware.
- Daily Briefs with Directors/CISO – During the engagement, there were daily briefs with numerous directors in the organization as well as the CISO. The daily briefs provided an opportunity to provide an update on the investigative efforts as well as disclosure of endpoint(s) of interest.
- Final Investigative Report – Our investigative efforts were compiled into a 30+ page report that provided extensive detail regarding the background of the ransomware, how the ransomware incident occurred, a detailed minute-by-minute breakdown of the ransomware’s progression in the environment, whether the organization was targeted or not, whether data was exfiltrated or not, and preliminary recommendations to improve the organization’s cybersecurity posture to avoid a similar attack in the future. This report was prepared in co-ordination with the legal counsel of the client and reviewed by our firm’s leadership team. The report was subsequently presented to the Board of Directors/C-Suite and was used as a business case for increased spending toward Cybersecurity Resiliency.
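The backtracing described under the Splunk and Windows Event Log items above can be illustrated in code. The following is an added example and is not the author's own Splunk searches or any artifact from the engagement: it walks successful network logons (Event ID 4624, Logon Type 3) backwards from a known-impacted host to find the earliest source in the chain. The event records, the IP-to-hostname inventory and the account name are constructed for the example; the field names follow common SIEM export conventions but are an assumption, not anything the write-up states. For each hop, the candidate infecting logon is taken to be the most recent inbound network logon that precedes the host's own first outbound logon inside the incident window, which is how a noisy later logon (here, WS-09 back to SRV-02) is kept from being mistaken for the infection path.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of Windows Security events as a SIEM might export them
# (one key=value record per line). The records are invented for this example.
SAMPLE_EVENTS = """\
_time=2017-06-27T09:00:00 EventCode=4624 Logon_Type=3 Account_Name=svc_backup Source_Network_Address=10.0.0.9 ComputerName=SRV-02
_time=2017-06-27T10:02:00 EventCode=4624 Logon_Type=2 Account_Name=jdoe Source_Network_Address=- ComputerName=WS-01
_time=2017-06-27T10:05:00 EventCode=4624 Logon_Type=3 Account_Name=svc_admin Source_Network_Address=10.0.0.1 ComputerName=SRV-02
_time=2017-06-27T10:09:00 EventCode=4624 Logon_Type=3 Account_Name=svc_admin Source_Network_Address=10.0.0.2 ComputerName=WS-07
_time=2017-06-27T10:12:00 EventCode=4624 Logon_Type=3 Account_Name=svc_admin Source_Network_Address=10.0.0.7 ComputerName=WS-09
_time=2017-06-27T10:15:00 EventCode=4672 Account_Name=svc_admin ComputerName=WS-09
_time=2017-06-27T10:20:00 EventCode=4624 Logon_Type=3 Account_Name=svc_admin Source_Network_Address=10.0.0.9 ComputerName=SRV-02
"""

# Constructed IP-to-hostname inventory (in a real case: DHCP leases, CMDB, DNS).
INVENTORY = {"10.0.0.1": "WS-01", "10.0.0.2": "SRV-02", "10.0.0.7": "WS-07", "10.0.0.9": "WS-09"}


@dataclass(frozen=True)
class Logon:
    time: datetime
    account: str
    src_host: str
    dst_host: str


def parse_events(text: str, inventory: dict[str, str]) -> list[Logon]:
    """Keep only successful network logons (4624 / Logon_Type 3), resolving the source IP to a hostname."""
    logons = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("EventCode") != "4624" or fields.get("Logon_Type") != "3":
            continue
        src_ip = fields["Source_Network_Address"]
        src = inventory.get(src_ip, src_ip)  # fall back to the raw IP if unknown
        logons.append(Logon(datetime.fromisoformat(fields["_time"]), fields["Account_Name"], src, fields["ComputerName"]))
    return sorted(logons, key=lambda l: l.time)


def backtrace(logons: list[Logon], start_host: str, window_start: datetime, account: str | None = None):
    """Walk inbound network logons backwards from an impacted host.

    For each host, the candidate infecting logon is the most recent inbound logon that occurred
    before the host's own first outbound logon within the window (a host cannot spread before
    it was reached). Returns (root_host, chain); root_host is None if the trail loops back on itself.
    """
    in_window = [l for l in logons if l.time >= window_start and (account is None or l.account == account)]
    chain: list[Logon] = []
    host = start_host
    visited = {host}
    while True:
        outbound = [l for l in in_window if l.src_host == host]
        bound = min(l.time for l in outbound) if outbound else datetime.max
        inbound = [l for l in in_window if l.dst_host == host and l.time < bound]
        if not inbound:
            return host, chain  # no earlier inbound logon: this host is the earliest point found
        hop = max(inbound, key=lambda l: l.time)
        chain.append(hop)
        if hop.src_host in visited:
            return None, chain  # cycle guard: the data is ambiguous, stop rather than loop
        visited.add(hop.src_host)
        host = hop.src_host


def run_example():
    """Backtrace from WS-09 (a known-impacted host) with the incident window starting at 10:00."""
    logons = parse_events(SAMPLE_EVENTS, INVENTORY)
    return backtrace(logons, "WS-09", datetime(2017, 6, 27, 10, 0), account="svc_admin")


if __name__ == "__main__":
    root, chain = run_example()
    for hop in reversed(chain):
        print(f"{hop.time:%H:%M}  {hop.src_host} -> {hop.dst_host}  ({hop.account})")
    print("earliest host in chain:", root)
```

Running it prints the chain WS-01 → SRV-02 → WS-07 → WS-09 and names WS-01 as the earliest host. The 09:00 logon is discarded by the window and the 10:20 logon is discarded because SRV-02 had already begun spreading at 10:09; both are the kind of legitimate service-account activity that clutters a real Splunk result set and has to be reasoned away before a host is declared the origin.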