Portable Sanitation Association International

Association Insight August 19, 2020

Issue link: http://psai.uberflip.com/i/1280285


ASSOCIATION INSIGHT Portable Sanitation Association International News BIWEEKLY EDITION AUGUST 19, 2020 Page 13

Cyber Security Issues Continue (continued from page 3)

The image at left shows what happens then.

The Case of ABC Company

In the late spring of 2020, a non-operator member of the PSAI was attacked by ransomware. The company is willing to share its experience, but for various reasons asks that we not use their name. This is "ABC" company's story in their own words.

ABC's security posture before the attack:

In early 2020, ABC experienced a significant security event. Most of the company's servers and the data they contain were encrypted by malicious actors who held the decryption key ransom.

Before this incident, ABC believed it had many layers of security that protected our systems. These included email security systems that blocked malicious attachments and banned sending servers that were repeatedly detected. ABC also used two different anti-virus products on our desktop computers and servers. Access to disk-based backup storage was limited to only certain accounts.

Despite ABC's preventative efforts, the malicious actors were able to get a foothold within the network. When it was over, we embarked on a lengthy forensic investigation and were able to gain some insight into what took place, although some uncertainty still remains, since system and network logs only go back so far.

During the investigation, we found that one of our users had clicked a phishing email and let the threat in. This same user's machine had been repeatedly attacked. The anti-virus software showed nearly a dozen attempts by Dridex to install on the machine, but thankfully, the anti-virus software was doing its job. The anti-virus software thwarted it each time until a newer zero-day variant of Dridex was able to make its way onto the machine.

The person who used that system opened a malicious attachment or clicked a link to a malicious site, and malware was installed on the system. Since even a standard user has some permission within the network, the "bad guys" were able to begin a discovery process and learn the topology of the network. Soon, they laid a trap in the system that would run their code when any administrator logged in, which eventually happened. This allowed them to perform additional tasks on other systems on the network, now that they were running with the highest privilege. Because of this privilege, they could even log in interactively (like Remote Desktop) to servers. Eventually, they deployed software to all systems on the network, and this software encrypted the file system when commanded to.

As a result, it took ABC's tech team nine days to restore access to all critical systems. It then took a few weeks to restore nearly all services.

ABC's actions since the attack:

Immediately after discovering what had happened, ABC began to see this as an opportunity disguised as a catastrophe.

Continued on page 14
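The two stages ABC describes above, an administrator logging in to the compromised user machine (which triggered the attackers' trap) and the attackers then using that privilege to log in interactively over Remote Desktop to server after server, both leave a footprint in Windows logon events. The following is an added example written for this page, not code from ABC or the PSAI; it runs two detection checks over a small, constructed set of logon records whose fields (account, logon type, target host) mirror what a SIEM would pull from a Windows 4624 event. The privileged-account list, host-naming convention and thresholds are assumptions chosen for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of logon records (not real ABC data). logon_type 2 is a
# local console logon; logon_type 10 is RemoteInteractive, i.e. Remote Desktop.
SAMPLE_EVENTS = [
    {"time": "2020-05-04T09:02:00", "user": "jsmith",    "logon_type": 2,  "host": "WS-017"},
    {"time": "2020-05-04T09:10:00", "user": "admin.ops", "logon_type": 2,  "host": "WS-017"},
    {"time": "2020-05-04T09:15:00", "user": "admin.ops", "logon_type": 10, "host": "SRV-FILE01"},
    {"time": "2020-05-04T09:21:00", "user": "admin.ops", "logon_type": 10, "host": "SRV-DB01"},
    {"time": "2020-05-04T09:27:00", "user": "admin.ops", "logon_type": 10, "host": "SRV-APP02"},
    {"time": "2020-05-04T09:33:00", "user": "admin.ops", "logon_type": 10, "host": "SRV-BACKUP"},
    {"time": "2020-05-04T09:40:00", "user": "admin.ops", "logon_type": 10, "host": "SRV-DC01"},
    {"time": "2020-05-04T10:05:00", "user": "helpdesk",  "logon_type": 10, "host": "WS-017"},
    {"time": "2020-05-05T14:00:00", "user": "helpdesk",  "logon_type": 10, "host": "WS-022"},
]

# Assumed list of privileged accounts; in practice this comes from directory
# group membership, not a hard-coded set.
PRIVILEGED_ACCOUNTS = {"admin.ops"}


def parse_events(events):
    """Copy the records with the ISO timestamp turned into a datetime."""
    return [dict(e, time=datetime.fromisoformat(e["time"])) for e in events]


def privileged_logons_on_workstations(events, privileged=PRIVILEGED_ACCOUNTS, ws_prefix="WS-"):
    """Flag every logon by a privileged account on a workstation (assumed to be
    named WS-*). ABC's trap fired when an administrator logged in to the
    compromised user machine, so admin credentials touching workstations is
    the exposure to alert on, and, as a control, to prevent with tiered admin."""
    return [(e["time"], e["user"], e["host"])
            for e in events
            if e["user"] in privileged and e["host"].startswith(ws_prefix)]


def rdp_fanout_alerts(events, window=timedelta(hours=1), min_hosts=4):
    """Return {account: sorted hosts} for accounts whose Remote Desktop logons
    (type 10) reach at least min_hosts distinct hosts inside any sliding window
    of length `window`. One account hopping across many servers within an hour
    is the server-by-server interactive logon stage ABC describes."""
    by_user = defaultdict(list)
    for e in parse_events(events):
        if e["logon_type"] == 10:
            by_user[e["user"]].append((e["time"], e["host"]))
    alerts = {}
    for user, sessions in by_user.items():
        sessions.sort()
        for i, (start, _) in enumerate(sessions):
            hosts = {h for t, h in sessions[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for hit in privileged_logons_on_workstations(SAMPLE_EVENTS):
        print("privileged logon on workstation:", hit)
    for user, hosts in rdp_fanout_alerts(SAMPLE_EVENTS).items():
        print(f"RDP fan-out by {user}: {', '.join(hosts)}")
```

On the sample, the helpdesk account's two RDP sessions a day apart are not flagged, while admin.ops is flagged twice: once for the console logon on WS-017, and once for reaching five servers over RDP in 25 minutes. The thresholds are deliberately simple; a real deployment would baseline each administrator's normal host count and treat the backup and domain controller hosts as higher-severity targets, since loss of backup access is what turns an intrusion into a multi-week recovery.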
