LIFARS Post Ransomware Threat Hunting Services

Post Ransomware Threat Hunting Services

LIFARS is offering a new and innovative service for the victims of ransomware attacks. Find out whether your infrastructure is still controlled by adversaries after you have contained the immediate ransomware threat.

Based on a warning from the EMR-ISAC and on the experience of LIFARS security professionals, the threat actors operating ransomware do not always leave the organization's computers and networks after they hold the data hostage until the ransom is paid. Instead, the adversary keeps lurking in the infrastructure, ready to reinfect the systems and ask for an additional ransom, or to steal data that will be leveraged for blackmail. Perhaps it will be sold on the Dark Web as well. This behavior was observed in several instances of ransomware incidents by the Ryuk, REvil and Maze operators.

This means that once ransomware has been removed from the network, a second “race” starts: making sure that the threat actor has been completely rooted out of the network, and that there is no backdoor still communicating back to the Command and Control servers.

A typical project is outlined below:

Days 1 – 2
A member of the LIFARS DFIR/CSIRT team discusses with you the availability of a central logging system or a SIEM, the level of auditing configured on your systems, the availability of network security monitoring, and whether indicators of compromise have been collected during or after the ransomware attack.

Day 3
LIFARS’ CSIRT examines the results from the discussions and formulates recommendations and suggestions such as servers to install, parameters to adapt, and log settings to configure.

Days 4 – 5
We assist your teams as needed to implement the approved recommendations.

Days 6 – 40
LIFARS’ CSIRT team performs a daily checkpoint (Monday through Friday; Saturday and Sunday as an extension) and determines whether there is any indication of the threat actor’s presence on the network. If so, our CSIRT team intervenes to contain and eradicate the threat.

Days 41 – 42
We compile the results of our checkpoints into a recommendations summary that we review with you. We also pass the tools to your teams for your internal security operations.

To detect the presence of the attacker LIFARS will perform the following:

Log analysis

LIFARS searches the logs for known indicators of compromise (“IOC”), both for the case at hand and from previously investigated cases.
LIFARS recommends collecting the logs from all servers on a central logging server. This includes the logs from the Microsoft Active Directory Domain Controllers, file servers, database servers, and web servers.
In addition to the server logs, the network logs, including firewalls, routers, IDS and IPS, should be sent to the central logging server.
If your company does not have a server for central log collection or a SIEM, LIFARS will help you install one, determine the right level of log and audit message generation, and configure the shipping of these logs to the server.

Endpoint threat hunt

While collecting the logs from all servers is feasible, collecting the logs from all devices might not be.
Should you not yet have a system at the device level, LIFARS will assist you in the installation of a system to interrogate the endpoints’ logs to search for indications of the presence of the threat actor.

Network security monitoring

LIFARS also recommends the installation of a network security monitoring system ideally at all major locations, and at least at the egress points. These systems work by capturing the traffic, looking for indicators of compromise, running the captured traffic against signatures indicative of malware and adverse activities, reconstructing the sessions as well as analyzing them.
This enables a security analyst to examine the traffic for abnormalities such as large transfers during off hours or periodic connections to unlikely destinations.
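The two abnormalities named above, beacon-like periodic connections and large off-hours transfers, as an added illustration that is not LIFARS tooling: it runs over constructed flow records (timestamp, source, destination, bytes out), with thresholds and the 20:00 to 06:00 off-hours window chosen as assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow records (timestamp, src, dst, bytes_out); not real data.
SAMPLE_FLOWS = [
    ("2021-03-02 02:10:00", "10.0.0.15", "203.0.113.7", 512),
    ("2021-03-02 02:20:03", "10.0.0.15", "203.0.113.7", 498),
    ("2021-03-02 02:30:01", "10.0.0.15", "203.0.113.7", 530),
    ("2021-03-02 02:39:58", "10.0.0.15", "203.0.113.7", 505),
    ("2021-03-02 02:50:02", "10.0.0.15", "203.0.113.7", 511),
    ("2021-03-02 03:05:00", "10.0.0.22", "198.51.100.9", 750_000_000),
    ("2021-03-02 09:00:00", "10.0.0.22", "192.0.2.10", 20_000),
    ("2021-03-02 11:45:00", "10.0.0.22", "192.0.2.10", 5_000),
    ("2021-03-02 14:30:00", "10.0.0.22", "192.0.2.10", 9_000),
    ("2021-03-02 16:02:00", "10.0.0.22", "192.0.2.10", 3_000),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def find_periodic_connections(flows, min_count=4, max_cv=0.05):
    """Return (src, dst, interval_seconds) for pairs whose inter-arrival times
    are nearly constant: a low coefficient of variation is beacon-like."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(parse(ts))
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, round(avg)))
    return hits

def find_offhours_large_transfers(flows, min_bytes=100_000_000, start=20, end=6):
    """Return (src, dst, bytes) for large outbound transfers in the off-hours window."""
    hits = []
    for ts, src, dst, nbytes in flows:
        hour = parse(ts).hour
        off_hours = hour >= start or hour < end   # window wraps past midnight
        if off_hours and nbytes >= min_bytes:
            hits.append((src, dst, nbytes))
    return hits
```

Both functions return candidates for an analyst to review against known-good destinations; a hit is a lead for the daily checkpoint, not a verdict.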

Dark web searches

Oftentimes, there will be chatter and noise on the dark web. The threat actor will publish lists of systems, usernames, or networks, excerpts from configurations, or screenshots from systems. Finding this is a good indication that something is afoot and that elevated vigilance is required.
LIFARS will monitor the dark web for these indicators and will immediately alert you of any impending threat.