Crypsis … periodically | July 2017

Ransomware Keeps the Spotlight

Following the high-profile WannaCry attack in May, last month saw the emergence of Petya as the latest ransomware to grab world headlines. Apparently originating in a software update in Ukraine, the Petya malware spread through large firms in Europe, including the advertiser WPP, food company Mondelez, and Danish shipping and transport firm Maersk. Once again, Crypsis experts were called upon by the media to explain what was going on, as in this Axios article featuring our CEO Bret Padres. As nationally recognized experts in ransomware, how to combat it, and how to recover from it, our consulting team is busy assisting a broad range of clients in this new era of heightened alert regarding malware-based intrusions. Read more about our services related to ransomware investigation and recovery in this data sheet. And check out an on-demand webinar on the subject from last autumn, when Crypsis Group experts joined Wells Fargo to discuss how ransomware incidents were occurring with increasing frequency.


OfNote@Crypsis

Crypsis has hired a new Vice President. Alexander Gross comes to us from the cyber security firm Stroz Friedberg, where he served as VP Sales and was responsible for establishing the brand and positioning the Firm’s full portfolio of cyber resilience, digital forensics, and investigative services directly to enterprise clients, law firms, and insurance companies.  Prior to that, Alexander was a Director at Kroll, where he headed up business development efforts focusing on incident response, information risk assessments, digital forensics, and e-discovery services.  He began his legal career and developed his passion for leading investigations as an Assistant District Attorney in Brooklyn, NY.

Also joining our team as senior consultant at our Tyson’s Corner, VA headquarters is Mark Kealiher, who has nearly 15 years of experience in cyber security and holds a half-dozen certifications in computer forensics, incident handling, enterprise defense and operating systems.  Mark comes to us from the U.S. Department of Homeland Security, where he served as a lead in the government’s Digital Forensics Group and a member of the Hunt and Incident Response Team.  Among his duties were working with federal law enforcement agencies in defending the Federal Civilian Network.  Prior to joining DHS in 2012, Mark worked for six years with General Dynamics as a contractor to the agency, where he performed cyber forensic analyses on digital media and dynamic analysis of suspicious binary files and anomalous cyber activity.  Previously he worked for Telos/Xacta as a contractor to the Defense Department.  Early in his career, as a Master Sergeant in the Oklahoma Air National Guard, Mark was activated to serve full-time in the Guard and participated in Operations Noble Eagle, Southern Watch, and Enduring Freedom.

We also recently added another consultant to The Crypsis Group’s Chicago office. He is Kallan Wade, a cyber forensic investigator with nearly a decade of professional experience addressing the security challenges of Fortune 500 companies and other organizations in both the public and private sectors. Kallan is a GIAC Certified Forensic Analyst with expertise in advanced persistent threat (APT) identification and analysis, live memory acquisition and forensics, hard drive and mobile forensics, and evidence management. For the past two years, Kallan worked at Accenture, where he served on the firm’s Cyber Incident Response Team (CIRT). Notre Dame football fans might recognize his name as a former defensive end and outside linebacker for the Fighting Irish.


What We’re Reading …

Ransomware Is Evolutionary, Not Revolutionary – An article in Federal Technology Insider covering a recent webinar that highlighted the unsophisticated nature of recent high-profile ransomware attacks – and how such attacks can still be successful when there are so many unpatched systems out there.  As we have noted previously, the emergence of ransomware-as-a-service (RaaS) is making these attacks likelier, as these turnkey ransomware solutions make it possible for almost anyone to launch an attack.  Read the article.


On-Demand Webinars

In our webinar series “Tales from the Crypsis,” our experts discuss the latest in cyber security challenges.  All of these webinars are archived and can be streamed on demand – you can find a complete listing and links on our website.  Here are some of the latest we have posted…

Interesting Stuff We’ve Found – During this on-demand session, Matt Ahrens and Jason Rebholz talk about some of the more interesting measures bad actors have used to access and compromise victim networks, gain and maintain footholds in these networks, and steal sensitive data. We’ll talk about the ways we thwarted these attempts to resolve and remediate these breaches and get our clients back to business as usual.

xDedic Threat Profile – During this 30 minute, on-demand webinar, Crypsis Group consultants give a history of the xDedic marketplace, share some information about attacks we have seen using tools available via the marketplace, and share suggestions for steps victims can take to protect themselves against these kinds of attacks.

They Did What with My Data?  – The Crypsis Group’s Jason Rebholz and Matt Ahrens discuss some of the interesting ways we are seeing attackers operationalize data stolen during cyber attacks, and they provide tips for how your organization can better detect and respond to targeted attacks.


Best Practice of the Month

Keep close track of your service accounts and know the consequences of changing their passwords. In many of our investigations, Crypsis experts have seen threat actors leverage service accounts to move throughout an organization’s network. The reason they target these accounts is that the passwords are typically static and do not expire. When a threat actor compromises a service account, remediation requires changing the service account’s password, which can be a challenge for the organization itself since it’s often unknown what applications or systems rely on the account. A sudden password change to a service account without fully evaluating what relies upon it may lead to the downtime of a vital application and an ultimate impact to business operations. This is why Crypsis recommends that organizations keep an inventory of service accounts and what applications or systems rely on them. This inventory greatly increases the speed of the remediation of an incident and minimizes its impact to business operations.


Crypsis on the Road …

On November 14, Crypsis Vice President Jason Rebholz will appear on a panel entitled ShakedownStreet: Cyber Extortion, Data Breach and the Dirty Business of Bitcoin at the ANA/ABA 39th Marketing Law Conference in Chicago.  Panelists will help participants understand the legal, privacy and security challenges that companies face when going through various types of cyber attacks and intrusions. How do you pay? When do you pay? Who are you paying? What happens if you don’t pay? And then, of course, there’s Bitcoin. The ANA – the Association of National Advertisers – is the nation’s premier marketing and advertising organization.