Areas of action after the attack on January 13-14


By Pakurity on Sat Jan 15 2022

According to the CERT.GOV.UA, on the night of January 13-14, 2022, a hacker attack was carried out on a number of websites of state bodies of Ukraine. Provocative messages were posted on the main pages of these sites. According to preliminary information, the content of the sites has not been changed and there was no information leakage. In the table below, we provide recommendations for the leadership of the affected organization to eliminate the consequences and prevent similar incidents in the future.

1Forensics and threat huntingObtain and save (including offline) the following data on affected systems: - Web application access and error logs, debug logs (if any); - Operating system logs, related components databases (virtualization, message queues, orchestration, etc.); - Hard disk images of virtual machines (containers); - Images of memory (RAM) of virtual machines (containers); - Logs of network screens, reversible proxies, WAF that provided access to components; - NetFlow logs to server connections; - Intermediate system access logs used to administer affected systems (SSH / RDP / VPN).
2Forensics and threat huntingFrom the collected data, build a chronology of attacks (timeline) and the corresponding threat identifiers. If necessary, search for deleted data on disks, anomalous processes in memory images, reverse engineering of hacker tools, correlation of network connections.
Forensics and threat huntingOrganize the search and monitoring of the appearance of threat identifiers for the rest of the infrastructure components. If necessary, implement additional measures to collect logs, monitor file integrity, enable auditing of security events, deploy live forensics/incident response agents.
3Application and system protection1. Identify the mechanism of the attack and security holes in the program code; 2. Check QA for these holes; 3. Receive and apply patches from a vendor; 4. Verify on QA+ by penetration testing the effectiveness of the patch (no holes); 5. Audit the code for similar errors in other systems from the same manufacturer; 6. Make IDS / WAF rules to detect attempts to operate security holes.
4Application and system protection1. Understand if a security hole was actually known in broken systems; 2. Organize tracking of vulnerabilities in components (dependencies, packages) that make up broken (and other) systems (security management in dependencies). Use automated tools to track such vulnerabilities; 3. Organize regular scanning of web applications by dynamic vulnerability analyzers (when choosing a scanner, take into account the one that shows the presence of a vulnerable version of a component), 4. Organize penetration testing systems
5Interaction with the supplierImplementation of security requirements (OWASP-TOP10/OWASP ASVS/ISO27001) in the supplier contract. Obtain assurance (for example, through an independent audit) that the vendor has implemented a secure development cycle (for example, based on OWASP SAMM), including: - regular employee training on secure coding; - source code audits; - dependency security management; - providing mechanisms for checking the integrity of system components (geshes of files, digital signature).
6Administrative arrangementsConduct an official (disciplinary or other) investigation in the organization. Find out who is responsible : - protection of systems, including detection and elimination of vulnerabilities; - detection of attacks, tracking of security events, coordination of security incidents. If certain duties were not performed or performed inefficiently, hold accountable. If responsibilities have not been assigned, hold managers/supervisors of the appropriate level accountable. In case of a high risk of compromise of personal and other sensitive data, inform their owners about the risk.
7General security measures- Isolate vulnerable systems on separate networks with minimal network access rights; - Reinstall compromised systems from safe images; - Implement secure access for contractors and administrators (through intermediate servers and VPN) with IP address binding and multi-factor authentication. Close access to admin panels from the Internet.; - Change all potentially compromised passwords and keys; - Practice backup and restore procedures.
By Pakurity on Sat Jan 15 2022

Featured Articles

This website uses cookies to give you the best experience. Terms & Conditions