FIRST Fortaleza 2023.

Created in October 05, 2023

2023   ·   First   ·   Events

I’m sharing my recent participation in the FIRST (Forum of Incident Response and Security Teams) Regional Symposium Latin America & Caribbean, hosted by LACNIC, which took place on October 4th and 5th in Fortaleza, Brazil.

This event was a true immersion in cybersecurity, a forum for sharing information about vulnerabilities, incidents, tools, and all other issues that affect the operation of security and incident response teams, providing two days of intense and inspiring learning.

I participated in an Incident Response (IR) training for Ransomware, where our task was to protect a machine against ransomware attacks and keep its services running.

Each team received a Linux virtual machine for simulation. During the lab, we faced several challenging situations and participated in heated discussions. However, with limited time to protect the machine, our VM was eventually compromised, and our web services became unavailable. (This part was expected in the lab).

It was a critical moment, but the training scenario evolved, and now we faced the challenge of recovering the encrypted files. Through the analysis of logs, we managed to identify the possible perpetrator of the attack. We discovered that the compromised user had executed a binary, and this binary was still present on the machine.

After several attempts, a surprising suggestion arose: check the binary’s manual. To our surprise, we found that the same program responsible for encrypting the files also contained a decryption function.

We successfully decrypted the files and restored the services. In the second part of the lab, we had to write a comprehensive public report about the events.

The experience was remarkably realistic, as we received the machine without any prior information, except that we would be dealing with a ransomware incident. Although our team was formed on the spot, we quickly managed to divide the roles. While one part focused on hardening, the other actively looked for potential indicators of compromise.

We deepened our analysis beyond the challenge’s expectations and identified that the tool used in the exercise was https://github.com/hazcod/ransomwhere, a Ransomware Proof of Concept.

In the end, we not only recovered the compromised machine but also produced a comprehensive report documenting all the actions taken, the lessons learned, and the strategies implemented. This experience highlighted the importance of preparedness and effective collaboration in cybersecurity situations.


    Enjoy Reading This Article?

    Here are some more articles you might like to read next:

  • CyberDefenders Qradar101 Write up.
  • Exposing Local Applications with FNLocalCloud.
  • APTs or UAPs?
  • Script for enabling Windows Audit and Sysmon.
  • FnStegoCrypt - Encrypted Data in Images
  • Detection CVE-2024-35250
    • to select to navigate esc to close move to parent