
Tighten formatting on ransomware playbook.
Remove a bunch of newlines to tighten whitespace.
chris committed Oct 4, 2019
1 parent c59da44 commit 82fa40f
Showing 1 changed file with 8 additions and 45 deletions.
53 changes: 8 additions & 45 deletions playbooks/playbook-ransomware.md
Expand Up @@ -8,24 +8,22 @@ Assign steps to individuals or teams to work concurrently, when possible; this p

`TODO: Expand investigation steps, including key questions and strategies, for ransomware.`

1. Determine the type of ransomware (_i.e.,_ what is the family, variant, or flavor?)[<sup>[1]</sup>](#ransomware-playbook-ref-1)
1. Analyze any messages. Check:
1. **Determine the type** of ransomware (_i.e.,_ what is the family, variant, or flavor?)[<sup>[1]</sup>](#ransomware-playbook-ref-1)
1. Find any related messages. Check:
* graphical user interfaces (GUIs) for the malware itself
* text or html files, sometimes opened automatically after encryption
* image files, often as wallpaper on infected systems
* contact emails in encrypted file extensions
* pop-ups after trying to open an encrypted file
* voice messages

Look for:
1. Analyze the messages looking for clues to the ransomware type:
* ransomware name
* language, structure, phrases, artwork
* contact email
* format of the user id
* ransom demand specifics (_e.g._, digital currency, gift cards)
* payment address in case of digital currency
* support chat or support page

1. Analyze affected and/or new files. Check:
* file renaming scheme of encrypted files including extension (_e.g._, `.crypt`, `.cry`, `.locked`) and base name
* file corruption vs encryption
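Review bot: the commit message describes this as removing newlines, but this hunk also rewords two steps (`1. Analyze any messages. Check:` becomes `1. Find any related messages. Check:`, and the bare `Look for:` becomes `1. Analyze the messages looking for clues to the ransomware type:`) and bolds the step heading; either call the wording changes out in the message or split them into their own commit so the whitespace diff stays trivially reviewable. The rewording itself is an improvement, since the old `Look for:` dangled outside the numbered sequence. One rendering caveat for the blank-line removals here and in the later hunks: in CommonMark a list whose items are separated by blank lines renders loose (each item wrapped in a paragraph) and one without them renders tight, and a single surviving blank line between any two items makes the whole list loose, so check the rendered page to confirm every list in the file ended up in the same state.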
Expand All @@ -34,35 +32,25 @@ Assign steps to individuals or teams to work concurrently, when possible; this p
* icon for encrypted files
* file markers
* existence of file listings, key files or other data files

1. Analyze affected software or system types. Some ransomware variants only affect certain tools (_e.g._, [databases](https://www.bleepingcomputer.com/news/security/mongodb-apocalypse-professional-ransomware-group-gets-involved-infections-reach-28k-servers/)) or platforms (_e.g._, [NAS products](https://forum.synology.com/enu/viewtopic.php?f=3&t=88716))

1. Upload indicators to automated categorization services like [Crypto Sheriff](https://www.nomoreransom.org/crypto-sheriff.php), [ID Ransomware](https://id-ransomware.malwarehunterteam.com/), or similar.

1. Determine the scope:
1. **Determine the scope:**
1. Which systems are affected? `TODO: Specify tool(s) and procedure`
* Scan for concrete indicators of compromise (IOCs) such as files/hashes, processes, network connections, etc. Use [endpoint protection/EDR](#TODO-link-to-actual-resource), [endpoint telemetry](#TODO-link-to-actual-resource), [system logs](#TODO-link-to-actual-resource), etc.
* Check similar systems for infection (_e.g._, similar users, groups, data, tools, department,configuration, patch status): check [IAM tools](#TODO-link-to-actual-resource), [permissions management tools](#TODO-link-to-actual-resource), [directory services](#TODO-link-to-actual-resource), _etc._
* Find external command and control (C2), if present, and find other systems connecting to it: check [firewall or IDS logs](#TODO-link-to-actual-resource), [system logs/EDR](#TODO-link-to-actual-resource), [DNS logs](#TODO-link-to-actual-resource), [netflow or router logs](#TODO-link-to-actual-resource), _etc._

1. What data is affected? (_e.g._, file types, department or group, affected software) `TODO: Specify tool(s) and procedure`
* Find anomalous changes to file metadata such as mass changes to creation or modification times. Check [file metadata search tools](#TODO-link-to-actual-resource)
* Find changes to normally-stable or critical data files. Check [file integrity monitoring](#TODO-link-to-actual-resource) tools

1. Assess the impact to prioritize and motivate resources
1. **Assess the impact** to prioritize and motivate resources
1. Assess functional impact: impact to business or mission.

* How much money is lost or at risk?
* How many (and which) missions are degraded or at risk?

1. Assess information impact: impact to confidentiality, integrity, and availability of data.

* How critical is the data to the business/mission?
* How sensitive is the data? (_e.g._, trade secrets)
* What is the regulatory status of data (_e.g._, PII, PHI)

1. Find infection vector. Check the tactics captured in the [Initial Access tactic](https://attack.mitre.org/tactics/TA0001/) of MITRE ATT&CK[<sup>[4]</sup>](#ransomware-playbook-ref-4). Common specifics and data sources include:

1. **Find the infection vector.** Check the tactics captured in the [Initial Access tactic](https://attack.mitre.org/tactics/TA0001/) of MITRE ATT&CK[<sup>[4]</sup>](#ransomware-playbook-ref-4). Common specifics and data sources include:
* email attachment: check [email logs](#TODO-link-to-actual-resource), [email security appliances and services](#TODO-link-to-actual-resource), [e-discovery tools](#TODO-link-to-actual-resource), _etc._
* insecure remote desktop protocol (RDP): check [vulnerability scanning results](#TODO-link-to-actual-resource), [firewall configurations](#TODO-link-to-actual-resource), _etc._
* self-propagation (worm or virus) (check [host telemetry/EDR](#TODO-link-to-actual-resource), [system logs](#TODO-link-to-actual-resource), [forensic analysis](#TODO-link-to-actual-resource), _etc._)
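Review bot: while touching this block, fix the missing space in `department,configuration` in the similar-systems bullet, and add the question mark to `What is the regulatory status of data (_e.g._, PII, PHI)` so it matches its two sibling questions. The bolded lead-ins `**Determine the scope:**`, `**Assess the impact**` and `**Find the infection vector.**` are wording changes rather than whitespace, and they are inconsistent with each other: one ends in a colon, one continues the sentence (`**Assess the impact** to prioritize and motivate resources`), and one is a full stop before a new sentence. Pick one convention for the bolded step headings. The `TODO: Specify tool(s) and procedure` markers on the scope questions survive the change, which is fine for a formatting commit but worth tracking separately.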
Expand All @@ -71,9 +59,8 @@ Assign steps to individuals or teams to work concurrently, when possible; this p

### Remediate

**Consider the timing and tradeoffs of remediation actions: your response has consequences.**

Plan "remediation events" where these steps are launched together (or in coordinated fashion), with appropriate teams ready to respond to any disruption.
* **Plan remediation events** where these steps are launched together (or in coordinated fashion), with appropriate teams ready to respond to any disruption.
* **Consider the timing and tradeoffs** of remediation actions: your response has consequences.

#### Contain

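Review bot: the order of the two Remediate lead-ins is reversed. Before, `**Consider the timing and tradeoffs of remediation actions: your response has consequences.**` stood alone as a bolded warning ahead of the planning sentence; now it is the second of two bullets, after `**Plan remediation events**`. Since the timing decision is what a remediation event is planned around, put the tradeoffs bullet first, or keep it as the standalone emphasised line, so the caution is read before the instruction to launch the steps together. This is also a structural change the commit message does not mention.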
Expand Down Expand Up @@ -118,31 +105,23 @@ Quarantines (logical, physical, or both) prevent spread _from_ infected systems
`TODO: Specify tools and procedures (including who must be involved) for each step, below, or refer to overall plan.`

1. Escalate incident and communicate with leadership per procedure

1. Document incident per procedure

1. Communicate with internal and external legal counsel per procedure, including discussions of compliance, risk exposure, liability, law enforcement contact, _etc._

1. Communicate with users (internal)
1. Communicate incident response updates per procedure
1. Communicate impact of incident **and** incident response actions (e.g., containment: "why is the file share down?"), which can be more intrusive/disruptive during ransomware incidents
1. Communicate requirements: "what should users do and not do?" See "Reference: User Actions for Suspected Ransomware," below

1. Communicate with customers
1. Focus particularly on those whose data was affected
1. Generate required notifications based on applicable regulations (particularly those that may consider ransomware a data breach or otherwise requires notifications (_e.g._, [HHS/HIPAA](https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf))) `TODO: Expand notification requirements and procedures for applicable regulations`

1. Contact insurance provider(s)
1. Discuss what resources they can make available, what tools and vendors they support and will pay for, _etc._
1. Comply with reporting and claims requirements to protect eligibility

1. Communicate with regulators, including a discussion of what resources they can make available (not just boilerplate notification: many can actively assist)

1. Consider notifying and involving [law enforcement](https://www.nomoreransom.org/en/report-a-crime.html)
1. [Local law enforcement](#TODO-link-to-actual-resource)
1. [State or regional law enforcement](#TODO-link-to-actual-resource)
1. [Federal or national law enforcement](#TODO-link-to-actual-resource)

1. Communicate with security and IT vendors
1. Notify and collaborate with [managed providers](#TODO-link-to-actual-resource) per procedure
1. Notify and collaborate with [incident response consultants](#TODO-link-to-actual-resource) per procedure
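Review bot: in the regulatory-notification item, `otherwise requires notifications` should be `otherwise require notifications` (the subject is `those`), and the nested parentheses `(particularly those that ... (_e.g._, [HHS/HIPAA](...)))` are hard to read; move the `_e.g._` example out to follow the closing parenthesis. Two consistency points in the same region: the users item writes `(e.g., containment: "why is the file share down?")` in plain text where the rest of the file uses `_e.g._`, and `See "Reference: User Actions for Suspected Ransomware," below` is a prose cross-reference while every other pointer in the playbook is a link; an anchor link to that heading would keep the convention and survive reordering.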
Expand All @@ -156,13 +135,10 @@ Quarantines (logical, physical, or both) prevent spread _from_ infected systems
> **We do not recommend paying the ransom:** it does not guarantee a solution to the problem. It can go wrong (_e.g._, bugs could make data unrecoverable even with the key). Also, paying proves ransomware works and could increase attacks against you or other groups.[<sup>[2, paraphrased]</sup>](#ransomware-playbook-ref-2)
1. Launch business continuity/disaster recovery plan(s): _e.g._, consider migration to alternate operating locations, fail-over sites, backup systems.

1. Recover data from known-clean backups to known-clean, patched, monitored systems (post-eradication), in accordance with our [well-tested backup strategy](#TODO-link-to-actual-resource).
* Check backups for indicators of compromise
* Consider partial recovery and backup integrity testing

1. Find and try known decryptors for the variant(s) discovered using resources like the No More Ransom! Project's [Decryption Tools page](https://www.nomoreransom.org/en/decryption-tools.html).

1. Consider paying the ransom for irrecoverable critical assets/data, in accordance with policy `TODO: Expand and socialize this decision matrix`
* Consider ramifications with appropriate stakeholders
* Understand finance implications and budget
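Review bot: the block quote `> **We do not recommend paying the ransom:** ...` is immediately followed by `1. Launch business continuity/disaster recovery plan(s)` with no blank line between them, and this hunk removes the blank lines after that list item. Add a blank line between the quote and step 1 so the list cannot be parsed as a lazy continuation of the block quote and the quote's citation stays visually separate from the first recovery step. On ordering: `Find and try known decryptors` sits after the restore-from-backup step, which is sensible when backups are good, but when they are not, decryptors become the main path; given the intro's instruction to work steps concurrently when possible, say explicitly that the decryptor search runs in parallel with recovery rather than after it.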
Expand All @@ -176,11 +152,8 @@ Quarantines (logical, physical, or both) prevent spread _from_ infected systems
`TODO: Customize steps for users dealing with suspected ransomware`

1. Stay calm, take a deep breath.

1. Disconnect your system from the network `TODO: include detailed steps with screenshots, a pre-installed tool or script to make this easy ("break in case of emergency"), consider hardware network cut-off switches`

1. Take pictures of your screen using your smartphone showing the things you noticed: ransom messages, encrypted files, system error messages, _etc._

1. Take notes about the problem(s) using the voice memo app on your smartphone or pen-and-paper. Every little bit helps! Document the following:
1. What did you notice?
1. Why did you think it was a problem?
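Review bot: `Disconnect your system from the network` does not say whether to leave the machine powered on. A user who reads "disconnect" as "shut down" can no longer take the screen pictures the next step asks for, and the ransom message and system errors the responders want to see are gone with the session. A clause such as "leave the computer on; unplug the network cable or turn off Wi-Fi" belongs here next to the existing TODO about a break-glass tool or hardware cut-off switch. Minor: the photo step assumes a smartphone, while the note-taking step already offers pen-and-paper as a fallback; give the photo step the same fallback (or say what to do if phones are not allowed in the area).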
Expand All @@ -191,21 +164,16 @@ Quarantines (logical, physical, or both) prevent spread _from_ infected systems
1. What account were you using?
1. What data do you typically access?
1. Who else have you contacted about this incident, and what did you tell them?

1. Contact the [help desk](#TODO-link-to-actual-resource) and be as helpful as possible

1. Be patient: the response may be disruptive, but you are protecting your team and the organization! **Thank you.**

#### Reference: Help Desk Actions for Suspected Ransomware

`TODO: Customize steps for help desk personnel dealing with suspected ransomware`

1. Stay calm, take a deep breath.

1. Open a ticket to document the incident, per procedure `TODO: Customize template with key questions (see below) and follow-on workflow`

1. Ask the user to take pictures of their screen using their smartphone showing the things they noticed: ransom messages, encrypted files, system error messages, _etc._ If this is something you noticed directly, do the same yourself.

1. Take notes about the problem(s) using the voice memo app on your smartphone or pen-and-paper. If this is a user report, ask detailed questions, including:
1. What did you notice?
1. Why did you think it was a problem?
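Review bot: the help-desk notes step is copied verbatim from the user section (`Take notes about the problem(s) using the voice memo app on your smartphone or pen-and-paper`), but the help desk already has a ticket open from the previous step and a later step tells them to record all information in it; tell help-desk staff to take notes in the ticket directly and drop the smartphone wording, which reads as advice for an end user rather than a responder. The question list that follows also duplicates the user list almost line for line; keeping one shared list and linking to it from both references would stop the two copies from drifting apart the next time one of them is edited.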
Expand All @@ -217,15 +185,10 @@ Quarantines (logical, physical, or both) prevent spread _from_ infected systems
1. What users and accounts are involved? (active directory, SaaS, SSO, service accounts, _etc._)
1. What data do the involved users typically access?
1. Who else have you contacted about this incident, and what did you tell them?

1. Ask follow-up questions as necessary. **You are an incident responder, we are counting on you.**

1. Get detailed contact information from the user (home, office, mobile), if applicable

1. Record all information in the ticket, including hand-written and voice notes

1. Quarantine affected users and systems `TODO: Customize containment steps, automate as much as possible`

1. Contact the [security team](#TODO-link-to-actual-resource) and stand by to participate in the response as directed: investigation, remediation, communication, and recovery

#### Additional Information
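Review bot: `Quarantine affected users and systems` is the ninth step of the help-desk checklist, after collecting contact details and writing up the ticket, whereas the user checklist has the user disconnect as step 2. Containment is time-sensitive and the quarantine is the one help-desk action that limits spread, so move it up to directly after the ticket is opened (keeping the existing TODO about automating it) and let the contact-details and write-up steps follow. `What users and accounts are involved?` is also the natural place to ask which shared drives the user had mapped, since file shares are the containment example the communication section gives (`why is the file share down?`).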
