Educause Security Discussion mailing list archives

Re: Ransomware Playbook


From: John Ives <jives () SECURITY BERKELEY EDU>
Date: Fri, 15 Nov 2019 17:10:44 -0800

John,

I know this is probably a dead thread for you, but subsequent to this
discussion, I was tasked with formalizing and in some cases creating
playbooks for our environment and would be interested in any that you
have available.

Yours,

John Ives

On 10/4/19 4:43 AM, John Ramsey wrote:
Everybody,

The interest in playbooks, especially ransomware, is great to see (as
playbooks are time consuming to create and there aren’t enough hours in
the day as it is).  I’ve been through a few ransomware incidents, so the
playbook is battle ready.  However, as some have pointed out, you’ll
want to customize to your organization where applicable.  When my team
creates playbooks, our goal is to keep it simple and flexible and easy
to follow (versus flipping back and forth as you might in a plan.)  The
first page is almost always how to easily and quickly contain and then
triage.  Once that is done, the rest is post event activities.  If you
have any questions, please don’t hesitate to ask me.  Since the NSC is a
third-party service provider for most of you, I’m happy to share what
we’re doing in order to further gain your confidence in our processes to
protect your data.  At the end of the day, we’re one team!

We also have other playbooks that I’m happy to share (maybe it makes
sense for Educause or REN-ISAC or both to post what all of us are
willing to share amongst ourselves.  Then we’ll have a pretty robust set
to select from and modify as appropriate).  Here are some others that we
have finalized:

 1. Notifications and Escalations Playbook.  This walks through the
    first six hours of an incident in 30-minute increments indicating
    what each stakeholder is doing as well as what message gets
    communicated and to whom.
 2. DDoS Playbook.  Being one of the top attacks in the Education
    industry, this was one of the first ones we did.  Internet2 was
    kind enough to provide some guidance on the playbook (which we
    incorporated).
 3. Foreign Travel Playbook.  Actions we take when somebody travels
    overseas and has the requirement to take a company device.
 4. Incident Handling Checklists/Chains of Custody forms.
 5. Network Compromise Playbook.
 6. Spoofed URL Playbook.

John

*John Ramsey*, Chief Information Security Officer, *National Student
Clearinghouse*

Certified: CISSP, CISM, PMP, CSSLP, CRISC, CGEIT
2300 Dulles Station Blvd., Suite 220, Herndon, VA 20171

P: 703.742.4428 | http://www.studentclearinghouse.org

Read the *Clearinghouse Today Blog* <https://nscblog.org/>

*Winner “2016 When Work Works” & “Excellence in Work-Life Balance”*

*From:* The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of* John Ruggirello
*Sent:* Friday, October 4, 2019 7:15 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Ransomware Playbook

I too am interested.

*From:* The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of* Jonathon Poling
*Sent:* Thursday, October 03, 2019 5:17 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Ransomware Playbook

A ransomware playbook, especially a prescriptive one, is going to be
HIGHLY specific to your environment and PPT (People, Process, Tooling)
and thus will require substantial (and unique) development and
refinement for your specific organization. There's a reason so many
orgs (and entire counties/systems) fall victim to just paying the
ransom, even when it's an inordinate amount of money. There is a lot to
it, completely aside from properly testing and restoring backups. I only
say this all because I've built a lot of specific playbooks running the
gamut for a lot of clients in a variety of verticals over the years.
This is definitely one of our most involved playbooks we help people
build, as it involves a lot of non-technical preparation that is not
readily apparent unless you've gone through it.

This is one of those things you don't want to skimp on or necessarily
even copy from what others are doing, as a lot of orgs aren't building
the comprehensive set of processes and procedures needed for properly
protecting against, operating amidst, and recovering from such attacks.

At any rate, just sharing my experience and hopefully some (useful) food
for thought, whichever route you end up going.

Jonathon

On Thu, Oct 3, 2019 at 2:15 PM King, Ronald A. <raking () nsu edu> wrote:

    Me too, please.

    *Ronald King*
    /Chief Information Security Officer/
    *Office of Information Technology*
    (757) 823-2916 (Office)
    raking () nsu edu
    www.nsu.edu
    @NSUCISO (Twitter)

    *From:* The EDUCAUSE Security Community Group Listserv
    <SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of* Joey Rego
    *Sent:* Thursday, October 3, 2019 5:13 PM
    *To:* SECURITY () LISTSERV EDUCAUSE EDU
    *Subject:* Re: [SECURITY] Ransomware Playbook

    I am interested as well.  Thank you.

    Joey Rego
    Associate Director of Information Security
    Information Technology
    Lynn University
    3601 N Military Trail
    Boca Raton, FL 33462
    561-237-7982
    www.lynn.edu

    ------------------------------------------------------------------------

    *From:* The EDUCAUSE Security Community Group Listserv
    <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of John Ramsey
    <jramsey () STUDENTCLEARINGHOUSE ORG>
    *Sent:* Thursday, October 3, 2019 4:50:20 PM
    *To:* SECURITY () LISTSERV EDUCAUSE EDU
    *Subject:* Re: [SECURITY] Ransomware Playbook

    I have one and am happy to share!

    Sent from my Verizon, Samsung Galaxy smartphone

    ------------------------------------------------------------------------

    *From:* The EDUCAUSE Security Community Group Listserv
    <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Kip Bates
    <kbates () HOUSING UCSB EDU>
    *Sent:* Thursday, October 3, 2019 4:34:08 PM
    *To:* SECURITY () LISTSERV EDUCAUSE EDU
    *Subject:* [SECURITY] Ransomware Playbook

    Colleagues:

    I am hoping that I can find someone or someplace that has made an
    effort to develop a Ransomware Response playbook that they would not
    mind sharing. I understand all the preparation that needs to occur
    prior to an attack, but I am looking for something that we can
    provide users, help desk folks, technicians and such on what actions
    to take if (when) they experience a ransomware attack. I have found
    a few on the web and I was wondering if someone has adapted one of
    these for their institution or has developed one that they think is
    particularly good.

    Feel free to comment here or off-list.

    Kip Bates

    Associate Chief Information Security Officer

    University of California, Santa Barbara

    **********
    Replies to EDUCAUSE Community Group emails are sent to the entire
    community list. If you want to reply only to the person who sent the
    message, copy and paste their email address and forward the email
    reply. Additional participation and subscription information can be
    found at https://www.educause.edu/community


    =======================================================

    This message has been analyzed by Deep Discovery Email Inspector.



-- 
------------------------------------------------------------------------
John Ives
Information Security Office                         Phone (510) 229-8676
University of California, Berkeley
------------------------------------------------------------------------



Attachment: signature.asc
Description: OpenPGP digital signature

