{"id":385,"date":"2023-12-02T19:48:42","date_gmt":"2023-12-02T19:48:42","guid":{"rendered":"https:\/\/sites.wp.odu.edu\/nicholasmalley1\/?p=385"},"modified":"2023-12-02T19:48:42","modified_gmt":"2023-12-02T19:48:42","slug":"incident-response-summary","status":"publish","type":"post","link":"https:\/\/sites.wp.odu.edu\/nicholasmalley1\/2023\/12\/02\/incident-response-summary\/","title":{"rendered":"Incident Response Summary"},"content":{"rendered":"\n<p><strong><u>Incident Report Summary \u2013 IMSI Vendor Compromise<\/u><\/strong><\/p>\n\n\n\n<p>This report reviews the events associated with the ransomware attack against Tower\u2019s third-party vendor <em>IMSI<\/em>, which holds sensitive information of several Tower members and employees, specifically 70,000 credit cards. <em>IMSI<\/em>\u2019s cloud provider, <em>IMS Cloud<\/em>, was subject to a ransomware attack. <strong><em>There is no evidence that data was exfiltrated from the IMS Cloud environment, including IMSI and other IMS Cloud customers.<\/em><\/strong> The attack did suspend Tower\u2019s use of IMSI \u201copt-in\u201d services for approximately two weeks.<\/p>\n\n\n\n<p>Tower\u2019s <em>Incident Response and Handling Plan<\/em> defines five phases for responding to and handling security incidents (addressed sequentially here):<\/p>\n\n\n\n<p><strong>1) Identification (Discovery): <\/strong>On Tuesday, July 11, 2023, at 11:21 AM, Hannah Abraham (IMSI Customer Relations Manager) informed Carol Brown (Tower Manager of Debit Card Operations) of a security incident within IMSI. At 11:28 AM, Brown informed Alvin Smith (SVP of Member Services), who at 11:36 AM alerted Executive Leadership and Senior Management, including VP\/Director and ISO Phil Mellinger.<\/p>\n\n\n\n<p>IMS Cloud (hosting provider of IMSI) discovered a ransomware note within their environment on July 9<sup>th<\/sup>, 2023. 
The earliest evidence of compromise is unauthorized access to an unused IMS Cloud server using legitimate credentials from an unknown IP address. IMS concluded that the compromise potentially started as early as July 2<sup>nd<\/sup>, 2023, when service issues were first reported to IMS Cloud. IMSI experienced multiple service outages on July 7<sup>th<\/sup>, 2023.<\/p>\n\n\n\n<p><strong>2) Containment: <\/strong>IMSI initiated their incident response plan: notifying their cyber insurer, engaging breach counsel and an incident response team, informing the FBI, and issuing statements to all IMSI customers, including Richard Stafford (Tower President &amp; CEO), explaining: \u201cWhile the investigation into this matter is ongoing, at this time, there is no evidence that anyone\u2019s personal data has been misused in any way.\u201d To substantiate that, IMS Cloud later documented, \u201call consumer related data was segmented by IMS Cloud and secured in a multi-tenant fashion from other client and client environments.\u201d<\/p>\n\n\n\n<p>IMSI shared Security Incident Review slides to keep all customers informed of what was affected, notable occurrences leading up to July 9<sup>th<\/sup>, details of their incident response plan, current impact to their systems, and steps to recovery.<\/p>\n\n\n\n<p>Progent confirms, \u201cBackups were stored in an immutable Rubrik\u2019s cluster by IMS Cloud and were not part of the security incident.\u201d Additionally, \u201cthere is no evidence of unauthorized access to the clusters at any time.\u201d 
IMSI confirms that all data was password protected and <strong>some<\/strong> Personally Identifiable Information is encrypted at rest.<\/p>\n\n\n\n<p><strong>3) Eradicate: <\/strong>The deployment of SentinelOne on individual IMSI endpoints identified and blocked malicious activity and malware, including Trojans, ransomware, lateral movement, viruses, malicious Microsoft Office documents, rootkits, backdoors, and hack tools.<\/p>\n\n\n\n<p><em>Progent<\/em>, contracted by IMS Cloud to review and certify its internal infrastructure, has concluded that the SentinelOne agent killed and quarantined all identified alerts.<\/p>\n\n\n\n<p>Additionally, Progent shut down all VPN connections, IPSEC tunnels, and outside interfaces on all devices and completed a review\/analysis of additional network infrastructure targeting the following:<\/p>\n\n\n\n<ol type=\"a\">\n<li>All object tables<\/li>\n\n\n\n<li>All policies<\/li>\n\n\n\n<li>All NAT<\/li>\n\n\n\n<li>All IPSEC and Tunnel connections<\/li>\n\n\n\n<li>All VPN connections<\/li>\n\n\n\n<li>All routes<\/li>\n\n\n\n<li>All configurations<\/li>\n\n\n\n<li>All user accounts<\/li>\n\n\n\n<li>All access policies and rules<\/li>\n<\/ol>\n\n\n\n<p><strong>4) Recovery: <\/strong>IMSI <strong>COMPLETED<\/strong> the following steps toward recovery and remediation:<\/p>\n\n\n\n<ol type=\"a\">\n<li>Identified and isolated all devices containing malware.<\/li>\n\n\n\n<li>Enhanced firewall rules to restrict inbound\/outbound traffic.<\/li>\n\n\n\n<li>Installed SentinelOne Endpoint Detection and Response (EDR).<\/li>\n\n\n\n<li>Applied 24\/7 monitoring of all endpoints using EDR.<\/li>\n\n\n\n<li>Applied 24\/7 SOC monitoring of the network using SIEM.<\/li>\n\n\n\n<li>Rebuilt all infected infrastructure.<\/li>\n\n\n\n<li>Certified and cleansed all files moved to OneDrive.<\/li>\n\n\n\n<li>Reset all administrative credentials.<\/li>\n\n\n\n<li>Reset all user 
credentials to the IMSI network.<\/li>\n\n\n\n<li>Reset all user credentials.<\/li>\n<\/ol>\n\n\n\n<p>IMSI is actively reviewing the following areas to allow full recovery from the incident:<\/p>\n\n\n\n<ol>\n<li>Clean and restore all servers and workstations.<\/li>\n\n\n\n<li>Enable multi-factor authentication on all platforms.<\/li>\n\n\n\n<li>Enable multi-factor authentication on VPN and email (Office 365 environment).<\/li>\n<\/ol>\n\n\n\n<p>The cloud service provider\u2019s infrastructure is now operational and its security has been validated. Several (<strong>not all<\/strong>) IMSI servers have been restored and their security has been validated by <em>Progent<\/em>. Once that is completed, IMSI will reconfigure and validate systems as needed. IMSI has also taken additional steps so that, going forward, there are even more layers of protection for its consumer data.<\/p>\n\n\n\n<p><strong>5) Follow-up (Lessons Learned): <\/strong>Vetting the vendor\u2019s security management:<\/p>\n\n\n\n<ol type=\"a\">\n<li>MFA must be configured on all accounts\/platforms.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Incident Report Summary \u2013 IMSI Vendor Compromise This report reviews the events associated with the ransomware attack against Tower\u2019s third-party vendor IMSI, which holds sensitive information of several Tower members and employees, specifically 70,000 credit cards. IMSI\u2019s cloud provider, IMS Cloud, was subject to a ransomware attack. 
There is no evidence that data was exfiltrated from&#8230; <\/p>\n<div class=\"link-more\"><a href=\"https:\/\/sites.wp.odu.edu\/nicholasmalley1\/2023\/12\/02\/incident-response-summary\/\">Read More<\/a><\/div>\n","protected":false},"author":24907,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","wds_primary_category":0},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/sites.wp.odu.edu\/nicholasmalley1\/wp-json\/wp\/v2\/posts\/385"}],"collection":[{"href":"https:\/\/sites.wp.odu.edu\/nicholasmalley1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sites.wp.odu.edu\/nicholasmalley1\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/nicholasmalley1\/wp-json\/wp\/v2\/users\/24907"}],"replies":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/nicholasmalley1\/wp-json\/wp\/v2\/comments?post=385"}],"version-history":[{"count":1,"href":"https:\/\/sites.wp.odu.edu\/nicholasmalley1\/wp-json\/wp\/v2\/posts\/385\/revisions"}],"predecessor-version":[{"id":386,"href":"https:\/\/sites.wp.odu.edu\/nicholasmalley1\/wp-json\/wp\/v2\/posts\/385\/revisions\/386"}],"wp:attachment":[{"href":"https:\/\/sites.wp.odu.edu\/nicholasmalley1\/wp-json\/wp\/v2\/media?parent=385"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/nicholasmalley1\/wp-json\/wp\/v2\/categories?post=385"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/nicholasmalley1\/wp-json\/wp\/v2\/tags?post=385"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}