An incident of infection occurred at UCL over several days in June 2017. On the first day, suspicious activity was detected and access to shared drives was disabled. Over subsequent days, forensic analysis was performed to identify infected files and devices. Additional malicious sites were discovered and blocked. By the sixth day, all drives had write access restored after affected user accounts were reset. Lessons were learned around enhanced antivirus, patch management, and intelligence sharing to prevent future incidents.
3. Day One – 14/6/17
10:54 - First timestamp of infection
11:40 - Initial report of potential infection
14:00 - Access to shares disabled
15:35 - Last infected file on shared drives
16:00 - Critical Incident meeting
16:13 - Last infected file on home drives
16:35 - Drives made Read Only
5. Day Two – 15/6/17
06:00 - IP address information received
09:00 - Start of forensic analysis
10:00 - Interviews start with affected users
17:00 - Additional malicious site identified
20:00 - Exploit kit information received
23:00 - Dropped payload located
6. Day Three – 16/6/17
08:00 - RPZ & FW blocks updated
09:00 - Further analysis of infected device
09:30 - Additional site blocked
14:00 - Write access restored to unaffected drives
15:00 - Affected user accounts reset and reinstated
7. Day Six – 19/6/17
09:00 - Write access restored to all drives
09:30 - All remaining users have share access restored
18:00 - Critical Incident closed
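The timeline above is what an incident post-mortem turns into response metrics (time to detect, time to contain, time to recover). The following is an added example, not part of the original slides: it loads the key events from the deck as constructed data (the event tags are my own labels), checks the entries are in chronological order, and derives the intervals between first infection and each milestone.

```python
from datetime import datetime, timedelta

# Key milestones transcribed from the slides (UK dd/mm/yy dates).
# The short tags are constructed labels for this example, not UCL's.
TIMELINE = [
    ("14/6/17", "10:54", "first_infection", "First timestamp of infection"),
    ("14/6/17", "11:40", "initial_report", "Initial report of potential infection"),
    ("14/6/17", "14:00", "shares_disabled", "Access to shares disabled"),
    ("14/6/17", "16:13", "last_home_file", "Last infected file on home drives"),
    ("14/6/17", "16:35", "drives_read_only", "Drives made Read Only"),
    ("16/6/17", "14:00", "partial_restore", "Write access restored to unaffected drives"),
    ("19/6/17", "09:00", "full_restore", "Write access restored to all drives"),
    ("19/6/17", "18:00", "incident_closed", "Critical Incident closed"),
]


def parse_timeline(entries):
    """Map each tag to a datetime and refuse out-of-order input.

    A timeline that is not monotonic usually means a transcription
    error (wrong day, 12h/24h mix-up), so fail loudly here rather
    than report nonsense metrics later."""
    parsed, previous = {}, None
    for day, hhmm, tag, _desc in entries:
        when = datetime.strptime(f"{day} {hhmm}", "%d/%m/%y %H:%M")
        if previous is not None and when < previous:
            raise ValueError(f"{tag} ({when}) is earlier than the preceding event")
        parsed[tag] = when
        previous = when
    return parsed


def incident_metrics(entries=TIMELINE):
    """Elapsed time from first infection to each response milestone."""
    t = parse_timeline(entries)
    t0 = t["first_infection"]
    return {
        "time_to_detect": t["initial_report"] - t0,     # until someone reported it
        "time_to_contain": t["shares_disabled"] - t0,   # until spread was stopped
        "encryption_window": t["last_home_file"] - t0,  # how long files were being hit
        "time_to_recover": t["full_restore"] - t0,      # until service fully back
        "time_to_close": t["incident_closed"] - t0,     # until the incident was closed
    }


def fmt(td: timedelta) -> str:
    """Render a timedelta as 'Xd HHhMMm' for a post-mortem report."""
    minutes = int(td.total_seconds() // 60)
    days, rem = divmod(minutes, 24 * 60)
    hours, mins = divmod(rem, 60)
    return f"{days}d {hours:02d}h{mins:02d}m"


if __name__ == "__main__":
    for name, delta in incident_metrics().items():
        print(f"{name:18s} {fmt(delta)}")
```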
14. Conclusion
- Bad stuff happens
- Preparation will help you deal with it when it does
- Despite that, things will still go wrong
- Feed those back into preparation for next time!
15. More info…
- Astrum/Stegano Exploit Kit write up – http://bit.ly/
- ProofPoint write up of ransomware – http://bit.ly/2tyeVp8
16. Ian Carter
Senior information security officer, UCL
Ian.Carter@ucl.ac.uk
I have been…
https://www.ucl.ac.uk/informationsecurity