University of Twente Student Theses
How can the eradication phase of incident response for ransomware incidents be improved based on previous ransomware incidents?
Dijkstra, R.S. (2022) How can the eradication phase of incident response for ransomware incidents be improved based on previous ransomware incidents?
PDF
5MB |
Abstract: | In recent years, an increase in ransomware incidents against critical infrastructure has been observed globally [1]. Computer Emergency Response Teams (CERTs) are asked for help to recover from these ransomware incidents. Their goal is to get a victim back to business as securely and fast as possible and do this by performing incident response. During this process, they investigate the incident’s root cause and try to eradicate the ransomware attack’s remnants. However, the current guidelines for eradication do not provide enough guidance. For example, the NIST SP 800-61 standard does not describe the eradication process, and MITRE provides too much information, which can lead to overhead. This overhead can slows down the eradication process. This leads to the victim getting back to business slower, which is not wanted. In this research, we created a method that uses the data gathered by a CERT to improve the eradication phase of ransomware by generating mappings which will give guidance based on previous ransomware incidents. First, we use the information gathered by a CERT and store it in the open-source threat intel-sharing platform MISP [2]. Then, we map the information in MISP onto the MITRE ATT&CK framework [3], which is is a knowledge base of adversary Tactics and Techniques based on real-world observations. Next, we generate mappings with the information about the Techniques used during previous ransomware incidents. We used 18 reports provided by the Northwave CERT to generate mappings. Due to the limited time and data, the impact of our model could not be validated, but we think the mappings show great potential. The mappings give insight into previous ransomware incidents and can be used to make informed decisions about how to quickly and securely eradicate a ransomware incident and get a company back to business. This will be the guidance given, and we believe this will improve the eradication phase of ransomware incidents. |
Item Type: | Essay (Master) |
Faculty: | EEMCS: Electrical Engineering, Mathematics and Computer Science |
Programme: | Computer Science MSc (60300) |
Link to this item: | https://purl.utwente.nl/essays/93905 |
Export this item as: | BibTeX EndNote HTML Citation Reference Manager |
Repository Staff Only: item control page