By Betta Lyon Delsordo   /   Aug 10th, 2021

Memorable Hacks and the Takeaways For Your Incident Response Strategy

At LMG Security, our focus is providing our clients with outstanding cybersecurity and digital forensics services that help you develop robust incident response strategies. Hackers are always getting smarter, and part of our job is to test our clients’ cybersecurity infrastructure with real-world attacks, so they are prepared for the worst. Though a lot of us think we’re 100% prepared for the worst-case scenario, the truth is that a good incident response strategy takes time and practice to perfect. Throughout the course of our work, we have come across all kinds of cyber incidents (and simulated many ourselves) that resulted from gaps in security awareness. We hope these stories will provide you with some takeaways for your incident response strategy.

Incident Response: An ounce of prevention is worth a pound of cure

Alex Ammons, Incident Response Team Manager:

“One unfortunate incident response hack that comes to mind was when we saw the ‘threat actors’ methodically go through and uninstall all the anti-ransomware and antivirus on a Domain Controller before they detonated their ransomware. It was unfortunate to see that a client cared enough to try and implement those services, but didn’t lock accounts down so the hacker couldn’t just hijack an admin account through a brute force attack and then uninstall safeguards on a network.”

Moral of the Story:

“Make sure your defenses are ironclad. A weak admin password shouldn’t be all that’s standing between some hacker and uninstalling all your awesome defenses… it’s time to look at security more holistically.”

It’s always better to work out issues with your security posture before an incident occurs. In the case above, that means account lockout and multifactor authentication on administrative accounts, and tamper protection on the endpoint security tooling, so that one guessed password is never enough to switch the defenses off. LMG Security’s ransomware risk assessments can help your organization take the preventative actions you need to stay secure and perfect your incident response strategy.
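The sequence in this story (a burst of failed logons against an admin account, a success from the same source, then protection being switched off on the domain controller) is something a detection rule can catch in the window before the ransomware detonates. The following is an added example, not code from the original post or from LMG Security, that correlates those three signals over constructed sample events. The events only approximate the Windows Security log (event IDs 4625 and 4624, with user and source IP taken from the event data) and the Microsoft Defender operational log (5001, 5010 and 5012 for protection being disabled); the host names, addresses, thresholds and time windows are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs this rule cares about. 4625/4624 are Windows Security failed and
# successful logon events; 5001/5010/5012 are Microsoft Defender operational-log
# events for real-time, malware and virus protection being disabled.
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
DEFENSE_TAMPER_IDS = {5001, 5010, 5012}

# Constructed sample events (not real logs). Field names loosely follow the
# Windows event data: TargetUserName -> user, IpAddress -> ip, Computer -> host.
SAMPLE_EVENTS = [
    # 40 failed logons against the built-in admin on the DC from one source
    # in roughly two minutes: a password-guessing burst.
    *[
        {"time": f"2021-08-01T02:{10 + i // 30:02d}:{(i % 30) * 2:02d}",
         "id": FAILED_LOGON, "host": "DC01", "user": "Administrator",
         "ip": "10.20.30.40"}
        for i in range(40)
    ],
    # ...then a success from the same source against the same account.
    {"time": "2021-08-01T02:13:05", "id": SUCCESS_LOGON, "host": "DC01",
     "user": "Administrator", "ip": "10.20.30.40"},
    # Unrelated noise: one mistyped password by a normal user on a file server.
    {"time": "2021-08-01T02:15:00", "id": FAILED_LOGON, "host": "FS01",
     "user": "jsmith", "ip": "10.20.30.77"},
    # Seven minutes after the successful logon, real-time protection on the DC
    # is turned off.
    {"time": "2021-08-01T02:20:41", "id": 5001, "host": "DC01",
     "user": "Administrator", "ip": ""},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect(events, fail_threshold=20, fail_window=timedelta(minutes=5),
           followup_window=timedelta(hours=1)):
    """Return alerts for (a) a successful logon preceded by at least
    fail_threshold failures for the same user from the same source inside
    fail_window, and (b) protection being disabled on that host within
    followup_window of (a)."""
    events = sorted(events, key=_ts)
    fails = defaultdict(deque)   # (user, ip) -> timestamps of recent failures
    compromised_hosts = {}       # host -> time of the suspicious success
    alerts = []

    for ev in events:
        t = _ts(ev)
        key = (ev["user"], ev["ip"])

        if ev["id"] == FAILED_LOGON:
            q = fails[key]
            q.append(t)
            # Drop failures that have aged out of the sliding window.
            while q and t - q[0] > fail_window:
                q.popleft()

        elif ev["id"] == SUCCESS_LOGON:
            q = fails.get(key, deque())
            while q and t - q[0] > fail_window:
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append({"severity": "high", "rule": "brute-force-success",
                               "host": ev["host"], "user": ev["user"],
                               "ip": ev["ip"], "failures": len(q),
                               "time": ev["time"]})
                compromised_hosts[ev["host"]] = t
                q.clear()

        elif ev["id"] in DEFENSE_TAMPER_IDS:
            # Protection going down on a host whose admin account was just
            # brute-forced is the moment to pull the plug, not to file a ticket.
            t0 = compromised_hosts.get(ev["host"])
            if t0 is not None and t - t0 <= followup_window:
                alerts.append({"severity": "critical",
                               "rule": "defense-tamper-after-brute-force",
                               "host": ev["host"], "event_id": ev["id"],
                               "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample it raises one high alert for the brute-forced Administrator logon and one critical alert for the Defender event on the same host; the single failure by jsmith never fires. The thresholds are deliberately loose here; in practice an account lockout policy should make a forty-failure burst impossible on its own, and the value of the rule is the correlation of the second event with the first.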

Incident Response Strategy: We have backups, right?

Madison Iler, Chief Strategy Officer:

“I regularly assist clients by facilitating incident response tabletop exercises, where the consultant presents an incident scenario and encourages the client participants to walk through response actions and decisions to test response preparedness. During one incident response testing exercise, we found one organization had an unusually short back-up retention period – less than a week! We were not the only ones surprised; the management team was under the impression that their retention periods were longer and followed best practices. Discussion during the exercise identified limited storage capacity as the problem and led to budgeting to support additional capacity.”

Moral of the Story:

“Test your incident response strategy regularly (annually is a good rule of thumb) to avoid unpleasant surprises when you experience a real incident. Also, be sure to encourage a security-conscious culture by asking all employees to report any known or suspected vulnerabilities or gaps in your organization’s security controls for investigation and remediation.”

Simulating an attack scenario is a good way to find the holes in your incident response strategy, without the stakes of a real breach. LMG’s security experts can walk your team through a tabletop exercise to get to the bottom of any shortfalls.

Penetration Testing: Avoiding the worst-case scenario

Ben Kast, Senior Security Consultant for Penetration Testing and Advisory:

“On a wireless network penetration test for a Fortune 500 manufacturing company, I set up an evil twin attack and tricked an IT user into attempting to log in to my rogue access point. This provided me with the user’s Active Directory credentials. I then used these credentials to escalate privileges to domain administrator and successfully attacked a domain controller. This enabled me to pull all the user information and password hashes it contained. It was literally the type of attack a malicious actor could perform from their car while parked across the street from the organization’s headquarters.”

Moral of the Story:

“If you use a WPA Enterprise wireless network, require client-side certificates for authentication to reduce the risk of evil twin attacks succeeding.”

The evil twin works because a client that does not validate the RADIUS server’s certificate will hand its PEAP/MSCHAPv2 challenge-response to any access point advertising the corporate SSID, and that response can be cracked offline to recover the domain password. Client certificates (EAP-TLS) with strict server validation remove the password from the exchange entirely. Our experienced consultants can help test your wireless infrastructure in a penetration test, so that we find your security weaknesses before an attacker does.
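To make the recommendation concrete, here is an added example (not part of the original post or of LMG Security’s material) showing a wpa_supplicant network block in the weak form that the evil twin exploits, beside the EAP-TLS form with a client certificate and server validation. The SSID, identities, certificate paths, passwords and the RADIUS server’s DNS name are all assumed; substitute your own.

```conf
# Weak: PEAP with MSCHAPv2 and no CA pinning. The supplicant accepts whatever
# certificate a "CorpWiFi" access point presents, so an evil twin running its
# own RADIUS server receives the user's MSCHAPv2 challenge/response and can
# crack it offline to recover the Active Directory password.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jsmith"
    password="CorrectHorseBatteryStaple"
    phase2="auth=MSCHAPV2"
    # no ca_cert / domain_suffix_match: the server's identity is never checked
}

# Hardened: EAP-TLS with a client certificate and strict server validation.
# The rogue AP has no certificate chaining to corp-radius-ca.pem and cannot
# complete the TLS handshake; there is no password to capture at all.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jsmith@corp.example"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    client_cert="/etc/wpa_supplicant/jsmith.crt"
    private_key="/etc/wpa_supplicant/jsmith.key"
    private_key_passwd="changeme"
}
```

The equivalent on Windows clients is the PEAP/EAP-TLS profile setting that validates the server certificate against a named CA and restricts the acceptable server names; on the RADIUS side, disable PEAP/MSCHAPv2 once every client has a certificate, otherwise a downgrade to the weak method is still on the table.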

Vishing: Trust no one

Betta Lyon Delsordo, Associate Security Consultant:

“I was tasked with creating a vishing scenario where LMG consultants would call the client’s employees and try to social engineer them into giving up their account passwords. Inspired by LMG’s work with ransomware cases, I wrote a scenario where the callers would pose as an IT manager who was trying to stop a ransomware attack, and needed to reset the target’s password by phone, since their email could be compromised. It ended up being quite a successful scenario for our callers. On my second call, a very concerned employee worked with me to ‘change his password’ and promised to wait to use his computer until I ‘called him back.’ I hope he’s not still waiting!”

Moral of the Story:

“Train employees to never give out their credentials by phone and to contact their supervisor if they receive any suspicious calls. It’s also important to only communicate with IT staff using internal methods, since it is very easy to spoof phone numbers.”

Don’t let this be one of your employees! LMG provides a suite of training resources, from webinars to on-demand security awareness training videos, to ensure that employees receive the preparation they need for all kinds of social engineering attacks, and to help them develop a sound incident response strategy.

Social Engineering: Prepare for the unexpected

An Anonymous LMG Security Consultant:

“I social engineered my way up to an investment firm on Park Avenue using the service entrance and service elevator. Then I had to hide in the bathrooms for some time, and finally gained open access throughout their offices, which had an impressive modern art collection.”

Moral of the Story:

“For fellow hackers: when you are hiding out in the bathrooms, it is a good move to bring an extra pair of shoes to swap out every once in a while.”

LMG’s consultants are trained to think outside of the box – just like hackers. A social engineering test can help identify and eliminate security risks caused by human error.

Lessons Learned

Though we’d all like to think our own cyber safety practices are top-notch, the truth is that many organizations overestimate the strength of their own cybersecurity infrastructure. To stay ahead of malicious actors, it’s important to prepare for the worst-case scenario, and test your incident response strategy with the methodologies used by real hackers.

For 12 years, LMG Security has helped organizations prepare for ransomware attacks, conduct technical security testing, and develop incident response strategies. Contact us if you need help.

About the Author

Betta Lyon Delsordo

Betta Lyon Delsordo is a senior at the University of Montana, studying Computer Science and Spanish, with Certificates in Cybersecurity and Global Leadership. She is passionate about increasing the number of women in technology fields, and has mentored girls in the Technovation Challenge competition for five years. Betta also loves to travel, and has lived with host families on five continents while working as a freelance web developer. She also enjoys ethical hacking and plans to pursue an advanced degree in cybersecurity. In her free time, Betta enjoys swing dancing, kayaking and reading mythologies.