17th May 2023 Ransomware Attack Compromise Assessment (CA) & Digital
Forensic Incident Response (DFIR) Recap
1. 327 assets were identified for CA; only 189 were analysed because
a. Some assets were not accessible, having been fully compromised by ransomware
b. The installed CrowdStrike agent was unable to connect to the CrowdStrike Endpoint Detection and Response (EDR) console
c. Findings: 3 High Category (H), 1 Medium Category (M), 3 Low Category (L)
2. DFIR sampled 8 assets/evidence sources, including VM servers, firewall (FW) logs, VM host servers, workstations and the AD VM server.
a. Findings indicate an initial Remote Desktop Protocol (RDP) event from the SERD Exchange VM server to the SERD AD VM server on 17th May 2023. This is based on the logs that were available and provided to FIRMUS.
b. SERD Exchange VM server and FW logs from 1-2 months prior to 17th May 2023 are required for further investigation, possibly to identify the actual initial point of attack.
Compromise Assessment (CA) Findings Summary
FIRMUS CA & DFIR Exercise Limitation Summary
FIRMUS Recommendation & Next Action Plan
Scope Definition
a. Networks
b. Systems/Applications
c. Data
Assessment Timeline