April 8, 2024

How to Run an Effective Cybersecurity Fire Drill Simulation Based on the ConnectWise ScreenConnect Attacks

Introduction

On February 23, 2024, Sophos published an article detailing multiple attacks that exploited vulnerabilities in ConnectWise ScreenConnect to deliver various malware payloads into business environments. This article will guide you in planning and executing a fire drill simulation based on this incident. You can find the original article at https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/.

Who Is This For?

This cybersecurity fire drill exercise is relevant for:

  • Businesses using ConnectWise ScreenConnect or similar remote access tools
  • IT and security teams responsible for managing and securing these tools
  • Incident response teams preparing for potential attacks via remote access software
  • Managed Service Providers (MSPs) using ScreenConnect to service their clients

Simulation Start Points

Consider the following starting points for your cybersecurity fire drill simulation:

  • An employee reports unusual activity on their machine after a remote support session
  • Your security monitoring detects an unauthorized new user account on a ScreenConnect server
  • Suspicious PowerShell commands are executed from a ScreenConnect client process
  • Endpoint protection alerts indicate attempted malware execution from ScreenConnect temp folders

Cybersecurity Fire Drill Simulation Phases

Walk through these incident response phases during the simulation:

  1. Detection and Analysis
    • Investigate alerts related to ScreenConnect processes and identify indicators of compromise
    • Analyze network traffic for communications with suspicious IP addresses or domains
  2. Containment
    • Isolate affected systems and disable ScreenConnect clients until servers are patched
    • Block malicious IP addresses and domains at the network perimeter
  3. Eradication
    • Remove any malware, unauthorized accounts, or persistence mechanisms
    • Patch ScreenConnect servers to the latest secure version
  4. Recovery
    • Restore systems from clean backups where necessary
    • Implement additional security controls around remote access tools
  5. Post-Incident Activity
    • Conduct a root cause analysis and document lessons learned
    • Update incident playbooks and security awareness training
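The start points above (a script host launched by a ScreenConnect client process, execution from a ScreenConnect temp folder, a new account appearing on a ScreenConnect server) are all observable in ordinary endpoint telemetry, so the "Detection and Analysis" phase of the drill can be rehearsed against real log shapes rather than a narrative prompt. The triage helper below is an added example, not code from the original article or from ChaosTrack or Sophos. It runs three rules over a handful of constructed events shaped like Sysmon Event ID 1 (process creation) and Windows Security 4720 (account created) records. The ScreenConnect client process names and the `C:\Windows\Temp\ScreenConnect\` staging path are assumptions for this example and should be checked against the binaries and paths in your own deployment; the hostnames, users and command lines are constructed drill data.

```python
"""Triage helper for the ScreenConnect fire-drill start points (example code).

Flags three observables from the drill's start points in constructed
endpoint telemetry:
  1. a script host spawned by a ScreenConnect client process,
  2. an executable run from the ScreenConnect temp staging folder,
  3. a new local account created on a designated ScreenConnect server.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# ASSUMPTION: client binary names; verify against your own installs.
SCREENCONNECT_CLIENT_PROCS = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
# ASSUMPTION: clients stage files under C:\Windows\Temp\ScreenConnect\<version>\
SC_TEMP_RE = re.compile(r"\\windows\\temp\\screenconnect\\", re.IGNORECASE)
# Constructed: hosts the drill designates as ScreenConnect servers.
SCREENCONNECT_SERVERS = {"sc-srv01"}


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: list[dict]) -> list[Finding]:
    """Apply the three start-point rules to a list of event dicts."""
    findings: list[Finding] = []
    for ev in events:
        if ev["event_id"] == 1:  # process creation
            parent = basename(ev.get("parent_image", ""))
            image = basename(ev.get("image", ""))
            if parent in SCREENCONNECT_CLIENT_PROCS and image in SCRIPT_HOSTS:
                findings.append(Finding(
                    ev["host"], "script-host-from-screenconnect-client",
                    f"{parent} -> {image}: {ev.get('command_line', '')}"))
            if SC_TEMP_RE.search(ev.get("image", "")):
                findings.append(Finding(
                    ev["host"], "exec-from-screenconnect-temp", ev["image"]))
        elif ev["event_id"] == 4720:  # user account created
            if ev["host"].lower() in SCREENCONNECT_SERVERS:
                findings.append(Finding(
                    ev["host"], "new-account-on-screenconnect-server",
                    f"{ev.get('target_user')} created by {ev.get('subject_user')}"))
    return findings


# Constructed sample telemetry for the drill; none of it is real data.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "ws-042",  # normal client start, no finding
     "parent_image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe",
     "command_line": "ScreenConnect.WindowsClient.exe"},
    {"event_id": 1, "host": "ws-042",  # start point: PowerShell from the client
     "parent_image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc <constructed>"},
    {"event_id": 1, "host": "ws-017",  # user-launched shell, no finding
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
    {"event_id": 1, "host": "ws-042",  # start point: binary run from temp folder
     "parent_image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\Temp\ScreenConnect\EXAMPLE_VERSION\tool.exe",
     "command_line": "tool.exe"},
    {"event_id": 4720, "host": "ws-017",  # account on a workstation, no finding
     "target_user": "contractor1", "subject_user": "ws-017\\admin"},
    {"event_id": 4720, "host": "SC-SRV01",  # start point: account on the server
     "target_user": "support2", "subject_user": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Each `Finding` maps directly to a drill start point, so a facilitator can hand one to the team as the injected alert and let them work the Detection and Analysis phase from it; swapping the constructed `SAMPLE_EVENTS` for exported Sysmon or Security log records turns the same script into a quick check of whether the real telemetry would have surfaced the event at all.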

Inject Ideas

Consider adding these injects to make the simulation more challenging:

  • The attacker uses ScreenConnect to deploy ransomware that encrypts critical servers
  • Investigation reveals the attack originated from a compromised MSP with ScreenConnect access
  • Sensitive data is exfiltrated through the ScreenConnect tunnel before the breach is contained
  • The attacker uses ScreenConnect to pivot to other parts of the network and establish persistence

MITRE ATT&CK Techniques

The following MITRE ATT&CK techniques may be relevant to this attack scenario:

  • T1133 - External Remote Services
  • T1068 - Exploitation for Privilege Escalation
  • T1570 - Lateral Tool Transfer
  • T1021.002 - Remote Services: SMB/Windows Admin Shares

Consider how the attackers might leverage these techniques and include relevant actions in your simulation.

ChaosTrack is a platform that combines the best of tabletops and trainings to run ripped-from-the-headlines cybersecurity fire drills against your whole company.

©2024, ChaosTrack, Inc. All Rights Reserved.