The second meetup of the Cyber Security Essentials training program dwelled into security operations and log analysis, instructed by Flavia Koskivaara and Antti Ollila from Nixu. The free training program is organized by Future Female and HelSec, and it is intended for women who are interested in working in cybersecurity or gaining more in-depth technical knowledge. Nixu is hosting the meetups to support diversity in cybersecurity.

Do the names Industroyer/CrashOverride, Stuxnet, Blackenergy 2, Havex and Triton ring a bell? These are the names of malware targeted to Industrial Control Systems (ICS). Targets were electric grid operators, Iran’s nuclear facilities and Saudi Arabian petrochemical plants . But even non-ICS targeted malware, like Petya , may have an impact on industrial control systems. NotPetya ransomware wreaked havoc at Maersk’s APM Terminal in Rotterdam. IT related crime has already infiltrated ICS. What can we do to protect existing systems without causing downtime?

The Nixu Digital Forensics and Incident Response team has received a bunch of cases related to the wide-spread exploitation of the Citrix CVE-2019-19781 vulnerability after the proof-of-concept exploit code was published. Our team started looking into possibilities to perform memory forensics on the specific version of FreeBSD that the virtual appliance uses. Here is a brief description of how we managed to do Netscaler forensics with Volatility.