Virtual Roundtable Series Ransomware


Page 1: Ransomware - peakresources.com...•Ransomware is Malware -Malicious software that encrypts and holds data/systems hostage for a ransom payment. •Organizations will use Bitcoin or

Virtual Roundtable Series

Ransomware

Page 2

Email us at [email protected]

Today’s Panel

Paul Watson, CTO

Matt Manes, Security Sales Director

Gene Ballard, Security SE

Alyson Goodman, Project Manager

Brian Black, Deep Instinct

Page 3

Today’s Agenda

Anatomy of a Ransomware Attack – 10 minutes

Best Practices – 13 minutes

Open Forum Q&A – 15 minutes

Future Thought – 15 minutes

• This session is being recorded

• You will get a PDF copy of the slides

• Use the Q&A function to ask a question before we go live for the open forum

• Keep an eye out for others’ questions and upvote those you would like answered!

Page 4

Ransomware: The Problem Statement...

• Viruses have been around since the late 1980s and are here to stay!

• Ransomware is Malware - Malicious software that encrypts and holds data/systems hostage for a ransom payment.

• Organizations will use Bitcoin or other methods for ransom payment that are practically impossible to trace.

• Pay to prevent embarrassment – if publicized, it can have a negative effect on companies’ reputation, stock price, etc.

• PEAK is seeing multiple industries/verticals specifically targeted.

• PEAK is seeing that many companies don’t have sufficient controls in place to effectively detect/respond to or recover from a Ransomware attack, let alone prevent it.

• Are your backups alone a 'good enough' strategy?

Page 5

Ransomware: Anatomy of an Attack

Page 6

Stages of A Ransomware Attack

Stage 1: Campaign

Stage 2: Infection

Stage 3: Staging

Stage 4: Scanning

Stage 5: Encryption

Stage 6: Payday


Page 7

Stage 1: Campaign

• Attack Vectors

  − Phishing (Attachments, URLs)

  − Vulnerable Websites (Exploit Kits, Trojans)

  − Compromised USB Drives

  − Vulnerable Systems (RDP/Gateways/VPN, Endpoints, Applications)

  − Credential Scraping

  − Brute Force (RDP, Dictionary Attacks)

• Reconnaissance − Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network

• Weaponization − Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities

• Delivery − Intruder transmits weapon to target

Page 8

Stage 2: Infection

• Exploitation − Malware weapon's program code triggers, which takes action on target network to exploit vulnerability

• Installation − Malware weapon installs access point (e.g., "backdoor") usable by intruder

• Command and Control − Malware enables intruder to have "hands on the keyboard" persistent access to target network

• Actions on Objective − Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or delivery of ransomware, etc.

Page 9

Stage 3: Staging

• Ransomware-Specific Stage of Infection

  − Initial Dropper or Infection Process has been terminated

  − Ransomware Payload has been delivered/executed

  − Recon of local permissions

  − C2C Communication for Key Exchange

  − C2C Communication for any Exfil Activities

• Housekeeping

  − Moves itself to new folders/processes

  − Cleans up original footprint

  − Sets to run upon reboot

  − Deletes local Shadow Copy files (Windows)

Page 10

Stage 4: Scanning

• Targets for Encryption

  − Local files, Filesystems, Drives/MBR, etc.

  − Network file share locations - SMB/CIFS, NFS, mapped drives, etc.

  − Cloud - SaaS, IaaS, synced folders, etc.

• Timing & Frequency

  − Varies by type & variant - seconds/minutes to hours

  − Local/cloud scanning often quick

  − Network scanning often delayed / set to a schedule

  − Hide from controls

Page 11

Stage 5: Encryption

Page 12

Stage 6: Payday

• Facts

  − 96 percent of organizations that paid the ransom received a decryption tool from the hackers. (Source: Coveware)

  − Decryption success depends on the type of virus. Dharma variants were often unreliable after paying the ransom, compared to GandCrab TOR, which almost always delivered a successful decryption tool after a ransom was paid. (Source: Coveware)

  − Bitcoin was the primary method of payment for ransomware. Around 98 percent of payments were made in Bitcoin. (Source: Coveware)

• Demands

  − Timed for a date that will have the most impact

  − Typically demands are well thought out and provide a painful, but easy, out for those under attack

  − IBM study - A quarter of executives would be willing to pay between $20K and $50K to regain access to encrypted data.

Page 13

Stage 6: Payday

To Pay or Not To Pay?

− Are you able to restore from back-up?

− How critical is the data?

− Business impact

Advantages:

− Reduce Disruption

− Cheaper

− Insurance may help

− May save your business

Disadvantages:

− No Guarantees

− Decryptor may not work

− May be targeted again

− Ethical and future Implications

Page 14

Ransomware: Best Practices

Page 15

Ransomware: Best Practices

Vulnerability/Patch Management

Network Security

Identity Access Management

Endpoint Security

Data Protection

Security User and Awareness Training

Continuous Monitoring

Security Policies/Plans


Page 16

Best Practice: Vulnerability/Patch Management

• Scan regularly

• Prioritize vulnerability remediation

• Patch, patch, patch

− OS (Critical and Security related)

− Common apps (Adobe, Java, Office, browsers, etc)

− Services (IIS, Apache, SQL, PostgreSQL, MySQL, etc)

• Disable/remove unnecessary services


Page 17

Best Practice: Network Security

• Network segmentation/filtering

• Network access control

• NGFW

• Explicit firewall rules

• Email threat prevention

• IDS/IPS

• Traffic analysis – source of truth!!


Page 18

Best Practice: Identity & Access Management

• Identity

  − Federated Identity - One Identity

  − Single Identity Policy

  − RBAC Easier

• Access Control

  − Ensure Least Privilege Access

  − Privileged Access Management (PAM)

  − ACLs

Page 19

Best Practice: Endpoint Security

• Deploy an Effective Prevention Solution

• Effective Enterprise EDR Solution

• Detecting & Responding to Advanced Threats/Attacks at Scale in Real-Time

• Detecting & Responding to Malicious System Activity

  − %APPDATA%, %TEMP%, etc.

  − PowerShell, WMI, SSH, VSS, Memory, etc.

  − Pre-Execution, On-Execution, Post-Execution

Page 20

Best Practice: Data Protection

• Regular Backups

− Know your critical data

− Understand RTO/RPO requirements

• Protect Your Backups

− Multiple copies / immutable

− Backup data analytics

• Make Time to Test Your Backups – Restore, Restore !!


Page 21

Best Practice: Security User & Awareness Training

• Conduct Ongoing Security Awareness Training/Campaigns

  − e.g. Quarterly internal phishing campaigns

  − Newsletters, posters, regular security awareness communications

• Conduct Ongoing User Training

  − Regular shaping of user behavior and knowledge of corporate policies

  − More than the once-a-year “Check the Box” approach

  − e.g. Brown Bag Lunch & Learn

Page 22

Best Practice: Continuous Monitoring

• Formally Define an InfoSec Continuous Monitoring Plan

  − Roles, responsibilities, communications, metrics, etc.

• Common Monitoring Sources

  − EDR, IDS, NGFW, SIEM, user behavioral analytics, threat analytics, network traffic analysis

  − Monitor the network, endpoint, cloud, and user

  − Monitor for brute force attempts, account lockouts, clearing of logs, deletion of critical files, unexpected alteration of critical files, etc.

  − Implement deceptive technologies
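A minimal detection pass over the monitoring items listed above (brute force attempts, account lockouts, clearing of logs) together with the Stage 3 housekeeping indicators from earlier in the deck (shadow copy deletion, set to run upon reboot), written as an added example that is not from the slides or from PEAK's material. It assumes SIEM-normalised records with the fields ts, eid, user, src, cmd and target; the event IDs are the standard Windows Security and Sysmon ones, and the sample records are constructed.

```python
"""Detection pass over constructed Windows-style events (added example).
Assumed fields: ts (epoch seconds), eid (Security/Sysmon event ID), user,
src, cmd, target. Sample records are constructed, not real telemetry."""
from collections import defaultdict

BRUTE_FORCE_THRESHOLD = 5   # failed logons from one source address ...
BRUTE_FORCE_WINDOW = 60     # ... within this many seconds raise an alert

# Event IDs: 4625 failed logon, 4740 lockout, 4688 process created,
# 1102 security log cleared (Security log); 13 registry value set (Sysmon).
SAMPLE_EVENTS = [
    {"ts": 100 + 10 * i, "eid": 4625, "user": "jdoe", "src": "10.0.0.7"}
    for i in range(5)
] + [
    {"ts": 160, "eid": 4740, "user": "jdoe", "src": "10.0.0.7"},
    {"ts": 300, "eid": 4625, "user": "asmith", "src": "10.0.0.9"},  # lone typo
    {"ts": 400, "eid": 4688, "user": "jdoe", "cmd": "notepad.exe C:\\notes.txt"},
    {"ts": 410, "eid": 4688, "user": "jdoe", "cmd": "vssadmin delete shadows /all"},
    {"ts": 420, "eid": 13, "user": "jdoe",
     "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    {"ts": 430, "eid": 1102, "user": "jdoe"},
]


def detect(events):
    """Return (alert_name, subject) tuples in time order."""
    alerts = []
    failures = defaultdict(list)  # source address -> recent failure timestamps
    for e in sorted(events, key=lambda ev: ev["ts"]):
        eid = e["eid"]
        if eid == 4625:
            # Sliding window: drop failures older than BRUTE_FORCE_WINDOW
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= BRUTE_FORCE_WINDOW]
            recent.append(e["ts"])
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                alerts.append(("brute_force", e["src"]))
                recent = []  # one alert per burst, then start counting again
            failures[e["src"]] = recent
        elif eid == 4740:
            alerts.append(("account_lockout", e["user"]))
        elif eid == 1102:
            alerts.append(("log_cleared", e["user"]))
        elif eid == 4688:
            cmd = e.get("cmd", "").lower()
            # Stage 3 housekeeping: shadow copies deleted before encryption
            if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
                alerts.append(("shadow_copy_deletion", e["user"]))
        elif eid == 13 and "\\currentversion\\run" in e.get("target", "").lower():
            # Stage 3 housekeeping: persistence via a Run key (survives reboot)
            alerts.append(("run_key_persistence", e["user"]))
    return alerts
```

Running detect(SAMPLE_EVENTS) yields one alert per indicator in time order; the lone failed logon from 10.0.0.9 and the benign notepad.exe process stay silent.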

Page 23

Best Practice: Security Policies/Plans

• Administrative Controls Dictate Operational Controls

• Formally Define/Document InfoSec Policies

  − Organization infosec policy, risk management, incident response, vulnerability/patch management, endpoint security, access control (systems, network), continuous monitoring, security awareness and user training, etc.

• e.g. Incident Response, DR/BC, and Risk Management

  − IR policy, plan, procedure specific to ransomware, regular tabletop exercises, etc.

  − DR/BC policy, plan

  − Risk management policy, plan/assessment… insurance?

Page 24

Q & A

Do you have a more individual question?

Please email us at [email protected]

Type a question into the Q & A box in Zoom below.

Questions can be submitted and upvoted anonymously.


Page 25

Ransomware: Future Thought

with Brian Black of Deep Instinct

Page 26

Facing Future Threats

Brian Black - Technology Evangelist / DSE

2020

Page 27

Private and confidential

WHAT IS DEEP LEARNING?

Page 28

The World of Artificial Intelligence (AI)

Artificial Intelligence | 1950

Page 29

The World of Artificial Intelligence (AI)

Artificial Intelligence | 1950: Optimization Method, Logic, Planning, Probabilistic Reasoning, Language Processing, Perception, Robotics, Expert Systems, Search Methods, Recommendation

Machine learning | 1980

Page 30

The World of Artificial Intelligence (AI)

Artificial Intelligence | 1950: Optimization Method, Logic, Planning, Probabilistic Reasoning, Language Processing, Perception, Robotics, Expert Systems, Search Methods, Recommendation

Machine learning | 1980: Multi-Layered Perceptron, Decision Trees, Regression, Support Vector Machines, Nearest Neighbor, Bayesian Models, Evolutionary Computation, Swarm Intelligence, Reinforcement Learning

Deep learning | 2010

Page 31

CLASSICAL MACHINE LEARNING

Page 32

Machine Learning Approach

[Figure: a grid of labelled training images (Label = cat / Label = dog) is fed to a Model; at Inference, a new image is assigned a Label (dog).]

Page 33

CLASSICAL MACHINE LEARNING – HAND CRAFTED FEATURES

[Figure: hand-crafted measurements on an animal image – Ear = 9cm, Nose = 11.42cm, Eyes = 4.2cm]

Page 34

Misleading Features

Page 35

Misleading Features

[Figure panels: Dogs | Cats]

Page 36

Noise

[Figure panels: Original Images | Noisy Input]

Page 37

Deep Learning Vs. Machine Learning: No Feature Engineering

[Figure: the Machine learning path runs Raw data → Manual feature engineering → Vector of features (0.5, 1.8, -6.4, 2.3, …, N) and is annotated "<2% of the data"; the Deep learning path takes Raw data directly and is annotated "100% of the data".]

Page 38

Thank you

Page 39

Page 40

Closing Statements

Please email us at [email protected]

Thank you to Brian Black and Deep Instinct!

You can reach Brian at [email protected]


Page 41

Thank you for joining today’s session

303-934-1200 | 1-800-925-PEAK

www.peakresources.com