Security, Cyber, and Information Assurance – 02f9c3b.netsolhost.com/blog1/wp-content/uploads/Risk...

Initial draft for community review [email protected]

Ransomware - Risk Posture

Introduction – Have you been asked, “Are we cyber safe yet?” Or, from a more discerning and risk-aware leadership, “What’s our risk posture?” (Of course you then ask them what their risk appetite is!) Even better is when the Board of Directors (BoD) asks, “How will we recover from a Ransomware attack?”, because then they understand that it is not a question of IF, but WHEN. So how do you start to structure an answer to those questions, especially the last one? First, provide an estimate of the residual risk posed by Ransomware, even though that can be a fairly complex equation with many moving factors. Then provide a methodology to minimize the impact and likelihood of a Ransomware attack within the company. Given current industry Ransomware statistics, where this is the worst year ever and the negative impact is growing very quickly, our collective approach must be to assume that we will be attacked and that the attackers are likely already inside our network. That assumption also demonstrates the critical need for an effective incident response process to control and reduce data and resource losses.

Once the Security team has assessed the organization’s relative risk posture for a given vulnerability, the operative challenge is communicating the residual risk in a common format, using familiar vernacular, especially to the C-Suite / BoD. This community paper provides a methodical approach: consider the major factors, heuristically quantify each element’s relative risk, then aggregate those into a notional, overall risk level. We then provide prioritized mitigation suggestions and recommend a ‘risk heat map’ format to distill that information into one communication medium, using standard risk management vernacular. Your mileage may vary!

Summary – The Company is not currently in any known, obvious risk state for a Ransomware attack. Ransomware poses risks of data loss (inability to access the data) and possible blackmail (threat of public release), with all the negative business ramifications that go with them. For the current Company security posture, the overall aggregate risk for Ransomware is estimated as MEDIUM, as quantified later. Compiling and enumerating the risk is complex for a multifunctional risk element like Ransomware: it is non-linear and holistic, with interdependent variables, so the result is a relative, notional residual risk estimate rather than an absolute value. That said, this risk-based process facilitates mitigation prioritization. Even though the key risks we found with our structured methodology are most likely common to all organizations, we offer the overall risk assessment approach so anyone can tailor it to their organization and derive a set of prioritized mitigations that yield a minimum risk posture at the best risk value.

So, what’s the answer (so I don’t have to read this whole paper)? Well, as usual, “it depends” on your security environment and managed baseline posture. We summarize the major factors below; the paper also provides a Ransomware background, key threats, best practices, risk formulations (especially in nondeterministic environments), recommended mitigations, etc. The outcome of this risk assessment is what most already know, that the major mitigations are still effective: (A) a verified ‘secure’ backup approach, (B) enterprise malware identification, detection and prevention (NGAV), (C) enforced access controls / IAM, (D) cyber hygiene / vulnerability management (patching, CMDB, etc.), and (E) firewall and application control rule sets. (BTW, cyber awareness training will make the top risk list for many, as phishing is a huge threat vector and it only takes one user clicking one link; in our notional security environment we assessed it as adequately effective, i.e., it carried a medium risk and that was all we could support at the time, so we mainly focused on technical controls.) (IF you have already been attacked, go to https://www.nomoreransom.org/ .)

Still, no surprises here: these risks and the related mitigation activities are the hallmarks of an effective risk-based security strategy, be that Ransomware risk minimization, data breach risk reduction, or any other threat vector and its associated security vulnerabilities and risks! The effectiveness of these methods, and of the key mitigations within them, also needs to be assessed against the techniques threat actors use to bypass them or render them partially ineffective, as suggested in the right-most column of Table 1.0 below. The challenging task is then to determine which of these 17 methods need attention in your environment, given that each may be rendered less effective to start with. We later examine the major vulnerability areas (the “Methods / Weaknesses” column below) associated with the utility of each mitigation given the effectiveness of the threat actors’ tactics, and then distill the residual risk into the risk heat map (assessed and captured later in Table 2.0).

Table 1.0 – Methods / Weaknesses; Mitigations; Vulnerabilities / Threat Actor Techniques

1. Secure Backup / not effective (or partially in place)
   Mitigations: All devices covered. Backups stored offline (onsite and offsite). Periodically test restore. Automatic backup validated to confirm that it does not contain malware.
   Vulnerabilities / Threat Actor Techniques: Backup images poisoned (malware already installed); backup credentials stored on the endpoint; backups stored in the cloud, but if the entire enterprise is encrypted, restoring from cloud backup is infeasible.

2. Phishing training / high click rate or no enforcement
   Mitigations: Use digital signatures for assured sender identities. User behavior modification through periodic exercises and targeted training. Consequences for those who fail exercises.
   Vulnerabilities / Threat Actor Techniques: Sophisticated messages with content specific to the victim; spoofed email addresses that appear legitimate; zipped or encrypted attachments to bypass scanners.

3. Patching effectiveness / weak or ad hoc ITAM / CMDB
   Mitigations: Automated / virtual patching. Vulnerability prioritization. Effective CMDB / release management. Actively monitor threat intel for 0-day malware and prioritize patching.
   Vulnerabilities / Threat Actor Techniques: Ransomware will leverage the entry vectors that 0-day / 1-day exploits provide, or will not rely on vulnerability exploits to begin with.

4. FW and APP rule sets / not implemented or poorly managed
   Mitigations: Firewall (FW) whitelisting / URL and egress filtering. Application (APP) whitelisting (and limit exceptions), where code signing greatly complements application whitelisting.
   Vulnerabilities / Threat Actor Techniques: Depending on implementation, whitelisting can be ineffective, as some environments are too dynamic. Malware moves laterally, executes commands, etc.

5. IAM, users and PAM / weak process or ineffective monitoring
   Mitigations: Limit local admins (all types), tightly control exceptions, block local executable installs. No user boot bypass. Strictly manage privileged users. Log activity for changes to service accounts.
   Vulnerabilities / Threat Actor Techniques: Local backup administrator accounts and service accounts are increasingly being used by adversaries, and these cannot be removed without breaking their respective service(s).

6. Email server & Exchange / weakly or partially enabled
   Mitigations: Employ all scan & block capabilities, including blocking JavaScript and executables. Continue to use Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) to reduce spoofed inbound email.
   Vulnerabilities / Threat Actor Techniques: Unable to keep up with the pace of evasive ransomware campaigns that easily detect when they are running in a virtual machine; an adversary can bypass detonation-chamber (sandbox) technology.

7. Next Gen AV / not effective or weakly integrated
   Mitigations: Use both host and network AV. Use behavior (and reputation) based AV as the primary tool, versus only signature-based AV (which is hard to keep up to date). Integrate with SIEM and SOC.
   Vulnerabilities / Threat Actor Techniques: Ransomware markets and RaaS ensure every piece of ransomware launched in a campaign has a one-off unique signature/hash. Heuristic and behavior-based detection (including detonation chambers) is bypassable via the evasion and persistence techniques routinely used by malware.

8. Client / PC controls set-up / no profile is managed
   Mitigations: Strictly manage the client security profile (restrict / disable settings & controls; see appendix, Table 4.0).
   Vulnerabilities / Threat Actor Techniques: Ransomware may still execute successfully, even if client security policies are enabled.

9. Internet browser controls / not defined or managed
   Mitigations: Develop a minimum security baseline for the browser. Block general Tor browser use. Provide tighter controls (file sharing, wireless, PowerShell, etc.); minimize active code (JavaScript, ActiveX, etc.).
   Vulnerabilities / Threat Actor Techniques: Blocking Tor may prevent users from visiting the “dark net,” but won’t stop ransomware itself; at most it removes the ability to pay the ransom.

10. Password policy & operations / not audited or enforced
   Mitigations: Password & privileged account management (PAM) policy with automated monitoring supporting enforcement. Conduct periodic audits. Use multi-factor authentication (MFA) for sensitive devices (e.g., IT & Security ‘crown jewels’).
   Vulnerabilities / Threat Actor Techniques: MFA/2FA is a solid recommendation for confidentiality, but does not prevent an end user from authenticating to an email application, then opening an attachment or clicking a malicious link and becoming infected via that vector.

11. Security Monitoring / inadequate or not integrated
   Mitigations: Defense in depth monitoring, SIEM & SOC integrated, bi-directional monitoring, fine-tuned filtering, prioritized alerts for specific use cases; consider improving cloud security and monitoring with a cloud access security broker (CASB).
   Vulnerabilities / Threat Actor Techniques: ‘Alert fatigue’ from organizations collecting data on almost everything; SIEMs are routinely either ‘turned on’ but doing little and not operationalized, or else over-fed with tens of thousands of alerts per day; attackers benefit from the tremendous noise by burying the signal of their activities in it.

12. IDS or IPS / not used, poor placement, or not properly configured
   Mitigations: Actually have one (or more), with well-placed sensors on key network segments. Sandbox. Located at the perimeter, used to decrypt most web and email traffic, and application aware; used in conjunction with a Web Application Firewall (WAF) or application gateway firewall (for client-server apps).
   Vulnerabilities / Threat Actor Techniques: It is often the IDS alerts that create so much of the SIEM noise that has paralyzed organizations. Adversaries routinely use IDS/IPS as weapons of distraction to send analysts down rabbit holes.

13. Adobe Flash and Adobe Reader / not replaced or kept patched
   Mitigations: Do not use Flash if at all possible. If required, diligently apply the many patches per week. Most should consider another player such as Unity Web Player or GNU Gnash (and/or choose an alternative PDF reader: https://www.foxitsoftware.com/products/pdf-reader/ ).
   Vulnerabilities / Threat Actor Techniques: This will work for Locky and a few other variants / campaigns; there are many ways to get ransomware onto the victim machine, and it really depends on whether the threats are opportunistic or targeted.

14. Mobile Security / weak policy, inadequate MDM, NAC
   Mitigations: Enforced mobile / BYOD policy. Manage devices and apps using Mobile Device Management (MDM), Mobile Application Management (MAM) and Network Access Control (NAC).
   Vulnerabilities / Threat Actor Techniques: TTPs for mobile are slightly different: adversaries probably won’t use encryption, but exfiltrate data and hold it for ransom under threat of public release; they may also steal financial information from mobile devices to get into bank accounts.

15. Microsoft Office macros / ineffective identification and removal
   Mitigations: Malware includes macros and scripts that must be scanned for in email, Office and security tools; use GPO to globally disable macros by default; limit users’ ability to enable macros.
   Vulnerabilities / Threat Actor Techniques: Macros are used pervasively to spread ransomware; disabling macros is one way to mitigate this; however, users are able to enable them on a per-use basis.

16. Application controls / no policy, no V&V, no S-SDLC
   Mitigations: Formal Secure SDLC approach, application whitelisting along with code signing, scanning for dated / unlicensed software, minimizing poor software development practices (SQL injection, etc.) through the Secure SDLC.
   Vulnerabilities / Threat Actor Techniques: Removing common software security errors is always good business, but it won’t stop a ransomware campaign from occurring, because the attack vector is not aimed at application vulnerabilities; adversaries may try to embed malware into known applications to bypass whitelisting.

17. Block malware Command and Control / not done
   Mitigations: Use a DNS sinkhole (server black-hole) approach; this blocks the command and control (C2) of malware from “phoning home” for the key, etc.
   Vulnerabilities / Threat Actor Techniques: Adversaries now use algorithms to set up and tear down domains at cyclical rates (domain generation); C2 can be carried out over many channels now as well (e.g., embedded in images via steganography); more recent forms of malware do not need to retrieve the key like CryptoWall used to, and instead have the key already embedded in the binary and purposely do not rely upon any C2.
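Row 17’s mitigation and its caveat, worked through as an added example (this is not code from the paper): a resolver-side hook that answers known C2 names with a sinkhole address, and a lexical score that also catches the algorithmically generated (DGA) names the caveat warns about, since those are never on a list for long. It emits an alert only for sinkholed queries, which is the row 11 point about not drowning the SOC in noise. The log format, the blocklist, the sinkhole address 10.255.255.1, the feature thresholds and the cut-off score are all constructed here and need tuning against your own resolver data.

```python
"""DNS sinkhole decisions with a domain-generation heuristic (added example)."""
from __future__ import annotations

import math
import re
from collections import Counter

SINKHOLE_IP = "10.255.255.1"                              # assumed black-hole address
BLOCKLIST = {"bad-c2.example", "pay-decrypt.example"}    # constructed indicators
DGA_THRESHOLD = 3                                         # features hit before we call it DGA
VOWELS = set("aeiou")

# Constructed log lines: <timestamp> <client> <qtype> <qname>
SAMPLE_LOG = """\
2016-06-01T10:00:01Z ws-0142 A update.microsoft.com
2016-06-01T10:00:02Z ws-0142 A kq3xz9vlmqp8r2tw.com
2016-06-01T10:00:03Z ws-0201 A beacon.bad-c2.example
2016-06-01T10:00:04Z ws-0201 A mail.google.com
2016-06-01T10:00:05Z ws-0309 A xjqwpzvlkrtnmbsd.net
2016-06-01T10:00:06Z ws-0309 A www.nomoreransom.org
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>\S+) (?P<qname>\S+)$")


def entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dga_features(label: str) -> dict[str, bool]:
    """Lexical tells of an algorithmically generated second-level label."""
    letters = [ch for ch in label if ch.isalpha()]
    vowel_frac = sum(ch in VOWELS for ch in letters) / max(len(letters), 1)
    digit_frac = sum(ch.isdigit() for ch in label) / max(len(label), 1)
    consonant_runs = re.findall(r"[b-df-hj-np-tv-z]+", label)
    longest_run = max((len(r) for r in consonant_runs), default=0)
    return {                                   # thresholds are assumptions
        "long": len(label) >= 12,
        "few_vowels": vowel_frac < 0.2,
        "digits": digit_frac >= 0.2,
        "consonant_run": longest_run >= 4,
        "high_entropy": entropy(label) > 3.5,
    }


def second_level_label(qname: str) -> str:
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_blocklisted(qname: str) -> bool:
    """Exact match or any subdomain of a blocklisted name."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in BLOCKLIST)


def decide(qname: str) -> dict:
    """Sinkhole on the blocklist first, then on the DGA score; otherwise resolve."""
    if is_blocklisted(qname):
        return {"qname": qname, "action": "sinkhole", "reason": "blocklist", "answer": SINKHOLE_IP}
    feats = dga_features(second_level_label(qname))
    score = sum(feats.values())
    if score >= DGA_THRESHOLD:
        hit = ",".join(k for k, v in feats.items() if v)
        return {"qname": qname, "action": "sinkhole",
                "reason": f"dga score {score} ({hit})", "answer": SINKHOLE_IP}
    return {"qname": qname, "action": "resolve", "reason": "clean", "answer": None}


def process_log(text: str) -> list[dict]:
    """One alert per sinkholed query; clean lookups produce no alert at all."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # malformed line: skip rather than crash the hook
        verdict = decide(m["qname"])
        if verdict["action"] == "sinkhole":
            alerts.append({"ts": m["ts"], "client": m["client"], **verdict})
    return alerts


if __name__ == "__main__":
    for a in process_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['client']} {a['qname']} -> {a['answer']} ({a['reason']})")
```

Of the six constructed lookups, three are sinkholed (the blocklisted beacon and the two generated-looking names) and three resolve normally, so the SOC sees three alerts rather than six log lines. As the row’s caveat says, this only contains variants that still phone home; a sample with the key embedded in the binary never touches DNS, and the sinkhole is then a detection signal for the infected host, not a prevention.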

Assumptions & Limitations – No security system is ever close to 100% effective; thus there is always some residual risk. The optimum security environment has proven, effective protection controls in place, using a defense in depth / breadth approach, complemented by continuous security monitoring, effective security education, and periodic audits. The residual risk of any capability is then assessed within this environment using a combination of mitigation factors from policy, process, people, and product (technology). The major Ransomware factors were proposed in the table above, whereas the effectiveness of this risk reduction journey must be supported collaboratively, as a priority, across the entire IMS / Operations / IT Security department. Thus we strongly recommend that the department take a dedicated risk team (working group) approach to Ransomware prevention, to maximize the overall company protection state using collective and limited resources, and so offer the best-value risk posture.

The appendix provides more information on risk conditions, best practices, and detailed client technical controls. These are a few additional references and sources of interest (in this paper, we liberally excerpt the key recommendations therein):

1. http://www.ebulletinsresources.com/hubfs/D1/KnowBe4/Ransomware-Hostage-Rescue-Manual.pdf – Detailed overview and response checklists.
2. https://www.csiac.org/podcast/ransomware/ – Educational video on the topic.
3. https://www.nomoreransom.org/ – Offers a one-stop shop resource for battling Ransomware infections.
4. http://www.ebulletinsresources.com/hubfs/D1/Eset/Ransomware.pdf – Ransomware best practices.
5. https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf – Great overview and high-level mitigation steps!

A couple of recent articles to note:

http://www.healthcare-informatics.com/article/cybersecurity/cost-ransomware-attacks-can-reach-far-beyond-ransom-payment-itself
http://www.securityweek.com/cybereason-unveils-free-ransomware-protection-tool
http://essentials.code42.com/rs/760-OMU-478/images/Ransomware%20roadmap-%20where%20cybercriminals%20will%20attack%20next.pdf


The sample risk heat map below depicts the risks for methods #1 – 17 above. The outcome of this risk assessment suggests that the major mitigations are to make the following effective: (A) secure backup (the failure of, #1); (B) next-generation AV / malware prevention (#7); (C) IAM / access controls (weak or unenforced policy, #5); (D) vulnerability management (poor patching / CMDB, #3); and (E) FW and APP rule sets (#4). (NOTE – Notional values are used for illustration purposes only; they do not represent actual values, rather the likely key risks to consider. Use your own numbers when tailoring this paper.)


Methods – We first propose a set of methods for a Ransomware risk reduction approach within the Company’s cyber posture, from which the residual risk is then estimated. The risk likelihood and consequence are initially estimated heuristically for each major method, and each is then weighted in the aggregate to provide a notional residual risk level. Residual risk, like reliability, safety, etc., is complex and generally not a linear function: some factors are weighted more than others. Risk is also relative in any environment (in the impacts it causes); thus all risk factors must be taken in context. If all risk is quantified in the same manner, however, the outputs tend to be naturally normalized and it is easier to show the higher relative risk factors. The overall “risk heat map” approach used herein is one method to prioritize mitigations when limited resources are used to minimize the company’s overall risk posture. (Note – this general risk approach does not go into the “return on investment (RoI)” of security, using annualized loss expectancy (ALE) or other cost methods, to determine the ‘value’ of each protection measure in reducing risk.)

The residual risk of complex vulnerabilities must be viewed and assessed from several perspectives to obtain an aggregated and weighted notional risk determination. In highly interrelated systems, the actual risk interdependencies have many unknowns and typically behave in a nondeterministic manner. Therefore, trying to quantify an absolute level of risk for each element, and then aggregating those into an overall residual risk with any degree of certainty, becomes quite costly for little value added, even as an approximation. In addition, every risk estimate has an associated confidence factor which takes into account the fidelity, quality and assurance level of the estimate. Given the nature of a complex aggregated risk determination within a holistic and nondeterministic environment, the law of diminishing returns is usually reached early when trying to obtain a high confidence factor for any risk estimate. That is, once a nominal risk estimate is developed with general department concurrence, resources are better used in prioritizing the risk mitigations themselves than in trying to increase confidence factors. Ideally, the key department managers and stakeholders agree on an acceptable confidence level in advance of estimating the nominal risk level.

Discussion – Ransomware is malware that encrypts a device’s contents in order to extort money from the owner in return for restoring access to those resources. This kind of malware can also have a built-in timer with a payment deadline that must be met; otherwise the price for unlocking the data and hardware grows, or the information is ultimately rendered permanently inaccessible. Among the well-known examples of Ransomware affecting desktop computers are Reveton, CryptoLocker, CryptoWall, TeslaCrypt and Locky (to name a few); on mobile platforms, Simplocker and LockerPin. The most recent top two variants are TeslaCrypt (58%) and CTB-Locker (24%), both spread mainly through spam email with malicious attachments or links to infected web pages. Industry studies and analyses show that Ransomware has emerged as a very popular form of malware for cybercriminals, and that its use has been rising for many years, targeting both privately owned and business devices. Windows and Android are currently the most commonly targeted operating systems, but recent attacks show that even Linux and OS X are not exempt from Ransomware. Companies need to mitigate the risk of Ransomware infection by focusing on the frequently used attack vectors, then provide guidance on how to effectively protect company devices and their contents, as well as recommend the available options when devices or files have already been taken hostage.

Increasingly Sophisticated Variants Are Emerging

Ransomware is evolving, using increasingly sophisticated tactics, techniques, and procedures (TTPs) to execute attacks, including:

--- RAA is JavaScript masquerading as a Word file, delivered under a .DOC file extension to avoid binary detection. Once launched, it seeks to prevent restoration from backups by disabling the Microsoft Volume Shadow Copy Service (VSS), so shadow-copy restore points cannot be used. RAA also includes a Trojan horse feature, dropping Pony, a password-stealing Trojan, for future hacking.

--- Unlike variants with an end-user and endpoint focus, SamSam targets servers via a JBoss vulnerability, from which it moves laterally to infect and encrypt data on other Windows systems. In the same family of server-side Ransomware, MakTub is a variant that compresses files to speed up the encryption process.

--- Attackers are even operationalizing Ransomware: Jigsaw is a newer variant that includes a chat feature to coordinate the ransom payment between victim and attacker.

--- The major Ransomware threat vectors are email attachments, web downloads and email links.

Additionally, our answer to the most pressing question that victims of a Ransomware attack have to face, “Should I pay what the cybercriminals demand?”, is NO. In general that is what the FBI recommends; in addition, there is no guarantee that you will get the decryption key, and the criminals could also resort to releasing the data publicly, infecting other devices, etc. To be confident in not paying the ransom, a company must provide a due-diligence level of security protection against this threat, where the notionally assessed organizational residual risk should ideally be LOW/MED, or at most MEDIUM.

Ransomware prevention can be a relatively complex endeavor with many moving parts, requiring interdepartmental collaboration to maximize the cyber performance of the entire company. In most cases, if one of the major risk factors described in the following table is not effectively managed to an adequate level of risk, the overall Ransomware risk will likely increase in direct proportion. Yet the reverse is not generally true: spending a lot more resources to minimally reduce one type of risk will likely not correspond to an overall risk reduction. The major factors in Ransomware risk are assessed in the following discussions and listed in Table 2.0, including one table with best-practice mitigation recommendations (in the appendix).

Sources on minimizing a Ransomware impact are numerous, and any well-known resource is adequate; we highlight ESET’s top 11 (ref #4):

1. Back up important data regularly, ‘securely’ (storing offline), and periodically verify that it restores.
2. Patch & update your software routinely, using a disciplined process (e.g., ITAM / CMDB / release management).
3. Pay attention to your employees’ security training (and conduct periodic phishing exercises).
4. Show hidden file extensions (malware executables often masquerade as PDF, DOC, etc.).
5. Filter executable attachments in email, use anti-spam filters, categorize subject lines, etc.
6. Disable files running from the AppData / LocalAppData folders.
7. Minimize the use of shared folders and compartmentalize as much as possible, as malware can spread through them.
8. Disable RDP, the Windows utility that allows others to access desktops remotely.
9. Use a reputable security suite, including a capable firewall, AV on host and network, whitelisting, etc.
10. Use System Restore to get back to a known-clean state.
11. Always use a standard account wherever possible, versus one with administrator privileges.
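ESET items 4 and 5, together with Table 1.0 rows 2, 6 and 15, all come down to the same gateway check: is the attachment what its name says it is? The following is an added example (not code from the paper or from ESET) of that triage: it catches executables hiding behind a document or image extension, script files delivered under a .DOC name (the RAA pattern above), zipped executables, Office files carrying a VBA project, and content whose header does not match its extension. The file names, their contents and the block/allow policy are constructed for illustration; a real gateway would also detonate the file and check it against threat intel.

```python
"""Inbound attachment triage (added example; nothing here is real malware)."""
from __future__ import annotations

import io
import zipfile

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                  "vbe", "wsf", "hta", "ps1", "msi", "jar", "dll", "lnk"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
             "jpg", "jpeg", "png", "gif"}
OOXML_EXT = {"docx", "docm", "dotm", "xlsx", "xlsm", "xltm", "pptx", "pptm"}
LEGACY_OFFICE_EXT = {"doc", "xls", "ppt"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container
PE_MAGIC = b"MZ"                                  # Windows executable header
RLO = "\u202e"                                    # right-to-left override character


def extensions(name: str) -> list[str]:
    """All dotted suffixes of the base name, lower-cased: 'a.doc.js' -> ['doc', 'js']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def inspect_name(name: str) -> list[str]:
    """Name-only checks: RLO trick, executable suffix, double extension."""
    findings = []
    if RLO in name:
        findings.append("right-to-left override character in file name")
    exts = extensions(name)
    if exts and exts[-1] in EXECUTABLE_EXT:
        findings.append(f"executable extension .{exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXT:
            findings.append(f"double extension: poses as .{exts[-2]}")
    return findings


def _open_zip(data: bytes) -> zipfile.ZipFile | None:
    try:
        return zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None


def inspect_zip(data: bytes) -> list[str]:
    """Look inside an archive for encrypted entries and executable members."""
    zf = _open_zip(data)
    if zf is None:
        return ["claims to be a zip archive but is not a valid one"]
    findings = []
    for info in zf.infolist():
        if info.flag_bits & 0x1:   # general-purpose bit 0: the entry is encrypted
            findings.append(f"{info.filename}: encrypted entry, scanner cannot inspect it")
        findings += [f"{info.filename}: {f}" for f in inspect_name(info.filename)]
    return findings


def inspect_ooxml(data: bytes) -> list[str]:
    """OOXML is a zip; a vbaProject.bin part means the document embeds VBA."""
    zf = _open_zip(data)
    if zf is None:
        return ["claims to be an Office document but is not an OOXML (zip) container"]
    if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
        return ["contains a VBA macro project (vbaProject.bin)"]
    return []


def triage(name: str, data: bytes) -> dict:
    """Combine name and content checks; any finding blocks the attachment."""
    findings = inspect_name(name)
    exts = extensions(name)
    final = exts[-1] if exts else ""
    if final == "zip":
        findings += inspect_zip(data)
    elif final in OOXML_EXT:
        findings += inspect_ooxml(data)
    elif final in LEGACY_OFFICE_EXT and not data.startswith((OLE_MAGIC, b"PK\x03\x04")):
        # The RAA case: a script delivered under a .doc name. (Macro inspection of
        # genuine OLE files needs a library such as oletools; not attempted here.)
        findings.append(f"content is not an OLE/OOXML document despite .{final} extension")
    if data.startswith(PE_MAGIC) and final not in EXECUTABLE_EXT:
        findings.append("PE (MZ) header under a non-executable extension")
    return {"name": name, "verdict": "block" if findings else "allow", "findings": findings}


def make_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


def constructed_samples() -> list[tuple[str, bytes]]:
    """Constructed inputs covering each check (no real malware)."""
    return [
        ("invoice.pdf.exe", PE_MAGIC + b"\x90" * 62),
        ("scan.doc.js", b"var sh = new ActiveXObject('WScript.Shell');"),
        ("scan.doc", b"var sh = new ActiveXObject('WScript.Shell');"),
        ("report.docm", make_zip({"[Content_Types].xml": b"<Types/>",
                                  "word/document.xml": b"<w:document/>",
                                  "word/vbaProject.bin": b"\x00" * 16})),
        ("quarterly.docx", make_zip({"[Content_Types].xml": b"<Types/>",
                                     "word/document.xml": b"<w:document/>"})),
        ("photos.zip", make_zip({"vacation.jpg.scr": PE_MAGIC + b"\x00" * 8})),
        ("setup.txt", PE_MAGIC + b"\x00" * 8),
        ("notes.txt", b"see you at the 10:00 meeting"),
    ]


def triage_all() -> dict[str, str]:
    return {name: triage(name, data)["verdict"] for name, data in constructed_samples()}


if __name__ == "__main__":
    for name, data in constructed_samples():
        r = triage(name, data)
        print(f"{r['verdict']:<5} {name:<18} {'; '.join(r['findings']) or '-'}")
```

Six of the eight constructed samples are blocked and only the plain .docx and .txt pass. Note what this cannot do: an encrypted zip is flagged but not opened (row 2’s “zipped or encrypted attachments to bypass scanners”), and a legacy binary .doc that really is an OLE file passes the content check here because macro extraction from OLE needs an extra library.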


Recommendations – In Table 2.0, which follows, the major Ransomware risk causal factors are listed as ‘methods,’ since they contain the typical mix of policy, process, people and product elements. To start the risk estimation journey, especially for those who have only a general awareness of the security methods, we begin with a proposed high-level sense of the security ‘posture.’ This state is estimated first to frame each method’s general effectiveness (i.e., an initial, relative, qualitative ‘goodness’ measure such as good, average, marginal or poor) and so give a general sense of the capability’s operational status. The common ‘weak areas / exposure’ column in the table then provides a high-level view of the key residual problem areas of that method, which can also help link to the relationships, dependencies and potential impacts in the other methods. The posture and exposure columns then help frame the numerical risk columns. The relative posture level and numeric risk value estimates for each method then indicate the potential for reducing that vulnerability’s risk level, given the defense-in-depth status of the system architecture as a whole (the dependencies, hierarchy, inheritance, etc. at play). For example, mitigating the vulnerabilities of a method which has a good posture and a lower risk level will likely have less overall risk reduction effect than mitigating one with a below-average posture (all other factors remaining the same).

When prioritizing which mitigations to put resources toward, these two columns (posture and risk) help provide a relative weight for that method’s residual weaknesses and also help factor the method into follow-on risk calculations. We use Likelihood (1–5) and Consequence (1–5) in a “5 by 5” risk matrix, where overall risk is their product, ranked 1–25, and also color coded green, yellow, orange and red, lowest to highest. See your company risk management plan for further definitions, steps and processes.

---Likelihood (probability of occurrence)

(1) Low = 0-20%
(2) Low-to-Medium = 21-40%
(3) Medium = 41-60%
(4) Medium-to-High = 61-80%
(5) High = 81-99.9%

---Consequence (effects for risk and a program's CSP (cost / schedule / performance) changes)

(1) Low = No to minimal CSP impacts or added risk
(2) Low-to-Medium = Minor reduction, tolerable CSP impacts, with some added risks
(3) Medium = Moderate increase in CSP impacts causing execution adjustment, with high added risks
(4) Medium-to-High = Major degradation in CSP, critical shortfalls experienced, with severe added risks
(5) High = Significant degradation in CSP, likely program default, with critical added risks

How to calculate the risk numbers - Using your current security environment's state for the method under assessment, plus the reduced effectiveness caused by the hacker bypass techniques listed in the first table, estimate the approximate levels between 1 and 5.

Calculating likelihood - Each method's level involves different factors with varying weights. The mitigations themselves also have varying effectiveness, countered by the hacker evasion techniques. Thus the guidance for estimating likelihood cannot be exact or definitive here, as the variables are wide ranging and generally nonlinear. Suffice to say that one can use the posture and a general sense of the environment's status, along with the method's mitigation effectiveness, to roughly estimate the probability of occurrence. This risk assessment process is, after all, an 'approximately correct' methodology to help prioritize the major impact-reducing mitigations, not an absolute risk level determination. The earlier discussion on the level of confidence factor applies here as well; the intent is a relatively simple risk model, applied uniformly, that arrives at an overall organizational risk reduction, value-added way forward.


Calculating consequence - Just as estimating likelihood was a 'best effort' given the complexity of the variables involved, so too is consequence. The major difficulty is that a method's specific impact is hard to quantify when, in the end, they can all lead to data loss and public exposure. So given the estimated posture for that method, a sense of the other, more directly related methods' postures (again a fuzzy, empirical determination), and the influence of the evasion techniques, one assigns a relative, heuristic level. Again, the relative risk outcomes of the methods are the objective; they provide a structured way to prioritize mitigations, not an assessment of absolute impacts.

The Likelihood and Consequence values are typically notional, heuristic, best holistic estimates, based on a general sense of the residual risk potential. Due to the complexity and non-linear aspects of the Ransomware risk equation, the risk values below assume the other 16 risk methods are held constant and adequate for that point in time, to simplify each method's risk determination. (NOTE - This evaluation estimates the methods at a snapshot in time, with each method estimated individually. Since internal and external factors change over time, impacting the methods in varying degrees, the risk process must be iterative, with the next evaluation/estimation effort including the changes in the inter-relationships.) (Again, the posture and risk values are notional, to illustrate the process, not actual values of any company... insert yours here!)

Table 2.0 (Risk = Likelihood x Consequence, each 1-5)

No. | Method (weakness) | Posture | Common weak areas / exposure | Likelihood | Consequence | Risk | Comments (mitigations)
1 | Secure backup - failure | Average | Malware embedded; no "secure" verification and validation (V&V); minimal / ineffective restore testing | 4 | 5 | 20 | Backup process made effective and regularly tested
2 | Phishing training - effectiveness | Average | Weak compliance (no enforcement), infrequent exercises, low user retention | 3 | 4 | 12 | More / targeted exercises will raise effectiveness; add digital signatures
3 | Patching (ITAM/CMDB) - effectiveness | Average | Unpatched vulnerabilities, many of them known; weak vulnerability management process feeding CMDB and release management | 4 | 4 | 16 | Weight / rank vulnerabilities, then patch critical ones ASAP, starting with externally exposed items; establish a CMDB
4 | FW and application rule sets - effectiveness | Marginal | Firewall (FW) rules lax / open; black or white listing and URL filtering minimal or not used; application whitelist not in place or ineffective, allows too many exceptions | 4 | 4 | 16 | Improve FW rules / URL filtering; implement architecture changes that let the rule sets be optimized
5 | IAM, users and PAM - coverage / effectiveness | Average | Minimal control of local admins, too many excepted users; weak privileged account management (PAM) | 4 | 4 | 16 | Monitor local admins and PAM better; some software runs without installation
6 | Email server / Exchange - set-up inadequate | Average | Email scans / categorization so-so, some sandboxing; not using digital signatures; not blocking JavaScript | 3 | 3 | 9 | Make fake emails easy to spot; better spam filters; block scripts
7 | Next Gen AV product - effectiveness | Good | Need to assess AV effectiveness and gaps, including script use; incorporate Linux | 4 | 5 | 20 | Assess effectiveness; integrate into SIEM
8 | Client / PC controls set-up - effectiveness | Average | Unclear status, no risk assessment done; need to periodically verify the client security profile | 3 | 3 | 9 | Verify the client posture; restrict / disable settings (see appendix, Table 4.0)
9 | Internet browser control - effectiveness | Marginal | Need to assess status and develop a minimum security baseline (MSB) for allowed plugins and overall security controls; block Tor use | 3 | 3 | 9 | Tighter controls (file sharing, wireless, PowerShell, etc.); minimize active code (JavaScript, ActiveX, etc.)
10 | Password policy - enforcement | Marginal | Weak / dated password policy; no audit / enforcement; passwords likely reused across several systems | 3 | 4 | 12 | Enforce the password policy, conduct a baseline audit, strictly manage accounts
11 | Security monitoring - effectiveness | Good | Defense in depth monitoring needed; SIEM and SOC not current / integrated; use bi-directional monitoring | 2 | 3 | 6 | Update SIEM and SOC; integrate other tools; consider MS Log Analytics
12 | IDS / IPS - effectiveness | Average | IDS minimally effective, not integrated with AV | 2 | 3 | 6 | Integrate with AV / SIEM; position sensors better
13 | Adobe Flash - in use | Average | Flash has a long record of security flaws / patches and is not worth using | 2 | 3 | 6 | If used, diligently apply the many patches; otherwise use sites with HTML5 or other alternatives
14 | Mobile security - not managed | Average | Policy needs to cover BYOD; manage phone access (device and apps); use MDM for NAC | 3 | 3 | 9 | Policy update; enforce mobile controls; configure MDM for NAC and apps
15 | MS macros - not filtered | Good | Better effective filtering set-up / CM needed; in general the Microsoft and security tools are not fully effective | 2 | 3 | 6 | Verify security products sandbox documents and effectively clean them
16 | Application controls - not used | Marginal | Need a Secure-SDLC approach; some whitelisting done; need an audit / V&V process | 3 | 4 | 12 | Use a formal Secure-SDLC process; expand the application whitelist; scan for unauthorized software
17 | Domain blocking - not used | Poor | Not using a black hole DNS sinkhole approach (which blocks malware C2 communications) | 3 | 4 | 12 | Install blocking services; prevents "phoning home" for the key, etc.

– Overall risk assessment

As mentioned earlier, risk aggregation in a complex, multifaceted environment is usually non-linear and typically acts as a heuristic function within a nondeterministic equation, integrated into an overall risk value. Due to their inter-related functions and interfaces (e.g., defense-in-depth, inheritance, dependencies, etc.), as well as many other holistic effects, each of the posture, likelihood and consequence values is itself a best-effort estimate, and thus 'approximate' as well. Suffice to say, an aggregated score for a complex risk is essentially a ROM (rough order of magnitude) estimate, best used in a relative manner among the environment's other risks rather than as an absolute measure. As mentioned earlier, adding more assessment resources does not necessarily increase the risk confidence factor, due to the nonlinear and nondeterministic behaviors in a complex ecosphere.


For Ransomware overall, we suggest each organization decide which risk factors are more relevant, then sum and average them (even though they are not linear, as mentioned) for an approximate risk level. Such a nominal weighting might treat secure backup as the major factor, then pick a few others as secondary effects, for example security awareness training and patching effectiveness as lesser influencing elements. Given the risk estimates in the table above, the overall aggregated risk is estimated as MEDIUM.

From a more heuristic aggregation of all the risk elements overall, we can also generalize the risk as:

Likelihood - Medium (3) - Even though some elements have a higher individual risk, within our complex defense in depth environment the general likelihood is medium, especially as a major factor, NGAV, is well covered in this example (a 'good' posture).

Consequence - Medium-to-High (4) - Given our overall defense in depth effectiveness, security tools and effective backup methods, the impact of data loss (hostile encryption) is assessed at 4 rather than the maximum 5.

Risk - L x C = 3 x 4 = 12 = MEDIUM.

– Prioritize mitigations

Now that we have a general sense of each method's residual risk, which together make up our overall risk map level, we need to take actions that mitigate the highest risk factors to reach a minimal overall company risk posture. That is, how do we prioritize the mitigations proposed in Table 2.0 to deliver the highest risk value over time, with mitigations planned in a time-phased, resource-constrained environment? No risk map is complete until we both explicitly quantify the most critical mitigations and then plan their implementation, given limited resources and competing business objectives. We provide several mitigation activities for each method (many a combination of policy, process (and services), people and product (technology)). The ranking proposed and the actions needed will vary with the specific environment and company culture, yet the results still provide a traceable output from the requirements (methods and risks) to the actions needed (the prioritized mitigations). Regardless of organization or industry, this structured assessment process yields useful results, mapped back to a quantified basis and methodology (even though heuristic / holistic in nature).

The outcome of this risk assessment suggests that the major mitigations are: (A) effective secure backup (failure of, #1); (B) effective IAM (weak or unenforced policy, #5); (C) effective Next Generation AV (NGAV) / malware prevention (#7); (D) effective vulnerability management (poor patching / CMDB, #3); and (E) FW and application whitelisting (#4). (We again note that cyber awareness training is likely on most people's top five risk heat map; depending on how you score the risks in the table, your top risks will differ from this nominal example!)
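As an added example (not part of the paper), the PowerShell below computes the Table 2.0 scores, bands them, applies the heat-map rule of "above 12, top five" and aggregates an overall risk, so the arithmetic behind the MEDIUM result can be reproduced and re-run with your own values. The method rows carry the paper's notional numbers; the colour cut-offs in Get-RiskBand and the weights passed to Get-AggregateRisk are assumptions, since the paper defines neither.

```powershell
# Added example, not from the paper: reproduce Table 2.0 scoring, the heat-map
# shortlist and an aggregate risk. Likelihood (L) and Consequence (C) are the
# paper's notional values; colour cut-offs and weights are assumptions.

$methods = @(
    [pscustomobject]@{ Id = 1;  Method = 'Secure backup';           Posture = 'Average';  L = 4; C = 5 }
    [pscustomobject]@{ Id = 2;  Method = 'Phishing training';       Posture = 'Average';  L = 3; C = 4 }
    [pscustomobject]@{ Id = 3;  Method = 'Patching (ITAM/CMDB)';    Posture = 'Average';  L = 4; C = 4 }
    [pscustomobject]@{ Id = 4;  Method = 'FW and app rule sets';    Posture = 'Marginal'; L = 4; C = 4 }
    [pscustomobject]@{ Id = 5;  Method = 'IAM, users and PAM';      Posture = 'Average';  L = 4; C = 4 }
    [pscustomobject]@{ Id = 6;  Method = 'Email server / Exchange'; Posture = 'Average';  L = 3; C = 3 }
    [pscustomobject]@{ Id = 7;  Method = 'Next Gen AV';             Posture = 'Good';     L = 4; C = 5 }
    [pscustomobject]@{ Id = 8;  Method = 'Client / PC controls';    Posture = 'Average';  L = 3; C = 3 }
    [pscustomobject]@{ Id = 9;  Method = 'Browser control';         Posture = 'Marginal'; L = 3; C = 3 }
    [pscustomobject]@{ Id = 10; Method = 'Password policy';         Posture = 'Marginal'; L = 3; C = 4 }
    [pscustomobject]@{ Id = 11; Method = 'Security monitoring';     Posture = 'Good';     L = 2; C = 3 }
    [pscustomobject]@{ Id = 12; Method = 'IDS / IPS';               Posture = 'Average';  L = 2; C = 3 }
    [pscustomobject]@{ Id = 13; Method = 'Adobe Flash in use';      Posture = 'Average';  L = 2; C = 3 }
    [pscustomobject]@{ Id = 14; Method = 'Mobile security';         Posture = 'Average';  L = 3; C = 3 }
    [pscustomobject]@{ Id = 15; Method = 'MS macros';               Posture = 'Good';     L = 2; C = 3 }
    [pscustomobject]@{ Id = 16; Method = 'Application controls';    Posture = 'Marginal'; L = 3; C = 4 }
    [pscustomobject]@{ Id = 17; Method = 'Domain blocking';         Posture = 'Poor';     L = 3; C = 4 }
)

function Get-RiskBand {
    param([int]$Score)
    # Assumed cut-offs on the 1-25 scale (the paper colours cells but gives no thresholds).
    if     ($Score -ge 16) { 'Red' }
    elseif ($Score -ge 10) { 'Orange' }
    elseif ($Score -ge 5)  { 'Yellow' }
    else                   { 'Green' }
}

function Get-ScoredMethods {
    # One row per method: Risk = L x C, banded by colour.
    foreach ($m in $methods) {
        $risk = $m.L * $m.C
        [pscustomobject]@{
            Id = $m.Id; Method = $m.Method; Posture = $m.Posture
            Likelihood = $m.L; Consequence = $m.C; Risk = $risk; Band = (Get-RiskBand $risk)
        }
    }
}

function Get-HeatMapShortlist {
    param([int]$Above = 12, [int]$Top = 5)
    # The paper's rule for the leadership slide: methods scoring above 12, highest first, top five.
    Get-ScoredMethods | Where-Object { $_.Risk -gt $Above } |
        Sort-Object -Property Risk, Consequence -Descending | Select-Object -First $Top
}

function Get-AggregateRisk {
    param([hashtable]$Weights)
    # Weighted mean of L and of C over the chosen methods (Id -> weight), each rounded back
    # onto the 1-5 scale, then multiplied. With no weights, all 17 methods count equally.
    $scored = @(Get-ScoredMethods)
    if (-not $Weights) {
        $Weights = @{}
        foreach ($s in $scored) { $Weights[$s.Id] = 1 }
    }
    $total = ($Weights.Values | Measure-Object -Sum).Sum
    $l = 0.0; $c = 0.0
    foreach ($s in $scored) {
        if ($Weights.ContainsKey($s.Id)) {
            $l += $s.Likelihood  * $Weights[$s.Id] / $total
            $c += $s.Consequence * $Weights[$s.Id] / $total
        }
    }
    $lr = [int][math]::Round($l, [System.MidpointRounding]::AwayFromZero)
    $cr = [int][math]::Round($c, [System.MidpointRounding]::AwayFromZero)
    [pscustomobject]@{ Likelihood = $lr; Consequence = $cr; Risk = $lr * $cr; Band = (Get-RiskBand ($lr * $cr)) }
}

Get-ScoredMethods | Sort-Object Risk -Descending | Format-Table -AutoSize
Get-HeatMapShortlist | Format-Table Id, Method, Risk, Band -AutoSize
Get-AggregateRisk                                           # equal weights over all 17 methods
Get-AggregateRisk -Weights @{ 1 = 0.5; 2 = 0.25; 3 = 0.25 } # backup-heavy weighting (assumed)
```

With equal weights the averages round to Likelihood 3 and Consequence 4, reproducing the paper's 3 x 4 = 12; the shortlist is methods 1 and 7 (20) followed by 3, 4 and 5 (16), the same five the paper puts on the heat map. The backup-heavy weighting (0.5 on #1, 0.25 each on #2 and #3) rounds to 4 x 5 = 20 instead, which is the practical caveat: the aggregate is only as defensible as the weights you choose, so record them alongside the score.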

So what's next?

We need to tell our risk story to leadership in their language and make the point directly. So how do we distill the many complex factors, discussions and recommended mitigations (and their costs) above into a leadership level risk view for Ransomware? While the risk determination for all the methods tends to have complex and holistic effects, presenting that aggregate risk to leadership has to be clear and obvious. We suggest a 'risk heat map' format covering the major risk factors / vulnerabilities. This approach is especially useful when a briefer has minimal time to inform a non-technical audience about the status of the problem and the approach, following that slide with the next steps and any support needed. Heat maps come in several formats and types; the intent is to convey critical information quickly, showing both before and after views once key mitigations are in place. All your risks will then have the same visual impact too!


So how to now tell the overall risk story to leadership?

We take the previous key risks and develop the heat map (the lowest level you present depends on the company's risk appetite, as you can't overwhelm them with everything security wants to address)! If you have several top 'red / critical' risks, pick the top several to start the conversation, combining strongly related methods' risks where sensible. For this paper, we picked the methods below to demonstrate the risk heat map process.

---The problem statement and impact

Data is any company's greatest asset, both for its competitive business value and for the risk exposure it carries. Thus any company should specifically assess, monitor and track Ransomware risks and the required remediations to obtain the best risk value (impact reduction versus resources). One Ransomware attack can negatively impact the business, including potentially lost clients, reduced productivity and fines for inadequate compliance measures (and possibly lawsuits or punitive damages from lack of due diligence).

---Risk mitigation high level status:

Take the major 'methods' in the table with the higher residual risks (start with those scoring above 12) and call them out here. We use the top five:

A - 1 - Secure backup failure: "Red" (4 x 5 = 20)
B - 7 - Next Gen AV / malware protection: "Red" (4 x 5 = 20)
C - 5 - Identity and Access Management (IAM): "Red" (4 x 4 = 16)
D - 3 - Patching effectiveness - ITAM/CMDB: "Red" (4 x 4 = 16)
E - 4 - FW and application whitelisting: "Red" (4 x 4 = 16)

Then add a couple of specific concerns for each risk called out on the heat map slide (sometimes it is more direct to just state the actual vulnerability). We find it useful to mark (with a circle) risks that could cause brand / reputation damage, as those are especially critical to the organization's long term financial health; in this example, lack of a secure backup could cause that sort of damage. These concerns and vulnerabilities then need to be followed by a slide with the key mitigation / remediation activities needed to bring the risk down to some affordable 'risk value' level (proposed using the blue (or greyed out) levels in the heat map). That assumes the mitigations are adequately resourced with personnel, time and funding; the major mitigation tasks will most likely need to be formalized in some level of project to track the usual C/S/P elements (cost / schedule / performance), especially given competing organizational business priorities.

[Figure: Ransomware risk heat map slide, before and after mitigation]

Major remediation activities and key deliverables schedule (with any added costs highlighted):

Now that you have told leadership what the top risks are, what mitigation changes are needed to get them to their planned residual risk state? We suggest listing your top two mitigation actions for each risk, so as not to overwhelm management with details, and taking the opportunity to let leadership know where resources (money and people) are required. Show how your security strategy tasks are focused on risk reduction, given the requested resource availability and the overall department priority assigned (e.g., the current funding level plus any added cost, while potentially using existing personnel who have other prioritized tasks competing for their time).

Table 3.0

Task | Steps / activities | Deliverables (example)
A1 - Verify 'secure' storage in place | Update requirements; assess the as-is state and provide gaps; remediate risks; update processes | Plans Q1, implement Q2
A2 - Periodic testing, audit controls | Schedule restores periodically, assess for malware, use V&V processes, and check for covert channels; ensure effective data-at-rest encryption is in place (minimizes theft, public disclosure) | Plans Q1, implement Q2
B1 - Effectiveness of NGAV | Malware prevention is the top technical protection and will help minimize the risk in many other methods; assess the product status, including all OSes and devices using it | Plans Q1, implement Q2
B2 - Enterprise holistic coverage | It is not just end-point protection: assess the overall environment's malware lifecycle; include security tools, integrate into SIEM and SOC efforts, etc. | Plans Q1, implement Q2
C1 - IAM policy and processes | Update IAM policy to include users, insider threat aspects, PAM (including local admin rights), etc.; translate policy into IAM execution processes, use run books, etc. (requires $$$ for a tool) | Plans Q1, implement Q2
C2 - Monitor and audit IAM activities | Formalize an IAM audit / V&V process ("can't manage what you don't measure" applies to risk as well); integrate inputs from major sources: AD, Windows files, scans, security tools, etc. | Plans Q1, remediate Q2
D1 - Vulnerability management SOP | Within an overall threat and vulnerability management (VM) strategy, integrate and correlate the many VM sources to establish a vulnerability prioritization schema that feeds D2 | Plans Q1, implement Q2
D2 - ITAM / CMDB / release management | Develop an IMS CMDB process that integrates IT/Ops and security capability attributes and configuration items (CIs) and prioritizes patching for release management, including V&V | Plans Q1, implement Q2
E1 - Firewall rule sets | Develop FW requirements: FW whitelisting, URL and egress filtering; iterate the rule set (build the whitelist URL by URL as needed; keep the blacklist too as needed) | Plans Q1, implement Q2
E2 - Application rule sets | Develop application requirements: an application whitelisting plan (start in monitor mode, limit exceptions), ideally using code signing to enforce rules; develop PPSM rules for both apps and FW | Plans Q1, implement Q2


--Appendix--

Added support information, two tables below:

(Again, the status and exposure items are notional values to illustrate the process, not actual values of any company... insert yours here!)

Detailed client controls, Table 4.0

Method | Status | Weak areas / exposure | Comments / mitigations
Use HIPS (a host IPS) | No | Network IDS / security tools not optimally configured | Use a host IPS to complement the network IPS, at least on critical systems
Use anti-exploitation features | No | Addressed by other AV (Cylance, Carbon Black, etc.) | Consider enabling MS EMET
"Boot-proof" logon | Yes | Don't allow users to bypass logon scripts or start-up programs | Use BIOS settings to prevent booting from anything other than the hard drive, and password-protect the BIOS
Show file extensions | Yes | Lets the user see whether a file is an executable | Continue to block executables as email attachments
Consider disabling vssadmin.exe | No | Blocking vssadmin.exe (e.g., renaming it) stops ransomware from using it to delete shadow copies, but also blocks legitimate shadow-copy and file-versioning administration; if you do so, confirm your restore and backup tooling does not depend on it | Develop alternatives; show risk levels / utility for each
Windows FW is on | Yes | Windows FW is on for Public and Private connections (but not Domain connections; suggest turning it on for all connection types) | Test in a development environment, develop a residual risk level with options, then deploy
Disable Windows Script Host | No | Would require testing, could impact applications | Test in a development environment, develop a residual risk level with options, then deploy
Disable Windows PowerShell | No | PS should be disabled; only a small percentage of the company uses PS | Test in a development environment, develop a residual risk level with options, then deploy
Switch off unused wireless | No | Would require some user education if unused wireless were disabled; some systems have physical switches, others can be disabled via software | Minimizes remote connections unless the user actively turns them on; provide user training on the process for activating a wireless connection
Deactivate AutoPlay | Yes | Disabled due to a previous autorun attack | Validate the setting is still disabled (new systems may have it enabled)
Monitor for host profile changes | Some | Use the Microsoft SCCM host profile compliance feature | Actively monitor centralized host log files
GPO settings | Some | Mitigate stealing passwords from memory (mimikatz) | Updating to Windows 8 or 10 makes this much more effective
Windows Remote Desktop Protocol (RDP) - lock down | Server only | For example, Crysis malware uses compromised credentials to reach RDP-enabled computers | A common threat vector; strictly identify uses and control it in your environment
Limit shared folders | Some | Compartmentalize as much as possible; disable files running from AppData / LocalAppData folders | Minimizes the spread of malware, especially via network drives
Minimum security baseline (MSB) | In work | Quantifies the security configuration items to set and manage a client profile (includes the above items as a start, and others as tailored for your environment) | Documented MSB for PCs, laptops, etc., including Windows and Linux; use it to develop a client profile which is then periodically assessed
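As an added example (not from the paper, and not any organisation's MSB), the PowerShell below reads the live state of several Table 4.0 controls from the registry and the firewall configuration and reports each against an expected value, which is the "periodically verify the client security profile" step in practice. The registry locations are standard Windows settings; which controls to check and what counts as a pass are this example's assumptions. It needs Windows 8 / Server 2012 or later for Get-NetFirewallProfile and should be run from an elevated PowerShell.

```powershell
# Added example, not from the paper: audit a handful of Table 4.0 client
# controls on the local machine. Registry paths are standard Windows settings;
# the control list and pass rules are assumptions to adapt to your own MSB.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent; absent usually means the default, i.e. not hardened.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-DisabledFirewallProfiles {
    # Comma-separated names of profiles whose firewall is not enabled ('' when all three are on).
    try {
        (Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } |
            Select-Object -ExpandProperty Name) -join ','
    } catch { 'unavailable' }
}

function Get-ClientControlStatus {
    $checks = @(
        @{ Control = 'AutoPlay disabled for all drive types (NoDriveTypeAutoRun = 255)'
           Actual  = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
           Expect  = { param($v) $v -eq 255 } }
        @{ Control = 'File extensions shown for the current user (HideFileExt = 0)'
           Actual  = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt'
           Expect  = { param($v) $v -eq 0 } }
        @{ Control = 'Windows Script Host disabled (Enabled = 0)'
           Actual  = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
           Expect  = { param($v) $v -eq 0 } }
        @{ Control = 'WDigest plaintext credential caching off (UseLogonCredential = 0, mimikatz mitigation)'
           Actual  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
           Expect  = { param($v) $v -eq 0 } }
        @{ Control = 'RDP connections denied on workstations (fDenyTSConnections = 1)'
           Actual  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
           Expect  = { param($v) $v -eq 1 } }
        @{ Control = 'PowerShell execution policy not Unrestricted or Bypass'
           Actual  = (Get-ExecutionPolicy).ToString()
           Expect  = { param($v) $v -notin @('Unrestricted', 'Bypass') } }
        @{ Control = 'Windows Firewall enabled on Domain, Private and Public profiles'
           Actual  = Get-DisabledFirewallProfiles
           Expect  = { param($v) $v -eq '' } }
    )
    foreach ($chk in $checks) {
        # Show absent values explicitly; they still evaluate as a failed check.
        $actual = if ($null -eq $chk.Actual) { '<not set>' } else { $chk.Actual }
        [pscustomobject]@{
            Control = $chk.Control
            Actual  = $actual
            Pass    = [bool](& $chk.Expect $chk.Actual)
        }
    }
}

Get-ClientControlStatus | Format-Table -AutoSize -Wrap
```

Expect the RDP check to fail on servers where RDP is intentionally enabled, which matches the table's "Server only" status; the point is to see the deviation, not to force one answer. Two caveats for the "disable PowerShell" row: the execution policy is a safety feature rather than a security boundary (a user or malware can bypass it), so that row is better realized with AppLocker rules or Constrained Language Mode plus script block logging, and a script like this one is exactly the kind of administrative use that still has to be allowed.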

Additional client secure set-up references:

https://www.gov.uk/government/publications/end-user-devices-security-guidance-windows-81/end-user-devices-security-guidance-windows-81
http://www.dss.mil/documents/odaa/ODAA_Baseline_Tech_Security_Configurations_Win7-2K8.pdf
http://www.asd.gov.au/publications/protect/Hardening_Win8.pdf
http://iasecontent.disa.mil/stigs/zip/July2015/U_MicrosoftOfficeSystem2010_V1R10_STIG.zip
https://www.sans.org/reading-room/whitepapers/basics/managing-desktop-security-520
http://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/

Risk conditions - mitigation methods, Table 5.0

Method | Best practices

Secure backup:
https://blogs.mcafee.com/business/security-connected/backup-security-best-practices/
http://www.zmanda.com/backup-security.html
http://www.oracle.com/technetwork/products/secure-backup/overview/osb-openworld2012-1930151.pdf

Phishing training:
https://dsimg.ubm-us.net/envelope/357963/374353/1429543955_Best_Practices_for_Dealing_with_Phishing_and_NextGeneration_Malware_ThreatTrack_Security.pdf
http://docs.apwg.org/sponsors_technical_papers/Anti-Phishing_Best_Practices_for_Institutions_Consumer0904.pdf

Patching / ITAM/CMDB:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf
https://www.sans.org/reading-room/whitepapers/bestprac/practical-methodology-implementing-patch-management-process-1206

IP / application whitelisting:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf
http://mobile.esecurityplanet.com/malware/whitelisting-why-and-how-it-works.html
http://resources.infosecinstitute.com/top-10-common-misconceptions-application-whitelisting/

IAM - lock down end user devices:
http://www.pcworld.com/article/114727/article.html
http://www.pcworld.com/article/2025897/a-road-warriors-guide-to-locking-down-your-laptop.html
http://windowsitpro.com/security/10-steps-lock-down-desktops

Email server / Exchange:
https://technet.microsoft.com/en-us/library/bb691338(v=exchg.141).aspx
https://support.rackspace.com/white-paper/email-security-best-practices-and-avoiding-downtime/

Effective Next Gen anti-virus product: Use both a client and a network product, from different vendors. One should be anomaly based rather than signature based (or both combined). Consider cloud based AV file reputation services.
http://www.pcmag.com/article2/0,2817,2372364,00.asp
http://www.pcworld.com/article/2974465/software-security/the-quick-and-easy-way-to-find-the-best-antivirus-software.html
https://isc.sans.edu/forums/diary/Using+File+Entropy+to+Identify+Ransomwared+Files/21351/

Client / PC controls set-up: See the appendix on detailed client controls above (Table 4.0).

Internet browser control:
https://heimdalsecurity.com/blog/ultimate-guide-secure-online-browsing/
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/380013/Browser_Security_Guidance_-_Microsoft_Internet_Explorer.pdf
https://isc.sans.edu/forums/diary/Controlling+JavaScript+Malware+Before+it+Runs/21171/

Password policy and enforcement:
https://www.sans.org/security-resources/policies/general/pdf/password-protection-policy
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf (note: dated / retired, but still a good reference)

Security monitoring: Use a SIEM to detect abnormal events and behaviors.
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24830/en_US/siem_best_practices_guide.pdf
https://www.sans.org/reading-room/whitepapers/auditing/successful-siem-log-management-strategies-audit-compliance-33528

Using an IPS:
https://www.sans.org/reading-room/whitepapers/intrusion/network-ids-ips-deployment-strategies-2143
http://www.cisco.com/c/dam/en/us/products/collateral/security/ios-intrusion-prevention-system-ips/IOS_IPS_Best_Practices.pdf
https://www.wickhill.com/products/vendors/download/657/Best-practices-for-deploying-IPS

Adobe Flash / Reader:
https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/Acrobat_Enhanced_Security_FAQ.pdf

Mobile security: See the mobile security paper, recommended controls (items A-F at the end).
http://www.sciap.org/blog1/wp-content/uploads/Mobile-Security-paper-draft.pdf
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf

MS "macro" / hardening:
http://www.asd.gov.au/publications/protect/Hardening_MS_Office_2013.pdf
Note that Office 2016 has much more granular group policy controls; it can apply different controls to your personal files and to your corporation's files.

Application controls:
https://isc.sans.edu/forums/diary/A+Wall+Against+Cryptowall+Some+Tips+for+Preventing+Ransomware/20821/

Domain blocking (black hole DNS sinkhole):
http://www.malwaredomains.com/?cat=6
http://mirror1.malwaredomains.com/files/BOOT