© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
John Fokker - Digital Team Coordinator, NHTCU
Raj Samani, Intel
Ben Potter – Security Consultant, AWS
November 30, 2016
SAC327
No More Ransom! How Europol, the Dutch Police, and AWS
Are Helping Millions Deal with Cybercrime
What to Expect from the Session
1. Better understanding of the threat to our digital society
2. How the No More Ransom initiative can help you
3. Architecting a website for scale and security
Healthcare – Ransomware Attacks
• Hospital’s network down for more than a week
• Systems for CT scans and others impacted
• Email, patient files, and other data encrypted
• Staff went back to fax machines for communication
• Hospital pays $17,000 USD ransom to get data back
• They were not the only hospital hit by ransomware
The following slides contain strong language
How it Often Starts….
And then….
Ransom negotiations
Victim: Please send me the key. I have a small business. This way I go bankrupt…….. I won't contact the police. You have till tonight 0:00. After that I will turn to Interpol. So win-win send me the decryption key.
Criminal: LOL
we can do 0.3 bitcoins if you agree no reason
we don’t target specific people
we don’t bow to threats
we can do 0.3 btc lowest
Ransom negotiations
Victim: I lost six years of photos of my children and all documents of my study
Criminal: OK, just pay 0,6 bitcoin and you’ll get your files.
Victim: May your children be cursed and I hope they have diseases in their miserable lives.
Criminal: OK
Police reports
• 49 campaign code identifiers
• 406,887 attempted infections of CryptoWall version 3
• Estimated $631 million (USD) in damages
• 4,046 malware samples
• 839 command and control URLs
• 5 second-tier IP addresses used for command and control
CyberThreat Alliance
Fightback Begins
Demystifying the Problem
Take Down Pipeline
July 25, 2016: Shade ransomware
July 28, 2016: Chimera ransomware
August 23, 2016: Wildfire ransomware
So far so good.
Another New Option
Option A – Pay the bad guys
Option B – Lose your data
Option C – _______
Decryption Tools
Healthcare Targeted
January, February 2016
• Titus Med Care, Texas, USA: Alphacrypt Ransomware
• Berkshire HS, Massachusetts, USA: Ransomware
• Multiple Hospitals, North Rhine, Germany: Ransomware
• Two Hospitals, Melbourne, Australia: Obot & Ransomware
• Royal Berkshire Hospital, United Kingdom: Ransomware
• Whanganui Hospital Korea: Locky Ransomware
Systematic
Fightback Continues
• 45.00 BTC
• 40.00 BTC
• 21.94 BTC
• 22.00 BTC
• 22.00 BTC
• 40.00 BTC
$100,000.00
so far…...
Details of case: https://blogs.mcafee.com/mcafee-labs/targeted-ransomware-no-longer-future-threat/
Analysis of Bitcoin Wallets
Prevention
• Quickly install security updates
• Ensure updated security software is installed
• Implement a robust backup and recovery strategy
• Conduct employee training
Let AWS Handle the IT Infrastructure
AWS Marketplace: quickly provision the resources needed
– Tasked with setting up a highly visible and targeted web portal in roughly two weeks.
Security – AWS cloud infrastructure architected to be one of the most secure cloud environments available today.
Elasticity – Instantly scale up or down based on demand.
– Before launch – Best guess of number of visitors: 12,000/day
– Day of launch – 2.6 m visitors
NoMoreRansom.Org Edge Architecture
[Architecture diagram. Labels: Amazon S3 (Content Hosting), Amazon CloudFront (Failover Site), AWS WAF, Amazon Route 53 (Failover health check), The Internet, Amazon CloudFront (Primary Site), Amazon S3 (Content Hosting), AWS WAF, Amazon Route 53 (Latency Routing), Multiple Regions, Barracuda Firewall, Amazon EC2, Amazon VPC]
NoMoreRansom.Org Regional Architecture
[Architecture diagram. Labels: Barracuda WAF, AWS Lambda Functions, Amazon Redshift (Data Warehouse), Amazon Elasticsearch Service (Log Analytics), Edge Locations, Elastic Load Balancing, Elastic Load Balancing, AWS Elastic Beanstalk, Amazon API Gateway]
Security
• 51K attacks reported by Barracuda post-launch
• Attacks range from standard DDoS assaults to more exotic attacks on portions of the infrastructure
• 1 million+ attack requests went through VPN systems to mask their true origin
• NoMoreRansom.org is still up and operating well; it has never been brought down by attackers
Recommendations
• Review the scale-up time of AMIs
• Review the impact of technical choices: look for ways to automate
• Explore scenarios thoroughly with your client to ensure happiness
• Build a trusted relationship with your partners
Take Away: Complexity
• Strive for simplicity
• De-couple technology dependencies
• The most complicated aspect of the solution is the log parsing and analytics system, which is being fine-tuned
• The second most complex aspect is global co-ordination of multiple stakeholders and technical staff
Take Away: Reduce Attack Surface of Web Application
• Not every system can or should use server-less architecture
• Every system needs to maintain a high security stance
• Regardless of the type of request, return a success message
programmatically to fool automated attack systems
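
The last bullet above, sketched as an added example (not code from the talk or from the NoMoreRansom.org site): a handler that validates each request, keeps the real verdict in server-side logs, and returns one fixed success response either way. The event shape follows an API Gateway proxy-style request; the field names, size limit and `ACCEPTED` stand-in backend are assumptions.

```python
import json
import logging

log = logging.getLogger("portal")

# Hypothetical form schema and size limit (assumptions, not from the talk).
REQUIRED_FIELDS = {"name", "email", "message"}
MAX_BODY_BYTES = 4096
ACCEPTED = []  # stand-in for the real backend queue

# One fixed response for every caller: status, headers and body carry no signal.
UNIFORM_RESPONSE = {
    "statusCode": 200,
    "headers": {"Content-Type": "application/json", "Cache-Control": "no-store"},
    "body": json.dumps({"status": "ok"}),
}


def classify(event):
    """Return (reason, data); data is None unless the request is valid."""
    if event.get("httpMethod") != "POST":
        return "unexpected_method", None
    body = event.get("body")
    if not isinstance(body, str):
        return "missing_body", None
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        return "oversized_body", None
    try:
        data = json.loads(body)
    except ValueError:
        return "malformed_json", None
    if not isinstance(data, dict) or set(data) != REQUIRED_FIELDS:
        return "unexpected_fields", None
    if not all(isinstance(v, str) for v in data.values()):
        return "non_string_value", None
    return "accepted", data


def handler(event, context=None):
    reason, data = classify(event)
    ip = event.get("requestContext", {}).get("identity", {}).get("sourceIp", "-")
    # The real outcome goes to the log pipeline for analytics, never to the client.
    log.info(json.dumps({"reason": reason, "source_ip": ip}))
    if data is not None:
        ACCEPTED.append(data)
    return dict(UNIFORM_RESPONSE)
```

Response timing and downstream side effects can still differ between the accepted and rejected paths, so the fixed body removes only the in-band signal.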
The Journey Begins Here
Unauthorized packets are sent
Malware created in car as
communication gateway
Exposes OBU and starts sending many
bad packets
Creates malware on the ADAS
Sends a super-packet
The car is destroyed
OBU
Home Enterprise Web OEM Roadside
Audio/Video Telematics Diagnostics ADAS
Thank you!
Visit the Barracuda Booth and
request AWS Credits to Start a
FREE Trial on AWS Marketplace
Twitter: @Raj_Samani