Uploaded by: eduardo-chavarro
Who are we?
CSIETE is a private, neutral, nonprofit company that researches, offers specialised services and gives training in digital security to enterprises, communities and civilians.
Summary
• Why to triage?
• LATAM risk assessment
• Global trend
• Practical Incident Response: how to.
• Triage for Ransomware, is it necessary?
• Incident Response / Digital Forensics
• Malware Triage
• A malware reversing history
• A dynamic / static analysis show
• So what's the best, who and when?
Incident Response / Digital Forensics
Multidisciplinary profession that focuses on identifying, investigating, and remediating computer network exploitation. This can take varied forms and involves a wide variety of skills, kinds of attackers, and kinds of targets.
You'll need the following traits (not all, but at least a majority of them):
• Curiosity
• Attention to Detail
• A Need for Variety
• Working with People
• An Affinity for Stress
Scott J. Roberts, "Introduction to DFIR"
A malware reversing history
• Lexsi Security Hub
• Abusing bugs in the Locky ransomware to create a vaccine
• Locky, an aggressive victim-hunting campaign all around the globe.
• Update 1, update 2, but not enough.
Abusing bugs in the Locky ransomware to create a vaccine
Locky checks the system language and doesn't infect systems configured in Russian.
Sylvain Sarméjeanne, March 2016, Lexsi Security Hub
Abusing bugs in the Locky ransomware to create a vaccine
Locky tries to create the HKCU\Software\Locky registry key; if that fails for any reason, Locky immediately terminates.
Sylvain Sarméjeanne, March 2016, Lexsi Security Hub
When to reverse?
• APT identified
• 0day or special deployment system
• Shared key embedded into the code, or the encrypting function is reversible.
• When you can do it.
Sylvain Sarméjeanne, March 2016, Lexsi Security Hub
A dynamic / static analysis show
• Online, host-based tools.
• Malware analysis distributions.
• Easier than reversing.
• Not all, but maybe enough.
• Complementary tools.
So, what's the best (who / when)
• Who: Reversing: exploiter / reverse engineer, security consultant, researchers. Dynamic/static analysis: *.* (anyone).
• When: Reversing: APT advertised, 0day used to deploy / privilege escalation, targeted attack. Dynamic/static analysis: *.* (any incident).
Why to Triage
• Determine the risk, exposure and controls.
• Because you have to:
  • Malware samples: easier to create than ever
  • Spreading fast: less than 2 minutes from release to infection
  • New malware: exploiting old vulnerabilities, especially SE.
Trend Micro, June 2015: "Malware: 1 million new threats emerging daily"
Triage for Ransomware, is it necessary?
Ondrej Kubovič, "Beyond TeslaCrypt: Crysis family lays claim to parts of its territory", June 2016.
Triage for Ransomware, is it necessary?
But, just in case, this is the way we attend ransomware incidents:
• Isolate the affected device.
• Identify the principal samples related to the malware:
  • Ransom note
  • Sample encrypted file
  • Originating malware
• Identify the ransomware.
• Analyze as many of the files as possible, to be sure which type of ransomware has affected your system.
• Look for possible ransomware decrypting tools.
• Cross your fingers and check the tools.
• Remember the red lines when we told you "Prevent, don't react"? Well, maybe it's time to do it.
"Prevent, don't react":
• Invest in security tools: AV / anti-malware.
• Create secure backups, and save them in external storage systems. Remember to back up your data at regular intervals.
• Educate the users in your organization.
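The artifact-collection steps above (gather the ransom note and a sample encrypted file, then identify the family, usually by looking the hashes up) can be scripted so the first responder works from a consistent inventory instead of browsing the disk by hand. The following Python script is an added example; it is not part of the original presentation and not CSIETE tooling. The ransom-note name keywords, the entropy threshold of 7.0 bits/byte, the double-extension heuristic and the three sample files it builds in a temporary directory are all constructed assumptions, not indicators taken from any real family.

```python
import hashlib
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed heuristics (assumptions, not family-specific indicators):
# ransom notes are usually small text/HTML files whose names invite the
# victim to "recover" or "decrypt" their data.
NOTE_NAME_RE = re.compile(r"(recover|decrypt|restore|readme|help|instruction|ransom)", re.I)
NOTE_EXTS = {".txt", ".html", ".htm", ".hta"}
HIGH_ENTROPY = 7.0  # bits per byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_of(path: Path) -> str:
    """Streaming SHA-256, so large encrypted files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path) -> str:
    """Return 'ransom_note', 'encrypted_sample' or 'other' for one file."""
    if path.suffix.lower() in NOTE_EXTS and NOTE_NAME_RE.search(path.stem):
        return "ransom_note"
    # Encrypted user files commonly keep their original extension plus a new
    # one ("report.docx.<ext>") and have near-maximal entropy. Either signal
    # alone produces false positives (ZIPs, JPEGs); both together are useful.
    double_ext = len(path.suffixes) >= 2
    if double_ext and shannon_entropy(path.read_bytes()) >= HIGH_ENTROPY:
        return "encrypted_sample"
    return "other"


def triage_directory(root) -> dict:
    """Inventory the artifacts the procedure asks for, with hashes for lookup."""
    result = {"ransom_notes": [], "encrypted_samples": [], "other": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        entry = {
            "path": str(path.relative_to(root)),
            "sha256": sha256_of(path),
            "size": path.stat().st_size,
        }
        kind = classify(path)
        if kind == "encrypted_sample":
            entry["entropy"] = round(shannon_entropy(path.read_bytes()), 2)
            entry["extension"] = path.suffix
        result[kind + "s" if kind != "other" else "other"].append(entry)
    return result


def build_sample_tree() -> str:
    """Constructed test data: one note, one encrypted-looking file, one clean file."""
    root = tempfile.mkdtemp(prefix="triage_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "HOW_TO_RECOVER_FILES.txt").write_text("Your files are encrypted. (constructed note)\n")
    # os.urandom stands in for ciphertext: no real sample is needed to exercise the logic.
    (docs / "report.docx.zzz").write_bytes(os.urandom(4096))
    (docs / "notes.txt").write_text("Meeting notes, nothing unusual here.\n" * 50)
    return root


if __name__ == "__main__":
    summary = triage_directory(build_sample_tree())
    for kind, entries in summary.items():
        print(kind)
        for e in entries:
            print("  ", e)
```

The script covers the first two artifacts only; the originating malware (the dropper that arrived by mail or download) normally has to be recovered from the mail store, browser cache or temp folders, and its hash then goes to the same lookup that identifies the family. Run it against a copy of the isolated host's data, never the live machine, so the inventory itself does not alter timestamps that forensics may need later.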
Thank you very much (Muito Obrigado)