lift off 2017: ransomware and ir overview
TRANSCRIPT
Ismael Valenzuela, Global Director of Foundstone Consulting/Incident Response, Intel Security
Ismael Valenzuela, GSE #132 – Global Director, Foundstone Consulting Services
Prediction 2017: I survived a ransomware attack in my cloud! www.mcafee.com/ransomware
Fast Forward To Sometime Later this Year…
A Hypothetical Scenario: Targeted Ransomware Attacks in the Cloud
[Diagram labels: Cloud Services, Local Data Center, Watering Hole, Victim]
Today’s Questions…
• Are we really far from this?
• How can we pre-empt, contain and mitigate these attacks?
• What can we learn from the trenches, and how can we apply it to cloud-based attacks?
I don't know who you are. I don't know what you want.
If you are looking for ransom, I can tell you I don't have money. But what I do have are a very particular set of skills…
…skills that make me a nightmare for people like you.
– Taken (2008)
A Day in the Life of a Cyber Incident Responder
My 15+ year Career in CyberSecurity
Twitter: @aboutsecurity
Computer Geek (Linux User)
PenTester (Shell Rockstar)
Forensicator, IR & Threat Researcher (Sleep Deprivation)
Intel Security Speaker & SANS Instructor (lots of Photoshop)
We’ve Been on a Few of These…
Hundreds of cases in the last few years, many involving ransomware
The threat landscape keeps evolving, over and over again…
How Would You Run Your Organization Without Computers?
What the media is not telling you:
– Attackers have been burning down the house as they walked out of the door
  • Saudi Aramco (2012)
  • South Korea (2013)
  • Sony (2014)
  • Many other unpublicized ones in 2014 & 2015
• What has been the trend in the last year?
• And more importantly, what can we expect going forward?
Targeted Ransomware: No Longer a Future Threat
• First campaign observed by Intel Security against the financial sector of a particular country
• Early in 2016 we observed a new widespread campaign affecting healthcare organizations, this time with a new modus operandi:
  • Attackers exploited vulnerable Internet-facing servers through an unpatched vulnerability
  • Used Sysinternals and open-source tools to harvest AD details and move laterally
  • Executed the malicious payload (samsam.exe) manually on multiple Windows systems, deleting original files and backups
https://blogs.mcafee.com/mcafee-labs/targeted-ransomware-no-longer-future-threat/
Why Ransomware?
Why Has Ransomware Such Strong Growth?
• Explosive growth in unique samples
• Toolkits (ransomware builders) make it easy for amateurs to create malware and earn extra money
• Source code for ransomware publicly available
• Polymorphic techniques obfuscate each sample, leaving signature-based detection with little to recognize
[Chart: unique ransomware samples, 2010 to 2016]
CryptoWall v3 (Cyber Threat Alliance)
• 49 campaign code identifiers
• 406,887 attempted infections of CryptoWall version 3
• Estimated $631 million (USD) in damages
• 4,046 malware samples
• 839 command and control URLs
• 5 second-tier IP addresses used for command and control
Who’s Behind Ransomware Attacks?
Wannabe, Affiliate, Organized Crime
What is The Impact of a Ransomware Attack?
February 5, 2016: Media report that Hollywood Presbyterian Medical Center has become the victim of a ransomware attack. Original reports state that staff cannot access the network and that a large ransom is required to regain access to their systems.
What is The Impact of a Ransomware Attack?
February 16, 2016: After days without access to their electronic medical records, email and other systems, Hollywood Presbyterian Medical Center pays $17,000 to the hackers.
Where Next?

You are in Canada? I have been researching about ransomware some, and I had the impression it all came from Russia. Interesting. Is this your main source of income? Midnight on 24th by what time zone?

So I can handle it, and you don’t have any more issues. As far as your income question … I don’t even know how you got it. We are hired by corporation to cyber disrupt day-to-day business of their competition. Never have we done anything in Finland, and, since you seem like an individual that got the wrong email to open, I am trying to keep it at the minimum.

Interesting. So that’s why the ransom is so low—because you are already getting paid by the corporation, so you are mostly interested in disrupting the business rather than making a lot of money off the ransom? That’s crazy. Is it like a legitimate corporation, and is it well-known? I will try to find an open R-Kioski or Siwa, although it might be tough with the holiday weekend. Paysafe seems like the easiest way for me.
Why Cloud?
IT’s Top Challenges for Hybrid Datacenter Security
Lack of visibility into all computing resources on-premises and off-premises
• Incomplete visibility into all workloads and data due to Shadow IT and the growth of public and private clouds
Difficulty detecting breaches and remediating any damage that may have occurred
• IT needs to assume that hackers do get through
Lack of unified management and reporting across the entire infrastructure and data
• Cloud infrastructure which isn’t owned nor managed by the business
• Workloads and corporate data in the public cloud
Ransomware & Cloud Services
• “Children In Film” case (reported by Brian Krebs in Jan 2016)*
• The company’s operations run off application cloud services, from QuickBooks to Microsoft Office and Outlook.
• Employees use Citrix to connect to the cloud, mapping the cloud drive as a local disk.
• One email, and 30 minutes later, 4,000+ files encrypted
* http://krebsonsecurity.com/2016/01/ransomware-a-threat-to-cloud-services-too/
Top Exposures Resulting in Cloud Tenant Breaches
1. Internet Exposed RDP or SSH Endpoints
2. Virtual Machine Missing Security Patches
3. Web Application Vulnerability
4. Weak Admin/Co-Admin Credentials
5. Unrestricted SQL Endpoint
6. Storage Key Disclosure
7. Insufficient Security Monitoring
Source: Mark Russinovich (CTO, Microsoft Azure): https://twitter.com/markrussinovich/status/591277863644434432
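Exposures #1 and #5 above are the ones a tenant can check for itself before an attacker does. The script below is an added example, not code from the deck or from Microsoft: it audits a constructed, simplified security-group rule set (the field names and the "first matching rule by priority wins, implicit deny at the end" semantics are a hypothetical stand-in for an Azure NSG or AWS security group) and reports high-risk ports that an arbitrary Internet host can reach. Allows from a specific source range are treated as intentional allow-lists and are not flagged; a Deny at a higher priority correctly shadows a later Allow, and a wide port range that happens to cover a management port is caught.

```python
"""Audit inbound security-group rules for Internet-exposed RDP/SSH/SQL endpoints.

Added example, not from the original deck. The rule schema is a hypothetical
simplification: lower priority number is evaluated first, the first matching
rule decides, and anything unmatched is implicitly denied.
"""
import ipaddress

# Destination ports whose Internet exposure maps to exposures #1 and #5 above
HIGH_RISK_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}


def port_range(spec):
    """'3389' -> (3389, 3389); '1000-4000' -> (1000, 4000); '*' -> (0, 65535)."""
    if spec == "*":
        return 0, 65535
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    return int(spec), int(spec)


def admits_internet(source):
    """True if the source matches any Internet address: a wildcard token or a /0 prefix."""
    if source in ("*", "Internet", "any"):
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # service tags such as 'VirtualNetwork' are not the Internet


def matches_internet_probe(rule, port):
    """Would this rule be hit by TCP traffic from an arbitrary Internet host to `port`?"""
    lo, hi = port_range(rule["dest_port"])
    return (rule["direction"].lower() == "inbound"
            and rule["protocol"].lower() in ("tcp", "*", "any")
            and lo <= port <= hi
            and admits_internet(rule["source"]))


def find_exposures(rules):
    """Return [(rule_name, service, port)] for high-risk ports reachable from the Internet."""
    ordered = sorted(rules, key=lambda r: r["priority"])  # lower number = evaluated first
    findings = []
    for port, service in sorted(HIGH_RISK_PORTS.items()):
        for rule in ordered:
            if matches_internet_probe(rule, port):
                # First match decides; a Deny here shadows any later Allow for this port
                if rule["access"].lower() == "allow":
                    findings.append((rule["name"], service, port))
                break
    return findings


# Constructed rule set (hypothetical): a shadowed allow, an allow-listed bastion,
# a world-open SQL port and a management range that silently covers MySQL.
SAMPLE_RULES = [
    {"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "source": "*", "dest_port": "3389"},
    {"name": "allow-ssh-bastion", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "203.0.113.0/24", "dest_port": "22"},
    {"name": "allow-sql-world", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "source": "0.0.0.0/0", "dest_port": "1433"},
    {"name": "allow-mgmt-range", "priority": 130, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "*", "dest_port": "1000-4000"},
    {"name": "allow-rdp-any", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "*", "dest_port": "3389"},   # shadowed by priority 100
    {"name": "allow-outbound", "priority": 300, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "source": "*", "dest_port": "*"},
]

if __name__ == "__main__":
    for name, service, port in find_exposures(SAMPLE_RULES):
        print(f"EXPOSED: {service}/{port} allowed from the Internet by rule '{name}'")
```

Run against the sample set it reports MSSQL (rule allow-sql-world) and MySQL (caught by the 1000-4000 range), while RDP stays quiet only because of the explicit Deny at priority 100; drop that rule and RDP is reported, attributed to the management range rather than to the obvious allow-rdp-any rule, which is exactly the kind of exposure a manual review misses.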
What If The Target is Not the Tenant, but The Host?
What if an attacker is able to compromise the cloud service provider: take advantage of a vulnerability in the provider’s platform/infrastructure, then encrypt and hold hostage the data of 2,000 customers?
Is This a Lost Battle?
It’s time to REDEFINE the game
Adversaries are dominant, and this will not change
• And they are already IN, in case you didn’t notice it
Therefore, winning requires a ‘new definition’, a new security paradigm, focused on preventing the attacker’s success.
Yes, YOU WIN every time you prevent the attacker from achieving their goal, whatever it is: data exfiltration, holding data hostage, etc.
New game RULES:
1. Detecting attacker activity toward the end goal
2. Preventing their success
If they don’t win, YOU WIN!
“The Upstream Story”
Root Cause: Going Upstream – Lessons Learnt from the Trenches
• Victims had flat networks for the most part (no segmentation/segregation), and many open shares
• No whitelisting / application control
• Deployed security technology is mostly ‘preventive’ and in default mode (block & forget)
• Little or no capabilities to automate the response
• No ability to ‘hunt’ for indicators of compromise or indicators of attack (IOCs / IOAs)
• Unpatched and legacy systems, including Internet-facing systems on the DMZ
• Little or no IR plans in place (never tested/rehearsed)
Effective Strategies to Fight Ransomware
www.mcafee.com/ransomware
Consider the Cloud an extension of your Data Center
Identify your Crown Jewels and Focus on Impact
Do you know where attackers will attempt to pivot? Start with something actionable:
• Create a list of prioritized defended assets: domain controllers, mail servers, network infrastructure devices, databases…
• Once you have identified your crown jewels, determine who should access them and how.
• Associate pre-approved IR actions with them: blocking ports, blackholing traffic, disabling accounts, isolating the system, scanning for vulnerabilities, etc.
• Focus not only on prevention but also on detecting and reacting to attacks against critical assets
Adaptive Security Model
Adapting: Turning Information into Actionable Intelligence! Applied integration, automation, and intelligence
• Detect – Identify anomalous, outlier behavior; integrate network and endpoint detection; use sandboxes to inspect “grey” files
• Protect – Patch management; tune endpoint access protection rules; leverage cloud intelligence for signatures and reputation; limit unknown processes
• Adapt – Apply insights immediately throughout a collaborative infrastructure
• Correct – Automate triage and response to provide prioritization and fluid investigation; frequent (tested) backups
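“Frequent (tested) backups” is the step most victims discover they skipped: in the SamSam case earlier in this deck the backups reachable from the compromised hosts were deleted along with the originals. The script below is an added example, not part of the deck, of what “tested” should mean in practice: a restore drill that times the restore against the Recovery Time Objective and verifies every restored file against a SHA-256 manifest that was taken before the incident and kept away from the backup volume. The scenario, file names and the 4-hour RTO are constructed; the restore step is a plain directory copy standing in for the real restore command.

```python
"""Backup restore drill: time a restore against the RTO and verify it against an
offline manifest. Added example, not from the original deck; scenario is constructed."""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's relative path to its SHA-256.
    Keep this OUTSIDE the backup volume (write-once media, a separate account):
    ransomware that reaches the backup share can rewrite hashes stored beside the data."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root, manifest):
    """Classify every manifest entry as ok, missing, or mismatched (altered/encrypted)."""
    restored_root = Path(restored_root)
    result = {"ok": [], "missing": [], "mismatched": []}
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["mismatched"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def restore_drill(backup_root, restore_root, manifest, rto_seconds):
    """Run the restore (here a plain copy; swap in the real restore command), time it,
    verify it, and decide whether the backup is actually usable within the RTO."""
    start = time.monotonic()
    shutil.copytree(backup_root, restore_root)
    elapsed = time.monotonic() - start
    result = verify_restore(restore_root, manifest)
    result["elapsed_seconds"] = elapsed
    result["within_rto"] = elapsed <= rto_seconds
    result["usable"] = (result["within_rto"]
                        and not result["missing"] and not result["mismatched"])
    return result


def run_demo():
    """Constructed scenario: three crown-jewel files, a manifest taken before the incident,
    then an attacker who reaches the backup share encrypts one file in place and deletes another."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live, backup, restore = tmp / "live", tmp / "backup", tmp / "restore"
        live.mkdir()
        (live / "ledger.db").write_bytes(b"account,balance\n1001,250\n")
        (live / "patients.csv").write_bytes(b"id,name\n7,Doe\n")
        (live / "dc_config.txt").write_bytes(b"domain=corp.local\n")
        manifest = build_manifest(live)                   # stored off the backup volume
        shutil.copytree(live, backup)                     # the nightly backup
        (backup / "ledger.db").write_bytes(os.urandom(64))  # encrypted in place by the attacker
        (backup / "patients.csv").unlink()                # deleted by the attacker
        return restore_drill(backup, restore, manifest, rto_seconds=4 * 3600)


if __name__ == "__main__":
    r = run_demo()
    print(f"restored in {r['elapsed_seconds']:.3f}s, within RTO: {r['within_rto']}")
    print(f"ok={r['ok']} missing={r['missing']} mismatched={r['mismatched']}")
    print("backup usable:", r["usable"])
```

The drill passes the RTO check and still reports the backup as unusable, because a restore that completes on time but returns an encrypted ledger and no patient file is not a recovery. That is the result a table-top exercise cannot produce and a real restore test will.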
Understand Your Responsibility
Cloud Security To-Do List
• Implement whitelisting on your critical servers* and access protection rules on endpoints
• Enforce segmentation (security 101)
• Use Cloud Access Security Brokers (CASB) in proxy or API mode
• Hunt for Indicators Of Compromise (IOCs) and Indicators of Attack (IOAs)
• Consume actionable Threat Intelligence
• Test your backup plan. Can you meet your Recovery Time Objective?
• Define expectations beforehand (SLAs)
• What is my Maximum Tolerable Downtime? My Recovery Time Objective? (BCM)
• Identify responsibilities across teams/vendors
• Don’t assume you have the logs you need. Ask for and demand MORE!
• Bring your cloud-based logs into your SIEM (IDS, network flows, etc.)
• Run vulnerability assessments, pentests & red teaming exercises regularly
Be Prepared, Increase Visibility, Access Control and Be Proactive!
* Strategies to Mitigate Targeted Cyber Intrusions by the Australian Government – http://www.asd.gov.au/publications/Mitigation_Strategies_2014.pdf
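“Hunt for IOCs and IOAs” is abstract until it is written against the intrusion this deck describes: Internet-facing server compromised, AD harvested with Sysinternals and open-source tools, lateral movement, then samsam.exe run by hand and files rewritten in bulk. The script below is an added example, not code from the deck or from Intel Security, that hunts for those three stages over constructed telemetry. The log format (ts|host|event_id|user|process|detail) is an invented, flattened stand-in for Windows Security and Sysmon events; the event IDs it keys on are the real ones (7045 service installed, 4688 process created, Sysmon 11 file created), while the tool names, command substrings and the 20-files-in-60-seconds burst threshold are assumptions to tune against your own environment. It deliberately includes a user saving a few documents and a backup agent writing many files slowly, both of which must stay quiet.

```python
"""Hunt for the IOAs of a SamSam-style intrusion: AD recon tooling, PsExec service
installs, and a mass file-write burst from a single process.

Added example, not from the original deck. Event lines are constructed; the
watch-lists and thresholds are assumptions, not published indicators."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LATERAL_TOOLS = {"psexec.exe", "psexesvc.exe", "adfind.exe"}           # assumed watch-list
AD_HARVEST_CMDS = ('net group "domain admins"', "net user /domain")     # assumed watch-list
BURST_THRESHOLD = 20                   # file creates by one process ...
BURST_WINDOW = timedelta(seconds=60)   # ... inside this window = encryption burst IOA


def parse_event(line):
    """ts|host|event_id|user|process|detail (constructed format, not EVTX)."""
    ts, host, event_id, user, process, detail = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event_id": int(event_id),
            "user": user, "process": process, "detail": detail}


def hunt(lines):
    """Return findings {'ioa', 'host', 'subject', 'evidence'} in time order."""
    events = sorted(map(parse_event, lines), key=lambda e: e["ts"])
    recent_writes = defaultdict(deque)   # (host, process) -> timestamps inside the window
    already_flagged = set()
    findings = []
    for ev in events:
        if ev["event_id"] == 7045 and "psexesvc" in ev["detail"].lower():
            findings.append({"ioa": "psexec_service_install", "host": ev["host"],
                             "subject": ev["user"], "evidence": ev["detail"]})
        elif ev["event_id"] == 4688:
            image = ev["process"].rsplit("\\", 1)[-1].lower()
            cmd = ev["detail"].lower()
            if image in LATERAL_TOOLS or any(c in cmd for c in AD_HARVEST_CMDS):
                findings.append({"ioa": "recon_or_lateral_tool", "host": ev["host"],
                                 "subject": image, "evidence": ev["detail"]})
        elif ev["event_id"] == 11:
            key = (ev["host"], ev["process"])
            window = recent_writes[key]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > BURST_WINDOW:   # slide the window forward
                window.popleft()
            if len(window) >= BURST_THRESHOLD and key not in already_flagged:
                already_flagged.add(key)                  # one alert per process, not per file
                findings.append({"ioa": "file_write_burst", "host": ev["host"],
                                 "subject": ev["process"],
                                 "evidence": f"{len(window)} files in {BURST_WINDOW.seconds}s"})
    return findings


def build_sample_log():
    """Constructed telemetry: AD recon from a web server, PsExec onto a file server, the
    encryption burst, plus benign noise (a user, a backup agent) that must not fire."""
    lines = [
        "2016-03-28T02:10:05|WEB01|4688|CORP\\svc_web|C:\\Windows\\Temp\\adfind.exe|adfind.exe -f objectcategory=computer",
        "2016-03-28T02:11:40|WEB01|4688|CORP\\svc_web|C:\\Windows\\System32\\net.exe|net group \"Domain Admins\" /domain",
        "2016-03-28T02:20:12|FS01|7045|CORP\\admin1|services.exe|Service Name: PSEXESVC, ImagePath: %SystemRoot%\\PSEXESVC.exe",
        "2016-03-28T02:20:13|FS01|4688|CORP\\admin1|C:\\Windows\\PSEXESVC.exe|PSEXESVC.exe",
        "2016-03-28T02:20:30|FS01|4688|CORP\\admin1|C:\\Windows\\Temp\\samsam.exe|samsam.exe",
    ]
    t0 = datetime(2016, 3, 28, 2, 21, 0)
    for i in range(25):   # 25 rewritten files in 25 seconds -> burst
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()}|FS01|11|CORP\\admin1|"
                     f"C:\\Windows\\Temp\\samsam.exe|D:\\Shares\\Finance\\report{i}.xlsx.enc")
    t1 = datetime(2016, 3, 28, 2, 15, 0)
    for i in range(3):    # a user saving a few documents: no alert
        lines.append(f"{(t1 + timedelta(seconds=i * 7)).isoformat()}|WS07|11|CORP\\jdoe|"
                     f"C:\\Windows\\explorer.exe|C:\\Users\\jdoe\\Documents\\memo{i}.docx")
    t2 = datetime(2016, 3, 28, 2, 0, 0)
    for i in range(25):   # backup agent: 25 files, one every 15 s, never 20 in a minute
        lines.append(f"{(t2 + timedelta(seconds=i * 15)).isoformat()}|FS01|11|SYSTEM|"
                     f"C:\\Program Files\\BackupAgent\\agent.exe|E:\\Backups\\vol{i}.bak")
    return lines


if __name__ == "__main__":
    for f in hunt(build_sample_log()):
        print(f"{f['ioa']:24} {f['host']:6} {f['subject']}  [{f['evidence']}]")
```

Five findings come out, in the order an analyst would want to read them: AD recon on WEB01 (adfind, then net group), the PSEXESVC service install on FS01, the PSEXESVC.exe process itself, and finally the burst from samsam.exe. Note what the deck’s “little or no logs” warning means here: without 7045 and 4688 forwarded from the servers you only ever see the last finding, after the damage is done.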
Evaluate and Rehearse your IR Program
Maturity requires experience, which comes with exposure to the real world.
• Rehearse and coordinate an emergency response across all business units: legal, HR, PR, office of the CIO, CEO, etc., including LE, vendors, and cloud providers.
• Incorporate lessons learnt in your program.
• Many of the organizations we meet with have IR plans, but they’re not rehearsed against real-world scenarios. Use table-top exercises, red team / blue team, and dry runs to test your IR plans.
You CAN survive a Ransomware attack!
Matt Anthony, VP Incident Response, Herjavec Group
Let’s Talk Incident Response
• The first 24 hours
• The first few days
• Answering some tough questions – or not.
• Are you ready? What does ready mean?
• How to be less vulnerable and more resilient
The IR Lifecycle
MSS – Monitoring & Detection
Managed Services and Monitoring LIVE here.
WHY is important!
WHY, you ask?
Most incidents could have been prevented!
[Chart: why incidents happen – Bad Luck, Technical Controls, Process Deficiencies]
Thinking About Threats
[Chart: threat actors plotted by Increasing Skill (vertical axis) and Increasing Malice or Focus (horizontal axis)]
• Commodity hackers / scripters / malware
• Highly skilled and focused attacks (like Sony or Sands)
• Accidents, errors, staff “just trying to do a job”
• Evil insiders – people with an axe to grind
Why Did A Breach Happen?
• Errors and accidents – user action
• Malicious insider or near-insider threats
• Ransomware or malware – commercially tooled criminals
• Highly skilled criminals with custom tools
It CAN Happen
× Vulnerabilities
× Bad admin passwords
× Phishing schemes
× Unpatched… everything
Today’s lesson is brought to you by the letter U: UNDERPREPARED
Hiding In The Herd Doesn’t Work
There Are A Lot Of Lions
A Case Study
Day 1 – The Notice: 45 Machines 150%
Day 1 Continues: 45 Machines + 20 Machines
Day 1 Continues: 60+ Machines
Day 2 – Incident Response – Scoping
Day 2 – Incident Response
What Happens Next? Decision Time!
• Do we pay?
• Should the Internet be disabled?
• Should the police be engaged?
• What statements of assurance can be made to the ELT, board, stakeholders, staff?
Questions To Be Addressed
• Why this breach?
• Why were we vulnerable?
• Why were the controls weak?
• Why were those elements missing?
• Why wasn’t there any responsibility assigned?
Looking For Causes
• No plan/process
• Little local expertise
• Unpatched systems
• Weak security metrics
• Poor measurement
• Lack of management commitment
• Limited resources
• Unclear accountability/responsibility
• Weak identity and access management
• Decentralized IT
• Poor or no logging/monitoring
• Warnings are missed
Outrun The Lions
Start Running…
• Get meaningful info about risks/threats
• Measure and report info sec risks outside of IT
• Report risks in business terms
• Develop & present metrics
• Don’t sugar coat it
• Educate executives every chance you get
Cover The Basics
• Harden endpoints
• Identity & access management
• Patch
Time To Do More
• Segment networks
• Deploy SIEMs
• Update your asset database
• Next generation endpoint tools
• If you don’t have expertise, buy it
Agility Is Key
Thank You