The Best Ways to Stop Malware and Ransomware That No One Else Will Tell You
Roger A. Grimes, Data-Driven Security Evangelist, [email protected]

Posted 07-Nov-2021

Page 1: The Best Ways to Stop Malware and Ransomware That No …

The Best Ways to Stop Malware and Ransomware That No One Else Will Tell You
Roger A. Grimes, Data-Driven Security Evangelist, [email protected]

Page 2:

About Roger

Roger A. Grimes, Data-Driven Defense Evangelist

KnowBe4, Inc.

Twitter: @RogerAGrimes
LinkedIn: https://www.linkedin.com/in/rogeragrimes/

• 30 years plus in computer security
• Expertise in host and network security, IdM, crypto, PKI, APT, honeypot, cloud security
• Consultant to world’s largest companies and militaries for decades
• Previously worked for Foundstone, McAfee, Microsoft
• Written 12 books and over 1,000 magazine articles
• InfoWorld and CSO weekly security columnist 2005-2019
• Frequently interviewed by magazines (e.g. Newsweek) and radio shows (e.g. NPR’s All Things Considered)

Certification exams passed include:
• CPA
• CISSP
• CISM, CISA
• MCSE: Security, MCP, MVP
• CEH, TISCA, Security+, CHFI
• yada, yada

Page 3:

Roger’s Books

Page 4:

KnowBe4, Inc.
• The world’s most popular integrated Security Awareness Training and Simulated Phishing platform
• Based in Tampa Bay, Florida, founded in 2010
• CEO & employees are ex-antivirus, IT Security pros
• 200% growth year over year
• We help tens of thousands of organizations manage the problem of social engineering

Page 5:

Agenda
• Two Best Ways to Stop Malware
• Step-by-Step Instructions
• Live Malware & Defense Demonstration

Page 6:

Two Best Ways
• Detect and Mitigate How Malware is Breaking In
• Detect How Long Malware is Dwelling and Where
• How/Why/Where/How Long? Early detection of it all
• No anti-malware defense is going to tell you this

Page 7:

How Malware Is Breaking In
• Officially known as the initial root cause exploit
• You cannot stop malware if you don’t stop how it is breaking in
• You must focus on root causes as much as or more than on what breaks in or what it is named!
• Malware and hackers can break in using 10 different methods

Page 8:

Initial Root Cause Exploits (8/18/20)

What’s the number one root cause threat in your environment?
• Programming Bug (patch available or not available)
• Social Engineering
• Authentication Attack
• Human Error/Misconfiguration
• Eavesdropping/MitM
• Data/Network Traffic Malformation
• Insider Attack
• 3rd Party Reliance Issue (vendor/dependency/watering hole)
• Physical Attack
• Brand New Attack Vector (w/o current/default mitigation)

Ask Yourself 3 Key Questions:
1. Can your team correctly answer what is the top root cause?
2. Is the answer consistent across all stakeholders?
3. Do you have data to back up the right answer?

Page 9:

The Data-Driven Defenders Approach

Risk Ranked Threat Perceptions:
• Focuses on root causes
• Local experience and data is highly valued
• Relevance is a big deciding factor

Risk Ranked Defenses:
• Mitigates root causes, not individual threats
• More efficient resource utilization
• Allows clearer cost/benefit considerations

(Diagram: on the threat side, the #1, #2 and #3 most impactful exploited root-cause threats, a few medium threats and a long tail of small threats; on the defense side, defenses against the #1, #2 and #3 most impactful exploited root-cause threats, medium mitigations, and the long tail of small threats left unaddressed; the diagram also carries a "Vendors" label next to the top-ranked threats)

May decide that the cost of defending against small threats is not a good business decision

Page 10:

Biggest Initial Breach Root Causes for Most Companies
• Social Engineering
• Unpatched Software
• But don’t trust me, measure your own risk

Social engineering is responsible for 70% - 90% of all malicious data breaches
https://blog.knowbe4.com/70-to-90-of-all-malicious-breaches-are-due-to-social-engineering-and-phishing-attacks

Page 11:

Social Engineering & Phishing

Social Engineering Methods
• Email
• Compromised Web Sites/Banner Ads
• SMS
• Instant Messaging
• Vishing (voice call phishing)
• In-Person

Page 12:

Social Engineering & Phishing

Social Engineering Methods
• Malicious URLs
• How to Spot Rogue URLs
  • Article - https://blog.knowbe4.com/top-12-most-common-rogue-url-tricks
  • Webinar - https://info.knowbe4.com/rogue-urls

Page 13:

Top Exploited Software
Usually less than a handful of threats compromise the vast majority of real risk

Most attacked unpatched software is usually Internet-facing/accessing and:
Clients
• Browser Add-Ons
• Network-advertising Services/Daemons
• OS
• Productivity apps (Microsoft Office, etc.)
Servers
• Web server software
• OS
• Database
• Mgmt software

What are your top unpatched threats?


Page 15:

How Malware Is Breaking In

Determining How Malware Breaks In
• Antivirus/antimalware/EDR software might tell you if it blocks and alerts during the initial act of exploitation…but you usually don’t know where in the malware lifecycle detection happened, so:
• Know that most malware only breaks in using one method
• Create/use a way of detecting or tracking first execution and where
• Look at your logs
• Do a little research
• End-user may be able to tell you
• Last resort: track by inventory

Page 16:

How Malware Is Breaking In

Determining How Malware Breaks In
• Most malware only breaks in using one method
• Most malware is installed using:
  • Social engineering (email and compromised web sites)
  • Unpatched Internet-facing software
  • Password guessing
• Malware exploit kits only use a few basic exploits each year

Page 17:

How Malware Is Breaking In

Determining How Malware Breaks In
If nothing else, do a little research
• Review your daily/monthly anti-malware report
• Research the exploitation vectors for the top 10 identified malware programs
• You can use AV vendor reports, but your own information is better

Page 18:

How Malware Is Breaking In

Determining How Malware Breaks In
Do a little research (example)
CheckPoint Top 10 Report (shown as an image on the slide; not captured in the transcript)
But let’s assume this is your personal AV monthly report

Page 19:

How Malware Is Breaking In

Determining How Malware Breaks In
Do a little research (example percentages shown for an example report)
• Agent Tesla – 37%
• Phorpiex – 24%
• XMRig – 21%
• Dridex – 9%
• Trickbot – 3%
• Ramnit – 3%
• Emotet – 1%
Total: 98%


Page 22:

How Malware Is Breaking In

Determining How Malware Breaks In
Do a little research (example)
• Agent Tesla – social engineering/unpatched Microsoft Office
• Phorpiex – spam/social engineering, IM/Skype, removable media drives
• XMRig – unpatched web server software
• Dridex – spam/email attachment/social engineering
• Trickbot – social engineering, unpatched software, network file shares
• Ramnit – (we will say unknown just for this example)
• Emotet – macro virus in email attachment/social engineering

Page 23:

How Malware Is Breaking In

Determining How Malware Breaks In
Do a little research (example)
• Based on the percentages, if you are fully patched, then it means:
  • 74% related to social engineering one way or another
  • Plus possibly some removable media exploits and network share issues
  • 3% - 5% unknown
• If you are not fully patched, attribute up to 48% of the risk to unpatched software depending on what you find
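The arithmetic on this slide, as an added worked example that is not part of the original deck: a small PowerShell function takes a monthly top-N anti-malware report, with each family's researched entry vectors, and returns an upper-bound share per root cause, once with every vector still open and once with unpatched software treated as closed. The family table is the one the slides give for this example month; the function name, the cause labels and the 'Mitigated' bucket are this example's own assumptions.

```powershell
# Added example, not from the slides: the "simple math" from the report above,
# written so it can be re-run every month against your own top-N report.
# The family-to-root-cause table is the slides' example research; replace it.
$report = @(
    [pscustomobject]@{ Family = 'Agent Tesla'; Pct = 37; Causes = @('SocialEngineering', 'Unpatched') }
    [pscustomobject]@{ Family = 'Phorpiex';    Pct = 24; Causes = @('SocialEngineering', 'RemovableMedia') }
    [pscustomobject]@{ Family = 'XMRig';       Pct = 21; Causes = @('Unpatched') }
    [pscustomobject]@{ Family = 'Dridex';      Pct = 9;  Causes = @('SocialEngineering') }
    [pscustomobject]@{ Family = 'Trickbot';    Pct = 3;  Causes = @('SocialEngineering', 'Unpatched', 'NetworkShare') }
    [pscustomobject]@{ Family = 'Ramnit';      Pct = 3;  Causes = @('Unknown') }
    [pscustomobject]@{ Family = 'Emotet';      Pct = 1;  Causes = @('SocialEngineering') }
)

function Get-RootCauseShare {
    param(
        [Parameter(Mandatory)] [object[]] $Report,
        # Root causes you have already closed off, e.g. 'Unpatched' once you are fully patched
        [string[]] $Mitigated = @()
    )
    $share = @{}
    foreach ($entry in $Report) {
        $live = @($entry.Causes | Where-Object { $Mitigated -notcontains $_ })
        if ($live.Count -eq 0) {
            # Every way this family gets in is closed: that is risk you removed, not unknown risk
            $share['Mitigated'] += $entry.Pct
            continue
        }
        # Upper bound: a family with more than one listed vector counts fully under each,
        # so the columns can sum past 100%. Narrow it with your own evidence (logs, users).
        foreach ($cause in $live) { $share[$cause] += $entry.Pct }
    }
    # Detections outside the top N are unattributed
    $share['Unknown'] += 100 - ($Report | Measure-Object -Property Pct -Sum).Sum
    $share.GetEnumerator() | Sort-Object Value -Descending |
        ForEach-Object { [pscustomobject]@{ RootCause = $_.Key; UpperBoundPct = $_.Value } }
}

Get-RootCauseShare -Report $report                          # everything still open
Get-RootCauseShare -Report $report -Mitigated 'Unpatched'   # after you are fully patched
```

With 'Unpatched' marked as mitigated the output matches the slide: 74% social engineering, 5% unknown (Ramnit plus the 2% outside the top seven), with XMRig's 21% shown as mitigated rather than vanishing silently. The unmitigated run gives the ceiling for unpatched software (every family that lists it as one possible vector), which is the starting point for the "depending on what you find" narrowing the slide describes.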

Page 24:

3 x 3 Security Control Pillars
https://www.linkedin.com/pulse/3-x-security-control-pillars-roger-grimes

For every high-risk threat you want to mitigate, create 3 x 3 controls

Page 25:

How Malware Is Breaking In

Determining How Malware Breaks In
Do a little research (example)
• Took me 45 minutes of research and simple math to determine
• Use your own anti-malware reports
• Try your best to determine the root cause exploit based on evidence
• Research what you can’t find or determine
• Otherwise: your top two root causes are likely to be social engineering and unpatched software
• But maybe one month it becomes unpatched video cameras (e.g. MVPower exploit) or USB keys…so track each month and over time

Page 26:

The KnowBe4 Security Awareness Program WORKS

Baseline Testing: Use simulated phishing to baseline assess the Phish-prone™ percentage of your users.

Train Your Users: The world's largest library of security awareness training content; including interactive modules, videos, games, posters and newsletters. Automated training campaigns with scheduled reminder emails.

Phish Your Users: Best-in-class, fully automated simulated phishing attacks, hundreds of templates with unlimited usage, and community phishing templates.

See the Results: Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!

Page 27:

Security Awareness Training Program That Works
• Drawn from a data set of over four million users
• Over 17K organizations
• Over 9.1M Simulated Phishing Campaigns
• Segmented by industry type and organization size
https://info.knowbe4.com/phishing-by-industry-benchmarking-report

Page 28:

How Long and Where Malware Is

Determining How Long Malware Dwells and Where
Summary
• Use an application control program in monitor/audit-only mode
• Create a snapshot rule baseline from a clean image
• Detect and report on newly executed programs
• Copy new execution log events to a centralized database
• Whenever AV detects and removes malware, compare removal time to origination time
• Create reports and security workflows from this info

Page 29:

How Long and Where Malware Is

Determining How Long Malware Dwells and Where
Application Control Programs
• Allow you to whitelist and blacklist executables and other programs
• Most allow monitoring/audit-only modes versus blocking/enforcement modes
• Most can build rules by “snapshotting” a system
• Most write events to security logs when new executions not on the baseline occur

Page 30:

How Long and Where Malware Is

Determining How Long Malware Dwells and Where
Application Control Program Examples
• AppLocker and Windows Defender Application Control on Microsoft Windows
• Most major AV programs have a version
• Commercial versions: BeyondTrust, Carbon Black, Tripwire, Cisco, Ivanti
• Open source versions: SELinux, AppArmor, fapolicyd
• NIST SP 800-167 “Guide to Application Whitelisting”

Page 31:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker
• Been in Microsoft Windows enterprise versions since Windows 7/Windows Server 2008 R2
• Early related Windows feature was Software Restriction Policies
• Windows Defender Application Control (WDAC), released in Windows 10
• WDAC is a far more serious application control program than AppLocker and takes much more planning and administration to run
• AppLocker does not promise a true security boundary, WDAC does
• For our purposes, AppLocker is good enough
• Can be deployed stand-alone, via Group Policy, or via MDM (e.g. Intune, etc.)

Page 32:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker
• Run Gpedit.msc
• Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker

Page 33:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker
AppLocker Rule Categories:
• Executable Rules
• Windows Installer Rules
• Script Rules
• Packaged app Rules (Modern apps)
Each can be enabled separately

Page 34:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker
(slide body is a screenshot not captured in the transcript)

Page 35:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker
(slide body is a screenshot not captured in the transcript)

Page 36:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker
(slide body is a screenshot not captured in the transcript)

Page 37:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker
(slide body is a screenshot not captured in the transcript)
Note: If you enabled enforcement mode you might want to say Yes here.

Page 38:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker
(slide body is a screenshot not captured in the transcript)

Page 39:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker – Start the Application Identity (AppIDSvc) service; AppLocker rules are not evaluated until it is running
(slide body is a screenshot not captured in the transcript)

Page 40:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker
Event Viewer: 0 logged events (screenshot not captured in the transcript)

Any execution exceptions to AppLocker’s policy will be logged as 8003 events in the AppLocker "EXE and DLL" log (the "MSI and Script" log records the same audit-only condition as event 8006)
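The deployment steps on pages 31 to 40, as one added PowerShell example; this is not code from the slides, from KnowBe4 or from Microsoft. It snapshots a clean image into publisher and hash allow rules, applies them in AuditOnly mode, starts the Application Identity service, and reads the resulting audit events back. Assumptions: the snapshot directories ($BaselineDirs), the policy file path ($PolicyPath), the helper name Get-AppLockerAuditEvent, and that it runs elevated on a Windows edition that supports AppLocker.

```powershell
# Added example, not from the slides: AppLocker as an audit-only first-execution
# sensor. Run elevated on a clean reference build. $BaselineDirs/$PolicyPath are
# assumptions; adjust for your image.
$BaselineDirs = @("$env:SystemRoot", "${env:ProgramFiles}", "${env:ProgramFiles(x86)}")
$PolicyPath   = "$env:ProgramData\AppLocker-baseline.xml"

# 1. Snapshot: enumerate everything executable that is on the clean image now.
$files = foreach ($dir in ($BaselineDirs | Where-Object { $_ -and (Test-Path $_) })) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Build allow rules for the snapshot. Signed files get publisher rules (they
#    survive patching); unsigned files fall back to hash rules. -Optimize folds
#    files from the same publisher into one rule.
[xml]$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix Baseline -Optimize -Xml

# 3. Audit only. Rule collections default to NotConfigured, which neither blocks
#    nor logs. AuditOnly logs every execution outside the baseline without
#    blocking it, which is all the dwell-time method needs.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($PolicyPath)
Set-AppLockerPolicy -XmlPolicy $PolicyPath    # add -Merge to keep rules already on the host

# 4. Nothing is evaluated until the Application Identity service runs. Set-Service
#    cannot change its start type on recent Windows 10/11 builds; sc.exe can.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 5. Read the audit events: 8003 = EXE/DLL allowed but would have been blocked,
#    8006 = the same condition in the MSI and Script log.
function Get-AppLockerAuditEvent {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filters = @(
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8003; StartTime = $Since }
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006; StartTime = $Since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            # The interesting fields live in UserData/RuleAndFileData, not in Message
            $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Host     = $_.MachineName
                EventId  = $_.Id
                User     = $data.TargetUser      # SID of the account that ran it
                FilePath = $data.FilePath        # uses %OSDRIVE%, %WINDIR% style variables
                FileHash = $data.FileHash
                Fqbn     = $data.Fqbn            # publisher\product\file\version, empty if unsigned
            }
        }
    }
}

Get-AppLockerAuditEvent | Sort-Object Time | Format-Table Time, Host, User, FilePath -AutoSize
```

AuditOnly is what turns AppLocker into a detection sensor rather than a control: an unknown program still runs, but its first execution on that host is now timestamped in the event log with the user, path and hash. Forward both AppLocker logs to the central store (Windows Event Forwarding or your SIEM agent) promptly, because the AppLocker channels are small by default and roll over, and keep the policy in a version-controlled file so the snapshot can be rebuilt after each image update.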

Page 41:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker
Malshare.com Example (screenshot not captured in the transcript)

Page 42:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker
Malshare.com Example - Search for “ransomware” (screenshot not captured in the transcript)

Page 43:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker
Malshare Example (screenshot not captured in the transcript)

Page 44:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker
Malshare Example (screenshot not captured in the transcript)

Page 45:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker
Malshare Example – When It Executes (screenshot not captured in the transcript)

Page 46:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker
Malshare Example (screenshot not captured in the transcript)

Page 47:

How Long and Where Malware Is

Example Application Control Program Deployment
AppLocker
Pull all 8003 events to a centralized database

Page 48:

How Long and Where Malware Is

Example Application Control Program Deployment
Pull all AV detection log events to the same centralized database
(Diagram: AV program logs and AppLocker 8003 events feeding one central database)

Page 49:

How Long and Where Malware Is

Final Steps
Every time malware is detected:
• Compare AV detection date/time to app control first execution date/time
• Create malware dwell time aging reports
• Develop security workflows

Page 50:

How Long and Where Malware Is

Final Steps
Security workflows
• Automate emails to victims notifying them of how long the malware dwelled and what they need to do
• What applications did they logon to while exploited?
• What personal logons did they use while exploited?

Page 51:

How Long and Where Malware Is

Final Steps
(slide body is a screenshot not captured in the transcript)

Page 52:

How Long and Where Malware Is

Final Steps
Create reports and alerts of:
• Long dwell times
• Even minor dwell times on high-risk or high value assets
• Growing average dwell times

Page 53:

How Long and Where Malware Is

Final Steps
Security workflows
• Tie back to how malware got in to modify your training and defenses
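The dwell-time join described on pages 28 and 47 to 53, as an added PowerShell example that is not code from the slides: first-execution records from the AppLocker audit events are matched to anti-malware detection records for the same host and file, dwell is the gap between the two timestamps, and the result feeds the three reports the slides ask for (long dwell, any dwell on high-value assets, growing average dwell). The two record arrays are constructed sample data so the block runs offline; in production they come from the central store (AppLocker 8003/8006 events, and the AV product's detection events, e.g. Microsoft Defender 1116/1117). The field names, $highValueHosts, the thresholds and the function names are this example's assumptions. It goes slightly beyond the slides in two ways: a detection with no matching first-execution record is reported as unknown dwell rather than zero, and AppLocker's %OSDRIVE%/%WINDIR% path variables are expanded so the join works against the real paths AV logs use.

```powershell
# Added example, not from the slides. Constructed sample records stand in for the
# centralized AppLocker audit events (first execution) and AV detection events.
$execEvents = @(
    [pscustomobject]@{ Host = 'WS-0142';  FilePath = '%OSDRIVE%\USERS\AMY\APPDATA\LOCAL\TEMP\INVOICE.EXE'; Time = [datetime]'2021-10-04T09:12:00' }
    [pscustomobject]@{ Host = 'WS-0142';  FilePath = '%OSDRIVE%\USERS\AMY\APPDATA\LOCAL\TEMP\INVOICE.EXE'; Time = [datetime]'2021-10-05T08:03:00' }  # later re-run
    [pscustomobject]@{ Host = 'SRV-DB01'; FilePath = '%WINDIR%\TEMP\XMRIG.EXE';                           Time = [datetime]'2021-10-01T02:40:00' }
    [pscustomobject]@{ Host = 'WS-0207';  FilePath = '%OSDRIVE%\USERS\BOB\DOWNLOADS\SETUP.EXE';          Time = [datetime]'2021-10-06T16:20:00' }
)
$avEvents = @(
    [pscustomobject]@{ Host = 'WS-0142';  FilePath = 'C:\Users\amy\AppData\Local\Temp\invoice.exe'; Threat = 'Trojan:Win32/AgentTesla'; Time = [datetime]'2021-10-06T11:45:00' }
    [pscustomobject]@{ Host = 'SRV-DB01'; FilePath = 'C:\Windows\Temp\xmrig.exe';                   Threat = 'Trojan:Win32/CoinMiner';  Time = [datetime]'2021-10-19T07:00:00' }
    [pscustomobject]@{ Host = 'WS-0311';  FilePath = 'C:\Users\cat\Downloads\photo.scr';            Threat = 'Ransom:Win32/Example';    Time = [datetime]'2021-10-20T10:00:00' }
)
$highValueHosts = @('SRV-DB01')   # assumption: supplied by your asset inventory

# AppLocker logs paths in upper case with its own variables; AV logs use real paths.
# Normalize both to one join key. Assumes the default install layout on every host.
$appLockerVars = @{ '%OSDRIVE%' = 'C:'; '%WINDIR%' = 'C:\Windows'; '%SYSTEM32%' = 'C:\Windows\System32'; '%PROGRAMFILES%' = 'C:\Program Files' }
function Get-PathKey([string]$HostName, [string]$Path) {
    foreach ($v in $appLockerVars.Keys) {
        if ($Path.StartsWith($v, [System.StringComparison]::OrdinalIgnoreCase)) {
            $Path = $appLockerVars[$v] + $Path.Substring($v.Length)
        }
    }
    "$HostName|$($Path.ToLowerInvariant())"
}

function Get-MalwareDwell {
    param(
        [Parameter(Mandatory)] [object[]] $ExecEvents,
        [Parameter(Mandatory)] [object[]] $AvEvents
    )
    # The earliest audit event per host+file is the first execution.
    $firstRun = @{}
    foreach ($e in ($ExecEvents | Sort-Object Time)) {
        $key = Get-PathKey $e.Host $e.FilePath
        if (-not $firstRun.ContainsKey($key)) { $firstRun[$key] = $e.Time }
    }
    foreach ($d in $AvEvents) {
        $first = $firstRun[(Get-PathKey $d.Host $d.FilePath)]
        # No audit record: the file never ran (AV caught it on write) or ran before
        # the baseline existed. Report unknown dwell, never zero.
        $dwellHours = if ($null -ne $first) { [math]::Round(($d.Time - $first).TotalHours, 1) } else { $null }
        [pscustomobject]@{
            Host       = $d.Host
            FilePath   = $d.FilePath
            Threat     = $d.Threat
            FirstRun   = $first
            Detected   = $d.Time
            DwellHours = $dwellHours
            HighValue  = $highValueHosts -contains $d.Host
        }
    }
}

function Get-DwellAlert {
    param(
        [Parameter(Mandatory)] [object[]] $Dwell,
        [double] $LongDwellHours = 72,       # assumption: tune both thresholds to your environment
        [double] $HighValueDwellHours = 1
    )
    foreach ($r in $Dwell) {
        $reason = $null
        if ($null -eq $r.DwellHours) { $reason = 'no first-execution record' }
        elseif ($r.HighValue -and $r.DwellHours -gt $HighValueDwellHours) { $reason = 'dwell on high-value asset' }
        elseif ($r.DwellHours -gt $LongDwellHours) { $reason = 'long dwell' }
        if ($reason) {
            [pscustomobject]@{ Host = $r.Host; Threat = $r.Threat; DwellHours = $r.DwellHours; Reason = $reason }
        }
    }
}

function Get-DwellTrend([object[]] $Dwell) {
    # Average dwell per detection month: the number that should not be growing.
    $Dwell | Where-Object { $null -ne $_.DwellHours } |
        Group-Object { $_.Detected.ToString('yyyy-MM') } |
        ForEach-Object {
            [pscustomobject]@{
                Month         = $_.Name
                Detections    = $_.Count
                AvgDwellHours = [math]::Round(($_.Group | Measure-Object -Property DwellHours -Average).Average, 1)
            }
        }
}

$dwell = Get-MalwareDwell -ExecEvents $execEvents -AvEvents $avEvents
$dwell | Format-Table Host, Threat, FirstRun, Detected, DwellHours, HighValue -AutoSize
Get-DwellAlert -Dwell $dwell | Format-Table -AutoSize
Get-DwellTrend -Dwell $dwell | Format-Table -AutoSize
```

On the sample data the workstation infection shows roughly two days of dwell and raises nothing, the miner on the database server shows more than two weeks and is flagged because the host is high value, and the third detection is flagged because there is no first-execution record at all, which is the case to investigate rather than celebrate: either the baseline was applied after the file ran, or the host is not forwarding its AppLocker log. The per-host, per-file key is deliberate; dwell is measured per victim, not per malware family, because that is what the victim notification workflow on page 50 needs.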

Page 54:

How Long and Where Malware Is

Demo - AppLocker and Live Malware Detection

Page 55:

Resources
» Learn More at www.KnowBe4.com/Resources «

12+ Ways to Hack Two-Factor Authentication
All multi-factor authentication (MFA) mechanisms can be compromised, and in some cases, it's as simple as sending a traditional phishing email. Want to know how to defend against MFA hacks? This whitepaper covers over a dozen different ways to hack various types of MFA and how to defend against those attacks.

Ransomware Hostage Rescue Manual
Get the most complete Ransomware Manual packed with actionable info that you need to have to prevent infections, and what to do when you are hit with ransomware.

CEO Fraud Prevention Manual
CEO fraud is responsible for over $3 billion in losses. Don’t be next. The CEO Fraud Prevention Manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim.

Page 56:

Questions?

Tel: 855-KNOWBE4 (566-9234) | www.KnowBe4.com | [email protected]

Roger A. Grimes – Data-Driven Defense Evangelist, KnowBe4
[email protected]
Twitter: @rogeragrimes
https://www.linkedin.com/in/rogeragrimes/