SlideShare uma empresa Scribd logo

Ransomware Resistance

F
Florian Roth

Protective Measures with Low Effort and High Impact

Tecnologia
1 de 23
Baixar para ler offline
Ransomware Resistance Protective Measures with Low Effort and High Impact
§ Florian Roth § Head of Research @ Nextron Systems § IT Sec since 2000, Nation State Cyber Attacks since 2012 § THOR Scanner § Twitter @cyb3rops § Open Source Projects: § Sigma (Generic SIEM Rule Format) § LOKI (Open Source Scanner) § APT Groups and Operations Mapping § Antivirus Event Analysis Cheat Sheet § ... About Me
Ransomware Overview Spreadsheet – Prevention Tab § Public Google Document https://docs.google.com/spreadsheets/d/1TWS238xacAto- fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
Protection the preservation from injury or harm Resistance the ability not to be affected by something, especially adversely Resilience the capacity to recover quickly from difficulties; toughness
Protection (implies previous Detection) Antivirus, Sandboxes and EDRs to detect and avert threats Resistance basic methods of separation and blocking to protect from new and unknown threats Resilience fast and easy recovery from occurred incidents
Ransomware Kill Chain Delivery Infection Propagation Methods Phishing Emails Vulnerabilities (SMBv1) Brute Force (RDP) Malicious Document Dropper/Downloader Network Scanning Extracted Credentials Protection Security Awareness Tranings Multi-Factor-Authentication Antivirus EDR IPS Detection Security Monitoring Antivirus EDR Security Monitoring NSM IDS Resistance Firewalling Email Filters Patch Management Policies Execution Prevention Firewalling (OS level) Network Segregation User Account Segregation
Ransomware Kill Chain – Industry Focus Delivery Infection Propagation Methods Phishing Emails Vulnerabilities (SMBv1) Brute Force (RDP) Malicious Document Dropper/Downloader Network Scanning Extracted Credentials Protection Security Awareness Tranings Multi-Factor-Authentication Antivirus EDR IPS Detection Security Monitoring Antivirus EDR Security Monitoring NSM IDS Resistance Firewalling Email Filters Patch Management Policies Execution Prevention Firewalling (OS level) Network Segregation User Account Segregation This is what we’ll look atIndustry Focus
1. Backup and Restore Process 2. Windows Defender Ransomware Protection 3. Block Macros 4. Block Windows Binary Access to Internet 5. Filter Attachments Level 1 6. Filter Attachments Level 2 7. Use Web Proxies 8. Block Executable Downloads 9. Enforce UAC Prompt 10. Remove Admin Privileges 11. Restrict Workstation Communication 12. Sandboxing Email Input 13. Execution Prevention 14. Change Default "Open With" to Notepad 15. Restrict program execution 16. Sysmon 17. VSSAdmin Rename 18. Disable WSH 19. Folder Redirection 20. Remove Backup Server from Domain 21. Multi-Factor-Authentication (MFA) Protective Measures 80% 20% Low Complexity Measures 80% 20% EffectEffort
Low Complexity Measures Measures that have a low complexity of implementation, minimal influence on business critical processes and don’t require a lot of previous research or expertise
High Complexity Measures Examples
High Complexity: Filter Attachments § Where can I get a good and curated list of problematic extensions? § Do we have critical business processes that depend on one or more of these extensions? § How and where can we block them?
High Complexity: Block program executions § Which programs should we white-list? § Is there a list of legitimate programs that we use in our organisation? § Who maintains that list? § Where do we apply the restrictions? (Workstations, Admin Workstations, Systems of Support Staff, Servers, Admin Jump Server)
1. Backup and Restore Process 2. Windows Defender Ransomware Protection 3. Block Macros 4. Block Windows Binary Access to Internet 5. Filter Attachments Level 1 6. Filter Attachments Level 2 7. Use Web Proxies 8. Block Executable Downloads 9. Enforce UAC Prompt 10. Remove Admin Privileges 11.Restrict Workstation Communication 12. Sandboxing Email Input 13. Execution Prevention 14. Change Default "Open With" to Notepad 15. Restrict program execution 16. Sysmon 17. VSSAdmin Rename 18. Disable WSH 19. Folder Redirection 20. Remove Backup Server from Domain 21.Multi-Factor-Authentication (MFA) Low Complexity Measures Communication Restrictions
“Worst” Practice Communication InternetIntranet
Best Practice Communication InternetIntranet Proxy No Workstation to Workstation Communication Executable Filter
Resistance 1 – Block Executable Downloads InternetIntranet Proxy Mal Doc Cannot retrieve second stage Blocks EXE from uncategorized domain
Resistance 2 – Enforce Web Proxy InternetIntranet Proxy Mal Doc Can retrieve 2nd stage Allows EXE from categorized domain 2nd stage 2nd stage has no proxy support and cannot communicate with C2 server
Resistance 3 – Block Workstation to Workstation Communication InternetIntranet Proxy Mal Doc Can retrieve 2nd stage Allows EXE from categorized domain 2nd stage 2nd stage has proxy support and can communicate with C2 server Cannot spread to other Workstations
§ Enforce Web Proxies § Level 1: from workstations on which humans open emails § Level 2: from all internal systems § Block Executable Downloads § Level 1: from domains known as malicious (not recommended) § Level 2: Instead of blocking, show a splash page for downloads from uncategorized domains (recommended) § Level 3: from uncategorized domains § Block Workstation to Workstation Communication § Network segragation is a requirement (allow connections to server segments, proxy, disallow to other client networks) § You can use the integrated Windows Firewall Resistence Measures in Details
§ Block Executable Downloads (from uncategorized domains) § Enforce Web Proxies § Block Workstation to Workstation Communication Resistence Measures Effects averts ~90 percent* averts ~60 percent* greatly reduces impact* *of attacks
§ I am not alone with that opinion § Other experts in the industry have made the same experiences Many Experts Share My View
§ Many remote workers, especially due to the global pandemic § Bandwidth problems with VPN & corporate proxies § A solid asset management is a requirement § You can’t control / restict / defend what you don’t know § Affected systems are often the neglected and forgotten ones (embedded systems, POS devices, display systems, print servers etc.) Challenges
Ransomware Resistance Protective Measures with Low Effort and High Impact

Recomendados

Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Florian Roth
 
Detection and Response Roles
Detection and Response RolesDetection and Response Roles
Detection and Response RolesFlorian Roth
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
ELK in Security Analytics
ELK in Security Analytics ELK in Security Analytics
ELK in Security Analytics nullowaspmumbai
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Brent Muir
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 

Recomendados

Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Florian Roth
 
Detection and Response Roles
Detection and Response RolesDetection and Response Roles
Detection and Response RolesFlorian Roth
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
ELK in Security Analytics
ELK in Security Analytics ELK in Security Analytics
ELK in Security Analytics nullowaspmumbai
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Brent Muir
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Florian Roth
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
50 Shades of Sigma
50 Shades of Sigma50 Shades of Sigma
50 Shades of SigmaFlorian Roth
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingYvonne Marambanyika
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2Puma Security, LLC
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chainSymantec Brasil
 
Web vulnerabilities
Web vulnerabilitiesWeb vulnerabilities
Web vulnerabilitiesKrishna Gehlot
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 

Mais conteúdo relacionado

Mais procurados

Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Florian Roth
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
50 Shades of Sigma
50 Shades of Sigma50 Shades of Sigma
50 Shades of SigmaFlorian Roth
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingYvonne Marambanyika
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2Puma Security, LLC
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chainSymantec Brasil
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 

Mais procurados (20)

Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
50 Shades of Sigma
50 Shades of Sigma50 Shades of Sigma
50 Shades of Sigma
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chain
 
Web vulnerabilities
Web vulnerabilitiesWeb vulnerabilities
Web vulnerabilities
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 

Semelhante a Ransomware Resistance

Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 
Week3Project Part 1-Task 2 – Risk Assessment.docx
Week3Project Part 1-Task 2 – Risk Assessment.docxWeek3Project Part 1-Task 2 – Risk Assessment.docx
Week3Project Part 1-Task 2 – Risk Assessment.docxhelzerpatrina
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec TrainingMike Spaulding
 
Digital Immunity -The Myths and Reality
Digital Immunity -The Myths and RealityDigital Immunity -The Myths and Reality
Digital Immunity -The Myths and Realityamiable_indian
 
UTM Unified Threat Management
UTM Unified Threat ManagementUTM Unified Threat Management
UTM Unified Threat ManagementLokesh Sharma
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present DangersPeter Wood
 
Sreerag cs network security
Sreerag cs network securitySreerag cs network security
Sreerag cs network securitySreerag Gopinath
 
It's Your Move: The Changing Game of Endpoint Security
It's Your Move: The Changing Game of Endpoint SecurityIt's Your Move: The Changing Game of Endpoint Security
It's Your Move: The Changing Game of Endpoint SecurityLumension
 
Network security chapter 1,2
Network security chapter 1,2Network security chapter 1,2
Network security chapter 1,2Education
 
Security in Computing and IT
Security in Computing and ITSecurity in Computing and IT
Security in Computing and ITKomalah Nair
 
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudCloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudMarkAnnati
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 
Detecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-ThreatDetecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-ThreatMike Saunders
 
The Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityThe Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityLumension
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...Soya Aoyama
 
Computing safety
Computing safetyComputing safety
Computing safetyBrulius
 
Mitigating Rapid Cyberattacks
Mitigating Rapid CyberattacksMitigating Rapid Cyberattacks
Mitigating Rapid CyberattacksErdem Erdogan
 

Semelhante a Ransomware Resistance (20)

Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
Week3Project Part 1-Task 2 – Risk Assessment.docx
Week3Project Part 1-Task 2 – Risk Assessment.docxWeek3Project Part 1-Task 2 – Risk Assessment.docx
Week3Project Part 1-Task 2 – Risk Assessment.docx
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
 
Digital Immunity -The Myths and Reality
Digital Immunity -The Myths and RealityDigital Immunity -The Myths and Reality
Digital Immunity -The Myths and Reality
 
UTM Unified Threat Management
UTM Unified Threat ManagementUTM Unified Threat Management
UTM Unified Threat Management
 
Active Testing
Active TestingActive Testing
Active Testing
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
Sreerag cs network security
Sreerag cs network securitySreerag cs network security
Sreerag cs network security
 
It's Your Move: The Changing Game of Endpoint Security
It's Your Move: The Changing Game of Endpoint SecurityIt's Your Move: The Changing Game of Endpoint Security
It's Your Move: The Changing Game of Endpoint Security
 
Network security chapter 1,2
Network security chapter 1,2Network security chapter 1,2
Network security chapter 1,2
 
Security in Computing and IT
Security in Computing and ITSecurity in Computing and IT
Security in Computing and IT
 
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudCloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
 
Detecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-ThreatDetecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-Threat
 
The Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityThe Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day Reality
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
 
Computing safety
Computing safetyComputing safety
Computing safety
 
Mitigating Rapid Cyberattacks
Mitigating Rapid CyberattacksMitigating Rapid Cyberattacks
Mitigating Rapid Cyberattacks
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 

Último

Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesSanjay Willie
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Último (20)

Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Ransomware Resistance

  • 1. Ransomware Resistance Protective Measures with Low Effort and High Impact
  • 2. § Florian Roth § Head of Research @ Nextron Systems § IT Sec since 2000, Nation State Cyber Attacks since 2012 § THOR Scanner § Twitter @cyb3rops § Open Source Projects: § Sigma (Generic SIEM Rule Format) § LOKI (Open Source Scanner) § APT Groups and Operations Mapping § Antivirus Event Analysis Cheat Sheet § ... About Me
  • 3. Ransomware Overview Spreadsheet – Prevention Tab § Public Google Document https://docs.google.com/spreadsheets/d/1TWS238xacAto- fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
  • 4. Protection the preservation from injury or harm Resistance the ability not to be affected by something, especially adversely Resilience the capacity to recover quickly from difficulties; toughness
  • 5. Protection (implies previous Detection) Antivirus, Sandboxes and EDRs to detect and avert threats Resistance basic methods of separation and blocking to protect from new and unknown threats Resilience fast and easy recovery from occurred incidents
  • 6. Ransomware Kill Chain Delivery Infection Propagation Methods Phishing Emails Vulnerabilities (SMBv1) Brute Force (RDP) Malicious Document Dropper/Downloader Network Scanning Extracted Credentials Protection Security Awareness Tranings Multi-Factor-Authentication Antivirus EDR IPS Detection Security Monitoring Antivirus EDR Security Monitoring NSM IDS Resistance Firewalling Email Filters Patch Management Policies Execution Prevention Firewalling (OS level) Network Segregation User Account Segregation
  • 7. Ransomware Kill Chain – Industry Focus Delivery Infection Propagation Methods Phishing Emails Vulnerabilities (SMBv1) Brute Force (RDP) Malicious Document Dropper/Downloader Network Scanning Extracted Credentials Protection Security Awareness Tranings Multi-Factor-Authentication Antivirus EDR IPS Detection Security Monitoring Antivirus EDR Security Monitoring NSM IDS Resistance Firewalling Email Filters Patch Management Policies Execution Prevention Firewalling (OS level) Network Segregation User Account Segregation This is what we’ll look atIndustry Focus
  • 8. 1. Backup and Restore Process 2. Windows Defender Ransomware Protection 3. Block Macros 4. Block Windows Binary Access to Internet 5. Filter Attachments Level 1 6. Filter Attachments Level 2 7. Use Web Proxies 8. Block Executable Downloads 9. Enforce UAC Prompt 10. Remove Admin Privileges 11. Restrict Workstation Communication 12. Sandboxing Email Input 13. Execution Prevention 14. Change Default "Open With" to Notepad 15. Restrict program execution 16. Sysmon 17. VSSAdmin Rename 18. Disable WSH 19. Folder Redirection 20. Remove Backup Server from Domain 21. Multi-Factor-Authentication (MFA) Protective Measures 80% 20% Low Complexity Measures 80% 20% EffectEffort
  • 9. Low Complexity Measures Measures that have a low complexity of implementation, minimal influence on business critical processes and don’t require a lot of previous research or expertise
  • 11. High Complexity: Filter Attachments § Where can I get a good and curated list of problematic extensions? § Do we have critical business processes that depend on one or more of these extensions? § How and where can we block them?
  • 12. High Complexity: Block program executions § Which programs should we white-list? § Is there a list of legitimate programs that we use in our organisation? § Who maintains that list? § Where do we apply the restrictions? (Workstations, Admin Workstations, Systems of Support Staff, Servers, Admin Jump Server)
  • 13. 1. Backup and Restore Process 2. Windows Defender Ransomware Protection 3. Block Macros 4. Block Windows Binary Access to Internet 5. Filter Attachments Level 1 6. Filter Attachments Level 2 7. Use Web Proxies 8. Block Executable Downloads 9. Enforce UAC Prompt 10. Remove Admin Privileges 11.Restrict Workstation Communication 12. Sandboxing Email Input 13. Execution Prevention 14. Change Default "Open With" to Notepad 15. Restrict program execution 16. Sysmon 17. VSSAdmin Rename 18. Disable WSH 19. Folder Redirection 20. Remove Backup Server from Domain 21.Multi-Factor-Authentication (MFA) Low Complexity Measures Communication Restrictions
  • 15. Best Practice Communication InternetIntranet Proxy No Workstation to Workstation Communication Executable Filter
  • 16. Resistance 1 – Block Executable Downloads InternetIntranet Proxy Mal Doc Cannot retrieve second stage Blocks EXE from uncategorized domain
  • 17. Resistance 2 – Enforce Web Proxy InternetIntranet Proxy Mal Doc Can retrieve 2nd stage Allows EXE from categorized domain 2nd stage 2nd stage has no proxy support and cannot communicate with C2 server
  • 18. Resistance 3 – Block Workstation to Workstation Communication InternetIntranet Proxy Mal Doc Can retrieve 2nd stage Allows EXE from categorized domain 2nd stage 2nd stage has proxy support and can communicate with C2 server Cannot spread to other Workstations
  • 19. § Enforce Web Proxies § Level 1: from workstations on which humans open emails § Level 2: from all internal systems § Block Executable Downloads § Level 1: from domains known as malicious (not recommended) § Level 2: Instead of blocking, show a splash page for downloads from uncategorized domains (recommended) § Level 3: from uncategorized domains § Block Workstation to Workstation Communication § Network segragation is a requirement (allow connections to server segments, proxy, disallow to other client networks) § You can use the integrated Windows Firewall Resistence Measures in Details
  • 20. § Block Executable Downloads (from uncategorized domains) § Enforce Web Proxies § Block Workstation to Workstation Communication Resistence Measures Effects averts ~90 percent* averts ~60 percent* greatly reduces impact* *of attacks
  • 21. § I am not alone with that opinion § Other experts in the industry have made the same experiences Many Experts Share My View
  • 22. § Many remote workers, especially due to the global pandemic § Bandwidth problems with VPN & corporate proxies § A solid asset management is a requirement § You can’t control / restict / defend what you don’t know § Affected systems are often the neglected and forgotten ones (embedded systems, POS devices, display systems, print servers etc.) Challenges
  • 23. Ransomware Resistance Protective Measures with Low Effort and High Impact