Ismael Valenzuela
Global Director of Foundstone Consulting/Incident Response, Intel Security
Ismael Valenzuela, GSE #132 – Global Director, Foundstone Consulting Services
Prediction 2017: I survived a ransomware attack in my cloud!
www.mcafee.com/ransomware
Fast Forward To Sometime Later this Year…
A Hypothetical Scenario
Targeted Ransomware Attacks in the Cloud
Cloud Services
Local Data Center
Watering Hole Victim
Today’s Questions…
Are we really far from this?
How can we pre-empt, contain and mitigate these attacks?
What can we learn from the trenches and how can we apply it to cloud-based attacks?
I don't know who you are. I don't know what you want. If you are looking for ransom, I can tell you I don't have money. But what I do have are a very particular set of skills… …skills that make me a nightmare for people like you.
Taken (2008)
A Day in the Life of a Cyber Incident Responder
My 15+ Year Career in CyberSecurity
Twitter: @aboutsecurity
Computer Geek (Linux User)
PenTester (Shell Rockstar)
Forensicator, IR & Threat Researcher (Sleep Deprivation)
Intel Security
Speaker & SANS Instructor (lots of Photoshop)
We’ve Been on a Few of These…
Hundreds of cases involved in the last few years, many involving ransomware
The threat landscape keeps evolving, over and over again…
How Would You Run Your Organization Without Computers?
What the media is not telling you:
– Attackers have been burning down the house as they walked out of the door
• Saudi Aramco (2012)
• South Korea (2013)
• Sony (2014)
• Many other unpublicized ones in 2014 & 2015
• What has been the trend in the last year?
• And more importantly, what can we expect going forward?
Targeted Ransomware: No Longer a Future Threat
• First campaign observed by Intel Security against the financial sector of a particular country
• Early in 2016 we observed a new widespread campaign affecting healthcare organizations, this time with a new modus operandi…
• Attackers exploited vulnerable Internet-facing servers through an unpatched vulnerability
• Used Sysinternals and open-source tools to harvest AD details and move laterally
• Executed malicious payload (samsam.exe) manually on multiple Windows systems, deleting original files and backups
https://blogs.mcafee.com/mcafee-labs/targeted-ransomware-no-longer-future-threat/
Why Ransomware?
Why Does Ransomware Show Such Strong Growth?
• Explosive growth in unique samples
• Rootkit programs make it easy for amateurs to create malware and earn extra money
• Source code for ransomware publicly available
• Polymorphic techniques lead to obfuscation and hard-to-recognize signatures for detection
(Chart: growth in unique ransomware samples, 2010 / 2013 / 2016)
CryptoWall v3 (CyberThreat Alliance)
• 49 campaign code identifiers
• 406,887 attempted infections of CryptoWall version 3
• Estimated $631 million (USD) in damages
• 4,046 malware samples
• 839 command and control URLs
• 5 second-tier IP addresses used for command and control
Who’s Behind Ransomware Attacks?
Spectrum: Wannabe, Affiliate, Organized Crime
What is The Impact of a Ransomware Attack?
February 5, 2016: Media reports that Hollywood Presbyterian Medical Center has become victim to a ransomware attack. Original reports state that staff cannot access the network and that a large ransom is required to regain access to their system.
What is The Impact of a Ransomware Attack?
February 16, 2016: After days without access to their electronic medical records, email and other systems, Hollywood Presbyterian Medical Center pays $17,000 to hackers.
Where Next?
You are in Canada? I have been researching about ransomware some, and I had the impression it all came from Russia. Interesting. Is this your main source of income? Midnight on 24th by what time zone?
So I can handle it, and you don’t have any more issues. As far as your income question … I don’t even know how you got it. We are hired by corporation to cyber disrupt day-to-day business of their competition. Never have we done anything in Finland, and, since you seem like an individual that got the wrong email to open, I am trying to keep it at the minimum.
Interesting. So that’s why the ransom is so low—because you are already getting paid by the corporation, so you are mostly interested in disrupting the business rather than making a lot of money off the ransom? That’s crazy. Is it like a legitimate corporation, and is it well-known? I will try to find an open R-Kioski or Siwa, although it might be tough with the holiday weekend. Paysafe seems like the easiest way for me.
Why Cloud?
IT’s Top Challenges for Hybrid Datacenter Security
Lack of visibility to all computing resources on-premises and off-premises
• Incomplete visibility to all workloads and data due to Shadow IT and the growth of public and private clouds
Difficulty detecting breaches and remediating any damage that may have occurred
• IT needs to assume that hackers do get through
Lack of unified management and reporting across entire infrastructure and data
• Cloud infrastructure which isn’t owned nor managed by the business
• Workloads and corporate data in the public cloud
Ransomware & Cloud Services
• “Children In Film” case (reported by Brian Krebs in Jan 2016)*
• Company’s operations run off of application cloud services, from QuickBooks to Microsoft Office and Outlook.
• Employees use Citrix to connect to the cloud, mapping the cloud drive as a local disk.
• One email, and 30 mins later, 4,000+ files encrypted
* http://krebsonsecurity.com/2016/01/ransomware-a-threat-to-cloud-services-too/
Top Exposures Resulting in Cloud Tenant Breaches
1. Internet Exposed RDP or SSH Endpoints
2. Virtual Machine Missing Security Patches
3. Web Application Vulnerability
4. Weak Admin/Co-Admin Credentials
5. Unrestricted SQL Endpoint
6. Storage Key Disclosure
7. Insufficient Security Monitoring
Mark Russinovich (CTO, Microsoft Azure): https://twitter.com/markrussinovich/status/591277863644434432
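As an added example (not part of the deck, and not code from Intel Security or Microsoft), a small Python audit that checks a constructed cloud inventory for three of the exposures in this list: management ports (RDP/SSH) reachable from the whole Internet (#1), SQL endpoints reachable from the whole Internet (#5), and virtual machines that have not been patched within a threshold (#2). The security-group style record format, the port lists, the sample hosts and the 30-day patch threshold are assumptions made for the example.

```python
"""Added example: audit a constructed cloud inventory for exposures from the list above.

Checks implemented (record format, port lists and patch threshold are assumptions):
  1. management ports (SSH/RDP) reachable from the whole Internet
  2. SQL endpoints reachable from the whole Internet
  3. virtual machines not patched within max_patch_age_days
"""
from dataclasses import dataclass
from datetime import date
import ipaddress

MGMT_PORTS = {22: "SSH", 3389: "RDP"}                           # exposure #1
SQL_PORTS = {1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}  # exposure #5


@dataclass
class Rule:
    """One inbound allow rule, security-group style (constructed format)."""
    proto: str        # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    source: str       # CIDR the rule accepts traffic from


@dataclass
class Vm:
    name: str
    rules: list
    last_patched: date


def is_internet_source(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. no source restriction at all."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers(rule: Rule, port: int) -> bool:
    return rule.proto in ("tcp", "any") and rule.port_from <= port <= rule.port_to


def audit(vms, today, max_patch_age_days=30):
    """Return (vm name, finding type, detail) tuples for every exposure found."""
    findings = []
    for vm in vms:
        for rule in vm.rules:
            if not is_internet_source(rule.source):
                continue  # limited to a bastion or office range: fine for this check
            for port, svc in MGMT_PORTS.items():
                if rule_covers(rule, port):
                    findings.append((vm.name, "internet-exposed-mgmt",
                                     f"{svc}/{port} open to {rule.source}"))
            for port, svc in SQL_PORTS.items():
                if rule_covers(rule, port):
                    findings.append((vm.name, "unrestricted-sql",
                                     f"{svc}/{port} open to {rule.source}"))
        age = (today - vm.last_patched).days
        if age > max_patch_age_days:
            findings.append((vm.name, "missing-patches", f"last patched {age} days ago"))
    return findings


def by_vm(findings):
    """Group finding types per VM, for a quick prioritised view."""
    grouped = {}
    for name, kind, _ in findings:
        grouped.setdefault(name, set()).add(kind)
    return grouped


# Constructed sample inventory (not real hosts).
TODAY = date(2017, 3, 1)
SAMPLE_VMS = [
    Vm("web-01", [Rule("tcp", 22, 22, "203.0.113.0/24"),     # SSH only from a bastion range
                  Rule("tcp", 443, 443, "0.0.0.0/0")],        # public HTTPS is expected
       date(2017, 2, 24)),
    Vm("legacy-app", [Rule("tcp", 3389, 3389, "0.0.0.0/0")],  # RDP open to the world
       date(2016, 11, 1)),
    Vm("db-01", [Rule("tcp", 1433, 1433, "0.0.0.0/0")],       # SQL open to the world
       date(2017, 2, 19)),
]

if __name__ == "__main__":
    for name, kind, detail in audit(SAMPLE_VMS, TODAY):
        print(f"{name}: {kind}: {detail}")
```

Run against the constructed inventory, the audit reports nothing for web-01 (its SSH rule is restricted to a bastion range and public HTTPS is expected), two findings for legacy-app and one for db-01. In a real tenant the same loop would be fed from the provider's API instead of the inline list; the point is that each item on the list above can be expressed as a mechanical check rather than a periodic manual review.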
What If The Target is Not the Tenant, but The Host?
Take advantage of a vulnerability in the provider’s platform/infrastructure, encrypt and hold hostage the data of 2,000 customers?
What if an attacker is able to compromise the cloud service provider?
Is This a Lost Battle?
It’s time to REDEFINE the game
Adversaries are dominant, and this will not change
• And they are already IN, in case you didn’t notice it
Therefore, winning requires a ‘new definition’, a new security paradigm, focused on preventing attacker’s success
Yes, YOU WIN every time you prevent the attacker from achieving their goal, whatever this is: data exfiltration, holding hostage, etc.
New game RULES
1. Detecting attacker activity toward end goal
2. Preventing their success
If they don’t win, YOU WIN!
“The Upstream Story”
Root Cause: Going Upstream
Lessons Learnt from the Trenches
Victims had flat networks for the most part (no segmentation/segregation), and many open shares
No whitelisting / application control
Deployed security technology is mostly ‘preventive’ and in default mode (block & forget)
Little or no capabilities to automate the response
No ability to ‘hunt’ for indicators of compromise or indicators of attack (IOCs / IOAs)
Unpatched and legacy systems, including Internet-facing systems on DMZ
Little or no IR plans in place (never tested/rehearsed)
Effective Strategies to Fight Ransomware
www.mcafee.com/ransomware
Consider the Cloud an extension of your Data Center
Identify your Crown Jewels and Focus on Impact
Do you know where attackers will attempt to pivot?
Start with something actionable:
• Create a list of prioritized defended assets: domain controllers, mail servers, network infrastructure devices, databases, etc.
• Once you have identified your crown jewels, try to determine who should access them and how.
• Associate pre-approved IR actions with them: blocking ports, blackholing traffic, disabling accounts, isolating the system, scanning for vulnerabilities, etc.
• Focus not only on prevention but also on detecting and reacting to attacks against critical assets
Adaptive Security Model
Adapting: Turning Information into Actionable Intelligence!
Applied integration, automation, and intelligence
Detect – Identify anomalous, outlier behavior, integrate network and endpoint detection, use sandboxes to inspect “grey” files
Protect – Patch management, tune endpoint access protection rules, leverage cloud intelligence for signatures and reputation, limit unknown processes
Adapt – Apply insights immediately throughout a collaborative infrastructure
Correct – Automate triage and response to provide prioritization and fluid investigation, frequent (tested) backups
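As an added example (not part of the deck, and not a product detection rule), the “Detect” step written as a hunt over a constructed file-server audit log. It flags two behaviours: an actor that replaces many files with renamed copies and deletes the originals within a short window, which is the pattern described earlier for samsam.exe, and any deletion of something that looks like a backup. The log line format, the 60-second window, the five-file threshold, the backup-path hints and the sample hosts and users are assumptions made for the example.

```python
"""Added example: hunt for ransomware-like file activity in a constructed
file-server audit log. Log format, window, threshold and path hints are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>.+)$"
)
# Path fragments that suggest a backup (assumption for the example).
BACKUP_HINTS = ("\\backup", ".bak", ".vhd")


def parse(lines):
    """Parse log lines into event dicts, oldest first; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["path"] = e["path"].lower()   # Windows paths are case-insensitive
        events.append(e)
    # sorted() is stable, so CREATE stays ahead of DELETE at equal timestamps
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(seconds=60), threshold=5):
    """Return alerts as (kind, (host, user), timestamp, detail).

    mass-encryption: an actor deletes >= threshold originals within `window`
      after creating a copy with an extra extension (a.xlsx -> a.xlsx.locked).
    backup-deletion: any DELETE of a path that looks like a backup.
    """
    alerts = []
    created = defaultdict(set)      # actor -> paths it created
    recent = defaultdict(deque)     # actor -> timestamps of replaced originals
    fired = set()                   # actors already reported for mass-encryption
    for e in events:
        actor = (e["host"], e["user"])
        path, op = e["path"], e["op"]
        if op == "CREATE":
            created[actor].add(path)
        elif op == "DELETE":
            if any(h in path for h in BACKUP_HINTS):
                alerts.append(("backup-deletion", actor, e["ts"], path))
            # original deleted after "<original>.<something>" was created by the same actor
            if any(c.startswith(path + ".") for c in created[actor]):
                q = recent[actor]
                q.append(e["ts"])
                while e["ts"] - q[0] > window:   # drop entries outside the window
                    q.popleft()
                if len(q) >= threshold and actor not in fired:
                    fired.add(actor)
                    alerts.append(("mass-encryption", actor, e["ts"],
                                   f"{len(q)} files replaced within {window.seconds}s"))
    return alerts


# Constructed log: alice does routine work; bob behaves like the operators
# described earlier (rename-and-delete the originals, then remove the backup).
SAMPLE_LOG = r"""
2017-03-01T10:00:00Z host=FS01 user=alice op=CREATE path=C:\share\notes.txt
2017-03-01T10:00:01Z host=FS01 user=alice op=DELETE path=C:\share\old.tmp
2017-03-01T10:00:02Z host=FS01 user=bob op=CREATE path=C:\share\q1.xlsx.locked
2017-03-01T10:00:02Z host=FS01 user=bob op=DELETE path=C:\share\q1.xlsx
2017-03-01T10:00:03Z host=FS01 user=bob op=CREATE path=C:\share\q2.xlsx.locked
2017-03-01T10:00:03Z host=FS01 user=bob op=DELETE path=C:\share\q2.xlsx
2017-03-01T10:00:04Z host=FS01 user=bob op=CREATE path=C:\share\q3.xlsx.locked
2017-03-01T10:00:04Z host=FS01 user=bob op=DELETE path=C:\share\q3.xlsx
2017-03-01T10:00:05Z host=FS01 user=bob op=CREATE path=C:\share\q4.xlsx.locked
2017-03-01T10:00:05Z host=FS01 user=bob op=DELETE path=C:\share\q4.xlsx
2017-03-01T10:00:06Z host=FS01 user=bob op=CREATE path=C:\share\q5.xlsx.locked
2017-03-01T10:00:06Z host=FS01 user=bob op=DELETE path=C:\share\q5.xlsx
2017-03-01T10:00:07Z host=FS01 user=bob op=CREATE path=C:\share\q6.xlsx.locked
2017-03-01T10:00:07Z host=FS01 user=bob op=DELETE path=C:\share\q6.xlsx
2017-03-01T10:00:08Z host=FS01 user=bob op=DELETE path=D:\backups\fs01-full.bak
""".strip().splitlines()

if __name__ == "__main__":
    for kind, actor, ts, detail in detect(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind} {actor}: {detail}")
```

On the constructed log, alice produces no alert, bob trips the mass-encryption rule on the fifth replaced file and the backup-deletion rule on the .bak delete. The rate-plus-rename pairing matters: a single renamed file or a single deletion is routine, and thresholding on the pair is what keeps the hunt from paging on normal work while still catching the manual, host-by-host execution the SamSam case describes. The alert carries the actor and the host, which is what a pre-approved IR action (disable the account, isolate the system) needs as input.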
Understand Your Responsibility
Cloud Security To-Do List
 Implement whitelisting on your critical servers* and access protection rules on endpoints
 Enforce segmentation (security 101)
 Use Cloud Access Security Brokers (CASB) in proxy or API mode
 Hunt for Indicators Of Compromise (IOCs) and Indicators of Attack (IOAs)
 Consume actionable Threat Intelligence
 Test your backup plan. Can you meet your Recovery Time Objective?
 Define expectations beforehand (SLAs)
 What is my Maximum Tolerable Downtime? My Recovery Time Objective? (BCM)
 Identify responsibilities across teams/vendors
 Don’t assume you have the logs you need. Ask and demand MORE!
 Bring your cloud-based logs into your SIEM (IDS, network flows, etc.)
 Run vulnerability assessments, pentests & red teaming exercises regularly
Be Prepared, Increase Visibility, Access Control and Be Proactive!
* Strategies to Mitigate Targeted Cyber Intrusions by the Australian Government - http://www.asd.gov.au/publications/Mitigation_Strategies_2014.pdf
Maturity requires experience, which comes with exposure to the real world
Evaluate and Rehearse your IR Program
Rehearse and coordinate an emergency response across all business units: legal, HR, PR, office of CIO, CEO, etc., including LE, vendors, and cloud providers.
Incorporate lessons learnt in your program
Many of the organizations we meet with have IR plans, but they’re not rehearsed against real-world scenarios.
Use table-top exercises, red team / blue team, and dry runs to test your IR plans.
You CAN survive a Ransomware attack!
Matt Anthony
VP Incident Response, Herjavec Group
Let’s Talk Incident Response
 The first 24 hours
 The first few days
 Answering some tough questions – or not.
 Are you ready?
 What Does Ready Mean?
 How to be less vulnerable and more resilient
The IR Lifecycle
MSS – Monitoring & Detection
Managed Services and Monitoring LIVE here.
WHY is important! WHY you ask?
Most incidents could have been prevented!
(Chart of incident causes: Bad Luck, Technical Controls, Process Deficiencies)
Thinking About Threats
(Quadrant chart; horizontal axis: Increasing Malice or Focus; vertical axis: Increasing Skill)
• Commodity Hackers / Scripters / Malware
• Highly skilled and focused attacks (like Sony or Sands)
• Accidents, errors, staff “just trying to do a job”
• Evil insiders – people with an axe to grind
Why Did A Breach Happen?
• User Action – Errors and Accidents
• Malicious insider or near-insider threats
• Ransomware or Malware
• Commercially tooled criminals
• Highly skilled criminals with custom tools
It CAN Happen
× Vulnerabilities
× Bad Admin Passwords
× Phishing schemes
× Unpatched…everything
Today’s lesson is brought to you by the letter U.
UNDERPREPARED
Hiding In The Herd Doesn’t Work
There Are A Lot Of Lions
A Case Study
Day 1 – The Notice: 45 Machines, 150%
Day 1 Continues: 45 Machines + 20 Machines
Day 1 Continues: 60+ Machines
Day 2 – Incident Response – Scoping
Day 2 – Incident Response
What Happens Next? Decision Time!
• Do we pay?
• Should the Internet be disabled?
• Should the police be engaged?
• What statements of assurance can be made to the ELT, board, stakeholders, staff?
Questions To Be Addressed
• Why this breach?
• Why were we vulnerable?
• Why were the controls weak?
• Why were those elements missing?
• Why wasn’t there any responsibility assigned?
Looking For Causes
• No plan/process
• Little local expertise
• Unpatched systems
• Weak security metrics
• Poor measurement
• Lack of management commitment
• Limited resources
• Unclear accountability/responsibility
• Weak identity and access management
• Decentralized IT
• Poor or No Logging/Monitoring
• Warnings are missed
Outrun The Lions
Start Running…
Get meaningful info about risks/threats
Measure and report info sec risks outside of IT
Report risks in business terms
Develop & present metrics
Don’t sugar coat it
Educate executives every chance you get
Cover The Basics
Harden Endpoints
Identity & Access Management
Patch
Time To Do More
 Segment Networks
 Deploy SIEMs
 Update your Asset Database
 Next Generation Endpoint Tools
 If you don’t have expertise, buy it
Agility Is Key
Thank You

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Último (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

LIFT OFF 2017: Ransomware and IR Overview

  • 11. Targeted Ransomware: No Longer a Future Threat • First campaign observed by Intel Security against the financial sector of a particular country • Early in 2016 we observed a new widespread campaign affecting healthcare organizations, this time with a new modus operandi… • Attackers exploited vulnerable Internet-facing servers through an unpatched vulnerability • Used Sysinternals and open-source tools to harvest AD details and move laterally • Executed the malicious payload (samsam.exe) manually on multiple Windows systems, deleting original files and backups https://blogs.mcafee.com/mcafee-labs/targeted-ransomware-no-longer-future-threat/
  • 13. Why Is Ransomware Growing So Fast? • Explosive growth in unique samples • Ransomware toolkits make it easy for amateurs to create malware and earn extra money • Source code for ransomware publicly available • Polymorphic techniques lead to obfuscation and to signatures that are hard to recognize for detection
  • 14. CryptoWall v3 (Cyber Threat Alliance) • 49 campaign code identifiers • 406,887 attempted infections of CryptoWall version 3 • Estimated $631 million (USD) in damages • 4,046 malware samples • 839 command and control URLs • 5 second-tier IP addresses used for command and control
  • 15. Who's Behind Ransomware Attacks? Wannabe, Affiliate, Organized Crime
  • 16. What Is the Impact of a Ransomware Attack? February 5, 2016: Media reports that Hollywood Presbyterian Medical Center has become the victim of a ransomware attack. Original reports state that staff cannot access the network and that a large ransom is required to regain access to their systems.
  • 17. What Is the Impact of a Ransomware Attack? February 16, 2016: After days without access to their electronic medical records, email and other systems, Hollywood Presbyterian Medical Center pays $17,000 to the attackers.
  • 18. Where Next? You are in Canada? I have been researching about ransomware some, and I had the impression it all came from Russia. Interesting. Is this your main source of income? Midnight on 24th by what time zone? So I can handle it, and you don’t have any more issues. As far as your income question … I don’t even know how you got it. We are hired by corporation to cyber disrupt day-to-day business of their competition. Never have we done anything in Finland, and, since you seem like an individual that got the wrong email to open, I am trying to keep it at the minimum. Interesting. So that’s why the ransom is so low—because you are already getting paid by the corporation, so you are mostly interested in disrupting the business rather than making a lot of money off the ransom? That’s crazy. Is it like a legitimate corporation, and is it well-known? I will try to find an open R-Kioski or Siwa, although it might be tough with the holiday weekend. Paysafe seems like the easiest way for me.
  • 20. IT’s Top Challenges for Hybrid Datacenter Security • Lack of visibility into all computing resources on-premises and off-premises: incomplete visibility into all workloads and data due to Shadow IT and the growth of public and private clouds • Difficulty detecting breaches and remediating any damage that may have occurred: IT needs to assume that attackers do get through • Lack of unified management and reporting across the entire infrastructure and data: cloud infrastructure that isn’t owned or managed by the business; workloads and corporate data in the public cloud
  • 21. Ransomware & Cloud Services • “Children In Film” case (reported by Brian Krebs in Jan 2016)* • The company’s operations run off application cloud services, from QuickBooks to Microsoft Office and Outlook • Employees use Citrix to connect to the cloud, mapping the cloud drive as a local disk • One email, and 30 minutes later, more than 4,000 files were encrypted * http://krebsonsecurity.com/2016/01/ransomware-a-threat-to-cloud-services-too/
  • 22. Top Exposures Resulting in Cloud Tenant Breaches 1. Internet-exposed RDP or SSH endpoints 2. Virtual machine missing security patches 3. Web application vulnerability 4. Weak admin/co-admin credentials 5. Unrestricted SQL endpoint 6. Storage key disclosure 7. Insufficient security monitoring Mark Russinovich (CTO, Microsoft Azure): https://twitter.com/markrussinovich/status/591277863644434432
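Exposures 1 and 5 on the slide above (Internet-exposed RDP/SSH and unrestricted SQL endpoints) are the ones a tenant can find by reading its own firewall rules. The following is an added example, not code from the slides or from any vendor: an offline audit over a constructed, simplified security-group ruleset (not a real provider schema; `aws ec2 describe-security-groups` or an Azure NSG export would be translated into this shape), with the weak ruleset beside a hardened version. The ranges 203.0.113.0/24 (admin VPN) and 10.0.1.0/24 (app tier) are assumed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Ports the slide singles out: Internet-exposed RDP/SSH (exposure 1) and
# unrestricted SQL endpoints (exposure 5).
WATCHED_PORTS: Dict[int, str] = {
    22: "SSH", 3389: "RDP",
    1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL",
}

# Constructed sample, not any provider's real schema: each inbound rule is a
# protocol ("tcp" or "-1" for all traffic), a port range and a list of sources.
WEAK_GROUPS = [
    {"id": "sg-web", "inbound": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "sources": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "sources": ["0.0.0.0/0"]},
    ]},
    {"id": "sg-db", "inbound": [
        {"protocol": "tcp", "from_port": 1433, "to_port": 1433, "sources": ["0.0.0.0/0", "::/0"]},
    ]},
    {"id": "sg-jump", "inbound": [
        # catch-all rule: exposes RDP and SSH without ever naming them
        {"protocol": "-1", "sources": ["0.0.0.0/0"]},
    ]},
]

# The same groups after the fix: SSH/RDP only from the assumed admin VPN range
# (203.0.113.0/24), SQL only from the assumed app-tier subnet (10.0.1.0/24),
# and no catch-all rule. Port 443 stays public because the web tier needs it.
HARDENED_GROUPS = [
    {"id": "sg-web", "inbound": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "sources": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "sources": ["203.0.113.0/24"]},
    ]},
    {"id": "sg-db", "inbound": [
        {"protocol": "tcp", "from_port": 1433, "to_port": 1433, "sources": ["10.0.1.0/24"]},
    ]},
    {"id": "sg-jump", "inbound": [
        {"protocol": "tcp", "from_port": 3389, "to_port": 3389, "sources": ["203.0.113.0/24"]},
    ]},
]


def is_world_open(cidr: str) -> bool:
    """True when the source covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_port_range(rule: dict) -> Tuple[int, int]:
    """Protocol -1 (all traffic) spans every port, whatever the rule states."""
    if rule["protocol"] == "-1":
        return 0, 65535
    return rule["from_port"], rule["to_port"]


def audit(groups: List[dict]) -> List[Tuple[str, int, str, str]]:
    """Return (group id, port, service, source) for every inbound rule that
    exposes a watched port to the whole Internet (IPv4 or IPv6)."""
    findings = []
    for group in groups:
        for rule in group["inbound"]:
            if rule["protocol"] not in ("tcp", "-1"):
                continue
            lo, hi = rule_port_range(rule)
            for src in rule["sources"]:
                if not is_world_open(src):
                    continue
                for port, service in WATCHED_PORTS.items():
                    if lo <= port <= hi:
                        findings.append((group["id"], port, service, src))
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_GROUPS):
        print("EXPOSED: group %s port %d (%s) open to %s" % f)
    print("hardened findings:", audit(HARDENED_GROUPS))
```

Two details matter in practice: a rule with protocol `-1` (or a 0–65535 range) exposes RDP and SSH without mentioning them, and `::/0` is just as world-open as `0.0.0.0/0`, so an audit that only greps for `0.0.0.0/0` on port 3389 misses both cases.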
  • 23. What If the Target Is Not the Tenant, but the Host? What if an attacker is able to compromise the cloud service provider, take advantage of a vulnerability in the provider’s platform/infrastructure, and encrypt and hold hostage the data of 2,000 customers?
  • 24. Is This a Lost Battle?
  • 25. It’s Time to REDEFINE the Game • Adversaries are dominant, and this will not change; and they are already IN, in case you didn’t notice • Therefore, winning requires a new definition, a new security paradigm focused on preventing the attacker’s success • Yes, YOU WIN every time you prevent the attacker from achieving their goal, whatever it is: data exfiltration, holding data hostage, etc. • New game RULES: 1. Detect attacker activity toward the end goal 2. Prevent their success. If they don’t win, YOU WIN!
  • 27. Root Cause: Going Upstream. Lessons Learnt from the Trenches • Victims had flat networks for the most part (no segmentation/segregation) and many open shares • No whitelisting / application control • Deployed security technology is mostly ‘preventive’ and in default mode (block & forget) • Little or no capability to automate the response • No ability to ‘hunt’ for indicators of compromise or indicators of attack (IOCs / IOAs) • Unpatched and legacy systems, including Internet-facing systems on the DMZ • Little or no IR plans in place (never tested/rehearsed)
  • 28. Effective Strategies to Fight Ransomware www.mcafee.com/ransomware
  • 29. Consider the Cloud an Extension of Your Data Center. Identify Your Crown Jewels and Focus on Impact. Do you know where attackers will attempt to pivot? Start with something actionable: • Create a list of prioritized defended assets: domain controllers, mail servers, network infrastructure devices, databases… • Once you have identified your crown jewels, determine who should access them and how • Associate pre-approved IR actions with them: blocking ports, blackholing traffic, disabling accounts, isolating the system, scanning for vulnerabilities, etc. • Focus not only on prevention but also on detecting and reacting to attacks against critical assets
  • 30. Adaptive Security Model. Adapting: Turning Information into Actionable Intelligence! Applied integration, automation, and intelligence • Detect: identify anomalous, outlier behavior; integrate network and endpoint detection; use sandboxes to inspect “grey” files • Protect: patch management; tune endpoint access protection rules; leverage cloud intelligence for signatures and reputation; limit unknown processes • Adapt: apply insights immediately throughout a collaborative infrastructure • Correct: automate triage and response to provide prioritization and fluid investigation; frequent (tested) backups
  • 33. Cloud Security To-Do List. Be Prepared, Increase Visibility and Access Control, and Be Proactive! • Implement whitelisting on your critical servers* and access protection rules on endpoints • Enforce segmentation (security 101) • Use Cloud Access Security Brokers (CASB) in proxy or API mode • Hunt for Indicators of Compromise (IOCs) and Indicators of Attack (IOAs) • Consume actionable Threat Intelligence • Test your backup plan: can you meet your Recovery Time Objective? • Define expectations beforehand (SLAs): what is my Maximum Tolerable Downtime? My Recovery Time Objective? (BCM) • Identify responsibilities across teams/vendors • Don’t assume you have the logs you need; ask for and demand MORE! • Bring your cloud-based logs into your SIEM (IDS, network flows, etc.) • Run vulnerability assessments, pentests & red teaming exercises regularly. Strategies to Mitigate Targeted Cyber Intrusions by the Australian Government: http://www.asd.gov.au/publications/Mitigation_Strategies_2014.pdf
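Slide 11 describes the chain to hunt for (Sysinternals tooling used to move laterally, the payload run by hand on many systems, backups deleted), and the to-do list above asks you to hunt for IOCs and IOAs. The block below is an added example, not code from the slides or from Intel Security: three IOA rules run over a constructed, flattened sample of process-creation events (Windows Security 4688 / Sysmon Event ID 1 fields; not real telemetry). Host names, the `CORP\da.backup` account and the timestamps are invented for the sample; `samsam.exe` is the payload name the slide gives.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of process-creation telemetry (Windows Security 4688 /
# Sysmon Event ID 1, flattened to the fields the rules need). Not real logs.
EVENTS: List[Dict[str, str]] = [
    # benign: an admin pushes one hotfix with PsExec to a single host
    {"ts": "2016-03-28T01:05:00", "host": "IT-ADMIN07", "user": "CORP\\jdoe_adm",
     "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\APP03 -s cmd /c wusa.exe C:\hotfix.msu /quiet"},
    # benign: the nightly backup job (a backup start, not a delete)
    {"ts": "2016-03-28T01:30:00", "host": "FS01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin start backup -backupTarget:E: -quiet"},
    # attacker on the compromised DMZ server fans out with a stolen domain admin
    {"ts": "2016-03-28T02:10:05", "host": "DMZ-WEB01", "user": "CORP\\da.backup",
     "image": r"C:\Windows\Temp\psexec.exe",
     "cmdline": r"psexec.exe \\FS01 -s -c -f C:\Windows\Temp\samsam.exe"},
    {"ts": "2016-03-28T02:10:40", "host": "FS01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"ts": "2016-03-28T02:11:20", "host": "DMZ-WEB01", "user": "CORP\\da.backup",
     "image": r"C:\Windows\Temp\psexec.exe",
     "cmdline": r"psexec.exe \\FS02 -s -c -f C:\Windows\Temp\samsam.exe"},
    {"ts": "2016-03-28T02:11:55", "host": "FS02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"ts": "2016-03-28T02:12:30", "host": "DMZ-WEB01", "user": "CORP\\da.backup",
     "image": r"C:\Windows\Temp\psexec.exe",
     "cmdline": r"psexec.exe \\HR-DB01 -s -c -f C:\Windows\Temp\samsam.exe"},
    # on a target, the payload wipes shadow copies and disables recovery
    {"ts": "2016-03-28T02:13:10", "host": "FS01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2016-03-28T02:13:12", "host": "FS01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
]

# Command lines that destroy the local recovery path before encryption.
BACKUP_DESTRUCTION = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]
# PsExec client invocation: "psexec[64][.exe] \\TARGET ..."
PSEXEC_CLIENT = re.compile(r"\bpsexec(64)?(\.exe)?\s+\\\\(?P<target>[\w.-]+)", re.I)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_psexec_fanout(events, min_targets=3, window=timedelta(minutes=10)):
    """One account driving PsExec at >= min_targets distinct hosts from one
    source inside the window. A single push (the admin above) stays quiet."""
    launches = defaultdict(list)  # (user, source host) -> [(ts, target)]
    for e in events:
        m = PSEXEC_CLIENT.search(e["cmdline"])
        if m:
            launches[(e["user"], e["host"])].append(
                (parse_ts(e["ts"]), m.group("target").upper()))
    hits: List[Tuple[str, str, List[str]]] = []
    for (user, src), items in launches.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            targets = {tgt for t, tgt in items[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits.append((user, src, sorted(targets)))
                break
    return hits


def find_psexec_service(events) -> List[str]:
    """PSEXESVC.exe starting on a host is the server half of PsExec; renaming
    the client binary on the source does not change it (only -r does)."""
    return sorted({e["host"] for e in events
                   if e["image"].lower().endswith("\\psexesvc.exe")})


def find_backup_destruction(events) -> List[Tuple[str, str, str]]:
    return [(e["host"], e["user"], e["cmdline"]) for e in events
            if any(r.search(e["cmdline"]) for r in BACKUP_DESTRUCTION)]


def hunt(events) -> Dict[str, list]:
    return {
        "psexec_fanout": find_psexec_fanout(events),
        "psexec_service_hosts": find_psexec_service(events),
        "backup_destruction": find_backup_destruction(events),
    }


if __name__ == "__main__":
    for rule, hits in hunt(EVENTS).items():
        print(rule, "->", hits)
```

The fan-out rule is the one that separates the attacker from the administrator who uses the same tool: both run PsExec, but only one account touches several hosts from a single source in a few minutes. The backup-destruction rule fires on the target and is the last chance before files are encrypted, which is why the slide pairs hunting with tested backups.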
  • 34. Evaluate and Rehearse Your IR Program. Maturity requires experience, which comes with exposure to the real world. Rehearse and coordinate an emergency response across all business units: legal, HR, PR, office of the CIO, CEO, etc., including LE, vendors, and cloud providers. Incorporate lessons learnt into your program. Many of the organizations we meet with have IR plans, but they’re not rehearsed against real-world scenarios. Use tabletop exercises, red team / blue team, and dry runs to test your IR plans.
  • 35. You CAN survive a Ransomware attack!
  • 36. Matt Anthony VP Incident Response, Herjavec Group
  • 37. Let’s Talk Incident Response  The first 24 hours  The first few days  Answering some tough questions – or not.  Are you ready?  What Does Ready Mean?  How to be less vulnerable and more resilient
  • 39. MSS – Monitoring & Detection Managed Services and Monitoring LIVE here.
  • 41. WHY, you ask? Most incidents could have been prevented! (chart: Bad Luck / Technical Controls / Process Deficiencies)
  • 42. Thinking About Threats (axes: increasing skill; increasing malice or focus) Commodity hackers / scripters / malware; Highly skilled and focused attacks (like Sony or Sands); Accidents, errors, staff “just trying to do a job”; Evil insiders: people with an axe to grind
  • 43. Why Did a Breach Happen? Errors and accidents; User action; Malicious insider or near-insider threats; Ransomware or malware; Commercially tooled criminals; Highly skilled criminals with custom tools
  • 44. It CAN Happen × Vulnerabilities × Bad admin passwords × Phishing schemes × Unpatched… everything. Today’s lesson is brought to you by the letter U: UNDERPREPARED
  • 45. Hiding In The Herd Doesn’t Work
  • 46. There Are A Lot Of Lions
  • 47. A Case Study, Day 1: The Notice (45 machines; 150%)
  • 48. A Case Study, Day 1 Continues (45 machines + 20 machines)
  • 49. A Case Study, Day 1 Continues (60+ machines)
  • 50. A Case Study, Day 2: Incident Response – Scoping
  • 51. A Case Study, Day 2: Incident Response
  • 52. What Happens Next? Decision Time! • Do we pay? • Should the Internet be disabled? • Should the police be engaged? • What statements of assurance can be made to the ELT, board, stakeholders, staff?
  • 53. Questions To Be Addressed • Why this breach? • Why were we vulnerable? • Why were the controls weak? • Why were those elements missing? • Why wasn’t there any responsibility assigned?
  • 54. Looking For Causes • No plan/process • Little local expertise • Unpatched systems • Weak security metrics • Poor measurement • Lack of management commitment • Limited resources • Unclear accountability/responsibility • Weak identity and access management • Decentralized IT • Poor or No Logging/Monitoring • Warnings are missed
  • 56. Start Running… Get meaningful info about risks/threats; Measure and report infosec risks outside of IT; Report risks in business terms; Develop & present metrics; Don’t sugar-coat it; Educate executives every chance you get
  • 57. Cover The Basics Harden Endpoints Identity & Access Management Patch
  • 58. Time To Do More  Segment Networks  Deploy SIEMs  Update your Asset Database  Next Generation Endpoint Tools  If you don’t have expertise, buy it

Editor’s Notes

  1. BEFORE YOU BEGIN Learn the material and be ready to present it in your own words. Do a dry-run presentation in advance. Customize the presentation – your name, relevant vendor logos, relevant customer logos. Pre-load the presentation on to your laptop – your setup must be smooth. The videos to be played are not embedded – you must queue it up ahead of time. Make sure the video works – including volume on, and loud enough. If your video does not work, it undermines your presentation. If there are more than two people in the room, YOU NEED SPEAKERS. The audience must be able to hear. Have a specific agenda in mind before you begin (page two). NEVER start the presentation unless you have a rough idea of where the customer wants to go with the discussion. ASK the question before you start – to reconfirm expectations. Reconfirm your time limit with the customer. Ascertain the KEY person watching the presentation – make eye contact with them throughout. NEVER FORGET: the purpose of the presentation is to engage with the customer – if they want to take your presentation on a different route, let them. The purpose of the presentation is NOT to hear yourself talk. Once you achieve your perceived agenda, ask yourself if it’s really necessary to continue. Don’t worry about dropping slides that don’t meet your agenda! WELCOME SLIDE Introduce yourself. Thank everyone for coming – always thank people! Ask, “before I begin, is there anything specific that you want me to address” beyond what you already know to be the topic.
  2. Continue talking about ransomware and based on what we’ve seen over the last 2 years..
  3. Fasten your seatbelts! Hypothetical scenario which is maybe not too far from the reality we see right now
  4. A computer on your network gets compromised (via a malicious attachment, watering hole attack, malvertising, etc.), evading perimeter protections, antispam gateways, proxies and ultimately your AV. After establishing contact with the C&C, the attacker changes the usual tactic: instead of encrypting the victim’s endpoint, it is used to pivot to a higher-value target. Stolen credentials are used to move to the cloud.
  5. And what is the best response you can give… (taken)
  6. My Career So Far - This is a pretty accurate description… of what a malware, incident response and forensics specialist looks like What do we do?
  7. It feels like we are putting out more fires every day, with fewer resources. There was a time when it was something ALMOST ROMANTIC… oh, an incident! We have seen enough of these to see a clear pattern, both in the organizations we have helped with our IR/Forensics services and in the ones we have helped with creating/improving their IR Program.
  8. Attackers have different goals, they are not always AFTER data exfiltration…
  9. On each system several tools were used to find, encrypt, and delete the original files as well as any backups. These tools included utilities from Microsoft Sysinternals and parts of open-source projects. After the encryption of the files, a ransom note appears, demanding a payment in Bitcoins to retrieve the files.
  10. Ransomware is growing. Not just in volume, but in sophistication. We have started to see the shift from only consumers to soft-target organizations and businesses like hospitals, universities and police stations
  11. There is a whole economy behind it. Wannabe: starter / less sophisticated. Affiliate: part of a pyramid scheme, used to distribute ransomware to a large number of people, paying the creators a fee, pretty much like a franchise.
  12. 11 days later… you pay the ransom. Is it over? Hundreds or thousands of machines with different decryption keys, and you have to handle each one manually. What if there’s a glitch in the algorithm? Do you have backups? How long does it take you to recover them? We have started to see the shift from only consumers to soft-target organizations and businesses like hospitals, universities and police stations.
  13. This brings additional challenges: the problem of Shadow IT. I may spin up an instance in AWS and no one knows about it. Do you have the same level of controls in your cloud as in your organization? Treat the cloud as an extension of your own DC. Do you bring those logs into your SIEM?
  14. Cybercriminals, competitors, vigilante justice seekers, and nation-states will increasingly target cloud services platforms to exploit companies, not only to steal valuable and confidential data but also to hold it hostage. The cloud provider that Casala’s company is using was keeping daily backups, but she said it still took them almost a week to fully restore all of the files that were held hostage. She said the hosting service told her that the malware also disrupted operations for other customers on the same server.
  15. Intel image library
  16. In order to PREVENT the Exfil, you have to see it first!
  17. Parable of the three friends, well known in the healthcare community. The 1st friend jumps right in: let’s save those that are drowning first, pull them to the shore. The 2nd friend: let’s build a raft, so we can save more and prevent them from getting to the waterfall. The 3rd friend swims upstream, saving kids as she goes: I need to find WHO or WHAT is throwing kids in the river. “Upstreamists”: health starts where we live, in our houses, where we work, where we sleep, where we spend the majority of our time. The 1st friend is the Incident Responder in the field, the 2nd the Security Architect; we need more of the 3rd, the Threat Researcher, the experienced analyst that knows the threat landscape, IR/forensics, attacker techniques and business processes, to look at root cause.
  18. High decentralization of data/systems (mobile + web + cloud + BYOD), coupled with data center consolidation (virtualization) and the increasing number of security devices and agents that we deploy in our networks, which generate loads of events that need to be continuously tuned and managed, produces more data than we can possibly ingest. Too much data generates noise, noise leads to stress and confusion, and that doesn’t help a faster reaction. Attackers LOVE noise, because it’s easier to hide their malicious activities in a noisy environment. We need to refocus our efforts, moving from prevention to detection and reaction, and focusing on the critical assets.
  19. ADAPT – an unknown file will be inspected in a sandbox and if malicious it should be reported to all tools (network and endpoints) to contain and eradicate automatically, triggering a workflow to triage/collect artifacts for forensics purposes
  20. If you are on PaaS you’re effectively on shared resources, meaning you may not have access to IDS logs, etc. Whitelisting is the most effective control.
  21. Evaluate and REHEARSE against real-world scenarios. TTX: involve all stakeholders. Even if you decide to pay the ransom, you may need to coordinate a huge recovery task (getting bitcoins, multiple keys, across different platforms, etc.). That moment is not the best one to coordinate resources and improvise!
  23. Reinforce that we are specialists in information security – today you want to provide a scope of our core competencies and services. Make mention of Robert Herjavec as our founder and CEO Talk about how we are passionate about security and lead into that we are experts – who have been doing this a long time.
  26. Most incidents could be prevented. I make this claim because: I have never left a client site with the comment: “Bad luck, nothing you could have done.” Technical controls and processes are almost always deficient Most breaches have technical root causes; unpatched Java, Flash, or using “Passw0rd” for your common local admin PW. Most breaches also have management root causes; lack of coherent risk information, or lack of commitment. There is no defense that you can depend on from a highly-skilled and focused attacker – but they are relatively rare, and even then, they may not have to use elite techniques.
  28. Everyone is a potential victim. Most victims are simply vulnerable. Bad Admin passwords Bad user passwords Phishing vulnerabilities Unpatched… everything Think about all the high-profile breaches; there is a theme of being underprepared. Is that obvious? Not saying the good don’t get hacked, but… they have to be more unlucky, or more directly targeted.
29. Day 1 – The notice. An alert is raised from log and activity monitoring. It is Severity 1: 45 machines on your network have attempted to contact a site known to host malicious content. Further alerts show that your network traffic is at 150% of baseline. Your service desk has had a rash of unexplained reboots and “system is slow” reports.
30. Day 1 – continues. Preliminary analysis begins. IT teams examine several suspected machines, but don’t find anything. Firewall analysis continues to show unusual outbound connection attempts. 20 machines are added to the list.
31. Day 1 – continues. A breach is confirmed: more than 60 machines have been affected. Endpoint protection hasn’t flagged anything, but the infection continues to spread. The CISO and CIO are informed, and the IT team begins to re-image machines to attempt to contain the spread. The CIO and CISO determine that the incident is too complex for the IT team and engage the HG IR team.
32. Day 2 – Incident Response: Scoping. The IR team begins a timeline: exactly what is known and what has been done. Logging and recording of all actions and decisions is started. An incident control room is established as a centre of control and technical activity. Forensic copies of affected machines are made, and analysis begins to attempt to understand the incident. Firewall and network traffic are analyzed to determine if there are any anomalies. Outbound connections are encrypted.
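The Day 1 alerts and the Day 2 scoping step above can be reproduced in a few lines of log analysis. The following is an added example, not code from the deck or from Herjavec Group: it parses constructed firewall log lines, counts how many distinct hosts contacted a blocklisted site, compares observed traffic with a baseline, and keeps an append-only incident timeline. The domains, IP addresses, byte counts, blocklist and thresholds are all made up for illustration.

```python
"""Triage the scenario's Day 1 alerts over constructed firewall log lines.

Added example; every host, domain and number here is constructed, not data
from a real incident.
"""
from collections import defaultdict
from datetime import datetime

# Constructed log lines in the form "<timestamp> <src_ip> <dst_domain> <bytes>".
SAMPLE_LOG = """\
2017-03-01T08:02:11 10.0.1.15 updates.example-vendor.test 1200
2017-03-01T08:02:14 10.0.1.22 bad-host.example.test 540
2017-03-01T08:02:19 10.0.1.23 bad-host.example.test 540
2017-03-01T08:02:21 10.0.1.15 bad-host.example.test 540
2017-03-01T08:03:02 10.0.2.40 payload.example.test 91000
2017-03-01T08:03:05 10.0.2.41 payload.example.test 91000
2017-03-01T08:03:40 10.0.1.22 intranet.example-corp.test 800
2017-03-01T08:04:10 10.0.1.22 bad-host.example.test 540
"""

# Constructed blocklist standing in for "a site known to host malicious content".
KNOWN_BAD = {"bad-host.example.test", "payload.example.test"}


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            events.append({"ts": datetime.fromisoformat(ts), "src": src,
                           "dst": dst, "bytes": int(nbytes)})
        except ValueError:
            continue
    return events


def hosts_contacting_bad_sites(events, blocklist=KNOWN_BAD):
    """Map each blocklisted domain to the set of source hosts that reached it."""
    contacts = defaultdict(set)
    for e in events:
        if e["dst"] in blocklist:
            contacts[e["dst"]].add(e["src"])
    return dict(contacts)


def traffic_ratio(events, baseline_bytes):
    """Observed bytes as a fraction of the expected baseline for the window."""
    total = sum(e["bytes"] for e in events)
    return total / baseline_bytes if baseline_bytes else float("inf")


def triage(text, baseline_bytes, host_threshold=3, ratio_threshold=1.5):
    """Raise the two alerts from the scenario: known-bad contacts, traffic spike."""
    events = parse_log(text)
    contacts = hosts_contacting_bad_sites(events)
    affected = set().union(*contacts.values()) if contacts else set()
    ratio = traffic_ratio(events, baseline_bytes)
    alerts = []
    if len(affected) >= host_threshold:  # many hosts hitting the same bad site
        alerts.append({"severity": 1, "type": "known-bad contact",
                       "hosts": sorted(affected)})
    if ratio >= ratio_threshold:         # e.g. 150% of baseline in the deck
        alerts.append({"severity": 2, "type": "traffic above baseline",
                       "ratio": round(ratio, 2)})
    return {"affected_hosts": sorted(affected),
            "traffic_ratio": round(ratio, 2), "alerts": alerts}


class IncidentTimeline:
    """Append-only record of what is known and what was done (Day 2 scoping)."""

    def __init__(self):
        self._entries = []

    def record(self, when, actor, action):
        self._entries.append({"when": datetime.fromisoformat(when),
                              "actor": actor, "action": action})
        return len(self._entries)

    def entries(self):
        # Sorted by time so late-added facts fall into their real position.
        return sorted(self._entries, key=lambda e: e["when"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, baseline_bytes=100000)
    print(result)
    tl = IncidentTimeline()
    tl.record("2017-03-01T08:05:00", "SOC", "Sev 1 alert: hosts contacting known-bad site")
    tl.record("2017-03-01T09:30:00", "IT", "Began re-imaging affected machines")
    print(tl.entries())
```

In practice the blocklist comes from a threat-intelligence feed and the baseline from the SIEM's own history; the point of the example is that the first alert needs only a count of distinct sources per bad destination, and that the timeline is worth starting before anyone touches a machine.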
33. Day 2 – Incident Response. A ransom demand is received by email. This confirms that the attack is ongoing, and there is a claim that hundreds of gigabytes of data have been stolen. The ransom is 100 BTC – around $110,000. The IR team begins a deep dive.
34. What happens next? The company must decide if paying the ransom is possible or reasonable. The company must validate the impact of the breach. The IR team must find and identify the source of the breach. Should the Internet be disabled? Should the police be engaged? What statements of assurance can be made to the ELT, board, stakeholders, and staff?
35. Get account management/identity under control: get strong at onboarding and offboarding users; get stronger at privileged account management; get stronger at “least privilege”. Patch: while zero-days are out there, we see some pretty old exploits getting used successfully. Harden your endpoints: upgrade OS and browsers, disable Flash, don’t put admin tools on endpoints, use a dedicated VM for admin. Don’t let privileged accounts do anything except admin; use separate “general use” accounts.
36. What can you do? Segment networks. Deploy SIEMs; send and analyze logs for every important system. If you don’t have expertise, buy it. Have an up-to-date asset database. Deploy next-generation endpoint tools. Get more agile with deployment of tools and techniques – your attackers are!
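The account-hygiene advice above (separate admin and general-use accounts, a dedicated admin VM, solid offboarding) and the "send and analyze logs" advice can be checked with one SIEM-style rule over logon records. The following is an added example, not code from the deck or from Herjavec Group; the account names, hosts, processes, the list of privileged accounts, the admin-VM list and the staff roster are all constructed for illustration.

```python
"""Audit logon records for privileged-account misuse and offboarding gaps.

Added example; accounts, hosts, processes and rosters are constructed.
"""
from collections import namedtuple

Logon = namedtuple("Logon", "user host host_role process")

# Constructed inventory: accounts with admin rights, dedicated admin VMs,
# which person owns each admin account, and who is still an active employee.
PRIVILEGED = {"adm-jsmith", "adm-backup"}
ADMIN_HOSTS = {"admvm01"}
OWNERS = {"adm-jsmith": "jsmith", "adm-backup": "svc-backup"}
ACTIVE_STAFF = {"jsmith", "tjones", "svc-backup"}
# General-use programs an admin account has no business running.
GENERAL_USE = {"chrome.exe", "firefox.exe", "outlook.exe", "winword.exe"}

# Constructed logon records as a SIEM might receive them.
SAMPLE_LOGONS = [
    Logon("jsmith", "ws-117", "workstation", "chrome.exe"),      # fine: general account
    Logon("adm-jsmith", "admvm01", "admin-vm", "mmc.exe"),       # fine: admin on admin VM
    Logon("adm-jsmith", "ws-117", "workstation", "chrome.exe"),  # browsing as admin
    Logon("adm-backup", "srv-db02", "server", "sqlbackup.exe"),  # fine
    Logon("adm-backup", "ws-042", "workstation", "outlook.exe"), # admin reading mail
    Logon("mlee", "ws-090", "workstation", "excel.exe"),         # owner no longer on staff
]


def audit(logons, privileged=PRIVILEGED, active_staff=ACTIVE_STAFF,
          owners=OWNERS, general_use=GENERAL_USE):
    """Return (user, host, reason) findings for each rule the advice implies."""
    findings = []
    for lg in logons:
        is_priv = lg.user in privileged
        # Rule 1: privileged accounts belong on admin VMs and servers, not workstations.
        if is_priv and lg.host_role == "workstation":
            findings.append((lg.user, lg.host,
                             "privileged account logged on to a workstation"))
        # Rule 2: privileged accounts do admin only; no browser, mail or office apps.
        if is_priv and lg.process.lower() in general_use:
            findings.append((lg.user, lg.host,
                             f"privileged account ran general-use program {lg.process}"))
        # Rule 3: every account maps to an active person or service; otherwise
        # offboarding has a gap.
        if owners.get(lg.user, lg.user) not in active_staff:
            findings.append((lg.user, lg.host,
                             "account owner not on active roster (offboarding gap)"))
    return findings


def accounts_needing_review(findings):
    """Distinct accounts that produced at least one finding."""
    return sorted({user for user, _, _ in findings})


if __name__ == "__main__":
    for user, host, reason in audit(SAMPLE_LOGONS):
        print(f"{user:12} {host:10} {reason}")
    print("review:", accounts_needing_review(audit(SAMPLE_LOGONS)))
```

The rules are deliberately simple: the value comes from having the asset database (host roles), the identity inventory (who is privileged, who owns what) and the logon logs in one place, which is exactly what the advice to keep an up-to-date asset database and feed logs to a SIEM makes possible.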
38. BEFORE YOU BEGIN. Learn the material and be ready to present it in your own words. Do a dry-run presentation in advance. Customize the presentation – your name, relevant vendor logos, relevant customer logos. Pre-load the presentation onto your laptop – your setup must be smooth. The videos to be played are not embedded – you must cue them up ahead of time. Make sure the video works, including volume on and loud enough. If your video does not work, it undermines your presentation. If there are more than two people in the room, YOU NEED SPEAKERS. The audience must be able to hear. Have a specific agenda in mind before you begin (page two). NEVER start the presentation unless you have a rough idea of where the customer wants to go with the discussion. ASK the question before you start, to reconfirm expectations. Reconfirm your time limit with the customer. Ascertain the KEY person watching the presentation and make eye contact with them throughout. NEVER FORGET: the purpose of the presentation is to engage with the customer – if they want to take your presentation on a different route, let them. The purpose of the presentation is NOT to hear yourself talk. Once you achieve your perceived agenda, ask yourself if it’s really necessary to continue. Don’t worry about dropping slides that don’t meet your agenda! WELCOME SLIDE. Introduce yourself. Thank everyone for coming – always thank people! Ask, “Before I begin, is there anything specific that you want me to address?” beyond what you already know to be the topic.