Presentation by Ismael Valenzuela of Intel Security about ransomware and how enterprises can design their incident response to mitigate ransomware threats, with a focus on attacks that reach into cloud services.
Ismael Valenzuela, GSE #132 – Global Director, Foundstone Consulting Services
Prediction 2017: I survived a ransomware attack in my cloud!
www.mcafee.com/ransomware
Today’s Questions…
Are we really far from this?
How can we pre-empt, contain and mitigate these attacks?
What can we learn from the trenches, and how can we apply it to cloud-based attacks?
I don't know who you
are. I don't know
what you want.
If you are looking for
ransom, I can tell you
I don't have money.
But what I do have
are a very particular
set of skills…
…skills that make me
a nightmare for
people like you.
Taken (2008)
A Day in the Life of a Cyber Incident Responder
My 15+ year Career in CyberSecurity
Twitter: @aboutsecurity
Computer Geek
(Linux User)
PenTester
(Shell Rockstar)
Forensicator, IR &
Threat Researcher
(Sleep Deprivation)
Intel Security
Speaker & SANS Instructor
(lots of Photoshop)
We’ve Been on a Few of These…
Hundreds of cases in the last few years, many involving ransomware
The threat landscape keeps evolving, over and over again…
How Would You Run Your Organization Without Computers?
What the media is not telling you:
– Attackers have been burning down the house as they walked out of the door
• Saudi Aramco (2012)
• South Korea (2013)
• Sony (2014)
• Many other unpublicized ones in 2014 & 2015
• What has been the trend in the last year?
• And more importantly, what can we expect going forward?
Targeted Ransomware: No Longer a Future Threat
• First campaign observed by Intel Security against the financial sector of a particular country
• Early in 2016 we observed a new widespread campaign affecting healthcare organizations, this time with a new modus operandi:
– Attackers exploited vulnerable Internet-facing servers through an unpatched vulnerability
– Used Sysinternals and open-source tools to harvest AD details and move laterally
– Executed the malicious payload (samsam.exe) manually on multiple Windows systems, deleting original files and backups
https://blogs.mcafee.com/mcafee-labs/targeted-ransomware-no-longer-future-threat/
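The lateral-movement step above (Sysinternals tooling pushed from host to host under one account) leaves a distinctive trace: PsExec installs its PSEXESVC service on each target, which Windows logs as a System event ID 7045. The following hunt is an added example written for this page, not code from the presentation or from Intel Security. It runs over a constructed list of 7045-shaped records; the field names, the sample data, the non-PsExec tool patterns and the thresholds are assumptions for the demo.

```python
"""Hunt for Sysinternals-style lateral movement in Windows service-install events.

Added example, not code from the presentation or from Intel Security.
Input is a constructed list of records shaped like Windows System log
Event ID 7045 ("A service was installed in the system"), which PsExec
triggers on the target when it drops its PSEXESVC service. The record
field names, the sample data, the extra tool names and the thresholds
are assumptions made for this demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: one dict per service-install event (invented data).
SAMPLE_EVENTS = [
    {"host": "FS01", "time": "2016-03-01T02:11:04", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe",
     "account": r"CORP\svc_backup"},
    {"host": "DC01", "time": "2016-03-01T02:12:40", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe",
     "account": r"CORP\svc_backup"},
    {"host": "WS117", "time": "2016-03-01T02:13:05", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe",
     "account": r"CORP\svc_backup"},
    {"host": "WS042", "time": "2016-03-01T09:30:00", "event_id": 7045,
     "service_name": "VMTools",
     "image_path": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "account": "LocalSystem"},
    {"host": "WS042", "time": "2016-03-01T09:31:00", "event_id": 7044,  # not an install event
     "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe",
     "account": "LocalSystem"},
]

# PSEXESVC is PsExec's own service name; the other patterns (PAExec, RemCom
# clones) are assumptions for the demo and should come from your own intel.
SUSPICIOUS_SERVICE_RE = re.compile(r"^(PSEXESVC|PAExec.*|RemCom.*)$", re.IGNORECASE)
SUSPICIOUS_PATH_RE = re.compile(r"\\(PSEXESVC|PAExec[^\\]*|RemComSvc)\.exe$", re.IGNORECASE)

# Assumed thresholds: one account installing remote-exec services on this
# many distinct hosts inside the window is treated as lateral movement.
HOST_THRESHOLD = 3
WINDOW_MINUTES = 30


def suspicious_installs(events):
    """Return 7045 records whose service name or binary looks like remote-exec tooling."""
    hits = []
    for e in events:
        if e.get("event_id") != 7045:
            continue
        if SUSPICIOUS_SERVICE_RE.match(e["service_name"]) or SUSPICIOUS_PATH_RE.search(e["image_path"]):
            hits.append(e)
    return hits


def lateral_movement_accounts(events, host_threshold=HOST_THRESHOLD, window_minutes=WINDOW_MINUTES):
    """Map account -> sorted hosts for accounts that installed remote-exec
    services on >= host_threshold distinct hosts within any window_minutes span."""
    by_account = defaultdict(list)
    for e in suspicious_installs(events):
        by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for account, installs in by_account.items():
        installs.sort()  # chronological, so every entry in installs[i:] is >= t0
        for i, (t0, _) in enumerate(installs):
            hosts = {h for t, h in installs[i:] if t - t0 <= window}
            if len(hosts) >= host_threshold:
                flagged[account] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for account, hosts in lateral_movement_accounts(SAMPLE_EVENTS).items():
        print(f"possible lateral movement by {account}: {', '.join(hosts)}")
```

The sliding window matters: a backup or deployment account legitimately installs services, but not on three servers in two minutes at 02:00. Feed the same logic with your own 7045 records (forwarded to the SIEM, which the to-do list later in this deck insists on) and tune the window and host count to your environment.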
Why Is Ransomware Growing So Fast?
• Explosive growth in unique samples (chart: 2010, 2013, 2016)
• Rootkit programs make it easy for amateurs to create malware and earn extra money
• Source code for ransomware is publicly available
• Polymorphic techniques obfuscate samples, so signatures are hard to recognize for detection
CryptoWall v3 (CyberThreat Alliance figures)
• 49 campaign code identifiers
• 406,887 attempted infections of CryptoWall version 3
• Estimated $631 million (USD) in damages
• 4,046 malware samples
• 839 command and control URLs
• 5 second-tier IP addresses used for command and control
What is The Impact of a Ransomware Attack?
February 5, 2016: Media reports that Hollywood Presbyterian Medical Center has become victim to a ransomware attack. Original reports state that staff cannot access the network and that a large ransom is required to regain access to their system.
What is The Impact of a Ransomware Attack?
February 16, 2016: After days without access to their electronic medical records, email and other systems, Hollywood Presbyterian Medical Center pays $17,000 to hackers.
Where Next?
You are in Canada? I have been researching about ransomware some, and I had the impression it all came
from Russia. Interesting. Is this your main source of income? Midnight on 24th by what time zone?
So I can handle it, and you don’t have any more issues. As far as your income question … I don’t even know how
you got it. We are hired by corporation to cyber disrupt day-to-day business of their competition. Never have we
done anything in Finland, and, since you seem like an individual that got the wrong email to open, I am trying to
keep it at the minimum.
Interesting. So that’s why the ransom is so low—because you are already getting paid by the corporation, so
you are mostly interested in disrupting the business rather than making a lot of money off the ransom? That’s
crazy. Is it like a legitimate corporation, and is it well-known? I will try to find an open R-Kioski or Siwa,
although it might be tough with the holiday weekend. Paysafe seems like the easiest way for me.
IT’s Top Challenges for Hybrid Datacenter Security
Lack of visibility into all computing resources on-premises and off-premises
• Incomplete visibility into all workloads and data due to Shadow IT and the growth of public and private clouds
Difficulty detecting breaches and remediating any damage that may have occurred
• IT needs to assume that hackers do get through
Lack of unified management and reporting across the entire infrastructure and data
• Cloud infrastructure that isn’t owned or managed by the business
• Workloads and corporate data in the public cloud
Ransomware & Cloud Services
• “Children In Film” case (reported by Brian Krebs in Jan 2016)*
• The company’s operations run off application cloud services, from QuickBooks to Microsoft Office and Outlook.
• Employees use Citrix to connect to the cloud, mapping the cloud drive as a local disk.
• One email, and 30 minutes later, more than 4,000 files encrypted
* http://krebsonsecurity.com/2016/01/ransomware-a-threat-to-cloud-services-too/
Top Exposures Resulting in Cloud Tenant Breaches
1. Internet Exposed RDP or SSH Endpoints
2. Virtual Machine Missing Security Patches
3. Web Application Vulnerability
4. Weak Admin/Co-Admin Credentials
5. Unrestricted SQL Endpoint
6. Storage Key Disclosure
7. Insufficient Security Monitoring
Mark Russinovich (CTO, Microsoft Azure):
https://twitter.com/markrussinovich/status/591277863644434432
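Several items on this list (Internet-exposed RDP or SSH, an unrestricted SQL endpoint, a disclosed storage key) can be checked mechanically before an attacker does it for you. The script below is an added example written for this page, not code from the presentation or from any cloud vendor. It audits a constructed, vendor-neutral list of inbound firewall rules and scans a constructed config snippet for leaked keys. The rule field names, the sample rules, the extra tool names and the fake key values are assumptions; the AccountKey= field follows the documented Azure storage connection-string format, and AKIAIOSFODNN7EXAMPLE is AWS's published example key ID.

```python
"""Audit a cloud tenant for Internet-exposed admin/SQL ports and disclosed keys.

Added example, not from the presentation. Works on two constructed inputs:
a vendor-neutral list of inbound firewall / network security group rules
and a snippet of application config. Rule field names (protocol, ports,
source) and the sample data are assumptions for this demo.
"""
import re
from ipaddress import ip_network

# Constructed inbound rules (invented data).
SAMPLE_RULES = [
    {"name": "allow-ssh-anywhere", "protocol": "tcp", "ports": "22", "source": "0.0.0.0/0"},
    {"name": "allow-rdp-office", "protocol": "tcp", "ports": "3389", "source": "203.0.113.0/24"},
    {"name": "allow-rdp-any", "protocol": "tcp", "ports": "3389", "source": "*"},
    {"name": "allow-sql-any", "protocol": "tcp", "ports": "1433-1434", "source": "0.0.0.0/0"},
    {"name": "allow-https", "protocol": "tcp", "ports": "443", "source": "0.0.0.0/0"},
    {"name": "allow-all-internal", "protocol": "*", "ports": "*", "source": "10.0.0.0/8"},
]

# Constructed config snippet. The AccountKey value is base64 of the alphabet
# and digits (a fake), and the AWS key ID is AWS's documented example value.
SAMPLE_CONFIG = """
DefaultEndpointsProtocol=https;AccountName=acmeprod;AccountKey=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODk=;EndpointSuffix=core.windows.net
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
log_level = info
"""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
SQL_PORTS = {1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}

SECRET_PATTERNS = {
    "Azure storage AccountKey": re.compile(r"AccountKey=([A-Za-z0-9+/]{40,}={0,2})"),
    "AWS access key id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
}


def _is_internet(source):
    """True when a rule's source means 'anywhere': a wildcard or a /0 network."""
    if source.strip() in ("*", "any", "Internet"):
        return True
    try:
        return ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False


def _ports(spec):
    """Expand '22', '1433-1434' or '*' into a set of port numbers."""
    spec = spec.strip()
    if spec == "*":
        return set(range(0, 65536))
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return set(range(lo, hi + 1))
    return {int(spec)}


def find_exposures(rules):
    """Return (rule name, finding) pairs for admin or SQL ports open to the Internet."""
    findings = []
    for r in rules:
        if not _is_internet(r["source"]):
            continue
        ports = _ports(r["ports"])
        for port, label in ADMIN_PORTS.items():
            if port in ports:
                findings.append((r["name"], f"Internet-exposed {label} ({port})"))
        for port, label in SQL_PORTS.items():
            if port in ports:
                findings.append((r["name"], f"Unrestricted SQL endpoint {label} ({port})"))
    return findings


def find_disclosed_keys(text):
    """Return (kind, redacted value) for credential-looking strings in config text."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1)
            hits.append((kind, value[:4] + "..." + value[-4:]))  # never log the full key
    return hits


if __name__ == "__main__":
    for name, finding in find_exposures(SAMPLE_RULES):
        print(f"[rule {name}] {finding}")
    for kind, redacted in find_disclosed_keys(SAMPLE_CONFIG):
        print(f"[config] {kind} disclosed: {redacted}")
```

The rule check deliberately treats both 0.0.0.0/0 and the "*" wildcard as Internet sources, because providers spell "anywhere" differently; a port range that merely touches 1433 is still flagged. Wire the same checks into the pipeline that deploys the rules, so the finding blocks the change rather than landing in a quarterly report.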
What If The Target is Not the Tenant, but The Host?
What if an attacker is able to compromise the cloud service provider itself: take advantage of a vulnerability in the provider’s platform/infrastructure, then encrypt and hold hostage the data of 2,000 customers?
It’s time to REDEFINE the game
Adversaries are dominant, and this will not change
• And they are already IN, in case you didn’t notice
Therefore, winning requires a ‘new definition’, a new security paradigm, focused on preventing the attacker’s success
Yes, YOU WIN every time you prevent the attacker from achieving their goal, whatever it is: data exfiltration, holding data hostage, etc.
New game RULES
1. Detect attacker activity toward the end goal
2. Prevent their success
If they don’t win, YOU WIN!
Root Cause: Going Upstream
Lessons Learned from the Trenches
Victims had flat networks for the most part (no segmentation/segregation) and many open shares
No whitelisting / application control
Deployed security technology is mostly ‘preventive’ and left in default mode (block & forget)
Little or no capability to automate the response
No ability to ‘hunt’ for indicators of compromise or indicators of attack (IOCs / IOAs)
Unpatched and legacy systems, including Internet-facing systems in the DMZ
Little or no IR plans in place (never tested/rehearsed)
Consider the Cloud an Extension of your Data Center
Identify your Crown Jewels and Focus on Impact
Do you know where attackers will attempt to pivot?
Start with something actionable:
• Create a list of prioritized defended assets: domain controllers, mail servers, network infrastructure devices, databases...
• Once you have identified your crown jewels, determine who should access them and how.
• Associate pre-approved IR actions with them: blocking ports, blackholing traffic, disabling accounts, isolating the system, scanning for vulnerabilities, etc.
• Focus not only on prevention but also on detecting and reacting to attacks against critical assets
Adaptive Security Model
Adapting: Turning Information into Actionable Intelligence!
Applied integration, automation, and intelligence
Detect – Identify anomalous, outlier behavior, integrate network and endpoint detection, use sandboxes to inspect “grey” files
Protect – Patch management, tune endpoint access protection rules, leverage cloud intelligence for signatures and reputation, limit unknown processes
Adapt – Apply insights immediately throughout a collaborative infrastructure
Correct – Automate triage and response to provide prioritization and fluid investigation, frequent (tested) backups
Cloud Security To-Do List
Implement whitelisting on your critical servers* and access protection rules on endpoints
Enforce segmentation (security 101)
Use Cloud Access Security Brokers (CASB) in proxy or API mode
Hunt for Indicators of Compromise (IOCs) and Indicators of Attack (IOAs)
Consume actionable Threat Intelligence
Test your backup plan. Can you meet your Recovery Time Objective?
Define expectations beforehand (SLAs): What is my Maximum Tolerable Downtime? My Recovery Time Objective? (BCM)
Identify responsibilities across teams/vendors
Don’t assume you have the logs you need. Ask and demand MORE!
Bring your cloud-based logs into your SIEM (IDS alerts, network flows, etc.)
Run vulnerability assessments, pentests & red team exercises regularly
Be Prepared, Increase Visibility and Access Control, and Be Proactive!
* Strategies to Mitigate Targeted Cyber Intrusions, Australian Government (ASD) – http://www.asd.gov.au/publications/Mitigation_Strategies_2014.pdf
Maturity requires experience, which comes with exposure to the real world
Evaluate and Rehearse your IR Program
Rehearse and coordinate an emergency response across all business units: legal, HR, PR, office of the CIO, CEO, etc., including LE, vendors, and cloud providers.
Incorporate lessons learned into your program
Many of the organizations we meet with have IR plans, but they’re not rehearsed against real-world scenarios.
Use tabletop exercises, red team / blue team, and dry runs to test your IR plans.
Let’s Talk Incident Response
The first 24 hours
The first few days
Answering some tough questions – or not.
Are you ready?
What Does Ready Mean?
How to be less vulnerable and more resilient
Why Did A Breach Happen?
Errors and accidents
User action
Malicious insider or near-insider threats
Ransomware or malware
Commercially tooled criminals
Highly skilled criminals with custom tools
It CAN Happen
× Vulnerabilities
× Bad admin passwords
× Phishing schemes
× Unpatched… everything
Today’s lesson is brought to you by the letter U.
UNDERPREPARED
What Happens Next? Decision Time!
• Do we pay?
• Should the Internet be disabled?
• Should the police be engaged?
• What statements of assurance can be made to the ELT, board, stakeholders, staff?
Questions To Be Addressed
• Why this breach?
• Why were we vulnerable?
• Why were the controls weak?
• Why were those elements missing?
• Why wasn’t there any responsibility assigned?
Looking For Causes
• No plan/process
• Little local expertise
• Unpatched systems
• Weak security metrics
• Poor measurement
• Lack of management commitment
• Limited resources
• Unclear accountability/responsibility
• Weak identity and access management
• Decentralized IT
• Poor or no logging/monitoring
• Warnings are missed
Start Running…
Get meaningful info about risks/threats
Measure and report info sec risks outside of IT
Report risks in business terms
Develop & present metrics
Don’t sugar-coat it
Educate executives every chance you get
Time To Do More
Segment networks
Deploy SIEMs
Update your asset database
Next generation endpoint tools
If you don’t have expertise, buy it
BEFORE YOU BEGIN
Learn the material and be ready to present it in your own words.
Do a dry-run presentation in advance.
Customize the presentation – your name, relevant vendor logos, relevant customer logos.
Pre-load the presentation on to your laptop – your setup must be smooth. The videos to be played are not embedded – you must queue it up ahead of time.
Make sure the video works – including volume on, and loud enough. If your video does not work, it undermines your presentation.
If there are more than two people in the room, YOU NEED SPEAKERS. The audience must be able to hear.
Have a specific agenda in mind before you begin (page two). NEVER start the presentation unless you have a rough idea of where the customer wants to go with the discussion. ASK the question before you start – to reconfirm expectations.
Reconfirm your time limit with the customer.
Ascertain the KEY person watching the presentation – make eye contact with them throughout.
NEVER FORGET: the purpose of the presentation is to engage with the customer – if they want to take your presentation on a different route, let them. The purpose of the presentation is NOT to hear yourself talk. Once you achieve your perceived agenda, ask yourself if it’s really necessary to continue. Don’t worry about dropping slides that don’t meet your agenda!
WELCOME SLIDE
Introduce yourself.
Thank everyone for coming – always thank people!
Ask, “before I begin, is there anything specific that you want me to address” beyond what you already know to be the topic.
Continue talking about ransomware, based on what we’ve seen over the last 2 years.
Fasten your seatbelts!
Hypothetical scenario, which may not be too far from the reality we see right now:
A computer on your network gets compromised (via a malicious attachment, watering-hole attack, malvertising, etc.), evading perimeter protections, anti-spam gateways, proxies and ultimately your AV.
After establishing contact with the C&C, the attacker changes the usual tactic: instead of encrypting the victim’s endpoint, it is used to pivot to a higher-value target.
Stolen credentials are used to move to the cloud.
And what is the best response you can give… (Taken)
My Career So Far – This is a pretty accurate description… of what a malware, incident response and forensics specialist looks like
What do we do?
It feels like we are putting out more fires every day, with fewer resources. There was a time when it was something ALMOST ROMANTIC… oh… an incident!!
We have seen enough of these to see a clear pattern, both in the organizations we have helped with our IR/forensics services and in the ones we have helped to create or improve their IR program.
Attackers have different goals; they are not always after data exfiltration…
On each system several tools were used to find, encrypt, and delete the original files as well as any backups.
These tools included utilities from Microsoft Sysinternals and parts of open-source projects. After the encryption of the files, a ransom note appears, demanding a payment
in Bitcoins to retrieve the files.
Ransomware is growing. Not just in volume, but in sophistication.
We have started to see the shift from only consumers to soft-target organizations and businesses like hospitals, universities and police stations.
Whole economy behind it.
Wannabe – starter / less sophisticated
Affiliate – in a pyramid scheme, used to distribute ransomware to a large number of people, paying the creators a fee, pretty much like a franchise.
11 days later… you pay the ransom. Is it over?
Hundreds or thousands of machines with different decryption codes, and you have to apply them manually.
What if there’s a glitch in the algorithm?
Do you have backups? How long does it take you to recover them…
This brings additional challenges…
The problem of Shadow IT. I may spin out an instance in AWS and no one knows that.
Do you have the same level of controls in your cloud that as in your org.
Treat the cloud as extension of your own DC.
Do you bring those logs into your SIEM?
Cybercriminals, competitors, vigilante justice seekers, and nation-states will increasingly target cloud services platforms to exploit companies, not only to steal valuable and confidential data but also to take hostage of it.
The cloud provider that Casala’s company is using was keeping daily backups, but she said it still took them almost a week to fully restore all of the files that were held hostage. She said the hosting service told her that the malware also disrupted operations for other customers on the same server.
In order to PREVENT the exfil, you have to see it first!
Parable of the three friends, well known in the healthcare community:
1st friend jumps right in – let’s save those that are drowning first – pull them to the shore
2nd friend – let’s build a raft – so we can save more and prevent them from getting to the waterfall
3rd friend – swimming upstream – saving kids as she goes – I need to find WHO or WHAT is throwing kids in the river
“Upstreamists”: health starts where we live, in our houses, where we work, where we sleep, where we spend the majority of our time
1st friend is the Incident Responder in the field / 2nd the Security Architect / we need more of the 3rd, the Threat Researcher, the experienced analyst who knows the threat landscape, IR/forensics, attacker techniques and business processes, and can look at root cause.
High decentralization of data/systems (mobile + web + cloud + BYOD), coupled with data center consolidation (virtualization) and the increasing number of security devices and agents we deploy in our networks, which generate loads of events that need to be continuously tuned and managed, produces more data than we can possibly ingest. Too much data generates noise, noise leads to stress and confusion, and that doesn't help a faster reaction. Attackers LOVE noise, because it's easier to hide their malicious activities in a noisy environment.
We need to refocus our efforts, moving from prevention to detection and reaction, and focusing on the critical assets.
ADAPT – an unknown file will be inspected in a sandbox and, if malicious, reported to all tools (network and endpoints) to contain and eradicate automatically, triggering a workflow to triage/collect artifacts for forensic purposes
If you are in PaaS you’re effectively on shared resources, meaning you may not have access to IDS logs, etc.
Whitelisting – most effective control
Evaluate and REHEARSE against real-world scenarios
TTX – involve all stakeholders.
Even if you decide to pay the ransom, you may need to coordinate a huge recovery task (getting bitcoins, multiple keys, across different platforms, etc.). That moment is not the best one to coordinate resources and improvise!
Reinforce that we are specialists in information security – today you want to provide a scope of our core competencies and services.
Make mention of Robert Herjavec as our founder and CEO
Talk about how we are passionate about security and lead into that we are experts – who have been doing this a long time.
Most incidents could be prevented. I make this claim because:
I have never left a client site with the comment: “Bad luck, nothing you could have done.”
Technical controls and processes are almost always deficient
Most breaches have technical root causes; unpatched Java, Flash, or using “Passw0rd” for your common local admin PW.
Most breaches also have management root causes; lack of coherent risk information, or lack of commitment.
There is no defense that you can depend on from a highly-skilled and focused attacker – but they are relatively rare, and even then, they may not have to use elite techniques.
Everyone is a potential victim.
Most victims are simply vulnerable.
Bad Admin passwords
Bad user passwords
Phishing vulnerabilities
Unpatched… everything
Think about all the high-profile breaches; there is a theme of being underprepared. Is that obvious?
Not saying the good don’t get hacked, but… they have to be more unlucky, or more directly targeted.
Day 1 – The notice
An alert is raised from log and activity monitoring. It is Severity 1.
45 machines on your network have attempted to contact a site known to host malicious content.
Further alerts that your network traffic is at 150% of baseline.
Your service desk has had a rash of unexplained reboots and “system is slow” reports.
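The two signals that open this scenario (many internal hosts reaching a known-bad site, and traffic well above baseline) are exactly what the "hunt for IOCs" item in the to-do list above is meant to surface. The following triage script is an added example written for this page, not code from the presentation or from any vendor. It parses a constructed proxy log, maps each indicator to the clients that touched it, compares total bytes against a baseline and derives a severity. The log format, the indicator list, the baseline figure and the severity thresholds are all assumptions for the demo.

```python
"""Triage the 'Day 1' signals: hosts reaching known-bad sites plus a traffic spike.

Added example, not from the presentation. The proxy log format
("<timestamp> <client> <method> <url> <status> <bytes>"), the sample
lines, the indicator list, the baseline and the thresholds are all
constructed for this demo.
"""
from collections import defaultdict

# Constructed proxy log (invented hosts, documentation-range addresses).
SAMPLE_LOG = """\
2016-03-01T08:00:01 10.1.1.5 GET http://www.example.com/ 200 5120
2016-03-01T08:00:03 10.1.1.5 GET http://bad-updates.example/dl/a.exe 200 1048576
2016-03-01T08:00:04 10.1.1.9 GET http://bad-updates.example/dl/a.exe 200 1048576
2016-03-01T08:00:05 10.1.2.17 POST http://bad-updates.example/gate.php 200 256
2016-03-01T08:00:07 10.1.2.17 GET http://intranet.corp/ 200 4096
2016-03-01T08:00:09 10.1.3.2 GET http://198.51.100.7/p.bin 200 2097152
2016-03-01T08:00:11 10.1.1.9 GET http://bad-updates.example/gate.php 200 256
2016-03-01T08:00:12 10.1.4.4 GET http://www.example.com/news 200 8192
"""

# Constructed indicators of compromise (domains / IPs), not real intel.
IOC_DOMAINS = {"bad-updates.example", "198.51.100.7"}

# Assumed baseline: bytes seen in a comparable window on a normal day.
BASELINE_BYTES = 2_106_112


def parse_proxy_line(line):
    """Split one log line into a record; the host is taken from the URL authority."""
    ts, client, method, url, status, nbytes = line.split()
    host = url.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": host, "status": int(status), "bytes": int(nbytes)}


def _records(log_text):
    return [parse_proxy_line(l) for l in log_text.splitlines() if l.strip()]


def ioc_hits(log_text, iocs=IOC_DOMAINS):
    """Map each matched indicator to the sorted list of internal clients that reached it."""
    hits = defaultdict(set)
    for rec in _records(log_text):
        if rec["host"] in iocs:
            hits[rec["host"]].add(rec["client"])
    return {ioc: sorted(clients) for ioc, clients in hits.items()}


def infected_clients(log_text, iocs=IOC_DOMAINS):
    """Distinct internal clients that touched any indicator: the containment worklist."""
    clients = set()
    for c in ioc_hits(log_text, iocs).values():
        clients.update(c)
    return sorted(clients)


def traffic_ratio(log_text, baseline_bytes=BASELINE_BYTES):
    """Total bytes in the window divided by the baseline (1.5 means 150% of baseline)."""
    return sum(rec["bytes"] for rec in _records(log_text)) / baseline_bytes


def severity(log_text, baseline_bytes=BASELINE_BYTES, host_threshold=3, ratio_threshold=1.5):
    """SEV1 when many hosts hit IOCs and traffic spikes; SEV2 on either alone."""
    n_hosts = len(infected_clients(log_text))
    ratio = traffic_ratio(log_text, baseline_bytes)
    if n_hosts >= host_threshold and ratio >= ratio_threshold:
        return "SEV1"
    if n_hosts >= 1 or ratio >= ratio_threshold:
        return "SEV2"
    return "INFO"


if __name__ == "__main__":
    print("severity:", severity(SAMPLE_LOG))
    print("traffic at %.0f%% of baseline" % (100 * traffic_ratio(SAMPLE_LOG)))
    for ioc, clients in ioc_hits(SAMPLE_LOG).items():
        print(f"{ioc}: {', '.join(clients)}")
```

Note that the worklist comes from distinct clients, not request counts: 10.1.1.9 appears twice but is one machine to isolate. The same parser can be pointed at exported proxy or firewall logs, which is why the deck keeps insisting that cloud logs land in the SIEM where they can be queried this way.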
Day 1 – continues
Preliminary analysis begins.
IT teams examine several suspected machines, but don’t find anything.
Firewall analysis continues to show unusual outbound connection attempts. 20 machines are added to the list.
Day 1 – continues
A breach is confirmed – more than 60 machines have been affected.
Endpoint protection hasn’t flagged anything, but the infection continues to spread.
CISO and CIO are informed, and the IT team begins to re-image machines to attempt to contain the spread.
CIO and CISO determine that the incident is too complex for the IT team and engage the HG IR team.
Day 2 – Incident Response – Scoping
IR team begins a timeline – exactly what is known and what has been done. Logging and recording of all actions and decisions is started.
An incident control room is established as a centre of control and technical activity.
Forensic copies of affected machines are taken, and analysis begins to attempt to understand the incident.
Firewall and network traffic are analyzed to determine if there are any anomalies.
Outbound connections are encrypted.
Day 2 – Incident Response
A ransom demand is received by email. This confirms that the attack is ongoing, and there is a claim of hundreds of gigabytes of data stolen. Ransom is 100 BTC – around $110,000.
IR team begins deep dive.
What Happens next?
Company must decide if paying ransom is possible or reasonable.
Company must validate the impact of the breach.
IR team must find and identify the source of the breach.
Should the Internet be disabled?
Should the police be engaged?
What statements of assurance can be made to the ELT, board, stakeholders, staff?
Get account management/identity under control. Get strong at onboarding and offboarding users. Get stronger at privileged account management. Get stronger at “least privilege”.
Patch. While zero days are out there, we see some pretty old exploits getting used successfully.
Harden your endpoints. Upgrade OS and Browsers. Disable Flash.
Don’t put admin tools on endpoints. Use a dedicated VM for admin.
Don’t let privileged accounts do anything except admin. Use separate “general use” accounts.
What can you do?
Segment networks.
Deploy SIEMs, send and analyze logs for every important system.
If you don’t have expertise, buy it.
Have an up-to-date asset database.
Next generation endpoint tools.
Get more agile with deployment of tools and techniques – your attackers are!