Ransomware (peakresources.com)

Post on 28-May-2020


Virtual Roundtable Series

Ransomware

PEAK RESOURCES

Email us at architecture@peakresources.com

Today's Panel

Paul Watson, CTO (pwatson@peakresources.com)
Matt Manes, Security Sales Director (mmanes@peakresources.com)
Gene Ballard, Security SE (gballard@peakresources.com)
Alyson Goodman, Project Manager (agoodman@peakresources.com)
Brian Black, Deep Instinct (brianb@deepinstinct.com)


Today's Agenda

Anatomy of a Ransomware Attack (10 minutes)
Best Practices (13 minutes)
Open Forum Q&A (15 minutes)
Future Thought (15 minutes)

• This session is being recorded
• You will get a PDF copy of the slides
• Use the Q&A function to ask a question before we go live for the open forum
• Keep an eye out for others' questions and upvote those you would like answered!


Ransomware: The Problem Statement...

• Viruses have been around since the late 1980s and are here to stay!
• Ransomware is malware: malicious software that encrypts and holds data/systems hostage for a ransom payment.
• Organizations will use Bitcoin or other methods for ransom payment that are practically impossible to trace.
• Pay to prevent embarrassment: if publicized, an attack can have a negative effect on a company's reputation, stock price, etc.
• PEAK is seeing multiple industries/verticals specifically targeted.
• PEAK is seeing that many companies don't have sufficient controls in place to effectively detect, respond to, or recover from a ransomware attack, let alone prevent it.
• Are your backups alone a "good enough" strategy?

Ransomware: Anatomy of an Attack


Stages of A Ransomware Attack

Stage 1: Campaign

Stage 2: Infection

Stage 3: Staging

Stage 4: Scanning

Stage 5: Encryption

Stage 6: Payday


Stage 1: Campaign

• Attack Vectors
− Phishing (attachments, URLs)
− Vulnerable websites (exploit kits, trojans)
− Compromised USB drives
− Vulnerable systems (RDP/gateways/VPN, endpoints, applications)
− Credential scraping
− Brute force (RDP, dictionary attacks)
• Reconnaissance: the intruder selects a target, researches it, and attempts to identify vulnerabilities in the target network
• Weaponization: the intruder creates a remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities
• Delivery: the intruder transmits the weapon to the target


Stage 2: Infection

• Exploitation: the malware weapon's program code triggers, taking action on the target network to exploit a vulnerability
• Installation: the malware weapon installs an access point (e.g., a "backdoor") usable by the intruder
• Command and Control: the malware enables the intruder to have "hands on the keyboard" persistent access to the target network
• Actions on Objective: the intruder takes action to achieve their goals, such as data exfiltration, data destruction, or delivery of ransomware


Stage 3: Staging

• Ransomware-specific stage of infection
− Initial dropper or infection process has been terminated
− Ransomware payload has been delivered/executed
− Recon of local permissions
− C2 communication for key exchange
− C2 communication for any exfiltration activities
• Housekeeping
− Moves itself to new folders/processes
− Cleans up its original footprint
− Sets itself to run upon reboot
− Deletes local Shadow Copy files (Windows)
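The housekeeping steps above are the part of an attack a defender can still catch before encryption starts, because each leaves a process-creation record. The following is an added example (not PEAK's material or any vendor's product logic) of how an analyst would triage such records: it matches the deck's three housekeeping behaviours (execution from a user-writable staging folder such as %APPDATA% or %TEMP%, shadow-copy deletion, run-on-reboot persistence) plus encoded PowerShell, and escalates a host only when two or more distinct indicators cluster in a short window. The event shape, field names and all sample values are constructed to resemble a Sysmon process-creation export; they are not real telemetry.

```python
"""Flag ransomware staging behaviour in process-creation telemetry.

Added example, not from the PEAK Resources deck. The event shape, field names
and every sample value below are constructed to resemble a Sysmon process
creation export; they are not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# (indicator name, pattern over the command line). Kept narrow on purpose:
# each maps to one of the deck's housekeeping steps, not to "anything odd".
CMDLINE_RULES: List[Tuple[str, re.Pattern]] = [
    ("shadow_copy_deletion",      # "Deletes local Shadow Copy files (Windows)"
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("run_key_persistence",       # "Sets itself to run upon reboot"
     re.compile(r"reg(\.exe)?\s+add\s+\"?HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.I)),
    ("encoded_powershell",        # PowerShell given an encoded command (script hidden from casual review)
     re.compile(r"powershell(\.exe)?.*\s-(e|enc|encodedcommand)\s", re.I)),
]
# "Moves itself to new folders": execution from user-writable staging paths
# (the %APPDATA% / %TEMP% locations named on the Endpoint Security slide).
STAGING_PATH = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Temp\\", re.I)


def _ev(ts: str, host: str, image: str, cmd: str) -> dict:
    return {"ts": ts, "host": host, "image": image, "cmd": cmd}


# Constructed sample: one workstation showing the clustered housekeeping
# sequence, one server where an administrator runs a lone vssadmin clean-up.
SAMPLE_EVENTS = [
    _ev("2020-05-28T09:01:10", "ws01",
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        '"WINWORD.EXE" /n invoice.docm'),
    _ev("2020-05-28T09:01:12", "ws01",
        r"C:\Users\alice\AppData\Local\Temp\upd.exe", "upd.exe"),
    _ev("2020-05-28T09:01:15", "ws01",
        r"C:\Windows\System32\cmd.exe",
        "cmd.exe /c vssadmin delete shadows /all /quiet"),
    _ev("2020-05-28T09:01:16", "ws01",
        r"C:\Windows\System32\reg.exe",
        r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Users\alice\AppData\Local\Temp\upd.exe"),
    _ev("2020-05-28T11:30:00", "srv02",
        r"C:\Windows\System32\vssadmin.exe",
        "vssadmin delete shadows /for=D: /oldest"),
]


def match_event(event: dict) -> List[str]:
    """Return the indicator names one event trips (empty if nothing matched)."""
    hits = [name for name, rx in CMDLINE_RULES if rx.search(event["cmd"])]
    if STAGING_PATH.search(event["image"]):
        hits.append("exec_from_staging_dir")
    return hits


def triage(events: List[dict], window: timedelta = timedelta(minutes=10)) -> Dict[str, List[str]]:
    """Hosts to escalate: two or more *distinct* indicators on the same host
    inside `window`. A single vssadmin run is routine admin work; the deck's
    staging stage is the cluster (staging dir + shadow deletion + persistence)."""
    per_host: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        for name in match_event(ev):
            per_host[ev["host"]].append((ts, name))
    escalate: Dict[str, List[str]] = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            names = {n for t, n in hits[i:] if t - t0 <= window}
            if len(names) >= 2:
                escalate[host] = sorted(names)
                break
    return escalate


if __name__ == "__main__":
    for host, indicators in triage(SAMPLE_EVENTS).items():
        print(f"ESCALATE {host}: {', '.join(indicators)}")
```

Run as-is it escalates only ws01; the lone vssadmin run on srv02 is recorded but not escalated, which is the design point: the indicators are individually noisy and only the cluster is high-confidence. In production the same rules would be expressed as EDR or SIEM detections and the window tuned to the environment's normal admin activity.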


Stage 4: Scanning

• Targets for encryption
− Local files, filesystems, drives/MBR, etc.
− Network file share locations: SMB/CIFS, NFS, mapped drives, etc.
− Cloud: SaaS, IaaS, synced folders, etc.
• Timing & frequency
− Varies by type and variant: seconds/minutes to hours
− Local/cloud scanning is often quick
− Network scanning is often delayed or set to a schedule
− Hides from controls


Stage 5: Encryption
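The Stage 5 slide is an image in the original deck. As an added illustration (not the deck's material) of what the encryption phase looks like in file-activity telemetry, the example below combines the Stage 4 targets (local folders plus a network share) with the deceptive-technology idea from the Continuous Monitoring slide: it flags a process that renames many files to a new extension in a short window, and any process that touches a planted canary file. The events, hosts, process names, paths and canary file names are all constructed; a real feed would come from an EDR or file-server audit log.

```python
"""Spot the encryption phase from file-activity telemetry.

Added example, not from the deck. The events (host, process, rename/write
operations, paths) and the canary file names are constructed; a real feed
would come from an EDR or file-server audit log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Decoy files nobody should touch ("deceptive technologies" on the monitoring slide).
CANARY_PATHS = {
    r"\\fs01\finance\_do_not_open_budget.xlsx",
    r"C:\Users\Public\Documents\_canary.docx",
}


def _ev(sec: int, proc: str, op: str, src: str, dst: str = None) -> dict:
    return {"ts": f"2020-05-28T09:02:{sec:02d}", "host": "ws01",
            "proc": proc, "op": op, "src": src, "dst": dst}


_VICTIM_FILES = [
    r"\\fs01\finance\q1.xlsx", r"\\fs01\finance\q2.xlsx", r"\\fs01\finance\payroll.csv",
    r"\\fs01\finance\vendors.docx", r"\\fs01\finance\budget.pptx",
    r"C:\Users\alice\Documents\thesis.docx", r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Documents\photo.jpg", r"C:\Users\alice\Documents\taxes.pdf",
]
# Constructed sample: Word's normal temp-file rename (benign), then one
# process renaming nine files to a new extension in 16 seconds and writing
# to a canary on the finance share.
SAMPLE_FILE_EVENTS = (
    [_ev(0, "WINWORD.EXE", "rename", r"C:\Users\alice\Documents\~$report.docx",
         r"C:\Users\alice\Documents\report.docx")]
    + [_ev(5 + 2 * i, "upd.exe", "rename", p, p + ".locked") for i, p in enumerate(_VICTIM_FILES)]
    + [_ev(25, "upd.exe", "write", r"\\fs01\finance\_do_not_open_budget.xlsx")]
)


def _ext(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def _dir(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def detect_encryption_activity(events: List[dict], threshold: int = 8,
                               window: timedelta = timedelta(seconds=30)) -> Dict[Tuple[str, str], dict]:
    """Per (host, process): flag a burst of extension-changing renames
    (threshold within window) and any touch of a canary file. Ordinary
    editors rename files too, but they keep the extension and do not fan
    out across shares and user folders the way the scanning stage does."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    state: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"reasons": set(), "renamed": 0, "new_extensions": set(), "directories": set()})
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["proc"])
        ts = datetime.fromisoformat(ev["ts"])
        if ev["src"] in CANARY_PATHS or ev.get("dst") in CANARY_PATHS:
            state[key]["reasons"].add("canary_touched")
        if ev["op"] == "rename" and _ext(ev["src"]) != _ext(ev["dst"]):
            s = state[key]
            s["renamed"] += 1
            s["new_extensions"].add(_ext(ev["dst"]))
            s["directories"].add(_dir(ev["src"]))
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:      # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                s["reasons"].add("rename_burst")
    return {k: {"reasons": sorted(v["reasons"]), "renamed": v["renamed"],
                "new_extensions": sorted(v["new_extensions"]),
                "directories": sorted(v["directories"])}
            for k, v in state.items() if v["reasons"]}


if __name__ == "__main__":
    for (host, proc), info in detect_encryption_activity(SAMPLE_FILE_EVENTS).items():
        print(host, proc, info)
```

The canary check fires on the first touch and is the cheaper signal; the rename-burst check needs a threshold and a window, and both should be tuned against a baseline of legitimate bulk operations (backup agents, build systems) so that the alert is actionable rather than a daily false positive.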


Stage 6: Payday

• Facts
− 96 percent of organizations that paid the ransom received a decryption tool from the hackers. (Source: Coveware)
− Decryption success depends on the type of virus. Dharma variants were often unreliable after paying the ransom, compared to GandCrab TOR, which almost always delivered a successful decryption tool after a ransom was paid. (Source: Coveware)
− Bitcoin was the primary method of payment for ransomware. Around 98 percent of payments were made in Bitcoin. (Source: Coveware)
• Demands
− Timed for a date that will have the most impact
− Typically demands are well thought out and provide a painful, but easy, out for those under attack
− IBM study: a quarter of executives would be willing to pay between $20K and $50K to regain access to encrypted data.


Stage 6: Payday

To Pay or Not To Pay?

− Are you able to restore from backup?
− How critical is the data?
− Business impact

Advantages:
− Reduce disruption
− Cheaper
− Insurance may help
− May save your business

Disadvantages:
− No guarantees
− Decryptor may not work
− May be targeted again
− Ethical and future implications

Ransomware: Best Practices


Ransomware: Best Practices

Vulnerability/Patch Management

Network Security

Identity Access Management

Endpoint Security

Data Protection

Security User and Awareness Training

Continuous Monitoring

Security Policies/Plans


Best Practice: Vulnerability/Patch Management

• Scan regularly
• Prioritize vulnerability remediation
• Patch, patch, patch
− OS (critical and security-related)
− Common apps (Adobe, Java, Office, browsers, etc.)
− Services (IIS, Apache, SQL, PostgreSQL, MySQL, etc.)
• Disable/remove unnecessary services


Best Practice: Network Security

• Network segmentation/filtering

• Network access control

• NGFW

• Explicit firewall rules

• Email threat prevention

• IDS/IPS

• Traffic analysis – source of truth!!


Best Practice: Identity & Access Management

• Identity
− Federated identity: one identity
− Single identity policy
− RBAC is easier
• Access Control
− Ensure least-privilege access
− Privileged Access Management (PAM)
− ACLs


Best Practice: Endpoint Security

• Deploy an Effective Prevention Solution
• Effective Enterprise EDR Solution
• Detecting & Responding to Advanced Threats/Attacks at Scale in Real Time
• Detecting & Responding to Malicious System Activity
− %APPDATA%, %TEMP%, etc.
− PowerShell, WMI, SSH, VSS, memory, etc.
− Pre-execution, on-execution, post-execution


Best Practice: Data Protection

• Regular Backups

− Know your critical data

− Understand RTO/RPO requirements

• Protect Your Backups

− Multiple copies / immutable

− Backup data analytics

• Make Time to Test Your Backups – Restore, Restore!!
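"Restore, restore" only proves something if the restored data is compared against what was backed up, and the comparison baseline itself must be out of the attacker's reach. The following added example (not PEAK's material or any backup product's code) shows the minimum such a restore test needs: a manifest of file hashes taken at backup time, sealed with an HMAC key that lives outside the backup system (standing in for the deck's "immutable" copy), a verifier that reports missing, modified and unexpected files after a restore, and an RPO check. The directory layout, file contents and the "backup" (a plain copy) are constructed for the demonstration.

```python
"""Verify a restore against a sealed manifest and check RPO.

Added example, not from the deck. Directory layout, file contents and the
'backup' (a plain copy) are constructed; a real job would write the sealed
manifest to storage the backup account cannot modify.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, List


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 of every regular file under root."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def seal(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC over canonical JSON, so a manifest edited alongside the backup is detectable."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_restore(manifest: Dict[str, str], seal_value: str, key: bytes, restored: Path) -> List[str]:
    """Return the list of problems; an empty list means the restore test passed."""
    if not hmac.compare_digest(seal(manifest, key), seal_value):
        return ["manifest seal mismatch: do not trust this manifest"]
    actual = build_manifest(restored)
    problems = []
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    problems += [f"unexpected: {rel}" for rel in actual if rel not in manifest]
    return sorted(problems)


def rpo_met(last_good_backup: datetime, incident_time: datetime, rpo: timedelta) -> bool:
    """RPO = how much data (measured in time) the business can afford to lose."""
    return incident_time - last_good_backup <= rpo


def restore_test() -> Dict[str, List[str]]:
    """End-to-end: back up a constructed tree, restore it cleanly, then damage
    one file and delete another and verify again. Returns both problem lists."""
    key = b"constructed-demo-key-keep-real-keys-offline"   # constructed; never store beside the backup
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q1.xlsx").write_bytes(b"quarter one figures")
        (src / "readme.txt").write_text("critical data inventory\n")
        manifest = build_manifest(src)
        seal_value = seal(manifest, key)

        restored = Path(tmp, "restored")
        shutil.copytree(src, restored)
        clean = verify_restore(manifest, seal_value, key, restored)

        (restored / "finance" / "q1.xlsx").write_bytes(b"ENCRYPTED")   # simulated damage
        (restored / "readme.txt").unlink()
        damaged = verify_restore(manifest, seal_value, key, restored)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(restore_test())
    print("RPO met:", rpo_met(datetime(2020, 5, 28, 2), datetime(2020, 5, 28, 9), timedelta(hours=24)))
```

The seal is what separates "the restore matches the manifest" from "the restore matches whatever the attacker left us": if the key is held offline, a manifest rewritten to match encrypted files fails the seal check before any file is compared.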


Best Practice: Security User & Awareness Training

• Conduct Ongoing Security Awareness Training/Campaigns
− e.g. Quarterly internal phishing campaigns
− Newsletters, posters, regular security awareness communications
• Conduct Ongoing User Training
− Regular shaping of user behavior and knowledge of corporate policies
− More than the once-a-year "Check the Box" approach
− e.g. Brown Bag Lunch & Learn


Best Practice: Continuous Monitoring

• Formally Define an InfoSec Continuous Monitoring Plan
− Roles, responsibilities, communications, metrics, etc.
• Common Monitoring Sources
− EDR, IDS, NGFW, SIEM, user behavioral analytics, threat analytics, network traffic analysis
− Monitor the network, endpoint, cloud, and user
− Monitor for brute force attempts, account lockouts, clearing of logs, deletion of critical files, unexpected alteration of critical files, etc.
− Implement deceptive technologies
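Three of the items on this slide (brute force attempts, account lockouts, clearing of logs) map directly onto standard Windows Security log events, and the value comes from correlating them rather than alerting on each line. The added example below (not PEAK's material, not any SIEM's rule syntax) shows that correlation over constructed records: a burst of failed logons from one source, a success from that same source right after the burst, a lockout, and an audit-log-cleared event. The event IDs are the real Windows ones (4625 failed logon, 4624 successful logon, 4740 account lockout, 1102 audit log cleared); the field names are simplified and the records are constructed.

```python
"""Correlate Windows Security log records into the alerts the deck lists.

Added example, not from the deck. Records are constructed with the standard
Windows event IDs (4625 failed logon, 4624 successful logon, 4740 account
lockout, 1102 audit log cleared); field names are simplified, not the real
XML schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def _rec(ts: str, event_id: int, host: str, **fields) -> dict:
    return {"ts": ts, "event_id": event_id, "host": host, **fields}


SAMPLE_RECORDS = (
    # six failures against alice from one source in 25 seconds, then a success
    [_rec(f"2020-05-28T08:00:{5 * i:02d}", 4625, "dc01", user="alice", src="10.0.0.50") for i in range(6)]
    + [_rec("2020-05-28T08:00:35", 4624, "dc01", user="alice", src="10.0.0.50"),
       # two typos from carol: below threshold, no alert
       _rec("2020-05-28T08:01:00", 4625, "dc01", user="carol", src="10.0.0.7"),
       _rec("2020-05-28T08:01:20", 4625, "dc01", user="carol", src="10.0.0.7"),
       _rec("2020-05-28T08:02:00", 4740, "dc01", user="bob", src="10.0.0.50"),
       _rec("2020-05-28T08:10:00", 1102, "srv02", user="alice")]
)


def correlate(records: List[dict], fail_threshold: int = 5,
              window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Return alerts in time order.

    brute_force            : fail_threshold 4625s from one source inside window
    success_after_failures : a 4624 from a source that just crossed the threshold
    account_lockout        : every 4740 (rare enough to review each one)
    audit_log_cleared      : every 1102 (track-covering, or a change that
                             should have a ticket behind it)
    """
    alerts: List[Dict] = []
    fails: Dict[str, List[datetime]] = defaultdict(list)   # source -> failure times in window
    for r in sorted(records, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(r["ts"])
        eid, src = r["event_id"], r.get("src")
        if eid == 4625:
            q = fails[src]
            q.append(ts)
            q[:] = [t for t in q if ts - t <= window]
            if len(q) == fail_threshold:          # fire once, on crossing the threshold
                alerts.append({"type": "brute_force", "host": r["host"], "src": src, "failures": len(q)})
        elif eid == 4624:
            recent = [t for t in fails.get(src, []) if ts - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append({"type": "success_after_failures", "host": r["host"], "src": src, "user": r["user"]})
        elif eid == 4740:
            alerts.append({"type": "account_lockout", "host": r["host"], "user": r["user"], "src": src})
        elif eid == 1102:
            alerts.append({"type": "audit_log_cleared", "host": r["host"], "user": r["user"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_RECORDS):
        print(a)
```

The "success after failures" alert is the one worth paging on: a brute-force burst alone may be a misconfigured service account, but a successful logon from the same source immediately afterwards means the guessing worked and the account needs to be disabled and investigated. The audit-log-cleared event should also be forwarded off-host before it can be cleared, which is the reason the slide lists a SIEM among the monitoring sources.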


Best Practice: Security Policies/Plans

• Administrative Controls Dictate Operational Controls
• Formally Define/Document InfoSec Policies
− Organization infosec policy, risk management, incident response, vulnerability/patch management, endpoint security, access control (systems, network), continuous monitoring, security awareness and user training, etc.
• e.g. Incident Response, DR/BC, and Risk Management
− IR policy, plan, and procedure specific to ransomware, regular tabletop exercises, etc.
− DR/BC policy, plan
− Risk management policy, plan/assessment… insurance?


Q & A

Do you have a more individual question?

Please email us at architecture@peakresources.com

Type a question into the Q & A box in Zoom below.

Questions can be submitted and upvoted anonymously.


Ransomware: Future Thought
with Brian Black of Deep Instinct

Facing Future Threats
Brian Black - Technology Evangelist / DSE
2020
Private and confidential

WHAT IS DEEP LEARNING?

The World of Artificial Intelligence (AI)
[Figure, built up across three slides: Artificial Intelligence (1950), Machine learning (1980) and Deep learning (2010), each with its labelled techniques]
Artificial Intelligence | 1950: Optimization Method, Logic, Planning, Probabilistic Reasoning, Language Processing, Perception, Robotics, Expert Systems, Search Methods, Recommendation
Machine learning | 1980: Multi-Layered Perceptron, Decision Trees, Regression, Support Vector Machines, Nearest Neighbor, Bayesian Models, Evolutionary Computation, Swarm Intelligence, Reinforcement Learning
Deep learning | 2010

CLASSICAL MACHINE LEARNING

Machine Learning Approach
[Figure: a set of labelled training images (Label = cat / Label = dog) is used to train a model; at inference the model assigns a label (dog) to a new image]

CLASSICAL MACHINE LEARNING – HAND CRAFTED FEATURES
[Figure: hand-measured features on an image, e.g. Ear = 9cm, Nose = 11.42cm, Eyes = 4.2cm]

Misleading Features
[Figure: examples of dogs and cats whose hand-crafted features mislead a classifier]

Noise
[Figure: original images beside noisy input]

Deep Learning Vs. Machine Learning: No Feature Engineering
[Figure: Machine learning: raw data → manual feature engineering → vector of features (0.5, 1.8, -6.4, 2.3, …, N), i.e. <2% of the data. Deep learning: raw data in, 100% of the data]

Thank you


Closing Statements

Please email us at architecture@peakresources.com

Thank you to Brian Black and Deep Instinct!

You can reach Brian at brianb@deepinstinct.com


Thank you for joining today’s session

303-934-1200 | 1-800-925-PEAK

www.peakresources.com
