1 // Guardicore – 21st Annual Privacy Conference
Defending Against
Nation State Attackers & Ransomware
Dave Klein
Senior Director of
Engineering & Architecture
Guardicore
@cybercaffeinate
2 // Guardicore – 21st Annual Privacy Conference
Introductions
3 // Guardicore – 21st Annual Privacy Conference
About me…
Dave Klein
▪ 21-plus-year veteran in cybersecurity
▪ 4 years in NYC post-9/11
▪ 10 years US Federal
▪ Plenty of incident response work
▪ Twitter @cybercaffeinate
4 // Guardicore – 21st Annual Privacy Conference
About Guardicore…
Guardicore Centra
Visibility & Software-Defined Segmentation across all platforms, seamlessly
• Reduces Risk
• Ensures Compliance
• Reduces Costs
Breach Detection & Incident Response
• Reputation
• Dynamic Deception
• Etc.
5 // Guardicore – 21st Annual Privacy Conference
About Guardicore Labs…
Critical Guardicore Researchers
• https://www.guardicore.com/labs/
6 // Guardicore – 21st Annual Privacy Conference
About Guardicore Labs…
Guardicore Infection Monkey
• Free, Easy, Open Source
• Automatic Attack Simulation
• Continuous & Safe Assessments
• Available for:
  • vSphere, AWS, Azure, GCP
  • Windows, Linux, OpenStack
  • K8s/OpenShift
• Actionable Prescriptive Recommendations
• https://www.guardicore.com/infectionmonkey/
7 // Guardicore – 21st Annual Privacy Conference
What this Talk is About
8 // Guardicore – 21st Annual Privacy Conference
Goals of Today’s Talk
Arming You With What You Need
▪ Despite the fear of Nation State Actors & Ransomware
▪ We have the capabilities at our disposal to defend ourselves, minimize the damage, and recover
9 // Guardicore – 21st Annual Privacy Conference
Goals of Today
Arming You With What You Need
▪ Highlight a specific success story
▪ Discuss my research and findings
▪ Prescriptive list of things that will make you successful
10 // Guardicore – 21st Annual Privacy Conference
Olympic Games Pyeongyang
11 // Guardicore – 21st Annual Privacy Conference
Olympic Games Pyeongyang 2016
Olympic Public Website
Official Olympic App with Schedules, Reservation, Mapping, Help & Ticketing System
347 Large Screen Displays
Thousands of RFID Security Gates
7,400 Display Screens
16,000+ Video Cameras
85 Robots
Multiple Press Centers
10,000 PCs
20,000 Mobile Devices
6,300 Wi-Fi routers
2 Data Centers
1 Co-located Data Center
300+ Servers
100+ Servers (Co-located)
12 // Guardicore – 21st Annual Privacy Conference
Olympic Games Pyeongyang
20:00 February 9, 2016
13 // Guardicore – 21st Annual Privacy Conference
20:10 February 9, 2016
14 // Guardicore – 21st Annual Privacy Conference
WIPED OUT!
15 // Guardicore – 21st Annual Privacy Conference
Olympic Games Pyeongyang 2016
Every time the Olympic IT staff try to restore servers, they are wiped clean again by a still-unknown attacker
21:00 – 23:00
16 // Guardicore – 21st Annual Privacy Conference
Olympic Games Pyeongyang 2016
17 // Guardicore – 21st Annual Privacy Conference
Research
18 // Guardicore – 21st Annual Privacy Conference
January 2020
Assignment:
▪ Research the most devastating breaches of the last 5 years and write a series of articles about them
▪ Began researching; covered more than 10 major cases
19 // Guardicore – 21st Annual Privacy Conference
January 2020
Found Serious Commonalities
1. The attackers generally went after the same "low hanging fruit" to break in and spread
2. These were things that could be addressed relatively easily
3. The victims suffered from the same set of issues: a lack of a strategy/game plan
20 // Guardicore – 21st Annual Privacy Conference
January 2020
Led to a series of articles, blog posts and interviews
Found Serious Commonalities
21 // Guardicore – 21st Annual Privacy Conference
Concerns
Concern over “Reverse Survivor Bias”
22 // Guardicore – 21st Annual Privacy Conference
What is Survivor Bias?
Abraham Wald
Operational Research
Statistical Research Group (SRG) at Columbia University
WWII
23 // Guardicore – 21st Annual Privacy Conference
To Ensure No “Reverse Survival Bias”
What About Those Who Succeeded?
24 // Guardicore – 21st Annual Privacy Conference
What About Those Who Succeeded?
Data was more difficult to accrue; it came from a combination of research into the success stories I found and:
▪ Interviewing CISOs
▪ Customers and other industry professionals
▪ Some documented success stories
25 // Guardicore – 21st Annual Privacy Conference
Findings
Same for Winners & Losers
▪ Attack Targets
  ▪ Known vulnerabilities
  ▪ Weak passwords, no dual factor authentication
  ▪ Machines running with unnecessary elevated privileges
  ▪ Systems with poor account control/expiration procedures
  ▪ Certificate monitoring errors
  ▪ Poorly secured DNS, Remote Access and other critical services
  ▪ Poor Segmentation Practices
26 // Guardicore – 21st Annual Privacy Conference
Findings
Different for Winners & Losers
#1 Indicator of Success or Failure
▪ Winners - Incident Response Plan
  ▪ Sets expectations that you will be breached
▪ Well thought out
▪ Includes non-technical staff – legal, business owners and even board members
▪ Well practiced
27 // Guardicore – 21st Annual Privacy Conference
Findings
Different for Winners & Losers
#2 Indicator of Success or Failure
▪ Winners have begun to address the list of attack targets
▪ Not complete by any means
▪ At worst it becomes an early-warning alert that prevents long dwell time
28 // Guardicore – 21st Annual Privacy Conference
Findings
Different for Winners & Losers
#2 Indicator of Success or Failure
▪ Progress Made…
  ▪ Vulnerability Scanning and Patching
▪ Strong password enforcement combined with dual factor authentication
▪ Run without elevated privileges
▪ Account control/expiration procedures
▪ Certificate management practices
▪ Control of enterprise services like DNS, Remote Access (SSH/RDP), AD and other critical services
▪ Segmentation (most often in Software Defined Segmentation)
29 // Guardicore – 21st Annual Privacy Conference
Findings
Different for Winners & Losers
#3 Indicator of Success or Failure
▪ Acknowledgement that DevOps has accelerated provisioning and management
▪ This can be an accelerant for either success or failure
▪ Incorporation of DevOps playbook methods to accelerate, automate and simplify security
30 // Guardicore – 21st Annual Privacy Conference
Findings
DevOps Role in the Modern Enterprise
Speed Innovation
Business Demands
✓ Accelerated Delivery
✓ Essential Competitive Differentiation
✓ Efficiencies & Savings
✓ Integrations & Access
IT Delivers Through DevOps/Cloud Model
✓ Simplification via Solutions that are Platform & OS Agnostic
✓ Playbooks/Scripting
✓ Provisioning
✓ Automation/Autoscaling
✓ Cloud Models*
* Even companies only on-premises
31 // Guardicore – 21st Annual Privacy Conference
Findings
DevOps Role in the Modern Enterprise
Speed Innovation
What about security?
32 // Guardicore – 21st Annual Privacy Conference
Findings
▪ Strategy - Security at the Speed of DevOps
Speed Innovation
Security Solutions
✓ Simplification via Solutions that are Platform & OS Agnostic
✓ Speed
✓ DevOps Friendly – playbook/scriptable
✓ Automatable
✓ Visibility & Granular Enforcement
✓ Done Once – Done Right
33 // Guardicore – 21st Annual Privacy Conference
Findings
DevOps Example - Playbooks: Chef, Puppet, Ansible, Etc.
▪ Automate updates, checks and remediation
▪ Provides protection while you go after these in a sane, easy manner:
  ▪ Vulnerability Scanning and Patching
  ▪ Strong password enforcement combined with dual factor authentication
  ▪ Run without elevated privileges
  ▪ Account control/expiration procedures
  ▪ Certificate management practices
  ▪ Control of enterprise services like DNS, Remote Access (SSH/RDP), AD and other critical services
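One way to turn the slide's list of common targets into "automate updates, checks and remediation" is a single playbook with one task group per target. The Ansible playbook below is an added example, not Guardicore's code or anything shown in the talk; it assumes Debian/Ubuntu hosts in a hypothetical inventory group `servers`, a hypothetical certificate at `/etc/ssl/certs/app.pem`, and the `community.crypto` collection installed on the control node.

```yaml
---
# Added example playbook (not from the talk). One section per common target.
# Assumes Debian/Ubuntu targets in the hypothetical inventory group "servers"
# and the community.crypto collection for the certificate check.
- name: Harden the common attack targets from the findings
  hosts: servers
  become: true
  vars:
    cert_path: /etc/ssl/certs/app.pem      # hypothetical certificate to watch
    cert_min_days_left: 30
    max_password_age_days: 90
    stale_account_days: 45
  tasks:
    # 1. Vulnerability scanning and patching: apply every pending update.
    - name: Apply all pending package updates
      ansible.builtin.apt:
        update_cache: true
        upgrade: dist

    # 2. Strong passwords (length + ageing). Dual factor itself lives in the
    #    identity provider, so only the local policy is enforced here.
    - name: Require 14+ character passwords via pam_pwquality
      ansible.builtin.lineinfile:
        path: /etc/security/pwquality.conf
        regexp: '^\s*#?\s*minlen'
        line: 'minlen = 14'
    - name: Cap password age for new accounts
      ansible.builtin.lineinfile:
        path: /etc/login.defs
        regexp: '^PASS_MAX_DAYS'
        line: 'PASS_MAX_DAYS   {{ max_password_age_days }}'

    # 3. Run without elevated privileges: no password-less sudo anywhere.
    - name: Look for NOPASSWD grants in sudoers and drop-ins
      ansible.builtin.command: grep -rl NOPASSWD /etc/sudoers /etc/sudoers.d
      register: nopasswd
      changed_when: false
      failed_when: false          # grep exits 1 when nothing matches
    - name: Stop the run if password-less sudo is present
      ansible.builtin.assert:
        that: nopasswd.stdout == ""
        fail_msg: "NOPASSWD sudo found in: {{ nopasswd.stdout_lines }}"

    # 4. Account control/expiration: lock human accounts (UID >= 1000) whose
    #    last login is older than stale_account_days.
    - name: List accounts idle longer than the threshold
      ansible.builtin.shell: |
        lastlog -b {{ stale_account_days }} -u 1000-60000 | awk 'NR>1 {print $1}'
      register: idle_accounts
      changed_when: false
    - name: Lock idle accounts
      ansible.builtin.user:
        name: "{{ item }}"
        password_lock: true
      loop: "{{ idle_accounts.stdout_lines }}"

    # 5. Certificate management: fail before the monitored cert expires.
    - name: Read certificate validity
      community.crypto.x509_certificate_info:
        path: "{{ cert_path }}"
        valid_at:
          soon: "+{{ cert_min_days_left }}d"
      register: cert
    - name: Stop the run if the certificate expires within the threshold
      ansible.builtin.assert:
        that: cert.valid_at.soon
        fail_msg: "{{ cert_path }} expires on {{ cert.not_after }}"

    # 6. Control of remote access: key-only SSH, no root login.
    - name: Harden sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?{{ item.key }}"
        line: "{{ item.key }} {{ item.value }}"
        validate: sshd -t -f %s
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
      notify: Restart sshd
  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh                 # service name on Debian/Ubuntu
        state: restarted
```

Run it on a schedule (or from CI) so the two `assert` tasks act as the early-warning alert the findings describe: a failed run is the signal that a target has regressed.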
34 // Guardicore – 21st Annual Privacy Conference
Findings
DevOps Modeled - Software-Defined Segmentation Example
▪ Software-Defined Segmentation
  ▪ Provides visibility
  ▪ Decoupled from the underlying platforms and OS
  ▪ DevOps: Playbook friendly
  ▪ Granular
    ▪ User, Process and FQDN
  ▪ Can be deployed in minutes versus months
  ▪ Provides protection while you go after these in a sane, easy manner:
    ▪ Vulnerability Scanning and Patching
    ▪ Strong password enforcement combined with dual factor authentication
    ▪ Run without elevated privileges
    ▪ Account control/expiration procedures
    ▪ Certificate management practices
    ▪ Control of enterprise services like DNS, Remote Access (SSH/RDP), AD and other critical services
35 // Guardicore – 21st Annual Privacy Conference
Olympic Games Pyeongyang
36 // Guardicore – 21st Annual Privacy Conference
Olympic Games Pyeongyang 2016
Olympic Staff
• Had very well-developed incident response plans that included everyone, including industry partners and government entities (domestic and foreign)
• These were well practiced, repeatedly
VITAL! Well-developed and rehearsed incident response plans!
37 // Guardicore – 21st Annual Privacy Conference
Olympic Games Pyeongyang 2016
From the start everyone knew exactly what to do
• Ticket takers – moved to printed books to validate tickets
• LTE hotspots were distributed throughout the Olympic facilities to temporarily restore some capabilities and for the press
• Ahn Labs and others, already on standby, were notified
20:10
38 // Guardicore – 21st Annual Privacy Conference
Olympic Games Pyeongyang 2016
Critical decision to take the entire Olympic network off the Internet.
23:30
39 // Guardicore – 21st Annual Privacy Conference
Olympic Games Pyeongyang 2016
Ahn Labs provides patch for winlogin.exe
05:00
40 // Guardicore – 21st Annual Privacy Conference
Olympic Games Pyeongyang 2016
Reset Laptops, Active Directory Services
06:30
41 // Guardicore – 21st Annual Privacy Conference
Olympic Games Pyeongyang 2016
Reimage every server from backup, restart all services accelerated by automated scripting
07:55
42 // Guardicore – 21st Annual Privacy Conference
Olympic Games Pyeongyang 2016
The first event starts… 09:00
43 // Guardicore – 21st Annual Privacy Conference
Olympic Games Pyeongyang 2016
The first event starts… 09:00
SUCCESS!!
44 // Guardicore – 21st Annual Privacy Conference
Investigation
45 // Guardicore – 21st Annual Privacy Conference
Investigation Ensues
Two Years Prior
• Spear phishing
• Word doc – list of VIP guests
• Opens looking like it had been corrupted
• "Click here to fix"
• Launches a Word macro that uses the user's rights to elevate privileges via PowerShell and load malware
46 // Guardicore – 21st Annual Privacy Conference
Investigation Ensues
Spreads Throughout Olympic Network
• Active Directory poisoning
• Wiper program hidden on each machine
47 // Guardicore – 21st Annual Privacy Conference
Investigation Ensues
Who was it?
48 // Guardicore – 21st Annual Privacy Conference
Investigation Ensues
At first seemed to be North Korea
• Header info, language and techniques seemed to be like Lazarus Group APT 38
49 // Guardicore – 21st Annual Privacy Conference
Investigation Ensues
But Part of Preparation was a Great Deal of Diplomacy
• North invited to the games
• North and South would come out as a unified Korea at the opening of the games
• The North & South women’s hockey team would play together
• Kim Jong-un sends his sister to attend
51 // Guardicore – 21st Annual Privacy Conference
Investigation Ensues
Then a major discovery occurs:
• The infected Word document technique was found to have been used before in multiple attacks on Ukraine
• Programmer metadata names from both are identical
• Techniques as well
• We were experiencing an excellent false-flag attack
52 // Guardicore – 21st Annual Privacy Conference
Investigation Concludes
It was Russia
53 // Guardicore – 21st Annual Privacy Conference
Summary
▪ Have an Incident Response Plan
  ▪ Sets expectations that you will be breached
▪ Well thought out
▪ Includes non-technical staff – legal, business owners and even board members
▪ Well practiced
54 // Guardicore – 21st Annual Privacy Conference
Summary
▪ Make Progress On The Common Targets:
  ▪ Vulnerability Scanning and Patching
▪ Strong password enforcement combined with dual factor authentication
▪ Run without elevated privileges
▪ Account control/expiration procedures
▪ Certificate management practices
▪ Control of enterprise services like DNS, Remote Access (SSH/RDP), AD and other critical services
▪ Segmentation (most often in Software Defined Segmentation)
56 // Guardicore – 21st Annual Privacy Conference
Summary
▪ Incorporate DevOps
  ▪ Automate updates, checks and remediation
  ▪ In selecting new cybersecurity solutions
  ▪ Use software-defined segmentation
57 // Guardicore – 21st Annual Privacy Conference
Thank You