Initial draft for community review [email protected] 1
Ransomware - Risk Posture
Introduction - Have you been asked, "Are we cyber safe yet?" Or, from a more discerning and risk-aware leadership, "What's our risk posture?" (Of course you then ask them what their risk appetite is!) Better still is when the Board of Directors (BoD) asks, "How will we recover from a Ransomware attack?", because then they understand that it is not a question of IF, but WHEN. So how do you start to answer those questions in a structured way, especially the last one? First, provide an estimate of the residual risk posed by Ransomware, even though that is a fairly complex equation with many moving parts. Then provide a methodology to minimize both the likelihood and the impact of a Ransomware attack within the company. Given current industry Ransomware statistics, with the worst year on record and the negative impact growing very quickly, our collective approach must be to assume we will be attacked and that the attackers are likely already inside our network. That assumption also demonstrates the critical need for an effective incident response process to contain the attack and reduce data and resource losses.
Once the Security team has assessed the organization's relative risk posture for a given vulnerability, the operative challenge is communicating the residual risk in a common format, using familiar vernacular, especially to the C-Suite / BoD. This community paper provides a methodical approach: consider the major factors, heuristically quantify each element's relative risk, then aggregate that into a notional overall risk level. We then provide prioritized mitigation suggestions and recommend a 'risk heat map' as one communication medium to distill that information, using standard risk management vernacular. Your mileage may vary!
Summary - The Company is not currently in any known, obvious risk state for a Ransomware attack. Ransomware poses data loss (inability to access data) and possible blackmail (threat of public release) risks, along with all the negative business ramifications that go with them. For the current Company security posture, the overall aggregate risk for Ransomware is estimated as MEDIUM, as quantified later. Compiling and enumerating the risk is complex for a multifunctional risk element like Ransomware, which is non-linear and holistic, with many interdependent variables; the result is a relative, notional residual risk estimate. That said, this risk-based process facilitates mitigation prioritization. Even though the key risks found by our structured methodology are most likely common to all organizations, we offer the overall risk assessment approach so that anyone can tailor it to their own organization and derive a set of prioritized mitigations that yields a minimum risk posture and the best risk value.
So, what's the answer (so I don't have to read this whole paper)? As usual, "it depends" on your security environment and managed baseline posture. We summarize the major factors below; the rest of the paper provides Ransomware background, key threats, best practices, risk formulations (especially in nondeterministic environments), recommended mitigations, etc. The outcome of this risk assessment is what most already know: the major mitigations are still effective. They are (A) a verified 'secure' backup approach, (B) enterprise malware identification, detection and prevention (NGAV), (C) enforced access controls / IAM, (D) cyber hygiene / vulnerability management (patching, CMDB, etc.), and (E) firewall and application control rule sets. (Cyber awareness training will make the top risk list for many, as phishing is a huge threat vector and it only takes one user clicking one link; in our notional security environment we assessed it as adequately effective, i.e., a medium risk and all we could support at the time, so we focused mainly on technical controls.) (IF you have already been attacked, go to https://www.nomoreransom.org/ .)

Still, no surprises here: these risks and related mitigation activities are the hallmarks of an effective risk-based security strategy, whether the goal is Ransomware risk minimization, data breach risk reduction, or any other threat vector and its associated vulnerabilities and risks. The effectiveness of these methods and their key mitigations must also be assessed against the techniques threat actors use to bypass them or render them partially ineffective, as suggested in the right-most column of Table 1.0. The challenging task is then to determine which of these 17 methods need attention in your environment, given that some may already be rendered less effective. We later examine the major vulnerability areas (the "methods / weaknesses" column below) associated with each mitigation, weigh its utility against the effectiveness of the threat actors' tactics, and then distill the residual risk into the risk heat map (assessed and captured later in Table 2.0).
Table 1.0 - Methods / weaknesses, recommended mitigations, and the threat actor techniques that erode them

1. Secure backup / not effective (or partially in place)
   Mitigations: All devices covered. Backups stored offline (onsite and offsite). Periodically test restore. Automatic backups validated to ensure they do not contain malware.
   Threat actor techniques: Backup images poisoned (malware already installed); backup credentials stored on the endpoint; backups stored in the cloud, but if the entire enterprise is encrypted, restoring everything from the cloud is infeasible.

2. Phishing training / high click rate or no enforcement
   Mitigations: Use digital signatures for assured sender identities. User behavior modification through periodic exercises and targeted training. Consequences for those who fail exercises.
   Threat actor techniques: Sophisticated messages with content specific to the victim; spoofed email addresses that appear legitimate; zipped or encrypted attachments to bypass scanners.

3. Patching effectiveness / weak or ad hoc ITAM / CMDB
   Mitigations: Automated / virtual patching. Vulnerability prioritization. Effective CMDB / release management. Actively monitor threat intel for 0-day malware and prioritize patching accordingly.
   Threat actor techniques: Ransomware can enter through 0-day / 1-day exploits that patching cannot yet cover, or may not rely on vulnerability exploits at all.

4. FW and application rule sets / not implemented or poorly managed
   Mitigations: Firewall (FW) whitelisting / URL and egress filtering. Application (APP) whitelisting (limit exceptions); code signing greatly complements application whitelisting.
   Threat actor techniques: Depending on implementation, whitelisting can be ineffective because some environments are too dynamic. Malware moves laterally, executes commands, etc.

5. IAM, users and PAM / weak process or ineffective monitoring
   Mitigations: Limit local admins (all types), tightly control exceptions, block installation of local executables. No user boot bypass. Strictly manage privileged users. Log activity for changes to service accounts.
   Threat actor techniques: Adversaries increasingly abuse local backup-administrator and service accounts, which cannot simply be removed without breaking the services that depend on them.

6. Email server & Exchange / weakly or partially enabled
   Mitigations: Employ all scan and block capabilities, including blocking JavaScript and executables. Continue to use Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) to reduce spoofed inbound email.
   Threat actor techniques: Scanners cannot keep up with evasive ransomware campaigns that easily detect when they are running in a virtual machine; an adversary can bypass detonation chamber (sandbox) technology.

7. Next-gen AV / not effective or weakly integrated
   Mitigations: Use both host and network AV. Use behavior- (and reputation-) based AV as the primary tool rather than only signature-based AV (which is hard to keep up to date). Integrate with SIEM and SOC.
   Threat actor techniques: Ransomware markets and RaaS ensure that every sample launched in a campaign has a one-off unique signature/hash. Heuristic and behavioral detection (including detonation chambers) can be bypassed via the evasion and persistence techniques routinely used by malware.

8. Client / PC controls set-up / no profile is managed
   Mitigations: Strictly manage the client security profile (restrict / disable settings and controls; see appendix, Table 4.0).
   Threat actor techniques: Ransomware may still execute successfully even if client security policies are enabled.

9. Internet browser controls / not defined or managed
   Mitigations: Develop a minimum security baseline for the browser. Block general "Tor" browser use. Provide tighter controls (file sharing, wireless, PowerShell, etc.) and minimize active code (JavaScript, ActiveX, etc.).
   Threat actor techniques: Blocking Tor may prevent users from visiting the "dark net" but won't fully stop ransomware; it mainly removes the ability to pay the ransom.

10. Password policy & operations / not audited or enforced
   Mitigations: Password and privileged account management (PAM) policy with automated monitoring supporting enforcement. Conduct periodic audits. Use multi-factor authentication (MFA) for sensitive devices (e.g., IT and Security 'crown jewels').
   Threat actor techniques: MFA/2FA is a solid recommendation for confidentiality, but it does not prevent an end user from authenticating to an email application, then opening an attachment or clicking a malicious link and becoming infected via that vector.

11. Security monitoring / inadequate or not integrated
   Mitigations: Defense-in-depth monitoring; SIEM and SOC integrated; bi-directional monitoring; fine-tuned filtering; prioritized alerts for specific use cases. Consider improving cloud security and monitoring with a CASB (cloud access security broker).
   Threat actor techniques: 'Alert fatigue' from organizations collecting data on almost everything. SIEMs are routinely either 'turned on' but doing little and not operationalized, or over-fed with tens of thousands of alerts per day; attackers benefit from the noise by burying the signal of their activities in it.

12. IDS or IPS / not used, poorly placed, or not properly configured
   Mitigations: Actually have one (or more), with well-placed sensors on key network segments. Sandbox. Located at the perimeter, able to decrypt most web and email traffic, and application aware; used in conjunction with a Web Application Firewall (WAF) or application gateway firewall (for client-server apps).
   Threat actor techniques: It is often the IDS alerts that create so much of the SIEM noise that paralyzes organizations. Adversaries routinely use IDS/IPS as weapons of distraction to send analysts down rabbit holes.

13. Adobe Flash / Adobe Reader / not replaced or kept patched
   Mitigations: Do not use Flash if at all possible. If required, diligently apply the many patches per week. Most should consider another player such as "Unity Web Player" or GNU Gnash, and/or choose an overall PDF reader replacement: https://www.foxitsoftware.com/products/pdf-reader/
   Threat actor techniques: This helps against Locky and a few other variants / campaigns, but there are many ways to get ransomware onto the victim machine; it really depends on whether the threat is opportunistic or targeted.

14. Mobile security / weak policy, inadequate MDM, NAC
   Mitigations: Enforced mobile / BYOD policy. Manage devices and apps using Mobile Device Management (MDM), Mobile Application Management (MAM) and Network Access Control (NAC).
   Threat actor techniques: TTPs for mobile are slightly different: adversaries probably won't use encryption, but will exfiltrate data and hold it for ransom under threat of public release; they may also steal financial information from mobile devices to get into bank accounts.

15. Microsoft "macros" / ineffective identification and removal
   Mitigations: Malware includes macros and scripts that must be scanned for in email, Office and security tools; use GPO to globally disable macros by default; limit users' ability to enable macros.
   Threat actor techniques: Macros are now used pervasively to spread ransomware; disabling macros is one way to mitigate this, but users are able to enable them on a per-use basis.

16. Application controls / no policy, no V&V, no S-SDLC
   Mitigations: Formal "Secure SDLC" approach, application whitelisting along with code signing, scanning for dated / unlicensed software, and minimizing poor software development practices (SQL injection, etc.) through the Secure SDLC.
   Threat actor techniques: Removing common software security errors is always good business, but it won't stop a ransomware campaign from occurring, because the attack vector is not aimed at application vulnerabilities. Adversaries may try to embed malware in known applications to bypass whitelisting.

17. Block malware command and control / not done
   Mitigations: Use a server-side black-hole DNS sinkhole approach. This blocks the command and control (C2) of malware from "phoning home" for the key, etc.
   Threat actor techniques: Adversaries now use domain generation algorithms (DGAs) to set up and tear down domains at cyclical rates; C2 can also be carried out over many other channels (e.g., embedded in images via steganography); more recent forms of malware do not need to retrieve the key as CryptoWall used to, but instead have the key already embedded in the binary and purposely do not rely on any C2.
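Item 17 above says a sinkhole catches malware that still "phones home", while DGA-driven C2 churns through many short-lived domains. The following Python is an added example (not code from the paper) of the detection side of that: it runs over a handful of constructed resolver log lines, matches lookups against an assumed sinkhole list, and flags hosts that produce a burst of NXDOMAIN answers for long, high-entropy second-level labels, which is the trail a DGA leaves before one of its candidates resolves. The log format, the sinkhole list and the cut-offs (entropy 3.5 bits/char, label length 12, three failures) are assumptions.

```python
"""Flag DGA-style C2 lookups and sinkhole-list hits in DNS query logs.

Added example; not from the paper. The log format, the sinkhole list, the
entropy/length cut-offs and the NXDOMAIN count are ASSUMPTIONS; the log lines
are constructed for illustration.
"""
import math
import re
from collections import defaultdict

# Constructed sample in an ASSUMED "epoch client qname rcode" resolver log format.
SAMPLE_LOG = """\
1496300001 10.1.4.23 update.windowsupdate.com NOERROR
1496300002 10.1.4.23 mail.example-corp.com NOERROR
1496300003 10.1.4.57 xk3jd9qpv2mzt8w.com NXDOMAIN
1496300004 10.1.4.57 q8v7bzm4lrkd2yh.net NXDOMAIN
1496300005 10.1.4.57 pz9w2kqlm5jtx7d.org NXDOMAIN
1496300006 10.1.4.57 h4tr8n2vmxq6ykc.info NXDOMAIN
1496300007 10.1.4.57 c2-payload.bad-actor.example NOERROR
1496300008 10.1.4.23 www.wikipedia.org NOERROR
"""

# ASSUMED sinkhole / RPZ feed: registrable domains already known as C2.
SINKHOLE = {"bad-actor.example"}

LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def entropy(text):
    """Shannon entropy in bits per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable(qname):
    """Last two labels as the registrable domain (ASSUMES no multi-label
    public suffixes such as co.uk in the data)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse(log):
    """Yield (ts, client, qname, rcode); silently skip malformed lines."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            yield int(ts), client, qname, rcode


def analyse(log, entropy_min=3.5, label_min=12):
    """Per-client summary: sinkhole hits, DGA-looking NXDOMAIN names, NXDOMAIN count.

    A DGA suspect is an NXDOMAIN answer whose second-level label is long and
    high-entropy: the 'set up and tear down domains' pattern leaves a trail of
    failed lookups before one candidate resolves.
    """
    per_client = defaultdict(lambda: {"sinkhole_hits": [], "dga_suspects": [], "nxdomain": 0})
    for _, client, qname, rcode in parse(log):
        rec = per_client[client]
        domain = registrable(qname)
        if domain in SINKHOLE:
            rec["sinkhole_hits"].append(qname)
        if rcode == "NXDOMAIN":
            rec["nxdomain"] += 1
            sld = domain.split(".")[0]
            if len(sld) >= label_min and entropy(sld) >= entropy_min:
                rec["dga_suspects"].append(qname)
    return dict(per_client)


def flagged(log, dga_min=3, **kw):
    """Clients to triage: any sinkhole hit, or >= dga_min DGA-looking failures."""
    summary = analyse(log, **kw)
    return sorted(c for c, r in summary.items()
                  if r["sinkhole_hits"] or len(r["dga_suspects"]) >= dga_min)


if __name__ == "__main__":
    for client, rec in analyse(SAMPLE_LOG).items():
        print(client, rec)
    print("triage:", flagged(SAMPLE_LOG))
```

On the sample, only 10.1.4.57 is flagged, on both grounds. The caveat from the table still applies: a variant that ships with its key embedded and never contacts C2 produces none of these signals, so this is a detection for the C2-dependent families, not a substitute for the backup and access controls in items 1 and 5.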
Assumptions & Limitations - No security system is ever close to 100% effective; thus there is always some residual risk. The optimum security environment has proven, effective protection controls in place, using a defense-in-depth / defense-in-breadth approach, complemented by continuous security monitoring, effective security education, and periodic audits. The residual risk of any capability is then assessed within this environment using a combination of mitigation factors from policy, process, people, and product (technology). The major Ransomware factors are proposed in Table 1.0 above, but the effectiveness of this risk reduction journey must be supported collaboratively, as a priority, across the entire IMS / Operations / IT Security department. Thus we strongly recommend that the department take a dedicated risk team, working-group approach to Ransomware prevention, to maximize the overall company protection state with collective but limited resources and so offer the best-value risk posture.
The appendix provides more information on risk conditions, best practices, and detailed client technical controls. These are a few additional references and sources of interest (in this paper we liberally excerpt the key recommendations therein):
1. http://www.ebulletinsresources.com/hubfs/D1/KnowBe4/Ransomware-Hostage-Rescue-Manual.pdf - Detailed overview and response checklists.
2. https://www.csiac.org/podcast/ransomware/ - Educational video on the topic.
3. https://www.nomoreransom.org/ - Offers a one-stop-shop resource for battling Ransomware infections.
4. http://www.ebulletinsresources.com/hubfs/D1/Eset/Ransomware.pdf - Ransomware best practices.
5. https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf - Great overview and high-level mitigation steps.
A couple of recent articles to note:
http://www.healthcare-informatics.com/article/cybersecurity/cost-ransomware-attacks-can-reach-far-beyond-ransom-payment-itself
http://www.securityweek.com/cybereason-unveils-free-ransomware-protection-tool
http://essentials.code42.com/rs/760-OMU-478/images/Ransomware%20roadmap-%20where%20cybercriminals%20will%20attack%20next.pdf
The sample risk heat map depicts the risks for methods #1 - 17 above. The outcome of this risk assessment suggests that the major mitigations are to make effective: (A) secure backup (the failure of, #1); (B) next-generation AV / malware prevention (#7); (C) IAM / access controls (weak or unenforced policy, #5); (D) vulnerability management (poor patching / CMDB, #3); and (E) FW and application rule sets (#4). (NOTE: notional values are used for illustration purposes only; they do not represent actual values, rather the likely key risks to consider. Use your own numbers when tailoring this paper.)
Methods - We first propose a set of methods for a Ransomware risk reduction approach within the Company's cyber posture, from which the residual risk is then estimated. Likelihood and consequence are initially estimated heuristically for each major method and then weighted in the aggregate to provide a notional residual risk level. Residual risk, like reliability or safety, is complex and generally not a linear function: some factors are weighted more than others. Risk is also relative in any environment (the impacts it causes), so all risk factors must be taken in context. If all risk is quantified in the same manner, however, the outputs tend to be naturally normalized and it is easier to show the higher relative risk factors. The "risk heat map" approach used herein is one method to prioritize mitigations when limited resources are used to minimize the company's overall risk posture. (Note: this general risk approach does not go into the "Return on Investment (RoI)" of security, using annualized loss expectancy (ALE) or other cost methods, to determine the 'value' of each protection measure in reducing risk.) The residual risk of complex vulnerabilities must be viewed and assessed from several perspectives to obtain an aggregated and weighted notional risk determination. In highly interrelated systems, the actual risk interdependencies have many unknowns and typically behave in a nondeterministic manner. Therefore, trying to quantify an absolute level of risk for each element and then aggregate those into an overall residual risk with any degree of certainty becomes quite costly for little added value. In addition, every risk estimate has an associated confidence factor that takes into account the fidelity, quality and assurance level of the estimate. Given the nature of a complex aggregated risk determination within a holistic and nondeterministic environment, the law of diminishing returns is usually reached early when trying to obtain a high confidence factor for any risk estimate. That is, once a nominal risk estimate is developed with general department concurrence, resources are better used in prioritizing the risk mitigations themselves than in trying to increase confidence factors. Ideally the key department managers and stakeholders agree on an acceptable confidence level in advance of estimating the nominal risk level.
Discussion - Ransomware is malware that encrypts a device's contents in order to extort money from the owner in return for restoring access to those resources. This kind of malware can also have a built-in timer with a payment deadline that must be met, otherwise the price for unlocking the data and hardware grows, or the information is ultimately rendered permanently inaccessible. Well-known examples of Ransomware affecting desktop computers include Reveton, CryptoLocker, CryptoWall, TeslaCrypt and Locky (to name a few); on mobile platforms, Simplocker and LockerPin. The most recent top two variants are TeslaCrypt (58%) and CTB-Locker (24%), both spread mainly through spam email with malicious attachments or links to infected web pages. Industry studies and analyses show that Ransomware has emerged as a very popular form of malware for cybercriminals and that its use has been rising for years, targeting both privately owned and business devices. Windows and Android are currently the most commonly targeted operating systems, but recent attacks show that even Linux and OS X are not exempt. Companies need to mitigate the risk of Ransomware infection by focusing on the frequently used attack vectors, then provide guidance on how to effectively protect company devices and their contents, and recommend the available options when devices or files have already been taken hostage.
Increasingly Sophisticated Variants Are Emerging
Ransomware is evolving, using increasingly sophisticated tactics, techniques, and procedures (TTPs) to execute attacks, including:
--- RAA is JavaScript masquerading as a Word file with a .DOC file extension to avoid binary detection. Once launched, it seeks to prevent restoration from backups by deleting the Volume Shadow Copy Service (VSS) shadow copies. RAA also has a Trojan horse feature: it drops Pony, a password-stealing Trojan, for future hacking.
--- Unlike variants with an end-user and endpoint focus, SamSam targets servers via a JBoss vulnerability, from which it moves laterally to infect and encrypt data on other Windows systems. In the same family of server-side Ransomware, MakTub is a variant that compresses files to speed up the encryption process.
--- Hackers are even operationalizing Ransomware: Jigsaw is a newer variant that includes a chat feature to coordinate the ransom payment between victim and hacker.
--- The major Ransomware threat vectors are email attachments, web downloads and email links.
Additionally, our answer to the most pressing question that victims of a Ransomware attack face, "Should I pay what the cybercriminals demand?", is NO. That is what the FBI generally recommends; in addition, there is no guarantee that you will get the encryption key, and the criminals could also release the data publicly, infect other devices, etc. To be confident in not paying the ransom, a company must provide a due-diligence level of security protection against this threat, such that the notionally assessed organizational residual risk is ideally LOW/MED or at most MEDIUM.

Ransomware prevention can be a relatively complex endeavor with many moving parts, requiring interdepartmental collaboration to maximize the cyber performance of the entire company. In most cases, if one of the major risk factors described in the following table is not managed to an adequate level of risk, the overall Ransomware risk will likely increase roughly in proportion. The reverse is not generally true: spending a lot more resources to minimally reduce one type of risk likely will not correspond to an overall risk reduction. The major factors in Ransomware risk are assessed in the following discussion and listed in Table 2.0, with one table of best-practice mitigation recommendations in the appendix.
Sources on minimizing Ransomware impact are numerous, and any well-known resource is adequate; we highlight ESET's top 11 (ref #4):
1. Back up important data regularly and 'securely' (store it offline), and periodically verify that it restores.
2. Patch and update your software routinely, using a disciplined process (e.g., ITAM / CMDB / release management).
3. Pay attention to your employees' security training (and conduct periodic simulated phishing attacks).
4. Show hidden file extensions (many malware executables masquerade as PDF, DOC, etc.).
5. Filter executable attachments in email, use anti-spam filters, categorize subject lines, etc.
6. Disable files running from the AppData / LocalAppData folders.
7. Minimize the use of shared folders and compartmentalize as much as possible, since malware can spread through them.
8. Disable RDP (Remote Desktop Protocol), the Windows feature that allows others to access desktops remotely.
9. Use a reputable security suite, including a capable firewall, AV on host and network, whitelisting, etc.
10. Use System Restore to get back to a known-clean state.
11. Always use a standard account wherever possible, rather than one with administrator privileges.
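Item 1 of the ESET list (and item 1 of Table 1.0) asks for backups that are verified and periodically restore-tested, with Table 1.0 warning about poisoned images and backup credentials left on the endpoint. The following Python is an added example (not code from the paper or ESET) of what that verification can look like: it screens a backup set for files that already look encrypted, records a per-file SHA-256 manifest signed with an HMAC key that lives off the endpoint, and then runs a restore test that checks the manifest, every file's hash, and the restored content. The backup sets are constructed in memory so the example runs offline; the key, file names, extension lists and the 7.5 bits/byte entropy cut-off are assumptions.

```python
"""Signed backup manifest, encrypted-content screening, and a restore test.

Added example; not from the paper. The backup set is an in-memory dict so it
runs offline; the HMAC key, file names, extension lists and the 7.5 bits/byte
entropy cut-off are ASSUMPTIONS.
"""
import hashlib
import hmac
import json
import math
from collections import Counter

# ASSUMED: this key is held on the backup server / offline media, never on the
# endpoint being backed up (Table 1.0 item 1: credentials stored on endpoint).
BACKUP_KEY = b"assumed-offline-manifest-key"

# ASSUMED extension lists: known ransomware suffixes, and formats that are
# legitimately high-entropy (compressed / already encrypted by design).
RANSOM_EXT = (".locky", ".crypt", ".encrypted", ".ecc", ".zzz")
DENSE_EXT = (".zip", ".gz", ".7z", ".png", ".jpg", ".pdf")

# Constructed sample backup sets: a clean one, and one where a file was
# already encrypted by ransomware before the backup job ran.
CLEAN = {
    "finance/q3.xlsx": b"Q3 figures: " + b"1,234,567\n" * 60,
    "hr/policy.docx": b"Acceptable use policy, revision 4. " * 40,
}
_dense = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2048 random-looking bytes
POISONED = {"hr/policy.docx": CLEAN["hr/policy.docx"], "finance/q3.xlsx.locky": _dense}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def byte_entropy(data):
    """Shannon entropy in bits per byte; ~8.0 means encrypted or compressed."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def screen(files, entropy_max=7.5):
    """Paths that look already encrypted: ransomware suffix, or near-random
    content in a format that should be plain. Run before accepting a snapshot
    as 'known good', so a poisoned image is never the restore source."""
    hits = []
    for path, data in sorted(files.items()):
        low = path.lower()
        if low.endswith(RANSOM_EXT):
            hits.append(path)
        elif not low.endswith(DENSE_EXT) and byte_entropy(data) > entropy_max:
            hits.append(path)
    return hits


def _canonical(hashes):
    return json.dumps(hashes, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files, key=BACKUP_KEY):
    """Per-file SHA-256 plus an HMAC over the canonical hash list, computed
    with the off-endpoint key, so a manifest edited on a compromised host
    no longer verifies."""
    hashes = {p: sha256(d) for p, d in files.items()}
    return {"files": hashes, "mac": hmac.new(key, _canonical(hashes), "sha256").hexdigest()}


def verify_manifest(manifest, key=BACKUP_KEY):
    expected = hmac.new(key, _canonical(manifest["files"]), "sha256").hexdigest()
    return hmac.compare_digest(manifest["mac"], expected)


def check_restore(manifest, restored, key=BACKUP_KEY):
    """Periodic restore test: manifest MAC, every file present with the recorded
    hash, and no encrypted-looking content. Empty lists and False mean clean."""
    findings = {"manifest_tampered": not verify_manifest(manifest, key),
                "missing": [], "hash_mismatch": [], "suspect_content": screen(restored)}
    for path, digest in manifest["files"].items():
        if path not in restored:
            findings["missing"].append(path)
        elif sha256(restored[path]) != digest:
            findings["hash_mismatch"].append(path)
    return findings


def restore_ok(findings):
    return not findings["manifest_tampered"] and not any(
        findings[k] for k in ("missing", "hash_mismatch", "suspect_content"))


if __name__ == "__main__":
    print("screen clean:", screen(CLEAN))
    print("screen poisoned:", screen(POISONED))
    manifest = build_manifest(CLEAN)
    print("restore ok:", restore_ok(check_restore(manifest, CLEAN)))
```

The entropy screen catches data that was encrypted before the backup ran, which a plain hash check would happily record as "correct". It does not detect dormant malware inside an otherwise normal file; that still needs the AV scan of the backup image that Table 1.0 calls for.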
Recommendations - In Table 2.0 that follows, the major Ransomware risk causal factors are listed as 'methods' since they contain the typical mix of policy, process, people and product elements. To start the risk estimation journey, especially for those who have only a general awareness of the security methods, we first propose a high-level sense of the security 'posture'. This state is estimated first to frame each method's general effectiveness (an initial, relative, qualitative 'goodness' measure: good, average, marginal or poor) and to give a general sense of the capability's operational status. The 'common weak areas / exposure' column then provides a high-level view of the key residual problem areas of that method, which also helps link the relationships, dependencies and potential impacts among the other methods. The posture and exposure columns then help frame the numerical risk columns. The relative posture level and numeric risk estimate for each method indicate the potential for reducing that vulnerability's risk level, given the defense-in-depth status of the system architecture as a whole (the dependencies, hierarchy, inheritance, etc. at play). For example, mitigating a method's vulnerabilities where the posture is already good and the risk level low will likely have less overall risk reduction effect than mitigating a below-average posture (all other factors remaining the same).

When prioritizing which mitigations to put resources toward, these two columns (posture and risk) provide a relative weight for that method's residual weaknesses and also help factor the method into follow-on risk calculations. We use Likelihood (1-5) and Consequence (1-5) in a "5 by 5" risk matrix; overall risk is their product, ranked 1 - 25, and also color coded green, yellow, orange and red, from lowest to highest. See your company risk management plan for further definitions, steps and processes.
---Likelihood (probability of occurrence)
(1) Low = 0 - 20%
(2) Low-to-Medium = 21 - 40%
(3) Medium = 41 - 60%
(4) Medium-to-High = 61 - 80%
(5) High = 81 - 99.9%
---Consequence (effects on risk and on a program's CSP: cost / schedule / performance)
(1) Low = No to minimal CSP impacts or added risk
(2) Low-to-Medium = Minor reduction, tolerable CSP impacts, with some added risks
(3) Medium = Moderate increase in CSP impacts causing execution adjustment, with high added risks
(4) Medium-to-High = Major degradation in CSP, critical shortfalls experienced, with severe added risks
(5) High = Significant degradation in CSP, likely program default, with critical added risks
How to calculate the risk numbers - Using your current security environment's state for the method under assessment, and factoring in the reduced effectiveness caused by the hacker bypass techniques listed in Table 1.0, estimate the approximate levels between 1 and 5.

Calculating likelihood - Each method's level will involve different factors with varying weights. The mitigations themselves will also have varying effectiveness levels, countered by the effects of the hacker evasion techniques. Thus the guidance for estimating likelihood can't be exact or definitive here, as the variables are wide ranging and generally nonlinear. Suffice to suggest that one can use the posture, a general sense of the environment's status, and the method's mitigation effectiveness to roughly estimate the probability of occurrence. This proposed risk assessment process is, after all, an 'approximately correct' methodology to help prioritize the major impact-reducing mitigations, not an absolute risk level determination. The earlier discussion of the confidence factor applies here as well; the intent is a relatively simple risk model that is applied uniformly to arrive at an overall, value-added organizational risk reduction plan.

Calculating consequence - Just as estimating likelihood was a 'best effort' given the complexity of the variables, so too is consequence. The major difficulty here is that it is hard to quantify a method's specific impact, whereas in the end they can all lead to data loss and public exposure. So, given the estimated posture for that method, a sense of the postures of the other, more directly related methods (again a fuzzy, empirical determination), and the influence of the evasion techniques, one provides a relative, heuristic risk level. Again, the relative risk outcomes of the methods are the objective, providing a structured way to prioritize mitigations, not an assessment of absolute impacts.

The Likelihood and Consequence values are typically notional, heuristic, best holistic estimates based on a general sense of the residual risk potential. Due to the complexity and non-linear aspects of the Ransomware risk equation, the risk values below assume the other 16 methods are held constant and adequate at that point in time, to simplify each method's risk determination. (NOTE: this evaluation estimates the methods at a snapshot in time, each method estimated individually. Since internal and external factors change over time, affecting the methods to varying degrees, the risk process must be iterative, and the next evaluation / estimation effort will include the changes in the inter-relationships.) (Again, the posture and risk values are notional, to illustrate the process, not actual values of any company. Insert yours here!)
Table 2.0 - Notional risk estimate per method (Risk = Likelihood 1-5 x Consequence 1-5, range 1-25)

1. Secure backup - failure. Posture: Average. Likelihood 4, Consequence 5, Risk 20.
   Weak areas / exposure: Malware embedded. No "secure" verification and validation (V&V); minimal / ineffective restore testing.
   Mitigation comments: Make the backup process effective and regularly tested.
2. Phishing training - effectiveness. Posture: Average. Likelihood 3, Consequence 4, Risk 12.
   Weak areas / exposure: Weak compliance (no enforcement), infrequent exercises, low user retention.
   Mitigation comments: More / targeted exercises will raise effectiveness. Add digital signatures.
3. Patching (ITAM / CMDB) - effectiveness. Posture: Average. Likelihood 4, Consequence 4, Risk 16.
   Weak areas / exposure: Unpatched vulnerabilities, many of them known. Weak vulnerability management process feeding CMDB and release management.
   Mitigation comments: Weight / rank vulnerabilities, then patch critical ones ASAP, starting with externally exposed items. Establish a CMDB.
4. FW and application rule sets - effectiveness. Posture: Marginal. Likelihood 4, Consequence 4, Risk 16.
   Weak areas / exposure: Firewall (FW) rules lax / open; minimal black- or whitelisting and no URL filtering. Application whitelist not in place or ineffective, allowing too many exceptions.
   Mitigation comments: Improve FW rules / URL filtering. Implement architecture changes that allow the rule sets to be optimized.
5. IAM, users and PAM - coverage / effectiveness. Posture: Average. Likelihood 4, Consequence 4, Risk 16.
   Weak areas / exposure: Minimal control of local admins; too many excepted users. Weak privileged account management (PAM).
   Mitigation comments: Better monitoring of local admins and PAM. Some software runs without install.
6. Email server / Exchange - set-up inadequate. Posture: Average. Likelihood 3, Consequence 3, Risk 9.
   Weak areas / exposure: Email scanning / categorization so-so, some sandboxing, not using digital signatures, not blocking JavaScript.
   Mitigation comments: Make fake emails easy to spot. Better spam filters. Block scripts.
7. Next-gen AV product - effectiveness. Posture: Good. Likelihood 4, Consequence 5, Risk 20.
   Weak areas / exposure: Need to assess AV effectiveness and gaps, including script use. Incorporate Linux.
   Mitigation comments: Assess effectiveness; integrate into SIEM.
8. Client / PC controls set-up - effectiveness. Posture: Average. Likelihood 3, Consequence 3, Risk 9.
   Weak areas / exposure: Unclear status, no risk assessment done. Need to periodically verify the client security profile.
   Mitigation comments: Verify the client posture; restrict / disable settings (see appendix, Table 4.0).
9. Internet browser control - effectiveness. Posture: Marginal. Likelihood 3, Consequence 3, Risk 9.
   Weak areas / exposure: Need to assess status and develop a minimum security baseline (MSB) for allowed plugins and overall security controls. Block "Tor" use.
   Mitigation comments: Tighter controls (file sharing, wireless, PowerShell, etc.); minimize active code (JavaScript, ActiveX, etc.).
10. Password policy - enforcement. Posture: Marginal. Likelihood 3, Consequence 4, Risk 12.
   Weak areas / exposure: Weak / dated password policy. No audit / enforcement. Passwords likely reused across several systems.
   Mitigation comments: Enforce the password policy, conduct a baseline audit, strictly manage accounts!
11. Security monitoring - effectiveness. Posture: Good. Likelihood 2, Consequence 3, Risk 6.
   Weak areas / exposure: Defense-in-depth monitoring needed; SIEM and SOC not current / integrated; use bi-directional monitoring.
   Mitigation comments: Update SIEM and SOC. Integrate other tools. Consider Microsoft Log Analytics?
12. IDS / IPS - effectiveness. Posture: Average. Likelihood 2, Consequence 3, Risk 6.
   Weak areas / exposure: IDS minimally effective and not integrated with AV.
   Mitigation comments: Integrate with AV / SIEM; position sensors better.
13. Adobe Flash - in use. Posture: Average. Likelihood 2, Consequence 3, Risk 6.
   Weak areas / exposure: Flash has the most security flaws / patches of any product and is thus not worth using.
   Mitigation comments: IF used, diligently apply the many patches. Otherwise use sites with HTML5 or other alternatives.
14. Mobile security - not managed. Posture: Average. Likelihood 3, Consequence 3, Risk 9.
   Weak areas / exposure: Policy needs to cover BYOD. Manage phone access (device and apps); use MDM for NAC.
   Mitigation comments: Policy update. Enforce mobile controls; configure MDM for NAC and apps.
15. MS "macros" - not filtered. Posture: Good. Likelihood 2, Consequence 3, Risk 6.
   Weak areas / exposure: Filtering set-up / configuration management could be more effective; in general the Microsoft and security tools are not fully effective.
   Mitigation comments: Verify that security products sandbox documents and effectively clean them.
16. Application controls - not used. Posture: Marginal. Likelihood 3, Consequence 4, Risk 12.
   Weak areas / exposure: Need a "Secure SDLC" approach; some whitelisting done; need an audit / V&V process.
   Mitigation comments: Use a formal Secure SDLC process, expand application whitelisting, scan for unlicensed software.
17. Domain blocking - not used. Posture: Poor. Likelihood 3, Consequence 4, Risk 12.
   Weak areas / exposure: Not using a server black-hole DNS sinkhole approach (which blocks malware C2 communications).
   Mitigation comments: Install blocking services; prevents 'phoning home' for the key, etc.
– Overall risk assessment
As mentioned earlier, risk aggregation in a complex, multifaceted environment is usually non-linear and typically acts as a heuristic function within a
nondeterministic equation that is then integrated into an overall risk value. Because of their inter-related functions and interfaces (e.g., defense-in-depth,
inheritance, dependencies, etc.) – as well as many other holistic effects – each of the posture, likelihood, and consequence values is itself a
best-effort estimate, and thus 'approximate' in nature as well. Suffice it to say, an aggregated score for a complex risk is essentially a "ROM" (rough
order of magnitude) estimate that is best used in a relative manner amongst other environment risks, rather than as an absolute measure. As mentioned
earlier, adding more assessment resources does not necessarily increase the risk confidence factor, due to the nonlinear and nondeterministic behaviors
in a complex ecosphere.
For Ransomware overall, we suggest each organization decide which risk factors are more relevant, then sum and average them (even though they are not
linear, as mentioned) for an approximate risk level. Such a nominal risk weighting approach might focus on secure backup as a major factor, then pick
a few others as secondary effects; for example, using security awareness training in general and patching effectiveness as lesser influencing elements.
Given the risk estimates in the table above, the overall aggregated risk is then estimated as MEDIUM.
From a more heuristic aggregation of all the various risk elements overall, we can also generalize the risk to be:
Likelihood – Med (3) – Even as some elements have an overall higher risk, within our complex defense in depth environment, the general likelihood
is medium, especially as a major factor is NGAV, which in this use case example is well covered (e.g., a ‘good’ posture).
Consequence – Med (4) – Again, given our overall defense in depth effectiveness, security tools, and effective backup methods, the impact of data
loss (hostile encryption) is assessed as Medium.
Risk – L x C = 12 = MEDIUM.
– Prioritize mitigations
Now that we have a general sense of each method's residual risk that makes up our overall risk map level, we need to take actions that mitigate the
highest risk factors to obtain an overall minimal company risk posture. That is, how do we prioritize the mitigations proposed in table two to obtain
the highest risk value over time – mitigations planned in a time-phased, resource-constrained environment? No risk map is complete until
we both explicitly quantify the most critical mitigations and then plan their implementation, given limited resources and competing business
objectives. We provide several mitigation activities for each method (where many are a combination of policy, process (and services), people and
product (technology)). The ranking proposed and actions needed will vary with the specific environment and company culture, yet the results will
still provide a traceable output from the requirements (methods and risks) to the actions needed (the prioritized mitigations). Regardless of the
organization or industry, this structured assessment process still yields useful results, mapped back to a quantified basis and methodology (even as it
is heuristic / holistic in nature).
The outcome of this risk assessment suggests that the major mitigations are to accommodate: (A) – Effective secure backup (failure of, #1); (B) –
Effective IAM (weak or unenforced policy, #5); (C) – Effective Next Generation AV (NGAV) / malware prevention (#7); (D) – effective vulnerability
management (poor patching / CMDB, #3); and (E) – FW and APPs whitelisting (#4). (We again note that cyber awareness training is likely on most
folks' top-five risk heat map; depending on how you score the risks in the previous table, your top risks will change from this nominal example!)
So what’s next?
We need to tell our risk story to leadership in their language and make the point directly. So how do we distill the many complex factors, discussions
and recommended mitigations (and costs therein) above into a leadership-level risk view for Ransomware? While the risk determination for
all the methods tends to have complex and holistic effects, presenting that aggregate risk to leadership has to be clear and obvious. We suggest a 'risk
heat map' format, covering the major risk factors / vulnerabilities. This approach is especially useful when a briefer has minimal time to
inform a non-technical audience about the status of the problem and your approach, following that slide with the next steps and soliciting any
support needed. Heat maps come in several formats and types; the intent is conveying critical information quickly, showing both before and
after views when key mitigations are put in place. All your risks will then have the same visual impact too!
So how to now tell the overall risk story to leadership?
We use the previous key risks and develop the heat map (the lowest level you present depends on the company's risk appetite, as you can't
overwhelm them with everything security wants to address)! If you have several top 'red / critical' risks, pick the top several to start the conversation,
combining some methods' risks where they are strongly related. For this paper, we picked the methods below to demonstrate the risk heat map
process.
---The problem statement and impact
Data is any company's greatest asset, both for its competitive-advantage business value and for the impact of reducing risk exposure. Thus any company
should specifically assess, monitor and track Ransomware risks and required remediations to obtain the best risk value (impact reduction versus
resources). One Ransomware attack can negatively impact the business, including potential lost clients, reduced productivity and fines for inadequate
compliance measures (and possibly lawsuits or punitive damages from lack of due diligence).
---Risk mitigation high level status:
Take the major 'methods' in the table with higher residual risks (start with medium or above 13) and call them out here. We use the top five:
A – 1 – Secure Backup failure: "Red" (4 x 5)
B – 7 – Next Gen AV / malware protection: "Red" (4 x 5)
C – 5 – Identity and Access Management (IAM): "Red" (4 x 4)
D – 3 – Patching effectiveness - ITAM/CMDB: "Red" (4 x 4)
E – 4 – FW and APPs whitelisting: "Red" (4 x 4)
Then add a couple of specific concerns for each risk called out in the heat map slide (note, sometimes it's more direct to just state the actual
vulnerability). We believe it's useful to indicate (using the circle) risks that could cause brand / reputation damage, as these are especially critical to the
organization's long-term financial health. In this example, lack of a secure backup can potentially cause that sort of damage. These concerns and
vulnerabilities will need to be followed by a slide with the key mitigation / remediation activities needed to minimize the risk to some affordable 'risk
value' level (proposed using the blue (or greyed out) levels in the heat map). This assumes the mitigations are resourced adequately – including
personnel, time and funding; the major mitigation tasks will most likely need to be formalized in some level of a project to track the usual
"C/S/P" elements (cost / schedule / performance), especially considering the competing organizational business priorities.
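As an added worked example (not part of the paper), the scoring rule (Risk = Likelihood x Consequence), the ranking and top-five selection used for the heat map above, and the "sum and average" aggregation from the overall risk assessment, coded against the notional Table 2 values visible in this section. The band thresholds (13 and above = Red, following the "medium or above 13" cut and the 16/20 = Red rows; 8 to 12 = Medium, which covers the paper's overall 12 = MEDIUM; below 8 = Low) and the 3x weight given to secure backup are assumptions; row 2 (awareness training) is omitted because its values are not in this section, and ties are broken by method number where the paper orders them by judgement.

```python
"""Risk = Likelihood x Consequence scoring, ranking and aggregation.

Added worked example, not from the original paper. It scores the notional
Table 2 rows the way the paper describes, ranks them for the heat map and
computes the 'sum and average' overall level (plain and weighted).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Method:
    number: int
    name: str
    posture: str
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    consequence: int   # 1 (negligible) .. 5 (severe)

    @property
    def risk(self) -> int:
        # The paper's rule: Risk = L x C on a 5 x 5 matrix (1..25).
        return self.likelihood * self.consequence


# Band thresholds: 13+ = Red follows the paper's "medium or above 13" cut and
# its 16/20 = Red rows; 12 = MEDIUM is the paper's own overall result.
# The Medium/Low boundary at 8 is an assumption for illustration.
RED_AT = 13
MEDIUM_AT = 8


def band(risk: int) -> str:
    """Map a 1..25 risk score to a heat-map colour band."""
    if risk >= RED_AT:
        return "Red"
    if risk >= MEDIUM_AT:
        return "Medium"
    return "Low"


# Notional values transcribed from the paper's Table 2 (this section). Row 1
# comes from the 'top five' list (4 x 5); its posture is not shown there.
TABLE_2 = [
    Method(1, "Secure backup", "n/a (not shown in this section)", 4, 5),
    Method(3, "Patching effectiveness / CMDB", "Average", 4, 4),
    Method(4, "FW and APPs rule sets", "Marginal", 4, 4),
    Method(5, "IAM, users and PAM", "Average", 4, 4),
    Method(6, "Email server / exchange", "Average", 3, 3),
    Method(7, "Next Gen AV", "Good", 4, 5),
    Method(8, "Client / PC controls", "Average", 3, 3),
    Method(9, "Internet browser control", "Marginal", 3, 3),
    Method(10, "Password policy", "Marginal", 3, 4),
    Method(11, "Security monitoring", "Good", 2, 3),
    Method(12, "IDS / IPS", "Average", 2, 3),
    Method(13, "Adobe Flash", "Average", 2, 3),
    Method(14, "Mobile security", "Average", 3, 3),
    Method(15, "MS macro filtering", "Good", 2, 3),
    Method(16, "Application controls", "Marginal", 3, 4),
    Method(17, "Domain blocking", "Poor", 3, 4),
]


def ranked(methods):
    """Highest risk first; ties broken by method number (the paper orders
    ties by judgement instead)."""
    return sorted(methods, key=lambda m: (-m.risk, m.number))


def top_n(methods, n=5):
    """The methods to call out on the heat map slide."""
    return ranked(methods)[:n]


def heat_map_lines(methods, n=5):
    """One line per called-out risk, in the paper's 'A - 1 - name "Red" (L x C)' style."""
    lines = []
    for letter, m in zip("ABCDEFGHIJ", top_n(methods, n)):
        lines.append(f'{letter} - {m.number} - {m.name}: "{band(m.risk)}" '
                     f'({m.likelihood} x {m.consequence} = {m.risk})')
    return lines


def overall(methods, weights=None):
    """'Sum and average' aggregation; weights let one factor (e.g. secure
    backup) count for more, as the paper suggests. Returns (mean, band)."""
    weights = weights or {}
    total_w = sum(weights.get(m.number, 1.0) for m in methods)
    weighted = sum(m.risk * weights.get(m.number, 1.0) for m in methods)
    avg = weighted / total_w
    return avg, band(round(avg))


if __name__ == "__main__":
    for line in heat_map_lines(TABLE_2):
        print(line)
    plain, plain_band = overall(TABLE_2)
    print(f"Overall (plain average): {plain:.1f} -> {plain_band}")
    w_avg, w_band = overall(TABLE_2, {1: 3.0})   # secure backup weighted 3x (assumption)
    print(f"Overall (backup weighted 3x): {w_avg:.1f} -> {w_band}")
```

Swap in your own likelihood and consequence values and weights; the plain average of these notional rows lands at 11.5 and the backup-weighted one at about 12.4, both in the Medium band the paper arrives at, while the five Red rows are the ones the heat map calls out.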
Major remediation activities and key deliverables schedule (with any added costs highlighted):
Now that you have told your leadership what the top risks are, what mitigation changes are needed to get them to their planned residual risk state? We
suggest listing your top two mitigation actions for each risk, so as not to overwhelm management with details, and to take the opportunity to let
leadership know where resources (money and people) are required. Illustrate how your security strategy tasks are focused on risk reduction, given
the requested resource availability and the overall department priority assigned (e.g., requiring the current funding level plus any added cost, while also
potentially using existing personnel who have other prioritized tasks competing for their time in the department).
Table 3.0 – Task / Steps and activities / Deliverables (example)
A1 – Verify 'secure' storage in place
   Steps / activities: Update requirements; assess as-is state & provide gaps, remediate risks, update processes
   Deliverables: Plans Q1, Implement Q2
A2 – Periodic testing, audit controls
   Steps / activities: Schedule restores periodically, assess for malware, use V&V processes, and check for covert channels. Ensure effective data at rest encryption is in place (minimizes theft, public disclosure)
   Deliverables: Plans Q1, Implement Q2
B1 – Effectiveness of NGAV
   Steps / activities: Malware prevention is the top technical protection; it will help minimize the risk in many other methods, thus assess the product status, including all OSes and devices using them.
   Deliverables: Plans Q1, Implement Q2
B2 – Enterprise holistic coverage
   Steps / activities: It's not just the end-point protection; assess the overall environment's malware lifecycle, include security tools, integrate into SIEM and SOC efforts, etc.
   Deliverables: Plans Q1, Implement Q2
C1 – IAM Policy and processes
   Steps / activities: Update IAM policy; include users, insider threat aspects, PAM (including local admin rights), etc. Translate policy into IAM execution processes, use run books, etc. (require $$$ for tool)
   Deliverables: Plans Q1, Implement Q2
C2 – Monitor & Audit IAM activities
   Steps / activities: Formalize an IAM audit / V&V process. "Can't manage what you don't measure" applies to risk as well. Integrate inputs from major sources: AD, Windows files, scans, security tools, etc.
   Deliverables: Plans Q1, Remediate Q2
D1 – Vulnerability Management SoP
   Steps / activities: Within an overall Threat & Vulnerability Management (VM) strategy, integrate and correlate the many VM sources to establish a vulnerability prioritization schema that feeds "D2."
   Deliverables: Plans Q1, Implement Q2
D2 – ITAM / CMDB / release management
   Steps / activities: Develop an IMS CMDB process that integrates IT/OPS and SEC capability attributes and configuration items (CIs) and prioritizes patching for release management, including V&V.
   Deliverables: Plans Q1, Implement Q2
E1 – Firewall rule sets
   Steps / activities: Develop FW requirements; FW white listing and URL & egress filtering; iterate the rule set (build the white list URL by URL as needed; keep the black list too as needed)
   Deliverables: Plans Q1, Implement Q2
E2 – Application rule sets
   Steps / activities: Develop APPs requirements; Apps white listing plan (start with monitor mode, limit exceptions); ideally use code signing to enforce rules. Develop PPSM rules for both Apps & FW
   Deliverables: Plans Q1, Implement Q2
--Appendix---
Added support information, two tables below:
(Again - the status and exposure items are notional values to illustrate the process, not actual values of any company… insert yours here!)
Table 4.0 – Detailed client controls (Method / Status / Weak areas or exposure / Comments and mitigations)
Use HIPS (re: a host IPS)
   Status: no
   Weak areas / exposure: Network IDS / security tools not optimally configured
   Comments / mitigations: Use a host IPS to complement network IPS, at least on critical systems
Use Anti-Exploitation Features
   Status: no
   Weak areas / exposure: Addressed by other AV – Cylance, Carbon Black, etc.
   Comments / mitigations: Consider enabling MS' EMET
"Boot-Proof" Logon
   Status: yes
   Weak areas / exposure: Don't allow users to bypass log-on scripts, start-up programs
   Comments / mitigations: Use BIOS to prevent booting from other than the hard drive & PW protect BIOS
Show file extensions
   Status: yes
   Weak areas / exposure: Allows user to see if a file is an executable
   Comments / mitigations: Continue to block executables as email attachments
Consider disabling vssadmin.exe
   Status: no
   Weak areas / exposure: This disables system restore and file versioning restore; if you disable this feature, consider another form of system restore to do backups
   Comments / mitigations: Develop alternatives, show risk levels / utility for each
Windows FW is on
   Status: yes
   Weak areas / exposure: Windows FW is on for Public and Private connections (but not domain connections; would suggest turning on FW for all connection types)
   Comments / mitigations: Test in development environment, develop residual risk level with options, then deploy
Disable Windows Script Host
   Status: no
   Weak areas / exposure: This would require testing, could impact applications
   Comments / mitigations: Test in development environment, develop residual risk level with options, then deploy
Disable Windows PowerShell
   Status: no
   Weak areas / exposure: PS should be disabled; only a small percentage of the Company uses PS
   Comments / mitigations: Test in development environment, develop residual risk level with options, then deploy
Switch off unused wireless
   Status: no
   Weak areas / exposure: This would require some user education if we did disable unused wireless. Some systems have physical switches and others can be disabled via software
   Comments / mitigations: Minimizes remote connections unless user actively turns them on; provide user training on the process for activating a wireless connection
Deactivate AutoPlay
   Status: yes
   Weak areas / exposure: Disabled due to a previous autorun attack
   Comments / mitigations: Validate if setting is still disabled (new systems may have it enabled)
Monitor for host profile changes
   Status: some
   Weak areas / exposure: Use Microsoft's SCCM host profile compliance feature
   Comments / mitigations: Actively monitor centralized host logging files
GPO settings
   Status: some
   Weak areas / exposure: Mitigate stealing passwords from memory (mimikatz)
   Comments / mitigations: Updating to Windows 8 or 10 makes this much more effective
Windows remote desktop protocol (RDP) – lock down
   Status: Server only
   Weak areas / exposure: For example, Crysis malware is using compromised credentials for RDP computers
   Comments / mitigations: A common threat vector; strictly identify uses and control in your environment
Limit shared folders
   Status: some
   Weak areas / exposure: Compartmentalize as much as possible. Disable files running from AppData/LocalAppData folders.
   Comments / mitigations: Minimizes the spread of malware, especially via network drives
Minimum security baseline (MSB)
   Status: In work
   Weak areas / exposure: Quantifies the security configuration items to set and manage a client profile (includes the above items as a start, & others as tailored for your environment)
   Comments / mitigations: Documented MSB for PCs, laptops, etc., including Windows and Linux. Use to develop the client profile, which is then periodically assessed.
Additional client secure set up references:
https://www.gov.uk/government/publications/end-user-devices-security-guidance-windows-81/end-user-devices-security-guidance-windows-81
http://www.dss.mil/documents/odaa/ODAA_Baseline_Tech_Security_Configurations_Win7-2K8.pdf
http://www.asd.gov.au/publications/protect/Hardening_Win8.pdf
http://iasecontent.disa.mil/stigs/zip/July2015/U_MicrosoftOfficeSystem2010_V1R10_STIG.zip
https://www.sans.org/reading-room/whitepapers/basics/managing-desktop-security-520
http://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
Table 5.0 – Risk Conditions – mitigation methods (Method / Best practices)
Secure Backup
   https://blogs.mcafee.com/business/security-connected/backup-security-best-practices/
   http://www.zmanda.com/backup-security.html
   http://www.oracle.com/technetwork/products/secure-backup/overview/osb-openworld2012-1930151.pdf
Phishing training
   https://dsimg.ubm-us.net/envelope/357963/374353/1429543955_Best_Practices_for_Dealing_with_Phishing_and_NextGeneration_Malware_ThreatTrack_Security.pdf
   http://docs.apwg.org/sponsors_technical_papers/Anti-Phishing_Best_Practices_for_Institutions_Consumer0904.pdf
Patching / ITAM/CMDB
   http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf
   https://www.sans.org/reading-room/whitepapers/bestprac/practical-methodology-implementing-patch-management-process-1206
IP / APPs whitelisting
   http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf
   http://mobile.esecurityplanet.com/malware/whitelisting-why-and-how-it-works.html
   http://resources.infosecinstitute.com/top-10-common-misconceptions-application-whitelisting/
IAM - Lock down end user devices
   http://www.pcworld.com/article/114727/article.html
   http://www.pcworld.com/article/2025897/a-road-warriors-guide-to-locking-down-your-laptop.html
   http://windowsitpro.com/security/10-steps-lock-down-desktops
Email Server / exchange
   https://technet.microsoft.com/en-us/library/bb691338(v=exchg.141).aspx
   https://support.rackspace.com/white-paper/email-security-best-practices-and-avoiding-downtime/
Effective Next Gen anti-virus product
   Use both a client and network product, different vendors. One should be anomaly vs signature based (or both combined). Consider cloud based AV, File Reputation Services…
   http://www.pcmag.com/article2/0,2817,2372364,00.asp
   http://www.pcworld.com/article/2974465/software-security/the-quick-and-easy-way-to-find-the-best-antivirus-software.html
   https://isc.sans.edu/forums/diary/Using+File+Entropy+to+Identify+Ransomwared+Files/21351/
Client / PC controls set-up
   See appendix on detailed client controls above (Table 4.0)
Internet browser control
   https://heimdalsecurity.com/blog/ultimate-guide-secure-online-browsing/
   https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/380013/Browser_Security_Guidance_-_Microsoft_Internet_Explorer.pdf
   https://isc.sans.edu/forums/diary/Controlling+JavaScript+Malware+Before+it+Runs/21171/
PW policy and enforcement
   https://www.sans.org/security-resources/policies/general/pdf/password-protection-policy
   http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
   http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf (note - dated / retired, but still a good reference)
Security Monitoring
   Use a SIEM to detect abnormal events & behaviors –
   https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24830/en_US/siem_best_practices_guide.pdf
   https://www.sans.org/reading-room/whitepapers/auditing/successful-siem-log-management-strategies-audit-compliance-33528
Using an IPS
   https://www.sans.org/reading-room/whitepapers/intrusion/network-ids-ips-deployment-strategies-2143
   http://www.cisco.com/c/dam/en/us/products/collateral/security/ios-intrusion-prevention-system-ips/IOS_IPS_Best_Practices.pdf
   https://www.wickhill.com/products/vendors/download/657/Best-practices-for-deploying-IPS
Adobe Flash/Reader
   https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/Acrobat_Enhanced_Security_FAQ.pdf
Mobile Security
   See mobile security paper, recommended controls (items A – F at the end)
   http://www.sciap.org/blog1/wp-content/uploads/Mobile-Security-paper-draft.pdf
   http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf
MS "macro" / hardening
   http://www.asd.gov.au/publications/protect/Hardening_MS_Office_2013.pdf
   Note that Office 2016 has much more granular group policy controls – O2016 can apply different controls to your personal files and your corporation's files
Application controls
   https://isc.sans.edu/forums/diary/A+Wall+Against+Cryptowall+Some+Tips+for+Preventing+Ransomware/20821/
Domain Blocking (Black Hole DNS Sinkhole)
   http://www.malwaredomains.com/?cat=6
   http://mirror1.malwaredomains.com/files/BOOT
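The NGAV row of Table 5.0 links the SANS diary on using file entropy to identify ransomware-encrypted files, and Table 3.0 (A2) asks that restored backups be assessed for malware. As an added example, not from the paper or the diary, the following Python implements that anomaly check: Shannon entropy per file, a skip-list for formats that are compressed by design (otherwise every archive and image is a false positive), and a share-wide flagged ratio that a SIEM rule could alert on when it jumps. The 7.9 bits/byte threshold, the extension list and the sample files are constructed assumptions; the uniform byte pattern in the demo stands in for ciphertext and is not real encrypted output.

```python
"""File-entropy check for ransomware-encrypted files.

Added example, not from the paper or the SANS diary it links. Ordinary
documents rarely exceed ~6 bits/byte of Shannon entropy, while encrypted
output sits just under 8, so a population of high-entropy files under
extensions that are not normally compressed is a useful anomaly signal.
Threshold, extension list and sample files are constructed for illustration.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_ALERT = 7.9    # assumption: bits/byte at or above which a file looks encrypted
SAMPLE_BYTES = 65536   # read only the head of each file to keep scans cheap

# Formats that are compressed/encrypted by design and would otherwise produce
# false positives (assumed list; extend it for your environment).
COMPRESSED_SUFFIXES = {".zip", ".gz", ".7z", ".rar", ".png", ".jpg", ".jpeg",
                       ".mp3", ".mp4", ".pdf", ".docx", ".xlsx", ".pptx"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 (a single repeated value) to 8.0 (uniform over all 256 values)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_ALERT) -> bool:
    return shannon_entropy(data) >= threshold


def scan_tree(root, threshold: float = ENTROPY_ALERT):
    """Return sorted [(path, entropy)] for files whose head is high-entropy and
    whose extension does not normally carry compressed content."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            if path.suffix.lower() in COMPRESSED_SUFFIXES:
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue          # unreadable or locked files are skipped, not fatal
            h = shannon_entropy(head)
            if h >= threshold:
                findings.append((str(path), round(h, 3)))
    return sorted(findings)


def flagged_ratio(root, threshold: float = ENTROPY_ALERT) -> float:
    """Share of scanned (non-compressed-type) files that look encrypted. A sudden
    rise of this ratio on a file share is the kind of anomaly to alert on."""
    total = 0
    for _dirpath, _dirs, names in os.walk(root):
        total += sum(1 for n in names if Path(n).suffix.lower() not in COMPRESSED_SUFFIXES)
    return len(scan_tree(root, threshold)) / total if total else 0.0


def demo_in_temp_dir():
    """Constructed sample: one text file, one 'encrypted' copy, one image.
    Returns (flagged base names, flagged ratio); only the .locked file should show."""
    uniform = bytes(range(256)) * 256   # stand-in for ciphertext: exactly 8.0 bits/byte
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "notes.txt").write_bytes(b"quarterly plan, budget and headcount\n" * 500)
        (Path(tmp) / "notes.txt.locked").write_bytes(uniform)
        (Path(tmp) / "photo.png").write_bytes(uniform)   # high entropy, but expected for PNG
        return [Path(p).name for p, _ in scan_tree(tmp)], flagged_ratio(tmp)


if __name__ == "__main__":
    names, ratio = demo_in_temp_dir()
    print("flagged:", names, f"ratio={ratio:.2f}")
```

Run scan_tree against a restored backup set or a monitored share; a text or spreadsheet whose head reads at close to 8 bits/byte has almost certainly been encrypted or replaced, and tracking flagged_ratio over time gives a simple baseline for detecting encryption in progress rather than after the fact.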