Why Federal Systems are Immune from Ransomware (and other grim fairy tales)

BeyondTrust Webinar 1 © Copyright 2017, National Security Corporation, all rights reserved Why Federal Systems are Immune from Ransomware (and other grim fairy tales) G. Mark Hardy @g_mark National Security Corporation +1 410.933.9333

Upload: beyondtrust

Post on 22-Jan-2018


Category:

Software



TRANSCRIPT

Page 1: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Why Federal Systems are Immune from Ransomware (and other grim fairy tales)

G. Mark Hardy, @g_mark

National Security Corporation

+1 410.933.9333

Page 2: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Why a Grim(m) Fairy Tale?

• The original book included Hansel & Gretel, Little Red Riding Hood, Snow White, Rapunzel

• Delightful children's stories

• Except in the original, the prince knocks up Rapunzel, Little Red Riding Hood is eaten by the wolf, Snow White's stepmother chokes to death in rage, and Gretel murders an old woman by shoving her into a flaming oven

Pay my ransom and I'll give you back your files. (ribbit)

Page 3: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


So What's Our Latest Fairy Tale?

• "After her keynote, [Acting U.S. CIO Margie] Graves told reporters she had a 'swell of emotion' knowing the federal government, at least so far, was able to escape the havoc of WannaCry." – Billy Mitchell, 18 May 2017, fedscoop

Ref: https://www.fedscoop.com/acting-u-s-cio-touts-2015-cyber-sprint-agencies-go-unaffected-wannacry/

Page 4: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Not Looking Too Good for U.S. Government …

• Ranked 16 of 18

– (up from 18 of 18)

Ref: http://info.securityscorecard.com/2017-us-government-cybersecurity-report

Page 5: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


We May Be Our Own Worst Enemy

• "Government agencies tend to struggle with basic security hygiene issues, like password reuse on administrative accounts"

Ref: https://www.wired.com/story/us-government-cybersecurity/

Page 6: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


What is ransomware?

• An interesting twist on a business model:

– Your customers (victims) contact

– You (the criminal) offering

– Money (usually Bitcoin) for

– Something you create (decryption key)

– That only the customer can use (they hope)

• Is "Hope" a viable strategy for Federal Systems security?

Image source: https://larryfire.files.wordpress.com/2008/10/hopeless_poster.jpg fair use claimed

Page 7: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


The Inbox is an Infection Vector

• "Malicious emails were the weapon of choice"

– One in 131 e-mails contained malware (Should we call it "mailware™"?)

• 64% of Americans pay the ransom

– Compared to 34% globally

• Average ransom was over $1,000 per victim

– An increase of 266%

Ref: Symantec's 2017 Internet Security Threat Report (ISTR)

Page 8: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Nearly 2/3 of Malware Payloads are Ransomware

Ref: https://www.malwarebytes.com/pdf/labs/Cybercrime-Tactics-and-Techniques-Q1-2017.pdf

Page 9: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Damage Assessment

• Ransomware to exceed $5 billion in 2017

– Up from $325 million in 2015

• 44% of alerts are NOT investigated

– 54% of legitimate alerts are NOT remediated

• Attackers often operate outside U.S. law enforcement jurisdiction

– No extradition treaties with Russia

• Ransom payments are continuing to get much more expensive

Ref: https://cybersecurityventures.com/ransomware-damage-report-2017-5-billion/

Ref: Cisco 2017 Annual Cybersecurity Report

Page 10: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Got Bitcoin?

16 July $1826.20

17 Aug $4492.30

246% increase in 1 month

https://cryptowat.ch/bitfinex/btcusd

Page 11: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Whose Bright Idea Was This???

Page 12: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Public-key cryptography is essential to the attacks that we demonstrate

We present … a twist on cryptography, showing that it can also be used offensively.

Access to cryptographic tools should be well controlled.

SEPTEMBER 1996 (!)

Page 13: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Thanks, Guys!

• Ransomware is an attack on the Availability leg of the C-I-A triad

• Our backup systems are engineered for HAZARD (power surge, disk fails)

– Must rethink strategy for MALICE, not merely hazard

• Malice can't be engineered away as easily

• This is an entirely new threat model

– We need to rethink our responses

Page 14: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Plenty of Weapons for Attackers to Choose From

Page 15: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Toolbox Keeps Getting Bigger

Ref: https://heimdalsecurity.com/blog/wp-content/uploads/ransomware-discoveries-CERT-RO-2.png

Page 16: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Credit for cartoon to Phil Johnson -- Fair use claimed under 17 U.S.C. 107

Page 17: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Why Have Federal Systems Largely Escaped Ransomware?

• Security defenses superior to industry?

• Really good backups available 24x7?

• Fully redundant systems throughout?

• Less valuable things to ransom?

• Crooks don't want to tangle with Uncle Sam?

• Luck?

– (I don't think we can really know quite yet)

Page 18: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Major Types of Ransomware

• Client-side (desktop/laptop/tablet/phone)

• Server-side (datacenter/cloud)

• Hybrid (Client-side plus Fileshares)

• Each seeks to directly monetize an availability attack.

Page 19: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Client-side Ransomware

• Carpet bombing of weaponized docs in phishing emails

• Exploit kits targeting Flash in the browser

• Locks up patient zero machine

– And whatever it can touch on the network

• Goal is to mitigate 'patient zero' infection

• Internal segmentation is critical:

– A laptop catching fire shouldn't become a LAN-level conflagration

Page 20: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Server-Side Ransomware (1/2)

• Target Internet-exposed resources

• Pivot internally, enumerate servers, backup infrastructure, etc.

• Create keys for each target

• Install ransomware

• Import keys to script

• Detonate


Ref: https://www.theregister.co.uk/2017/01/09/mongodb/

Page 21: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Server-side Ransomware (2/2)

• Manual hacking, can take days or weeks from initial perimeter scan to detonation

• Opportunities for detection similar to traditional kill-chain (minus exfil phase [or not])

• Interrupt at any point before detonation, keep your datacenter

Page 22: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


What About Reporting?

• United States Department of Health and Human Services (HHS) ruling

– Ransomware infection of personal health information (PHI) reportable as a breach

• Will increased reporting requirements increase efforts to avoid ransomware?

– Or will agencies accept new risk of NOT reporting compromises?

Page 23: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Why Does Ransomware Work?

• Users are gullible

• Endpoint configurations are not correct

• Network configurations are not correct

• Access control is not correct

• A lot of things have to go wrong for ransomware to work right

Page 24: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Let's Map Ransomware to Federal Controls and Guidelines

Page 25: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

• Section 1. (b) Findings

– "The executive branch has for too long accepted antiquated and difficult-to-defend IT."

• (c) Risk Management

– "Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency's cybersecurity risk."

Ref: https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal

Page 26: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


FY 2017 CIO FISMA Metrics

• Some Cross Agency Priority (CAP) goals

• Identify

– 1.2, 1.4, 1.5 IT assets under auto inventory (95%)

• Protect

– 2.5 Privileged network accounts (100%)

• Detect

– 3.11 Privileged network accts with access limits (90%)

– 3.16 Auto detect and alert unauthorized hardware assets (95%)

– 3.17 Auto detect and alert unauthorized software (95%)

• Respond

– (no CAP goals)

• Recover

– (no CAP goals)

Ref: https://www.dhs.gov/sites/default/files/publications/FY%202017%20CIO%20FISMA%20Metrics-%20508%20Compliant.pdf

Page 27: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


FISMA FY2016 Report by Agency (percent that met target)

• Hardware asset management - 36%

• Software asset management - 39%

• Privileged user PIV implemented - 45%

• Malware defenses - 73%

• 30,899 reported incidents

– The word "ransomware" never mentioned in the annual report (maybe it's under "other"?)

Ref: https://www.whitehouse.gov/sites/whitehouse.gov/files/briefing-room/presidential-actions/related-omb-material/fy_2016_fisma_report%20to_congress_official_release_march_10_2017.pdf

Page 28: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


NIST SP800-53 rev 5 draft

1. Access control

2. Awareness and training

3. Audit and accountability

4. Assessment, authorization, and monitoring

5. Configuration management

6. Contingency planning

7. Identification and authentication

8. Individual participation

9. Incident response

10. Maintenance

11. Media protection

12. Privacy authorization

13. Physical and environmental protection

14. Planning

15. Program management

16. Personnel security

17. Risk assessment

18. System and services acquisition

19. System and communications protection

20. System and information integrity

Ref: Security and Privacy Controls for Information Systems and Organizations

Page 29: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Page 30: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Page 31: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


What Happens When you DO Get Ransomware?

Page 32: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


MedStar Health (2016)

• $10B healthcare group in DC area

• 1 wk to 90%, full recovery ~ 5 wks

• Likely server-side ransomware

• Is paying ransom against principles?

Page 33: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Forget Principles!

• What costs more? Your principles or the ransom?

• WRONG QUESTION.

• What costs more? The ransom or the cost of operational downtime?

– Why would you argue about $1K if the argument were costing you $100K / hour?

Page 34: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


To The Rescue! (sort of)

• ID Ransomware by MalwareHunterTeam

• Upload ransom note or encrypted file

– They will attempt to match it to 470 known ransomware variants

• You don't get your files back, but you know what zapped you.

– Feel better?

Ref: https://id-ransomware.malwarehunterteam.com/

Page 35: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


To The Rescue! (more so)

• No More Ransom project

– Created by Dutch National Police, Europol, Intel Security and Kaspersky Labs

• Crypto Sheriff by NoMoreRansom

– Upload encrypted file; they'll try all the keys

– Get lucky, get your files back for free

• But luck is not a strategy. :(

Ref: https://www.nomoreransom.org/crypto-sheriff.php

Page 36: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Ransomware Trends (Kaspersky Lab Report)

• Attackers shifting to targeted attacks

– Today, financial institutions (they can pay more money)

– Tomorrow, the government? (they can print more money)

• Over 2.5M ransomware victims past year

– (up 11.4% from 2015-2016)

• 1.2M victims had files encrypted

– (45% of ransomware incidents)

Ref: https://securelist.com/ksn-report-ransomware-in-2016-2017/78824/

Page 37: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Latest Ransomware is Much More Dangerous

• (Not)Petya

– Steals passwords in memory and re-uses them to infect other machines

– Moves laterally with compromised credentials

– If a domain admin account is compromised, it is "pretty much game over"

• Are you using the same password on multiple machines?

– Are any (or all) at the administrator level?

Ref: Alain Mowat, A pentester's take on (Not)Petya, https://blog.scrt.ch/2017/06/30/a-pentesters-take-on-notpetya/

Page 38: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Prevention Strategies

Page 39: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


May Have Windows 10 Coming to a Desktop Near You

• DoD goal was Windows 10 upgrade on 4 million devices by January 2017

• Interoperability concerns holding us back

– "It's kind of like trying to put airbags on a '65 Mustang — it just wasn't designed for security, wasn't designed for safety."

• Former Federal CIO Tony Scott

• We may never quite catch up with "native" security in our OS

– Need something else to keep us secure

Ref: https://federalnewsradio.com/defense/2016/09/dod-close-no-cigar-windows-10-migration/

Ref: https://www.federaltimes.com/2015/06/15/feds-on-30-day-sprint-to-better-cybersecurity/

Page 40: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Technical Solutions

• Most ransomware relies on DNS

– Uses dodgy gTLDs that can be registered for little or no money

• http://www.iana.org/domains/root/db

• "Throw-away domains"

Page 41: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Say Yes to the DNS (Filtering)

• Over 1,500 DNS Top Level Domains

– ccTLDs for country codes

– gTLDs for 'generic' domains

– Some TLDs are 80-90% garbage sites

• Do your servers (or employees) need to go to .hair domains? .top? .bid?

– Foghorn project is DNS proxy to reduce risk through greylisting

Ref: https://github.com/hasameli/foghorn
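
Added example, not from the presentation and not Foghorn's code or configuration: a TLD allow/deny policy with a simple greylist timer, run over a constructed resolver log. The TLD lists, the 300-second delay, the log format and every name in the log are assumptions.

```python
from dataclasses import dataclass, field

# Assumed policy, constructed for illustration; derive real lists from your own query logs.
ALLOWED_TLDS = {"gov", "mil", "com", "org", "net", "edu"}
DENIED_TLDS = {"hair", "top", "bid"}   # the TLDs this slide asks about
GREYLIST_DELAY = 300                   # assumed: seconds a newly seen name stays refused

# Constructed resolver log, one query per line: "<epoch seconds> <client IP> <query name>"
SAMPLE_LOG = """\
1000 10.0.0.5 portal.agency-sample.gov.
1010 10.0.0.7 update.constructed-sample.top.
1020 10.0.0.9 cdn.constructed-sample.xyz.
1100 10.0.0.9 cdn.constructed-sample.xyz.
1400 10.0.0.9 CDN.constructed-sample.XYZ
truncated-line
"""


def normalise(qname: str) -> str:
    """Lower-case a query name and drop the trailing root dot so variants compare equal."""
    return qname.rstrip(".").lower()


@dataclass
class DnsPolicy:
    # name -> time it was first queried; only names under unlisted TLDs are tracked
    first_seen: dict = field(default_factory=dict)

    def decide(self, qname: str, now: int) -> str:
        name = normalise(qname)
        tld = name.rsplit(".", 1)[-1]
        if tld in DENIED_TLDS:
            return "block"
        if tld in ALLOWED_TLDS:
            return "allow"
        # Unlisted TLD: refuse until the name has been known for GREYLIST_DELAY seconds.
        first = self.first_seen.setdefault(name, now)
        return "allow" if now - first >= GREYLIST_DELAY else "greylist"


def review(log_text: str) -> list:
    """Return (client, name, decision) for every well-formed log line, in order."""
    policy, results = DnsPolicy(), []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[0].isdigit():
            continue  # skip malformed lines rather than guessing at their meaning
        decision = policy.decide(fields[2], int(fields[0]))
        results.append((fields[1], normalise(fields[2]), decision))
    return results


def clients_to_check(log_text: str) -> list:
    """Clients that asked for a denied TLD, as a starting list for endpoint triage."""
    return sorted({client for client, _, decision in review(log_text) if decision == "block"})


if __name__ == "__main__":
    for row in review(SAMPLE_LOG):
        print(*row)
    print("check:", clients_to_check(SAMPLE_LOG))
```
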

Page 42: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Block Communications (ransomwaretracker.abuse.ch)

Page 43: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Email Defenses

• Filter before or at email server:

– Attachment types (.js files get clicked on)

– Inspect/strip content (Macros to PowerShell)

– Rewrite links

– Block spoofed emails (reply to != sent from)

• (This can hurt scan-to-email on copiers)

– Use virtualized apps, viewers, etc.
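
Added example, not from the presentation: the attachment-type, macro-content and reply-to checks from this slide, applied to a constructed message with Python's standard `email` package. The script extensions beyond .js, the sample addresses and file names, and the finding labels are assumptions.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed blocklist: the slide names .js; the other script extensions are added here.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".wsf", ".hta"}


def domain_of(header) -> str:
    """Lower-cased domain of the first address in a header ('' when the header is absent)."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()


def has_vba(data: bytes) -> bool:
    """True when the bytes are a zip-based Office file that carries a vbaProject.bin part."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return False
    try:
        with zipfile.ZipFile(buf) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_message(raw: bytes) -> list:
    """Return findings a mail gateway could act on (quarantine, strip or tag)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply and reply != sender:
        findings.append(f"reply-to-mismatch:{reply}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if os.path.splitext(name)[1] in SCRIPT_EXTS:
            findings.append(f"script-attachment:{name}")
        # Look inside the file: a renamed macro document still contains the VBA part.
        if has_vba(part.get_payload(decode=True) or b""):
            findings.append(f"macro-document:{name}")
    return findings


def office_zip(with_macro: bool) -> bytes:
    """Constructed stand-in for an Office file: a zip holding placeholder parts only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


def build_sample(suspicious: bool) -> bytes:
    """Constructed test message; addresses and file names are made up."""
    msg = EmailMessage()
    msg["From"] = "Payroll <payroll@agency-sample.gov>"
    msg["To"] = "staff@agency-sample.gov"
    msg["Subject"] = "Timesheet correction"
    msg.set_content("Constructed test message.")
    if suspicious:
        msg["Reply-To"] = "payroll@constructed-sample.top"
        msg.add_attachment(b"// constructed placeholder\n", maintype="application",
                           subtype="octet-stream", filename="Invoice.JS")
    msg.add_attachment(office_zip(suspicious), maintype="application",
                       subtype="octet-stream", filename="timesheet.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_sample(True)))
    print(inspect_message(build_sample(False)))
```

A strict reply-to check also flags legitimate senders that route replies through another domain, which is the side effect the slide notes for scan-to-email on copiers.
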

Page 44: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Start To Add Controls

• Segment your network

• Block ports like 445 at your perimeter

• Create (different) one-time passwords for every admin account

• Lower privilege on each user to bare minimum

• Strip macros at the mail server

• Disable macros in your endpoints

– Only very specific users may use them

• Retire Windows XP and Server 2003 ASAP

Ref: ibid.

Page 45: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


More Controls

• Monitor devices after network access

– MAC spoofing can make an attacker look like a printer when connecting

• Upgrade every PowerShell instance to 5.0

– Default on Server 2016 and Windows 10

– Better credential handling, logging, rights

• If you have to support old protocols (SMBv1, SNMP v1, NTLM)

– Put them on separate network segments

– Isolate from rest of enterprise

Ref: https://docs.microsoft.com/en-us/powershell/scripting/whats-new/what-s-new-in-windows-powershell-50?view=powershell-5.1

Page 46: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Even More Controls

• Block untrusted applications

– Whitelisting helps against new malware

– Does not help with macro calling PowerShell

• Apply patches as soon as possible

– Patch Tuesday is always followed by Exploit Wednesday

– Block application execution if patches not current

• Default Deny for any ruleset

– Execute explicit privilege rules first

Page 47: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Seven CSC Tips for Reducing the Federal Attack Surface

• Inventory all devices on your network (CSC 1)

• Inventory all software on your systems (CSC 2)

• Control the use of admin privileges (CSC 5)

• Employ malware defenses (CSC 8)

• Limit network ports, protocols, services (CSC 9)

• Regularly back up your critical info (CSC 10)

• Train and inoculate your users regularly

Ref: http://www.cisecurity.org/critical-controls.cfm

Page 48: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Future of Ransomware

• Buckle up!

– Estimated $5 Billion revenue in 2017

• For every dollar spent on ransom…

– Countless more spent on response/remediation

– Often poorly thought out and implemented

• Targets:

– VDI desktops

– Cloud Synch apps (Box sync for desktop)

– Mobile (already happening from iCloud)

– NoSQL/Redis/etc on perimeter

Page 49: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Summary

• Ransomware becoming billion-dollar business

• Offers significant amount of revenue at low cost for attacker

• Biggest danger in government is older systems without adequate backup

• Danger is many willing to pay as path of least resistance (persistent threat)

• Must use additional tools to secure government enterprises

Page 50: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


Why Federal Systems are Immune from Ransomware (and other grim fairy tales)

G. Mark Hardy, @g_mark

National Security Corporation

+1 410.933.9333

Page 51: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)


References

https://www.fedscoop.com/acting-u-s-cio-touts-2015-cyber-sprint-agencies-go-unaffected-wannacry/

http://info.securityscorecard.com/2017-us-government-cybersecurity-report

https://www.wired.com/story/us-government-cybersecurity/

https://www.symantec.com/security-center/threat-report, Symantec's 2017 Internet Security Threat Report (ISTR)

https://www.malwarebytes.com/pdf/labs/Cybercrime-Tactics-and-Techniques-Q1-2017.pdf

https://cybersecurityventures.com/ransomware-damage-report-2017-5-billion/

http://b2me.cisco.com/en-us-annual-cybersecurity-report-2017, Cisco 2017 Annual Cybersecurity Report

https://cryptowat.ch/bitfinex/btcusd

https://www.researchgate.net/publication/2301959_Cryptovirology_Extortion-Based_Security_Threats_and_Countermeasures

https://heimdalsecurity.com/blog/wp-content/uploads/ransomware-discoveries-CERT-RO-2.png

https://www.theregister.co.uk/2017/01/09/mongodb/

https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal

https://www.dhs.gov/sites/default/files/publications/FY%202017%20CIO%20FISMA%20Metrics-%20508%20Compliant.pdf

https://www.whitehouse.gov/sites/whitehouse.gov/files/briefing-room/presidential-actions/related-omb-material/fy_2016_fisma_report%20to_congress_official_release_march_10_2017.pdf

http://csrc.nist.gov/publications/drafts/800-53/sp800-53r5-draft.pdf, Security and Privacy Controls for Information Systems and Organizations

https://tomgraves.house.gov/uploadedfiles/discussion_draft_active_cyber_defense_certainty_act_2.0_rep._tom_graves_ga-14.pdf

https://id-ransomware.malwarehunterteam.com/

https://www.nomoreransom.org/crypto-sheriff.php

https://securelist.com/ksn-report-ransomware-in-2016-2017/78824/

https://blog.scrt.ch/2017/06/30/a-pentesters-take-on-notpetya/, Alain Mowat, A pentester's take on (Not)Petya

https://federalnewsradio.com/defense/2016/09/dod-close-no-cigar-windows-10-migration/

https://www.federaltimes.com/2015/06/15/feds-on-30-day-sprint-to-better-cybersecurity/

https://github.com/hasameli/foghorn

https://ransomwaretracker.abuse.ch/blocklist

https://docs.microsoft.com/en-us/powershell/scripting/whats-new/what-s-new-in-windows-powershell-50?view=powershell-5.1

http://www.cisecurity.org/critical-controls.cfm

Page 52: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)

Retina Enterprise

Vulnerability Management

Alex DaCosta

Product Manager, Retina

Page 53: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)

RETINA VULNERABILITY MANAGEMENT

POWERBROKER PRIVILEGED ACCOUNT MANAGEMENT

PRIVILEGE MANAGEMENT

ACTIVE DIRECTORY BRIDGING

PRIVILEGED PASSWORD MANAGEMENT

AUDITING & PROTECTION

ENTERPRISE VULNERABILITY MANAGEMENT

BEYONDSAAS CLOUD-BASED SCANNING

NETWORK SECURITY SCANNER

WEB SECURITY SCANNER

BEYONDINSIGHT CLARITY THREAT ANALYTICS

BEYONDINSIGHT IT RISK MANAGEMENT PLATFORM

EXTENSIVE REPORTING

CENTRAL DATA WAREHOUSE

ASSET DISCOVERY

ASSET PROFILING

ASSET SMART GROUPS

USER MANAGEMENT

WORKFLOW & NOTIFICATION

THIRD-PARTY INTEGRATION

Page 54: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)

Demo

Page 55: Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)

Poll + Q&A

Thank you for attending today's webinar!