One of the biggest concerns for information security professionals and business executives right now is ransomware attacks. It has prompted many organizations to urgently assess what they need to do to contain and limit their exposure to this threat.
Presented by renowned industry expert Prof. Avishai Wool, this new technical webinar will provide best practices and tips to help organizations prevent, contain and respond to a ransomware attack.
In this webinar Professor Wool will discuss:
• The different methods used by cyber criminals to penetrate the network security perimeter
• Best practices for reducing cyber criminals’ lateral movements across the network
• How to augment incident triage with critical business context to assess the severity, risk and potential business impact of an attack
• Prioritizing incident remediation efforts based on business risk, and neutralizing impacted systems through zero-touch automation
• The impact of ransomware on regulatory compliance
Ransomware Attack: Best Practices to Proactively Prevent, Contain and Respond
1. BEST PRACTICES TO PROACTIVELY PREVENT, CONTAIN AND RESPOND TO A RANSOMWARE ATTACK
Prof. Avishai Wool, CTO, AlgoSec
2. AGENDA
1. Structure of a ransomware attack
2. Back to Basics: Reducing the attack surface
3. Network segmentation and security zones
4. Managing zoned networks with AlgoSec
4. HOW?
1. Deliver exploits to 1st victim computer
2. Repeat per victim computer:
  • Encrypt file system
  • Encrypt accessible networked file shares
  • Move laterally: explore the network
  • Deliver exploits to next victim via network
3. Wait for victim to call
4. Collect ransom
5. Supply decryption key
(Source: “Advanced Persistent Threat”, Wikipedia)
5. 1ST VICTIM: ATTACK TECHNIQUES (PARTIAL LIST)
• Email attachment
  • Send a malicious email attachment
• Browser drive-by download
  • Host the malicious content on a website
• “Watering-hole” technique
  • Compromise a website the victim is likely to visit
• Social engineering
  • Fool someone into doing it for you
• Mobile malware
  • Spread a malicious mobile application
6. EXPLORE THE COMPROMISED NETWORK
• Encrypting network shares:
  • Requires network access from victim to file system
  • Produces (unusual) network traffic
• Move laterally:
  • Find more devices, gain more access, encrypt more interesting data
  • Requires network access from victim1 to victim2 to …
  • Produces (unusual) network traffic
  • E.g., WannaCry used the infamous SMB ports: TCP/445, UDP/137-138, TCP/139
11. 2. BACK TO BASICS: REDUCING THE ATTACK SURFACE
12. THE FIRST STEP IS THE HARDEST
[Diagram: network zones (Financial Database, HVAC Control, Partner Network, Procurement Department) and the Internet]
• Most ingenious step (social engineering, clever technical exploit delivery, …)
• Much of the attack is happening outside of your control
• Requires fancy defense technologies to mitigate
13. MAKE LATERAL STEPS HARDER FOR THE ATTACKER!
[Diagram: the same network zones (Financial Database, HVAC Control, Partner Network, Procurement Department, Internet), with the attacker's path marked as Step 1, Step 2, Step 3]
14. LATERAL STEPS
• The attacker is now on your turf
• Use your advantages:
• Control your network
• Know what traffic is usual and what is not
15. UNUSUAL – IN THE USUAL WAYS
• Lateral traffic is unusual – in the usual ways
• Communicating parties that never communicate
• Protocols & ports that are never used across security zones
• Firewalls are really good at blocking such traffic … as long as:
• There are firewalls in the traffic path
• The firewalls are properly configured
17. RECOMMENDATION #1: SEGMENTATION
• Define network zones
• Place firewalls to filter traffic between zones
• Write restrictive policies for traffic between zones
18. USE TECHNOLOGY YOU KNOW WELL
[Diagram: network zones (Financial Database, HVAC Control, Partner Network, Procurement Department) and the Internet]
19. SEGMENT THE NETWORK: INTERNAL FIREWALLS
[Diagram: network zones (Financial Database, HVAC Control, Partner Network, Procurement Department) and the Internet, with firewalls between them]
• Place internal firewalls between network zones
• Use SDN virtualization technologies to filter traffic inside the data center
20. ZONES FOR HUMANS
• Humans are the weakest link (especially as 1st victim)
• Systems they touch directly are at risk
• Usual communication patterns:
  • Desktop/Laptop → Server
  • Server → Server
  • Desktops don’t communicate with other desktops
  • Servers don’t initiate connections to desktops
  • Desktops only mount certain network shares – not all and not always
21. RECOMMENDATION #2: HUMAN-ACCESS ZONES
• Desktops in separate zones from servers
• Firewalls between human-access zones and server zones
• Keep different departments in separate zones
• Keep file servers / network share servers in separate zones
22. RECOMMENDATION #3: SENSITIVE DATA ZONES
• Some types of data are more sensitive
  • Credit card data (PCI regulation)
  • Personally Identifiable Information (GLBA, privacy laws)
  • Medical data (HIPAA)
  • Financial data (SOX, etc.)
• Ransomware encryption of personal or PCI data: equivalent to theft
  • Regulatory implications
• Keep servers with sensitive data in separate zones
23. POLICY IN A SEGMENTED NETWORK
• Define the segmentation policy as a matrix:
[Matrix diagram with zones as rows and columns: Internal Network, DMZ, Peer’s DMZ]
27. WORKING WITH A SEGMENTED NETWORK
• Preparation:
  • Identify the network segments
  • Create a segmentation policy matrix (spreadsheet)
  • Place internal firewalls / virtualized filters between zones
• Continuous compliance:
  • Ensure that firewalls enforce the segmentation policy
• Change requests:
  • Identify all the firewalls that need to be modified
  • What-if proactive risk check against segmentation policy
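An added example (not from the deck or from AlgoSec's tooling) of the preparation and what-if steps above, and of how the unusual SMB lateral traffic from slide 6 looks against a policy: the segmentation matrix is a lookup table, the zones, address ranges and flow records are constructed here, and the check flags every flow the matrix does not permit.

```python
from ipaddress import ip_address, ip_network

# Constructed zones for this example; the address ranges are sample RFC 1918
# space chosen here, not the deck's or any real network's.
ZONES = {
    "desktops-procurement": ip_network("10.10.0.0/24"),
    "desktops-finance": ip_network("10.20.0.0/24"),
    "file-servers": ip_network("10.50.0.0/24"),
    "financial-db": ip_network("10.60.0.0/24"),
}

# Segmentation matrix: (source zone, destination zone) -> allowed (proto, port).
# Anything not listed is denied, so desktop-to-desktop traffic and
# server-initiated connections to desktops simply have no entry.
SMB = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}
POLICY = {
    ("desktops-procurement", "file-servers"): SMB,
    ("desktops-finance", "file-servers"): SMB,
    ("desktops-finance", "financial-db"): {("tcp", 1433)},
    ("file-servers", "financial-db"): {("tcp", 1433)},
}

def zone_of(addr):
    """Return the name of the zone containing addr, or None if outside all zones."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)

def check_flow(src, dst, proto, port):
    """Return (verdict, reason) for one flow under the segmentation matrix."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny", "endpoint outside every defined zone"
    if src_zone == dst_zone:
        return "allow", "same zone; no internal firewall in the path"
    if (proto, port) in POLICY.get((src_zone, dst_zone), set()):
        return "allow", f"{src_zone} -> {dst_zone} {proto}/{port} is in the matrix"
    return "deny", f"{src_zone} -> {dst_zone} {proto}/{port} is not in the matrix"

def find_violations(flows):
    """Flows the matrix denies: run over observed traffic (lateral-movement
    review) or over a proposed change request (what-if risk check)."""
    return [flow for flow in flows if check_flow(*flow)[0] == "deny"]

# Constructed flow records: (src, dst, proto, dst_port).
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.50.0.10", "tcp", 445),  # desktop mounts a file share: usual
    ("10.10.0.5", "10.20.0.7", "tcp", 445),   # desktop -> desktop SMB: lateral move
    ("10.50.0.10", "10.10.0.5", "tcp", 445),  # server initiates to a desktop: unusual
    ("10.10.0.5", "10.60.0.3", "tcp", 1433),  # procurement desktop -> financial DB
]
```

`find_violations(SAMPLE_FLOWS)` returns the last three flows; the same check run against a proposed rule instead of an observed flow is the what-if step from the change-request bullet.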
40. AN INCIDENT STARTS WITH DETECTION
• Humans call the Cyber Operations Center (COC):
  • “My computer locked up” / “I see a request for ransom”
• Technological detectors, with different methodologies:
  • Heavy file system activity
  • Network-based, host-based activity alerts
  • Etc.
• Evidence of malicious activity can be observed in logs
41. BUSINESS-DRIVEN TRIAGE
• Identify impacted business processes
  • Which business applications rely on impacted systems?
  • How business-critical are these applications?
  • Who are the business owners?
• Identify data sensitivity
  • Do impacted applications handle sensitive data?
  • Is the impacted system a “stepping stone” to sensitive data?
  • Can the impacted system exfiltrate data?
• Triage outcomes:
  • Urgency of mitigation (now / tonight / change-control window)
  • Aggressiveness of mitigation (filter / disconnect / shutdown / patch)
42. BUSINESS-DRIVEN CONSIDERATIONS
• Weigh 2 types of risk:
  • Security risk: damage of the attack until it is mitigated
  • Operational risk: downtime during mitigation + unintended side effects
• Business criticality primarily affects the operational risk
• Data sensitivity primarily affects the security risk
  • … also regulatory compliance and reporting requirements
43. REACHABILITY CONSIDERATIONS
• The ransomware-impacted system is “0wned”
  • All data on that system is encrypted
• … but network defenses are still in place:
  • East-West traffic filters (in a segmented datacenter)
  • North-South traffic filters (perimeter firewalls)
• Can the impacted system connect to more sensitive systems?
  • Lateral movement
  • Stepping stone
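An added example (not the deck's or AlgoSec's code) of the reachability and triage considerations above: a breadth-first search over a constructed segmentation matrix finds the zones a compromised host can still reach, including stepping-stone paths, and illustrative rules of my own map data sensitivity and business criticality to the urgency and aggressiveness outcomes from slide 41.

```python
from collections import deque

# Constructed segmentation matrix for this example (not the deck's): source
# zone -> zones in which it may initiate connections.
ALLOWED = {
    "desktops-procurement": {"file-servers"},
    "desktops-finance": {"file-servers", "financial-db"},
    "file-servers": {"financial-db"},
    "financial-db": set(),
}
# Constructed business context per zone: whether it holds regulated data and
# how critical it is to operations.
ZONE_INFO = {
    "desktops-procurement": {"sensitive": False, "criticality": "low"},
    "desktops-finance": {"sensitive": False, "criticality": "medium"},
    "file-servers": {"sensitive": False, "criticality": "medium"},
    "financial-db": {"sensitive": True, "criticality": "high"},
}

def reachable_zones(start):
    """Every zone a host in `start` can reach through the matrix, including
    multi-hop paths via stepping-stone zones (breadth-first search)."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in ALLOWED.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def triage(impacted_zone):
    """Return (urgency, aggressiveness, exposed sensitive zones) for a
    ransomware-hit host in impacted_zone. The mapping rules are illustrative."""
    info = ZONE_INFO[impacted_zone]
    exposed = sorted(z for z in reachable_zones(impacted_zone)
                     if ZONE_INFO[z]["sensitive"])
    # Security risk (data sensitivity): sensitive data on the host, or a
    # network path to it, means mitigation cannot wait.
    urgency = "now" if info["sensitive"] or exposed else "tonight"
    # Operational risk (business criticality): for a critical system start by
    # filtering its lateral paths rather than pulling it off the network.
    aggressiveness = "filter" if info["criticality"] == "high" else "disconnect"
    return urgency, aggressiveness, exposed
```

A procurement desktop cannot talk to the financial database directly, yet `triage("desktops-procurement")` reports it as exposed because the file-server zone is a stepping stone.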
44. RESPONSE: TAKING ACTION
• Contain:
  • Remediate through automatic isolation of compromised servers from the network
• Report:
  • Report the incident to relevant teams
  • Maintain an audit trail of actions taken
• Restore:
  • Either restore data from backup
  • … or pay the ransom
46. ALGOSEC APPS FOR INCIDENT RESPONSE
• Splunk/QRadar App for Incident Response based on AlgoSec capabilities
• To be used as-is or incorporated into other SIEM apps
54. SUMMARY
• Take control of your turf: make lateral steps within your network harder for attackers
  • Segment the network
  • Segment the users
  • Segment sensitive data
• Maintain control
  • Intelligent, structured process for change requests
  • Proactively assess risk
  • Ensure continuous compliance
• Use business-driven incident response