One of the biggest concerns for info security professionals and business executives right now is ransomware attacks. It has prompted many organizations urgently assess what they need to do to contain and limit their exposure to this threat. Presented by renowned industry expert Prof. Avishai Wool, this new technical webinar will provide some best practices and tips to help organizations prevent, contain and respond to a ransomware attack. In this webinar Professor Wool will discuss: • The different methods used by cyber criminals to penetrate the network security perimeter • Best practices for reducing cyber criminals’ lateral movements across the network • How to augment incident triage with critical business context to assess the severity, risk and potential business impact of an attack • Prioritizing incident remediation efforts based on business risk, and neutralizing impacted systems through zero-touch automation • The impact of a ransomware on regulatory compliance

1. BEST PRACTICES TO PROACTIVELY
PREVENT, CONTAIN AND RESPOND
TO A RANSOMWARE ATTACK
Prof. Avishai Wool, CTO, AlgoSec

2. AGENDA
1. Structure of an ransomware attack
2. Back to Basics: Reducing the attack surface
3. Network segmentation and security zones
4. Managing zoned networks with AlgoSec
2

3. 1. STRUCTURE OF A RANSOMWARE ATTACK
3

4. HOW?
1. Deliver exploits to 1st victim computer
2. Repeat per victim computer:
• Encrypt file system
• Encrypt accessible networked file shares
• Move laterally: explore the network
• Deliver exploits to next victim via network
3. Wait for victim to call
4. Collect ransom
5. Supply decryption key “Advanced Persistent Threat”, Wikipedia
4

5. 1ST VICTIM: ATTACK TECHNIQUES (PARTIAL LIST)
• Email attachment
• Send a malicious email attachment
• Browser Drive-By-Download
• Host the malicious content on a website
• “Water-hole” technique
• Compromise a website the victim likely to visit
• Social Engineering
• Fool someone to do it for you
• Mobile malware
• Spread a malicious mobile application
5

6. EXPLORE THE COMPROMISED NETWORK
• Encrypting network shares:
Requires network access from victim to file system
Produces (unusual) network traffic
• Move Laterally:
• Find more devices, gain more access, encrypt more interesting data
Requires network access from victim1 to victim2 to …
Produces (unusual) network traffic
E.g., WannaCry used the infamous SMB ports
TCP/445, UDP/137-138, TCP/139
6

7. STEPPING STONES
7
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 0
7

8. STEPPING STONES
8
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 0
Step 1
8

9. STEPPING STONES
9
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 0
Step 1 Step 2 Step 3
9

10. STEPPING STONES
1
0
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 0
Step 1 Step 2 Step 3
Pay $$$$ or lose data
10

11. 2. BACK TO BASICS: REDUCING THE ATTACK
SURFACE
11

12. THE FIRST STEP IS THE HARDEST
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
• Most ingenious step (social engineering, clever technical exploit delivery, …)
• Much of the attack is happening outside of your control
• Requires fancy defense technologies to mitigate
12

13. MAKE LATERAL STEPS HARDER FOR ATTACKER!
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 1 Step 2 Step 3
13

14. LATERAL STEPS
• The attacker is now on your turf
• Use your advantages:
• Control your network
• Know what traffic is usual and what is not
14

15. UNUSUAL – IN THE USUAL WAYS
• Lateral traffic is unusual – in the usual ways
• Communicating parties that never communicate
• Protocols & ports that are never used across security zones
• Firewalls are really good at blocking such traffic … as long as:
• There are firewalls in the traffic path
• The firewalls are properly configured
15

16. 3. NETWORK SEGMENTATION AND SECURITY
ZONES
16

17. RECOMMENDATION #1: SEGMENTATION
• Define network zones
• Place firewalls to filter traffic between zones
• Write restrictive policies for traffic between zones
17

18. USE TECHNOLOGY YOU KNOW WELL
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
18

19. SEGMENT THE NETWORK: INTERNAL FIREWALLS
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
• Place internal firewalls between network zones
• Use SDN virtualization technologies to filter traffic inside data center
19

20. ZONES FOR HUMANS
• Humans are the weakest link (especially as 1st victim)
• Systems they touch directly are at risk
• Usual communication patterns:
• Desktop/Laptop  Server
• Server  Server
• Desktops don’t communicate with other desktops
• Servers don’t initiate connections to desktops
• Desktops only mount certain network shares – not all and not always
20

21. RECOMMENDATION #2: HUMAN-ACCESS ZONES
• Desktops in separate zones from servers
• Firewalls between human-access zones and server zones
• Keep different departments in separate zones
• Keep file servers / network share servers in separate zones
21

22. RECOMMENDATION #3: SENSITIVE DATA ZONES
• Some types of data are more sensitive
• Credit card data (PCI regulation)
• Personally Identifiable Information (GLBA, privacy laws)
• Medical data (HIPAA)
• Financial data (SOX, etc)
• Ransomware encryption of personal or PCI data: equivalent to theft
• Regulatory implications
• Keep servers with sensitive data in separate zones
22

23. POLICY IN A SEGMENTED NETWORK
• Define the segmentation policy as a matrix:
Internal
Network
DMZ Peer’s
DMZ
23

24. ZOOM IN: FROM/TO THE PEER DMZ
Internal
Network
DMZ Peer’s
DMZ
24

25. POLL
How many firewalled zones segment your network?
1. Flat, non segmented network
2. 2-3 zones
3. 4-10 zones
4. More than 10 zones
25

26. 4. MANAGING ZONED NETWORKS WITH
ALGOSEC
26

27. WORKING WITH A SEGMENTED NETWORK
• Preparation:
• Identify the network segments
• Create a segmentation policy matrix (spreadsheet)
• Place internal firewalls / virtualized filters between zones
• Continuous Compliance
• Ensure that firewalls enforce the segmentation policy
• Change Requests
• Identify all the firewalls that need to be modified
• What-if proactive risk check against segmentation policy
27

28. IMPORT SEGMENTATION POLICY SPREADSHEET
28

29. CONTINUOUS COMPLIANCE
29
• Daily analysis of all
firewalls

30. CONTINUOUS COMPLIANCE
30
• Automatically check
segmentation policy

31. CONTINUOUS COMPLIANCE
31
• + best-practices
knowledge base

32. MAKING A CHANGE REQUEST
32

33. AUTOMATICALLY IDENTIFY DEVICES TO MODIFY
2 traditional firewalls
separate network into zones
33

34. AUTOMATICALLY IDENTIFY DEVICES TO MODIFY
34
VMware NSX firewall filters
all traffic inside the
datacenter

35. EXPLORE PATH DETAILS
35

36. WHAT-IF RISK CHECK
• How were the risks checked?
36

37. WHAT-IF RISK CHECK
37
• How were the risks checked?
• Network segmentation matrix!

38. WHAT-IF RISK CHECK
38
• Automatically creates ‘Work Order’ per device
• Implements new rules
… Details in another webinar!

39. BUSINESS DRIVEN INCIDENT RESPONSE

40. AN INCIDENT STARTS WITH DETECTION
• Humans call Cyber Operations Center (COC):
• “My computer locked up” / “I see a request for ransom”
• Technological detectors, with different methodologies:
• Heavy file system activity
• Network-based, host-based activity alerts
• Etc.…
 Evidence of malicious activity can be observed in logs
40

41. BUSINESS-DRIVEN TRIAGE
• Identify impacted business processes
• Which business applications rely on impacted systems?
• How business-critical are these applications?
• Who are the business owners?
• Identify data sensitivity
• Do impacted applications handle sensitive data?
• Is impacted system a “stepping stone” to sensitive data?
• Can impacted system exfiltrate data?
• Triage outcomes:
• Urgency of mitigation (now/tonight/change-control-window)
• Aggressiveness of mitigation (filter/disconnect/shutdown/patch)
41

42. BUSINESS-DRIVEN CONSIDERATIONS
• Weigh 2 types of risk:
• Security risk: damage of attack until it is mitigated
• Operational risk: downtime during mitigation + unintended side effects
• Business criticality primarily affects the operational risk
• Data sensitivity primarily affects the security risk
• … also regulatory compliance and reporting requirements

43. REACHABILITY CONSIDERATIONS
• The ransomware-impacted system is “0wned”
• All data on that system is encrypted
• … but network defenses are still in place:
• East-West traffic filters (in a segmented datacenter)
• North-South traffic filters (perimeter firewalls)
• Can impacted system connect to more sensitive systems?
• Lateral movement
• Stepping stone

44. • Contain:
• Remediate through automatic isolation of
compromised servers from network
• Report:
• Report incident to relevant teams
• Maintain audit trail of actions taken
RESPONSE: TAKING ACTION
44
• Restore:
• Either restore data from backup
• … Or pay the ransom

45. SIEM INTEGRATION WITH ALGOSEC

46. ALGOSEC APPS FOR INCIDENT RESPONSE
• Splunk/QRadar App for Incident Response based on AlgoSec capabilities
• To be used as-is or incorporated into other SIEM apps
46

47. 47

48. 48

49. AlgoSec App adds an action
menu to all IP address fields
49

50. - Critical business process?
(identify business impact, set priority)
- Who to report to?
50

51. Can reach sensitive zone?
 Stepping stone
 Regulatory impact
 Reporting requirements
• From impacted system
• To sensitive zone
10.3.3.3
51

52. 52

53. 53

54. SUMMARY
• Take control your turf: Make lateral steps within your network harder
for attackers
• Segment the network
• Segment the users
• Segment sensitive data
• Maintain control
• Intelligent, structured process for change requests
• Proactively assess risk
• Ensure continuous compliance
• Use Business-Driven Incident Response
54

55. MORE RESOURCES
55

56. THANK YOU!
Questions can be emailed to
marketing@algosec.com