Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)

BeyondTrustWebinar
1© Copyright 2017, National Security Corporation, all rights reserved
Why Federal Systems are Immune
from Ransomware
(and other grim fairy tales)
G. Mark Hardy @g_mark
National Security Corporation
+1 410.933.9333

BeyondTrustWebinar
© Copyright 2017, National Security Corporation, all rights reserved
2
Why a Grim(m) Fairy Tale?
• The original book
included Hansel & Gretel,
Little Red Riding Hood,
Snow White, Rapunzel
• Delightful children's
stories
• Except in the original,
the prince knocks up
Rapunzel, Little Red
Riding Hood is eaten by
the wolf, Snow White's
stepmother chokes to
death in rage, and Gretel
murders an old woman
by shoving her into a
flaming oven
Pay my ransom and I'll give you
back your files. (ribbit)

BeyondTrustWebinar
3
So What's Our Latest Fairy Tale?
• "After her keynote, [Acting U.S. CIO
Margie] Graves told reporters she had a
'swell of emotion' knowing the federal
government, at least so far, was able to
escape the
havoc of
WannaCry."
– Billy Mitchell
18 May 2017
fedscoop
Ref: https://www.fedscoop.com/acting-u-s-cio-touts-2015-cyber-sprint-agencies-go-unaffected-wannacry/

BeyondTrustWebinar
4
Not Looking Too Good for U.S.
Government …
• Ranked 16 of 18
– (up from 18 of 18)
Ref: http://info.securityscorecard.com/2017-us-government-cybersecurity-report

BeyondTrustWebinar
5
We May Be Our Own Worst Enemy
• "Government
agencies tend to
struggle with basic
security hygiene
issues, like password
reuse on
administrative
accounts"
Ref: https://www.wired.com/story/us-government-cybersecurity/

BeyondTrustWebinar
6
What is ransomware?
• An interesting twist on a business model:
– Your customers (victims) contact
– You (the criminal) offering
– Money (usually Bitcoin) for
– Something you create (decryption key)
– That only the customer can use
(they hope)
• Is "Hope" a viable strategy
for Federal Systems security?
Image source: https://larryfire.files.wordpress.com/2008/10/hopeless_poster.jpg fair use claimed

BeyondTrustWebinar
7
The Inbox is an Infection Vector
• "Malicious emails were the weapon of
choice"
– One in 131 e-mails contained malware
(Should we call it "mailware™"?)
• 64% of Americans pay the ransom
– Compared to 34% globally
• Average ransom was over $1,000 per
victim
– An increase of 266%
Ref: Symantec's 2017 Internet Security Threat Report (ISTR)

BeyondTrustWebinar
8
Nearly 2/3 of Malware Payloads are
Ransomware
Ref: https://www.malwarebytes.com/pdf/labs/Cybercrime-Tactics-and-Techniques-Q1-2017.pdf
Ransomware

BeyondTrustWebinar
9
Damage Assessment
• Ransomware to exceed $5 billion in 2017
– Up from $325 million in 2015
• 44% of alerts are NOT investigated
– 54% of legitimate alerts are NOT remediated
• Attackers often operate outside U.S. law
enforcement jurisdiction
– No extradition treaties with Russia
• Ransom payments are continuing to get
much more expensive
Ref: https://cybersecurityventures.com/ransomware-damage-report-2017-5-billion/
Cisco 2017 Annual Cybersecurity Report

BeyondTrustWebinar
10
Got Bitcoin?
16 July $1826.20
17 Aug $4492.30
246% increase in 1 month
https://cryptowat.ch/bitfinex/btcusd

BeyondTrustWebinar
Who's Bright Idea Was This???

BeyondTrustWebinar
12
Public-key cryptography is essential
to the attacks that we demonstrate
We present … a twist on
cryptography, showing that it can
also be used offensively.
Access to cryptographic tools should
be well controlled.
SEPTEMBER 1996 (!)

BeyondTrustWebinar
13
Thanks, Guys!
• Ransomware is an attack on the
Availability leg of the C-I-A triad
• Our backup systems are
engineered for HAZARD
(power surge, disk fails)
– Must rethink strategy for
MALICE, not merely hazard
• Malice can't be engineered away as easily
• This is an entirely new threat model
– We need to rethink our responses
13
Availability

BeyondTrustWebinar
14
Plenty of Weapons for Attackers to
Choose From

BeyondTrustWebinar
15
Toolbox Keeps Getting Bigger
Ref: https://heimdalsecurity.com/blog/wp-content/uploads/ransomware-discoveries-CERT-RO-2.png

BeyondTrustWebinar
16
Credit for cartoon to Phil Johnson -- Fair use claimed under 17 U.S.C. 107

BeyondTrustWebinar
17
Why Have Federal Systems
Largely Escaped Ransomware?
• Security defenses superior to industry?
• Really good backups available 24x7?
• Fully redundant systems throughout?
• Less valuable things to ransom?
• Crooks don't want to tangle with Uncle
Sam?
• Luck?
– (I don't think we can really know quite yet)
17

BeyondTrustWebinar
18
Major Types of Ransomware
• Client-side (desktop/laptop/tablet/phone)
• Server-side (datacenter/cloud)
• Hybrid (Client-side plus Fileshares)
• Each seeks to directly monetize an
availability attack.
18

BeyondTrustWebinar
19
Client-side Ransomware
• Carpet bombing of weaponized docs in
phishing emails
• Exploit kits targeting Flash in the browser
• Locks up patient zero machine
– And whatever it can touch on the network
• Goal is to mitigate 'patient zero' infection
• Internal segmentation is critical:
– A laptop catching fire shouldn't become a
LAN-level conflagration
19

BeyondTrustWebinar
20
Server-Side Ransomware (1/2)
• Target Internet-exposed resources
• Pivot internally, enumerate servers,
backup infrastructure, etc
• Create keys for each target
• Install ransomware
• Import keys to script
• Detonate
20
Ref: https://www.theregister.co.uk/2017/01/09/mongodb/

BeyondTrustWebinar
21
Server-side Ransomware (2/2)
• Manual hacking, can take days or weeks
from initial perimeter scan to detonation
• Opportunities for detection similar to
traditional kill-chain (minus exfil phase
[or not])
• Interrupt at any point before detonation,
keep your datacenter
21

BeyondTrustWebinar
22
What About Reporting?
• United States Department of Health and
Human Services (HHS) ruling
– Ransomware infection of personal health
information (PHI) reportable as a breach
• Will increased reporting requirements
increase efforts to avoid ransomware?
– Or will agencies accept new risk of NOT
reporting compromises

BeyondTrustWebinar
23
Why Does Ransomware Work?
• Users are gullible
• Endpoint configurations are not correct
• Network configurations are not correct
• Access control is not correct
• A lot of things have to go wrong for
ransomware to work right

BeyondTrustWebinar
Let's Map Ransomware to Federal
Controls and Guidelines

BeyondTrustWebinar
25
Presidential Executive Order on
Strengthening the Cybersecurity of Federal
Networks and Critical Infrastructure
• Section 1. (b) Findings
– "The executive branch has for too long
accepted antiquated and difficult–to-defend
IT."
• (c) Risk Management
– "Effective immediately, each agency head
shall use The Framework for Improving
Critical Infrastructure Cybersecurity (the
Framework) developed by the National
Institute of Standards and Technology, or
any successor document, to manage the
agency's cybersecurity risk."
Ref: https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal

BeyondTrustWebinar
26
FY 2017 CIO FISMA Metrics
• Some Cross Agency Priority (CAP) goals
• Identify
– 1.2, 1.4, 1.5 IT assets under auto inventory (95%)
• Protect
– 2.5 Privileged network accounts (100%)
• Detect
– 3.11 Privileged network accts with access limits (90%)
– 3.16 Auto detect and alert unauthorized hardware assets (95%)
– 3.17 Auto detect and alert unauthorized software (95%)
• Respond
– (no CAP goals)
• Recover
– (no CAP goals)
Ref: https://www.dhs.gov/sites/default/files/publications/FY%202017%20CIO%20FISMA%20Metrics-%20508%20Compliant.pdf

BeyondTrustWebinar
27
FISMA FY2016 Report by Agency
(percent that met target)
• Hardware asset management - 36%
• Software asset management - 39%
• Privileged user PIV implemented - 45%
• Malware defenses - 73%
• 30,899 reported incidents
– The word "ransomware" never mentioned in
the annual report (maybe it's under "other"?)
Ref: https://www.whitehouse.gov/sites/whitehouse.gov/files/briefing-room/presidential-actions/
related-omb-material/fy_2016_fisma_report%20to_congress_official_release_march_10_2017.pdf

BeyondTrustWebinar
28
NIST SP800-53 rev 5 draft
1. Access control
2. Awareness and training
3. Audit and accountability
4. Assessment,
authorization, and
monitoring
5. Configuration
management
6. Contingency planning
7. Identification and
authentication
8. Individual participation
9. Incident response
10.Maintenance
11.Media protection
12.Privacy authorization
13.Physical and
environmental protection
14.Planning
15.Program management
16.Personnel security
17.Risk assessment
18.System and services
acquisition
19.System and
communications
protection
20.System and information
integrity
Ref: Security and Privacy Controls for Information Systems and Organizations

BeyondTrustWebinar
29

BeyondTrustWebinar
30

BeyondTrustWebinar
What Happens When you DO Get
Ransomware?

BeyondTrustWebinar
32
MedStar Health (2016)
• $10B healthcare group in DC area
• 1 wk to 90%, full recovery ~ 5 wks
• Likely server-side ransomware
• Is paying ransom against principles?

BeyondTrustWebinar
33
Forget Principles!
• What costs more? Your principles or the
ransom?
• WRONG QUESTION.
• What costs more? The ransom or the
cost of operational downtime?
– Why would you argue about $1K if the
argument were costing you $100K / hour?

BeyondTrustWebinar
34
To The Rescue! (sort of)
• ID Ransomware by MalwareHunterTeam
• Upload ransom note or encrypted file
– They will attempt to match it to 470 known
ransomware variants
• You don't get
your files back,
but you know
what zapped
you.
– Feel better?
Ref: https://id-ransomware.malwarehunterteam.com/

BeyondTrustWebinar
35
To The Rescue! (more so)
• No More Ransom project
– Created by Dutch National Police, Europol,
Intel Security and Kaspersky Labs
• Crypto Sheriff by NoMoreRansom
– Upload encrypted file; they'll try all the keys
– Get lucky, get
your files back
for free
• But luck is not
a strategy. :(
Ref: https://www.nomoreransom.org/crypto-sheriff.php

BeyondTrustWebinar
36
Ransomware Trends
(Kaspersky Lab Report)
• Attackers shifting to targeted attacks
– Today, financial institutions (they can pay
more money)
– Tomorrow, the government? (they can print
more money)
• Over 2.5M ransomware victims past year
– (up 11.4% from 2015-2016)
• 1.2M victims had files encrypted
– (45% of ransomware incidents)
Ref: https://securelist.com/ksn-report-ransomware-in-2016-2017/78824/

BeyondTrustWebinar
37
Latest Ransomware is Much More
Dangerous
• (Not)Petya
– Steals passwords in memory and re-uses
them to infect other machines
– Moves laterally with compromised
credentials
– If a domain admin account is compromised,
it is "pretty much game over"
• Are you using the same password on
multiple machines?
– Are any (or all) at the administrator level?
Ref: Alain Mowat, A pentester's take on (Not)Petya, https://blog.scrt.ch/2017/06/30/a-pentesters-take-on-notpetya/

BeyondTrustWebinar
Prevention Strategies

BeyondTrustWebinar
39
May Have Windows 10 Coming to
a Desktop Near You
• DoD goal was Windows 10 upgrade on 4
million devices by January 2017
• Interoperability concerns holding us back
– "It's kind of like trying to put airbags on a '65
Mustang — it just wasn't designed for
security, wasn't designed for safety."
• Former Federal CIO Tony Scott
• We may never quite catch up with
"native" security in our OS
– Need something else to keep us secure
Ref: https://federalnewsradio.com/defense/2016/09/dod-close-no-cigar-windows-10-migration/
https://www.federaltimes.com/2015/06/15/feds-on-30-day-sprint-to-better-cybersecurity/

BeyondTrustWebinar
40
Technical Solutions
• Most ransomware relies on DNS
– Uses dodgy gTLDs that can be registered for
little or no money
• http://www.iana.org/domains/root/db
• "Throw-away
domains"

BeyondTrustWebinar
41
Say Yes to the DNS (Filtering)
• Over 1,500 DNS Top Level Domains
– ccTLDs for country codes
– gTLDs for 'generic' domains
– Some TLDs are 80-90% garbage sites
• Do your servers (or employees) need to
go to .hair domains? .top? .bid?
– Foghorn project is DNS proxy to reduce risk
through greylisting
Ref: https://github.com/hasameli/foghorn

BeyondTrustWebinar
42
Block Communications
(ransomwaretracker.abuse.ch)

BeyondTrustWebinar
43
Email Defenses
• Filter before or at email server:
– Attachment types (.js files get clicked on)
– Inspect/strip content (Macros to powershell)
– Rewrite links
– Block spoofed emails (reply to != sent from)
• (This can hurt scan-to-email on copiers)
– Use virtualized apps, viewers, etc.

BeyondTrustWebinar
44
Start To Add Controls
• Segment your network
• Block ports like 445 at your perimeter
• Create (different) one-time passwords for
every admin account
• Lower privilege on each user to bare
minimum
• Strip macros at the mail server
• Disable macros in your endpoints
– Only very specific users may use them
• Retire Windows XP and Server 2003 asap
Ref: ibid.

BeyondTrustWebinar
45
More Controls
• Monitor devices after network access
– MAC spoofing can make an attacker look like
a printer when connecting
• Upgrade every PowerShell instance to 5.0
– Default on Server 2016 and Windows 10
– Better credential handling, logging, rights
• If you have to support old protocols
(SMBv1, SNMP v1, NTLM)
– Put them on separate network segments
– Isolate from rest of enterprise
Ref: https://docs.microsoft.com/en-us/powershell/scripting/whats-new/what-s-new-in-windows-powershell-50?view=powershell-5.1

BeyondTrustWebinar
46
Even More Controls
• Block untrusted applications
– Whitelisting helps against new malware
– Does not help with macro calling PowerShell
• Apply patches as soon as possible
– Patch Tuesday is always followed by Exploit
Wednesday
– Block application execution if patches not
current
• Default Deny for any ruleset
– Execute explicit privilege rules first

BeyondTrustWebinar
47
Seven CSC Tips for Reducing the
Federal Attack Surface
• Inventory all devices on your network
– (CSC 1)
• Inventory all software on your systems
– (CSC 2)
• Control the use of admin privileges
– (CSC 5)
• Employ malware defenses
– (CSC 8)
• Limit network ports, protocols, services
– (CSC 9)
• Regularly backup your critical info
– (CSC 10)
• Train and inoculate your users regularly
Ref: http://www.cisecurity.org/critical-controls.cfm

BeyondTrustWebinar
48
Future of Ransomware
• Buckle up!
– Estimated $5 Billion revenue in 2017
• For every dollar spent on ransom…
– Countless more spent on
response/remediation
– Often poorly thought out and implemented
• Targets:
– VDI desktops
– Cloud Synch apps (Box sync for desktop)
– Mobile (already happening from iCloud)
– NoSQL/Redis/etc on perimeter

BeyondTrustWebinar
49
Summary
• Ransomware becoming billion-dollar
business
• Offers significant amount of revenue at
low cost for attacker
• Biggest danger in government are older
systems without adequate backup
• Danger is many willing to pay as path of
least resistance (persistent threat)
• Must use additional tools to security
government enterprises

BeyondTrustWebinar
Why Federal Systems are Immune from
Ransomware
(and other grim fairy tales)
G. Mark Hardy @g_mark
National Security Corporation
+1 410.933.9333

BeyondTrustWebinar
51
References
https://www.fedscoop.com/acting-u-s-cio-touts-2015-cyber-sprint-agencies-go-unaffected-wannacry/
http://info.securityscorecard.com/2017-us-government-cybersecurity-report
https://www.wired.com/story/us-government-cybersecurity/
https://www.symantec.com/security-center/threat-report, Symantec's 2017 Internet Security Threat Report (ISTR)
https://www.malwarebytes.com/pdf/labs/Cybercrime-Tactics-and-Techniques-Q1-2017.pdf
https://cybersecurityventures.com/ransomware-damage-report-2017-5-billion/
http://b2me.cisco.com/en-us-annual-cybersecurity-report-2017, Cisco 2017 Annual Cybersecurity Report
https://cryptowat.ch/bitfinex/btcusd
https://www.researchgate.net/publication/2301959_Cryptovirology_Extortion-Based_Security_Threats_and_Countermeasures
https://heimdalsecurity.com/blog/wp-content/uploads/ransomware-discoveries-CERT-RO-2.png
https://www.theregister.co.uk/2017/01/09/mongodb/
https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal
https://www.dhs.gov/sites/default/files/publications/FY%202017%20CIO%20FISMA%20Metrics-%20508%20Compliant.pdf
https://www.whitehouse.gov/sites/whitehouse.gov/files/briefing-room/presidential-actions/
related-omb-material/fy_2016_fisma_report%20to_congress_official_release_march_10_2017.pdf
http://csrc.nist.gov/publications/drafts/800-53/sp800-53r5-draft.pdf , Security and Privacy Controls for Information Systems and
Organizations
https://tomgraves.house.gov/uploadedfiles/discussion_draft_active_cyber_defense_certainty_act_2.0_rep._tom_graves_ga-
14.pdf
https://id-ransomware.malwarehunterteam.com/
https://www.nomoreransom.org/crypto-sheriff.php
https://securelist.com/ksn-report-ransomware-in-2016-2017/78824/
https://blog.scrt.ch/2017/06/30/a-pentesters-take-on-notpetya/, Alain Mowat, A pentester's take on (Not)Petya
https://federalnewsradio.com/defense/2016/09/dod-close-no-cigar-windows-10-migration/
https://www.federaltimes.com/2015/06/15/feds-on-30-day-sprint-to-better-cybersecurity/
https://github.com/hasameli/foghorn
https://ransomwaretracker.abuse.ch/blocklist
https://docs.microsoft.com/en-us/powershell/scripting/whats-new/what-s-new-in-windows-powershell-50?view=powershell-5.1
http://www.cisecurity.org/critical-controls.cfm

Retina Enterprise
Vulnerability Management
Alex DaCosta
Product Manager, Retina

RETINA
VULNERABILITY MANAGEMENT
POWERBROKER
PRIVILEGED ACCOUNT MANAGEMENT
PRIVILEGE
MANAGEMENT
ACTIVE DIRECTORY
BRIDGING
PRIVLEGED
PASSWORD
MANAGEMENT
AUDITING &
PROTECTION
ENTERPRISE
VULNERABILITY
MANAGEMENT
BEYONDSAAS
CLOUD-BASED
SCANNING
NETWORK SECURITY
SCANNER
WEB SECURITY
SCANNER
BEYONDINSIGHT CLARITY THREAT ANALYTICS
BEYONDINSIGHT IT RISK MANAGEMENT PLATFORM
EXTENSIVE
REPORTING
CENTRAL DATA
WAREHOUSE
ASSET
DISCOVERY
ASSET
PROFILING
ASSET SMART
GROUPS
USER
MANAGEMENT
WORKFLOW &
NOTIFICATION
THIRD-PARTY
INTEGRATION

Poll + Q&A
Thank you for attending
today’s webinar!

Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)

Ähnlich wie Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales) (20)

Mehr von BeyondTrust

Mehr von BeyondTrust (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)