
Glasswall - How to Prevent, Detect and React to Ransomware incidents



Presentation delivered at the https://www.sccongressuk.com/ on 29th June 2019



  1. How to prevent, detect and react to Ransomware incidents. 29th June 2020. Dinis Cruz, CISO and SVP Engineering
  2. Ransomware Incident
     React: What should the focus be during and after an incident so that the business and customer impact of the incident is minimised?
     Detect: Once you are a victim of an attack, what techniques can you use to gain an advantage on the malicious behaviour? (This will dramatically reduce the impact of the attack.)
     Prevent: What are the most effective solutions (people, process and technology) that help with preventing Ransomware incidents?
  3. Public/Media sequence of events
     ⁄ Stage 1: Breaking news. What happened?
     ⁄ Stage 2: Story telling. Make it personal (attackers and victims)
     ⁄ Stage 3: Crisis analysis. Aftermath
     ⁄ Stage 4: Anniversary stories
     The final version of the ‘incident story’ will depend on how you behaved during the incident.
  4. How you react and behave! ...before, during and after the event... is more important ...to your customers, employees and regulators... than ‘what happened?’
  5. With Ransomware - what are you protecting?
     ⁄ Confidentiality - Don’t play this game
     ⁄ Integrity - So far we have been lucky
     ⁄ Availability - This is what it is all about
     Focus on restoring Availability of your Data and Operations:
     ⁄ Customer Data
     ⁄ Employee Data
     ⁄ Servers’ Availability
     ⁄ Backups
     ⁄ Business Operations
     ⁄ Customer Trust
     ⁄ Compliance
  6. Key activities covered in this presentation
     ⁄ Prevent files from reaching users - Reduce quantity of Patient Zero
     ⁄ Network Segmentation - Reduce Blast Radius
     ⁄ Endpoint protection - Block Propagation and Detonation
     ⁄ User Education - Reduce Payloads Activated
     ⁄ Incident Response Playbooks - Prepare and Rehearse Response
     ⁄ Asset Protection - Reduce Impact
     ⁄ Application Catalogue - Understand Attack Surface
     ⁄ Situational Awareness (SOC) - See What is Happening
     ⁄ Incident Response Team - Respond to Events
     ⁄ Immutable Infrastructure - Reduce Targets
     ⁄ Everything as Code - Automate Recovery
  7. Prevent
  8. What are the most effective solutions (people, process and technology) that help with preventing Ransomware incidents?
  9. All of the ones below (x investment before incident = 10x reduction in impact): the eleven key activities listed on slide 6, from preventing files from reaching users through to Everything as Code.
  10. Let’s start with this one: Prevent files from reaching users - Reduce quantity of Patient Zero (the first of the key activities listed on slide 6)
  11. Preventing malware files from reaching the user
  12. Reducing instances of Patient Zero
  13. User Stories
     As a CISO, I don’t want to worry that my security defences rely on users not opening and executing files.
     As a User, I don’t want to worry that the file I want to open is going to be malicious.
     As a CISO, I don’t want my users to focus on Security and to need Security skills (since that doesn’t scale).
     As a User, I want to focus on my job and be able to open all files sent to me in a safe way.
  14. Reducing quantity of Patient Zero
     ⁄ Patient Zero is the first device that executes malicious code
     ⁄ Reducing the number of Patient Zeros is an effective solution that balances usability, business risk and business impact
     ⁄ Augment solutions that are hard to scale
       ○ User Education
       ○ Network Segmentation
       ○ Endpoint protection
     ⁄ Common infection points
       ○ Email
       ○ Downloaded files
       ○ Compromised installers of ‘benign applications’
  15. Why are Office/PDF files used to infect Patient Zero?
     ⁄ Users open these files every day
     ⁄ Users need these files to do their work
     ⁄ Preventing users from accessing these files will cause significant business disruption
     ⁄ Users have been trained to open files (and click on links)
     ⁄ Office and PDF files have ‘built-in’ dangerous functionality (for example: macros or JavaScript execution)
     ⁄ Office and PDF files are very complex file formats (reader apps have historically been vulnerable to buffer overflows)
  16. How to prevent malicious files from reaching Patient Zero
     3 technologies that work (when used together):
       ○ Anti-Virus
       ○ Detonation Chambers (Sandboxing)
       ○ Content Disarm and Reconstruction (CDR)
     Antivirus = Identify Known Bad
     Detonation Chambers (Sandboxing) = Identify Unknown Bad
     CDR (Content Disarm and Reconstruction) = Rebuild into Known Good
  17. Content Disarm and Reconstruction (CDR)
  18. CDR in action: https://file-drop.co.uk/ and https://www.youtube.com/watch?v=Lfaj71aGsqY
  19. CDR locations and deployment models
     ⁄ Web Proxies = Protect downloads from websites
     ⁄ Email = Protect attachments
     ⁄ USB Devices = Protect against USB-distributed files
     ⁄ File Uploads = Protect locations where 3rd parties upload files
     ⁄ Cross Domain = Protect networks (using diodes)
     Objective:
     ⁄ Prevent users from exposure to malicious files
     ⁄ Provide users with visually identical files
       ○ Minimum business impact
       ○ Safe files (rebuilt into known good)
  20. CDR players and technical information (company: technical documents)
     ⁄ Check Point: https://blog.checkpoint.com/2019/07/16/practical-prevention-maximum-zero-day-prevention-without-compromising-productivity/
     ⁄ Clearswift: https://www.clearswift.com/sites/default/files/Clearswift_CNI_Solution_Brief_Defence_Security_Solutions_UK_Eng_WR.pdf
     ⁄ Deep Secure: https://www.deep-secure.com/blog/165-what-is-zero-trust-and-can-it-turn-the-tables-in-the-cyber-security-war.php
     ⁄ Glasswall: https://glasswallsolutions.com/content-disarm-and-reconstruction/
     ⁄ Jiran Security: https://drive.google.com/open?id=1uyI4js5YXPEBmSd-YcHJv8HIabNmVrlS
     ⁄ MIMEcast: https://www.mimecast.com/globalassets/documents/whitepapers/gl-1556-email-security-deep-dive.pdf
     ⁄ OD-IX: https://odi-x.com/true-cdr-the-next-generation-of-malware-prevention-tools/
     ⁄ Opswat: https://www.opswat.com/blog/questions-to-ask-before-you-select-a-cdr-technology
     ⁄ Resec: https://resec.co/cdr-cybersecurity/
     ⁄ SASA Software: https://www.sasa-software.com/our-technology/
     ⁄ SOFTCAMP: https://www.softcamp.co.kr/eng/sub/sub_2_4.php
     ⁄ Votiro: https://cdn2.hubspot.net/hubfs/6559474/Whitepapers/Stopping_threats_with_Votiro_solutions_Booklet.pdf?utm_source=hs_automation
     ⁄ Yazamtech: https://yazamtech.com/content-disarm-reconstruction-what-does-a-business-really-need-to-ensure-smooth-business-continuity/
     ⁄ Fortinet: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/441368/content-disarm-and-reconstruction-cdr
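Slide 16 describes CDR as "rebuild into known good" rather than "find known bad". The following is an added, toy illustration of that idea for OOXML documents; it is not Glasswall's code nor that of any vendor listed on slide 20. A .docx/.docm is a ZIP of XML parts, so the rebuild creates a brand-new ZIP, copies across only parts on an allow-list (no VBA project, OLE embeddings or ActiveX), and patches the package metadata so nothing references the dropped parts. The allow-list, the sample document and its placeholder part bodies are all constructed for the example; real CDR products re-parse and regenerate every part rather than copying any bytes through.

```python
"""Toy Content Disarm and Reconstruction (CDR) pass for OOXML (.docx/.docm).

Added example; not Glasswall's or any listed vendor's code. An OOXML file is a
ZIP of XML parts, so "rebuild into known good" is shown as: create a new ZIP,
copy across only allow-listed parts, and patch the package metadata so it no
longer references what was dropped. The allow-list, the sample document and
the placeholder part bodies are constructed for this example.
"""
from __future__ import annotations

import io
import re
import zipfile

# Parts a plain Word document is allowed to carry. Anything else (VBA project,
# OLE embeddings, ActiveX controls, unknown parts) is simply not copied.
ALLOWED_PARTS = re.compile(
    r"^(\[Content_Types\]\.xml|_rels/\.rels|docProps/(core|app)\.xml"
    r"|word/_rels/document\.xml\.rels"
    r"|word/(document|styles|settings|fontTable|numbering|footnotes|endnotes)\.xml"
    r"|word/(header|footer)\d*\.xml|word/theme/theme\d*\.xml"
    r"|word/media/[^/]+\.(png|jpe?g|gif))$"
)
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = ("application/vnd.openxmlformats-officedocument"
            ".wordprocessingml.document.main+xml")
# Package references to active content; removed so readers stay consistent.
DROP_OVERRIDE = re.compile(
    r'<Override PartName="/word/(?:vbaProject\.bin|(?:embeddings|activeX)/[^"]*)"[^>]*/>')
DROP_REL = re.compile(
    r'<Relationship [^>]*Target="(?:vbaProject\.bin|(?:embeddings|activeX)/[^"]*)"[^>]*/>')


def disarm_docx(data: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the package from scratch; return (new_bytes, dropped_part_names)."""
    dropped: list[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if not ALLOWED_PARTS.match(name):
                dropped.append(name)
                continue
            body = src.read(name)
            if name == "[Content_Types].xml":
                # Demote the macro-enabled main part to plain; forget dropped parts.
                text = body.decode("utf-8").replace(MACRO_CT, PLAIN_CT)
                body = DROP_OVERRIDE.sub("", text).encode("utf-8")
            elif name == "word/_rels/document.xml.rels":
                body = DROP_REL.sub("", body.decode("utf-8")).encode("utf-8")
            dst.writestr(name, body)   # fresh entry: no source ZIP metadata kept
    return out.getvalue(), dropped


def build_sample_docm() -> bytes:
    """Constructed macro-enabled package; bodies are placeholders, not real VBA."""
    ns_pkg = "http://schemas.openxmlformats.org/package/2006"
    ns_w = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml":
            f'<Types xmlns="{ns_pkg}/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_CT}"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '</Types>',
        "_rels/.rels":
            f'<Relationships xmlns="{ns_pkg}/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '</Relationships>',
        "word/_rels/document.xml.rels":
            f'<Relationships xmlns="{ns_pkg}/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            '</Relationships>',
        "word/document.xml":
            f'<w:document xmlns:w="{ns_w}"><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>',
        "word/styles.xml": f'<w:styles xmlns:w="{ns_w}"/>',
        "word/vbaProject.bin": "PLACEHOLDER-VBA-PROJECT",
        "word/embeddings/oleObject1.bin": "PLACEHOLDER-OLE-OBJECT",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def demo() -> dict:
    """Disarm the constructed sample and report what the rebuilt package contains."""
    rebuilt, dropped = disarm_docx(build_sample_docm())
    with zipfile.ZipFile(io.BytesIO(rebuilt)) as zf:
        return {"kept": zf.namelist(), "dropped": dropped,
                "content_types": zf.read("[Content_Types].xml").decode("utf-8"),
                "rels": zf.read("word/_rels/document.xml.rels").decode("utf-8")}


if __name__ == "__main__":
    result = demo()
    print("kept:", result["kept"])
    print("dropped:", result["dropped"])
```

The design point is the one from slide 16: nothing here tries to recognise malicious VBA or a malformed embedding. The output is assembled from a positive list, so an unknown or novel part is dropped by default, which is what lets CDR complement antivirus (known bad) and sandboxing (unknown bad).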
  21. Detect
  22. Once you are a victim of an attack, what techniques can you use to gain an advantage on the malicious behaviour? (This will dramatically reduce the impact of the attack.)
  23. The following activities should also be done during incidents
  24. Incidents are a very effective environment to fix security gaps and improve your capabilities
  25. Next, let’s cover these key activities (from the list on slide 6)
  26. Sequence of events (each produces a weak signal)
     All attackers/malware:
     - Initial Infection (Patient Zero)
     - Reconnaissance
     - Elevation of privilege and Propagation
     - Asset Enumeration
     - Encryption
     More advanced attackers:
     - Gain Persistence
     - Additional payloads
     - Data Extraction
     Your job is to make it harder for attackers to perform each of these actions.
     Your defence model should be based on the “Attacker making a mistake” (vs you having to protect everything).
  27. Network Segmentation - Reduce Blast Radius:
     ⁄ Break your network into hundreds of smaller networks
       ○ Not that hard to do once you go down that path
     ⁄ Start with Assets
     ⁄ Redirect patching efforts into network segmentation
       ○ Patching doesn’t scale
       ○ OK to have insecure devices on the network as long as they are not exposed
  28. Endpoint protection - Block propagation and detonation:
     ⁄ You need to have visibility into what is happening with your endpoints
     ⁄ Pay attention to weak signals
     ⁄ Invest in SOC data consumption and visualisation
     ⁄ Outsource where it makes sense (for example SIEM level 1)
  29. User Education - Reduce Payloads Activated:
     ⁄ Creatively educate your users on your current threat landscape
     ⁄ Make it relevant for them (both at home and in their business function)
     ⁄ Gamify it
     ⁄ Reward detection
     ⁄ Don’t punish Patient Zero
  30. Incident Response Playbooks - Prepare and Rehearse Response:
     ⁄ Single most important activity
     ⁄ View incidents (before Ransomware) as ‘warm up’ events
     ⁄ Use incidents strategically (‘over-allocate’ resources)
     ⁄ Use playbooks’ maturity as a way to measure preparedness
     ⁄ People management and communications are the HARDEST to scale
  31. Asset Protection - Reduce Impact:
     ⁄ Know what your assets are
     ⁄ Know where they are located
     ⁄ Monitor asset usage
     ⁄ Use security violations (role-based security) as early-warning signals
  32. Application Catalogue - Understand Attack Surface:
     ⁄ Map all your applications (to your assets)
     ⁄ Know who owns them
     ⁄ Understand what should happen if an application is compromised
     ⁄ Know how to restore it
     ⁄ Backup everything (not just the data)
     ⁄ Put it all in a Graph (we use Jira to consolidate all data)
  33. Situational Awareness (SOC) - See What is Happening:
     ⁄ The SOC team is the one that should see it first
     ⁄ Create a model where the attacker needs to make a mistake
     ⁄ The sooner you can detect malicious activity, the less damage will occur
     ⁄ Before an incident, align the SOC with Business Intelligence
     ⁄ Machine Learning is the only way to scale
       ○ Understand the Known Good status of your network
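Slide 26 says each stage of a ransomware run leaks a weak signal, slide 28 says to pay attention to those signals, and slide 33 says the SOC needs a Known Good baseline. The block below is an added example, not code from the presentation, showing how those ideas combine in practice: three weak signals (breadth of directories touched, extension drift from a per-process baseline, and random-looking write content) are evaluated per host and process over a sliding window, and an alert fires only when at least two agree. The telemetry schema, host and process names, paths and the baseline are all constructed; a real deployment would feed this from EDR or file-audit events and learn the baseline from its own history.

```python
"""Weak-signal detector over endpoint file-activity telemetry.

Added example; not code from the presentation. Joins three weak signals per
(host, process) in a sliding window and alerts only when at least two fire,
so a single noisy signal does not page anyone. Event schema, hosts, process
names, paths and the known-good baseline are all constructed.
"""
from __future__ import annotations

import math
import os
from collections import defaultdict, deque
from typing import Iterable

# Known-good baseline of extensions each process normally writes (constructed;
# in practice learned from your own telemetry, as slide 33 suggests).
KNOWN_GOOD = {
    "WINWORD.EXE": {".docx", ".dotx", ".tmp"},
    "backup-agent": {".bak", ".log"},
}
WINDOW_S = 60       # sliding window length in seconds
MIN_DIRS = 5        # breadth: distinct directories touched (asset enumeration)
MIN_COUNT = 5       # writes with a never-seen extension / random-looking content
ENTROPY_BITS = 7.0  # per-byte Shannon entropy of a 256-byte write sample


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect(events: Iterable[dict]) -> list[dict]:
    """Return one alert per (host, process) whose window trips >= 2 signals.

    Each event: {"ts": int, "host": str, "proc": str, "path": str,
                 "sample_hex": str}  # hex of the first 256 bytes written
    """
    windows: dict[tuple[str, str], deque] = defaultdict(deque)
    alerted: set[tuple[str, str]] = set()
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["proc"])
        win = windows[key]
        win.append(ev)
        while ev["ts"] - win[0]["ts"] > WINDOW_S:   # expire old events
            win.popleft()
        if key in alerted:
            continue
        baseline = KNOWN_GOOD.get(ev["proc"], set())
        dirs = {os.path.dirname(e["path"]) for e in win}
        drift = sum(1 for e in win
                    if os.path.splitext(e["path"])[1].lower() not in baseline)
        random_writes = sum(
            1 for e in win
            if shannon_entropy(bytes.fromhex(e["sample_hex"])) >= ENTROPY_BITS)
        signals = {
            "breadth": len(dirs) >= MIN_DIRS,
            "extension_drift": drift >= MIN_COUNT,
            "high_entropy_writes": random_writes >= MIN_COUNT,
        }
        if sum(signals.values()) >= 2:
            alerted.add(key)
            alerts.append({
                "host": ev["host"], "proc": ev["proc"],
                "window": (win[0]["ts"], ev["ts"]),
                "signals": sorted(k for k, v in signals.items() if v),
            })
    return alerts


# Constructed telemetry: a benign editor, a benign backup job that touches many
# directories (one signal only), and an unknown process rewriting files in many
# directories with random-looking content under a new extension (three signals).
PLAIN = (b"Quarterly report, draft 3. " * 10)[:256]
RANDOM_LIKE = bytes((i * 37 + 11) % 256 for i in range(256))  # permutation: entropy 8.0


def build_sample_events() -> list[dict]:
    ev = []
    for i in range(3):
        ev.append({"ts": 10 + i, "host": "ws-017", "proc": "WINWORD.EXE",
                   "path": f"/home/alice/docs/report{i}.docx", "sample_hex": PLAIN.hex()})
    for i in range(8):
        ev.append({"ts": 40 + i, "host": "srv-files-02", "proc": "backup-agent",
                   "path": f"/srv/share/dept{i}/nightly.bak", "sample_hex": PLAIN.hex()})
    for i in range(12):
        ev.append({"ts": 100 + i, "host": "srv-files-02", "proc": "updater.exe",
                   "path": f"/srv/share/dept{i}/invoice.xlsx.locked",
                   "sample_hex": RANDOM_LIKE.hex()})
    return ev


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

The backup agent trips the breadth signal on its own and stays silent, which is the point of requiring two signals: the defence model on slide 26 is that the attacker has to make a mistake, and here the mistake is that encryption looks unlike anything in the known-good baseline on two independent axes at once. On the constructed data the alert fires on the fifth write of the unknown process, well before all twelve directories are touched.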
  34. React
  35. What should the focus be during and after an incident so that the business and customer impact of the incident is minimised?
  36. Activities we are going to cover in this section (from the key activities listed on slide 6)
  37. Incident Response Team - Respond to Events:
     ⁄ The effectiveness of this team will determine the impact of the incident
     ⁄ Over-provision resources
     ⁄ Create operational structures to help scale the resources allocated
     ⁄ Manage people effectively (food, rest, meeting rooms)
     ⁄ Focus on process, namely on comms and stakeholder management
     ⁄ Effective use of technology is key
  38. Playbook in action
  39. Immutable Infrastructure - Reduce Targets:
     ⁄ Know what is in a Known Good state
     ⁄ Know what you can trust
     ⁄ The less editable your infrastructure is, the smaller the attack surface
  40. Everything as Code (EaC) - Automate Recovery:
     ⁄ The more automation you have in your infrastructure, the faster you will recover
     ⁄ As long as your build scripts are not compromised, rebuild it
     ⁄ Kick-start the rebuild process as soon as the event occurs (even before you’ll need it)
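Slides 39 and 40 make recovery depend on two things: knowing what is in a Known Good state, and rebuilding from code "as long as your build scripts are not compromised". The following added example (not code from the presentation) shows the gate that connects them: a SHA-256 manifest of the reviewed build tree is checked in both directions before an automated rebuild is allowed to start, refusing if any file was modified, went missing, or appeared without review. File names and contents are constructed; the manifest itself is assumed to be stored where an attacker on the build host cannot edit it (signed, or on a separate system).

```python
"""Known-good check for rebuild scripts before automated recovery runs.

Added example; not code from the presentation. Keeps a SHA-256 manifest of
the build tree and refuses to rebuild if any file changed, went missing, or
appeared unexpectedly. File names and contents are constructed; the manifest
is assumed to live somewhere the attacker cannot edit.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from typing import Iterable


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, rel_paths: Iterable[str]) -> dict[str, str]:
    """Snapshot of a tree you have just reviewed: {relative path: sha256}."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in sorted(rel_paths)}


def verify_tree(root: str, manifest: dict[str, str]) -> dict:
    """Compare the tree against the manifest in both directions."""
    modified, missing = [], []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) != expected:
            modified.append(rel)
    present = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            present.add(os.path.relpath(os.path.join(dirpath, name), root))
    unexpected = sorted(present - set(manifest))   # files nobody reviewed
    return {"ok": not (modified or missing or unexpected),
            "modified": modified, "missing": missing, "unexpected": unexpected}


def safe_to_rebuild(root: str, manifest: dict[str, str]) -> bool:
    """Gate for the automated rebuild described on slide 40."""
    return verify_tree(root, manifest)["ok"]


def demo() -> tuple[dict, dict]:
    """Clean check, then the same check after one edit and one unreviewed file."""
    files = {   # constructed build tree
        "build.sh": "#!/bin/sh\nterraform apply -auto-approve\n",
        "deploy/main.tf": 'resource "aws_instance" "web" {}\n',
        "ansible/site.yml": "- hosts: web\n  roles: [baseline]\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        manifest = build_manifest(root, files)
        clean = verify_tree(root, manifest)
        # Constructed drift: one script edited after review, one file added.
        with open(os.path.join(root, "build.sh"), "a") as f:
            f.write("# edited after review\n")
        with open(os.path.join(root, "deploy", "helper.sh"), "w") as f:
            f.write("echo unreviewed\n")
        tampered = verify_tree(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("before drift:", clean["ok"])
    print("after drift:", tampered)
```

Checking for unexpected files matters as much as checking for modified ones: a rebuild pipeline that sources every `*.tf` or `*.yml` in a directory will pick up a planted file even when every reviewed file still matches its hash. Kicking the rebuild off early, as slide 40 recommends, is only safe when this gate passes first.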
  41. Ransomware Incident Simulation
  42. Session at Open Security Summit: https://open-security-summit.org/training/week-2/ciso-and-risk-management/incident-scenario-exercise/
  43. Rules
     ⁄ Create multiple teams (one team per ‘persona’)
       ○ Management
       ○ Operations
       ○ Customer Group
       ○ Security Team (Blue Team)
       ○ Attackers (Red Team)
     ⁄ Gameplay happens over multiple rounds
     ⁄ Round one defines the initial scenario (first detections)
     ⁄ Each team meets to decide what they want to do next (for 10 to 15 minutes)
     ⁄ The Incident ‘Scenario’ team is part of each team and adjusts the scenario based on the decisions made
     ⁄ Sessions executed over Zoom, with Slack used to synchronize actions
  44. Event players
  45. Event players
  46. Scenario
  47. What was compromised
  48. Here are the slides created by the “Red Team” with its moves
  49. Try it at your company
  50. Thanks - Questions? dcruz@glasswallsolutions.com @DinisCruz
