Ransomware Resistance
Protective Measures with Low Effort and High Impact

About Me
§ Florian Roth
§ Head of Research @ Nextron Systems
§ IT Sec since 2000, Nation State Cyber Attacks since 2012
§ THOR Scanner
§ Twitter @cyb3rops
§ Open Source Projects:
  § Sigma (Generic SIEM Rule Format)
  § LOKI (Open Source Scanner)
  § APT Groups and Operations Mapping
  § Antivirus Event Analysis Cheat Sheet
  § ...
Ransomware Overview Spreadsheet – Prevention Tab
§ Public Google Document
  https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
Protection: the preservation from injury or harm
Resistance: the ability not to be affected by something, especially adversely
Resilience: the capacity to recover quickly from difficulties; toughness

Protection (implies previous Detection): Antivirus, Sandboxes and EDRs to detect and avert threats
Resistance: basic methods of separation and blocking to protect from new and unknown threats
Resilience: fast and easy recovery from occurred incidents
Ransomware Kill Chain
Phases: Delivery, Infection, Propagation (the rows below list their entries in phase order)
Methods: Phishing Emails, Vulnerabilities (SMBv1), Brute Force (RDP), Malicious Document, Dropper/Downloader, Network Scanning, Extracted Credentials
Protection: Security Awareness Trainings, Multi-Factor-Authentication, Antivirus, EDR, IPS
Detection: Security Monitoring, Antivirus, EDR, Security Monitoring, NSM, IDS
Resistance: Firewalling, Email Filters, Patch Management, Policies, Execution Prevention, Firewalling (OS level), Network Segregation, User Account Segregation
Ransomware Kill Chain – Industry Focus
(same kill chain table as above, with the industry focus highlighted: "This is what we’ll look at")
Protective Measures
1. Backup and Restore Process
2. Windows Defender Ransomware Protection
3. Block Macros
4. Block Windows Binary Access to Internet
5. Filter Attachments Level 1
6. Filter Attachments Level 2
7. Use Web Proxies
8. Block Executable Downloads
9. Enforce UAC Prompt
10. Remove Admin Privileges
11. Restrict Workstation Communication
12. Sandboxing Email Input
13. Execution Prevention
14. Change Default "Open With" to Notepad
15. Restrict program execution
16. Sysmon
17. VSSAdmin Rename
18. Disable WSH
19. Folder Redirection
20. Remove Backup Server from Domain
21. Multi-Factor-Authentication (MFA)
[Chart: Effort vs. Effect, 80% / 20% split, Low Complexity Measures]
Low Complexity Measures
Measures that have a low complexity of implementation, minimal influence on business-critical processes and don’t require a lot of previous research or expertise.

High Complexity Measures – Examples
High Complexity: Filter Attachments
§ Where can I get a good and curated list of problematic extensions?
§ Do we have critical business processes that depend on one or more of these extensions?
§ How and where can we block them?

High Complexity: Block program executions
§ Which programs should we white-list?
§ Is there a list of legitimate programs that we use in our organisation?
§ Who maintains that list?
§ Where do we apply the restrictions? (Workstations, Admin Workstations, Systems of Support Staff, Servers, Admin Jump Server)
Low Complexity Measures – Communication Restrictions
(the list of 21 protective measures from above, with the low complexity measures and the communication restrictions highlighted)
“Worst” Practice Communication
[Diagram: Internet | Intranet]

Best Practice Communication
[Diagram: Internet | Intranet, Proxy with Executable Filter, No Workstation to Workstation Communication]
Resistance 1 – Block Executable Downloads
[Diagram: Internet | Intranet, Proxy] A malicious document (Mal Doc) cannot retrieve its second stage: the proxy blocks EXE downloads from an uncategorized domain.

Resistance 2 – Enforce Web Proxy
[Diagram: Internet | Intranet, Proxy] The Mal Doc can retrieve the 2nd stage (the proxy allows EXE downloads from a categorized domain), but the 2nd stage has no proxy support and cannot communicate with the C2 server.

Resistance 3 – Block Workstation to Workstation Communication
[Diagram: Internet | Intranet, Proxy] The Mal Doc can retrieve the 2nd stage (EXE from a categorized domain) and the 2nd stage has proxy support and can communicate with the C2 server, but it cannot spread to other workstations.
Resistance Measures in Detail
§ Enforce Web Proxies
  § Level 1: from workstations on which humans open emails
  § Level 2: from all internal systems
§ Block Executable Downloads
  § Level 1: from domains known as malicious (not recommended)
  § Level 2: Instead of blocking, show a splash page for downloads from uncategorized domains (recommended)
  § Level 3: from uncategorized domains
§ Block Workstation to Workstation Communication
  § Network segregation is a requirement (allow connections to server segments and the proxy, disallow connections to other client networks)
  § You can use the integrated Windows Firewall
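The last two measures carried out on a single host, as an added example that is not from the slides: Windows Firewall rules that cut workstation-to-workstation traffic while keeping the server segment and the proxy reachable, plus enforcement of the web proxy for the system and user HTTP stacks. The address ranges, proxy name and port are constructed assumptions; in production these settings come from Group Policy rather than a per-host script.

```powershell
# Added example (not from the slides): block workstation-to-workstation traffic
# and enforce the corporate web proxy with the integrated Windows Firewall and
# the built-in proxy settings. Subnets, proxy host and port are assumptions.
#Requires -RunAsAdministrator

$ClientNets = @('10.10.0.0/16', '10.11.0.0/16')   # assumed workstation segments
$ServerNets = @('10.20.0.0/16')                   # assumed server segment (proxy lives here)
$Proxy      = 'proxy.corp.example:8080'           # assumed proxy host:port
$RuleGroup  = 'Ransomware Resistance'

# 1. Disallow connections to and from other client networks. Block rules take
#    precedence over allow rules in Windows Firewall, so the proxy and the
#    server segment must not overlap with $ClientNets.
New-NetFirewallRule -DisplayName 'RR - Block Workstation to Workstation (Out)' `
    -Group $RuleGroup -Direction Outbound -Action Block `
    -RemoteAddress $ClientNets -Profile Domain | Out-Null
New-NetFirewallRule -DisplayName 'RR - Block Workstation to Workstation (In)' `
    -Group $RuleGroup -Direction Inbound -Action Block `
    -RemoteAddress $ClientNets -Profile Domain | Out-Null

# 2. Allow the server segment (and with it the proxy). Outbound traffic is
#    allowed by default; this rule records the intent and keeps working if the
#    default outbound action is later changed to Block.
New-NetFirewallRule -DisplayName 'RR - Allow Server Segment (Out)' `
    -Group $RuleGroup -Direction Outbound -Action Allow `
    -RemoteAddress $ServerNets -Profile Domain | Out-Null

# 3. Enforce the web proxy for the WinHTTP (system services) and WinINET
#    (interactive user) stacks. A second stage without proxy support then has
#    no direct route to its C2 server once the perimeter only lets the proxy out.
netsh winhttp set proxy "proxy-server=$Proxy" "bypass-list=<local>"
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $inet -Name ProxyEnable -Value 1
Set-ItemProperty -Path $inet -Name ProxyServer -Value $Proxy

# 4. Verify: list the rules, then probe an assumed peer workstation (SMB) and
#    the proxy port. The peer probe should fail, the proxy probe should succeed.
Get-NetFirewallRule -Group $RuleGroup |
    Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize
Test-NetConnection -ComputerName '10.10.5.23' -Port 445 -InformationLevel Quiet
Test-NetConnection -ComputerName 'proxy.corp.example' -Port 8080 -InformationLevel Quiet
```

Egress enforcement is only complete when the perimeter firewall permits outbound HTTP/HTTPS from the proxy alone; the host rules above cover the intranet side of the slides' diagram.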
Resistance Measures Effects
§ Block Executable Downloads (from uncategorized domains): averts ~90 percent*
§ Enforce Web Proxies: averts ~60 percent*
§ Block Workstation to Workstation Communication: greatly reduces impact*
*of attacks
Many Experts Share My View
§ I am not alone in that opinion
§ Other experts in the industry have had the same experiences
Challenges
§ Many remote workers, especially due to the global pandemic
§ Bandwidth problems with VPN & corporate proxies
§ A solid asset management is a requirement
  § You can’t control / restrict / defend what you don’t know
  § Affected systems are often the neglected and forgotten ones (embedded systems, POS devices, display systems, print servers etc.)