ITPG Secure on WannaCry

A ransomware worm called "WannaCry" has recently infected hundreds of thousands of unpatched Windows endpoints worldwide. This short presentation summarises what the threat means for end users and what actions can be taken in response.


  1. ITPG Secure on the WannaCry Malware Attack
     WannaCry – Addressing the Unprecedented Global Ransomware Attack
     https://itpgsecure.com
  2. The facts about WannaCry
     On Friday, May 12, 2017, a ransomware variant titled "WannaCry" infiltrated several UK National Health Service sites. It has since spread to more than 150 countries and infected more than 200,000 endpoints.
     • Microsoft fixed the underlying SMBv1 vulnerability for supported systems (Windows Vista and later) on March 14, 2017, in security bulletin MS17-010. After the outbreak it also released an out-of-band patch for unsupported legacy systems (Windows XP, Windows 8 and Windows Server 2003).
     • Delays in applying security updates, and the lack of routine support for legacy Windows versions, left many systems exposed.
     • WannaCry exploits that known SMB vulnerability with the EternalBlue exploit and targets unpatched Windows systems (Windows XP, Vista, 7, 8, 10, Server 2003 and Server 2012). In practice the large majority of infected hosts were Windows 7 machines.
     • Infected users have their files encrypted and are asked for a $300 ransom in bitcoin.
     • The malware propagates laterally as a worm and rapidly infects reachable endpoints.
     • A "kill-switch" domain was identified; once registered, it stopped that variant from infecting further systems. Variants without the kill-switch have since been reported.
     • As of May 15, 2017, the threat is still active.
     • The EternalBlue exploit that WannaCry uses comes from the NSA tool set leaked by the ShadowBrokers in April 2017.
  3. WannaCry details and misconceptions
     Important information is getting lost in the online clutter; take the time to clear up WannaCry misconceptions.
     • The most common WannaCry variant propagates over SMB, using IPC$ shares and SMB resources.
     • EternalBlue is used to drop the executable onto the target. On start the executable beacons to the kill-switch domain; if it receives no response it runs the ransomware and worm routines, and if the domain answers it exits. See Endgame.com for a detailed analysis.
     • The exploit installs the DOUBLEPULSAR kernel backdoor, through which the payload is loaded; a host already backdoored by an earlier EternalBlue attack can be infected through it directly. The malware also deletes Volume Shadow Copies (via vssadmin) to make recovery harder. (Source: Malwarebytes)
     • On the LAN, it enumerates local addresses and scans them for open TCP ports 445 and 139 (SMB).
     • On the internet, it probes random IP addresses for an open port 445. When it finds one, it scans every address in that host's /24 (addresses sharing the first three octets).
     • WannaCry kills SQL Server, Exchange and MySQL processes so that their database files can be encrypted, and installs a Tor client on the endpoint for command-and-control traffic.
     • When the ransom deadline elapses, the malware writes up to 1 GB of data into free disk space and then deletes that file, overwriting remnants of the original files.
     • An earlier WannaCry variant had been documented before this outbreak.
     For more information, see:
     https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
     https://www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis
     https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
     https://www.bleepingcomputer.com/news/security/with-the-success-of-wannacry-imitations-are-quickly-in-development/
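     The LAN and internet scanning behaviour described above is the most reliable network-level signal of an active infection, and it can be pulled straight out of perimeter or internal firewall logs. The following Python script is an added example, not code from the original deck or from ITPG Secure: it runs that detection logic over a few constructed firewall log lines and flags any internal host that touches many distinct LAN addresses on 139/445 or reaches out to public addresses on 445, counting the /24 sweeps the worm performs after a hit. The key=value log format, the LAN address ranges and the fan-out threshold are assumptions of this example.

```python
"""Detect WannaCry-style SMB fan-out in firewall logs.

Added example (not from the original deck). The log format, LAN ranges and
threshold are assumptions; SAMPLE_LOG below is constructed.
"""
import ipaddress
import re
from collections import defaultdict

SMB_PORTS = {139, 445}

# Address space this example treats as "our LAN" (assumption).
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed key=value firewall log line, e.g.
#   2017-05-12T14:03:01Z src=10.0.0.5 dst=10.0.0.100 dport=445 action=deny
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (src, dst_ip, dport) for a line on an SMB port, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dport = int(m.group("dport"))
    if dport not in SMB_PORTS:
        return None
    try:
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        return None
    return m.group("src"), dst, dport


def is_lan(ip):
    return any(ip in net for net in LAN_NETWORKS)


def smb_scan_report(lines, lan_threshold=10):
    """Per source host, count distinct SMB targets inside the LAN and on the
    internet (port 445 only, matching the worm's internet scan). A host is
    reported if its LAN fan-out reaches lan_threshold or it contacted any
    public address on 445. public_24_sweeps counts public /24s in which the
    host touched two or more addresses, the pattern the worm shows after a hit."""
    lan_targets = defaultdict(set)
    public_targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if is_lan(dst):
            lan_targets[src].add(dst)
        elif dport == 445:
            public_targets[src].add(dst)

    report = {}
    for src in set(lan_targets) | set(public_targets):
        lan = len(lan_targets[src])
        pub = len(public_targets[src])
        per_24 = defaultdict(int)
        for ip in public_targets[src]:
            per_24[ipaddress.ip_network(f"{ip}/24", strict=False)] += 1
        sweeps = sum(1 for n in per_24.values() if n >= 2)
        if lan >= lan_threshold or pub > 0:
            report[src] = {"lan_targets": lan,
                           "public_targets": pub,
                           "public_24_sweeps": sweeps}
    return report


# Constructed sample: 10.0.0.5 behaves like an infected host; 10.0.0.20 and
# 10.0.0.21 are ordinary clients talking to one file server.
SAMPLE_LOG = [
    f"2017-05-12T14:03:{i:02d}Z src=10.0.0.5 dst=10.0.0.{100 + i} dport=445 action=deny"
    for i in range(12)
] + [
    "2017-05-12T14:04:00Z src=10.0.0.5 dst=203.0.113.7 dport=445 action=deny",
    "2017-05-12T14:04:01Z src=10.0.0.5 dst=203.0.113.8 dport=445 action=deny",
    "2017-05-12T14:04:02Z src=10.0.0.5 dst=203.0.113.9 dport=445 action=deny",
    "2017-05-12T14:04:03Z src=10.0.0.20 dst=10.0.0.30 dport=445 action=allow",
    "2017-05-12T14:04:04Z src=10.0.0.20 dst=10.0.0.30 dport=80 action=allow",
    "2017-05-12T14:04:05Z src=10.0.0.21 dst=10.0.0.30 dport=139 action=allow",
]

if __name__ == "__main__":
    for host, stats in sorted(smb_scan_report(SAMPLE_LOG).items()):
        print(host, stats)
```

     Denied connections count as much as allowed ones here: a worm probing closed ports still leaves the fan-out signature, and a single internal host opening SMB to the internet at all is worth a look regardless of whether the perimeter blocked it.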
  4. Immediate actions – If you have not been infected
     Patch or inoculate the OS
     • Determine your exposure and its risk implications: identify and document outdated Windows operating systems.
     • Apply Microsoft's emergency patch to legacy systems (Windows XP, Windows 8, Server 2003) and the March 2017 patch (MS17-010) to supported systems.
     Back up your data
     • Make time to back up all critical data to the cloud and/or to an external hard drive.
     • Create an image of your current operating system so that a rebuild does not mean data loss.
     Disable unused ports
     • Assess your exposure across all internet-facing devices. Maintain a current, frequently updated list of active ports.
     • Close all unnecessary ports and adopt the principle of least privilege; in particular, block inbound TCP 139 and 445 from the internet. Disable legacy protocols such as SMBv1.
     Communicate
     • Send internal alerts to educate employees about the WannaCry campaign.
     • Deliver security training sessions on threat mitigation tactics and foster organizational situational awareness.
     • Send external alerts to clients and proactively describe the measures you have taken.
     • Schedule cadence meetings with your managed service providers and third-party vendors to discuss WannaCry and the measures they have taken. Enterprises can ask vendors for proof of change, such as change records and lists of deployed patches.
     • Share this intelligence and collaborate with external stakeholders to manage any potential risk.
     Threat intelligence
     • Review your threat intelligence program (if there is none, refer to Info-Tech for guidance on setting one up) and make sure its output is consumed and actioned. Timely intelligence gives you a crucial head start on threat actors.
     Endpoint protection
     • Install EPP vendor updates. Ensure endpoint protection incorporates the most recent indicators of compromise and signature lists.
     • Adopt machine learning and heuristic-based analysis to monitor threats in real time.
     Leverage IOCs
     • Block all connections to Tor nodes.
     • Block the relevant indicators of compromise; the appendix references the US-CERT list.
     Incident response
     • Formalize incident response procedures. Create detailed runbooks covering all mitigation and operational steps to take when an endpoint is infected. Distribute the runbooks and collaborate internally so that every security team member knows the required steps.
  5. Immediate actions – If you have been infected
     Shut down
     • Shut down and disconnect any infected systems as part of your overall risk mitigation strategy.
     • Isolate the infected host where possible.
     • Do not attempt to clean the system or run AV or malware scans yet; those steps come later.
     • Assess your exposure across all internet-facing devices. Determine why open ports are open. Maintain a current, frequently updated list of active ports.
     • Close all unnecessary ports (disable SMBv1) and adopt the principle of least privilege.
     Don't pay
     • After evaluating all possible outcomes: if you become infected, payment should not be an option.
     Analyze the scope
     • Determine exactly how much of your network has been infected and how many files have been compromised.
     • Identify every connected device that had access to the infected device. Build an inventory of infected devices so that you know what must be restored from backup.
     • For each connected device, check for signs of infection, e.g. scan for encrypted files, spikes in file renames, or other signs of ransomware.
     Communicate
     • Report your experience: organizations that have fallen victim to a ransomware attack are encouraged to work with their local law enforcement office. US-based companies should report the incident to the FBI Internet Crime Complaint Center (IC3).
     • Send internal alerts to educate employees about the WannaCry campaign.
     • If client-facing operations have been affected, work with your legal or field department to inform your customers, and proactively describe the measures you have taken.
     Locate backups and restore data
     • Google Drive, Dropbox, OneDrive: have you shared the data with someone else using a cloud storage service? Even if the synced copy is encrypted, these services usually let you revert files to a previous version.
     • Removable media: did you copy the files to a USB stick, external hard drive, DVD or other removable media? If so, verify the copies by restoring them to a separate, clean computer. Verification is essential with physical media, which can deteriorate.
     • Do not count on Windows Previous Versions: the malware deletes Volume Shadow Copies before encrypting.
  6. A cost-benefit analysis can tell you what to do when it comes to ransomware
     We live in the real world, and most of us work for companies looking to maximize profit. It is practical for them to perform a risk-based cost-benefit analysis to decide whether to pay. Whether to pay should be a business decision based on which option is most cost effective. Consider these variables:
     • What is the potential harm from losing that data or system? Is the data or system critical? What is the potential impact on the information system, the business process, or the organization? Are there adequate backups and a recovery process to minimize operational interruptions?
     • What is the relative cost of paying? Most ransom demands are pitched to seem reasonable so that you pay.
     • What is the probability that your data will actually be decrypted? An extortionist can take the payment and choose not to decrypt.
     • What is the probability that, once you have paid, you will be extorted again? An attacker can leave a backdoor on your systems and use it to compromise you for further ransom, or spread the word that you are willing to pay and attract other cybercriminals.
     These considerations lead to one conclusion: DON'T PAY. In most cases paying the ransom does not make sense. It is the unequivocal recommendation of authorities, vendors, and Info-Tech that you do not pay unless absolutely necessary.
  7. Best practices moving forward
     Patching ≠ Security
     Just because a patch is available does not mean it has been deployed; many organizations run a few patching cycles behind. Inventory your current operating systems and immediately patch vulnerable endpoints. Stay up to date with patching, and make sure other vulnerability management practices (hardening, virtual patching, system isolation) are in place where appropriate.
     Leverage Threat Intelligence
     Take a proactive approach to vulnerability identification. Use third-party and open-source vendor sites and mailing lists to actively search for new indicators of compromise and CVEs. Schedule regular scans and prioritize your patching efforts accordingly.
     Assess Port Security
     Assess the exposure of internet-facing SMB services, whose standard ports are TCP 139 and 445, and review RDP exposure in the same pass. Consider disabling unused legacy protocols such as SMBv1.
     Drive Adoption
     Use this outbreak as leverage not only to create organizational situational awareness around security initiatives, but also to drive adoption of foundational measures such as patch management, threat intelligence, and zero-day mitigation policies, procedures, and solutions.
     Backup Your Data
     Get in the habit of periodically backing up all sensitive data. Whether to cloud-based solutions or external hard drives, sensitive data must be backed up frequently and stored securely. Keep at least one copy offline or otherwise unreachable from the endpoints: WannaCry's target list includes backup and virtual machine image formats (.bak, .backup, .vmdk), so a backup share that an infected host can write to is not a backup.
     Plan For The Worst
     Formalize incident response procedures. Create detailed runbooks covering all mitigation and operational steps to take when an endpoint is infected. Distribute the runbooks and collaborate internally so that every security team member knows the required steps.
     Block Indicators
     Information alone is not actionable. A successful security program contextualizes threat data, aligns intelligence with business objectives, and then builds processes to satisfy those objectives. Actively block indicators and act on gathered intelligence.
  8. Maintain a holistic security program: Prevent, Detect, Analyze, Respond
     WannaCry is a good reminder that security threats are often unknown and unpredictable. The only way to maintain an effective defense is a comprehensive and flexible security program.
     Prevent: Defense in depth is the best approach against unknown and unpredictable attacks. Effective anti-malware, diligent patching and vulnerability management, and strong human-centric security are essential.
     Detect: There are two types of companies: those that have been breached and know it, and those that have been breached and don't know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.
     Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that enriches data and provides visibility into your threat landscape.
     Respond: Organizations can no longer rely on ad hoc response; don't wait for a state of panic. Formalize your response processes in a detailed incident runbook to reduce incident remediation time and effort.
  9. Use this opportunity to conduct a security program evaluation
     Leverage Info-Tech's security blueprints:
     • Integrate Threat Intelligence Into Your Security Operations
     • Humanize The Security Awareness & Training Program
     • Develop and Implement a Security Incident Management Program
     • Design and Implement a Vulnerability Management Program
     • Defend Against Ransomware
     Effective information security management will help you:
     Enhance your organizational security posture
     • Risk reduction
     • Enhanced compliance management
     • Improved organizational situational awareness
     Create and clarify accountability and responsibility
     • Formalized role and process responsibility
     • Enhanced internal and external communication
     Control security costs
     • Incident reduction
     • Streamlined security operations processes
     • Strategy alignment
     Identify opportunities for improvement
     • Defined measurement programs
     • Defined opportunities for continuous improvement
     Improve threat protection
     • Intelligence-driven security operations process
     • Optimized patch management program
     • Improved effectiveness of internal controls
     • Standardized operational use cases
  10. Appendix: Indicators of Compromise
     A list of indicators of compromise issued by US-CERT (as of May 15, 2017) is attached to the deck. Take the time to ingest the indicators and actively block them in all security controls.
  11. Appendix: File types
     There are a number of files and folders WannaCry avoids, some because encrypting them is pointless and others because doing so might destabilize the system. During its scan it checks each path for the following strings and skips the path if any is present:
     • "Content.IE5"
     • "Temporary Internet Files"
     • " This folder protects against ransomware. Modifying it will reduce protection"
     • "Local Settings\Temp"
     • "AppData\Local\Temp"
     • "Program Files (x86)"
     • "Program Files"
     • "WINDOWS"
     • "ProgramData"
     • "Intel"
     • "$"
     The file types it looks for to encrypt are:
     .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
     Note that the list covers backups and virtual machine images (.bak, .backup, .vmdk, .vdi), databases (.mdf, .ldf, .myd, .edb) and private key material (.pem, .p12, .key, .pfx): anything of this kind on a share writable from an endpoint is in scope.
  12. Want to learn more? Join our webinar series at http://cybercast.itpgsecure.com