BeyondTrust Webinar
© Copyright 2017, National Security Corporation, all rights reserved
Why Federal Systems are Immune
from Ransomware
(and other grim fairy tales)
G. Mark Hardy (@g_mark), National Security Corporation
+1 410.933.9333
Why a Grim(m) Fairy Tale?
• The original book included Hansel & Gretel, Little Red Riding Hood, Snow White, Rapunzel
• Delightful children's stories
• Except in the original, the prince knocks up Rapunzel, Little Red Riding Hood is eaten by the wolf, Snow White's stepmother chokes to death in rage, and Gretel murders an old woman by shoving her into a flaming oven
Pay my ransom and I'll give you
back your files. (ribbit)
So What's Our Latest Fairy Tale?
• "After her keynote, [Acting U.S. CIO Margie] Graves told reporters she had a 'swell of emotion' knowing the federal government, at least so far, was able to escape the havoc of WannaCry." – Billy Mitchell, fedscoop, 18 May 2017
Ref: https://www.fedscoop.com/acting-u-s-cio-touts-2015-cyber-sprint-agencies-go-unaffected-wannacry/
Not Looking Too Good for U.S. Government …
• Ranked 16 of 18 industries
– (up from 18 of 18)
Ref: http://info.securityscorecard.com/2017-us-government-cybersecurity-report
We May Be Our Own Worst Enemy
• "Government agencies tend to struggle with basic security hygiene issues, like password reuse on administrative accounts"
Ref: https://www.wired.com/story/us-government-cybersecurity/
What is ransomware?
• An interesting twist on a business model:
– Your customers (victims) contact
– You (the criminal), offering
– Money (usually Bitcoin) for
– Something you create (the decryption key)
– That only the customer can use (they hope)
• Is "Hope" a viable strategy for Federal Systems security?
Image source: https://larryfire.files.wordpress.com/2008/10/hopeless_poster.jpg fair use claimed
The Inbox is an Infection Vector
• "Malicious emails were the weapon of choice"
– One in 131 e-mails contained malware (should we call it "mailware™"?)
• 64% of U.S. victims were willing to pay the ransom
– Compared to 34% globally
• Average ransom demand was over $1,000 per victim
– An increase of 266% over the prior year
Ref: Symantec's 2017 Internet Security Threat Report (ISTR)
Nearly 2/3 of Malware Payloads are Ransomware
Ref: https://www.malwarebytes.com/pdf/labs/Cybercrime-Tactics-and-Techniques-Q1-2017.pdf
Damage Assessment
• Ransomware damages projected to exceed $5 billion in 2017
– Up from $325 million in 2015
• 44% of alerts are NOT investigated
– 54% of legitimate alerts are NOT remediated
• Attackers often operate outside U.S. law enforcement jurisdiction
– No extradition treaty with Russia
• Ransom payments keep getting much more expensive
Ref: https://cybersecurityventures.com/ransomware-damage-report-2017-5-billion/; Cisco 2017 Annual Cybersecurity Report
Got Bitcoin?
16 July: $1,826.20
17 Aug: $4,492.30
About 2.46x (a 146% increase) in one month
https://cryptowat.ch/bitfinex/btcusd
Whose Bright Idea Was This???
• "Public-key cryptography is essential to the attacks that we demonstrate"
• "We present … a twist on cryptography, showing that it can also be used offensively."
• "Access to cryptographic tools should be well controlled."
– Young & Yung, "Cryptovirology: Extortion-Based Security Threats and Countermeasures", SEPTEMBER 1996 (!)
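The scheme those three sentences describe, as an added illustration (this is not code from the webinar or from the 1996 paper): the malware carries only the attacker's public key, generates a fresh symmetric key on each victim, encrypts the files with it, and wraps that key so only the attacker's private half can recover it. The RSA and stream-cipher routines are deliberately minimal teaching versions written here because no third-party crypto library is assumed; the file names and contents are constructed.

```python
"""Toy model of cryptoviral extortion.  Added illustration, not code from
the webinar.  RSA and the stream cipher are minimal teaching versions
(assumption: no third-party crypto library); never use them for real."""
import hashlib
import os
import random


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test, used only for toy key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def attacker_keygen(bits=512):
    """Attacker generates (public, private) once, offline.  Only the public
    half (e, n) is ever shipped inside the malware."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def _stream_xor(key, data):
    """Toy stream cipher: SHA-256(key || block counter) XORed into the data.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def infect(files, attacker_pub):
    """Victim side (what the malware does): fresh per-victim key, encrypt
    the files, wrap the key under the attacker's public key, forget it.
    Only the wrapped key (printed in the ransom note) leaves the machine."""
    e, n = attacker_pub
    victim_key = os.urandom(32)          # 256 bits, always smaller than n
    encrypted = {name: _stream_xor(victim_key, data) for name, data in files.items()}
    wrapped = pow(int.from_bytes(victim_key, "big"), e, n)
    del victim_key                       # plaintext key never persists on disk
    return encrypted, wrapped


def unwrap_for_customer(wrapped, attacker_priv):
    """Attacker side, after payment: the private key recovers this victim's key."""
    d, n = attacker_priv
    return pow(wrapped, d, n).to_bytes(32, "big")


def recover(encrypted, victim_key):
    return {name: _stream_xor(victim_key, data) for name, data in encrypted.items()}


def demo():
    """End-to-end run on constructed files; True if the data is unreadable
    after infection and readable again once the key is unwrapped."""
    pub, priv = attacker_keygen()
    files = {"budget.xlsx": b"FY17 obligations: 1,234,567", "memo.docx": b"Do not pay."}
    encrypted, wrapped = infect(files, pub)
    locked = all(encrypted[k] != files[k] for k in files)
    restored = recover(encrypted, unwrap_for_customer(wrapped, priv))
    return locked and restored == files


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The point the paper made is visible in `infect()`: nothing on the victim after detonation, not memory dumps, not disk forensics, not the ransom note, contains anything but the wrapped key, so the only decryption path runs through the attacker's private key. Real families use authenticated AES for the bulk data and 2048-bit or larger RSA for the wrapping, but the structure is the same.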
Thanks, Guys!
• Ransomware is an attack on the Availability leg of the C-I-A triad
• Our backup systems are engineered for HAZARD (power surge, disk failure)
– Must rethink the strategy for MALICE, not merely hazard: an adversary who enumerates and encrypts (or deletes) the backups too
• Malice can't be engineered away as easily
• This is a different threat model from the one our backups were built for
– We need to rethink our responses
Plenty of Weapons for Attackers to Choose From
Toolbox Keeps Getting Bigger
Ref: https://heimdalsecurity.com/blog/wp-content/uploads/ransomware-discoveries-CERT-RO-2.png
Credit for cartoon to Phil Johnson -- Fair use claimed under 17 U.S.C. 107
Why Have Federal Systems Largely Escaped Ransomware?
• Security defenses superior to industry?
• Really good backups available 24x7?
• Fully redundant systems throughout?
• Less valuable things to ransom?
• Crooks don't want to tangle with Uncle Sam?
• Luck?
– (I don't think we can really know quite yet)
Major Types of Ransomware
• Client-side (desktop/laptop/tablet/phone)
• Server-side (datacenter/cloud)
• Hybrid (client-side plus file shares)
• Each seeks to directly monetize an availability attack.
Client-side Ransomware
• Carpet bombing of weaponized documents in phishing emails
• Exploit kits targeting Flash in the browser
• Locks up the "patient zero" machine
– And whatever it can reach on the network (mapped drives, writable shares)
• Goal is to contain the patient-zero infection
• Internal segmentation is critical:
– A laptop catching fire shouldn't become a LAN-level conflagration
Server-Side Ransomware (1/2)
• Target Internet-exposed resources
• Pivot internally; enumerate servers, backup infrastructure, etc.
• Create keys for each target
• Install ransomware
• Import keys to script
• Detonate
Ref: https://www.theregister.co.uk/2017/01/09/mongodb/
Server-side Ransomware (2/2)
• Manual hacking; can take days or weeks from initial perimeter scan to detonation
• Opportunities for detection similar to the traditional kill chain (minus the exfiltration phase, though some crews exfiltrate as well)
• Interrupt at any point before detonation and you keep your datacenter
What About Reporting?
• United States Department of Health and Human Services (HHS) guidance (2016)
– Ransomware encryption of protected health information (PHI) is presumed to be a reportable breach unless the entity can show a low probability that the data was compromised
• Will increased reporting requirements increase efforts to avoid ransomware?
– Or will agencies accept the new risk of NOT reporting compromises?
Why Does Ransomware Work?
• Users are gullible
• Endpoint configurations are not correct
• Network configurations are not correct
• Access control is not correct
• A lot of things have to go wrong for
ransomware to work right
Let's Map Ransomware to Federal Controls and Guidelines
Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
• Section 1. (b) Findings
– "The executive branch has for too long accepted antiquated and difficult–to-defend IT."
• (c) Risk Management
– "Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency's cybersecurity risk."
Ref: https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal
FY 2017 CIO FISMA Metrics
• Some Cross Agency Priority (CAP) goals
• Identify – 1.2, 1.4, 1.5 IT assets under automated inventory (95%)
• Protect – 2.5 Privileged network accounts (100%)
• Detect – 3.11 Privileged network accounts with access limits (90%)
– 3.16 Automatically detect and alert on unauthorized hardware assets (95%)
– 3.17 Automatically detect and alert on unauthorized software (95%)
• Respond – (no CAP goals)
• Recover – (no CAP goals)
Ref: https://www.dhs.gov/sites/default/files/publications/FY%202017%20CIO%20FISMA%20Metrics-%20508%20Compliant.pdf
FISMA FY2016 Report by Agency (percent that met target)
• Hardware asset management - 36%
• Software asset management - 39%
• Privileged user PIV implemented - 45%
• Malware defenses - 73%
• 30,899 reported incidents
– The word "ransomware" is never mentioned in the annual report (maybe it's under "other"?)
Ref: https://www.whitehouse.gov/sites/whitehouse.gov/files/briefing-room/presidential-actions/related-omb-material/fy_2016_fisma_report%20to_congress_official_release_march_10_2017.pdf
NIST SP 800-53 rev 5 draft: control families
1. Access control
2. Awareness and training
3. Audit and accountability
4. Assessment, authorization, and monitoring
5. Configuration management
6. Contingency planning
7. Identification and authentication
8. Individual participation
9. Incident response
10. Maintenance
11. Media protection
12. Privacy authorization
13. Physical and environmental protection
14. Planning
15. Program management
16. Personnel security
17. Risk assessment
18. System and services acquisition
19. System and communications protection
20. System and information integrity
Ref: Security and Privacy Controls for Information Systems and Organizations
What Happens When you DO Get Ransomware?
MedStar Health (2016)
• $10B healthcare group in the DC area
• About one week to get 90% of systems back; full recovery took roughly five weeks
• Likely server-side ransomware
• Is paying the ransom against your principles?
Forget Principles!
• What costs more? Your principles or the ransom?
• WRONG QUESTION.
• What costs more? The ransom or the cost of operational downtime?
– Why would you argue about $1K if the argument were costing you $100K / hour?
To The Rescue! (sort of)
• ID Ransomware by MalwareHunterTeam
• Upload the ransom note or an encrypted file
– They will attempt to match it against 470 known ransomware variants
• You don't get your files back, but you know what zapped you.
– Feel better?
Ref: https://id-ransomware.malwarehunterteam.com/
To The Rescue! (more so)
• No More Ransom project
– Created by the Dutch National Police, Europol, Intel Security and Kaspersky Lab
• Crypto Sheriff by No More Ransom
– Upload an encrypted file and the ransom note; it identifies the variant and points you to a free decryptor if one exists
– Get lucky, get your files back for free
• But luck is not a strategy. :(
Ref: https://www.nomoreransom.org/crypto-sheriff.php
Ransomware Trends
(Kaspersky Lab Report)
• Attackers shifting to targeted attacks
– Today, financial institutions (they can pay more money)
– Tomorrow, the government? (they can print more money)
• Over 2.5M ransomware victims in the past year
– (up 11.4% from 2015-2016)
• 1.2M victims had files encrypted
– (45% of ransomware incidents)
Ref: https://securelist.com/ksn-report-ransomware-in-2016-2017/78824/
Latest Ransomware is Much More
Dangerous
• (Not)Petya
– Steals credentials from memory and re-uses them to infect other machines (alongside the SMBv1 exploits it also carried)
– Moves laterally with compromised credentials
– If a domain admin account is compromised, it is "pretty much game over"
• Are you using the same password on multiple machines?
– Are any (or all) at the administrator level?
Ref: Alain Mowat, A pentester's take on (Not)Petya, https://blog.scrt.ch/2017/06/30/a-pentesters-take-on-notpetya/
Prevention Strategies
May Have Windows 10 Coming to a Desktop Near You
• DoD goal was a Windows 10 upgrade on 4 million devices by January 2017
• Interoperability concerns holding us back
– "It's kind of like trying to put airbags on a '65 Mustang — it just wasn't designed for security, wasn't designed for safety." (Former Federal CIO Tony Scott)
• We may never quite catch up with "native" security in our OS
– Need something else to keep us secure
Ref: https://federalnewsradio.com/defense/2016/09/dod-close-no-cigar-windows-10-migration/
https://www.federaltimes.com/2015/06/15/feds-on-30-day-sprint-to-better-cybersecurity/
Technical Solutions
• Most ransomware relies on DNS to reach its command-and-control or key-exchange server
– Uses dodgy gTLDs that can be registered for little or no money ("throw-away domains")
• http://www.iana.org/domains/root/db
Say Yes to the DNS (Filtering)
• Over 1,500 DNS top-level domains
– ccTLDs for country codes
– gTLDs for 'generic' domains
– Some TLDs are 80-90% garbage sites
• Do your servers (or employees) need to go to .hair domains? .top? .bid?
– The Foghorn project is a DNS proxy that reduces risk through greylisting
Ref: https://github.com/hasameli/foghorn
Block Communications (ransomwaretracker.abuse.ch)
• Blocklists of domains, IPs and URLs tied to known ransomware C2 and payment sites, for use at the resolver, proxy or firewall
Ref: https://ransomwaretracker.abuse.ch/blocklist
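The two slides above (TLD greylisting and blocklisting) are one resolver policy in practice, so here is a single added example, not Foghorn's or abuse.ch's code: a blocklisted name is refused even on an allowed TLD, a greylisted TLD is refused unless the exact host was pre-approved, and everything is logged. The allowed-TLD set, the pre-approved host, the resolver log layout, the blocklist entries and every domain below are constructed for illustration (the one-domain-per-line, `#`-comment layout is assumed for the blocklist file).

```python
"""DNS egress policy: TLD greylisting plus a domain blocklist.
Added example, not Foghorn's or abuse.ch's code.  Policy sets, log
format and all domains are constructed for illustration."""
from collections import Counter

# Assumed agency policy: resolve these TLDs freely ...
ALLOWED_TLDS = {"gov", "mil", "edu", "com", "org", "net", "us", "int"}
# ... and let explicitly approved hosts through even on greylisted TLDs.
ALLOWED_DOMAINS = {"partner-portal.example.top"}

# Constructed blocklist (not real indicators), assumed file layout.
BLOCKLIST_TEXT = """\
# ransomware domain blocklist (constructed sample)
# one domain per line
kdc-payload.test
update-flash.bid
"""

# Constructed resolver log: timestamp client qtype qname
QUERY_LOG = """\
2017-08-17T10:01:02Z 10.0.5.23 A www.dhs.gov
2017-08-17T10:01:05Z 10.0.5.23 A cdn.kdc-payload.test
2017-08-17T10:01:07Z 10.0.5.41 A invoice-view.hair
2017-08-17T10:01:09Z 10.0.5.41 A partner-portal.example.top
2017-08-17T10:01:11Z 10.0.5.77 A update-flash.bid
2017-08-17T10:01:12Z 10.0.5.77 A mail.agency.example.com
"""


def parse_blocklist(text):
    """Set of blocked domains; comments and blank lines ignored."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def tld_of(qname):
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def _suffixes(qname):
    """a.b.c -> ['a.b.c', 'b.c', 'c'] so a blocklisted parent catches subdomains."""
    labels = qname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def classify(qname, blocklist, allowed_tlds=ALLOWED_TLDS, allowed_domains=ALLOWED_DOMAINS):
    """Order matters: blocklist first, then explicit host allow, then TLD policy.
    'grey' means answer REFUSED/NXDOMAIN and log the name for review."""
    if any(s in blocklist for s in _suffixes(qname)):
        return "block"
    if qname.rstrip(".").lower() in allowed_domains or tld_of(qname) in allowed_tlds:
        return "allow"
    return "grey"


def process_log(log_text, blocklist):
    """Return [(client, qname, decision)] plus a per-decision count."""
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qtype, qname = line.split()
        decisions.append((client, qname, classify(qname, blocklist)))
    return decisions, Counter(d for _, _, d in decisions)


if __name__ == "__main__":
    rows, summary = process_log(QUERY_LOG, parse_blocklist(BLOCKLIST_TEXT))
    for client, qname, decision in rows:
        print(f"{decision:5} {client:12} {qname}")
    print(dict(summary))
```

The greylist is the interesting part operationally: a client that suddenly asks for a .hair or .bid name it has never needed before is exactly the signal the slide is pointing at, and refusing the answer both breaks the malware's key exchange and gives the SOC a host to look at.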
Email Defenses
• Filter before or at the email server:
– Attachment types (.js files get clicked on)
– Inspect/strip content (e.g. Office macros that launch PowerShell)
– Rewrite links
– Block spoofed emails (Reply-To != From)
• (This can hurt scan-to-email on copiers; allowlist them)
– Use virtualized apps, viewers, etc. to open whatever gets through
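Three of those filters as gateway logic, added here as an example (not code from the webinar): an attachment-type block, a content check that looks for a VBA project inside Office files regardless of what the file is called, and a Reply-To/From domain mismatch check. The extension list is an assumed policy and the phishing-style message is constructed inline.

```python
"""Mail-gateway checks: risky attachment types, macro detection by
content, Reply-To/From mismatch.  Added example, not the webinar's code.
The extension policy is assumed; the message below is constructed."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed policy: script/executable types that users click on.
BLOCKED_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".scr",
               ".exe", ".ps1", ".bat", ".cmd", ".lnk"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container


def has_vba_project(blob):
    """OOXML (.docx/.docm/.xlsm ...) is a zip; a vbaProject.bin part means
    macros are present, whatever the extension says."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def reply_to_mismatch(msg):
    """True when Reply-To points at a different domain than From.  Slide
    caveat: scan-to-email copiers often trip this, so allowlist them."""
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    return bool(reply) and reply != sender


def inspect_message(raw):
    """Run the checks over a raw RFC 5322 message; returns findings + action."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"blocked_attachments": [], "macro_documents": [],
                "legacy_ole": [], "reply_to_mismatch": reply_to_mismatch(msg)}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        blob = part.get_payload(decode=True) or b""
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in BLOCKED_EXT:
            findings["blocked_attachments"].append(name)
        elif has_vba_project(blob):
            findings["macro_documents"].append(name)
        elif blob.startswith(OLE_MAGIC):
            findings["legacy_ole"].append(name)   # hand to an OLE macro scanner
    risky = (findings["blocked_attachments"] or findings["macro_documents"]
             or findings["legacy_ole"] or findings["reply_to_mismatch"])
    findings["action"] = "quarantine" if risky else "deliver"
    return findings


def build_sample_message():
    """Constructed phishing-style message: mismatched Reply-To, a .js
    attachment, and a 'docx' that actually carries a VBA project."""
    msg = EmailMessage()
    msg["From"] = "billing@vendor.example"
    msg["Reply-To"] = "billing@vendor-example.test"
    msg["To"] = "user@agency.example"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please review the attached invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00toy-macro")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.docx")
    msg.add_attachment(b"new ActiveXObject('WScript.Shell').Run('powershell');",
                       maintype="application", subtype="javascript",
                       filename="invoice.js")
    return msg.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_sample_message()))
```

The content check is what matters: the sample's macro document is named `.docx`, so an extension-only rule would deliver it. Legacy OLE files are only flagged here because parsing their macro streams needs a dedicated scanner.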
Start To Add Controls
• Segment your network
• Block ports like 445 (SMB) at your perimeter
• Use a unique (ideally one-time, vaulted) password for every admin account
• Lower privilege on each user to the bare minimum
• Strip macros at the mail server
• Disable macros on your endpoints
– Only very specific users may use them
• Retire Windows XP and Server 2003 ASAP
Ref: ibid.
More Controls
• Monitor devices after network access, not only at admission
– MAC spoofing can make an attacker look like a printer when connecting
• Upgrade every PowerShell instance to 5.0
– Default on Server 2016 and Windows 10
– Better credential handling, script block logging and transcription, rights
• If you have to support old protocols (SMBv1, SNMP v1, NTLM)
– Put them on separate network segments
– Isolate from the rest of the enterprise
Ref: https://docs.microsoft.com/en-us/powershell/scripting/whats-new/what-s-new-in-windows-powershell-50?view=powershell-5.1
Even More Controls
• Block untrusted applications
– Whitelisting helps against new malware
– Does not help with a macro calling PowerShell (an allowed, signed binary)
• Apply patches as soon as possible
– Patch Tuesday is always followed by Exploit Wednesday
– Block application execution if patches are not current
• Default deny for any ruleset
– Evaluate the explicit allow rules first, then deny everything else
Seven CSC Tips for Reducing the Federal Attack Surface
• Inventory all devices on your network (CSC 1)
• Inventory all software on your systems (CSC 2)
• Control the use of admin privileges (CSC 5)
• Employ malware defenses (CSC 8)
• Limit network ports, protocols, services (CSC 9)
• Regularly back up your critical info (CSC 10)
• Train and inoculate your users regularly (CSC 17)
Ref: http://www.cisecurity.org/critical-controls.cfm
Future of Ransomware
• Buckle up!
– Estimated $5 billion in damages in 2017
• For every dollar spent on ransom…
– Countless more spent on response/remediation
– Often poorly thought out and implemented
• Targets:
– VDI desktops
– Cloud sync apps (Box Sync for desktop)
– Mobile (already happening via iCloud)
– NoSQL/Redis/etc. exposed on the perimeter
Summary
• Ransomware is becoming a billion-dollar business
• Offers a significant amount of revenue at low cost to the attacker
• Biggest danger in government is older systems without adequate backups
• Danger is that many are willing to pay as the path of least resistance (which keeps the threat persistent)
• Must use additional tools to secure government enterprises
References
https://www.fedscoop.com/acting-u-s-cio-touts-2015-cyber-sprint-agencies-go-unaffected-wannacry/
http://info.securityscorecard.com/2017-us-government-cybersecurity-report
https://www.wired.com/story/us-government-cybersecurity/
https://www.symantec.com/security-center/threat-report, Symantec's 2017 Internet Security Threat Report (ISTR)
https://www.malwarebytes.com/pdf/labs/Cybercrime-Tactics-and-Techniques-Q1-2017.pdf
https://cybersecurityventures.com/ransomware-damage-report-2017-5-billion/
http://b2me.cisco.com/en-us-annual-cybersecurity-report-2017, Cisco 2017 Annual Cybersecurity Report
https://cryptowat.ch/bitfinex/btcusd
https://www.researchgate.net/publication/2301959_Cryptovirology_Extortion-Based_Security_Threats_and_Countermeasures
https://heimdalsecurity.com/blog/wp-content/uploads/ransomware-discoveries-CERT-RO-2.png
https://www.theregister.co.uk/2017/01/09/mongodb/
https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal
https://www.dhs.gov/sites/default/files/publications/FY%202017%20CIO%20FISMA%20Metrics-%20508%20Compliant.pdf
https://www.whitehouse.gov/sites/whitehouse.gov/files/briefing-room/presidential-actions/related-omb-material/fy_2016_fisma_report%20to_congress_official_release_march_10_2017.pdf
http://csrc.nist.gov/publications/drafts/800-53/sp800-53r5-draft.pdf, Security and Privacy Controls for Information Systems and Organizations
https://tomgraves.house.gov/uploadedfiles/discussion_draft_active_cyber_defense_certainty_act_2.0_rep._tom_graves_ga-14.pdf
https://id-ransomware.malwarehunterteam.com/
https://www.nomoreransom.org/crypto-sheriff.php
https://securelist.com/ksn-report-ransomware-in-2016-2017/78824/
https://blog.scrt.ch/2017/06/30/a-pentesters-take-on-notpetya/, Alain Mowat, A pentester's take on (Not)Petya
https://federalnewsradio.com/defense/2016/09/dod-close-no-cigar-windows-10-migration/
https://www.federaltimes.com/2015/06/15/feds-on-30-day-sprint-to-better-cybersecurity/
https://github.com/hasameli/foghorn
https://ransomwaretracker.abuse.ch/blocklist
https://docs.microsoft.com/en-us/powershell/scripting/whats-new/what-s-new-in-windows-powershell-50?view=powershell-5.1
http://www.cisecurity.org/critical-controls.cfm
Retina Enterprise Vulnerability Management
Alex DaCosta, Product Manager, Retina

BeyondTrust portfolio (vendor slide):
• Retina: vulnerability management (enterprise vulnerability management, BeyondSaaS cloud-based scanning, network security scanner, web security scanner)
• PowerBroker: privileged account management (privilege management, Active Directory bridging, privileged password management, auditing & protection)
• BeyondInsight Clarity: threat analytics
• BeyondInsight IT risk management platform: extensive reporting, central data warehouse, asset discovery, asset profiling, asset smart groups, user management, workflow & notification, third-party integration

Demo
Poll + Q&A
Thank you for attending today's webinar!