2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
RANSOMWARE
DAN BROWN
DETECTION ARCHITECT
WHAT WE DO
Continuous Breach Prevention
MANAGED HUNTING
ENDPOINT DETECTION AND RESPONSE
NEXT-GEN ANTIVIRUS
Cloud Delivered
What is Ransomware?
How Bad is it?
What can we do about it?
What will Tomorrow’s Ransomware Look Like?
RANSOMWARE: WHAT IS IT?
TREND
TYPES OF CYBER RANSOM ATTACKS
§ IaaV (Infrastructure-as-a-Victim)
§ Data encrypting
§ Scareware
FILE ENCRYPTING RANSOMWARE
A YEAR IN RANSOMWARE
Top Families
• Locky
• Cerber
Infection Trend
• Large increase in 2016 over 2015
• Currently lower volume than 2016
COMMON ACTIONS
Directory Traversal
• Local directories
• Mapped shares
File Encryption
• Victim files: whitelist (encrypt only listed extensions) vs. blacklist (encrypt everything except listed paths/extensions)
• Encryption: strong vs. weak
• File access methods
Notification of Ransom
• Browser invoked with web page
• Text file created
FILE ENCRYPTION
File-based vs File-less
• Use of known-good tools (PowerShell, cmd.exe, JavaScript)
• NSIS installers
Narrow vs Broad
• Targeted paths
• Victim file type
Crypto Libraries
• Custom libraries: more stealthy
• System libraries: stronger, more reliable
OTHER ACTIONS
Deleting Backups
• Volume Shadow Snapshots
• Accessible online backup deletion
Boot Config Data
• Disabling Windows recovery sequence
• Disabling Windows startup repair
Malicious Behaviors
• Data theft
• Password theft (e.g. RAA / Pony Stealer)
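As an added example (not from the presentation and not CrowdStrike code), the following Python detection tags the command lines ransomware commonly uses for the two "other actions" above, shadow-copy deletion through vssadmin or wmic and boot-configuration changes through bcdedit, and groups the hits by the parent process that issued them. The event records, tag names and parent-aware grouping are assumptions of this example; the commands are the well-known ones, and a real sensor would key on the process relationship the slides describe rather than on command text alone.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry): the child's command
# line plus the image of the parent process that spawned it.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\alice\AppData\Local\Temp\invoice_2017.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"parent": r"C:\Users\alice\AppData\Local\Temp\invoice_2017.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"parent": r"C:\Users\alice\AppData\Local\Temp\invoice_2017.exe",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"parent": r"C:\Program Files\BackupAgent\agent.exe",
     "cmdline": "vssadmin.exe List Shadows"},        # benign: lists, does not delete
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
]

# Patterns for the slide's "Deleting Backups" and "Boot Config Data" actions.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("startup_repair_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


def classify(cmdline: str) -> list:
    """Return the tags whose pattern matches the command line, deduplicated, in rule order."""
    tags = []
    for tag, pattern in RULES:
        if pattern.search(cmdline) and tag not in tags:
            tags.append(tag)
    return tags


def correlate(events) -> dict:
    """Group the tags by the parent process that launched the tampering command."""
    by_parent = defaultdict(set)
    for ev in events:
        for tag in classify(ev["cmdline"]):
            by_parent[ev["parent"]].add(tag)
    return {parent: sorted(tags) for parent, tags in by_parent.items()}


if __name__ == "__main__":
    for parent, tags in correlate(SAMPLE_EVENTS).items():
        print(parent, "->", ", ".join(tags))
```

A backup agent or an administrator also deletes shadow copies from time to time, so on its own the tag is evidence, not a verdict; what makes it an IOA in the sense the deck uses is correlating it with the parent's provenance (a freshly written executable under a user profile, in the constructed sample) and with the file-encryption behaviors covered later.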
RANSOMWARE: HOW BAD IS IT?
RANSOMWARE TRENDS
NOTABLE ATTACKS IN PAST YEAR
§ SFC rail system
§ U.K. National Health Service
§ Indiana county gov
§ Apple ransom demand
  § "Turkish Crime Family"
  § Questionable credibility
  § Threatening to wipe data
  § Ostensible deadline of April 7
VOLUME BREAKDOWN
            1H/2016   2H/2016
Worldwide   Locky     Cerber
U.S.        Locky     Locky*
* Mostly new Locky variants: Zepto, Osiris, etc.
WHO?
Perpetrators
• ~75% developed by Eastern European criminal groups
Targets
• Europe and Asia more targeted
• U.S. relatively less targeted
HOW?
Locky
• Widespread Necurs botnet
• Dominated Locky dissemination in 2016
• Now disseminating "pump & dump" scheme email spam
Cerber (exploit kits and exploit-kit campaigns)
• RIG
• Magnitude
• PseudoDarkleech
• Neutrino
RECENT LULL
NSIS EVASION
§ New NSIS installer based ransomware
§ Scripting and “in memory” techniques
§ Intended to evade AV
§ IOA approach unaffected by obfuscation
RANSOMWARE: WHAT CAN WE DO ABOUT IT?
BACKUPS
§ A secure, robust backup strategy is the single most important factor
§ Ensure that backups are not susceptible to malicious encryption/deletion
  § Avoid using mapped drives, Windows shares, or similar mechanisms for backups
§ Offline and/or rolling backups
§ Backup restoration has its own cost
§ Previous Versions feature in Windows
IF YOU ARE ATTACKED
§ Ransom – to pay or not to pay?
§ Data recovery
  § Volume Shadow Snapshots (Previous Versions feature)
  § www.NoMoreRansom.org/decryption-tools.html
PARALLEL APPROACHES
Prevention

Next-Gen AV (NGAV)               Indicators of Attack (IOA)
• PE file-based                  • Behavioral
• Pre-execution                  • PE files
• PE files (exe, dll, ocx, …)    • Exploitation
• Signatureless                  • Targeted TTP
                                 • Fileless
BENEFITS OF PARALLEL APPROACH
§ Each approach has its own strengths:
  § NGAV: volume of coverage for known and some unknown malware
  § IOA: unknown malware by behavior; prevents malicious use of e.g. PowerShell
§ When only one approach identifies malware:
  § Opportunity to improve IOA coverage of a class of malware
  § Opportunity to train ML on new/unknown samples
§ "Virtuous cycles"
EXPLOIT MITIGATION
§ Heap spray blocking
§ Force DEP enforcement
§ Force ASLR enforcement
§ Coming soon:
  § Null page blocking
  § Structured Exception Handling Overwrite Protection (SEHOP)
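Forced DEP and ASLR enforcement matters most for binaries that never opted in themselves, so here is an added Python check (not code from the presentation or from Falcon) that reads the DllCharacteristics field of a PE optional header and reports which mitigations the image requested at link time. The minimal constructed headers used as input and the function names are assumptions of this example; SEHOP is an operating-system setting rather than a PE flag, so no header field can report it.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits of the PE optional header (winnt.h).
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE    = 0x0040   # image may be relocated: opts in to ASLR
NX_COMPAT       = 0x0100   # image is DEP-compatible: opts in to DEP
NO_SEH          = 0x0400   # image uses no structured exception handlers
GUARD_CF        = 0x4000   # Control Flow Guard


def pe_mitigations(image: bytes) -> dict:
    """Parse just enough of a PE image to read DllCharacteristics and decode the mitigation bits."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                     # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):             # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "cfg": bool(dll_chars & GUARD_CF),
        "no_seh": bool(dll_chars & NO_SEH),
    }


def relies_on_forced_mitigations(image: bytes) -> list:
    """Mitigations the image did not opt in to, i.e. the ones only an enforcing agent gives it."""
    found = pe_mitigations(image)
    return [name for name in ("dep", "aslr") if not found[name]]


def build_header(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections) used as sample input for this example."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))             # e_lfanew -> right after the DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a hardened 64-bit build and a legacy 32-bit build with no opt-ins.
HARDENED = build_header(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA | GUARD_CF, pe32plus=True)
LEGACY = build_header(0x0000)

if __name__ == "__main__":
    for label, image in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(label, pe_mitigations(image), "needs forced:", relies_on_forced_mitigations(image))
```

To run it against a real file, pass `open(path, "rb").read()` to `pe_mitigations`; the document-handling applications and browser plugins named on the next slide are the binaries worth checking first, since an image that reports `needs forced: ['dep', 'aslr']` is protected only as long as the enforcing agent is present.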
EXPLOIT IOA
§ Targeting a class of post-exploit actions in commonly exploited contexts
§ Browsers / plugins
§ Document handling applications
INDICATORS OF ATTACK
                        IOA              IOC
Information             Behaviors        Artifacts
Timeliness              Real time        After-the-fact
Preventability          Almost always    Seldom
Effort req'd to evade   High             Low
Relevance               Indefinite       Typically short
WHAT GOES INTO FALCON IOA
§ High performance, high-efficiency on-sensor correlation
§ Quality of event data
§ Rapid development and deployment
§ High quality cloud data supporting analysis
§ Tools supporting IOA analysis and development
EVENT STREAM PROCESSING (ESP)
§ Category of techniques used to efficiently process streams of data
§ Naïve approach:
  § Centralize all data required for correlation
  § Perform retrospective queries periodically over centralized data
  § Result: bottleneck
§ Slightly less naïve approach:
  § Centralize all data required for correlation
  § Event Stream Processing on centralized data
  § Result: slightly smaller bottleneck
§ Best approach*:
  § Perform correlation efficiently on endpoints when possible
  § Use cloud for correlation where necessary, e.g. prevalence, first-seen, etc.
  § Result: highly efficient behavioral detection and prevention
* For more information, see: https://www.crowdstrike.com/blog/understanding-indicators-attack-ioas-power-event-stream-processing-crowdstrike-falcon/
WHAT MAKES A USEFUL IOA?
§ Identifies behaviors that are uniquely malicious
§ Identifies behaviors that can be blocked
  § Credential theft
  § Backdoors
  § Post-exploit behaviors
  § Web shells
  § Document droppers
  § Process migration / hollowing
  § …
WHAT GOES INTO FALCON IOA
§ Quality of event data
  § Beyond procmon, filenames, command-lines, etc.
  § Code injection
  § Evidence of ROP
  § What process scheduled this task?
  § What process installed this service?
  § What process caused WMI to create a process?
  § What commands were executed from this shell?
  § Among many others …
WHAT GOES INTO FALCON IOA
§ Rapid development and deployment
  § Frictionless delivery of new IOAs from the cloud
  § Rapid, low-friction development and revision cycle
  § Analysis tools that make IOA development broadly accessible to analysts
  § Data, data, data…
DEVELOPING IOAS
§ Research areas:
  § Behavioral machine learning
  § New sources of event data
    § Network
    § Inter-process and intra-system communication
    § Script engines
  § Experimental pattern-matching graph query language
  § Behavioral fingerprinting
EXAMPLE: DROPPERS VS INSTALLERS
§ Question: Is this process an installer or a dropper?
§ IOA:
  1. Process A creates executable E
  2. Process A launches executable E → child process B
  3. Wait for exit of processes A and B
    § If process A exits first → dropper
    § If process B exits first → installer
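The three steps above, implemented in Python as an added example (not the presentation's own code) over a constructed stream of file-write, process-start and process-exit events. Event field names and the sample process IDs are assumptions of this example.

```python
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")


def classify_dropper_installer(events: list) -> dict:
    """Apply the slide's three-step IOA to an ordered event stream.

    Returns {pid_of_A: "dropper" | "installer"} for every process A that wrote an
    executable E and then launched it as child B (steps 1 and 2).  The verdict is
    decided by whichever of A and B exits first (step 3); a pair in which neither
    has exited yet is simply absent from the result.
    """
    written_by = {}   # lower-cased path of E -> pid of the process that wrote it
    launched = {}     # pid of B -> pid of A, where B's image was written by its parent A
    exited = set()
    verdicts = {}
    for ev in events:
        kind = ev["type"]
        if kind == "file_write":
            if ev["path"].lower().endswith(EXECUTABLE_SUFFIXES):
                written_by[ev["path"].lower()] = ev["pid"]                # step 1
        elif kind == "process_start":
            writer = written_by.get(ev["image"].lower())
            if writer is not None and writer == ev["ppid"]:
                launched[ev["pid"]] = ev["ppid"]                         # step 2
        elif kind == "process_exit":                                     # step 3
            pid = ev["pid"]
            exited.add(pid)
            if pid in launched and launched[pid] not in exited:
                verdicts.setdefault(launched[pid], "installer")          # B exited first
            for child, parent in launched.items():
                if parent == pid and child not in exited:
                    verdicts.setdefault(pid, "dropper")                  # A exited first
    return verdicts


# Constructed sample stream (not real telemetry).
SAMPLE_EVENTS = [
    # pid 100 writes payload.exe, launches it as pid 101 and exits while 101 runs -> dropper
    {"type": "file_write", "pid": 100, "path": r"C:\Users\alice\AppData\Local\Temp\payload.exe"},
    {"type": "process_start", "pid": 101, "ppid": 100,
     "image": r"C:\Users\alice\AppData\Local\Temp\payload.exe"},
    {"type": "process_exit", "pid": 100},
    # pid 200 writes helper.exe, launches it as pid 201 and waits for it -> installer
    {"type": "file_write", "pid": 200, "path": r"C:\Users\alice\Downloads\setup_tmp\helper.exe"},
    {"type": "process_start", "pid": 201, "ppid": 200,
     "image": r"C:\Users\alice\Downloads\setup_tmp\helper.exe"},
    {"type": "process_exit", "pid": 201},
    {"type": "process_exit", "pid": 200},
    # pid 300 launches an executable it did not write -> no pairing, no verdict
    {"type": "process_start", "pid": 301, "ppid": 300, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process_exit", "pid": 101},
]

if __name__ == "__main__":
    print(classify_dropper_installer(SAMPLE_EVENTS))
```

The point of the example is the state the sensor has to carry: the link between the process that wrote a file and the process later started from it is exactly the kind of relationship that plain process/child trees do not record, which is why the deck keeps returning to "what process caused X" as the quality-of-event-data question.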
RANSOMWARE IOA
§ What behavior is universal and unique to file-encrypting ransomware?
§ More than one behavior = IOA correlation
§ Filesystem scanning
§ Patterns of file access
§ File modification / Encryption
§ Ransomware note dropping
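An added Python example (not CrowdStrike's implementation) that ties this slide to the event stream processing discussion above: it keeps per-process state on the endpoint and correlates the four behaviors listed here over a constructed file-system event stream, alerting on the event that crosses the bar rather than after a retrospective query. Thresholds, behavior names, the ransom-note name heuristic and the sample events are assumptions of this example; a backup tool in the same stream shows why any single behavior is not enough.

```python
import math
from collections import defaultdict

# Thresholds and note-name hints are assumptions for this example, not values from the talk.
ENTROPY_THRESHOLD = 7.0     # bits per byte; documents and images with headers sit well below
MIN_SCANNED_DIRS = 3
MIN_OVERWRITTEN_FILES = 3
MIN_ENCRYPTED_WRITES = 3
MIN_NOTE_DIRS = 2
BEHAVIORS_TO_ALERT = 3      # the slide's "more than one behavior = IOA correlation"
NOTE_NAME_HINTS = ("readme", "decrypt", "how_to", "recover", "restore")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means all 256 byte values are equally frequent (ciphertext-like)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class ProcessState:
    """Evidence for one process, held on the endpoint so correlation needs no central store."""
    def __init__(self):
        self.scanned_dirs = set()
        self.read_files = set()
        self.overwritten = set()    # files read and then written back by the same process
        self.encrypted_writes = 0   # writes whose content looks like ciphertext
        self.note_dirs = set()      # directories that received a ransom-note-like file

    def behaviors(self) -> tuple:
        found = []
        if len(self.scanned_dirs) >= MIN_SCANNED_DIRS:
            found.append("filesystem_scan")
        if len(self.overwritten) >= MIN_OVERWRITTEN_FILES:
            found.append("file_access_pattern")
        if self.encrypted_writes >= MIN_ENCRYPTED_WRITES:
            found.append("file_encryption")
        if len(self.note_dirs) >= MIN_NOTE_DIRS:
            found.append("note_drop")
        return tuple(found)


class RansomwareIOA:
    def __init__(self):
        self.state = defaultdict(ProcessState)
        self.alerted = set()

    def process(self, index: int, ev: dict):
        """Fold one event into per-process state; return an alert on the event that crosses the bar."""
        st = self.state[ev["pid"]]
        path = ev["path"].lower()
        directory, _, name = path.rpartition("\\")
        if ev["type"] == "dir_enum":
            st.scanned_dirs.add(path)
        elif ev["type"] == "read":
            st.read_files.add(path)
        elif ev["type"] == "write":
            if path in st.read_files:
                st.overwritten.add(path)
            if shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD:
                st.encrypted_writes += 1
        elif ev["type"] == "create" and any(h in name for h in NOTE_NAME_HINTS):
            st.note_dirs.add(directory)
        found = st.behaviors()
        if len(found) >= BEHAVIORS_TO_ALERT and ev["pid"] not in self.alerted:
            self.alerted.add(ev["pid"])
            return (ev["pid"], index, found)
        return None

    def run(self, events: list) -> list:
        alerts = []
        for i, ev in enumerate(events):
            alert = self.process(i, ev)
            if alert:
                alerts.append(alert)
        return alerts


# Constructed sample stream: pid 5000 behaves like file-encrypting ransomware, pid 7000 like a
# backup/archiving tool that also scans directories and writes high-entropy (compressed) data.
CIPHERTEXT = bytes(range(256))   # stands in for an encrypted file body (entropy 8.0)
PLAINTEXT = b"Quarterly report: revenue up 4% quarter over quarter. " * 4
DOCS, PICS, DESK = r"C:\Users\alice\Documents", r"C:\Users\alice\Pictures", r"C:\Users\alice\Desktop"
SAMPLE_EVENTS = [
    {"pid": 5000, "type": "dir_enum", "path": DOCS},                                    # 0
    {"pid": 5000, "type": "dir_enum", "path": PICS},                                    # 1
    {"pid": 5000, "type": "dir_enum", "path": DESK},                                    # 2
    {"pid": 5000, "type": "read",  "path": DOCS + r"\budget.xlsx"},                     # 3
    {"pid": 5000, "type": "write", "path": DOCS + r"\budget.xlsx", "data": CIPHERTEXT},    # 4
    {"pid": 5000, "type": "read",  "path": DOCS + r"\contract.docx"},                   # 5
    {"pid": 5000, "type": "write", "path": DOCS + r"\contract.docx", "data": CIPHERTEXT},  # 6
    {"pid": 7000, "type": "dir_enum", "path": DOCS},                                    # 7
    {"pid": 7000, "type": "read",  "path": DOCS + r"\budget.xlsx"},                     # 8
    {"pid": 7000, "type": "write", "path": r"C:\Backups\docs.zip", "data": CIPHERTEXT},    # 9
    {"pid": 5000, "type": "create", "path": DOCS + r"\README_DECRYPT.txt"},             # 10
    {"pid": 5000, "type": "read",  "path": PICS + r"\family.jpg"},                      # 11
    {"pid": 5000, "type": "write", "path": PICS + r"\family.jpg", "data": CIPHERTEXT},     # 12
    {"pid": 5000, "type": "create", "path": PICS + r"\README_DECRYPT.txt"},             # 13
    {"pid": 7000, "type": "dir_enum", "path": PICS},                                    # 14
    {"pid": 7000, "type": "dir_enum", "path": DESK},                                    # 15
    {"pid": 7000, "type": "write", "path": DOCS + r"\notes.txt", "data": PLAINTEXT},    # 16
]

if __name__ == "__main__":
    for pid, at, found in RansomwareIOA().run(SAMPLE_EVENTS):
        print("pid %d: alert at event %d on %s" % (pid, at, ", ".join(found)))
```

Run on the sample, the ransomware process trips three of the four behaviors at event 12, after three victim files and before the note has reached a second directory, so a blocking sensor would act before the bulk of the user's data is touched; the archiver ends the stream with only `filesystem_scan`, which is the reason the slide insists on more than one behavior.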
FALCON CLOUD DATA
§ Falcon provides cloud data to CrowdStrike analysts and customers
§ Indexed data (Endpoint Activity Monitor)
  § Fast query results
  § Large, rich event data set
§ Graph database (ThreatGraph™)
  § Links related data
  § Substantial speed improvement compared to "join" style queries
  § Contains "linking" events that represent relationships beyond just process/child
RANSOMWARE: WHAT WILL TOMORROW'S RANSOMWARE LOOK LIKE?
RANSOMWARE’S FUTURE
§ Larger targets = larger payoff
§ One-time attacks
§ Infrastructure-as-a-Victim
  § SCADA / ICS / DCS
  § Public transportation
  § Connected cars
  § IoT
§ File encrypting ransomware
  § Unlikely to go away any time soon
  § Possibility of increases on other platforms such as Mac, Linux
Questions? Please submit all questions in the Q&A chat right below the presentation slides
Contact Us
Additional Information
Join Weekly Demos: crowdstrike.com/productdemos
Upcoming CrowdCast Topics
• Mac Prevention – April 12th
• Proactive Hunting – April 26th
Website: crowdstrike.com
Email: [email protected]
Phone: 1.888.512.8902 (US)