Successfully reported this slideshow.
Your SlideShare is downloading. ×

Fears and fulfillment with IT security

Loading in …3

Check these out next

1 of 33 Ad

More Related Content

Slideshows for you (20)

Similar to Fears and fulfillment with IT security (20)


More from David Strom (20)

Recently uploaded (20)


Fears and fulfillment with IT security

  1. 1. Fears and Fulfillment with Today’s IT security David Strom, MnCCC annual security conference Oct 2019
  2. 2. Agenda • Current state of IT security • Typical multi-stage cyber infection chain: • Phishing probe • Ransomware and data theft • Lateral movement with fileless malware • Recommendations for improving your security posture
  4. 4. A sample of breach detection delays • Yahoo (3B accounts, 2013): many years to detect and notify • Marriott (383M guests, 2014-18): 4 years to detect, 2 mo. to notify • Advent Health (42k customers, 2017-18): 16 months to detect, 18 months to notify • Uber (57M customers, 2016): 1 year to detect and notify • eBay (145M users, 2014): 7 months to detect and notify • Heartland Payments (134M accounts, 2008): 9 months to detect
  5. 5. Let’s look at the telltale signs of a typical phishing attack
  6. 6. Phishing awareness education especially needed for these situations • Business working with a foreign supplier. • Business receiving or initiating a wire transfer request. • Business contacts receiving fraudulent correspondence. • Executive and attorney impersonations. • Confidential data theft.
  7. 7. Phishing prevention suggestions Examine the tone and phrasing of the email Have shared authority on money transfers Understand the underlying social engineering ploy Don’t get sucked in with a phony sense of urgency Trust but verify -- phone calls can be spoofed
  8. 8. Spread and prevention of ransomware
  9. 9. Don’t become Georgia! • City of Atlanta • State Department of Public Safety • State and local court systems • City hospitals • County governments • Small city police departments
  10. 10. Behind the Texas local government August attacks
  11. 11. The wrong things to focus on Did the victim pay up? What did it cost to restore data? What data was deleted or lost? How long were things out of commission?
  12. 12. Six bad IT decisions exposed by ransomware Sloppy infosec makes it hard to find root cause Inconsistent IT infrastructure ownership Delay patching and updates Poor disaster and backup procedures Lousy staff comms and poor disruption planning Mismatch asset value and protection policies
  13. 13. Three general types of attacks: •Return-object programming •Scripting-based •Polymorphic
  14. 14. Sample fileless malware campaigns • Target 2014 breach (flat network) • DNC 2016 hack (PowerShell and WMI entry) • August Stealer 2016 (Word macros and PowerShell) • 3ve group November 2018 (ad click fraud) • Netwire phishing campaign February 2019 (Vbscript, Gdrive) • Astaroth campaign July 2019 (PowerShell) • Poison Ivy 2018 (Word macro, shown next slide)
  15. 15. Here are four practical tips to help protect your network Apply patches quickly across all systems Segment your network carefully Restrict admin rights severely Disable un-needed Windows apps and protocols (SMBv1!)
  16. 16. Best practices for better security Have dedicated and trained breach response teams 1 Limit and segment IoT devices on your network 2 Use security automation tools whenever possible 3 Find breaches and contain them quickly 4 Vet your MSP security procedures 5
  17. 17. Use these three email authentication protocols SPF DKIM DMARC
  18. 18. DMARC, SPF, and other email security tech
  19. 19. Use MFA to protect ALL logins
  20. 20. Questions, connections • My website: • Twitter: @dstrom • Email: • Slide copies can be found here:

Editor's Notes

  • Some somerbing stats from the Verizon 2019 report And phishing and emails were the most common entry points for attackers.
  • Compromises happen in minutes, discoveries in months.
    One report found that The average number of days between the breach discovery and reporting has gone back up, from 38 days in Q1 2018 to 54 days in Q1 2019. However, this average obscures one important fact: breaches that were reported by external sources (such as researchers or law enforcement) were found faster (43 days) versus internally (74 days).  (Risk Based Security 1q2019 report)
  • A Ponemon study in 2018 found it took US co’s an average of 200 days to detect.
  • Then add in this CEO impersonation attack to pay an invoice to a new bank account
  • Sense of urgency, using fear tactics, brand imitation with a fake email address, impersonal “dear user”
    More urgency with “required immediately” language and malicious link in the rollover URL
    More scare tactics -- “deactivation”,
    Impersonal signature
    Old copyright date and odd location in KY
    An attached ZIP file is icing on the cake
  • Email thread
  • Now add in criminal spoofing services such as this one to create more confusion
  • Use security awareness training regularly, not just once
  • The city of Baltimore has become everyone’s favorite ransomware poster child. The city IT infrastructure experienced a series of ransom attacks over the past 15 months. The first two occurred in March and April of 2018; the others began almost a year later. The city refused to pay, despite repeated attacks of both SamSam and RobbinHood strains.
  • All of these government entities were hacked in the past year. The note is from an office in Baltimore city hall.
  • This particular ransomware strain hit more than 20 different city government agencies in Texas in August happened through a vulnerability in remote desktop services that was used by an MSP running a managed endpoint protection agent.
  • This story in Pro Publica talks about how MSPs are becoming richer targets because hackers can hit multiple entities at once, such as what happened in Texas and elsewhere. Instead of targeting local government agencies, hackers are looking for vulnerabilities in the software supply chain, including managed email and backup services, ERP and accounting systems. This enables them to hit multiple targets with one exploit. MSPs are profitable because these agencies are more motivated to pay the ransoms to get back online and continue to serve their constituents. This article in ProPublica has a screencast video that shows how a hacker can disable AV and install the ransomware using a remote desktop program.
  • Lets move to the third stage of a typical attack, fileless malware. Its goal is to not leave any evidence behind that defenders can find. There are three general methods.
    ROP is the classic attack method and typically executes a DLL that can compromise a target PC. It could include code from your web browser or a desktop app routine that the malware piggybacks on to run.
    Scripting attacks uses built-in tools from MS Office or PowerShell or HTML Application Host and hook particular processes to run. If your detection routines don’t understand the details about script execution, they could easily miss these cues. These attacks are on the rise because there are so many scripts included in a modern endpoint.
    Then there is polymorphic, which adapt to changing conditions and try to evade your scanners and endpoint prevention tools. These can shift signatures and methods, look to see if they are running inside a VM for example.
  • “Live off the land” – leverage existing Windows OS tools, typically powershell but there are increasing other pieces of code that fileless can leverage. Back in the early days of the Internet, most blocking routines looked for certain signatures, either as the name of one of the running programs on your computer or specific patterns of behavior across your network. These worked until the malware authors got better at hiding their signature moves.
  • Poison Ivy infects PCs by creating a remote-access connection to log keystrokes and capture screens and videos from the PC.
    also tried to evade detection by Microsoft’s AppLocker protection system by inserting a reference to itself in AppLocker’s whitelisted applications using a series of Windows programs and scripts. It also created a series of decoy documents to make its operations seem benign to the infected user. As you can see, this software is very complex, with several different stages and methods to find its way into a user’s PC.

  • Because fileless attacks mimic legit Windows processes and executables, you have to get better at figuring out what these hijacked processes are actually doing. Something like this tool can help visualize the logic flows and point out when the malware is doing something odd.
  • Another technique is to use a tool such as AltFS, which can detonate a piece of malware in safety and show what happens in both Windows and Mac environments, to see where a piece of malware is hiding its artifacts.
  • So let’s look at a few practical suggestions on how to improve your cyber security.
    Make sure your patches are deployed for remote users too: one of the city-based ransomware attacks this year happened because of an employee who missed one of the updates because he was on the road and clicked on a phishing link.
  • Sender Policy Framework (SPF) hardens your DNS servers and restricts who can send emails from your domain
    DomainKeys Identified Mail (DKIM) ensures that the content of your emails remains trusted and hasn’t been tampered with or compromised
    Domain-based Message Authentication, Reporting and Conformance (DMARC) ties the first two protocols together with a consistent set of policies