Today’s IT security
David Strom, firstname.lastname@example.org
MnCCC annual security conference
• Current state of IT security
• Typical multi-stage cyber
• Phishing probe
• Ransomware and data theft
• Lateral movement with
• Recommendations for
improving your security
Four stages of a typical breach
COMPROMISE EXFILTRATION DISCOVERY CONTAINMENT
A sample of breach detection delays
• Yahoo (3B accounts, 2013): many years to detect and notify
• Marriott (383M guests, 2014-18): 4 years to detect, 2 mo. to
• Advent Health (42k customers, 2017-18): 16 months to
detect, 18 months to notify
• Uber (57M customers, 2016): 1 year to detect and notify
• eBay (145M users, 2014): 7 months to detect and notify
• Heartland Payments (134M accounts, 2008): 9 months to
Let’s look at the
telltale signs of
• Business working with a foreign
• Business receiving or initiating a
wire transfer request.
• Business contacts receiving
• Executive and attorney
• Confidential data theft.
Examine the tone and phrasing of the
Have shared authority on money
Understand the underlying social
Don’t get sucked in with a phony sense
Trust but verify -- phone calls can be
• City of Atlanta
• State Department of Public
• State and local court systems
• City hospitals
• County governments
• Small city police departments
Behind the Texas
Did the victim pay up?
What did it cost to restore
What data was deleted or
How long were things out of
Six bad IT decisions exposed by ransomware
makes it hard to
find root cause
Delay patching and
Poor disaster and
Lousy staff comms
and poor disruption
Three general types
Sample fileless malware campaigns
• Target 2014 breach (flat network)
• DNC 2016 hack (PowerShell and WMI entry)
• August Stealer 2016 (Word macros and PowerShell)
• 3ve group November 2018 (ad click fraud)
• Netwire phishing campaign February 2019 (Vbscript, Gdrive)
• Astaroth campaign July 2019 (PowerShell)
• Poison Ivy 2018 (Word macro, shown next slide)
Here are four
Apply patches quickly across all
Segment your network carefully
Restrict admin rights severely
Disable un-needed Windows
apps and protocols (SMBv1!)
Best practices for better security
devices on your
Vet your MSP
Use these three email authentication
SPF DKIM DMARC
Some somerbing stats from the Verizon 2019 report And phishing and emails were the most common entry points for attackers.
Compromises happen in minutes, discoveries in months. One report found that The average number of days between the breach discovery and reporting has gone back up, from 38 days in Q1 2018 to 54 days in Q1 2019. However, this average obscures one important fact: breaches that were reported by external sources (such as researchers or law enforcement) were found faster (43 days) versus internally (74 days). (Risk Based Security 1q2019 report)
A Ponemon study in 2018 found it took US co’s an average of 200 days to detect. https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
Then add in this CEO impersonation attack to pay an invoice to a new bank account
Sense of urgency, using fear tactics, brand imitation with a fake email address, impersonal “dear user” More urgency with “required immediately” language and malicious link in the rollover URL More scare tactics -- “deactivation”, Impersonal signature Old copyright date and odd location in KY An attached ZIP file is icing on the cake From https://www.varonis.com/blog/spot-phishing-scam/
Now add in criminal spoofing services such as this one to create more confusion
Use security awareness training regularly, not just once
The city of Baltimore has become everyone’s favorite ransomware poster child. The city IT infrastructure experienced a series of ransom attacks over the past 15 months. The first two occurred in March and April of 2018; the others began almost a year later. The city refused to pay, despite repeated attacks of both SamSam and RobbinHood strains.
All of these government entities were hacked in the past year. The note is from an office in Baltimore city hall.
This particular ransomware strain hit more than 20 different city government agencies in Texas in August happened through a vulnerability in remote desktop services that was used by an MSP running a managed endpoint protection agent.
This story in Pro Publica talks about how MSPs are becoming richer targets because hackers can hit multiple entities at once, such as what happened in Texas and elsewhere. Instead of targeting local government agencies, hackers are looking for vulnerabilities in the software supply chain, including managed email and backup services, ERP and accounting systems. This enables them to hit multiple targets with one exploit. MSPs are profitable because these agencies are more motivated to pay the ransoms to get back online and continue to serve their constituents. This article in ProPublica has a screencast video that shows how a hacker can disable AV and install the ransomware using a remote desktop program. https://www.propublica.org/article/the-new-target-that-enables-ransomware-hackers-to-paralyze-dozens-of-towns-and-businesses-at-once
Lets move to the third stage of a typical attack, fileless malware. Its goal is to not leave any evidence behind that defenders can find. There are three general methods. ROP is the classic attack method and typically executes a DLL that can compromise a target PC. It could include code from your web browser or a desktop app routine that the malware piggybacks on to run. Scripting attacks uses built-in tools from MS Office or PowerShell or HTML Application Host and hook particular processes to run. If your detection routines don’t understand the details about script execution, they could easily miss these cues. These attacks are on the rise because there are so many scripts included in a modern endpoint. Then there is polymorphic, which adapt to changing conditions and try to evade your scanners and endpoint prevention tools. These can shift signatures and methods, look to see if they are running inside a VM for example.
“Live off the land” – leverage existing Windows OS tools, typically powershell but there are increasing other pieces of code that fileless can leverage. Back in the early days of the Internet, most blocking routines looked for certain signatures, either as the name of one of the running programs on your computer or specific patterns of behavior across your network. These worked until the malware authors got better at hiding their signature moves.
Poison Ivy infects PCs by creating a remote-access connection to log keystrokes and capture screens and videos from the PC. also tried to evade detection by Microsoft’s AppLocker protection system by inserting a reference to itself in AppLocker’s whitelisted applications using a series of Windows programs and scripts. It also created a series of decoy documents to make its operations seem benign to the infected user. As you can see, this software is very complex, with several different stages and methods to find its way into a user’s PC.
Because fileless attacks mimic legit Windows processes and executables, you have to get better at figuring out what these hijacked processes are actually doing. Something like this tool can help visualize the logic flows and point out when the malware is doing something odd.
Another technique is to use a tool such as AltFS, which can detonate a piece of malware in safety and show what happens in both Windows and Mac environments, to see where a piece of malware is hiding its artifacts. https://github.com/SafeBreach-Labs/AltFS
So let’s look at a few practical suggestions on how to improve your cyber security. Make sure your patches are deployed for remote users too: one of the city-based ransomware attacks this year happened because of an employee who missed one of the updates because he was on the road and clicked on a phishing link.
Sender Policy Framework (SPF) hardens your DNS servers and restricts who can send emails from your domain DomainKeys Identified Mail (DKIM) ensures that the content of your emails remains trusted and hasn’t been tampered with or compromised Domain-based Message Authentication, Reporting and Conformance (DMARC) ties the first two protocols together with a consistent set of policies