
Aon Ransomware Response and Mitigation Strategies


CSNP Chicago - presented by Elizabeth Martin

  1. Ransomware Response and Mitigation Strategies: A Practical Approach. Elizabeth Martin, Manager, Security Advisory Practice. Prepared by Aon's Cyber Solutions Group. Proprietary and Confidential.
  2. Agenda
      - Introduction
      - Industry News
      - Aon's Client Experiences
      - Aon's Digital Forensics and Incident Response Activities
      - Aon's Pro-Active Mitigation Strategy Development
      - What Does the Future Hold?
  3. Introduction
  4. Proactive Security Advisory. Elizabeth Martin, Manager, Chicago, IL. E: Elizabeth.M.Martin@aon.com, P: +1 312.646.7358. Education: B.S., Electronics Engineering Technology. Elizabeth Martin has over 20 years of experience in the information security, compliance and risk management industry and 25 years in information technology. Ms. Martin evaluates the challenges of protecting an organization's assets while recommending improvements that support growth, improve operational efficiency, meet compliance requirements and mitigate risk. She has extensive experience in the Fortune 500 automotive, retail, financial, healthcare, government and managed security services verticals. Expertise highlights include information security and risk management program development, assessments and workshops; regulatory compliance analysis, implementation and management; and policy and procedure development. At Aon, Ms. Martin proactively helps organizations assess and manage their risk in accordance with their business requirements. She performs holistic Security Risk Assessments for clients that evaluate enterprise risk, including the security architecture, policies and governance.
  5. Aon Services: DFIR and Pro-Active Advisory Overview. * The team includes the former Head of the Cyber Division at FBI Headquarters and the founder of the FBI's computer crime squad in New York.
  6. Industry News: The Rise of Ransomware
  7. The Headlines
  8. What Do the Experts Have to Say?
  9. The Costs are Increasing. Charts: global data breach cost per capita, by industry (US$); impact of the top 22 factors on the per capita cost. Mean time to contain (MTTC) a breach: 69 days. For the fourth year, Ponemon's study shows the relationship between how quickly an organization can contain a data breach incident and its financial consequences.
  10. Aon's Client Experiences
  11. What Does This Mean For Our Clients? (cartoon) Board of Directors: "What are we doing about cybersecurity and ransomware? What is our strategy?" CEO: "What are we doing about cybersecurity? Do we have a strategy for ransomware? We're doing things about this cybersecurity, right?" CISO: "Yes, of course! We're doing all these things!"
      - Increased attention from the Board of Directors
      - Driving accountability at the C-level
      - CISOs facing increased scrutiny and/or requesting third-party assistance
      - 5 of my last 6 Security Risk Assessments were driven by the BoD
      - Security and IT teams are still challenged
      - Varying degrees of diligence, tools, practices, risk management, etc.
  12. The Challenges We Face (cartoon) CISO: "We are doing enough, right? Is everything I put in place working? Team, we're doing all the things, right?" Security Team: "NOOO!!! We're not doing enough!! The sky is falling!!!! IT, you are doing all the things, right?" IT: "Uhhh... my hair is on fire with new deployments, acquisitions, outages, but we're trying!!!" Three months later, Aon DFIR Team: "Do you have an EDR solution? Do you have logs? Do you have a list of systems? Can we access the SIEM? Do you have a SIEM?? How do we deploy IoC detection?"
  13. Here We Are: Not-So-Exact Numbers
      - Prior to the summer of 2019 we saw one or two ransomware cases per month
      - In the summer of 2019 we saw something like 5 or 6 cases in a 10 to 15 day period
      - They continue to come in on a regular basis
      - We typically only see catastrophic cases
      - Most cases share common attack vectors and malware strains
  14. Aon DFIR Incident Response, Analysis and Containment Activities
  15. Aon DFIR: Engagement Overview
      - Forensic acquisition of systems and host-based forensic analysis
      - Malware analysis
      - Log analysis: firewalls, threat detection, Active Directory, all available logs
      - Network monitoring: deploy open-source tools if none are available
      - Malware protection triage and review
      - IoC scanning via LIMA (proprietary tool) and other tools as available
      - O365 / email log collection and analysis
      - Dark web threat intelligence
      - Law enforcement engagement
      Note: cyber insurance and ransom payments are typically handled outside the DFIR and Pro-Active purview. We are nearly always engaged through the client's attorney under privilege.
  16. Aon DFIR: Engagement Overview By The Numbers (sample overview of efforts)
      - 397 systems (99 servers, 298 workstations) identified as infected
      - 613 potential attacker IP addresses blocked
      - 5 strains of malware identified
      - 3000+ malware samples identified
      - 530+ LIMA scans
      - 1200+ Linux scans
      - Inoculations ("kill switch") deployed for the trojans used to harvest credentials and propagate the ransomware
      The above reflects a smaller environment; we have responded to environments with 2000+ affected machines.
  17. Aon DFIR: Anatomy of an Attack, Response Activities. Infection vector:
      - The initial infection vector is often not confirmed; a phishing email with a malicious link or attachment is most likely
      - We often see IoCs dating back years, which reduces the ability to tie them to the incident timeline
      Multi-stage malware deployment:
      - Attacks generally followed the typical pattern of multi-stage malware deployment leading to the ransomware infection
      - Multiple Emotet, Trickbot, Dridex and Ryuk infections observed
  18. Aon DFIR: Anatomy of an Attack, Response Activities. Lateral propagation:
      - Attackers harvest credentials and create backdoors
      - Attackers map the network and use compromised accounts to propagate malware broadly
      - Remote shells / Meterpreter are deployed to escalate privileges and create backdoors on machines
      - Attackers gain access to admin-level accounts and domain controllers to deploy malware across the environment
      - Most lateral propagation occurs through remote administration channels such as PowerShell, named pipes and RDP, and goes largely undetected and uncontrolled
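Slide 18's point is that propagation over PowerShell, named pipes and RDP goes largely undetected even though every hop leaves a Windows Security logon event (ID 4624, logon type 3 for network and 10 for RDP) on the target. The following is an added example, not from the Aon deck: it reads a constructed CSV export of such events (timestamp, event ID, logon type, account, source host, target host; a simplification of the real "Workstation Name" and "Source Network Address" fields) and flags the two patterns a responder would want alerted on immediately, workstation-to-workstation logons and one account fanning out to many hosts from a single source. The host-name prefixes (WS- for workstations, JUMP- for the sanctioned admin host) and the fan-out threshold are assumptions for this example.

```python
"""Flag lateral movement in Windows logon events (Security event ID 4624).

Added example, not from the Aon deck. Input is a constructed CSV export with
the fields: timestamp, event_id, logon_type, account, source host, target host.
Host-name prefixes (WS- = workstation, JUMP- = admin jump host) and the fan-out
threshold are assumptions for this example; adjust them to the environment.
"""
from collections import defaultdict
from dataclasses import dataclass

ADMIN_SOURCES = {"JUMP-01"}    # hosts permitted to reach other hosts over SMB/RDP/WinRM
LATERAL_LOGON_TYPES = {3, 10}  # 3 = network (SMB, named pipes, WinRM), 10 = RemoteInteractive (RDP)
FANOUT_THRESHOLD = 3           # distinct targets from one (source, account) before alerting


@dataclass(frozen=True)
class Logon:
    ts: str
    account: str
    src_host: str
    dst_host: str
    logon_type: int


def parse_events(text):
    """Parse the CSV export, keeping only successful logons (event ID 4624)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src, dst = line.split(",")
        if event_id != "4624":
            continue
        events.append(Logon(ts, account, src.upper(), dst.upper(), int(logon_type)))
    return events


def is_workstation(host):
    return host.startswith("WS-")


def find_lateral_movement(events):
    """Return alerts for workstation-to-workstation logons and fan-out from one source."""
    alerts = []
    targets = defaultdict(set)
    for e in events:
        if e.logon_type not in LATERAL_LOGON_TYPES:
            continue                      # interactive/service logons are not lateral
        if e.src_host in ADMIN_SOURCES or e.src_host == e.dst_host:
            continue                      # sanctioned admin path, or local noise
        targets[(e.src_host, e.account)].add(e.dst_host)
        if is_workstation(e.src_host) and is_workstation(e.dst_host):
            # Workstations have no business administering each other; this is the
            # Trickbot/Ryuk-style propagation path the deck describes.
            alerts.append({"kind": "ws-to-ws", "ts": e.ts, "account": e.account,
                           "src": e.src_host, "dst": e.dst_host})
    for (src, account), dsts in targets.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            alerts.append({"kind": "fan-out", "src": src, "account": account,
                           "targets": len(dsts)})
    return alerts


# Constructed sample: CORP\jsmith on WS-1042 spraying logons is the attacker pattern;
# alice reaching one file server and admin.bob working from the jump host are normal.
SAMPLE_LOG = """\
2019-08-12T02:14:03Z,4624,3,CORP\\jsmith,WS-1042,WS-1077
2019-08-12T02:14:09Z,4624,3,CORP\\jsmith,WS-1042,WS-1078
2019-08-12T02:14:15Z,4624,3,CORP\\jsmith,WS-1042,FS-01
2019-08-12T02:20:41Z,4624,10,CORP\\jsmith,WS-1042,DC-01
2019-08-12T08:00:00Z,4624,2,CORP\\alice,WS-2001,WS-2001
2019-08-12T09:30:00Z,4624,10,CORP\\admin.bob,JUMP-01,DC-01
2019-08-12T09:31:00Z,4624,3,CORP\\alice,WS-2001,FS-01
2019-08-12T09:32:00Z,4625,3,CORP\\alice,WS-2001,FS-01
"""

if __name__ == "__main__":
    for alert in find_lateral_movement(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample this raises two workstation-to-workstation alerts and one fan-out alert for CORP\jsmith on WS-1042 (four distinct targets), while the file-server access from WS-2001 and the jump-host RDP session stay quiet. The same logic runs unchanged over a SIEM export; the part that needs tuning per environment is the set of sanctioned admin sources, which is exactly the "choke point" inventory the deck's proactive strategy asks for.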
  19. Aon DFIR: Anatomy of an Attack, Response Activities. Lateral propagation (cont'd):
      - Limited network segmentation, choke points and visibility to restrict SMB and remote Windows administration traffic
      - Clear evidence of "hands on keyboard" attacker activity, typically 3 to 4 weeks before the ransomware payload executes
      - Attackers typically obtain a host list during reconnaissance, including the location of backups, domain controllers, etc.
      Containment efforts:
      - In most cases, by this point the ransomware has spread rapidly and many systems are down, both endpoints and servers. In some cases certain environments are unaffected
      - SMB traffic is restricted as quickly as the available capabilities allow, usually with on-the-fly router ACLs (because the network is flat) combined with on-the-fly firewall rules
  20. Aon DFIR: Anatomy of an Attack, Response Activities. Containment efforts:
      - Overall: TANGO DOWN within a 2 to 3 day timeframe. Business functions have halted; we have seen cases where employees are simply asked not to work, and IT staff going to Best Buy, putting down an AmEx and buying every available workstation (procurement services are not available)
      - 3 to 7 days later, infections continue if a successful containment strategy is not deployed
      - We often see the same machines reinfected for lack of system hardening, host-based controls, configuration management practices, network segmentation, or because malware protection is inadequate or ineffective
      - Malware protection may not automatically detect the IoCs; custom signatures must be deployed, assuming the malware protection console is available and not itself affected by the ransomware
      - Containment strategies that rely on Windows tools such as SCCM, AppLocker and Windows Defender are restricted by the very SMB restrictions put in place for containment
  21. Aon DFIR: Anatomy of an Attack, Response Activities. Containment efforts:
      - In some cases the attacker accessed the backup console directly and deleted the backups; in others the backups were simply not functioning, which had gone unnoticed
      - In many cases the client does not maintain an asset management solution or network diagrams, or if they do, they are unavailable because of the ransomware, further complicating the response and lengthening the containment timeline
      - Obtaining access to tools, deploying Aon tools where visibility is lacking, and the general availability of fundamental information and systems significantly lengthen the containment timeline
  22. Aon DFIR: Anatomy of an Attack, Response Activities. Containment efforts realized!
      - Our malware analysis team is able to identify specific IoCs, lateral propagation methods, etc. Our DFIR team has become accustomed to deploying containment solutions in some of the most challenging environments
      - In many cases our DFIR team requests deployment of an EDR tool, which has proven the most effective
      - Specific host-based controls are deployed depending on the environment and tools available. This includes EDR, malware protection, and any additional tools in place that can block IoCs and allow for rebuild, restore and recovery
      - Log analysis and monitoring is in place to alert immediately on all IoCs
      - Network-based restrictions are lifted slowly, in a phased approach, once the containment strategy is confirmed to be working
  23. Aon DFIR: Anatomy of an Attack, Eradication
      - While the spread of the ransomware may be contained, many items remain to consider on an ongoing basis, such as the following:
      - Diligence in eradication measures: do not reintroduce infected machines to the network
      - Establish a safe practice for data recovery, covering any ransom payment and the restoration of data
      - Ensure there is a sound set of protective controls to prevent subsequent infection vectors (e.g. phishing protection, advanced threat protection, etc.)
      Data exfiltration:
      - While the incident may be contained, there should be an ongoing effort to conduct deep / dark web searches to identify data exfiltration
  24. Aon Pro-Active Advisory Mitigation Strategy
  25. Aon Pro-Active Advisory: Engagement Status
      - Containment has been achieved through collaboration between the client and our DFIR team
      - The client has not yet fully recovered
      - Additional pro-active mitigation strategies need to be developed to further strengthen detection, prevention and response capabilities
  26. Aon Advisory: Pro-Active Ransomware Mitigation Strategy. Establish threat profiles, a network baseline and enhanced choke points:
      - Whiteboard the environment and gather a threat profile of the following: user profiles; location profiles
      - Establish a network baseline and choke points
      - Develop a network reference architecture
      - Develop traffic profiling
  27. Network Reference Architecture (diagram). Remote locations (retail locations with POS, retail back office, users and a firewall/UTM; small office and campus sites with router and firewall/UTM) connect over the WAN and VPN to regional data centers (RDC/file servers, users) and to the core infrastructure. The core comprises a primary data center (business apps / ERP, management, pre-prod, security tools, Internet infrastructure, e-commerce, middleware, development, backups) and a backup data center (business apps / ERP, RDC/file servers, core infrastructure, backup network). Cloud services (AWS, O365) and the Internet sit outside the core behind the perimeter firewall.
  28. Aon Advisory: Pro-Active Ransomware Mitigation Strategy
      - Traffic baselining
      - Restrict network traffic based on user and location threat profiles
      - Keep SMB traffic localized
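Slides 19 and 20 describe SMB being cut with on-the-fly router ACLs during containment, and slide 28 turns that into the standing policy: keep SMB local and restrict traffic by user and location profile. The following is an added example, not from the Aon deck, of how to audit observed flows against that policy once the reference architecture is whiteboarded. The zones, subnets, ports and sample flows are constructed for illustration; the policy encoded is that SMB (139/445) may only go from a zone to a server zone at the same site, remote administration (RPC, RDP, WinRM) may only originate from the management zone, and the management zone is exempt from the SMB rule so that SCCM, AppLocker and Defender distribution keep working (the problem slide 20 notes). For each violation it emits the Cisco-style extended ACL deny line that would have blocked it.

```python
"""Audit observed flows against a 'keep SMB local, administer from mgmt only' policy.

Added example, not from the Aon deck. Zones, subnets, ports and flows are
constructed for illustration; substitute the real reference architecture and a
NetFlow or firewall-log export for a production environment.
"""
import ipaddress
from dataclasses import dataclass

# zone name -> (network, site, role). "server" zones hold file servers, DCs and
# backup targets; "user" zones hold workstations, POS and back office; "mgmt"
# is where SCCM/AppLocker/Defender pushes and admin RDP/WinRM originate.
ZONES = {
    "hq-users":   (ipaddress.ip_network("10.10.0.0/16"),  "hq",        "user"),
    "hq-servers": (ipaddress.ip_network("10.20.0.0/16"),  "hq",        "server"),
    "hq-mgmt":    (ipaddress.ip_network("10.250.0.0/24"), "hq",        "mgmt"),
    "retail-42":  (ipaddress.ip_network("10.142.0.0/24"), "retail-42", "user"),
    "retail-43":  (ipaddress.ip_network("10.143.0.0/24"), "retail-43", "user"),
}
SMB_PORTS = {139, 445}
ADMIN_PORTS = {135, 3389, 5985, 5986}   # RPC endpoint mapper, RDP, WinRM


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, (net, _site, _role) in ZONES.items():
        if addr in net:
            return name
    return None


def check_flow(flow):
    """Return None if the flow is within policy, otherwise a short reason."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if flow.dport in SMB_PORTS:
        if sz is None or dz is None:
            return "SMB from/to an address outside the reference architecture"
        _, ssite, srole = ZONES[sz]
        _, dsite, drole = ZONES[dz]
        if srole == "mgmt":
            return None            # keeps SCCM/AppLocker/Defender distribution working
        if drole != "server":
            return "SMB to a non-server host (workstation-to-workstation)"
        if ssite != dsite:
            return "SMB leaving its site"
        return None
    if flow.dport in ADMIN_PORTS:
        if sz is None or ZONES[sz][2] != "mgmt":
            return "remote administration not from the management zone"
        return None
    return None                    # other traffic is not policed by this check


def audit(flows):
    return [(f, reason) for f in flows if (reason := check_flow(f))]


def _acl_side(ip):
    """Network/wildcard pair for the zone containing ip, or a host entry if unknown."""
    z = zone_of(ip)
    if z is None:
        return f"host {ip}"
    net = ZONES[z][0]
    return f"{net.network_address} {net.hostmask}"


def suggest_acl(violations):
    """Cisco-style extended ACL deny lines that would have blocked each violating flow."""
    return sorted({f"deny tcp {_acl_side(f.src)} {_acl_side(f.dst)} eq {f.dport}"
                   for f, _ in violations})


# Constructed flow sample, as it would come from a NetFlow or firewall-log export.
SAMPLE_FLOWS = [
    Flow("10.10.4.21",  "10.10.4.88", 445),   # workstation to workstation SMB
    Flow("10.10.4.21",  "10.20.1.10", 445),   # user to file server, same site: fine
    Flow("10.142.0.15", "10.20.1.10", 445),   # retail site to HQ server over SMB
    Flow("10.10.4.21",  "10.20.1.5",  3389),  # RDP to a server from a user zone
    Flow("10.250.0.7",  "10.20.1.5",  3389),  # RDP from the management zone: fine
    Flow("10.142.0.15", "10.143.0.20", 445),  # retail site to retail site SMB
    Flow("10.10.4.21",  "10.20.1.10", 443),   # HTTPS, not policed here
    Flow("192.0.2.9",   "10.20.1.10", 445),   # SMB from outside the architecture
]

if __name__ == "__main__":
    violations = audit(SAMPLE_FLOWS)
    for f, reason in violations:
        print(f"{f.src} -> {f.dst}:{f.dport}  {reason}")
    print("\n".join(suggest_acl(violations)))
```

Run against a baseline captured before an incident, the violations are the segmentation backlog; run during containment, the ACL lines are the emergency rules the deck describes applying by hand. Two caveats a practitioner should keep: domain controllers, file servers and backup targets must be placed in server zones before the rule is enforced, otherwise logon and replication traffic is cut along with the malware, and the deny lines should be staged in monitor (log-only) mode first so that legitimate cross-site dependencies surface before they break.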
  29. Aon Advisory: Pro-Active Ransomware Mitigation Strategy. Understand current and planned security controls:
      - Gather current, planned and recommended security controls for the following: mobile device controls; endpoint controls; email / browsing; perimeter controls; server / identity management; security analytics
      - Overlay the controls on a general "Anatomy of an Attack"
  30. Security Reference Architecture (diagram). Control families overlaid on the reference architecture: Security Analytics (vulnerability management, dark web search, threat intelligence, SIEM, traffic baselining, 24x7 monitoring, insider threat); Email / Browsing (email filtering, URL filtering) at the infection-vector stage; Perimeter Controls (firewall, advanced threat, IPS, WAF, DDoS, SDN, VPN) covering cloud and e-commerce; Mobile Device Controls (MDM for corporate and BYOD devices, wireless controls); Endpoint Controls (EDR / malware protection, Windows Defender, AppLocker, LAPS, configuration management, patching) against malware and lateral propagation; Server / Identity Management (identity directory, server EDR, PAM, application whitelisting, configuration management, patching, backup protection) against lateral propagation by a malicious actor.
  31. Anatomy of an Attack (kill-chain diagram). Stages: infection vectors (phishing, malicious website, credential harvesting); propagation (persistence, API hooking, lateral movement, command and control, rootkit, botnet); payload (ransomware, data exfiltration). Controls overlaid on the kill chain in the diagram: Proofpoint, URL filtering, Palo Alto firewall, WildFire and IPS, Carbon Black and other host-based controls, Thycotic, Microsoft ATA (insider threat), Tenable, Cortex XDR, Backstory (Google), network segmentation, backup protection, dark web search, threat intelligence and 24x7 monitoring, with security analytics spanning all stages.
  32. Aon Advisory: Pro-Active Ransomware Mitigation Strategy. Develop a roadmap and budget aligned with the NIST CSF; enhance DFIR preparedness.
  33. What Does the Future Hold?
  34. About Aon. Aon plc (NYSE:AON) is the leading global provider of risk management, insurance and reinsurance brokerage, and human resources solutions and outsourcing services. Through its more than 66,000 colleagues worldwide, Aon unites to empower results for clients in over 120 countries via innovative and effective risk and people solutions and through industry-leading global resources and technical expertise. Aon has been named repeatedly as the world's best broker, best insurance intermediary, best reinsurance intermediary, best captives manager, and best employee benefits consulting firm by multiple industry sources. Visit aon.com for more information on Aon. Aon's Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents. Cyber security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates. The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. www.aon.com | © Aon plc 2019. All rights reserved.
      Disclaimer of Liability: This strictly confidential report provides a written account of information collected and collated by us within limited time constraints. It contains information obtained from sources which have not been validated and the accuracy or veracity of which cannot be guaranteed. It is being provided to the addressee "as is" and with specific disclaimer of any express or implied warranties of any kind, including merchantability, fitness for purpose, title and/or non-infringement. Further, we make no representations regarding the sufficiency of our work for any business, financial, or other purpose, including the purpose for which it has been requested. We do not express an opinion regarding any business decisions associated with the subject matter of our deliverables. Sufficiency of the work and business decisions are the sole responsibility of the addressee. We shall not be liable for any loss or injury caused by the neglect or other act or failure to act on the part of us and/or our agents in procuring, collecting or communicating any information. Further, no liability is accepted by us for any loss or damage arising out of any reliance on the information contained in this report.
