SlideShare a Scribd company logo

Ransomware is Knocking your Door_Final.pdf

Ransomware Overview • Ransomware Trends in 2021 from Mandiant cases • Ransomware Attack Stages • Defense Strategies to Harden the Security Posture • Ransomware Remediation Stages • Prepare for Enterprise Password Resets

1 of 46
Download to read offline
Ransomware is Knocking your Door ! Proactive
Hardening and Defense Strategies
Guillermo Diaz & Thirumalai Natarajan
Security Transformation Services,
Mandiant Consulting
©2021 Mandiant 2
Thirumalai Natarajan
• Senior Manager – Consulting Services, Mandiant
• Responding & Remediating to Security Breaches
• Proactive Security Assessments
• Built & Managed Security Operations Centers
• Team Management & Business Development
• Speaker at Blackhat Asia, BSides SG, Virus Bulletin,
SANS Summit etc.
©2021 Mandiant 3
Guillermo Diaz
• Principal Consultant– Consulting Services, Mandiant
• Incident Response Remediation & Recovery
• Active Directory & Cloud Connoisseur
• Automate Everything
• Ex Microsoft
• Worked in South America, Middle East & Australia regions
©2021 Mandiant 4
What will We talk about Today
• Ransomware Overview
• Ransomware Trends in 2021 from Mandiant cases
• Ransomware Attack Stages
• Defense Strategies to Harden the Security Posture
• Ransomware Remediation Stages
• Prepare for Enterprise Password Resets
©2021 Mandiant 5
Ransomware Overview
©2021 Mandiant 6
Active
Directory
Servers
Ransomware is Evolving…
 Ransomware is not what it used to be!
• The term ‘ransomware’ traditionally refers to the malware used for encrypting files and
entire systems
• Evolved to indicate a category of financially-motivated attacks
• Leverage extortion tactics to coerce victims into complying with demands
• ‘Multifaceted extortion’ is a term starting to gain traction when discussing ransomware
• Ransomware as a Service (RaaS)
ransomware
noun
[ ran-suh m-wair ]
malware that requires the victim to pay a ransom to access
encrypted files
1
extortion
noun
[ ik-stawr-shuhn ]
the practice of obtaining something, especially money, through
force or threats.
1
Examples: Ryuk, Conti, BitPaymer, DoppelPaymer, Maze, etc. Example: The theft of data and demand for money in exchange
for not publicly releasing the stolen data

Recommended

Workshop Trend Micro
Workshop Trend MicroWorkshop Trend Micro
Workshop Trend MicroAymen Mami
 
5G & Edge: High Performance with Zero-Trust Security
5G & Edge: High Performance with Zero-Trust Security5G & Edge: High Performance with Zero-Trust Security
5G & Edge: High Performance with Zero-Trust SecurityRebekah Rodriguez
 
Data center disaster recovery.ppt
Data center disaster recovery.ppt Data center disaster recovery.ppt
Data center disaster recovery.ppt omalreda
 
Securing the Internet of Things
Securing the Internet of ThingsSecuring the Internet of Things
Securing the Internet of ThingsSyam Madanapalli
 
Getting Started with ThousandEyes
Getting Started with ThousandEyesGetting Started with ThousandEyes
Getting Started with ThousandEyesThousandEyes
 

More Related Content

What's hot

Presentation on Wireless border security system
Presentation on  Wireless border security systemPresentation on  Wireless border security system
Presentation on Wireless border security systemStudent
 
Mobile device management presentation
Mobile device management presentationMobile device management presentation
Mobile device management presentationratneshsinghparihar
 
Getting Started With ThousandEyes Proof of Concepts: End User Digital Experience
Getting Started With ThousandEyes Proof of Concepts: End User Digital ExperienceGetting Started With ThousandEyes Proof of Concepts: End User Digital Experience
Getting Started With ThousandEyes Proof of Concepts: End User Digital ExperienceThousandEyes
 
Desktop as a Service DaaS in India by BSNL SIS
Desktop as a Service DaaS in India by BSNL SISDesktop as a Service DaaS in India by BSNL SIS
Desktop as a Service DaaS in India by BSNL SISSATYAVEER PAL
 
Cloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCrowdStrike
 
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf
 
Enterprise Storage NAS - Dual Controller
Enterprise Storage NAS - Dual ControllerEnterprise Storage NAS - Dual Controller
Enterprise Storage NAS - Dual ControllerFernando Barrientos
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Anwesh Dixit
 
Modern Requirements and Solutions for Privileged Access Management (PAM)
Modern Requirements and Solutions for Privileged Access Management (PAM)Modern Requirements and Solutions for Privileged Access Management (PAM)
Modern Requirements and Solutions for Privileged Access Management (PAM)Enterprise Management Associates
 
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017Netgate
 
The Top Outages of 2021: Analysis and Takeaways
The Top Outages of 2021: Analysis and TakeawaysThe Top Outages of 2021: Analysis and Takeaways
The Top Outages of 2021: Analysis and TakeawaysThousandEyes
 
Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security PresentationSimplex
 
Vdi how-it-works618
Vdi how-it-works618Vdi how-it-works618
Vdi how-it-works618shiva2shetty
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overviewCisco Canada
 
The Firewall Policy Hangover: Alleviating Security Management Migraines
The Firewall Policy Hangover: Alleviating Security Management MigrainesThe Firewall Policy Hangover: Alleviating Security Management Migraines
The Firewall Policy Hangover: Alleviating Security Management MigrainesAlgoSec
 
Protecting Intellectual Property and Data Loss Prevention (DLP)
Protecting Intellectual Property and Data Loss Prevention (DLP)Protecting Intellectual Property and Data Loss Prevention (DLP)
Protecting Intellectual Property and Data Loss Prevention (DLP)Arpin Consulting
 
The Data Center Evolution and Pre-Fab Data Centers
The Data Center Evolution and Pre-Fab Data CentersThe Data Center Evolution and Pre-Fab Data Centers
The Data Center Evolution and Pre-Fab Data CentersSchneider Electric
 

What's hot (20)

Mac address authentication
Mac address authenticationMac address authentication
Mac address authentication
 
Presentation on Wireless border security system
Presentation on  Wireless border security systemPresentation on  Wireless border security system
Presentation on Wireless border security system
 
Mobile device management presentation
Mobile device management presentationMobile device management presentation
Mobile device management presentation
 
Getting Started With ThousandEyes Proof of Concepts: End User Digital Experience
Getting Started With ThousandEyes Proof of Concepts: End User Digital ExperienceGetting Started With ThousandEyes Proof of Concepts: End User Digital Experience
Getting Started With ThousandEyes Proof of Concepts: End User Digital Experience
 
Desktop as a Service DaaS in India by BSNL SIS
Desktop as a Service DaaS in India by BSNL SISDesktop as a Service DaaS in India by BSNL SIS
Desktop as a Service DaaS in India by BSNL SIS
 
Cloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint Security
 
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
 
Enterprise Storage NAS - Dual Controller
Enterprise Storage NAS - Dual ControllerEnterprise Storage NAS - Dual Controller
Enterprise Storage NAS - Dual Controller
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
 
Modern Requirements and Solutions for Privileged Access Management (PAM)
Modern Requirements and Solutions for Privileged Access Management (PAM)Modern Requirements and Solutions for Privileged Access Management (PAM)
Modern Requirements and Solutions for Privileged Access Management (PAM)
 
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
 
The Top Outages of 2021: Analysis and Takeaways
The Top Outages of 2021: Analysis and TakeawaysThe Top Outages of 2021: Analysis and Takeaways
The Top Outages of 2021: Analysis and Takeaways
 
Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security Presentation
 
VMware Workspace One
VMware Workspace OneVMware Workspace One
VMware Workspace One
 
Vdi how-it-works618
Vdi how-it-works618Vdi how-it-works618
Vdi how-it-works618
 
Windows 2019
Windows 2019Windows 2019
Windows 2019
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overview
 
The Firewall Policy Hangover: Alleviating Security Management Migraines
The Firewall Policy Hangover: Alleviating Security Management MigrainesThe Firewall Policy Hangover: Alleviating Security Management Migraines
The Firewall Policy Hangover: Alleviating Security Management Migraines
 
Protecting Intellectual Property and Data Loss Prevention (DLP)
Protecting Intellectual Property and Data Loss Prevention (DLP)Protecting Intellectual Property and Data Loss Prevention (DLP)
Protecting Intellectual Property and Data Loss Prevention (DLP)
 
The Data Center Evolution and Pre-Fab Data Centers
The Data Center Evolution and Pre-Fab Data CentersThe Data Center Evolution and Pre-Fab Data Centers
The Data Center Evolution and Pre-Fab Data Centers
 

Similar to Ransomware is Knocking your Door_Final.pdf

Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università
Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università
Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università Jürgen Ambrosi
 
Protecting Windows Passwords and Preventing Windows Computer / Password Attacks
Protecting Windows Passwords and Preventing Windows Computer / Password AttacksProtecting Windows Passwords and Preventing Windows Computer / Password Attacks
Protecting Windows Passwords and Preventing Windows Computer / Password AttacksZoho Corporation
 
Cash is King: Who's Wearing Your Crown?
Cash is King: Who's Wearing Your Crown?Cash is King: Who's Wearing Your Crown?
Cash is King: Who's Wearing Your Crown?Tom Eston
 
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
#MFSummit2016 Secure: Is your mainframe less secure than your fileserverMicro Focus
 
CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)Sam Bowne
 
Net scaler appfw customer technical presentation dec 2012f
Net scaler appfw customer technical presentation dec 2012fNet scaler appfw customer technical presentation dec 2012f
Net scaler appfw customer technical presentation dec 2012fxKinAnx
 
dtechnClouologyassociatepart2
dtechnClouologyassociatepart2dtechnClouologyassociatepart2
dtechnClouologyassociatepart2Anne Starr
 
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB201904_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019Kumton Suttiraksiri
 
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...apidays
 
Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3Marco Di Martino
 
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...Identity Days
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack AzureAbdul Khan
 
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...JamieWilliams130
 
Securing the Internet of Things
Securing the Internet of ThingsSecuring the Internet of Things
Securing the Internet of ThingsChristopher Frenz
 
RSA Secur id for windows
RSA Secur id for windowsRSA Secur id for windows
RSA Secur id for windowsarpit06055
 
gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2Anne Starr
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present DangersPeter Wood
 

Similar to Ransomware is Knocking your Door_Final.pdf (20)

Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università
Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università
Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università
 
Protecting Windows Passwords and Preventing Windows Computer / Password Attacks
Protecting Windows Passwords and Preventing Windows Computer / Password AttacksProtecting Windows Passwords and Preventing Windows Computer / Password Attacks
Protecting Windows Passwords and Preventing Windows Computer / Password Attacks
 
Cash is King: Who's Wearing Your Crown?
Cash is King: Who's Wearing Your Crown?Cash is King: Who's Wearing Your Crown?
Cash is King: Who's Wearing Your Crown?
 
Dakotacon 2017
Dakotacon 2017Dakotacon 2017
Dakotacon 2017
 
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
 
CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)
 
Net scaler appfw customer technical presentation dec 2012f
Net scaler appfw customer technical presentation dec 2012fNet scaler appfw customer technical presentation dec 2012f
Net scaler appfw customer technical presentation dec 2012f
 
dtechnClouologyassociatepart2
dtechnClouologyassociatepart2dtechnClouologyassociatepart2
dtechnClouologyassociatepart2
 
Data Leakage Prevention
Data Leakage PreventionData Leakage Prevention
Data Leakage Prevention
 
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB201904_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
 
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
 
Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3
 
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure
 
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
 
Ram
RamRam
Ram
 
Securing the Internet of Things
Securing the Internet of ThingsSecuring the Internet of Things
Securing the Internet of Things
 
RSA Secur id for windows
RSA Secur id for windowsRSA Secur id for windows
RSA Secur id for windows
 
gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 

More from Security Bootcamp

Hieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecurityHieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecuritySecurity Bootcamp
 
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s viewNguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s viewSecurity Bootcamp
 
Sbc 2020 bao gio vn co anm dua vao cong nghe mo
Sbc 2020 bao gio vn co anm dua vao cong nghe moSbc 2020 bao gio vn co anm dua vao cong nghe mo
Sbc 2020 bao gio vn co anm dua vao cong nghe moSecurity Bootcamp
 
Giam sat thu dong thong tin an toan hang hai su dung sdr
Giam sat thu dong thong tin an toan hang hai su dung sdrGiam sat thu dong thong tin an toan hang hai su dung sdr
Giam sat thu dong thong tin an toan hang hai su dung sdrSecurity Bootcamp
 
Insider threat-what-us-do d-want
Insider threat-what-us-do d-wantInsider threat-what-us-do d-want
Insider threat-what-us-do d-wantSecurity Bootcamp
 
Macro malware common techniques - public
Macro malware   common techniques - publicMacro malware   common techniques - public
Macro malware common techniques - publicSecurity Bootcamp
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learningSecurity Bootcamp
 
Tim dieu moi trong nhung dieu cu
Tim dieu moi trong nhung dieu cuTim dieu moi trong nhung dieu cu
Tim dieu moi trong nhung dieu cuSecurity Bootcamp
 
Threat detection with 0 cost
Threat detection with 0 costThreat detection with 0 cost
Threat detection with 0 costSecurity Bootcamp
 
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET -  Hiểm hoa tiềm ẩn trong hệ thống Active DirectoryGOLDEN TICKET -  Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active DirectorySecurity Bootcamp
 
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018Security Bootcamp
 
Lannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksLannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksSecurity Bootcamp
 
Letrungnghia-gopyluananm2018
Letrungnghia-gopyluananm2018Letrungnghia-gopyluananm2018
Letrungnghia-gopyluananm2018Security Bootcamp
 
Cyber Attacks on Financial _ Vikjava
Cyber Attacks on Financial _ VikjavaCyber Attacks on Financial _ Vikjava
Cyber Attacks on Financial _ VikjavaSecurity Bootcamp
 

More from Security Bootcamp (20)

Hieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecurityHieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecurity
 
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s viewNguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
 
Sbc 2020 bao gio vn co anm dua vao cong nghe mo
Sbc 2020 bao gio vn co anm dua vao cong nghe moSbc 2020 bao gio vn co anm dua vao cong nghe mo
Sbc 2020 bao gio vn co anm dua vao cong nghe mo
 
Deception change-the-game
Deception change-the-gameDeception change-the-game
Deception change-the-game
 
Giam sat thu dong thong tin an toan hang hai su dung sdr
Giam sat thu dong thong tin an toan hang hai su dung sdrGiam sat thu dong thong tin an toan hang hai su dung sdr
Giam sat thu dong thong tin an toan hang hai su dung sdr
 
Sbc2019 luong-cyber startup
Sbc2019 luong-cyber startupSbc2019 luong-cyber startup
Sbc2019 luong-cyber startup
 
Insider threat-what-us-do d-want
Insider threat-what-us-do d-wantInsider threat-what-us-do d-want
Insider threat-what-us-do d-want
 
Macro malware common techniques - public
Macro malware   common techniques - publicMacro malware   common techniques - public
Macro malware common techniques - public
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learning
 
Tim dieu moi trong nhung dieu cu
Tim dieu moi trong nhung dieu cuTim dieu moi trong nhung dieu cu
Tim dieu moi trong nhung dieu cu
 
Threat detection with 0 cost
Threat detection with 0 costThreat detection with 0 cost
Threat detection with 0 cost
 
Build SOC
Build SOC Build SOC
Build SOC
 
AD red vs blue
AD red vs blueAD red vs blue
AD red vs blue
 
Securitybox
SecurityboxSecuritybox
Securitybox
 
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET -  Hiểm hoa tiềm ẩn trong hệ thống Active DirectoryGOLDEN TICKET -  Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
 
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
 
Api security-present
Api security-presentApi security-present
Api security-present
 
Lannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksLannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber Attacks
 
Letrungnghia-gopyluananm2018
Letrungnghia-gopyluananm2018Letrungnghia-gopyluananm2018
Letrungnghia-gopyluananm2018
 
Cyber Attacks on Financial _ Vikjava
Cyber Attacks on Financial _ VikjavaCyber Attacks on Financial _ Vikjava
Cyber Attacks on Financial _ Vikjava
 

Recently uploaded

ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...Neo4j
 
GraphSummit London Feb 2024 - ABK - Neo4j Product Vision and Roadmap.pptx
GraphSummit London Feb 2024 - ABK - Neo4j Product Vision and Roadmap.pptxGraphSummit London Feb 2024 - ABK - Neo4j Product Vision and Roadmap.pptx
GraphSummit London Feb 2024 - ABK - Neo4j Product Vision and Roadmap.pptxNeo4j
 
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Chris Bingham
 
IT Nation Evolve event 2024 - Quarter 1
IT Nation Evolve event 2024  - Quarter 1IT Nation Evolve event 2024  - Quarter 1
IT Nation Evolve event 2024 - Quarter 1Inbay UK
 
iOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostingeriOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostingerssuser9354ce
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Umar Saif
 
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...Product School
 
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31shyamraj55
 
Geospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriGeospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriSafe Software
 
Large Language Models and Applications in Healthcare
Large Language Models and Applications in HealthcareLarge Language Models and Applications in Healthcare
Large Language Models and Applications in HealthcareAsma Ben Abacha
 
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...ShapeBlue
 
Battle of React State Managers in frontend applications
Battle of React State Managers in frontend applicationsBattle of React State Managers in frontend applications
Battle of React State Managers in frontend applicationsEvangelia Mitsopoulou
 
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerCentralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerSaiLinnThu2
 
Relationship Counselling: From Disjointed Features to Product-First Thinking ...
Relationship Counselling: From Disjointed Features to Product-First Thinking ...Relationship Counselling: From Disjointed Features to Product-First Thinking ...
Relationship Counselling: From Disjointed Features to Product-First Thinking ...Product School
 
CloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlue
CloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlueCloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlue
CloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlueShapeBlue
 
AI improves software testing to be more fault tolerant, focused and efficient
AI improves software testing to be more fault tolerant, focused and efficientAI improves software testing to be more fault tolerant, focused and efficient
AI improves software testing to be more fault tolerant, focused and efficientKari Kakkonen
 
Building Bridges: Merging RPA Processes, UiPath Apps, and Data Service to bu...
Building Bridges:  Merging RPA Processes, UiPath Apps, and Data Service to bu...Building Bridges:  Merging RPA Processes, UiPath Apps, and Data Service to bu...
Building Bridges: Merging RPA Processes, UiPath Apps, and Data Service to bu...DianaGray10
 
My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceVijayananda Mohire
 
Act Like an Owner, Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner,  Challenge Like a VC by former CPO, TripadvisorAct Like an Owner,  Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner, Challenge Like a VC by former CPO, TripadvisorProduct School
 

Recently uploaded (20)

ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
 
GraphSummit London Feb 2024 - ABK - Neo4j Product Vision and Roadmap.pptx
GraphSummit London Feb 2024 - ABK - Neo4j Product Vision and Roadmap.pptxGraphSummit London Feb 2024 - ABK - Neo4j Product Vision and Roadmap.pptx
GraphSummit London Feb 2024 - ABK - Neo4j Product Vision and Roadmap.pptx
 
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
 
IT Nation Evolve event 2024 - Quarter 1
IT Nation Evolve event 2024  - Quarter 1IT Nation Evolve event 2024  - Quarter 1
IT Nation Evolve event 2024 - Quarter 1
 
iOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostingeriOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostinger
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
 
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
 
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
 
Geospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriGeospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & Esri
 
Large Language Models and Applications in Healthcare
Large Language Models and Applications in HealthcareLarge Language Models and Applications in Healthcare
Large Language Models and Applications in Healthcare
 
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...
 
Battle of React State Managers in frontend applications
Battle of React State Managers in frontend applicationsBattle of React State Managers in frontend applications
Battle of React State Managers in frontend applications
 
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
 
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerCentralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
 
Relationship Counselling: From Disjointed Features to Product-First Thinking ...
Relationship Counselling: From Disjointed Features to Product-First Thinking ...Relationship Counselling: From Disjointed Features to Product-First Thinking ...
Relationship Counselling: From Disjointed Features to Product-First Thinking ...
 
CloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlue
CloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlueCloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlue
CloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlue
 
AI improves software testing to be more fault tolerant, focused and efficient
AI improves software testing to be more fault tolerant, focused and efficientAI improves software testing to be more fault tolerant, focused and efficient
AI improves software testing to be more fault tolerant, focused and efficient
 
Building Bridges: Merging RPA Processes, UiPath Apps, and Data Service to bu...
Building Bridges:  Merging RPA Processes, UiPath Apps, and Data Service to bu...Building Bridges:  Merging RPA Processes, UiPath Apps, and Data Service to bu...
Building Bridges: Merging RPA Processes, UiPath Apps, and Data Service to bu...
 
My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial Intelligence
 
Act Like an Owner, Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner,  Challenge Like a VC by former CPO, TripadvisorAct Like an Owner,  Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner, Challenge Like a VC by former CPO, Tripadvisor
 

Ransomware is Knocking your Door_Final.pdf

  • 1. Ransomware is Knocking your Door ! Proactive Hardening and Defense Strategies Guillermo Diaz & Thirumalai Natarajan Security Transformation Services, Mandiant Consulting
  • 2. ©2021 Mandiant 2 Thirumalai Natarajan • Senior Manager – Consulting Services, Mandiant • Responding & Remediating to Security Breaches • Proactive Security Assessments • Built & Managed Security Operations Centers • Team Management & Business Development • Speaker at Blackhat Asia, BSides SG, Virus Bulletin, SANS Summit etc.
  • 3. ©2021 Mandiant 3 Guillermo Diaz • Principal Consultant– Consulting Services, Mandiant • Incident Response Remediation & Recovery • Active Directory & Cloud Connoisseur • Automate Everything • Ex Microsoft • Worked in South America, Middle East & Australia regions
  • 4. ©2021 Mandiant 4 What will We talk about Today • Ransomware Overview • Ransomware Trends in 2021 from Mandiant cases • Ransomware Attack Stages • Defense Strategies to Harden the Security Posture • Ransomware Remediation Stages • Prepare for Enterprise Password Resets
  • 6. ©2021 Mandiant 6 Active Directory Servers Ransomware is Evolving…  Ransomware is not what it used to be! • The term ‘ransomware’ traditionally refers to the malware used for encrypting files and entire systems • Evolved to indicate a category of financially-motivated attacks • Leverage extortion tactics to coerce victims into complying with demands • ‘Multifaceted extortion’ is a term starting to gain traction when discussing ransomware • Ransomware as a Service (RaaS) ransomware noun [ ran-suh m-wair ] malware that requires the victim to pay a ransom to access encrypted files 1 extortion noun [ ik-stawr-shuhn ] the practice of obtaining something, especially money, through force or threats. 1 Examples: Ryuk, Conti, BitPaymer, DoppelPaymer, Maze, etc. Example: The theft of data and demand for money in exchange for not publicly releasing the stolen data
  • 7. ©2021 Mandiant 7 Kerberoasting • Mainstream ransomware emerged in 2013 • Began affecting a limited number of systems • Morphed over time to impact entire organizations • Sophisticated actors perform targeted attacks • Human driven attacks delete backups and encrypt host infrastructure, reducing the chance of recovery • Ransomware as a Service (RaaS) lowers entry bar for less sophisticated actors • Multifaceted tactics become more widespread • Demanding payment with the promise not to release data to the public Evolution of Ransomware to Multifaceted Extortion Manual deployment by an attacker after they have penetrated an environment and have administrator-level privileges broadly across the environment.
  • 8. ©2021 Mandiant 8 2021 Ransomware Trends from Mandiant Cases • 21 Days – Average downtime experienced from a ransomware attack • The median number of days between initial compromise and ransomware deployment was 7 days; approximately a quarter of ransomware incidents occurred within 1 day of initial attacker access. • More than 85 percent of ransomware deployments occurred outside normal business hours, and 55 percent of incidents occurred between Thursday and Saturday. • In post-compromise ransomware incidents that Mandiant responded to in 2021, actors demanded a range of ransom fees starting at $44,999 USD and climbing to $20 million USD, with an average ransom demand of nearly $4 million USD.
  • 9. ©2021 Mandiant 9 Gaining Initial Access Method Phishing Exploiting vulnerable firewall, VPN appliances , Exchange Service, Web Servers Poorly configured internet facing services Credential stuffing and password spraying
  • 10. ©2021 Mandiant 10 Multifactor Authentication (MFA) MFA Types MFA Enforcement MFA Monitoring • App Codes • Hard / Soft Token based OTP • App Notification • “Push Notification” • SMS / Phone Call • Security Keys • External FIDO2 key • Built-in key • Apple / Android TouchID, Windows Hello • External Access • Portals (OWA / SSO) • VPN • Vendors • Remote Access Gateways • Internal Access • RDP • Jump Boxes • Interactive Logon • Applications • Device Registrations • Token Issuance • Failure Mode • Admin Access Gaining Initial Access
  • 11. ©2021 Mandiant 11 • MFA Methods Most Susceptible to Phishing (Session Cookie Theft) • SMS • Phone Call • Push Notifications MFA Methods • Why is FIDO2 / WebAuthN Effective Against Phishing Attacks? • The WebAuthn Client (browser) compares the domain name with the Relying Party Identifier (RP ID) of the public keys in the FIDO2 security key. • If a domain string matches, it can be used as a method to authenticate. • Spoofed domain = No Match for authentication (even if a user attempts to authenticate using the FIDO2 device) Risk: Users accepting push notifications & validating malicious sessions Gaining Initial Access
  • 12. ©2021 Mandiant 12 Password Policies Existing Password Policies •Single Password Policy •Multiple Password Policies Fine Grained Password Policy •Privileged Accounts •Service Accounts Policy Account Type Standard User Privileged User Service Account Account Lockout Duration 30 minutes 0 (indefinite) 0 (indefinite) Account Lockout Threshold 10 attempts 5 attempts 5 attempts Enforce Password history 24 passwords 24 passwords 24 passwords Maximum Password Age 90 days 60 days 120 days Minimum Password Age 1 day 1 day 1 day Minimum Password Length 15 characters 20 characters 30 characters Complexity Enabled Enabled Enabled Reset Lockout Counter After 30 minutes 30 minutes 30 minutes Reversible Encryption Disabled Disabled Disabled Gaining Initial Access
  • 13. ©2021 Mandiant 13 • Enforce Password Protections by filtering common and weak passwords • Maintain custom banned password lists • Eliminate Weak Passwords in the cloud and on-prem • Azure AD Password Protection detects, and blocks known weak passwords and their variants and can also block additional weak terms that are specific to your organization. Password Protection https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises Gaining Initial Access
  • 14. ©2021 Mandiant 14 Office Hardening Macro Restrictions • Block macros in files from internet Trust Center Hardening • Dynamic Data Exchange (DDE) • Security Advisory 4053440 • Trusted Documents • Trusted Locations • File Block Settings • Protected View • Automatic Links Object Linking and Embedding (OLE) • Block additional file extensions for OLE Embedding (ex: py;rb) • OLE package activation behaviors • No prompt, Object will not execute Legacy File Blocking • Block “old” MS Office file formats Gaining Initial Access
  • 15. ©2021 Mandiant 15 Additional Defense Controls • External scanning to identify open administrative ports • Educate users awareness and Conduct Phishing Simulation exercise • Robust Patching process • Sandboxing Attachments and Web Links in the emails • Harden perimeter device configuration Gaining Initial Access
  • 16. ©2021 Mandiant 16 Credential Harvesting Method LSA Process Dump Extracting NTDS.DIT Kerberos Ticket Dumping Extracting Passwords from browser Kerberoasting Azure AD Connect, ADFS , ADCS compromise
  • 17. ©2021 Mandiant 17 Tiered Admin Model • Objective = prevent Credential harvesting and privilege escalation in AD • Reduce the exposure of privileged credentials amongst tiers • Accounts of a lower tier should not be able to control systems, applications, or other accounts in a higher tier (and vice versa) • Auth Policies / Silos, user rights Assignment Settings Tier 0 Definition Tier 0 assets are the accounts, groups or other assets that have direct or indirect administrative control over the AD forest & domain, AD domain controllers, PKI, Identity or that have a direct or indirect administrative control over other assets that do. Credentials Harvesting
  • 18. ©2021 Mandiant 18 Credentials Protections in Endpoints Credentials Protection • WDigest Authentication • GPO – “MS Security Guide” ADMX template or registry key: requires KB2871997 (released in 2014) • Default disabled in Windows 8.1 / 2012R2 (and higher) • Windows Credential Manager • Disable and Enforce in GPO • "TokenLeakDetectDelaySecs" registry key • Clears credentials of logged off users after 30 seconds, mimicking the behavior of Windows 8.1/ 2012R2 (and higher) Credentials Stored in memory • Interactive Logon • Remote Desktop (RDP) Logon • PSExec with explicit credentials • Batch logon (scheduled tasks) • Running Services • RunAs (New Credentials) • PowerShell Remoting w/ CredSSP  Memory (LSASS process)  Local Accounts in SAM Database  Cached Credentials in Registry Credentials Harvesting
  • 19. ©2021 Mandiant 19 • LSA Protection for LSASS • Signature Verification • MSFT SDLC adherence • Prevents Reading Memory and Code Injections in LSASS • Windows 8.1 / 2012R2 (and higher) • Enabled w/ “RunAsPPL” registry key • Audit Mode : Trigger Events • Virtualization-based isolation technology for LSASS which prevents attackers from stealing credentials • Splits Local Security Authority Subsystem Service to two processes: • the normal LSA process • The isolated LSA process (which runs in VSM = Lsalso.exe). • Tools that recover secrets from LSA not able to access the isolated LSA process • Windows 10 / Server 2016 • Virtual Secure Mode (VSM) LSA Protection Credential Guard Credentials Protections in Endpoints Credentials Harvesting
  • 20. ©2021 Mandiant 20 Restricted Admin RDP Protected Users Group must use Restricted Admin RDP Limits in-memory exposure of admin credentials on destination endpoint accessed using the Remote Desktop Protocol (RDP) Authenticating account must be administrator on destination Credential user account not stored in memory; rather the context of the user account appears as the destination machine account (domaindestination-computer$). Client Mode (Source) - Windows 7 or Windows Server 2008 R2 (and above) Server Mode (Destination) – Windows 8.1 or Windows Server 2012 R2 (and above) Credentials Harvesting
  • 21. ©2021 Mandiant 21 Remote Credential Guard • With Remote Credential Guard, all credentials remain on the client (origination system) – and are not directly exposed to the destination endpoint. Instead, the credentials remain on the source endpoint - and the destination endpoint requests Service Tickets from the source as needed Credentials Harvesting
  • 22. ©2021 Mandiant 22 Service Principal Name Hardening • Ensure that accounts assigned an SPN have complex / hardened passwords (which cannot be easily cracked or brute-forced) • Configure service accounts to support AES 128-bit / AES 256-bit encryption • If AES is enabled on the KRBTGT account and TGTs are still issued with RC4 encryption – ensure the KRBTGT account’s password was changed after DFL upgrade to 2008+. DFL is 2008 or higher, the KRBTGT account will always default to AES encryption. For all other account types (user and computer) the selected encryption type is determined by the msDS-SupportedEncryptionTypes attribute on the account Kerberoasting Attack Credentials Harvesting
  • 23. ©2021 Mandiant 23 Privilege Escalations Method Privileged Credentials/Tickets - Pass the Hash/Pass the Ticket Abusing Delegations Vulnerability exploitation- Zero logon, NTLM relay Attacks Abuse SANS attribute in Certificates DS Replication Permissions Stealing Token Signing certificate from ADFS
  • 24. ©2021 Mandiant 24 Limit identities with Privileges in Domain Controller • Schema Admins • Enterprise Admins • Domain Admins • Administrators • Account Operators • Backup Operators • Cert Publishers • DNS Admins • Printer Operators • Server Operators • Organization Management • AdminSDHolder is an object in Active Directory to provide “template” permissions for protected accounts and groups. • Security Descriptor Propagator (SDProp) is a process to apply this ACL template to all “protected groups” Privileged Groups Admin SD Holder Container • DSRM Administrator • Administrator(RID 500) • KRBTGT Privileges defined through GPOs • Restricted Groups • User rights Assignment Settings Built-in Privileged Accounts Privilege Escalations
  • 25. ©2021 Mandiant 25 DS Replication permissions • Combination of two permissions: DS-Replication-Get-Changes DS-Replication-Get-Changes-All • Allows a principal to remotely retrieve NT hashes via the MS-DRSR protocol for any security principal • Review Identities with this permissions Roles that (by default) that have these permissions: • Domain Controllers • BUILTINAdministrators (DCs) • Domain Admins • Enterprise Admins • AD DS Connector account (eg. MSOL_ ) Privilege Escalations
  • 26. ©2021 Mandiant 26 Protected Users Group Automated Protections • Kerberos ticket granting ticket (TGT) expires after 4 hours • Cached credentials are blocked • DC must be available to authenticate the account • Plaintext passwords are not cached for • Windows Digest authentication or • default credential delegation (CredSSP) • NTLM one-way function (NTOWF) is blocked. • Kerberos pre-authentication (Server 2012 R2 or higher) • DES and RC4 not used • AES encryption enforced • Accounts cannot be used for • constrained or unconstrained delegation • Requires Domain Functional Level 2012R2 Add all the privileged user accounts to the protected User groups Privilege Escalations
  • 27. ©2021 Mandiant 27 1.“Account is sensitive and cannot be delegated” • Configure this for the privileged accounts 2.“Enable computer and user accounts to be trusted for delegation user right” (GPO) • Determines which users can set the Trusted for Delegation setting (SeEnableDelegationPrivilege) on a user or computer object 3. Disable TGTDelegation across two-way trust links 4. Don’t enable Unconstrained delegations Hardening Kerberos Delegation Privilege Escalations
  • 28. ©2021 Mandiant 28 Service Accounts Hardening Restrict logon capabilities • Deny log on through Remote Desktop • Deny log access to this computer from the network • Deny log on locally Restrict logon to specific hosts in AD Users & Computers • Logon Workstations Setting Standard Managed Service Accounts (MSA) • Account is associated with a single endpoint • Set with a complex (120 character) password managed and changed on a pre-defined frequency (30 days by default) Group Managed Service Accounts (gMSA) • Introduced with Windows Server 2012 • gMSAs are very similar to MSAs, but they allow for a single MSA to be leveraged across multiple endpoints. Privilege Escalations
  • 29. ©2021 Mandiant 29 Lateral Movements / Ransomware Deployment Method Deploying Ransomware through GPO Remote Executions – PSExec, SC.exe, WMI, Powershell Lateral movement through SMB, WinRM Local Admin account Schedule task Compromising SCCM or WSUS servers
  • 30. ©2021 Mandiant 30 • Identity / Trust • 802.1x and related • VPN Authentication • IP Address • MAC Address • Visibility • NetFlow • ACL / FW / Proxy Logging • Endpoint Agent Logging • Isolation • Physical topology • VLANs, WLANs & PVLANs • VRFs, MPLS VPN • GRE / IPSec / DMVPN • Policy Enforcement • Firewall technologies • Access Lists (ACL’s) • Intrusion Preventions Systems Network Segmentation Protect critical intellectual property from unauthorized applications or users Prevent lateral movement throughout the network Lateral Movement/Ransomware Deployment
  • 31. ©2021 Mandiant 31 Harden Lateral Paths – Between Endpoints • Block inbound access to systems using Windows Firewall or 3rd Party Endpoint technology (e.g., AV) • SMB (TCP/445, TCP/135, TCP/139) • Remote Desktop Protocol (TCP/3389) • Windows Remote Management / Remote PowerShell (TCP/80, TCP/5985, TCP/5986) • WMI (dynamic port range assigned through DCOM) netfirewall set rule group="remote desktop" new enable=Yes netsh advfirewall firewall tsh advfirewall set rule group="File and Printer Sharing" new enable=Yes Lateral Movement/Ransomware Deployment
  • 32. ©2021 Mandiant 32 Common administrative and hidden shares on endpoints include: • ADMIN$ • C$ • D$ • IPC$ Disable Admin/Hidden Shares Containment Action Lateral Movement/Ransomware Deployment
  • 33. ©2021 Mandiant 33 Local Administrator Password Solution • Unique password for the built-in administrator or custom account for each computer object • Password is randomly generated on a defined interval (30-days etc.) • Password is stored within AD for each computer object • ms-Mcs-AdmPwd • Password is securely transmitted to endpoints via AES encryption and Kerberos v5 protocol Harden Local Admin Account Limit Local Admin account for lateral movement • To mitigate the usage of local administrative accounts from being used for lateral movement, utilize the SID “S-1-5-114: NT AUTHORITYLocal account and member of Administrators group” within the following settings: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment • Deny access to this computer from the network (SeDenyNetworkLogonRight) • Deny log on as a batch job (SeDenyBatchLogonRight) • Deny log on as a service (SeDenyServiceLogonRight) • Deny log on through Terminal Services (SeDenyRemoteInteractiveLogonRight) • Debug Programs (SeDebugPrivilege – permission used for attempted privilege escalation and process injection) Containment Action Lateral Movement/Ransomware Deployment
  • 34. ©2021 Mandiant 34 • Review and Remove standard groups and accounts that were configured with edit permissions for various GPOs in Domain controller Review Group Policy Objects Edit Permissions PS> $GPOPermissions = Foreach ($GPO in (Get-GPO -All )) { Foreach ($GPOPermissions in (Get-GPPermissions $GPO.DisplayName -All )) { New-Object PSObject -property @{GPO=$GPO.DisplayName;Users=$GPOPermissions.Trustee.Name;Permission=$GPOPermission s.Permission} } } PS> $GPOPermissions | Select GPO,Users,Permission Lateral Movement/Ransomware Deployment
  • 35. ©2021 Mandiant 35 Destroy Backups Method Delete Volume Shadow copy Destroy VM Snapshots Abusing Backup Software APIs Delete Cloud storage files
  • 36. ©2021 Mandiant 36 Protect Backups from Ransomware encryption Ransomware operators often encrypt and destroy all organization’s backups before launching their attack. This increases the likelihood that an organization will pay the ransom. Create backup standards that includes, • Implement immutable backups to prevent unauthorized access to, deletion and encryption • Follow the 3-2-1 backup strategy. This means storing three copies of data, on two devices, and one offsite. • Maintain at least one copy of offline storage • Continue using Backup encryption at-rest and in-transit where applicable • Consider increasing the backup retention policy • Require MFA for backup deletion requests and access requests • Segmenting backup servers and restricting both inbound and outbound network traffic • Ensure that backup administrator related passwords are unique and strong by storing them in a privileged access management solution Destroy Backups
  • 37. ©2021 Mandiant 37 Monitoring Backup Operations – Use Case & Playbook Create alerts to indicate an attacker or malicious insider tampering with backups. • Mass deletion of backups or metadata • Deletion of Volume Shadow copies • Failed backup jobs • Unexpected configuration changes in Backup Servers • Deletion of VM Snapshots • Unauthorized access attempts to backup servers • Critical backup services stopped • PowerShell with command line win32_shadowcopy • leveraging native Windows utilities by adversaries to disable or delete system recovery features like vssadmin.exe, bcdedit.exe, wbadmin.exe, wmic shadow o Wmic.exe with command line shadowcopy delete o Vssadmin.exe with command line resize shadowstorage • Cloud Storage deletion activities Destroy Backups
  • 38. ©2021 Mandiant 38 Disable OneDrive synchronization Disable OneDrive synchronization on endpoints to minimize the impact of encrypted files and ransom notes being automatically synced to OneDrive cloud storage Block OneDrive file syncing to a specific Tenant ID of the impacted organization: • Step 1 :Computer Configuration > Policies > Administrative Templates > OneDrive > Allow syncing OneDrive accounts for only specific organizations Disabled | Not Configured • Step 2 : Computer Configuration > Policies > Administrative Templates > OneDrive > Block syncing OneDrive accounts for specific organizations Enabled Specify a TenantID for blocking synchronization • The TenantID can be found in the Directory ID box of the Properties page in Azure Active Directory Containment Action Destroy Backups
  • 39. ©2021 Mandiant 39 Ransomware Recovery Validation Recovery Detailed Configuration Design Documents Purchase Cyber Security Insurance Purchase a Cyber Security Retainer Robust Ransomware Recovery Plan Regular Testing of Recovery Plan Ransomware Recovery Playbook Develop Communications Plan Destroy Backups
  • 40. ©2021 Mandiant 40 Data Exfiltration Method Cloud Sync- MegaSync, OneDrive, DropBox, pCloud Microsoft BITS Remote Management Solutions – AnyDesk, TeamViewer FTP, SFTP, RoboCopy services
  • 41. ©2021 Mandiant 41 Defense & Detection – Data Exfiltration • Robust Monitoring of egress traffic that includes transfer rate/ upload size • Enable and Monitor Net Flow Logs • Identify crown jewel data and enable stringent defense controls • Data classification and leakage prevention (DLP Solution) • Prevent execution and installation of file sharing utilities megaSync, pCloud • Block Remote Management Solutions such as anydesk, teamviewer etc. Data Exfiltration
  • 42. ©2021 Mandiant 42 Ransomware Remediation Stages
  • 43. ©2021 Mandiant 43 Ransomware Remediation Stages Part 1 - Remediate the current incident 1. Containment - Take actions to disrupt attacker activities, monitor, harden and remove the attacker from a sensitive system or network segment to regain control of the affected environment. 2. Restoration - Take actions to restore encrypted endpoints, applications, and services, to reestablish business functionalities. 3. Eradication - Remove an attacker from the environment and implement security improvements to inhibit the attacker from quickly regaining access to the environment. Should be performed in a concise and coordinated manner hour window. Part 2 - Improve the organization’s security posture 4. Security Enhancement - Enhance the security posture of the organization (e.g., process improvements, privileged account management, network re-architecture) Containment Restoration Eradication Strategic Enhancements The four phases of remediation are organized in two parts:
  • 44. ©2021 Mandiant 44 Prepare for Enterprise Password Resets
  • 45. ©2021 Mandiant 45 Prepare for the Enterprise Password Reset
  • 46. ©2021 Mandiant 46 Thanks for Listening ! Thirumalai Natarajan @Th1ruM www.linkedin.com/in/thirumalainatarajan Guillermo Diaz www.linkedin.com/in/gmodiaz/