Aon Ransomware Response and Mitigation Strategies
Prepared by Aon’s Cyber Solutions Group
Proprietary and Confidential
Elizabeth Martin – Manager, Security Advisory Practice
Ransomware Response and Mitigation Strategies: A Practical Approach
Aon’s Cyber Solutions
Proprietary & Confidential
Agenda
Introduction
Industry News
Aon’s Client Experiences
Aon’s Digital Forensics and Incident Response Activities
Aon’s Pro-Active Mitigation Strategy Development
What Does the Future Hold?
Proactive Security Advisory
Elizabeth Martin
Manager
Chicago, IL
E: Elizabeth.M.Martin@aon.com
P: +1 312.646.7358
EDUCATION: B.S. – Electronics Engineering Technology
Elizabeth Martin has over 20 years of experience in the Information Security, Compliance, and Risk Management industry and 25 years in Information Technology. Ms. Martin evaluates the challenges associated with protecting an organization’s assets while offering improvements that will support growth, improve operational efficiencies, meet compliance requirements, and mitigate risk. Ms. Martin has extensive experience in the Fortune 500 automotive, retail, financial, healthcare, government, and managed security services verticals.
Expertise highlights include Information Security and Risk Management Program Development, Information Security and Risk Management Assessments, Program Development, and Workshops, Regulatory Compliance Analysis, Implementation, and Management, as well as Policy and Procedure Development.
In her capacity at Aon, Ms. Martin proactively helps organizations assess and manage their risk in accordance with their business requirements. She performs holistic Security Risk Assessments for clients that involve evaluating enterprise risks, including assessment of security architectures, policies, and governance.
Aon Services: DFIR and Pro-Active Advisory Overview
* Includes former Head of the Cyber Division at FBI Headquarters and former founder of the FBI’s computer crime squad in New York
The Costs are Increasing
[Charts: Global Data Breach Cost per capita, by industry (measured in US$); Impact of the top 22 factors on the per capita costs]
Mean Time to Contain (MTTC) a breach: 69 days
For the fourth year, Ponemon’s study shows the relationship between how quickly an organization can contain data breach incidents and financial consequences.
What Does This Mean For Our Clients?
Board of Directors: What are we doing about Cybersecurity and ransomware? What is our strategy?
CEO: What are we doing about Cybersecurity? Do we have a strategy for ransomware? We’re doing things about this Cybersecurity, right?
CISO: Yes of course! We’re doing all these things!!
Increased attention from the Board of Directors
Driving accountability at the C-Level
CISOs facing increased scrutiny and/or requesting 3rd Party Assistance
5 of my last 6 Security Risk Assessments were driven by the BoD
Security and IT Teams are still challenged
Varying degrees of diligence, tools, practices, risk management, etc.
The Challenges We Face
CISO: We are doing enough, right? Is everything I put in place working? Team, we’re doing all the things, right?
Security Team: NOOO!!! WE’RE NOT DOING ENOUGH!! THE SKY IS FALLING!!!!
CISO: IT – You are doing all the things, right?
IT: Uhhh…my hair is on fire with new deployments, acquisitions, outages, but we’re trying!!!
3 Months Later….
Aon DFIR Team: Do you have an EDR Solution? Do you have Logs? Do you have a list of systems? Can we access the SIEM? Do you have a SIEM?? How do we deploy IoC Detection?
Here We Are: Not So Exact Numbers
Prior to summer of 2019 we saw one or two ransomware cases per month
Summer of 2019 we saw something like 5 or 6 cases in a 10 or 15 day period
They continue to come in on a regular basis
We typically only see catastrophic cases
Most cases contain common attack vectors and malware strains
Aon DFIR: Engagement Overview
Forensic acquisition of systems and host-based forensic analysis
Malware analysis
Log analysis: Firewalls; Threat Detection; Active Directory; All Available Logs
Network Monitoring: Deploy Open Source tools if none available
Malware Protection triage and review
IoC scanning via LIMA (Proprietary Tool) and other tools as available
O365 / Email log collection and analysis
Dark web threat intelligence
Law enforcement engagement
Note: Cyber Insurance and ransomware payments are typically conducted outside of DFIR and Pro-Active purview. We are nearly always engaged through the client’s attorney under privilege
Aon DFIR: Engagement Overview By The Numbers
SAMPLE – Overview of Efforts
397 systems (99 servers, 298 workstations) identified as infected
613 potential attacker IP addresses blocked
5 strains of malware identified
3000+ malware samples identified
530+ LIMA Scans
1200+ Linux Scans
Inoculations (“kill switch”) deployed for Trojans (used to harvest credentials and propagate ransomware)
The above reflects a smaller environment; we have responded to environments with 2000+ affected machines
Aon DFIR: Anatomy of an Attack - Response Activities
Infection Vector:
Initial infection vector often not confirmed; a phishing email with a malicious link/attachment is most likely.
Often see IoCs dating back years, reducing the ability to tie them to the incident timeline
Multi-Stage Malware Deployment:
Attacks generally followed the typical pattern of multi-stage malware deployment, leading to ransomware infection
Multiple Emotet, Trickbot, Dridex, and Ryuk infections observed
Aon DFIR: Anatomy of an Attack - Response Activities
Lateral Propagation
Attackers harvest credentials and create backdoors
Attackers map the network and use compromised accounts to propagate malware broadly
Remote shells / Meterpreter deployed to escalate privileges and create backdoors on machines
Attackers gain access to admin-level accounts and domain controllers to deploy malware across the environment
Most lateral propagation occurs through remote administration tools such as PowerShell, Named Pipes, RDP, etc., and goes largely undetected and uncontrolled
Aon DFIR: Anatomy of an Attack - Response Activities
Lateral Propagation (Cont’d)
Limited network segmentation, choke points, and visibility to restrict SMB and remote Windows administration traffic
Clear evidence of “hands on keyboard” attacker activity, typically 3-4 weeks in advance of ransomware payload execution
Attackers typically obtain a host list as part of reconnaissance activity, including identification of backups, Domain Controllers, etc.
Containment Efforts
In most cases, at this point, the ransomware has spread rapidly and many systems are down – both endpoints and servers. In some cases certain environments are not affected
SMB traffic is quickly restricted to the best of the capabilities available, usually with on-the-fly router ACLs (because the network is flat) combined with on-the-fly firewall rules
Aon DFIR: Anatomy of an Attack - Response Activities
Containment Efforts
Overall – TANGO DOWN within a 2-3 day timeframe. Business functions have halted; we have seen cases where employees are simply asked not to work. Some IT folks are going to BestBuy, laying down an AmEx and buying all available workstations (Procurement services are not available)
3-7 days later, infections continue if a successful containment strategy has not been deployed
Often see reinfections of the same machines due to a lack of system hardening, host-based controls, configuration management practices, or network segmentation, or inadequate / ineffective malware protection
Malware Protection may not automatically detect IoCs; custom signatures must be deployed, assuming the Malware Protection console is available and not affected by the ransomware
Containment strategies using Windows tools such as SCCM, AppLocker, Windows Defender, etc. are restricted by the limitation of SMB traffic
Aon DFIR: Anatomy of an Attack - Response Activities
Containment Efforts
In some cases the attacker directly accessed the backup console and deleted backups; in other cases the backups were simply not functioning, which had gone unnoticed
In many cases the client does not maintain Asset Management solutions or network diagrams, or if they do they are unavailable due to the ransomware, further complicating response and increasing the timeline for containment
Obtaining access to tools, deploying Aon tools where visibility is lacking, and the overall availability of fundamental information and systems significantly increase the timeline of containment
Aon DFIR: Anatomy of an Attack - Response Activities
Containment Efforts Realized!
Our Malware Analysis team is able to identify specific IoCs, lateral propagation methods, etc. Our DFIR team has become accustomed to deploying containment solutions in some of the most challenging environments
In many cases our DFIR team requests deployment of an EDR tool, which seems to be the most effective
Specific host-based controls are deployed depending on the environment and tools available. This includes EDR, Malware Protection, and any additional tools in place that can block IoCs and allow for rebuild, restore, recovery, etc.
Log Analysis and Monitoring is in place to immediately alert on all IoCs
Network-based restrictions are slowly lifted, in a phased approach, once it is confirmed the containment strategy is successful
Aon DFIR: Anatomy of an Attack – Eradication
Eradication
While the spread of the ransomware may be contained, there are still many items to consider on an ongoing basis, such as the following:
Diligence in eradication measures – do not reintroduce infected machines to the network
Establish a safe practice for data recovery, including paying the ransom and restoring data
Ensure there is a sound set of protective controls to prevent subsequent infection vectors (e.g. phishing protection, advanced threat, etc.)
Data Exfiltration
While the incident may be contained, there should be an ongoing effort to conduct Deep / Dark Web searches to identify data exfiltration
Aon Pro-Active Advisory: Engagement Status
Containment has been achieved through a collaboration between Client and our DFIR team
Client has not yet fully recovered
Additional Pro-Active Mitigation Strategies need to be developed to further strengthen detection, prevention, and response capabilities
Aon Advisory: Pro-Active Ransomware Mitigation Strategy
Establish Threat Profiles, Network Baseline, Enhance Chokepoints
Whiteboard the environment and gather a threat profile of the following:
User profiles
Location Profiles
Establish Network Baseline and Chokepoints
Develop Network Reference Architecture
Develop Traffic Profiling
[Diagram: Network Reference Architecture – Internet and Cloud Services (AWS); remote locations (retail locations with POS and retail back office, small office, campus) connected over WAN/VPN through router and Firewall / UTM to the core infrastructure; Primary Data Center and Backup Data Center infrastructure hosting business apps / ERP, pre-prod, management, security tools, RDC/file servers, backups, e-commerce, middleware, development, and a separate backup network; O365; users at each location]
Aon Advisory: Pro-Active Ransomware Mitigation Strategy
Traffic Baselining
Restrict network traffic based on user and location threat profiles
Keep SMB traffic localized
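As an added example (not code from the Aon deck), the following Python checks firewall flow records against a per-site baseline and flags SMB, RDP and WinRM connections that leave their source site, the kind of cross-site Windows administration traffic the lateral propagation slides describe and that this slide says to keep localized. The site subnets, the jump-host allow-list and the flow log format are all constructed assumptions.

```python
"""Flag Windows admin-protocol flows (SMB 445, RDP 3389, WinRM 5985/5986)
that cross a site boundary, against a constructed per-site baseline."""
import ipaddress
from collections import Counter

ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}

# Constructed location baseline: one subnet per site (hypothetical values).
SITES = {
    "campus": ipaddress.ip_network("10.10.0.0/16"),
    "retail-42": ipaddress.ip_network("10.42.0.0/24"),
    "datacenter": ipaddress.ip_network("10.100.0.0/16"),
}
# Hosts permitted to use admin protocols across sites (constructed jump host).
CROSS_SITE_ALLOWED = {ipaddress.ip_address("10.100.5.10")}

def site_of(ip):
    """Map an address to its site name from the baseline, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SITES.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow(line):
    """Constructed flow format: '<ts> src=<ip> dst=<ip> dport=<port> action=<a>'."""
    fields = dict(f.split("=", 1) for f in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"])

def find_lateral_flows(lines):
    """Return (src, dst, proto, src_site, dst_site) for admin flows crossing sites."""
    hits = []
    for line in lines:
        src, dst, port = parse_flow(line)
        if port not in ADMIN_PORTS:
            continue  # not a remote-administration protocol we baseline
        s_site, d_site = site_of(src), site_of(dst)
        if s_site != d_site and ipaddress.ip_address(src) not in CROSS_SITE_ALLOWED:
            hits.append((src, dst, ADMIN_PORTS[port], s_site, d_site))
    return hits

def noisiest_sources(hits, top=3):
    """Sources with the most cross-site admin flows: first hosts to triage."""
    return Counter(h[0] for h in hits).most_common(top)

SAMPLE_FLOWS = [  # constructed sample flow log lines
    "2019-08-01T02:11:03 src=10.10.4.21 dst=10.10.4.22 dport=445 action=allow",
    "2019-08-01T02:11:09 src=10.10.4.21 dst=10.42.0.15 dport=445 action=allow",
    "2019-08-01T02:11:10 src=10.10.4.21 dst=10.100.1.5 dport=3389 action=allow",
    "2019-08-01T02:11:12 src=10.100.5.10 dst=10.42.0.15 dport=5985 action=allow",
    "2019-08-01T02:11:15 src=10.42.0.15 dst=10.100.1.5 dport=443 action=allow",
]

if __name__ == "__main__":
    for src, dst, proto, s_site, d_site in find_lateral_flows(SAMPLE_FLOWS):
        print("cross-site %s: %s (%s) -> %s (%s)" % (proto, src, s_site, dst, d_site))
```

The same check, with the baseline widened to "allow" entries from the firewall rather than a hard-coded list, is what a phased lifting of the containment ACLs can be measured against.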
Aon Advisory: Pro-Active Ransomware Mitigation Strategy
Understand Current and Planned Security Controls
Gather current, planned, and recommended security controls related to the following:
Mobile Device Controls
Endpoint Controls
Email / Browsing
Perimeter Controls
Server / Identity Management
Security Analytics
Overlay Controls to a general “Anatomy of an Attack”
[Diagram: Security Reference Architecture – controls overlaid on the Anatomy of an Attack. Infection Vector: Email / Browsing (email filtering, URL filtering), Perimeter Controls (firewall, advanced threat, VPN, SDN, DDoS, WAF, IPS), Mobile Device Controls (corporate device, BYOD device, MDM, wireless controls), Cloud and E-commerce. Endpoint Controls: corporate endpoint with EDR / malware protection, configuration management, patching, Windows Defender, AppLocker, LAPS. Lateral Propagation – Server / Identity Management: identity, directory, server, EDR, PAM, application whitelisting, configuration management, patching. Security Analytics: vulnerability management, dark web search, threat intelligence, SIEM, traffic baselining, 24x7 monitoring, backup protection, insider threat. Threat sources shown: malware, malicious actor.]
[Diagram: Anatomy of an Attack kill chain – Infection Vectors (phishing, malicious website), Propagation (credential harvesting, API hooking, lateral movement, command and control, persistence, rootkit, botnet), Payload (ransomware, data exfiltration), plus Insider Threat; example controls mapped to each stage: Proofpoint, URL filtering, Palo Alto firewall / WildFire, Palo Alto IPS, Carbon Black host based controls, Thycotic host based controls, Microsoft ATA, Cortex XDR, Backstory (Google), Tenable, dark web search, threat intelligence, network segmentation, backup protection, 24x7 monitoring, Security Analytics]