Glasswall - How to Prevent, Detect and React to Ransomware incidents
1. How to prevent, detect
and react to
Ransomware incidents
29th June 2020
Dinis Cruz
CISO and SVP Engineering
2. Ransomware
Incident
React: What should the focus be during and
after an incident so that the business and
customer impact of the incident is minimised?
Detect: Once you are a victim of an attack,
what techniques can you use to gain an
advantage over the malicious behaviour? (which will
dramatically reduce the impact of the attack)
Prevent: What are the most effective solutions
(people, process and technology) that help with
preventing Ransomware incidents?
3. Public/Media sequence of events
Stage 1
⁄ Breaking news
⁄ What happened?
Stage 2
⁄ Storytelling
⁄ Make it personal (attackers and victims)
Stage 3
⁄ Crisis Analysis
⁄ Aftermath
Stage 4
⁄ Anniversary stories
The final version of the ‘incident story’ will depend on how you behaved during the incident
4. How you react and behave!
...before, during and after the event...
is more important
...to your customers, employees and regulators...
than `what happened?`
5. With Ransomware - what are you protecting?
⁄ Confidentiality - Don’t play this game
⁄ Integrity - So far we have been lucky
⁄ Availability - This is what it is all about
Focus on restoring Availability of your Data and Operations
⁄ Customer Data
⁄ Employee Data
⁄ Server Availability
⁄ Backups
⁄ Business Operations
⁄ Customer Trust
⁄ Compliance
6. Key activities covered in this presentation
⁄ Prevent files from reaching users - Reduce quantity of Patient Zero
⁄ Network Segmentation - Reduce Blast Radius
⁄ Endpoint protection - Block Propagation and Detonation
⁄ User Education - Reduce Payloads Activated
⁄ Incident Response Playbooks - Prepare and Rehearse Response
⁄ Asset Protection - Reduce Impact
⁄ Application Catalogue - Understand Attack Surface
⁄ Situational Awareness (SOC) - See What is Happening
⁄ Incident Response Team - Respond to Events
⁄ Immutable Infrastructure - Reduce Targets
⁄ Everything as Code - Automate Recovery
13. User Stories
As a CISO
I don’t want to worry
That my security defences
Rely on users not to
Open and Execute files
As a User
I don’t want to worry
That the file that I want to open is
Going to be Malicious
As a CISO
I don’t want my users
To focus on Security
And to have Security Skills
(since that doesn’t scale)
As a User
I want to focus on my Job
And be able to open all files
Sent to me in a Safe way
14. Reducing quantity of Patient Zero
⁄ Patient zero is the first device that executes malicious code
⁄ Reducing the number of Patient Zeros is an effective solution that
balances usability, business risk and business impact
⁄ Augment solutions that are hard to scale
○ User Education
○ Network Segmentation
○ Endpoint protection
⁄ Common infection points
○ Email
○ Downloaded files
○ Compromised installers of ‘benign’ applications
15. Why are Office/PDF files used to infect Patient Zero
⁄ Users open these files every day
⁄ Users need these files to do their work
⁄ Preventing users from accessing these files will cause significant
business disruption
⁄ Users have been trained to open files (and click on links)
⁄ Office and PDF files have ‘built-in’ dangerous functionality
(for example: macros or JavaScript execution)
⁄ Office and PDF files are very complex file formats
(reader apps historically have been vulnerable to buffer overflows)
16. How to prevent malicious files from reaching Patient Zero
3 technologies that work (when used together)
○ Anti-Virus
○ Detonation Chambers (Sandboxing)
○ Content Disarm and Reconstruction (CDR)
Antivirus = Identify Known Bad
Detonation Chambers (Sandboxing ) = Identify Unknown Bad
CDR (Content Disarm and Reconstruction) = Rebuild into Known Good
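To make the "Rebuild into Known Good" idea concrete, here is an added example in Python; it is not Glasswall's CDR engine and not code from the talk. A real CDR product parses every structure of the file and regenerates it to specification; this minimal version handles only the macro case named above: it copies a .docm part by part into a fresh zip, drops the VBA parts, removes the relationship that points at them and switches the main content type back to the macro-free one, so the document's visible content survives and the active content does not. The sample .docm is constructed inline (the OLE header plus filler stands in for a real VBA project); the OOXML identifiers are the standard ones.

```python
from __future__ import annotations

import io
import re
import zipfile

# Standard OOXML identifiers (nothing Glasswall-specific): the main-part content
# type Word uses for macro-enabled documents, its macro-free counterpart, and
# the relationship type that points at the VBA project.
MACRO_MAIN_CT = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_REL_TYPE = b"http://schemas.microsoft.com/office/2006/relationships/vbaProject"

# Parts inside a .docm container that carry VBA code or its metadata.
ACTIVE_PARTS = {"word/vbaProject.bin", "word/vbaData.xml", "word/_rels/vbaProject.bin.rels"}


def has_active_content(ooxml: bytes) -> bool:
    """True if the container still holds any VBA part."""
    with zipfile.ZipFile(io.BytesIO(ooxml)) as zf:
        return any(name in ACTIVE_PARTS for name in zf.namelist())


def read_part(ooxml: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(ooxml)) as zf:
        return zf.read(name)


def disarm_docm(docm: bytes) -> tuple[bytes, list[str]]:
    """Rebuild a .docm as a macro-free .docx.

    Every part is copied into a freshly written zip (so stray zip metadata is
    not carried over), the VBA parts are dropped, the relationship that points
    at them is removed and the main content type is switched back to the
    non-macro one so Word will open the result as an ordinary .docx.
    Returns (docx_bytes, removed_part_names); rename the output to .docx.
    """
    removed: list[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docm)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            if name in ACTIVE_PARTS:
                removed.append(name)
                continue
            data = src.read(name)
            if name == "[Content_Types].xml":
                data = data.replace(MACRO_MAIN_CT, PLAIN_MAIN_CT)
                for part in ACTIVE_PARTS:  # drop <Override> entries for removed parts
                    data = re.sub(rb'<Override\b[^>]*PartName="/' + re.escape(part.encode())
                                  + rb'"[^>]*/>', b"", data)
            elif name == "word/_rels/document.xml.rels":
                data = re.sub(rb'<Relationship\b[^>]*Type="' + re.escape(VBA_REL_TYPE)
                              + rb'"[^>]*/>', b"", data)
            dst.writestr(name, data)
    return out.getvalue(), removed


def build_sample_docm() -> bytes:
    """Constructed minimal .docm for the demo (not a real-world sample)."""
    content_types = b"".join([
        b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        b'<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>',
        b'<Default Extension="xml" ContentType="application/xml"/>',
        b'<Override PartName="/word/document.xml" ContentType="', MACRO_MAIN_CT, b'"/>',
        b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>',
        b'</Types>'])
    doc_rels = b"".join([
        b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
        b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>',
        b'<Relationship Id="rId2" Type="', VBA_REL_TYPE, b'" Target="vbaProject.bin"/>',
        b'</Relationships>'])
    parts = {
        "[Content_Types].xml": content_types,
        "_rels/.rels": b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                       b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
                       b'</Relationships>',
        "word/document.xml": b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                             b'<w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body></w:document>',
        "word/styles.xml": b'<w:styles xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        "word/_rels/document.xml.rels": doc_rels,
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,  # OLE header + filler
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

The point of the rebuild (rather than a scan) is that nothing is trusted from the input except the parts you chose to keep: an unknown payload hiding in the VBA project is removed whether or not any signature knows it. In practice this runs at the mail gateway or download proxy, before the file reaches the user's machine.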
22. Once you are a victim of an attack,
what techniques can you use to
gain an advantage over the malicious
behaviour?
(which will dramatically reduce
the impact of the attack)
24. Incidents
Are a very effective environment to
fix security gaps and improve your
capabilities
25. Next let’s cover these Key activities
⁄ Prevent files from reaching users - Reduce quantity of Patient Zero
⁄ Network Segmentation - Reduce Blast Radius
⁄ Endpoint protection - Block Propagation and Detonation
⁄ User Education - Reduce Payloads Activated
⁄ Incident Response Playbooks - Prepare and Rehearse Response
⁄ Asset Protection - Reduce Impact
⁄ Application Catalogue - Understand Attack Surface
⁄ Situational Awareness (SOC) - See What is Happening
⁄ Incident Response Team - Respond to Events
⁄ Immutable Infrastructure - Reduce Targets
⁄ Everything as Code - Automate Recovery
26. Sequence of events (each produces a weak signal)
(all attackers/malware)
- Initial Infection (Patient Zero)
- Reconnaissance
- Elevation of privilege and Propagation
- Asset Enumeration
- Encryption
(more advanced attackers)
- Gain Persistence
- Additional payloads
- Data Extraction
Your job is to make it harder for attackers to perform each of these actions
Your defence model should be based on the “Attacker making a mistake”
(vs you having to protect everything)
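An added example (not from the talk) of what "each stage produces a weak signal" looks like in detection logic: a Python pass over endpoint telemetry that raises one signal per stage it recognises (reconnaissance commands, recovery tampering before encryption, a burst of renames to a new extension, a ransom-note style file dropped into many directories) and then combines them, so that signals which are individually too noisy to act on justify containment together. The event format, the weights and thresholds, and the telemetry itself are constructed for the demo; the command-line patterns are the generic, widely documented ones and should be tuned to your own data.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Generic, well-known precursors of encryption: recovery tampering and
# AD/network enumeration. Illustrative patterns; tune to your own telemetry.
RECOVERY_TAMPER = [re.compile(p, re.I) for p in (
    r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b",
    r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b",
    r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b",
    r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b",
)]
RECON = [re.compile(p, re.I) for p in (
    r"\bnet(\.exe)?\s+view\b",
    r"\bnltest(\.exe)?\b.*/dclist",
    r"\bnet(\.exe)?\s+group\b.*domain admins",
)]

WINDOW = 60         # seconds over which rename bursts are counted
RENAME_BURST = 20   # renames to one new extension by one process inside WINDOW
NOTE_FANOUT = 5     # same file name dropped into this many directories
# Weights and verdict thresholds are assumptions for the demo, not from the talk.
WEIGHTS = {"recon": 1, "recovery_tamper": 3, "mass_rename": 4, "note_fanout": 3}


def _ext(path: str) -> str:
    name = path.replace("/", "\\").rpartition("\\")[2]
    return name.rpartition(".")[2].lower() if "." in name else ""


def _dir_name(path: str) -> tuple[str, str]:
    d, _, n = path.replace("/", "\\").rpartition("\\")
    return d, n


def analyse(events: list[dict]) -> dict[tuple[str, int], list[str]]:
    """Map (host, pid) -> signals, in the order each was first raised.

    Each event has t (seconds), host, pid and kind: "exec" (cmd),
    "rename" (src, dst) or "create" (path).
    """
    signals: dict[tuple[str, int], list[str]] = defaultdict(list)
    renames = defaultdict(list)                      # key -> [(t, new_ext)]
    creates = defaultdict(lambda: defaultdict(set))  # key -> file name -> {dirs}

    def raise_(key, name):
        if name not in signals[key]:
            signals[key].append(name)

    for ev in sorted(events, key=lambda e: e["t"]):
        key = (ev["host"], ev["pid"])
        if ev["kind"] == "exec":
            if any(p.search(ev["cmd"]) for p in RECOVERY_TAMPER):
                raise_(key, "recovery_tamper")
            if any(p.search(ev["cmd"]) for p in RECON):
                raise_(key, "recon")
        elif ev["kind"] == "rename":
            old, new = _ext(ev["src"]), _ext(ev["dst"])
            if new and new != old:                   # extension changed: encryption-like
                recent = [r for r in renames[key] if ev["t"] - r[0] <= WINDOW]
                recent.append((ev["t"], new))
                renames[key] = recent
                if sum(1 for _, e in recent if e == new) >= RENAME_BURST:
                    raise_(key, "mass_rename")
        elif ev["kind"] == "create":
            d, n = _dir_name(ev["path"])
            creates[key][n].add(d)
            if len(creates[key][n]) >= NOTE_FANOUT:  # ransom-note style fan-out
                raise_(key, "note_fanout")
    return dict(signals)


def triage(signals: dict[tuple[str, int], list[str]]) -> dict[tuple[str, int], tuple[int, str]]:
    """Score each process; several weak signals together justify containment."""
    out = {}
    for key, names in signals.items():
        s = sum(WEIGHTS[n] for n in names)
        out[key] = (s, "isolate" if s >= 6 else "investigate" if s >= 3 else "watch")
    return out


def build_sample_events() -> list[dict]:
    """Constructed telemetry for one workstation (not real data)."""
    host, evil, benign = "WS-042", 4711, 1200
    ev = [
        {"t": 10, "host": host, "pid": evil, "kind": "exec", "cmd": "cmd.exe /c net view /all"},
        {"t": 12, "host": host, "pid": evil, "kind": "exec", "cmd": "vssadmin.exe delete shadows /all /quiet"},
        {"t": 15, "host": host, "pid": benign, "kind": "exec", "cmd": "WINWORD.EXE /n"},
        # the word processor renaming a temp file: one extension change, no burst
        {"t": 40, "host": host, "pid": benign, "kind": "rename",
         "src": r"C:\Users\alice\Documents\~WRL0001.tmp", "dst": r"C:\Users\alice\Documents\budget.docx"},
        {"t": 41, "host": host, "pid": benign, "kind": "create", "path": r"C:\Users\alice\Documents\budget.docx"},
    ]
    for i in range(25):  # encryption: every document renamed with a new extension within seconds
        p = rf"C:\Users\alice\Documents\report{i}.docx"
        ev.append({"t": 100 + i, "host": host, "pid": evil, "kind": "rename", "src": p, "dst": p + ".locked"})
    for d in ("Documents", "Desktop", "Pictures", "Downloads", "Music", "Videos"):
        ev.append({"t": 130, "host": host, "pid": evil, "kind": "create",
                   "path": rf"C:\Users\alice\{d}\README_DECRYPT.txt"})
    return ev
```

Two things worth noticing when running it: the recon and recovery-tampering signals fire ninety seconds before the first rename, which is the window in which isolating the host is cheap; and the word processor never trips anything, because the rules are about rate and fan-out rather than about any single file operation.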
27. Network Segmentation - Reduce Blast Radius:
⁄ Break your network into hundreds of smaller networks
○ Not that hard to do once you go down that path
⁄ Start with Assets
⁄ Redirect patching efforts into network segmentation
○ Patching doesn’t scale
○ OK to have insecure devices on the network as long as they are not reachable from untrusted segments
28. Endpoint protection - Block propagation and detonation:
⁄ You need to have visibility into what is happening on your endpoints
⁄ Pay attention to weak signals
⁄ Invest in SOC data consumption and visualisation
⁄ Outsource where it makes sense (for example SIEM level 1)
29. User Education - Reduce Payloads Activated:
⁄ Creatively educate your users on your current threat landscape
⁄ Make it relevant for them (both at home and in their business function)
⁄ Gamify it
⁄ Reward detection
⁄ Don’t punish Patient Zero
30. Incident Response Playbooks - Prepare and Rehearse Response:
⁄ Single most important activity
⁄ View incidents (before Ransomware) as ‘warm up’ events
⁄ Use incidents strategically (‘over-allocate’ resources)
⁄ Use playbook maturity as a way to measure preparedness
⁄ People management and communications are the HARDEST to scale
31. Asset Protection - Reduce Impact:
⁄ Know what your assets are
⁄ Know where they are located
⁄ Monitor asset usage
⁄ Use security violations (role-based access control denials) as early-warning signals
32. Application Catalogue - Understand Attack Surface:
⁄ Map all your applications (to your assets)
⁄ Know who owns them
⁄ Understand what should happen if an application is compromised
⁄ Know how to restore it
⁄ Backup everything (not just the data)
⁄ Put it all in a Graph (we use Jira to consolidate all data)
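Once assets, segments and allowed flows are in a graph, "reduce blast radius" becomes a query you can run before and after a segmentation change. The following is an added example in Python, not the talk's own tooling and not Jira: a small model of assets grouped into segments with an allow-list of segment-to-segment flows, and a worst-case reachability walk from a chosen Patient Zero (every host the attacker can reach is assumed compromisable). It serves both the network segmentation slide and the application catalogue slide above. The inventory, segment names and flows are constructed for the demo.

```python
from __future__ import annotations

from collections import deque


class Network:
    """Assets grouped into segments, plus the segment-to-segment flows the
    firewall policy allows. Traffic inside a segment is always allowed."""

    def __init__(self) -> None:
        self.segment_of: dict[str, str] = {}
        self.critical: set[str] = set()
        self.flows: set[tuple[str, str]] = set()

    def add_asset(self, name: str, segment: str, critical: bool = False) -> None:
        self.segment_of[name] = segment
        if critical:
            self.critical.add(name)

    def allow(self, src_segment: str, dst_segment: str) -> None:
        """Policy allows connections initiated from src_segment to dst_segment."""
        self.flows.add((src_segment, dst_segment))

    def reachable_segments(self, start: str) -> set[str]:
        """Worst case: every reached host is assumed compromisable, so
        reachability is transitive across allowed flows."""
        seen, queue = {start}, deque([start])
        while queue:
            seg = queue.popleft()
            for src, dst in self.flows:
                if src == seg and dst not in seen:
                    seen.add(dst)
                    queue.append(dst)
        return seen

    def blast_radius(self, patient_zero: str) -> set[str]:
        """All assets (Patient Zero included) an attacker can reach by policy."""
        segs = self.reachable_segments(self.segment_of[patient_zero])
        return {a for a, s in self.segment_of.items() if s in segs}

    def summary(self, patient_zero: str) -> dict:
        hit = self.blast_radius(patient_zero)
        return {"total": len(self.segment_of), "reached": len(hit),
                "critical_reached": sorted(hit & self.critical)}


# (name, segment, critical): a constructed inventory, not a real estate.
ASSETS = [
    ("ws-042", "users", False), ("ws-043", "users", False),
    ("fs-01", "files", False), ("fs-02", "files", False),
    ("dc-01", "identity", True), ("bkp-01", "backup", True),
    ("plc-legacy", "ot", True), ("mgmt-jump", "mgmt", False),
]


def build_flat() -> Network:
    """Everything in one segment: the usual starting point."""
    net = Network()
    for name, _, crit in ASSETS:
        net.add_asset(name, "corp", crit)
    return net


def build_segmented() -> Network:
    """Same assets, segmented with an explicit allow-list of flows."""
    net = Network()
    for name, seg, crit in ASSETS:
        net.add_asset(name, seg, crit)
    net.allow("users", "files")
    net.allow("users", "identity")
    net.allow("files", "identity")
    net.allow("backup", "files")   # backup server pulls; file servers cannot reach it
    for seg in ("users", "files", "identity", "backup", "ot"):
        net.allow("mgmt", seg)     # the unpatched PLC is reachable only via the jump host
    return net
```

Run `build_segmented().summary("ws-042")` against `build_flat().summary("ws-042")` to see the difference a workstation compromise makes: in the flat network every asset, backups included, is in reach; in the segmented one the backup server and the legacy device are not, which is the "insecure devices are fine if not exposed" point from the segmentation slide. Two caveats: the model describes policy, not whether the firewall enforces it, and it says nothing about credentials, so reaching the identity segment should be treated as reaching everything unless domain-admin credential use is also segmented.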
33. Situational Awareness (SOC) - See What is Happening:
⁄ SOC team is the one that should see it first
⁄ Create a model where the attacker needs to make a mistake
⁄ The sooner you can detect malicious activity the less damage will occur
⁄ Before an incident, align SOC with Business Intelligence
⁄ Machine Learning is the only way to scale
○ Understand the Known Good status of your network
35. What should the focus be
during and after an incident so
that the business and customer
impact of the incident is
minimised?
36. Activity we are going to cover in this section
⁄ Prevent files from reaching users - Reduce quantity of Patient Zero
⁄ Network Segmentation - Reduce Blast Radius
⁄ Endpoint protection - Block Propagation and Detonation
⁄ User Education - Reduce Payloads Activated
⁄ Incident Response Playbooks - Prepare and Rehearse Response
⁄ Asset Protection - Reduce Impact
⁄ Application Catalogue - Understand Attack Surface
⁄ Situational Awareness (SOC) - See What is Happening
⁄ Incident Response Team - Respond to Events
⁄ Immutable Infrastructure - Reduce Targets
⁄ Everything as Code - Automate Recovery
37. Incident Response Team
Respond to Events:
⁄ The effectiveness of this team will determine the impact of the incident
⁄ Over-provision resources
⁄ Create operational structures to help scaling resources allocated
⁄ Manage People effectively (food, rest, meeting rooms)
⁄ Focus on Process namely on Comms and Stakeholder management
⁄ Effective use of Technology is key
39. Immutable Infrastructure
Reduce Targets:
⁄ Know what is in a Known Good state
⁄ Know what you can trust
⁄ The less editable your infrastructure is, the smaller the attack surface
40. Everything as Code (EaC)
Automate Recovery:
⁄ The more automation you have in your infrastructure the faster you
will recover
⁄ As long as your build scripts are not compromised, rebuild it
⁄ Kick-start the rebuild process as soon as an event occurs (even before
you know you’ll need it)
42. Session at Open Security Summit
https://open-security-summit.org/training/week-2/ciso-and-risk-management/incident-scenario-exercise/
43. Rules
⁄ Create multiple teams (one team per ‘persona’ )
○ Management
○ Operations
○ Customer Group
○ Security Team (Blue Team)
○ Attackers (Red Team)
⁄ Gameplay happens over multiple rounds
⁄ Round one defines initial scenario
(first detections)
⁄ Each team meets to decide what they want to do next
(for 10 to 15 minutes)
⁄ The incident ‘Scenario’ team is part of each team and adjusts the
scenario based on the decisions made
⁄ Sessions executed over Zoom with Slack used to synchronize actions