The document provides an overview of managing cloud security and implementing countermeasures against ransomware. It discusses how ransomware works, the economics driving ransomware attacks, and how cloud computing has impacted the ransomware threat landscape. It then outlines recommendations for security designs like preventing initial access, stopping lateral movement, and early detection. Specific examples are provided around authentication, open ports, IP whitelisting and data encryption. The importance of processes like testing, audits and rapid remediation of vulnerabilities is also covered.

1. #MDBE17
O2 Intercontinental
MANAGING CLOUD SECURITY
DESIGN AND IMPLEMENTATION
in a Ransomware World

2. #MDBE17
Head of Product Security, MongoDB
DAVI OTTENHEIMER
@daviottenheimer

3. #MDBE17
AGENDA
Whoami
Product Security
Background
Risk Management
Explanation
Ransomware
Design
Countermeasures
Implementation
Hardening
01 02 03 04 05

4. #MDBE17
WHOAMI
• Graduate of London School of Economics (Go Beavers!)
and ex-Resident of “the Charlton” (Go Athletics!)
• 20+ years in computer security as ... flyingpenguin
‒ Investigations
‒ Operations
‒ Products
‒ Audits

5. BACKGROUND

6. #MDBE17
IGNAZ SEMMELWEIS the “Savior of Mothers”
• Discovered hand washing
standards can drop childbed fever
from 30% to 1%
• “There is one cause,
all that matters is cleanliness”
• Went “insane” trying to convince
health care to adopt hand washing
Source: http://www.pbs.org/newshour/updates/ignaz-semmelweis-doctor-prescribed-hand-washing/

7. #MDBE17
• Health is a Process, Not a
Destination
• Resource Competition
(Economics)
Source: http://circoutcomes.ahajournals.org/content/10/9/e003532

8. #MDBE17
ECONOMICS OF (DIGITAL ASSET) MINING
• Mine instances generate high cost, daily losses
‒ “A better use of dollars is to buy coins instead of instance time”
‒ 1 instance per day is ~$8 cost for ~$2 in mined coin (variable)
‒ Net ~$6/day loss per instance
• Externalized cost (harm transfer) changes everything
‒ Attackers launch victim instances as quickly as possible
‒ $10,000/hour cost burden for victim
‒ $2,500/hour profit to attacker
Source: https://biblio.wiki/wiki/The_Diamond_Smugglers

9. #MDBE17
CYBER THREAT ECONOMICS
• Inflation for blackmail attempts
‒ Cloud agility = DDoS more expensive
‒ Expensive race condition for pay
• Deflation for ransom attempts
‒ Easier to find victims (Scan/Exploit kits)
‒ Easier to phish (Social engineering kits)
‒ Easier to encrypt (Key management kits)
‒ Easier to extort (Monetization kits)

10. #MDBE17
INFLATION FOR BLACKMAIL ATTEMPTS
June 16, 2014

11. #MDBE17
INFLATION FOR BLACKMAIL ATTEMPTS

12. #MDBE17
CLOUD AGILITY CHANGED RISK MARKET
2016 Q4 Akamai “State of the Internet” Report:
• 7 of 10 biggest (300+ Gbps) DDoS in history happened in 2016
• 3 of 10 were in 2016 Q4
“...agility single biggest reason
enterprise move to cloud”
“Big DDoS attacks
affect some AWS
customers, but chief
Andy Jassy assures
cloud is secure”
● DDoS targeted Dynamic Network Services (Dyn)
● Dyn one of many AWS DNS providers
● AWS services (Shield) helped, as did 3rd party tools
Sources: https://www.geekwire.com/2016/big-ddos-attacks-hit-amazon-web-services-customers-jassy-assures-cloud-secure/,
https://www.akamai.com/us/en/about/our-thinking/state-of-the-internet-report/

13. #MDBE17
CYBER THREAT MARKET HISTORY
1989
Viruses
Worms
Trojans
1994
Botnets
Adware
Spyware
Rogueware
2004
For-Profit
2014
Key & Cert
Management
GPCODE CRYPTOLOCKERCRYPTOVIRUSAIDS
CRYPTOWALL
TORRENTLOCKER
TESLACRYPT
LOCKER
LOCKY
R.I.P.
Tron
1998
R.I.P.
Hagbard
1989
“KGB Hack”
> DM 100K + drugs over 3 years
> Burned to death in forest
> http://phrack.org/issues/25/10.html

14. EXPLANATION

15. #MDBE17
THEREFORE 2016 RANSOMWARE!
• Definition: Access used to deny
others access, unless paid ransom
• May 12, 2017: “45 NHS hospital
groups across the country are taken
offline by WannaCrypt”
• Sep 27, 2017 Interpol: “Ransomware
attacks have eclipsed most other
global cybercrime
…
an increase of 750% from 2015”
Sources: http://www.zdnet.com/article/hospitals-across-england-hit-by-cyber-attack-systems-knocked-offline/
https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2017

16. #MDBE17
45 HOSPITAL GROUPS TAKEN OFFLINE
• “...19,500 medical appointments
were cancelled, computers at 600
GP surgeries were locked and five
hospitals had to divert
ambulances elsewhere.”
• “...unsophisticated attack and
could have been prevented by
NHS following basic IT security
best practice...NHS need to get
their act together”
Source: https://www.theguardian.com/technology/2017/oct/27/nhs-could-have-avoided-wannacry-hack-basic-it-security-national-audit-office
You’re
telling me

17. #MDBE17Source: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx#enterprise
JAN-JUN 2017 RANSOMWARE DISTRO

18. #MDBE17
HOW RANSOMWARE WORKS
1. Establish a Foothold
2. Find Assets and Encrypt
3. Extort
Source: https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/
Build Attack Server
Scan to find vulns
Steal and Use Login
Credentials
Batch deploy malware via
PsExec
Delete shadow files via
vssadmin.exe
Install Trojan:MSIL/Samas Install Ransom:MSIL/Samas

19. #MDBE17
1. ESTABLISH A FOOTHOLD
A.Seek access route (credentialed or not)
‒ Internet facing services
‒ User devices
‒ Platforms (amazon, instagram, github, pastebin, facebook, etc.)
B.Pivot and traverse to expand access to assets
‒ Gather more credentials
‒ Elevate privileges
‒ Flag valuable data
North
South
East
West
Users
Apps
DirectoryDirectory

20. #MDBE17
2. FIND ASSETS AND ENCRYPT
•Encrypt anything
believed to be
valuable to target
•Destroy or
encrypt backups,
snapshots
(prevent restores)
● Use strong
algorithms
(AES256)
● Use unique keys
and remote
management
infrastructure

21. #MDBE17
3. EXTORT (TARGETS ARE MEANT TO FIND)
“Replaced” DB Name
‒ README
‒ ReadmePlease
‒ PLEASE_READ
‒ IHAVEYOURDATA
‒ WARNING
‒ WARNING_ALERT
‒ PWNED
‒ PWNED_SECURE_YOUR_STUFF_SILLY
‒ DELETED_BECAUSE_YOU_DIDNT_PASSWORD_PROTECT_YOUR_MONGODB
‒ to_get_DB_back_send_1BTC_to_1DGztzLNz1euFswtqMDWPMWSgwthdpxRtD
{
"_id" : ObjectId("9854a4532b5e63f722fcc9da"),
"mail" : "user@domain.com",
"note" : "SEND 0.1 BTC TO THIS ADDRESS 1DGztzLNz1euFswtqMDWPMWSgwthdpxRtD AND
CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !"
} ● 0.1 BTC
● 0.15 BTC
● 0.2 BTC
● 0.25 BTC
● 0.5 BTC
● 1 BTC
Source: https://docs.google.com/spreadsheets/d/1QonE9oeMOQHVh8heFIyeqrjfKEViL0poLnY8mAakKhM/edit#gid=0

22. #MDBE17
SHOULD
VICTIMS
PAY
RANSOM?
Source: https://gblogs.cisco.com/jp/2016/05/ransomware-html/

23. DESIGN

24. #MDBE17
PREVENT FOOTHOLDS
• Stop Initial Access
‒ Network Filtering
‒ System Hardening
‒ Human (Phish) Training
• Stop Pivots
‒ Isolation and Segmentation
‒ Role Based Access
• Detect Early and Often
#MDBE17
attackers will fall into quickSAN ../../../../../..

25. #MDBE17
STOP INITIAL ACCESS
Source: https://tools.ietf.org/html/rfc2904
• Network Filtering
‒ Bind to localhost by default in v3.5.8
‒ IP Whitelisting option in v3.6
o Associate IP addresses/ranges to auth roles
o If IP fail, then authentication fail
o Can restrict __system user to authenticate from only cluster nodes
• System Hardening
‒ Authentication
‒ Authorization
‒ Accounting

26. #MDBE17
PROCESS OF DESIGN REVIEWS
• Provider Services*
‒ AWS Trusted Advisor, Inspector
‒ Azure Security Center
‒ GCP Cloud Security Scanner
• Self Tests
‒ Scan for Accidental Secret Leaks (“Github Commit Crawler”)
‒ Detect and Identify Assets (API Call, OVF Scan)
‒ Assess Configurations (SCAP, XCCDF, SSLcheck)
• External Audits
Sources: https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data
https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html

27. #MDBE17
PROCESS OF TEST CYCLES
• Daily Full Credential Scan of Any New Instance
• Weekly Full Credential Scan of Builds Prior to Staging
• Quarterly “Approved Scanning Vendor” (ASV) Report
• Biannually
‒ “Full” Penetration Test
‒ Code Review

28. #MDBE17
PROCESS OF FIX PRIORITY
• Critical Severity
‒ Remediate Immediately (R = 0)
‒ Fix Within 24 hours (e.g. HEARTBLEED)
• High Severity (R = 5 Days)
• Medium Severity (R = 60 Days)
• Low Severity
‒ Business Impact Analysis (BIA)
‒ Customer Impact Analysis

29. IMPLEMENTATION

30. #MDBE17
EXAMPLE 1

31. #MDBE17
EXAMPLE 2
• Is Authentication Disabled?
> if (db.adminCommand('getCmdLineOpts').parsed.security === undefined ||
db.adminCommand('getCmdLineOpts').parsed.security.authorization === undefined ||
db.adminCommand('getCmdLineOpts').parsed.security.authorization == "disabled"){
print("NO AUTH! NO AUTH!")}else{print("Good work, Auth enabled")}
• Is Default Port (27017, 29017) Listening?
> db.adminCommand('getCmdLineOpts').parsed.net.port
Source: https://docs.mongodb.com/manual/reference/default-mongodb-port/

32. #MDBE17
EXAMPLE 2
Service connected to network without “security group” or firewall?
1. On system outside network, grab mongodb client
> wget https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-ubuntu1604-3.4.5.tgz
> tar -zxf mongodb-linux-x86_64-ubuntu1604-3.4.5.tgz -C 3.4 --strip-components=1
2. Test by connecting to Internet hostname
> ~/3.4/bin/mongo --host <urmongodb_host_name> --port <urmongodb_port>

33. #MDBE17
EXAMPLE 3
• Bind to localhost by default in v3.5.8
• IP Whitelisting option in v3.6
‒ Associate IP addresses/ranges to auth roles
‒ If IP fail, then authentication fail
‒ Can restrict __system user to authenticate from only cluster nodes

34. #MDBE17
EXAMPLE 3
● AES 256
● TLS 1.2
● FIPS 140-2
● PCI DSS
● SOC 2
● ISO 2700x
● HIPAA
● NIST 800-53
● GDPR
#MDBE17

35. IGNAZ SEMMELWEIS
1847 Etiology, Concept and Prophylaxis of Childbed Fever
“There is one cause,
all that matters is cleanliness.”

36. JOHN SNOW
1849 On the Mode of Communication of Cholera
Focus of infection…“handle of the pump
was removed on the following day”.