The document discusses strategies for defending against ransomware attacks. It begins by noting the increasing threat of ransomware, with over 390,000 new variants detected daily. The Rig exploit kit is highlighted as a major delivery method, exploiting vulnerabilities in browsers and plugins. The document emphasizes the importance of patching browsers, Java, and Flash to reduce attack surfaces. It then outlines the typical ransomware attack cycle and recommends stopping the cycle earlier by using application control to block unknown applications, privilege management to limit lateral movement, and memory injection protection. A multi-layered defense incorporating patching, application control, privilege management, and memory injection protection is recommended to prevent, detect, and remediate ransomware attacks.

2. OSB120 - Defeat Ransomware with Multi-Layered
Protection. Get the Skinny from Our Experts
Eran Livne, David Murray, Chris Goettl

3. An Increasing Threat

4. Ransomware isn't a new threat

5. It just evolved

6. And more keeps coming
Attacks on on the increase despite so called “next gen” solutions
 AV Test Institute now registers over 390K variants per day!

7. Malwarebytes, Cybercrime Tactics, Q1 2017

9. Ransomware as a Service – Real “Commercial” video

11.  Say Hello to the Rig Exploit Kit

12. “RIG EK is still the most active exploit kit used in various malware
campaigns”
Malwarebytes Q1,2017

14. What does RIG looks for?
 Microsoft Internet Explorer Use-After-Free Remote Code
Execution Vulnerability (CVE-2013-2551)
 Microsoft Internet Explorer Use-After-Free Remote Code
Execution Vulnerability (CVE-2014-0322)
 Adobe Flash Player Remote Code Execution Vulnerability (CVE-
2014-0497)
 Microsoft Silverlight Double Deference Remote Code Execution
Vulnerability (CVE-2013-0074)
 Oracle Java SE Memory Corruption Vulnerability (CVE-2013-2465)
 Oracle Java SE Remote Java Runtime Environment Code
Execution Vulnerability (CVE-2012-0507)

15. “Computer criminals have adapted once again by entrusting the RIG
exploit kit with the ongoing distribution of CrypMic ransomware.”
tripwire, Sept 2016

16. “With RIG, when it comes to the delivery of malware files, the same
malware file often gets written and executed multiple times on the
victim’s PC. If one method doesn’t work or is blocked by an anti-
malware solution, they have a couple of backup methods.”
Cisco Talos Research.

17. How to Protect?
“Patching and updating is mandatory for all browsers and their
plugins. Any browser with an unpatched outdated Flash plugin will get
infected, it is just a question of time,”
Cisco Talos researchers

18. Make Sure to Patch
 Patch Browsers
 Patch Java
 Patch Flash

19.  I have patched my systems so I am
good right?

20. Delivery
Ransomware – How does it happen?

21. Delivery
Phishing Email
Drive-By
Download
Botnet Malicious App
Malvertising
Ransomware – How does it happen?

22. Delivery
Infection
DisableDefenses
PhoneHome
EncryptDataFiles
Installation
Ransomware – How does it happen?

23. Delivery
Infection
DisableDefenses
PhoneHome
EncryptDataFiles
DemandRansom
SupportServices
Installation
Ransomware – How does it happen?

24. Delivery
Infection
DisableDefenses
PhoneHome
EncryptDataFiles
DemandRansom
SupportServices
ReleaseofFiles
Installation
Pay Ransom
Ransomware – How does it happen?

25. Delivery
Infection
DisableDefenses
PhoneHome
EncryptDataFiles
DemandRansom
SupportServices
ReleaseofFiles
Installation
Pay Ransom
Ransomware – How does it happen?
• File encryption occurs towards the end of the cycle
• Break the cycle by stopping it earlier

26. Application Control
• How does it help?
• Stops unknown, targeted malware, regardless of delivery mechanism
• Key Capabilities
• Proactive
• Rules Engine / Trust Engine
• Memory Protection
• Script Protection
• Verification Ratings / Reputation
• Operational Simplicity

27. Defending Against Memory Injections
 Memory injections typically a blind spot for Application Control solutions
 Focus on the file system
 How Memory Injections work
 Memory Injections force (inject) an external program into the memory of a
compromised application process
 Sometimes memory injections are referred to as DLL injections.

28. Privilege Management
• How does it help?
• Reduce ability for attacker to pivotlaterally move across network, access
common components that will aid them,
• Key Capabilities
• Remove the need for Local Admins
• Allow users access to the tools they need, without exposing yourself to
risk
• Elevate the rights of standards users, or restrict the rights of Admins, from
performing certain tasks

29. • Facilitate the removal of admin rights from enterprise
• Allow the running of applications that cannot run with standard user rights
• Not just to admin, to any rights level that is needed
• Allow users access to the tools they need, without excess rights
• Defrag the drive, change time etc
• Support personal apps while allowing the IT dept the control they require.
• Known good locations containing known good apps
• Elevation of Active X installs
• Apps within Internet Explorer
• Significantly lowers the cost of running a desktop
Privilege Management

30. Privilege Management
• Manage Apps
• Grant Standard users the Privileges to install business
related Apps
• Manage Applets
• Ensure that users have the sufficient Privileges to
perform common OS based tasks, such as Defrag the
drive, change time etc
• Manage the OS
• Allow a Standard user to control a Service or Process
• Stop a Local Admin from Uninstalling software or
clearing an Event Log

31. As well as elevating the rights of
standard users, restricting the
privileges of those who have
admin accounts is also
essential!
Privilege Management

32. Multi-Layered Defense
 Patch to reduce attack surface
 Patch Browsers
 Patch Java
 Patch Flash
 Privilege Management to limit attacker
 Prevent Lateral Movement
 Block access to common components used to further exploit systems
 Application Control
 Block unknown applicationspayloads
 Zero Day protection
 Memory Injection Protection Fileless Malware Prevention

33.  Tell me more!

34. Additional Session Recommendations
• OSB140 – Want a Safer Network? You CAN Remove Local Admin Rights
with Ivanti Application Control. (AppSense AM)
• OSB160 - Trust Your Apps. See How with Ivanti Application Control.
(AppSense AM)
• OSB180 - Learn More about Ivanti Endpoint Security: Prevention, Detection,
and Remediation for Non-LDMS Customers. (HEAT EMSS)
• OSB230 - Anatomy of Ransomware: Get Up Close and Personal with a Major
Security Threat. (AppSense AM)
• OSB310 - Whitelisting: The Good, the Bad, and the Ugly. Our Experts Help
You Avoid Common Pitfalls. (AppSense AM)
• OSB220 Operational Security Intermediate What's New in Security for
Management Suite?

35. Additional Hand on Lab Recommendations
• OSL100 - Prevent, Detect, Remediate: Tackle Ransomware
with Ivanti Endpoint Security for Management Suite (fka LDSS)
• OSL120 - What the #$@&%*! Is "Trusted Ownership"? Test
Drive Whitelisting in Ivanti Application Control (fka AppSense
AM)
• OSL130 - Balance Security and User Needs: Explore Privilege
Management in Ivanti Application Control (fka AppSense AM)
• OSL150 - Multi-Layered Security from the Trenches: Get
Hands On with Ivanti Endpoint Security (fka EMSS)

36.  Ivanti Strategy and Roadmap

38. Name of Presentation
Name of Presenter