The document discusses strategies for defending against ransomware attacks. It begins by noting the increasing threat of ransomware, with over 390,000 new variants detected daily. The Rig exploit kit is highlighted as a major delivery method, exploiting vulnerabilities in browsers and plugins. The document emphasizes the importance of patching browsers, Java, and Flash to reduce attack surfaces. It then outlines the typical ransomware attack cycle and recommends stopping the cycle earlier by using application control to block unknown applications, privilege management to limit lateral movement, and memory injection protection. A multi-layered defense incorporating patching, application control, privilege management, and memory injection protection is recommended to prevent, detect, and remediate ransomware attacks.
6. And more keeps coming
Attacks on the increase despite so-called “next gen” solutions
AV Test Institute now registers over 390K variants per day!
12. “RIG EK is still the most active exploit kit used in various malware campaigns”
Malwarebytes, Q1 2017
14. What does RIG look for?
Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551)
Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322)
Adobe Flash Player Remote Code Execution Vulnerability (CVE-2014-0497)
Microsoft Silverlight Double Dereference Remote Code Execution Vulnerability (CVE-2013-0074)
Oracle Java SE Memory Corruption Vulnerability (CVE-2013-2465)
Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507)
15. “Computer criminals have adapted once again by entrusting the RIG exploit kit with the ongoing distribution of CrypMic ransomware.”
Tripwire, Sept 2016
16. “With RIG, when it comes to the delivery of malware files, the same malware file often gets written and executed multiple times on the victim’s PC. If one method doesn’t work or is blocked by an anti-malware solution, they have a couple of backup methods.”
Cisco Talos Research
17. How to Protect?
“Patching and updating is mandatory for all browsers and their plugins. Any browser with an unpatched outdated Flash plugin will get infected, it is just a question of time.”
Cisco Talos researchers
18. Make Sure to Patch
Patch Browsers
Patch Java
Patch Flash
19. I have patched my systems so I am good, right?
26. Application Control
• How does it help?
• Stops unknown, targeted malware, regardless of delivery mechanism
• Key Capabilities
• Proactive
• Rules Engine / Trust Engine
• Memory Protection
• Script Protection
• Verification Ratings / Reputation
• Operational Simplicity
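The slide lists a rules/trust engine and script protection as capabilities but does not show what such a decision looks like. The following is an added example, not code from the slides or from any Ivanti product: a simplified "trusted ownership" rules engine that decides whether an execution request is allowed. The trusted-owner and trusted-publisher sets, the script-host list and the sample events are all constructed assumptions for illustration.

```python
"""Added example: a simplified "trusted ownership" rules engine of the kind an
application-control product uses. Every set and sample event below is a
constructed assumption, not data from a real product or endpoint."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# A standard user cannot create a file owned by one of these accounts, so a file
# with such an owner was placed on disk by an installer or an administrator
# (assumed set; compared case-insensitively).
TRUSTED_OWNERS = {
    "NT AUTHORITY\\SYSTEM",
    "NT SERVICE\\TRUSTEDINSTALLER",
    "BUILTIN\\ADMINISTRATORS",
}

# Authenticode publishers the organisation has chosen to trust (assumed set).
TRUSTED_PUBLISHERS = {"Microsoft Corporation", "Example Corp Signing CA"}

# Script hosts: when one of these runs, the thing to judge is the script it was
# handed, not the trusted, Microsoft-owned interpreter itself (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


@dataclass(frozen=True)
class FileInfo:
    path: str
    owner: str                       # NTFS owner as "DOMAIN\\Name"
    publisher: Optional[str] = None  # Authenticode signer, None when unsigned


@dataclass(frozen=True)
class ExecEvent:
    image: FileInfo                    # the executable being launched
    script: Optional[FileInfo] = None  # script passed to a script host, if any


def decide(event: ExecEvent) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one execution request."""
    target = event.image
    if PureWindowsPath(event.image.path).name.lower() in SCRIPT_HOSTS and event.script:
        target = event.script  # script protection: judge the payload, not the host
    if target.owner.upper() in TRUSTED_OWNERS:
        return "allow", f"trusted owner {target.owner}"
    if target.publisher in TRUSTED_PUBLISHERS:
        return "allow", f"trusted publisher {target.publisher}"
    # Default deny: neither a trusted owner nor a trusted publisher. This branch
    # is what stops a dropper written to a user-writable directory by an exploit
    # kit, regardless of how the file arrived on disk.
    return "block", f"unknown application {target.path} owned by {target.owner}"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ExecEvent(FileInfo(r"C:\Windows\System32\notepad.exe",
                       r"NT SERVICE\TrustedInstaller", "Microsoft Corporation")),
    ExecEvent(FileInfo(r"C:\Program Files\LineOfBusiness\lob.exe",
                       r"BUILTIN\Administrators")),
    ExecEvent(FileInfo(r"C:\Users\alice\AppData\Local\Temp\rad3F2A1.tmp.exe",
                       r"CORP\alice")),
    ExecEvent(FileInfo(r"C:\Users\alice\Downloads\signedtool.exe",
                       r"CORP\alice", "Example Corp Signing CA")),
    ExecEvent(FileInfo(r"C:\Windows\System32\wscript.exe",
                       r"NT SERVICE\TrustedInstaller", "Microsoft Corporation"),
              script=FileInfo(r"C:\Users\alice\AppData\Local\Temp\invoice.js",
                              r"CORP\alice")),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, why = decide(ev)
        print(f"{verdict:5} {ev.image.path}  ({why})")
```

The ownership rule only holds while users are not local administrators: an admin user owns the files they download, so the check degrades to "allow everything" for that account. That is why the slides pair application control with privilege management rather than relying on either alone.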
27. Defending Against Memory Injections
Memory injections are typically a blind spot for Application Control solutions, which focus on the file system.
How Memory Injections work
Memory injections force (inject) an external program into the memory of a compromised application process.
Sometimes memory injections are referred to as DLL injections.
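Because injected code lives in process memory rather than on disk, a file-system allow-list never sees it; the complementary check is a look at the process memory map. The following is an added example, not code from the slides or from any Ivanti product: it triages constructed process snapshots (standing in for what a scanner would collect with VirtualQueryEx and module enumeration) for three indicators: executable private memory with no backing image, a module loaded from a user-writable path, and a module whose backing file has been deleted. All process names, paths, addresses and the user-writable directory list are assumptions for illustration.

```python
"""Added example: triage of a process memory map for injection indicators.
The snapshots are constructed stand-ins for scanner output; process names,
paths, addresses and the directory list are assumptions, not real data."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Directory names that any interactive user can normally write under (assumed).
USER_WRITABLE_DIRS = {"users", "programdata", "temp"}

EXEC_PROTECTIONS = {
    "PAGE_EXECUTE", "PAGE_EXECUTE_READ",
    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY",
}


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    protect: str                       # Win32 page protection name
    kind: str                          # "MEM_IMAGE", "MEM_MAPPED" or "MEM_PRIVATE"
    mapped_file: Optional[str] = None  # backing file for image/mapped regions
    on_disk: bool = True               # False if the backing file was deleted


@dataclass(frozen=True)
class ProcessSnapshot:
    pid: int
    name: str
    regions: tuple[Region, ...]


@dataclass(frozen=True)
class Finding:
    pid: int
    base: int
    reason: str


def _user_writable(path: str) -> bool:
    """True if any path component is a directory a standard user can write to."""
    return any(part.lower() in USER_WRITABLE_DIRS
               for part in PureWindowsPath(path).parts)


def find_injection_indicators(proc: ProcessSnapshot) -> list[Finding]:
    """Return one Finding per suspicious region; an empty list means nothing flagged."""
    findings: list[Finding] = []
    for r in proc.regions:
        if r.kind == "MEM_PRIVATE" and r.protect in EXEC_PROTECTIONS:
            # Code that was never loaded from an image file: shellcode or a
            # reflectively loaded DLL. Note that JIT engines (browsers, .NET)
            # also create such regions legitimately, so treat this as a triage
            # indicator to baseline per process, not as a verdict on its own.
            findings.append(Finding(proc.pid, r.base,
                "executable private memory with no backing image"))
        elif r.kind == "MEM_IMAGE" and r.mapped_file:
            if _user_writable(r.mapped_file):
                findings.append(Finding(proc.pid, r.base,
                    f"module loaded from user-writable path {r.mapped_file}"))
            if not r.on_disk:
                findings.append(Finding(proc.pid, r.base,
                    f"module backing file deleted after load: {r.mapped_file}"))
    return findings


# Constructed snapshots (not real memory maps).
CLEAN = ProcessSnapshot(1234, "notepad.exe", (
    Region(0x7FF600000000, 0x40000, "PAGE_EXECUTE_READ", "MEM_IMAGE",
           r"C:\Windows\System32\notepad.exe"),
    Region(0x7FFA10000000, 0x1F0000, "PAGE_EXECUTE_READ", "MEM_IMAGE",
           r"C:\Windows\System32\ntdll.dll"),
    Region(0x1D000000000, 0x10000, "PAGE_READWRITE", "MEM_PRIVATE"),  # ordinary heap
))

INJECTED = ProcessSnapshot(4321, "iexplore.exe", (
    Region(0x00400000, 0xA0000, "PAGE_EXECUTE_READ", "MEM_IMAGE",
           r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Region(0x03200000, 0x21000, "PAGE_EXECUTE_READWRITE", "MEM_PRIVATE"),  # RWX, no file
    Region(0x10000000, 0x8000, "PAGE_EXECUTE_READ", "MEM_IMAGE",
           r"C:\Users\bob\AppData\Local\Temp\upd.dll", on_disk=False),
))

if __name__ == "__main__":
    for proc in (CLEAN, INJECTED):
        for f in find_injection_indicators(proc):
            print(f"pid {f.pid} ({proc.name}) base {f.base:#x}: {f.reason}")
```

The second and third rules catch the classic DLL-injection case the slide describes (a library dropped to a user-writable directory and loaded into a browser); the first rule is what covers the fileless variant where no library ever touches disk.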
28. Privilege Management
• How does it help?
• Reduces the attacker’s ability to pivot (move laterally) across the network and to access common components that would aid them
• Key Capabilities
• Remove the need for Local Admins
• Allow users access to the tools they need, without exposing yourself to
risk
• Elevate the rights of standard users, or restrict Admins from performing certain tasks
29. Privilege Management
• Facilitate the removal of admin rights from the enterprise
• Allow the running of applications that cannot run with standard user rights
• Not just to admin, but to any rights level that is needed
• Allow users access to the tools they need, without excess rights
• Defrag the drive, change the time, etc.
• Support personal apps while allowing the IT dept the control they require
• Known good locations containing known good apps
• Elevation of ActiveX installs
• Apps within Internet Explorer
• Significantly lowers the cost of running a desktop
30. Privilege Management
• Manage Apps
• Grant standard users the privileges to install business-related apps
• Manage Applets
• Ensure that users have sufficient privileges to perform common OS-based tasks, such as defragging the drive or changing the time
• Manage the OS
• Allow a standard user to control a service or process
• Stop a local Admin from uninstalling software or clearing an Event Log
31. Privilege Management
As well as elevating the rights of standard users, restricting the privileges of those who have admin accounts is also essential!
32. Multi-Layered Defense
Patch to reduce the attack surface
Patch Browsers
Patch Java
Patch Flash
Privilege Management to limit the attacker
Prevent lateral movement
Block access to common components used to further exploit systems
Application Control
Block unknown applications/payloads
Zero-day protection
Memory Injection Protection / Fileless Malware Prevention
34. Additional Session Recommendations
• OSB140 - Want a Safer Network? You CAN Remove Local Admin Rights with Ivanti Application Control. (AppSense AM)
• OSB160 - Trust Your Apps. See How with Ivanti Application Control. (AppSense AM)
• OSB180 - Learn More about Ivanti Endpoint Security: Prevention, Detection, and Remediation for Non-LDMS Customers. (HEAT EMSS)
• OSB230 - Anatomy of Ransomware: Get Up Close and Personal with a Major Security Threat. (AppSense AM)
• OSB310 - Whitelisting: The Good, the Bad, and the Ugly. Our Experts Help You Avoid Common Pitfalls. (AppSense AM)
• OSB220 - Operational Security Intermediate: What's New in Security for Management Suite?
35. Additional Hands-on Lab Recommendations
• OSL100 - Prevent, Detect, Remediate: Tackle Ransomware with Ivanti Endpoint Security for Management Suite (fka LDSS)
• OSL120 - What the #$@&%*! Is "Trusted Ownership"? Test Drive Whitelisting in Ivanti Application Control (fka AppSense AM)
• OSL130 - Balance Security and User Needs: Explore Privilege Management in Ivanti Application Control (fka AppSense AM)
• OSL150 - Multi-Layered Security from the Trenches: Get Hands On with Ivanti Endpoint Security (fka EMSS)