The document summarizes the current state of IT security based on a presentation given at an annual security conference. It discusses the typical stages of a cyber attack including phishing, ransomware, and lateral movement with fileless malware. Examples are provided of detection delays for major data breaches. Recommendations are made for improving security posture such as applying patches quickly, segmenting networks, restricting admin rights, and disabling unneeded protocols. Best practices discussed include having dedicated breach response teams, limiting IoT devices, using security automation, and vetting managed service providers. The use of SPF, DKIM, and DMARC protocols for email authentication is also recommended.
2. Agenda
• Current state of IT security
• Typical multi-stage cyber
infection chain:
• Phishing probe
• Ransomware and data theft
• Lateral movement with
fileless malware
• Recommendations for
improving your security
posture
3.
4.
5.
6. Four stages of a typical breach
COMPROMISE EXFILTRATION DISCOVERY CONTAINMENT
7. A sample of breach detection delays
• Yahoo (3B accounts, 2013): many years to detect and notify
• Marriott (383M guests, 2014-18): 4 years to detect, 2 mo. to
notify
• Advent Health (42k customers, 2017-18): 16 months to
detect, 18 months to notify
• Uber (57M customers, 2016): 1 year to detect and notify
• eBay (145M users, 2014): 7 months to detect and notify
• Heartland Payments (134M accounts, 2008): 9 months to
detect
8.
9.
10. Let’s look at the
telltale signs of
a typical
phishing attack
12. Phishing
prevention
suggestions
Examine the tone and phrasing of the
email
Have shared authority on money
transfers
Understand the underlying social
engineering ploy
Don’t get sucked in with a phony sense
of urgency
Trust but verify -- phone calls can be
spoofed
16. Don’t become
Georgia!
• City of Atlanta
• State Department of Public
Safety
• State and local court systems
• City hospitals
• County governments
• Small city police departments
19. The wrong
things to
focus on
Did the victim pay up?
What did it cost to restore
data?
What data was deleted or
lost?
How long were things out of
commission?
20. Six bad IT decisions exposed by ransomware
Sloppy infosec
makes it hard to
find root cause
Inconsistent IT
infrastructure
ownership
Delay patching and
updates
Poor disaster and
backup procedures
Lousy staff comms
and poor disruption
planning
Mismatch asset
value and
protection policies
21. Three general types
of attacks:
•Return-object
programming
•Scripting-based
•Polymorphic
22.
23. Sample fileless malware campaigns
• Target 2014 breach (flat network)
• DNC 2016 hack (PowerShell and WMI entry)
• August Stealer 2016 (Word macros and PowerShell)
• 3ve group November 2018 (ad click fraud)
• Netwire phishing campaign February 2019 (Vbscript, Gdrive)
• Astaroth campaign July 2019 (PowerShell)
• Poison Ivy 2018 (Word macro, shown next slide)
24.
25.
26.
27. Here are four
practical tips
to help
protect your
network
Apply patches quickly across all
systems
Segment your network carefully
Restrict admin rights severely
Disable un-needed Windows
apps and protocols (SMBv1!)
28. Best practices for better security
Have dedicated
and trained
breach response
teams
1
Limit and
segment IoT
devices on your
network
2
Use security
automation
tools whenever
possible
3
Find breaches
and contain
them quickly
4
Vet your MSP
security
procedures
5
29. Use these three email authentication
protocols
SPF DKIM DMARC
Some somerbing stats from the Verizon 2019 report And phishing and emails were the most common entry points for attackers.
Compromises happen in minutes, discoveries in months.
One report found that The average number of days between the breach discovery and reporting has gone back up, from 38 days in Q1 2018 to 54 days in Q1 2019. However, this average obscures one important fact: breaches that were reported by external sources (such as researchers or law enforcement) were found faster (43 days) versus internally (74 days). (Risk Based Security 1q2019 report)
A Ponemon study in 2018 found it took US co’s an average of 200 days to detect.
https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
Then add in this CEO impersonation attack to pay an invoice to a new bank account
Sense of urgency, using fear tactics, brand imitation with a fake email address, impersonal “dear user”
More urgency with “required immediately” language and malicious link in the rollover URL
More scare tactics -- “deactivation”,
Impersonal signature
Old copyright date and odd location in KY
An attached ZIP file is icing on the cake
From https://www.varonis.com/blog/spot-phishing-scam/
Now add in criminal spoofing services such as this one to create more confusion
Use security awareness training regularly, not just once
The city of Baltimore has become everyone’s favorite ransomware poster child. The city IT infrastructure experienced a series of ransom attacks over the past 15 months. The first two occurred in March and April of 2018; the others began almost a year later. The city refused to pay, despite repeated attacks of both SamSam and RobbinHood strains.
All of these government entities were hacked in the past year. The note is from an office in Baltimore city hall.
This particular ransomware strain hit more than 20 different city government agencies in Texas in August happened through a vulnerability in remote desktop services that was used by an MSP running a managed endpoint protection agent.
This story in Pro Publica talks about how MSPs are becoming richer targets because hackers can hit multiple entities at once, such as what happened in Texas and elsewhere. Instead of targeting local government agencies, hackers are looking for vulnerabilities in the software supply chain, including managed email and backup services, ERP and accounting systems. This enables them to hit multiple targets with one exploit. MSPs are profitable because these agencies are more motivated to pay the ransoms to get back online and continue to serve their constituents. This article in ProPublica has a screencast video that shows how a hacker can disable AV and install the ransomware using a remote desktop program.
https://www.propublica.org/article/the-new-target-that-enables-ransomware-hackers-to-paralyze-dozens-of-towns-and-businesses-at-once
Lets move to the third stage of a typical attack, fileless malware. Its goal is to not leave any evidence behind that defenders can find. There are three general methods.
ROP is the classic attack method and typically executes a DLL that can compromise a target PC. It could include code from your web browser or a desktop app routine that the malware piggybacks on to run.
Scripting attacks uses built-in tools from MS Office or PowerShell or HTML Application Host and hook particular processes to run. If your detection routines don’t understand the details about script execution, they could easily miss these cues. These attacks are on the rise because there are so many scripts included in a modern endpoint.
Then there is polymorphic, which adapt to changing conditions and try to evade your scanners and endpoint prevention tools. These can shift signatures and methods, look to see if they are running inside a VM for example.
“Live off the land” – leverage existing Windows OS tools, typically powershell but there are increasing other pieces of code that fileless can leverage. Back in the early days of the Internet, most blocking routines looked for certain signatures, either as the name of one of the running programs on your computer or specific patterns of behavior across your network. These worked until the malware authors got better at hiding their signature moves.
Poison Ivy infects PCs by creating a remote-access connection to log keystrokes and capture screens and videos from the PC.
also tried to evade detection by Microsoft’s AppLocker protection system by inserting a reference to itself in AppLocker’s whitelisted applications using a series of Windows programs and scripts. It also created a series of decoy documents to make its operations seem benign to the infected user. As you can see, this software is very complex, with several different stages and methods to find its way into a user’s PC.
Because fileless attacks mimic legit Windows processes and executables, you have to get better at figuring out what these hijacked processes are actually doing. Something like this tool can help visualize the logic flows and point out when the malware is doing something odd.
Another technique is to use a tool such as AltFS, which can detonate a piece of malware in safety and show what happens in both Windows and Mac environments, to see where a piece of malware is hiding its artifacts.
https://github.com/SafeBreach-Labs/AltFS
So let’s look at a few practical suggestions on how to improve your cyber security.
Make sure your patches are deployed for remote users too: one of the city-based ransomware attacks this year happened because of an employee who missed one of the updates because he was on the road and clicked on a phishing link.
Sender Policy Framework (SPF) hardens your DNS servers and restricts who can send emails from your domain
DomainKeys Identified Mail (DKIM) ensures that the content of your emails remains trusted and hasn’t been tampered with or compromised
Domain-based Message Authentication, Reporting and Conformance (DMARC) ties the first two protocols together with a consistent set of policies
https://www.csoonline.com/article/3254234/mastering-email-security-with-dmarc-spf-and-dkim.html?nsdr=true