Post on 22-Jan-2018
transcript
Laziest bio slide ever
Konrads Smelkovs
• Senior Manager, KPMG UK
• 17 years IT experience
• Security researcher, developer
Adrian Sanabria
• Founder, Savage Security
• 16 years IT/security experience
• Practitioner, consultant, industry analyst background
Agenda and Goals
Agenda
1. Why ransomware? A brief justification.
2. Why WEEP? Another justification.
3. Demos and Technical Explanations
4. Q&A
Goals
• Prove ransomware can be stopped with modest spend and effort
• Pitch the use of common sense defense as a broad malware strategy
• Make the endpoint security industry very angry with us ;-)
Defense (CIA)
• C – confidentiality
• A – availability
• I – integrity
Offense (DDD)
• D – disclosure
• D – denial & destruction
• D – distrust
Credit: Terrance Lillard
What isn’t working? Where’s our safety net?
Unrealistic assumptions
“It’s easy, just patch everything, always! Quickly!”
This works great when we can install patches quickly.
What about when we can’t?
Prevention-only capabilities
For example:
• AV, NGAV, NGFW, IDS/IPS
• Expensive, noisy
• High labor for the value
Prevention-only is self-imposed blindness
Shaking things up a bit: Wannacry
Notable Facts
• Spread as a worm, not via phishing
• Patch was available 51 days prior
• ETERNALBLUE code was easily discovered via binary analysis
• Many behavioral red flags
• Didn’t even try to hide
• Didn’t work on WinXP
Lessons Learned
• Can’t blame users for this one
• Patching IS part of basic hygiene
• Patching should NOT be viewed or depended on as a defensive measure
• No AV vendor should have missed it
Design defenses as if critical vulnerabilities are always present and as if patches will never come.
Visibility and root-cause analysis are the key to finding red flags which allow us to stop entire classes of attacks instead of specific, individual attacks.
You don’t need a malware research lab – the work is already done by others!
Key to resilience is visibility and simplicity
What is a red flag?
• Something that’s always bad, almost zero chance for false positive
• Could be a combination of events (e.g. endpoint + network)
• Strategy for filtering noise and addressing alert fatigue
Examples:
1. ARP Route Poisoning
2. Long (>40char) domain names
3. Account creation from non-admin systems
4. TOR/.onion use where none existed previously
5. CryptAPI use not associated with sanctioned/installed app
Introducing WEEP
• What is WEEP?
• An anti-ransomware POC
• Showcases anti-malware strategies and tactics
• Strategies and tactics can be adapted and used in other FOSS or commercial tools
• A description of the current state of endpoint security?
Watch, Evaluate, Enrich, Punch
Visibility is critical for detection
Without a detection strategy, we just create more noise
Context is the key to eliminating false positives
The speed of automation is often necessary to halt irreversible damages
Ransomware examples
Common Behaviors → Mitigations
• Disables Shadow Copy Services (vssvc.exe) → if "net stop VSS" is observed, kill the requesting process
• Use of CryptAPI from a Win32 PE → shim CryptAPI and save keys (see PayBreak)
• Random, invalid file extensions appended to files → 1. create canary files/directories; 2. kill any process using an unrecognized file extension
• Very long domains → quarantine any system requesting DNS for domains > 40 chars
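The red-flag rules above (long DNS names, stopping the Shadow Copy service, unknown extensions on canary files) as a small evaluator over endpoint and network events. This is an added illustration, not WEEP's own code; the event fields, canary path, allowed-extension list and the constructed sample events are assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Red-flag thresholds from the slides; canary dir and known extensions are assumed for this example
DOMAIN_MAX_LEN = 40
CANARY_DIRS = ("C:\\Users\\Public\\canary",)
KNOWN_EXTS = {"docx", "xlsx", "pdf", "txt", "jpg", "png"}
VSS_STOP = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+stop\s+vss\b", re.IGNORECASE)


def evaluate(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (action, target) pairs for one event; empty list means no red flag."""
    actions: List[Tuple[str, str]] = []
    kind = event["type"]
    if kind == "dns" and len(event["query"]) > DOMAIN_MAX_LEN:
        # Very long domain name: quarantine the querying host
        actions.append(("quarantine_host", event["host"]))
    elif kind == "process" and VSS_STOP.search(event["cmdline"]):
        # net.exe is only the messenger; punch the parent that requested the stop
        actions.append(("kill_process", event["parent_pid"]))
    elif kind == "file":
        path = event["path"]
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        in_canary = any(path.lower().startswith(d.lower()) for d in CANARY_DIRS)
        if in_canary and ext not in KNOWN_EXTS:
            # Unrecognized extension written to a canary location: kill the writer
            actions.append(("kill_process", event["pid"]))
    return actions


def run(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Evaluate a stream of events and collect every automated response."""
    out: List[Tuple[str, str]] = []
    for e in events:
        out.extend(evaluate(e))
    return out


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws01", "query": "www.example.com"},
    {"type": "dns", "host": "ws02", "query": "a" * 45 + ".example.com"},
    {"type": "process", "pid": "4120", "parent_pid": "3988", "cmdline": "net stop vss"},
    {"type": "process", "pid": "4200", "parent_pid": "1000", "cmdline": "net use Z: \\\\srv\\share"},
    {"type": "file", "pid": "3988", "path": "C:\\Users\\Public\\canary\\report.docx"},
    {"type": "file", "pid": "3988", "path": "C:\\Users\\Public\\canary\\report.docx.xk3p"},
]

if __name__ == "__main__":
    for action in run(SAMPLE_EVENTS):
        print(action)
```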
Paybreak
Source: https://eugenekolo.com/static/paybreak.pdf
Q&A and Thanks!
Konrads Smelkovs
ks@kpmg.co.uk
@truekonrads
Adrian Sanabria
adrian@savagesec.com
@sawaba