Ransomware Customer Presentation - securitysummit.it "Minacce in Italia..."

Post on 20-Sep-2019


Ransomware Overview

• Take consumer and enterprise digital assets hostage using high-strength encryption

• Demand payment from victims for decryption key

• Use high pressure techniques to get victims to pay
  • Make data unrecoverable after a certain time
  • Threaten to post captured (potentially sensitive) data publicly
  • Threaten to erase all data and render all enterprise computers inoperable
  • Increase ransom payment amount as time goes on

• Extensive use of obfuscation to hide location/ownership of C2 servers, payment infrastructure
  • Tor, Bitcoin commonly used

• Individual host ransoms range between $100s and $1000s (currently)
  • May increase likelihood of payment
  • May decrease involvement of law enforcement or takedown activities

Ransomware – Mechanics and money

Diagram (victim infrastructure):

1. Target infected by ransomware

2. Files encrypted

3. Payment demand shown

4. Victim sends ransom payment

5. Decryption key promised upon receipt of funds

Ransomware Scope of impact

Individual Host/User – commodity malware
• Requires user/host attack (e.g. spam emails / drive-by downloads)
• Neutralizes local backup/restore capabilities


Organization-Wide – targeted attack
• Requires successful multi-stage attack
  • User/host/webserver attack
  • Privileged access compromise
  • Neutralizes backup/restore capabilities

Single Stage Ransomware Attacks (Individual Host/User Impact)

Key Attack Characteristics: Plan, Enter

Organization-Wide Ransomware Attacks (Individual Host/User Impact and Enterprise Impact)

Key Attack Characteristics: Plan, Enter, Traverse, Encrypt, with Command and Control spanning the Enter, Traverse and Encrypt phases

Credential Theft Demonstration

http://aka.ms/credtheftdemo

Diagram: DC, Client, Domain/Local, Attack Operator, Domain Admin

Ransomware in Italy

Chart: percent of all malicious files, by type, January to June

• Word 38.5%

• JavaScript 30.6%

• EXE 18.6%

• Excel 5.1%

• URL 2.1%

• Other 5.2%

Ransomware Mitigations

• Secure operational practices for IT admins (http://aka.ms/securestandards)

• Advanced Threat Detection and Response Processes

• Identify and protect high value assets

• Apply security updates on all operating systems and applications

• Upgrade OS and Apps when unsupported

• Evaluate data criticality and protections

• Remove users from local admins group

• Application whitelisting

http://aka.ms/ransomware

Note: Preventing future attacks will require addressing all of these issues in time

Data backup in case of emergency

• Backups must include all critical business data

• Backups should be validated

• Offline backup, or prevent delete/overwrite of online archives by your administrator accounts (which can be stolen by adversaries)

• Basic natural resistance to ransomware (subscription must also be secured appropriately)

Capability / Resources

Mail and Application Content Protections:
• Office 365 Exchange Online Advanced Threat Protection – https://technet.microsoft.com/en-us/library/exchange-online-advanced-threat-protection-service-description.aspx
• Office 2016 Internet Macro Blocking – https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
• Office 2013 VBA Macro Blocking (blocks ALL macros) – https://technet.microsoft.com/en-us/library/ee857085.aspx#changevba
• System Center Endpoint Protection / Windows Defender with Microsoft Active Protection Service (MAPS) – https://blogs.technet.microsoft.com/mmpc/2015/01/14/maps-in-the-cloud-how-can-it-help-your-enterprise/

Securing Privileged Access:
• http://aka.ms/sparoadmap

Apply Security Updates:
• Windows Server Update Services – https://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
• 3rd Party application update – <varies by vendor>

Backups:
• Offline or otherwise attacker-inaccessible backups

Application Whitelisting:
• AppLocker – https://github.com/iadgov/AppLocker-Guidance
• Windows 10 Device Guard – https://technet.microsoft.com/en-us/itpro/windows/whats-new/device-guard-overview

Application Reputation:
• SmartScreen – http://windows.microsoft.com/en-US/internet-explorer/use-smartscreen-filter#ie=ie-11
• Windows Defender with Microsoft Active Protection Service (MAPS)

Exploit Mitigations:
• Windows 10 Control Flow Guard – https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide#secure-the-windows-core
• Enhanced Mitigation Experience Toolkit – http://www.microsoft.com/emet

Security Development Lifecycle (SDL):
• Follow these practices for your applications and require or encourage vendors/suppliers to follow them – http://www.microsoft.com/sdl

User Education:
• https://www.microsoft.com/en-us/security/online-privacy/phishing-symptoms.aspx

Diagram: attack techniques against User, Resource Portal and Infrastructure – Brute Force, Password reset, Impersonation, Buffer overflow, SQL Injection, Privilege escalation, Certificate spoofing, Phishing, Drive-By-Download, Side channel, DDoS, Data integrity

Cyber Kill Chain phase / On-premises / Public cloud

• Active reconnaissance: HUMINT, OSINT (users) / Footprinting (services)

• Delivery: Browser, mail, USB (user interaction) / Hacking (no user interaction)

• Exploitation: Client-side vulnerabilities / Server-side vulnerabilities

• Installation and Persistence: File system based / Memory based

• Actions: Internal reconnaissance: Custom tools / Built-in administration tools

• Actions: Lateral movement: Machine pivot / Resource pivot

Chart: attack types by share

• Communication with malicious IP 41.0%

• RDP brute force 25.5%

• Spam 20.5%

• DDoS 7.6%

• SSH brute force 2.2%

• Port sweeping 1.7%

• Other 1.5%

Number of attacks on Italian customers (chart)

• Suspicious RDP VM activity; 37%

• Network communication with a malicious machine detected; 15%

• Suspicious incoming RDP network activity; 11%

• Suspicious incoming SQL activity; 10%

• DDOS; 8%

• Spam; 7%

• Suspicious outgoing port scanning activity detected; 4%

• Successful RDP brute force attack; 2%

Alert / Number of alerts on Italian customers

• Suspicious RDP VM activity (failed brute force): 3567

• Network communication with a malicious machine detected: 1479

• Suspicious incoming RDP network activity (brute force): 1095

• Suspicious incoming SQL activity: 928

• DDOS: 814

• Spam: 650

• Suspicious outgoing port scanning activity detected: 341

• Successful RDP brute force attack: 157

• Kill chain Fusion security incident: 130

• Suspicious outgoing SSH network activity to multiple destinations: 105

• Suspicious outgoing port scanning activity detected: 83

• Suspicious incoming SSH network activity: 55

• Suspicious outgoing RDP network activity to multiple destinations: 44

• Fusion security incident cross VM: 39

• Suspicious outgoing RDP network activity: 34

• Suspicious process executed: 24

• Suspicious outgoing SSH network activity: 21

• Suspicious command execution: 18

• Cross VM Kill Chain Fusion Incident: 16

• Possible compromised machine detected: 16

• Suspicious disguised file was executed: 15

• Suspicious logon: 10

• Suspicious activity: 3

• Suspicious Powershell Activity Detected: 1

• Suspicious incoming SSH network activity from multiple sources: 1

• Registry persistence: 1

• A considerable share of attacks concentrates on attempted brute force of administration protocols (RDP and SSH)

• The number of alerts generated by Threat Intelligence mechanisms is around 15%

• A significant share of incidents (10%) is linked to SQL activity.

• The number of successful brute force attacks is around 5% of attempts.
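The two RDP alerts that dominate the table above (failed brute force, and a successful logon after a burst of failures) can be reproduced from a host's own Security event log. The detector below is an added example, not code from the presentation or from Azure Security Center; the events, threshold and window are constructed assumptions.

```python
"""Detect RDP brute-force patterns in Windows Security events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5          # failed logons from one source inside the window (assumed)
WINDOW = timedelta(minutes=5)

# Constructed sample, not real logs: (timestamp, event_id, logon_type, source_ip, user)
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP)
SAMPLE_EVENTS = [
    ("2019-09-20T10:00:01", 4625, 10, "198.51.100.7", "administrator"),
    ("2019-09-20T10:00:04", 4625, 10, "198.51.100.7", "admin"),
    ("2019-09-20T10:00:09", 4625, 10, "198.51.100.7", "administrator"),
    ("2019-09-20T10:00:13", 4625, 10, "198.51.100.7", "backup"),
    ("2019-09-20T10:00:20", 4625, 10, "198.51.100.7", "administrator"),
    ("2019-09-20T10:00:31", 4625, 10, "198.51.100.7", "administrator"),
    ("2019-09-20T10:01:02", 4624, 10, "198.51.100.7", "administrator"),
    ("2019-09-20T10:02:00", 4625, 10, "192.0.2.44", "alice"),   # one typo, then success
    ("2019-09-20T10:02:30", 4624, 10, "192.0.2.44", "alice"),
    ("2019-09-20T10:03:00", 4624, 2, "127.0.0.1", "bob"),        # console logon, ignored
]

BRUTE = "Suspicious incoming RDP network activity (brute force)"
SUCCESS = "Successful RDP brute force attack"


def detect_rdp_brute_force(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {alert name: [source IPs]} for the two RDP alerts in the table."""
    alerts = {BRUTE: [], SUCCESS: []}
    recent_failures = defaultdict(list)   # source_ip -> timestamps of recent 4625s
    flagged = set()                       # sources already reported as brute forcing
    for ts, event_id, logon_type, src, _user in sorted(events):
        if logon_type != 10:              # only RDP (RemoteInteractive) logons count
            continue
        t = datetime.fromisoformat(ts)
        # keep only failures still inside the sliding window
        fails = [f for f in recent_failures[src] if t - f <= window]
        recent_failures[src] = fails
        if event_id == 4625:
            fails.append(t)
            if len(fails) >= threshold and src not in flagged:
                flagged.add(src)
                alerts[BRUTE].append(src)
        elif event_id == 4624 and len(fails) >= threshold:
            # a success right after a burst of failures: the password was guessed
            alerts[SUCCESS].append(src)
    return alerts
```

Run over the sample, only 198.51.100.7 is reported under both alerts; the single failure from 192.0.2.44 and the non-RDP logon are ignored.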

1. Discover and Manage SaaS risk

2. Secure Administration of Critical SaaS Tenants

3. Secure Administration of IaaS/PaaS Tenants

Diagram (CASB): Shadow IT and Sanctioned App Security; Visibility and control; Compliance and regulations; Integration with existing systems and workflows; Cloud security expertise

Cloud Discovery: Discover, Investigate, Control, Alerts

http://aka.ms/cyberpaw

Block primary entry points

a. Internet Browsing and Email
  • Block internet access

b. USB attacks
  • Block GPO Devices

c. Attacks from enterprise environment
  • Host Firewall
  • Credential Isolation (local and domain)
  • Remove/Harden Management Agents

Apply defense in depth

a. Software Exploits
  • Rapid patching
  • Windows 10 Control Flow Guard

b. Malware Infection
  • Windows Defender
  • Windows Defender ATP
  • AppLocker and Device Guard

c. Disabling of security controls

d. …and more


Your Office 365 Tenant

• Multi-Factor Authentication – Configure Office 365 MFA

• Privileged Access Workstations (PAWs) – http://aka.ms/cyberpaw

• Separate Admin vs. User Accounts

• Protect critical elements that enable administrative access

• Security and Compliance Center – Record and Monitor admin activity

• Baseline & Monitor key tenant configurations – https://securescore.office.com


Tenant / Subscription (PaaS, IaaS)

• Multi-Factor Authentication – http://aka.ms/AzureMFA

• Privileged Access Workstations – http://aka.ms/cyberpaw

• Time-bound privileges (no permanent admins) – http://aka.ms/AzurePIM

• Enable and Configure Azure Security Center

• Separate Admin vs. User Accounts

• Protect all elements that enable administrative access

• Detection throughout the kill chain

Under attack

One small mistake can lead to attacker control

Attackers can:
• Steal any data
• Encrypt any data
• Modify documents
• Impersonate users
• Disrupt business operations

Active Directory and Administrators control all the assets

Attack timeline (diagram): Research & Preparation; First Host Compromised; Domain Admin Compromised within 24-48 Hours; Attacker Undetected (Data Exfiltration); Attack Discovered after more than 200 days (varies by industry)

Tier 0: Domain & Enterprise Admins
Tier 1: Server Admins
Tier 2: Workstation & Device Admins

1. Beachhead (Phishing Attack, etc.)

2. Lateral Movement
  a. Steal Credentials
  b. Compromise more hosts & credentials

3. Privilege Escalation
  a. Compromise unpatched servers
  b. Get Domain Admin credentials

4. Execute Attacker Mission
  a. Steal data, destroy systems, etc.
  b. Persist Presence

• Operating since 2007 and possibly earlier

• Regularly develops and uses zero-day exploits against victims (5 zero-day vulnerabilities were first used by Strontium in H1 2015)

• Mature set of implants and tools

• Focus on government, military, finance verticals

• Victims are primarily in the EU and Central Asia

STRONTIUM:

How does one become a target?

How is one attacked?

What happens once the compromise has taken place?

RECON: Fingerprint, Observation, OSINT

WEAPONIZE: Lures, zero-day / EK, Social engineering

DELIVERY: Waterhole, Spear-phish, MITM

EXPLOIT: Installation, Dropper, Downloader

INSTALL: Installation, EOP/Gain privilege, Persistence

C&C: Exploration, Info gathering, Lateral Movements

ACTIONS: Exfiltration, Destruction, Compromise


STRONTIUM: attack vectors

• Spear-phishing attachment lures – Office CVEs

• Spear-phishing drive-by URLs – IE/Flash/Java CVEs

• Social-engineered code-exec – Firefox XPI

• Social-engineered drive-by login – OWA, Yahoo, Gmail

STRONTIUM: exploits used

Remote code execution through browser drive-by:
• Java – CVE-2015-2590 (0-day)
• Flash – CVE-2015-3043, CVE-2015-5119, CVE-2015-7645 (0-day)
• Internet Explorer – CVE-2014-1776, CVE-2014-6332, CVE-2014-3897

Remote code execution through malicious attachment:
• Microsoft Word – CVE-2015-1641 (0-day)
• Microsoft Word – CVE-2015-2424 (0-day)

Privilege escalation or sandbox escape:
• Win32k – CVE-2015-1701 (0-day)
• ATMFD – CVE-2015-2387 (0-day)

Security feature bypass:
• Java – CVE-2015-4902 (0-day)

Social engineering-based attack:
• Firefox – Bootstrapped Add-on (XPI)

STRONTIUM: lures

• Lure through privacy alerts from email addresses such as Privacy-alert@outlook.com

• Very effective

• Target hundreds of victims mined from public sources and probably successfully phished victims

• Persistent; repeated spear phishing attempts on victims with different lures

STRONTIUM:

defence.adviser.smith@gmail.com

http://eurasiaglobalnews.com/XXXXXXXX-spains-armed-forces-conclude-mission-in-central-african-republic/

STRONTIUM:

STRONTIUM: Kill chain (same phases as the kill chain listed above: RECON, WEAPONIZE, DELIVERY, EXPLOIT, INSTALL, C&C, ACTIONS)

Strontium (latest campaign) – diagram components: Keylogger / Injector; SSL/Proxy Tunnel; PtH / Mimikatz; Airgapped Exfil; Mail Exfil

• Very active threat actor

• Utilizes 0-days on a variety of software products

• TTP (Tactics, Techniques and Procedures) seem crude

Protecting Active Directory and Admin privileges – 2-4 weeks (first of three phases: 2-4 weeks, 1-3 months, 6+ months)

First response to the most frequently used attack techniques

1. Separate Admin account for admin tasks

2. Privileged Access Workstations (PAWs) Phase 1 - Active Directory admins – http://Aka.ms/CyberPAW

3. Unique Local Admin Passwords for Workstations – http://Aka.ms/LAPS

4. Unique Local Admin Passwords for Servers – http://Aka.ms/LAPS

Protecting Active Directory and Admin privileges – 1-3 months (second of three phases: 2-4 weeks, 1-3 months, 6+ months)

Build visibility and control of administrator activity, increase protection against typical follow-up attacks

1. Privileged Access Workstations (PAWs) Phases 2 and 3 – All Admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) – http://aka.ms/CyberPAW

2. Time-bound privileges (no permanent admins) – http://aka.ms/PAM http://aka.ms/AzurePIM

3. Multi-factor for elevation

4. Just Enough Administration – http://aka.ms/JEA

5. Lower attack surface of Domain and DCs – http://aka.ms/HardenAD

6. Attack Detection – http://aka.ms/ata

Protecting Active Directory and Admin privileges – 6+ months (third of three phases: 2-4 weeks, 1-3 months, 6+ months)

Move to proactive security posture

1. Modernize Roles and Delegation Model

2. Smartcard or Passport Authentication for all admins – http://aka.ms/Passport

3. Admin Forest for Active Directory administrators – http://aka.ms/ESAE

4. Code Integrity Policy for DCs (Server 2016)

5. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric) – http://aka.ms/shieldedvms