SLAITCONSULTING.com
Maryland Education Enterprise Consortium - 2017
SLAIT Consulting
About SLAIT
SLAIT is an Information Technology Consulting Services Company specializing in delivering customized IT Services and Solutions to clients in the Commercial, State/Local Government and Education sectors.
• Serving clients for over 26 years
• $100M revenue
• 350+ Resources
• Headquartered in Virginia Beach, VA with regional offices in:
  • Richmond, VA
  • Greenbelt, MD
  • Charlotte, NC
  • Raleigh, NC
Innovative Solutions for Forward Thinking Companies
Some of SLAIT’s Technology Partners
Ransomware – Your Data Held Hostage
Ransomware By the Numbers
§ Prior to attack, 4 out of 5 organizations are confident backup can provide them complete recovery
  • Less than half of victims fully recover their data
§ Email is the #1 delivery vehicle for ransomware
§ Nearly two-thirds of exploit kits have ransomware payloads
  • Ransomware is the most popular payload
§ 600% growth in new ransomware families in 2016
§ 4x jump in Android ransomware
§ 230% jump in JavaScript ransomware payloads
Big Business
Business Model
§ Very skilled groups maintain and sell exploit kits
  • Maintain list of exploits including zero-day exploits
  • Package the ability to automatically identify vulnerabilities and deliver payload of your choice
§ Ransomware groups use EK to deploy their variant
§ Ransomware as a service – Some ransomware groups even subcontract their combined package for a share of the profits
Profits
§ 209 million paid to cybercriminals in Q1 2016
§ Angler Exploit Kit
  • $60 million per year
§ Cryptowall 3 – $321 million per year
§ Locky – 90,000 victims per day
  • Research indicates around 2.9% of victims pay the ransom of between .5 and 1 bitcoin ($450). This works out to between $200 and $400 million a year
Evolutionary Capitalism
§ Every ransom paid is an investment in the R&D process of the ransomware economy
§ Threat groups track what methods are successful and what methods are not
§ Threat groups also track the success of competitors, copying and avoiding as appropriate
§ Continual process whereby unsuccessful methods die off and successful methods proliferate
§ Expect future ransomware to
  • Be more automated with a greater prevalence of self-propagation
  • Have an increased focus on lateral movement and reducing C2 dependency
  • Encrypt what C2 is necessary
  • Include time delay features to inhibit data restore options
Ransom Family Commonalities (AKA Kill Chain)
[Kill chain diagram]
Typical Vectors: Email; Compromised websites/ads; Angler EK; Nuclear EK; Office Macros; Flash; Web request; Bittorrent; Tor
Typical Process: Bait the end-user; Exploit; Self Protection (Delete backups, Set autorun); C2 (sometimes before, sometimes after encryption); Localized infection; Network scans, Network share access; Network Infection
Evolution of Ransomware
Previous
• Cryptolocker
• Cryptolocker 2.0
• Cryptobit
2014
• CryptoDefense
• Cryptowall 1.0
• CTB-Locker
• Crytblocker
• SynoLocker
• Torrentlocker
• Cryptowall 2.0
2015
• Cryptowall 3.0
• Teslacrypt 1.0
• Vaultcrypt
• Teslacrypt 2.0
• Cryptowall 4.0
• Chimera
2016
• CryptoJoker
• Droidlocker
• NanoLocker
• Locky
• CTB-Locker web
• Jigsaw
• Teslacrypt 3.0
• Teslacrypt 4.0
• Teslacrypt 4.1
• Samas
• CryptXXX
• Petya
• Maktub
• Cerber
• KeRanger
Trending
§ Increase in targeted attacks against
  • Healthcare organizations
  • Law firms
  • Payment processing firms
§ Attackers seeking soft targets with high impact
§ Critical systems/data → expectation of higher payout
§ Payment per infected system
§ Ransomware seeking local backups
§ Exploit expanded attack surface
§ Encryption of MBR
§ Change in delivery methodology: attacking previously compromised systems
§ Drops bootloader then crashes system to force reboot – encrypts upon reboot
What the Future Holds - Predictions
§ More platforms targeted
  • All flavors of Windows and Android exist
  • Targeted OSX attacks - 2016
§ Higher ransoms – success begets success
§ MORE targeted attacks – Seeking critical networks
§ Internet of Things = Significant expansion of attack surface
[Cycle diagram: Prevention, Detection, Response, Test]
What to do
Email Gateway Filtering
§ .exe, .bat, .ps1, .js, .jse, .scr, .com, .osx, .jar, .vb, .vbs, .bas, .ws, .wsf, .shs, .pif, .hta, .lnk
  • .doc, .xls, .rtf
Domain group policies
§ Block macros
  • Open downloaded documents in “protected view”
  • Open downloaded documents and block all macros
§ Restrict program execution
  • Disable execution from temporary and/or user data folders
§ Disable Windows Script Host
§ Show file extensions
  • (****.PDF.EXE)
Restrict access to network shares
Maintain excellent backup practices
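To make the email gateway filtering and the ****.PDF.EXE double-extension point concrete, here is an added attachment-name policy (example code written for this page, not SLAIT's code nor any gateway product's). The function names `classify_attachment` and `scan_message` are assumptions; the extension lists come from the slide above.

```python
# Extension lists taken from the slide ("lnk" normalised to ".lnk").
BLOCKED_EXTENSIONS = {
    ".exe", ".bat", ".ps1", ".js", ".jse", ".scr", ".com", ".osx", ".jar",
    ".vb", ".vbs", ".bas", ".ws", ".wsf", ".shs", ".pif", ".hta", ".lnk",
}
# Office formats the slide lists separately: deliver them, but only with the
# group-policy controls in place (block macros, open in Protected View).
MACRO_CAPABLE = {".doc", ".xls", ".rtf"}


def _extensions(filename):
    """Return every extension of a filename, lower-cased, in order:
    'Invoice.PDF.EXE ' -> ['.pdf', '.exe'].  Trailing spaces and dots are
    stripped because Windows drops them on save, so 'setup.exe.' must not
    slip past an exact-match check."""
    name = filename.strip().rstrip(". ").lower()
    return ["." + p for p in name.split(".")[1:] if p]


def classify_attachment(filename):
    """Return ('block', reason), ('restrict', reason) or ('allow', '')."""
    exts = _extensions(filename)
    if not exts:
        return ("allow", "")
    final = exts[-1]
    if final in BLOCKED_EXTENSIONS:
        if len(exts) > 1:
            # The ****.PDF.EXE trick from the slide: a decoy extension hides
            # the real one on hosts that hide known file extensions.
            return ("block", "double extension %s%s" % (exts[-2], final))
        return ("block", "blocked extension %s" % final)
    if final in MACRO_CAPABLE:
        return ("restrict", "macro-capable document %s" % final)
    return ("allow", "")


def scan_message(attachment_names):
    """Apply the policy to every attachment of a message and return the
    strictest verdict plus per-attachment reasons for the gateway log."""
    order = {"allow": 0, "restrict": 1, "block": 2}
    verdict, reasons = "allow", []
    for name in attachment_names:
        action, reason = classify_attachment(name)
        if reason:
            reasons.append("%s: %s" % (name, reason))
        if order[action] > order[verdict]:
            verdict = action
    return verdict, reasons
```

A "restrict" verdict is where the group-policy controls on this slide (macro blocking, Protected View) take over; the gateway alone cannot make a .doc safe.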
What to do
Maximize visibility
§ Effective security at the perimeter
§ Effective security at the endpoint
Increased user awareness
Resources
§ ID Ransomware: Ransomware identification:
  • https://id-ransomware.malwarehunterteam.com/
§ Anti-Petya LiveCD
  • https://hshrzd.wordpress.com/2016/20/anti-peyta-live-cd-the-fastest-stage1-key-decoder/
§ NoRansom: Decryptors for CoinVault, CryptXXX, etc.
  • https://noransom.kaspersky.com
§ Ransomware overview: Ransomware IOCs
  • https://goo.gl/SfU0hv
  • https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/htmlview?pli=1
SLAIT ThreatManage USM
Six Security Pillars in the SLAIT ThreatManage USM Platform
SLAIT 24x7 Security Operations Center
SIEM & LOG MANAGEMENT
• Log Collection & Correlation
• OTX Threat Data
• SIEM Event Correlation
• Incident Response
BEHAVIORAL MONITORING
• Network IDS
• Netflow Analysis
• Full Packet Capture
• ThreatCloud Integration
ADVANCED THREAT DETECTION
• Adaptive Threat Fabric
• Behavioral Analysis
• Dynamic Sandbox Analysis
VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated & Unauthenticated Active Scanning
ASSET DISCOVERY & INVENTORY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Software Inventory
ENDPOINT RESPONSE
• “Flight Data Recorder”
• Live Response
• Threat Actor Detection/Remediation
SLAIT ThreatManage USM
Unified Security Management Framework
[Architecture diagram] SLAIT Security Operations Center (Analysts, Hunters, Responders); ThreatManage USM Sensors, ThreatManage USM Servers, ThreatManage USM Loggers; SECURITY DATA: Events, Alerts, and Logs (Firewall, IDS, AD, Endpoint); ThreatManage Customer (Analysts, Responders, Engineers); Customer assets to include licenses, hardware, etc.; SLAIT ThreatManage Services
Center for Internet Security (CIS)
• SANS – CIS Top 20 Critical Security Controls (CSC)
1) Inventory of authorized and unauthorized devices
2) Inventory of authorized and unauthorized software
3) Secure configurations for hardware and software on mobile devices, laptops, workstations and servers
4) Continuous vulnerability monitoring
5) Controlled use of administrative privileges
6) Maintenance, monitoring and analysis of audit logs
7) Email and Web Browser protection
8) Malware defense
9) Limitation and control of network ports, protocols, and services
10) Data recovery capability
11) Secure configurations for network devices such as firewalls, routers and switches
12) Boundary devices
13) Data protection
14) Controlled access based on need to know
15) Wireless access control
16) Account monitoring and control
17) Security skills assessment and appropriate training to fill gaps
18) Application software security
19) Incident response and management
20) Penetration tests and Red team exercises
And when all else fails… Restore
§ Implement frequent backups – Limit data loss by ensuring a recent restore point
§ Limit access to these backups – A sufficiently advanced attacker could seek to eliminate the backups themselves
SLAIT Consulting
Arnold E. Bell - [email protected], Greenbelt MD | T: (301) 987-1293 | (800) 761-6898 | slaitconsulting.com
Follow Us On Our Social Sites
LinkedIn: slait.it/linkedinslait
Twitter: @slaitconsulting
Facebook: SLAITConsulting