SLAIT Consulting Maryland Education Enterprise Consortium...

Date post: 07-Jun-2020
SLAITCONSULTING.com Maryland Education Enterprise Consortium - 2017 SLAIT Consulting
Transcript
Page 1: SLAIT Consulting, Maryland Education Enterprise Consortium 2017 (source: meec-edu.org/files/2016/07/SLAIT-Overview-Ransomware-MEEC-2017.pdf)

SLAITCONSULTING.com

Maryland Education Enterprise Consortium - 2017

SLAIT Consulting

Page 2

About SLAIT

SLAIT is an Information Technology Consulting Services Company specializing in delivering customized IT Services and Solutions to clients in the Commercial, State/Local Government and Education sectors.

• Serving clients for over 26 years

• $100M revenue

• 350+ Resources

• Headquartered in Virginia Beach, VA with regional offices in:
• Richmond, VA
• Greenbelt, MD
• Charlotte, NC
• Raleigh, NC

INNOVATIVE SOLUTIONS FOR FORWARD THINKING COMPANIES

Page 3

Some of SLAIT’s Technology Partners

Page 4

Ransomware – Your Data Held Hostage

SLAIT Consulting

Page 5

Ransomware By the Numbers

§ Prior to attack, 4 out of 5 organizations are confident backup can provide them complete recovery
• Less than half of victims fully recover their data

§ Email is the #1 delivery vehicle for ransomware
§ Nearly two-thirds of exploit kits have ransomware payloads
• Ransomware is the most popular payload

§ 600% growth in new ransomware families in 2016
§ 4x jump in Android ransomware
§ 230% jump in JavaScript ransomware payloads

Page 6

Big Business

Business Model
§ Very skilled groups maintain and sell exploit kits
• Maintain list of exploits including zero-day exploits
• Package the ability to automatically identify vulnerabilities and deliver payload of your choice
§ Ransomware groups use EK to deploy their variant
§ Ransomware as a service – Some ransomware groups even subcontract their combined package for a share of the profits

Profits
§ 209 million paid to cybercriminals in Q1-2016
§ Angler Exploit Kit
• $60 million per year
§ Cryptowall 3 – $321 million per year
§ Locky – 90,000 victims per day
• Research indicates around 2.9% of victims pay the ransom of between .5 and 1 bitcoin ($450). This works out to between $200-$400 million dollars a year

Page 7

Evolutionary Capitalism

§ Every ransom paid is an investment in the R&D process of the ransomware economy

§ Threat groups track what methods are successful and what methods are not

§ Threat groups also track the success of competitors, copying and avoiding as appropriate

§ Continual process whereby unsuccessful methods die off and successful methods proliferate

§ Expect future ransomware to
• Be more automated with a greater prevalence of self-propagation
• Have an increased focus on lateral movement and reducing C2 dependency
• Encrypt what C2 is necessary
• Include time delay features to inhibit data restore options

Page 8

Ransom Family Commonalities (AKA Kill Chain)

SLAIT Consulting

Typical Process: Bait the end-user → Exploit → C2 (sometimes before, sometimes after encryption) → Localized infection → Network Infection

Typical Vectors, by stage:
§ Bait the end-user: Email; Compromised websites/ads
§ Exploit: Angler EK; Nuclear EK; Office Macros; Flash
§ C2: Web request; Bittorrent; Tor
§ Localized infection – Self Protection: Delete backups; Set autorun
§ Network Infection: Network scans; Network share access

Page 9

Evolution of Ransomware

Previous
• Cryptolocker
• Cryptolocker 2.0
• Cryptobit

2014
• Cryptodefense
• Cryptowall 1.0
• CTB-Locker
• Cryptoblocker
• SynoLocker
• Torrentlocker
• Cryptowall 2.0

2015
• Cryptowall 3.0
• Teslacrypt 1.0
• Vaultcrypt
• Teslacrypt 2.0
• Cryptowall 4.0
• Chimera

2016
• Cryptojoker
• Droidlocker
• Nanolocker
• Locky
• CTB-Locker web
• Jigsaw
• Teslacrypt 3.0
• Teslacrypt 4.0
• Teslacrypt 4.1
• Samas
• CryptXXX
• Petya
• Maktub
• Cerber
• KeRanger

Page 10

Trending

§ Increase in targeted attacks against
• Healthcare organizations
• Law firms
• Payment processing firms
§ Attackers seeking soft targets with high impact
§ Critical systems/data → expectation of higher payout
§ Payment per infected system
§ Ransomware seeking local backups
§ Exploit expanded attack surface
§ Encryption of MBR
§ Change in delivery methodology: attacking previously compromised systems
§ Drops bootloader then crashes system to force reboot – encrypts upon reboot

Page 11

What the future holds - Predictions

§ More platforms targeted
• All flavors of Windows and Android exist
• Targeted OSX attacks - 2016
§ Higher ransoms – success begets success
§ MORE targeted attacks – Seeking critical networks
§ Internet of Things = Significant expansion of attack surface

Lifecycle: Prevention → Detection → Response → Test → Prevention

Page 12

What to do

Email Gateway Filtering
§ .exe, .bat, .ps1, .js, .jse, .scr, .com, .osx, .jar, .vb, .vbs, .bas, .ws, .wsf, .shs, .pif, .hta, .lnk
• .doc, .xls, .rtf

Domain group policies
§ Block macros
• Open downloaded documents in “protected view”
• Open downloaded documents and block all macros

§ Restrict program execution
• Disable execution from temporary and/or user data folders

§ Disable Windows Script Host
§ Show file extensions
• (****.PDF.EXE)

Restrict access to network shares
Maintain excellent backup practices
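A gateway-side implementation of the attachment list above, including the double-extension check behind the "Show file extensions (****.PDF.EXE)" item. This is an added example, not SLAIT's or the deck's code; the block/inspect/allow verdicts, the treatment of the .doc/.xls/.rtf entries as "inspect", and the sample filenames are this example's assumptions.

```python
"""Attachment triage for a mail gateway, built from the slide's extension
list and its double-extension point. Added example, not SLAIT's tooling."""
import os
from dataclasses import dataclass

# Extensions the slide lists for blocking outright at the gateway.
BLOCKED = {
    ".exe", ".bat", ".ps1", ".js", ".jse", ".scr", ".com", ".osx", ".jar",
    ".vb", ".vbs", ".bas", ".ws", ".wsf", ".shs", ".pif", ".hta", ".lnk",
}
# Document types the slide lists: deliver only after macro/exploit
# inspection (assumed handling; the slide just names them).
INSPECT = {".doc", ".xls", ".rtf"}


@dataclass(frozen=True)
class Verdict:
    action: str   # "block", "inspect" or "allow"
    reason: str


def suffixes(filename: str) -> list[str]:
    """All extensions of a name, lower-cased, real (last) one first:
    'Invoice.PDF.EXE' -> ['.exe', '.pdf']. Path separators and the trailing
    dots/spaces Windows ignores are stripped, so 'setup.exe.' is an .exe."""
    base = os.path.basename(filename.replace("\\", "/")).rstrip(" .")
    parts = base.lower().split(".")
    return ["." + p for p in reversed(parts[1:])]


def classify(filename: str) -> Verdict:
    exts = suffixes(filename)
    if not exts:
        return Verdict("inspect", "no extension; sniff the content type")
    real, decoys = exts[0], exts[1:]
    if real in BLOCKED:
        if decoys:   # Explorer with hidden extensions shows only 'Invoice.PDF'
            return Verdict("block", f"{real} disguised behind {decoys[0]}")
        return Verdict("block", f"{real} is on the gateway blocklist")
    if real in INSPECT:
        return Verdict("inspect", f"{real} may carry macros or exploits")
    return Verdict("allow", f"{real} not covered by the policy")


def triage(attachments: list[str]) -> dict[str, list[str]]:
    """Group one message's attachment names by verdict (block wins)."""
    out: dict[str, list[str]] = {"block": [], "inspect": [], "allow": []}
    for name in attachments:
        out[classify(name).action].append(name)
    return out
```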

Page 13

What to do

Maximize visibility
§ Effective security at the perimeter
§ Effective security at the endpoint

Increased user awareness

Resources

§ ID Ransomware: Ransomware identification:
• https://id-ransomware.malwarehunterteam.com/

§ Anti-Petya LiveCD
• https://hshrzd.wordpress.com/2016/20/anti-peyta-live-cd-the-fastest-stage1-key-decoder/

§ NoRansom: Decryptors for CoinVault, CryptXXX, etc.
• https://noransom.kaspersky.com

§ Ransomware overview: Ransomware IOCs
• https://goo.gl/SfU0hv
• https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/htmlview?pli=1

Page 14

SLAIT ThreatManage USM
Six Security Pillars in the SLAIT ThreatManage USM Platform

SLAIT 24x7 Security Operations Center

SIEM & LOG MANAGEMENT
• Log Collection & Correlation
• OTX Threat Data
• SIEM Event Correlation
• Incident Response

BEHAVIORAL MONITORING
• Network IDS
• Netflow Analysis
• Full Packet Capture
• ThreatCloud Integration

ADVANCED THREAT DETECTION
• Adaptive Threat Fabric
• Behavioral Analysis
• Dynamic Sandbox Analysis

VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated & Unauthenticated Active Scanning

ASSET DISCOVERY & INVENTORY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Software Inventory

ENDPOINT RESPONSE
• “Flight Data Recorder”
• Live Response
• Threat Actor Detection/Remediation

Page 15

SLAIT ThreatManage USM
Unified Security Management Framework

SLAIT Security Operations Center: Analysts, Hunters, Responders

ThreatManage USM Sensors; ThreatManage USM Servers; ThreatManage USM Loggers

SECURITY DATA: Events, Alerts, and Logs (Firewall, IDS, AD, Endpoint)

ThreatManage Customer: Analysts, Responders, Engineers

Customer assets to include licenses, hardware, etc.

SLAIT ThreatManage Services

Page 16

Center for Internet Security (CIS)
• SANS – CIS Top 20 Critical Security Controls (CSC)

1) Inventory of authorized and unauthorized devices
2) Inventory of authorized and unauthorized software
3) Secure configurations for hardware and software on mobile devices, laptops, workstations and servers
4) Continuous vulnerability monitoring
5) Controlled use of administrative privileges
6) Maintenance, monitoring and analysis of audit logs
7) Email and Web Browser protection
8) Malware defense
9) Limitation and control of network ports, protocols, and services
10) Data recovery capability
11) Secure configurations for network devices such as firewalls, routers and switches
12) Boundary devices
13) Data protection
14) Controlled access based on need to know
15) Wireless access control
16) Account monitoring and control
17) Security skills and assessment and appropriate training to fill gaps
18) Application software security
19) Incident response and management
20) Penetration tests and Red team exercises

Page 17

And when all else fails… Restore

§ Implement frequent backups – Limit data lost by ensuring a recent restore point
§ Limit access to these backups – A sufficiently advanced attacker could seek to eliminate the backups themselves

Page 18

SLAIT Consulting

Arnold E. Bell - [email protected], Greenbelt MD
T: (301) 987-1293 | (800) 761-6898
slaitconsulting.com

Follow Us On Our Social Sites

LinkedIn: slait.it/linkedinslait

Twitter: @slaitconsulting

Facebook: SLAITConsulting
