The Best Ways to Stop Malware and Ransomware That No One Else Will Tell You
Roger A. Grimes, Data-Driven Defense Evangelist
KnowBe4, Inc.
[email protected]
Twitter: @RogerAGrimes
LinkedIn: https://www.linkedin.com/in/rogeragrimes/
About Roger
• 30-plus years in computer security
• Expertise in host and network security, IdM, crypto, PKI, APT, honeypot, cloud security
• Consultant to world’s largest companies and militaries for decades
• Previously worked for Foundstone, McAfee, Microsoft
• Written 12 books and over 1,000 magazine articles
• InfoWorld and CSO weekly security columnist 2005-2019
• Frequently interviewed by magazines (e.g. Newsweek) and radio shows (e.g. NPR’s All Things Considered)
Certification exams passed include:
• CPA
• CISSP
• CISM, CISA
• MCSE: Security, MCP, MVP
• CEH, TISCA, Security+, CHFI
• yada, yada
Roger’s Books
KnowBe4, Inc.
• The world’s most popular integrated Security Awareness Training and Simulated Phishing platform
• Based in Tampa Bay, Florida, founded in 2010
• CEO & employees are ex-antivirus, IT Security pros
• 200% growth year over year
• We help tens of thousands of organizations manage the problem of social engineering
Agenda
• Two Best Ways to Stop Malware
• Step-by-Step Instructions
• Live Malware & Defense Demonstration
Two Best Ways
• Detect and Mitigate How Malware is Breaking In
• Detect How Long Malware is Dwelling and Where
• How/Why/Where/How Long?
• Early detection of it all
• No anti-malware defense is going to tell you this
How Malware Is Breaking In
• Officially known as the initial root cause exploit
• You cannot stop malware if you don’t stop how it is breaking in
• You must focus on root causes as much or more than what breaks in or their names!
• Malware and hackers can break in using 10 different methods
Initial Root Cause Exploits (8/18/20)
What’s the number one root cause threat in your environment?
• Programming Bug (patch available or not available)
• Social Engineering
• Authentication Attack
• Human Error/Misconfiguration
• Eavesdropping/MitM
• Data/Network Traffic Malformation
• Insider Attack
• 3rd Party Reliance Issue (vendor/dependency/watering hole)
• Physical Attack
• Brand New Attack Vector (w/o current/default mitigation)
Ask Yourself 3 Key Questions:
1. Can your team correctly answer what is the top root cause?
2. Is the answer consistent across all stakeholders?
3. Do you have data to back up the right answer?
The Data-Driven Defenders Approach
Risk Ranked Threat Perceptions:
• Focuses on root causes
• Local experience and data is highly valued
• Relevance is a big deciding factor
Risk Ranked Defenses:
• Mitigates root causes, not individual threats
• More efficient resource utilization
• Allows clearer cost/benefit considerations
[Diagram: risk-ranked threat perceptions mapped to risk-ranked defenses. The threat side ranks the #1, #2 and #3 most impactful exploited root cause threats, then vendors, medium threats and a long tail of small threats. The defense side shows defenses against the #1, #2 and #3 most impactful exploited root cause threats, medium mitigations for the medium threats, and the long tail of small threats left as-is.]
May decide that the cost of defending against small threats is not a good business decision
Biggest Initial Breach Root Causes for Most Companies
• Social Engineering
• Unpatched Software
• But don’t trust me, measure your own risk
Social engineering is responsible for 70% - 90% of all malicious data breaches
https://blog.knowbe4.com/70-to-90-of-all-malicious-breaches-are-due-to-social-engineering-and-phishing-attacks
Social Engineering & Phishing
Social Engineering Methods
• Compromised Web Sites/Banner Ads
• SMS
• Instant Messaging
• Vishing (voice call phishing)
• In-Person
• Malicious URLs
  • How to Spot Rogue URLs
    • Article - https://blog.knowbe4.com/top-12-most-common-rogue-url-tricks
    • Webinar - https://info.knowbe4.com/rogue-urls
Top Exploited Software
Usually less than a handful of threats compromise the vast majority of real risk
Most attacked unpatched software is usually Internet-facing/accessing and:
Clients
• Browser Add-Ons
• Network-advertising Services/Daemons
• OS
• Productivity apps (Microsoft Office, etc.)
Servers
• Web server software
• OS
• Database
• Mgmt software
What are your top unpatched threats?
Determining How Malware Breaks In
• Antivirus/antimalware/EDR software might tell you if it blocks and alerts during the initial act of exploitation…but you usually don’t know where in the malware lifecycle detection happened, so:
• Know that most malware only breaks in using one method
• Create/use a way of detecting or tracking first execution and where
• Look at your logs
• Do a little research
• End-user may be able to tell you
• Last resort: track by inventory
Determining How Malware Breaks In
• Most malware only breaks in using one method
• Most malware is installed using:
  • Social engineering (email and compromised web sites)
  • Unpatched Internet-facing software
  • Password guessing
• Malware exploit kits only use a few basic exploits each year
Determining How Malware Breaks In
If nothing else, do a little research
• Review your daily/monthly anti-malware report
• Research the exploitation vectors for the top 10 identified malware programs
• You can use AV vendor reports, but your own information is better
Determining How Malware Breaks In
Do a little research (example)
[Screenshot: CheckPoint Top 10 Report]
But let’s assume this is your personal AV monthly report
Determining How Malware Breaks In
Do a little research (example percentages shown for an example report)
• Agent Tesla – 37%
• Phorpiex – 24%
• XMRig – 21%
• Dridex – 9%
• Trickbot – 3%
• Ramnit – 3%
• Emotet – 1%
Total: 98%
Determining How Malware Breaks In
Do a little research (example)
• Agent Tesla – social engineering/unpatched Microsoft Office
• Phorpiex – spam/social engineering, IM/Skype, removable media drives
• XMRig – unpatched web server software
• Dridex – spam/email attachment/social engineering
• Trickbot – social engineering, unpatched software, network file shares
• Ramnit – (we will say unknown just for this example)
• Emotet – macro virus in email attachment/social engineering
Determining How Malware Breaks In
Do a little research (example)
• Based on the percentages, if you are fully patched, then it means:
  • 74% related to social engineering one way or another
  • Plus possibly some removable media exploits and network share issues
  • 3% - 5% unknown
• If you are not fully patched, attribute up to 48% of the risk to unpatched software depending on what you find
3 x 3 Security Control Pillars
https://www.linkedin.com/pulse/3-x-security-control-pillars-roger-grimes
For every high-risk threat you want to mitigate, create 3 x 3 controls
Determining How Malware Breaks In
Do a little research (example)
• Took me 45 minutes of research and simple math to determine
• Use your own anti-malware reports
• Try your best to determine root cause exploit based on evidence
• Research what you can’t find or determine
• Otherwise: Your top two root causes are likely to be social engineering and unpatched software
• But maybe one month it becomes unpatched video cameras (e.g. MVPower exploit) or USB keys…so track each month and over time
The KnowBe4 Security Awareness Program WORKS
Baseline Testing: Use simulated phishing to baseline assess the Phish-prone™ percentage of your users.
Train Your Users: The world's largest library of security awareness training content, including interactive modules, videos, games, posters and newsletters. Automated training campaigns with scheduled reminder emails.
Phish Your Users: Best-in-class, fully automated simulated phishing attacks, hundreds of templates with unlimited usage, and community phishing templates.
See the Results: Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!
Security Awareness Training Program That Works
• Drawn from a data set of over four million users
• Over 17K organizations
• Over 9.1M Simulated Phishing Campaigns
• Segmented by industry type and organization size
https://info.knowbe4.com/phishing-by-industry-benchmarking-report
How Long and Where Malware Is
Determining How Long Malware Dwells and Where
Summary
• Use an application control program in monitor/audit-only mode
• Create a snapshot rule baseline from a clean image
• Detect and report on newly executed programs
• Copy new execution log events to centralized database
• Whenever AV detects and removes malware, compare removal time to origination time
• Create reports and security workflows from this info
Determining How Long Malware Dwells and Where
Application Control Programs
• Allows you to whitelist and blacklist executables and other programs
• Most allow monitoring/audit-only modes versus blocking/enforcement modes
• Most can build rules by “snapshotting” a system
• Most write events to security logs when new executions not on baseline occur
Determining How Long Malware Dwells and Where
Application Control Program Examples
• AppLocker and Windows Defender Application Control on Microsoft Windows
• Most major AV programs have a version
• Commercial versions: BeyondTrust, Carbon Black, Tripwire, Cisco, Ivanti
• Open source versions: SELinux, AppArmor, fapolicyd
• NIST SP 800-167 “Guide to Application Whitelisting”
Example Application Control Program Deployment
AppLocker
• Been in Microsoft Windows enterprise versions since Windows 7/Windows Server 2008
• Early related Windows feature was Software Restriction Policies
• Windows Defender Application Control (WDAC), released in Windows 10
  • WDAC is a far more serious application control program than AppLocker and takes much more planning and administration to run
  • AppLocker does not promise a true security boundary, WDAC does
  • For our purposes, AppLocker is good enough
• Stand-alone, Group Policy, MDM (e.g. Intune, etc.)
Example Application Control Program Deployment
AppLocker
• Run Gpedit.msc
• Computer Configuration\Windows Settings\Security Settings\Application Control Policies
Example Application Control Program Deployment
AppLocker
AppLocker Rule Categories:
• Executable Rules
• Windows Installer Rules
• Script Rules
• Packaged app Rules (Modern apps)
Each can be enabled separately
Example Application Control Program Deployment
AppLocker
[AppLocker configuration screenshots]
Note: If you enabled enforcement mode you might want to say Yes here.
Example Application Control Program Deployment
AppLocker – Start Application Identity (AppID) service
Event Viewer
[Screenshot: AppLocker event log, 0 logged events]
Any execution exceptions to AppLocker’s policy will be logged as 8003 events
Example Application Control Program Deployment
AppLocker – Malshare.com Example
• Search for “ransomware”
• When It Executes
[Malshare example screenshots]
Pull all 8003 events to a centralized database
Example Application Control Program Deployment
Pull all AV detection log events to the same centralized database
[Diagram: AV program logs and AppLocker 8003 events feeding one centralized database]
Final Steps
Every time malware is detected:
• Compare AV detection date/time to app control first execution date/time
• Create malware dwell time aging reports
• Develop security workflows
Final Steps
Security workflows
• Automate emails to victims notifying them of how long the malware dwelled and what they need to do
  • What applications did they logon to while exploited?
  • What personal logons did they use while exploited?
Final Steps
Create reports and alerts of:
• Long dwell times
• Even minor dwell times on high-risk or high value assets
• Growing average dwell times
Final Steps
Security workflows
• Tie back to how malware got in to modify your training and defenses
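The dwell-time computation these Final Steps describe, as an added Python example (not the presenter's or KnowBe4's code): the earliest AppLocker 8003 event per host and file is taken as the first-execution time, the AV detection time minus that is the dwell time, and the report flags long dwells, any dwell on a high-value host, and a growing monthly average. The event records, host names, the 7-day threshold and the high-value host set are constructed assumptions; real 8003 events and AV logs would first need parsing out of your centralized database.

```python
"""Dwell-time aging report joining AppLocker 8003 first-execution events with AV
detections. Added example, not the presenter's code; all records are constructed."""
from datetime import datetime
from statistics import mean

# Constructed AppLocker 8003 events (audit mode: ran, but policy would have blocked it).
APPLOCKER_8003 = [
    ("WS-0142", r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe", "2020-08-03 09:14:00"),
    ("WS-0142", r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe", "2020-08-05 08:02:00"),
    ("FS-01", r"C:\Windows\Temp\svchost32.exe", "2020-08-10 22:41:00"),
]
# Constructed AV detection/removal events from the same period.
AV_DETECTIONS = [
    ("WS-0142", r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe", "2020-08-18 10:30:00"),
    ("FS-01", r"C:\Windows\Temp\svchost32.exe", "2020-08-11 01:12:00"),
    ("WS-0099", r"C:\Users\bk\Downloads\photo.scr", "2020-08-20 16:00:00"),
]
HIGH_VALUE_HOSTS = {"FS-01"}  # assumption: servers count as high-value assets
LONG_DWELL_DAYS = 7           # assumption: threshold for a "long dwell" alert

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def first_executions(events):
    """Earliest 8003 event per (host, path): the malware's origination time."""
    first = {}
    for host, path, ts in events:
        key, t = (host, path), _ts(ts)
        if key not in first or t < first[key]:
            first[key] = t
    return first

def dwell_report(applocker_events, av_events):
    """One row per AV detection: dwell = detection time - first execution, plus alert."""
    first, rows = first_executions(applocker_events), []
    for host, path, ts in av_events:
        started = first.get((host, path))
        if started is None:  # AV caught it with no AppLocker record: no baseline to age from
            rows.append({"host": host, "path": path, "dwell_days": None,
                         "alert": "no first-execution record"})
            continue
        dwell = (_ts(ts) - started).total_seconds() / 86400
        alert = ("long dwell" if dwell >= LONG_DWELL_DAYS else
                 "dwell on high-value asset" if host in HIGH_VALUE_HOSTS else None)
        rows.append({"host": host, "path": path, "dwell_days": round(dwell, 2), "alert": alert})
    return rows

def dwell_trend(monthly_rows):
    """[(month, rows), ...] in date order -> (mean dwell per month, True if growing)."""
    means = [mean(r["dwell_days"] for r in rows if r["dwell_days"] is not None)
             for _, rows in monthly_rows]
    return means, all(b > a for a, b in zip(means, means[1:]))
```

Rows with no first-execution record are the cases the deck's "last resort: track by inventory" step would have to resolve, since there is no origination time to age from.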
Demo - AppLocker and Live Malware Detection
Resources
» Learn More at www.KnowBe4.com/Resources «
12+ Ways to Hack Two-Factor Authentication: All multi-factor authentication (MFA) mechanisms can be compromised, and in some cases, it's as simple as sending a traditional phishing email. Want to know how to defend against MFA hacks? This whitepaper covers over a dozen different ways to hack various types of MFA and how to defend against those attacks.
Ransomware Hostage Rescue Manual: Get the most complete Ransomware Manual packed with actionable info that you need to have to prevent infections, and what to do when you are hit with ransomware.
CEO Fraud Prevention Manual: CEO fraud is responsible for over $3 billion in losses. Don’t be next. The CEO Fraud Prevention Manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim.
Questions?
Tel: 855-KNOWBE4 (566-9234) | www.KnowBe4.com | [email protected]
Roger A. Grimes – Data-Driven Defense Evangelist, [email protected] | Twitter: @rogeragrimes
https://www.linkedin.com/in/rogeragrimes/