CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard Approaches To Stop It?

507 views

Learn how to prevent & detect even the most complex “file-less” ransomware exploits

Ransomware continues to evolve as perpetrators develop new exploits with consequences that can be dramatic and immediate. The purveyors of ransomware continue to prosper, with adversaries developing new strains such as Zepto and Cerber that are proving more challenging than ever. Other exploits can alter programmable logic controller (PLC) parameters and adversely impact mechanical systems. Clearly, new defense approaches are needed, because organizations can no longer rely on backups and conventional security solutions alone to protect them. Join CrowdStrike Senior Security Architect Dan Brown as he offers details on these sophisticated new ransomware threats and reveals recent innovations designed to offer better protection, including new indicator of attack (IOA) behavioral analysis methodologies that can detect and prevent even the most complex "file-less" ransomware exploits.

Attend this CrowdCast where Dan will discuss:
--The challenges of defending against dangerous new variants, such as Zepto and Cerber
--Real-world examples of ransomware in action and the sophisticated tactics being used by a variety of adversaries
--How the CrowdStrike Falcon cloud-delivered platform can defend your organization against new super strains of ransomware that use sophisticated malware-free tactics

Published in: Technology
  1. RANSOMWARE
     DAN BROWN, DETECTION ARCHITECT
     2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  2. WHAT WE DO
     Continuous Breach Prevention, Cloud Delivered
     • MANAGED HUNTING
     • ENDPOINT DETECTION AND RESPONSE
     • NEXT-GEN ANTIVIRUS
  3. • What is Ransomware?
     • How Bad is it?
     • What can we do about it?
     • What will Tomorrow's Ransomware Look Like?
  4. RANSOMWARE: WHAT IS IT?
  5. TYPES OF CYBER RANSOM ATTACKS
     (TREND axis on the slide)
     • IaaV: Infrastructure-as-a-Victim
     • Data Encrypting
     • Scareware
  6. FILE ENCRYPTING RANSOMWARE
  7. A YEAR IN RANSOMWARE
     Top Families
     • Locky
     • Cerber
     Infection Trend
     • Large increase in 2016 over 2015
     • Currently lower volume than 2016
  8. COMMON ACTIONS
     Directory Traversal
     • Local directories
     • Mapped shares
     File Encryption
     • Victim files: whitelist vs. blacklist
     • Encryption: strong vs. weak
     • File access methods
     Notification of Ransom
     • Browser invoked with web page
     • Text file created
  9. FILE ENCRYPTION
     File-based vs File-less
     • Use of known good (PowerShell, cmd.exe, JavaScript)
     • NSIS installers
     Narrow vs Broad
     • Targeted paths
     • Victim file type
     Crypto Libraries
     • Custom libraries more stealthy
     • System libraries stronger, more reliable
  10. OTHER ACTIONS
     Deleting Backups
     • Volume Shadow Snapshots
     • Accessible online backup deletion
     Boot Config Data
     • Disabling Windows recovery sequence
     • Disabling Windows startup repair
     Malicious Behaviors
     • Data theft
     • Password theft (e.g. RAA / Pony Stealer)
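The backup-deletion and boot-configuration tampering on slide 10 are the kind of behavior a command-line IOA can catch before the encryption finishes. The example below is an added illustration, not CrowdStrike code. The slide names the behaviors, not the commands; the commands matched here (vssadmin/wmic shadow copy deletion and the two bcdedit settings) are the ones commonly used for them. The log format is constructed for the example (one process start per line as timestamp|pid|ppid|parent_image|image|command_line), and the grouping by ancestor and the severity thresholds are assumptions.

```python
"""Command-line IOA for shadow copy deletion and boot-configuration tampering.

Added example, not CrowdStrike code. The log format is constructed:
timestamp|pid|ppid|parent_image|image|command_line, one process start per line.
"""
import re
from collections import defaultdict

# Patterns are loose on purpose: switch order, a trailing .exe and letter case vary.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
        re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    ],
    "recovery_disabled": [
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    ],
    "startup_repair_disabled": [
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    ],
}
# Executables launched from here are worth a second look regardless of the command.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|downloads|public)\\", re.I)


def parse_line(line):
    ts, pid, ppid, parent_image, image, cmdline = line.strip().split("|", 5)
    return {"ts": ts, "pid": int(pid), "ppid": int(ppid),
            "parent_image": parent_image, "image": image, "cmdline": cmdline}


def match_rules(cmdline):
    """Names of every rule whose pattern matches the command line."""
    return {name for name, pats in RULES.items() if any(p.search(cmdline) for p in pats)}


def _root(pid, procs):
    """Climb the parent chain as far as the log allows; that pid keys the group."""
    seen = {pid}
    while procs[pid]["ppid"] in procs and procs[pid]["ppid"] not in seen:
        pid = procs[pid]["ppid"]
        seen.add(pid)
    return pid


def analyze(lines):
    """Group matching processes under their common ancestor and grade each group."""
    procs = {p["pid"]: p for p in map(parse_line, lines)}
    groups = defaultdict(lambda: {"rules": set(), "pids": []})
    for p in procs.values():
        hits = match_rules(p["cmdline"])
        if hits:
            g = groups[_root(p["pid"], procs)]
            g["rules"] |= hits
            g["pids"].append(p["pid"])
    for root, g in groups.items():
        g["origin"] = procs[root]["parent_image"]
        g["origin_user_writable"] = bool(USER_WRITABLE.search(g["origin"]))
        # One admin running one command is noise; several tampering steps under one
        # ancestor, or any of them launched from a user-writable path, is not.
        g["severity"] = "high" if len(g["rules"]) >= 2 or g["origin_user_writable"] else "low"
    return dict(groups)


# Constructed log: pids 3120-3130 are a payload's cleanup steps; 5010/5011 are an admin.
SAMPLE_LOG = [
    r"2017-04-05T10:01:12Z|3120|2988|C:\Users\bob\AppData\Local\Temp\invoice.exe|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    r"2017-04-05T10:01:13Z|3124|3120|C:\Windows\System32\cmd.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    r"2017-04-05T10:01:13Z|3125|3120|C:\Windows\System32\cmd.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"2017-04-05T10:01:14Z|3130|3120|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\wmic.exe|wmic shadowcopy delete",
    r"2017-04-05T11:30:00Z|5010|4400|C:\Windows\explorer.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
    r"2017-04-05T11:31:00Z|5011|4400|C:\Windows\explorer.exe|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /for=C: /oldest",
]

if __name__ == "__main__":
    for root, g in analyze(SAMPLE_LOG).items():
        print(root, g["severity"], sorted(g["rules"]), g["origin"])
```

The per-command match is the cheap part; the value is in the context. `vssadmin list shadows` never matches, a single `delete shadows /oldest` from an explorer.exe-launched console is graded low, and the cmd.exe spawned by a file in a user's Temp directory that runs all three tampering steps is graded high even though each of its command lines could be legitimate on its own.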
  11. RANSOMWARE: HOW BAD IS IT?
  12. RANSOMWARE TRENDS
  13. NOTABLE ATTACKS IN PAST YEAR
     § SFC rail system
     § U.K. National Health Services
     § Indiana county gov
     § Apple ransom demand
       § "Turkish Crime Family"
       § Questionable credibility
       § Threatening to wipe data
       § Ostensible deadline of April 7
  14. VOLUME BREAKDOWN
                   1H/2016   2H/2016
     Worldwide     Locky     Cerber
     U.S.          Locky     Locky*
     * Mostly new Locky variants: Zepto, Osiris, etc.
  15. WHO?
     Perpetrators
     • ~75% developed by Eastern European criminal groups
     Targets
     • Europe and Asia more targeted
     • U.S. relatively less targeted
  16. HOW?
     Locky
     • Widespread Necurs botnet
     • Dominated Locky dissemination in 2016
     • Now disseminating "pump & dump" scheme email spam
     Cerber
     • RIG
     • Magnitude
     • PseudoDarkleech
     • Neutrino
  17. RECENT LULL
  18. NSIS EVASION
     § New NSIS installer based ransomware
     § Scripting and "in memory" techniques
     § Intended to evade AV
     § IOA approach unaffected by obfuscation
  19. RANSOMWARE: WHAT CAN WE DO ABOUT IT?
  20. BACKUPS
     § A secure, robust backup strategy is the single most important factor
     § Ensure that backups are not susceptible to malicious encryption/deletion
       § Avoid using mapped drives, Windows shares, or similar mechanisms for backups
       § Offline and/or rolling
     § Backup restoration has its own cost
     § Previous Versions feature in Windows
  21. IF YOU ARE ATTACKED
     § Ransom – to pay or not to pay?
     § Data recovery
       § Volume Shadow Snapshots (Previous Versions feature)
       § www.NoMoreRansom.org/decryption-tools.html
  22. PARALLEL APPROACHES (Prevention)
     Next-Gen AV (NGAV)              Indicators of Attack (IOA)
     • PE file-based                 • Behavioral
     • Pre-execution                 • PE files
     • PE files (exe, dll, ocx, …)   • Exploitation
     • Signatureless                 • Targeted TTP
                                     • Fileless
  23. BENEFITS OF PARALLEL APPROACH
     § Each approach has its own strengths:
       § NGAV: volume of coverage for known and some unknown malware
       § IOA: unknown malware by behavior; prevents malicious use of e.g. PowerShell
     § When only one approach identifies malware:
       § Opportunity to improve IOA coverage of a class of malware
       § Opportunity to train ML on new/unknown samples
       § "Virtuous cycles"
  24. EXPLOIT MITIGATION
     § Heap spray blocking
     § Force DEP enforcement
     § Force ASLR enforcement
     § Coming soon:
       § Null page blocking
       § Structured Exception Handling Overwrite Protection (SEHOP)
  25. EXPLOIT IOA
     § Targeting a class of post-exploit actions in commonly exploited contexts
       § Browsers / plugins
       § Document handling applications
  26. INDICATORS OF ATTACK
                              IOA              IOC
     Information              Behaviors        Artifacts
     Timeliness               Realtime         After-the-fact
     Preventability           Almost always    Seldom
     Effort Req'd to Evade    High             Low
     Relevance                Indefinite       Typically short
  27. WHAT GOES INTO FALCON IOA
     § High performance, high-efficiency on-sensor correlation
     § Quality of event data
     § Rapid development and deployment
     § High quality cloud data supporting analysis
     § Tools supporting IOA analysis and development
  28. EVENT STREAM PROCESSING (ESP)
     § Category of techniques used to efficiently process streams of data
     § Naïve approach:
       § Centralize all data required for correlation
       § Perform retrospective queries periodically over centralized data
       § Result: bottleneck
     § Slightly less naïve approach:
       § Centralize all data required for correlation
       § Event stream processing on centralized data
       § Result: slightly smaller bottleneck
     § Best approach*:
       § Perform correlation efficiently on endpoints when possible
       § Use cloud for correlation where necessary, e.g. prevalence, first-seen, etc.
       § Result: highly efficient behavioral detection and prevention
     * For more information, see: https://www.crowdstrike.com/blog/understanding-indicators-attack-ioas-power-event-stream-processing-crowdstrike-falcon/
  29. WHAT MAKES A USEFUL IOA?
     § Identifies behaviors that are uniquely malicious
     § Identifies behaviors that can be blocked
       § Credential theft
       § Backdoors
       § Post-exploit behaviors
       § Web shells
       § Document droppers
       § Process migration / hollowing
       …
  30. WHAT GOES INTO FALCON IOA
     § Quality of event data
       § Beyond procmon, filenames, command-lines, etc.
       § Code injection
       § Evidence of ROP
       § What process scheduled this task?
       § What process installed this service?
       § What process caused WMI to create a process?
       § What commands were executed from this shell?
       Among many others …
  31. WHAT GOES INTO FALCON IOA
     § Rapid Development and Deployment
       § Frictionless delivery of new IOAs from the cloud
       § Rapid, low-friction development and revision cycle
       § Analysis tools that make IOA development broadly accessible to analysts
       § Data, data, data…
  32. DEVELOPING IOAS
     § Research areas:
       § Behavioral machine learning
       § New sources of event data
         § Network
         § Inter-process and intra-system communication
         § Script engines
       § Experimental pattern-matching graph query language
       § Behavioral fingerprinting
  33. EXAMPLE: DROPPERS VS INSTALLERS
     § Question: Is this process an installer or a dropper?
     § IOA:
       1. Process A creates executable E
       2. Process A launches executable E → child Process B
       3. Wait for exit of processes A and B
     § If process A exits first → Dropper
     § If process B exits first → Installer
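The dropper-vs-installer rule on slide 33 is a good illustration of the on-endpoint correlation that slide 28 argues for: the sensor only has to remember which executables a process wrote and which children it launched from them, then let the order of the two exits decide. The code below is an added example, not CrowdStrike's sensor code. The event shapes (dicts with a "type" of FileWrite, ProcessStart or ProcessExit and the fields used) and the sample stream are constructed for illustration.

```python
"""Dropper-vs-installer IOA evaluated as a single pass over an ordered event stream.

Added example, not CrowdStrike's sensor code. Event shapes are an assumption:
FileWrite(pid, path), ProcessStart(pid, ppid, image), ProcessExit(pid).
"""
from dataclasses import dataclass, field

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")


def _norm(path):
    """Case-fold and unify separators so a written path and a launched image compare equal."""
    return path.replace("/", "\\").lower()


@dataclass
class _Parent:
    """State kept for a process A that has written at least one executable."""
    written: set = field(default_factory=set)   # normalised paths of executables A wrote
    children: set = field(default_factory=set)  # pids of children launched from those files


def classify(events):
    """Return {pid_of_A: "dropper" | "installer"} for every A whose pair completed.

    1. A writes executable E        -> remember E under A
    2. A launches E as child B      -> link B to A
    3. First of A/B to exit decides -> A first: dropper; B first: installer
    """
    parents = {}          # pid of A -> _Parent
    child_to_parent = {}  # pid of B -> pid of A
    verdicts = {}

    for ev in events:
        kind = ev["type"]
        if kind == "FileWrite":
            if _norm(ev["path"]).endswith(EXECUTABLE_SUFFIXES):
                parents.setdefault(ev["pid"], _Parent()).written.add(_norm(ev["path"]))
        elif kind == "ProcessStart":
            parent = parents.get(ev["ppid"])
            if parent is not None and _norm(ev["image"]) in parent.written:
                parent.children.add(ev["pid"])
                child_to_parent[ev["pid"]] = ev["ppid"]
        elif kind == "ProcessExit":
            pid = ev["pid"]
            if pid in child_to_parent:
                # B finished while its parent is still alive, as an installer's helper would.
                verdicts.setdefault(child_to_parent.pop(pid), "installer")
            if pid in parents and parents[pid].children:
                # A is gone while a child it dropped is still running.
                verdicts.setdefault(pid, "dropper")
            parents.pop(pid, None)   # the exited process needs no further state
    return verdicts


# Constructed sample stream: pid 100 behaves like a dropper, pid 200 like an installer.
SAMPLE_EVENTS = [
    {"type": "FileWrite", "pid": 100, "path": r"C:\Users\alice\AppData\Local\Temp\svchost_update.exe"},
    {"type": "ProcessStart", "pid": 101, "ppid": 100, "image": r"C:\Users\alice\AppData\Local\Temp\svchost_update.exe"},
    {"type": "FileWrite", "pid": 200, "path": r"C:\Program Files\ExampleApp\helper.exe"},
    {"type": "ProcessStart", "pid": 201, "ppid": 200, "image": r"C:\Program Files\ExampleApp\helper.exe"},
    {"type": "ProcessExit", "pid": 100},   # A exits; its payload 101 keeps running
    {"type": "ProcessExit", "pid": 201},   # helper finishes; setup 200 is still alive
    {"type": "ProcessExit", "pid": 200},
    {"type": "ProcessExit", "pid": 101},
    # A child whose image the parent did not write must not pair with it.
    {"type": "FileWrite", "pid": 300, "path": r"C:\Temp\tool.exe"},
    {"type": "ProcessStart", "pid": 301, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "ProcessExit", "pid": 300},
]

if __name__ == "__main__":
    print(classify(SAMPLE_EVENTS))   # {100: 'dropper', 200: 'installer'}
```

Nothing here needs a central store or a retrospective query: the state per candidate parent is a few paths and pids, and it is released as soon as the process exits. A "dropper" verdict is not malicious on its own; it is one signal that later correlation (for example with the file-encryption behaviors on slide 34) can build on.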
  34. RANSOMWARE IOA
     § What behavior is universal and unique to file-encrypting ransomware?
     § More than one behavior = IOA correlation
       § Filesystem scanning
       § Patterns of file access
       § File modification / encryption
       § Ransomware note dropping
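Slide 34 lists four behaviors and says the IOA is their correlation, not any one of them. The example below shows why: a backup agent or search indexer scans the filesystem too, so scanning alone is noise, while read-then-overwrite with ciphertext-like output across many files plus the same note file in every directory is hard to explain benignly. This is an added example, not CrowdStrike's Falcon IOA. The event shapes (DirEnum, FileRead, FileWrite carrying the bytes written, FileRename), the entropy and count thresholds, and the sample stream are all constructed for illustration.

```python
"""Correlating several ransomware behaviors into one IOA.

Added example, not CrowdStrike's Falcon IOA. Event shapes, thresholds and the
sample stream are assumptions made for illustration.
"""
import math
import random
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

ENCRYPTED_ENTROPY = 7.0  # bits per byte; documents and text sit well below this
SCAN_DIRS = 5            # distinct directories enumerated by one process
VICTIM_FILES = 10        # files read and then overwritten or renamed
NOTE_DIRS = 3            # same file name dropped into this many directories
REQUIRED = 3             # indicators (out of four) needed to call it ransomware


def shannon_entropy(data):
    """Bits of entropy per byte of `data`; ciphertext approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class _ProcessState:
    def __init__(self):
        self.dirs = set()                   # filesystem scanning
        self.read = set()                   # files the process has read
        self.overwritten = set()            # read, then rewritten or renamed
        self.high_entropy = set()           # rewritten with ciphertext-like bytes
        self.note_dirs = defaultdict(set)   # file name -> directories it was written to


def correlate(events):
    """Return {pid: {"indicators": {...}, "ransomware": bool}} for every pid seen."""
    states = defaultdict(_ProcessState)
    for ev in events:
        st, kind = states[ev["pid"]], ev["type"]
        if kind == "DirEnum":
            st.dirs.add(ev["path"].lower())
        elif kind == "FileRead":
            st.read.add(ev["path"].lower())
        elif kind == "FileWrite":
            path, entropy = ev["path"].lower(), shannon_entropy(ev["data"])
            if path in st.read:
                st.overwritten.add(path)
                if entropy >= ENCRYPTED_ENTROPY:
                    st.high_entropy.add(path)
            elif entropy < ENCRYPTED_ENTROPY:
                p = PureWindowsPath(path)            # new, readable file: note candidate
                st.note_dirs[p.name].add(str(p.parent))
        elif kind == "FileRename" and ev["src"].lower() in st.read:
            st.overwritten.add(ev["src"].lower())

    verdicts = {}
    for pid, st in states.items():
        indicators = {
            "filesystem_scanning": len(st.dirs) >= SCAN_DIRS,
            "victim_file_access": len(st.overwritten) >= VICTIM_FILES,
            "file_encryption": len(st.high_entropy) >= VICTIM_FILES,
            "ransom_note": any(len(d) >= NOTE_DIRS for d in st.note_dirs.values()),
        }
        verdicts[pid] = {"indicators": indicators,
                         "ransomware": sum(indicators.values()) >= REQUIRED}
    return verdicts


BASE = r"C:\Users\alice\Documents"


def build_sample_events():
    """Constructed stream: a benign indexer (pid 1000) and a file-encrypter (pid 4242)."""
    rng = random.Random(2017)
    dirs = [f"{BASE}\\{d}" for d in ("Finance", "HR", "Legal", "Projects", "Archive", "Photos")]
    events = []
    for d in dirs:   # the indexer walks and reads everything but never writes
        events.append({"type": "DirEnum", "pid": 1000, "path": d})
        events += [{"type": "FileRead", "pid": 1000, "path": f"{d}\\doc{i}.docx"} for i in range(2)]
    for d in dirs:   # the encrypter walks, reads, overwrites, renames, drops a note
        events.append({"type": "DirEnum", "pid": 4242, "path": d})
        for i in range(2):
            f = f"{d}\\doc{i}.docx"
            ciphertext = bytes(rng.getrandbits(8) for _ in range(2048))  # stand-in for encrypted output
            events += [{"type": "FileRead", "pid": 4242, "path": f},
                       {"type": "FileWrite", "pid": 4242, "path": f, "data": ciphertext},
                       {"type": "FileRename", "pid": 4242, "src": f, "dst": f + ".locked"}]
        events.append({"type": "FileWrite", "pid": 4242, "path": f"{d}\\README_DECRYPT.txt",
                       "data": b"Your files have been encrypted. Follow the instructions to pay."})
    return events


if __name__ == "__main__":
    for pid, v in correlate(build_sample_events()).items():
        print(pid, v)
```

The indexer trips only the scanning indicator and is left alone; the encrypter trips all four. The note heuristic (one low-entropy file name written into many directories) would be a false positive by itself for software that drops the same metadata file everywhere, which is exactly why the verdict requires three of the four behaviors rather than any one.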
  35. FALCON CLOUD DATA
     § Falcon provides cloud data to CrowdStrike analysts and customers
     § Indexed data (Endpoint Activity Monitor)
       § Fast query results
       § Large, rich event data set
     § Graph database (ThreatGraph™)
       § Links related data
       § Substantial speed improvement compared to "join" style queries
       § Contains "linking" events that represent relationships beyond just process/child
  36. RANSOMWARE: WHAT WILL TOMORROW'S RANSOMWARE LOOK LIKE?
  37. RANSOMWARE'S FUTURE
     § Larger targets = larger payoff
       § One-time attacks
       § Infrastructure-as-a-Victim
         § SCADA / ICS / DCS
         § Public transportation
         § Connected cars
         § IoT
     § File encrypting ransomware
       § Unlikely to go away any time soon
       § Possibility of increases in other platforms such as Mac, Linux
  38. Questions?
     Please submit all questions in the Q&A chat right below the presentation slides
     Contact Us / Additional Information
     • Join Weekly Demos: crowdstrike.com/productdemos
     • Upcoming CrowdCast Topics: Mac Prevention – April 12th; Proactive Hunting – April 26th
     • Website: crowdstrike.com
     • Email: info@crowdstrike.com
     • Number: 1.888.512.8902 (US)