SlideShare una empresa de Scribd logo

InnoTech 2017_Defend_Against_Ransomware 3.0

Michael Gough
Michael Gough

Defending Against Ransomeware and Malware and what you can do about it. Malware Archaeology LOG-MD

Tecnología
1 de 60
Descargar para leer sin conexión
Defending Against Ransomware and what can you do about it Michael Gough – Founder MalwareArchaeology.com MalwareArchaeology.com
Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet” “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet” “Windows PowerShell Logging Cheat Sheet” “Windows Splunk Logging Cheat Sheet” “Malware Management Framework” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • @HackerHurricane also my Blog MalwareArchaeology.com
The Problem or Challenge We all Face MalwareArchaeology.com
Europol experts • "Ransomware attacks have eclipsed most other global cybercrime threats, with the first half of 2017 witnessing ransomware attacks on a scale previously unseen following the emergence of self-propagating 'ransomworms,' as observed in the WannaCry and Petya/NotPetya cases," write Europol experts in the agency's Internet Organized Crime Threat Assessment (IOCTA 2017) MalwareArchaeology.com
Costs and Growth • The FBI believes the total cost of ransomware broke the $1 billion mark in 2016 • Whatever the motivation, new ransomware increased by 54% in the second quarter of this year, according to McAfee. • The number of total new ransomware samples has increased by 47% in the past four quarters. MalwareArchaeology.com
The Numbers • 80% of security pros view ransomware to be a moderate or extreme threat today. This is from a study of nearly 500 practitioners among the Information Security Community on LinkedIn, conducted by Cybersecurity Insiders and Crowd Research Partners. • That survey showed that 75% of organizations affected by ransomware have experienced up to 5 attacks in the last year, and 25% have been hit by 6 or more attacks. MalwareArchaeology.com
The Numbers • The study showed that 39% of organizations say it takes them anywhere between several days to a few weeks to recover from a ransomware attack. • This lack of resiliency and the fallout from attacks this year highlight the lack of accountability for instituting the basics of IT security within organizations, says James Carder, CISO of LogRhythm. MalwareArchaeology.com
Email is #1 • Phishing IS our worst enemy MalwareArchaeology.com
Ransomware MalwareArchaeology.com
Malicious Email MalwareArchaeology.com
Malicious Email • Malicious Attachments – PDF, Word, Excel, . .js, .jse, .wsf, .wsh, .hte, .lnk, PS1, CMD, BAT, .vbs, .vbe, etc • URL’s in Email – Click HERE to see more • Then downloads the above file formats – Or sends you to a credential stealer webpage • Encrypted emails – Same as above but protected with a password to bypass ALL security controls • All new for 2017 – Word DDE – auto downloading malware when Office opens • Not to mention a Feature/Flaw of just receiving email MalwareArchaeology.com
So what can we do? MalwareArchaeology.com
Don’t Panic MalwareArchaeology.com
Why does the criminals approach work? MalwareArchaeology.com
Understand WHY it works • Email gateways do not block enough, or anything • Exchange and Outlook controls are seldom used • Don’t forget users check personal email (Gmail, Yahoo, Hotmail, Office365, etc.) • We do NOT do enough here and we should • It’s FREE, your email gateway and Exchange server already have the capability • Even Outlook has rules that can be enabled MalwareArchaeology.com
Take-Away #1 File Type Blocks MalwareArchaeology.com
Outlook Rules • You REALLY need to enable these • https://support.office.com/en-us/article/Blocked- attachments-in-Outlook-3811cddc-17c3-4279- a30c-060ba0207372 • Block these on your Email Gateway !!! • Drop these PLEEEASE MalwareArchaeology.com
What Gets By File Type Blocks? MalwareArchaeology.com
If we drop these, what is left? • Encrypted messages – These emails will get by ALL security solutions because they can’t inspect encrypted emails (It’s Haaarrd) • Emails with URL’s – URL’s are generally not malicious with new campaigns in the first few hours • They use Cloud Storage too • Users download and Double-Click MalwareArchaeology.com
What gets by file type blocks? • Documents that have URL’s • Encrypted Word/Office Docs that have Macros Encrypted Word/Office Docs with OLE objects that are scripts like the file types we dropped • NEW for 2017 – DDE Links in Word Docs – Auto opens a URL and downloads a malicious file • If the a file gets in this way, then we have to address what happens when a user clicks it MalwareArchaeology.com
Take-Away #2 Block Macros PLEASE !!!! MalwareArchaeology.com
Block Macros !!! • For corporate users – Office 2013 or 2016 required MalwareArchaeology.com
Or tweak the registry Office 2016 • HKCUSOFTWAREPoliciesMicrosoftoffice16.0wordsecurity HKCUSOFTWAREPoliciesMicrosoftoffice16.0excelsecurity HKCUSOFTWAREPoliciesMicrosoftoffice16.0powerpointsecur ity – In each key listed above, create this value: DWORD: blockcontentexecutionfrominternet Value = 1 Office 2013 • HKCUSOFTWAREPoliciesMicrosoftoffice15.0wordsecurity HKCUSOFTWAREPoliciesMicrosoftoffice15.0excelsecurity HKCUSOFTWAREPoliciesMicrosoftoffice15.0powerpointsecur ity – In each key listed above, create this value: DWORD: blockcontentexecutionfrominternet Value = 1 MalwareArchaeology.com
#WINNING • After adding these tweaks you will see this when you try and enable a macro and/or content • You can unblock if truly needed and trusted, create an exception group MalwareArchaeology.com
There are More Than Macros MalwareArchaeology.com
More than Macros • Macros account for a lot, but malwarians are morphing and evolving • We blocked more than 6000 emails between June and Dec 2016 • They have moved to encrypted documents • They have moved to documents with URL’s • They have moved to OLE objects in Word Docs • They have moved to using Cloud Storage to retrieve documents • NEW – They are using a DDE Feature/Flaw to auto download URL’s that have a file and get the user to click on the notification MalwareArchaeology.com
Why it Works MalwareArchaeology.com
Understand WHY it works • Windows is Sooooooo broken • The malwarians are taking advantage of the default configuration of Windows • What happens when you Double-Click is the enemy • Users have been trained to just click it – Click OK, click, click, click MalwareArchaeology.com
So how does it work? • Clicking by users • Yeah, Yeah, Yeah… User awareness training – It won’t be enough • How about this… • Change what happens when users Double- Click a suspect file type • Now there’s a thought… MalwareArchaeology.com
Take-Away #3 Deny the Double-Click MalwareArchaeology.com
Deny the Double-Click • Windows allows by default the execution of a file type by double-clicking and launching the execution program (Booooooo) • So how about changing the dangerous file types that launch the interpreters to launching a simple editor? • Yup, NOTEPAD to the rescue !!!!! • Finally a good use for Notepad MalwareArchaeology.com
Deny the Double-Click • This will NOT break the way these file types normally work. • Cscript ‘Logon.vbs’ will work fine • Double-Clicking ‘logon.vbs’ will just open Notepad • You WILL need to convince IT, they haven’t played with this due to FUD and lack of experience • Prove it by showing it works ! MalwareArchaeology.com
Default Programs MalwareArchaeology.com
File Type MalwareArchaeology.com
Windows Based Script Host • Get rid of it, they use it to execute malware • Consider .vbe, .vbs, .ps1 and .ps1xml too, but this is used in corporate environments • This only affects double-clicking the file, not using the file properly (cscript Good_file.vbs) MalwareArchaeology.com
Change to Notepad • Change ANYTHING that can execute a script to open Notepad MalwareArchaeology.com
So what happens? • Users will open files that have been blocked, but got by either via an encrypted email or a URL in an email or attachment • The user then downloads the malicious file type and double-clicks it… If it is one of the types that you have changed the File Association for, the malware script will FAIL !!! • #WINNING MalwareArchaeology.com
Take-Away #4 WARNING Windows 10 updates MalwareArchaeology.com
Windows 10 upgrades • Microsoft sometimes does full OS upgrades when they patch • This will reset your File Association changes • So use Group Policy (GPO) to set these • If a standalone system (Home, Pro, EDU) then use a script I created that will set these and more – Create a scheduled task to run the script on logon to set them each time you begin work MalwareArchaeology.com
Now What Can Get By? MalwareArchaeology.com
Take-Away #5 Word DDE Attack MalwareArchaeology.com
DDE Links • Word allows auto-execution of links to download content • This is now being exploited HEAVILY !!! • But easy to break! MalwareArchaeology.com
DDE Links • Turn this off !!!! • No need to automatically open links • The user can right-click and manually update if it is an Excel Graph for example • Disable using Group Policy • Or the script from my website which also sets malicious file types to use Notepad – MalwareArchaeology.comlogging MalwareArchaeology.com
The 5%-10% that Can Get By MalwareArchaeology.com
The Final Mile • Once you have done everything in this preso that is FREE • Now you can buy solutions that reduce the final 5% • Vendors are struggling with scanning documents that are encrypted • DDE is new and they are scrambling MalwareArchaeology.com
What can still get by? • Look at these, which you may have and are also FREE – Application Whitelisting - Complicated – Detect it and Respond – Logging and people • Maybe User Awareness can help as you can now focus the training since all the other ways they get in have been dealt with MalwareArchaeology.com
What can still get by? • Lots of email is known bad • Once a campaign is out for 4 hours or more, vendors start to add signatures to their advanced email filtering products to block known malicious emails • Add these solutions to your email gateway AFTER you have implemented what is already recommended – FireEye – LastLine – Cisco AMP – Etc… • EDR solutions might help AFTER you do everything in this preso since you will have reduced a ton of garbage MalwareArchaeology.com
Take-Away #6 New File Protection in Windows 10 - 1709 MalwareArchaeology.com
New Feature in Windows 10 • Microsoft has now introduced ”Controlled Folder Access” feature in its Windows Defender Security Center that is • Available for Windows 10 Fall Creators Update (v1709) • Basically folders that are protected with this wil be denied access to non-approved applications • Probably will NOT work with another AV solution MalwareArchaeology.com
New Feature in Windows 10 MalwareArchaeology.com
User Awareness MalwareArchaeology.com
User Awareness Teach users two things, and only 2 things 1. Don’t open emails that have encrypted attachments AND have the password in the body AND contain a few words and not descriptive 2. Don’t launch ANY .EXE files that you download from sources via email and links in emails or documents – EVER! MalwareArchaeology.com
What do we do with the attachments we receive? MalwareArchaeology.com
Evaluate them • Detonate them in a malware lab • Obtain the artifacts to see who else might have open the ones that got through • Analyze what the attachment does so you can better understand how to reduce them getting into your environment • 90% is FREE and you already have it • Just add some labor MalwareArchaeology.com
What do we use to quickly evaluate the malware? MalwareArchaeology.com
• The Log and Malicious Discovery tool • Audits your system and produces a report • Also shows failed items on the console • Helps you configure proper audit logging • ALL VERSIONS OF WINDOWS (Win 7 & up) • Helps you enable what is valuable • Compares to many industry standards • CIS, USGCB and AU standards and “Windows Logging Cheat Sheet” MalwareArchaeology.com
• Collect 1-7 days of logs • 20+ reports • Full filesystem Hash Baseline • Full filesystem compare to Hash Baseline • Full system Registry Baseline • Full system compare to Registry Baseline • Large Registry Key discovery MalwareArchaeology.com
• More reports • Interesting Artifacts report • WhoIS resolution of IPs • SRUM (netflow from/to a binary) • AutoRuns report with whitelist and Master Digest exclusions • List of Locked files • More Whitelisting • Master-Digest to exclude hashes and files MalwareArchaeology.com
Resources • Websites – MalwareArchaeology.com – Log-MD.com The tool • The “Windows Logging Cheat Sheet” – MalwareArchaeology.com • Script to set File Association, Break DDE and more – www.MalwareArchaeology.comlogging MalwareArchaeology.com
Questions? • You can find us at: • @HackerHurricane • @Boettcherpwned • Log-MD.com • MalwareArchaeology.com • HackerHurricane.com (blog) MalwareArchaeology.com

Recomendados

MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1Michael Gough
 
Logging for Hackers v1.0
Logging for Hackers v1.0Logging for Hackers v1.0
Logging for Hackers v1.0Michael Gough
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beMichael Gough
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Michael Gough
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCONMichael Gough
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Michael Gough
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Michael Gough
 

Recomendados

MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1Michael Gough
 
Logging for Hackers v1.0
Logging for Hackers v1.0Logging for Hackers v1.0
Logging for Hackers v1.0Michael Gough
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beMichael Gough
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Michael Gough
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCONMichael Gough
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Michael Gough
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Michael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareMichael Gough
 
RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackersMichael Gough
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOUMichael Gough
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Michael Gough
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Michael Gough
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomwareMichael Gough
 
Info sec is not daunting v1.0
Info sec is not daunting v1.0 Info sec is not daunting v1.0
Info sec is not daunting v1.0 Michael Gough
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1Michael Gough
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Michael Gough
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0Michael Gough
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?Michael Gough
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Michael Gough
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0Michael Gough
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Michael Gough
 
Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014Michael Gough
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themMichael Gough
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware ArchaeologistMichael Gough
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Michael Gough
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 

Más contenido relacionado

La actualidad más candente

Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareMichael Gough
 
RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackersMichael Gough
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOUMichael Gough
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Michael Gough
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Michael Gough
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomwareMichael Gough
 
Info sec is not daunting v1.0
Info sec is not daunting v1.0 Info sec is not daunting v1.0
Info sec is not daunting v1.0 Michael Gough
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1Michael Gough
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Michael Gough
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0Michael Gough
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?Michael Gough
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Michael Gough
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0Michael Gough
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Michael Gough
 
Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014Michael Gough
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themMichael Gough
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware ArchaeologistMichael Gough
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 

La actualidad más candente (20)

Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
 
RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackers
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOU
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomware
 
Info sec is not daunting v1.0
Info sec is not daunting v1.0 Info sec is not daunting v1.0
Info sec is not daunting v1.0
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015
 
Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware Archaeologist
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
 

Similar a InnoTech 2017_Defend_Against_Ransomware 3.0

Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Michael Gough
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail YouMichael Gough
 
Phish training final
Phish training finalPhish training final
Phish training finalJen Ruhman
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamOWASP Delhi
 
2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers
2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers
2010-03 Yesterday's Trusted Web Sites are Today's Malicious ServersRaleigh ISSA
 
Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...Osama Salah
 
From velvet to silk there is still a lot of sweat
From velvet to silk there is still a lot of sweatFrom velvet to silk there is still a lot of sweat
From velvet to silk there is still a lot of sweatStefano Maccaglia
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS EnvironmentsSecuRing
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Continuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityContinuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityVodqaBLR
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
Ransomware: WanaCry, WanCrypt
Ransomware: WanaCry, WanCryptRansomware: WanaCry, WanCrypt
Ransomware: WanaCry, WanCryptYash Diwakar
 
Internet security
Internet securityInternet security
Internet securityrfukunaga
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryonePaul Melson
 

Similar a InnoTech 2017_Defend_Against_Ransomware 3.0 (20)

Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
App locker
App lockerApp locker
App locker
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail You
 
12990739.ppt
12990739.ppt12990739.ppt
12990739.ppt
 
Phish training final
Phish training finalPhish training final
Phish training final
 
I Have My WordPress Site Now What?
I Have My WordPress Site Now What?I Have My WordPress Site Now What?
I Have My WordPress Site Now What?
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
 
2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers
2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers
2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers
 
CMS Joomla
CMS JoomlaCMS Joomla
CMS Joomla
 
Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...
 
From velvet to silk there is still a lot of sweat
From velvet to silk there is still a lot of sweatFrom velvet to silk there is still a lot of sweat
From velvet to silk there is still a lot of sweat
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
 
Continuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityContinuous security testing - sharing responsibility
Continuous security testing - sharing responsibility
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
Ransomware: WanaCry, WanCrypt
Ransomware: WanaCry, WanCryptRansomware: WanaCry, WanCrypt
Ransomware: WanaCry, WanCrypt
 
Internet security
Internet securityInternet security
Internet security
 
Keep Your SIte Secure
Keep Your SIte SecureKeep Your SIte Secure
Keep Your SIte Secure
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 

Último

Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 

Último (20)

Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

InnoTech 2017_Defend_Against_Ransomware 3.0

  • 1. Defending Against Ransomware and what can you do about it Michael Gough – Founder MalwareArchaeology.com MalwareArchaeology.com
  • 2. Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet” “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet” “Windows PowerShell Logging Cheat Sheet” “Windows Splunk Logging Cheat Sheet” “Malware Management Framework” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • @HackerHurricane also my Blog MalwareArchaeology.com
  • 3. The Problem or Challenge We all Face MalwareArchaeology.com
  • 4. Europol experts • "Ransomware attacks have eclipsed most other global cybercrime threats, with the first half of 2017 witnessing ransomware attacks on a scale previously unseen following the emergence of self-propagating 'ransomworms,' as observed in the WannaCry and Petya/NotPetya cases," write Europol experts in the agency's Internet Organized Crime Threat Assessment (IOCTA 2017) MalwareArchaeology.com
  • 5. Costs and Growth • The FBI believes the total cost of ransomware broke the $1 billion mark in 2016 • Whatever the motivation, new ransomware increased by 54% in the second quarter of this year, according to McAfee. • The number of total new ransomware samples has increased by 47% in the past four quarters. MalwareArchaeology.com
  • 6. The Numbers • 80% of security pros view ransomware to be a moderate or extreme threat today. This is from a study of nearly 500 practitioners among the Information Security Community on LinkedIn, conducted by Cybersecurity Insiders and Crowd Research Partners. • That survey showed that 75% of organizations affected by ransomware have experienced up to 5 attacks in the last year, and 25% have been hit by 6 or more attacks. MalwareArchaeology.com
  • 7. The Numbers • The study showed that 39% of organizations say it takes them anywhere between several days to a few weeks to recover from a ransomware attack. • This lack of resiliency and the fallout from attacks this year highlight the lack of accountability for instituting the basics of IT security within organizations, says James Carder, CISO of LogRhythm. MalwareArchaeology.com
  • 8. Email is #1 • Phishing IS our worst enemy MalwareArchaeology.com
  • 11. Malicious Email • Malicious Attachments – PDF, Word, Excel, . .js, .jse, .wsf, .wsh, .hte, .lnk, PS1, CMD, BAT, .vbs, .vbe, etc • URL’s in Email – Click HERE to see more • Then downloads the above file formats – Or sends you to a credential stealer webpage • Encrypted emails – Same as above but protected with a password to bypass ALL security controls • All new for 2017 – Word DDE – auto downloading malware when Office opens • Not to mention a Feature/Flaw of just receiving email MalwareArchaeology.com
  • 12. So what can we do? MalwareArchaeology.com
  • 14. Why does the criminals approach work? MalwareArchaeology.com
  • 15. Understand WHY it works • Email gateways do not block enough, or anything • Exchange and Outlook controls are seldom used • Don’t forget users check personal email (Gmail, Yahoo, Hotmail, Office365, etc.) • We do NOT do enough here and we should • It’s FREE, your email gateway and Exchange server already have the capability • Even Outlook has rules that can be enabled MalwareArchaeology.com
  • 16. Take-Away #1 File Type Blocks MalwareArchaeology.com
  • 17. Outlook Rules • You REALLY need to enable these • https://support.office.com/en-us/article/Blocked- attachments-in-Outlook-3811cddc-17c3-4279- a30c-060ba0207372 • Block these on your Email Gateway !!! • Drop these PLEEEASE MalwareArchaeology.com
  • 18. What Gets By File Type Blocks? MalwareArchaeology.com
  • 19. If we drop these, what is left? • Encrypted messages – These emails will get by ALL security solutions because they can’t inspect encrypted emails (It’s Haaarrd) • Emails with URL’s – URL’s are generally not malicious with new campaigns in the first few hours • They use Cloud Storage too • Users download and Double-Click MalwareArchaeology.com
  • 20. What gets by file type blocks? • Documents that have URL’s • Encrypted Word/Office Docs that have Macros Encrypted Word/Office Docs with OLE objects that are scripts like the file types we dropped • NEW for 2017 – DDE Links in Word Docs – Auto opens a URL and downloads a malicious file • If the a file gets in this way, then we have to address what happens when a user clicks it MalwareArchaeology.com
  • 21. Take-Away #2 Block Macros PLEASE !!!! MalwareArchaeology.com
  • 22. Block Macros !!! • For corporate users – Office 2013 or 2016 required MalwareArchaeology.com
  • 23. Or tweak the registry Office 2016 • HKCUSOFTWAREPoliciesMicrosoftoffice16.0wordsecurity HKCUSOFTWAREPoliciesMicrosoftoffice16.0excelsecurity HKCUSOFTWAREPoliciesMicrosoftoffice16.0powerpointsecur ity – In each key listed above, create this value: DWORD: blockcontentexecutionfrominternet Value = 1 Office 2013 • HKCUSOFTWAREPoliciesMicrosoftoffice15.0wordsecurity HKCUSOFTWAREPoliciesMicrosoftoffice15.0excelsecurity HKCUSOFTWAREPoliciesMicrosoftoffice15.0powerpointsecur ity – In each key listed above, create this value: DWORD: blockcontentexecutionfrominternet Value = 1 MalwareArchaeology.com
  • 24. #WINNING • After adding these tweaks you will see this when you try and enable a macro and/or content • You can unblock if truly needed and trusted, create an exception group MalwareArchaeology.com
  • 25. There are More Than Macros MalwareArchaeology.com
  • 26. More than Macros • Macros account for a lot, but malwarians are morphing and evolving • We blocked more than 6000 emails between June and Dec 2016 • They have moved to encrypted documents • They have moved to documents with URL’s • They have moved to OLE objects in Word Docs • They have moved to using Cloud Storage to retrieve documents • NEW – They are using a DDE Feature/Flaw to auto download URL’s that have a file and get the user to click on the notification MalwareArchaeology.com
  • 28. Understand WHY it works • Windows is Sooooooo broken • The malwarians are taking advantage of the default configuration of Windows • What happens when you Double-Click is the enemy • Users have been trained to just click it – Click OK, click, click, click MalwareArchaeology.com
  • 29. So how does it work? • Clicking by users • Yeah, Yeah, Yeah… User awareness training – It won’t be enough • How about this… • Change what happens when users Double- Click a suspect file type • Now there’s a thought… MalwareArchaeology.com
  • 30. Take-Away #3 Deny the Double-Click MalwareArchaeology.com
  • 31. Deny the Double-Click • Windows allows by default the execution of a file type by double-clicking and launching the execution program (Booooooo) • So how about changing the dangerous file types that launch the interpreters to launching a simple editor? • Yup, NOTEPAD to the rescue !!!!! • Finally a good use for Notepad MalwareArchaeology.com
  • 32. Deny the Double-Click • This will NOT break the way these file types normally work. • Cscript ‘Logon.vbs’ will work fine • Double-Clicking ‘logon.vbs’ will just open Notepad • You WILL need to convince IT, they haven’t played with this due to FUD and lack of experience • Prove it by showing it works ! MalwareArchaeology.com
  • 35. Windows Based Script Host • Get rid of it, they use it to execute malware • Consider .vbe, .vbs, .ps1 and .ps1xml too, but this is used in corporate environments • This only affects double-clicking the file, not using the file properly (cscript Good_file.vbs) MalwareArchaeology.com
  • 36. Change to Notepad • Change ANYTHING that can execute a script to open Notepad MalwareArchaeology.com
  • 37. So what happens? • Users will open files that have been blocked, but got by either via an encrypted email or a URL in an email or attachment • The user then downloads the malicious file type and double-clicks it… If it is one of the types that you have changed the File Association for, the malware script will FAIL !!! • #WINNING MalwareArchaeology.com
  • 38. Take-Away #4 WARNING Windows 10 updates MalwareArchaeology.com
  • 39. Windows 10 upgrades • Microsoft sometimes does full OS upgrades when they patch • This will reset your File Association changes • So use Group Policy (GPO) to set these • If a standalone system (Home, Pro, EDU) then use a script I created that will set these and more – Create a scheduled task to run the script on logon to set them each time you begin work MalwareArchaeology.com
  • 40. Now What Can Get By? MalwareArchaeology.com
  • 42. DDE Links • Word allows auto-execution of links to download content • This is now being exploited HEAVILY !!! • But easy to break! MalwareArchaeology.com
  • 43. DDE Links • Turn this off !!!! • No need to automatically open links • The user can right-click and manually update if it is an Excel Graph for example • Disable using Group Policy • Or the script from my website which also sets malicious file types to use Notepad – MalwareArchaeology.comlogging MalwareArchaeology.com
  • 44. The 5%-10% that Can Get By MalwareArchaeology.com
  • 45. The Final Mile • Once you have done everything in this preso that is FREE • Now you can buy solutions that reduce the final 5% • Vendors are struggling with scanning documents that are encrypted • DDE is new and they are scrambling MalwareArchaeology.com
  • 46. What can still get by? • Look at these, which you may have and are also FREE – Application Whitelisting - Complicated – Detect it and Respond – Logging and people • Maybe User Awareness can help as you can now focus the training since all the other ways they get in have been dealt with MalwareArchaeology.com
  • 47. What can still get by? • Lots of email is known bad • Once a campaign is out for 4 hours or more, vendors start to add signatures to their advanced email filtering products to block known malicious emails • Add these solutions to your email gateway AFTER you have implemented what is already recommended – FireEye – LastLine – Cisco AMP – Etc… • EDR solutions might help AFTER you do everything in this preso since you will have reduced a ton of garbage MalwareArchaeology.com
  • 48. Take-Away #6 New File Protection in Windows 10 - 1709 MalwareArchaeology.com
  • 49. New Feature in Windows 10 • Microsoft has now introduced ”Controlled Folder Access” feature in its Windows Defender Security Center that is • Available for Windows 10 Fall Creators Update (v1709) • Basically folders that are protected with this wil be denied access to non-approved applications • Probably will NOT work with another AV solution MalwareArchaeology.com
  • 50. New Feature in Windows 10 MalwareArchaeology.com
  • 52. User Awareness Teach users two things, and only 2 things 1. Don’t open emails that have encrypted attachments AND have the password in the body AND contain a few words and not descriptive 2. Don’t launch ANY .EXE files that you download from sources via email and links in emails or documents – EVER! MalwareArchaeology.com
  • 53. What do we do with the attachments we receive? MalwareArchaeology.com
  • 54. Evaluate them • Detonate them in a malware lab • Obtain the artifacts to see who else might have open the ones that got through • Analyze what the attachment does so you can better understand how to reduce them getting into your environment • 90% is FREE and you already have it • Just add some labor MalwareArchaeology.com
  • 55. What do we use to quickly evaluate the malware? MalwareArchaeology.com
  • 56. • The Log and Malicious Discovery tool • Audits your system and produces a report • Also shows failed items on the console • Helps you configure proper audit logging • ALL VERSIONS OF WINDOWS (Win 7 & up) • Helps you enable what is valuable • Compares to many industry standards • CIS, USGCB and AU standards and “Windows Logging Cheat Sheet” MalwareArchaeology.com
  • 57. • Collect 1-7 days of logs • 20+ reports • Full filesystem Hash Baseline • Full filesystem compare to Hash Baseline • Full system Registry Baseline • Full system compare to Registry Baseline • Large Registry Key discovery MalwareArchaeology.com
  • 58. • More reports • Interesting Artifacts report • WhoIS resolution of IPs • SRUM (netflow from/to a binary) • AutoRuns report with whitelist and Master Digest exclusions • List of Locked files • More Whitelisting • Master-Digest to exclude hashes and files MalwareArchaeology.com
  • 59. Resources • Websites – MalwareArchaeology.com – Log-MD.com The tool • The “Windows Logging Cheat Sheet” – MalwareArchaeology.com • Script to set File Association, Break DDE and more – www.MalwareArchaeology.comlogging MalwareArchaeology.com
  • 60. Questions? • You can find us at: • @HackerHurricane • @Boettcherpwned • Log-MD.com • MalwareArchaeology.com • HackerHurricane.com (blog) MalwareArchaeology.com