topic Re: Ransomeware - questions in Tech Talk

Ransomeware - questions

JKWiniger — Sat, 04 Jan 2020 15:42:10 GMT

With so much ransomeware in the news I have often wondered if the companies that get hit and simply not following best practices or if there is something I am not aware of.

If you are doing your updates, have antivirus and malware which are geared towards ransomware, and have proper backups shouldn't that cover most of this stuff?

Granted there is always the new stuff that slips by but at the rates of occurrence this doesn't seem to be the case.

Thoughts?

John-

Re: Ransomeware - questions

rslade — Sat, 04 Jan 2020 18:30:20 GMT

> JKWiniger (Newcomer II) posted a new topic in Tech Talk on 01-04-2020 10:42 AM

> With so much ransomeware in the news I have often wondered if the companies that
> get hit and simply not following best practices or if there is something I am
> not aware of. If you are doing your updates, have antivirus and malware which
> are geared towards ransomware, and have proper backups shouldn't that cover most
> of this stuff?

No, I don't think there is anything you are missing. Yes, those countermeasures
should keep most people safe most of the time. (Particularly the backups. And
proper, multi-layered backups, most of them offline.)

> Granted there is always the new stuff that slips by but at the
> rates of occurrence this doesn't seem to be the case.

I'd agree. The extremely high rates of ransomware "hits" seem to me to indicate
two things: 1) most security plans are abysmal, and, given #1, 2) the blackhats
realize that the easiest way to make money these days is to produce and seed out
as much ransomware as possible.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
The Tao of network protocols:
If all you see is IP, you see nothing. - Greg Minshall
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Ransomeware - questions

JKWiniger — Sat, 04 Jan 2020 20:54:47 GMT

I guess to me I felt like I must have been missing something for these things to be so basic but yet for so many places to be getting hit with ransomware. There are a lot of things that seem so simple to me that it leads me again to think I must be wrong, and hence has lead me to a touch of imposter syndrome at times.

This has been eye opening, thank you.

John-

Re: Ransomeware - questions

dcontesti — Sun, 05 Jan 2020 00:51:38 GMT

I think you got the basics down as all those thing SHOULD protect you. The operative word here is SHOULD but one must remember it only takes one machine to not be patched or the AV not be working (yup this happens) for Ransomware or any other virus/malware to take hold of your environment.

Patching can sometimes be difficult and even when one thinks they are 100%, someone pulls out a computer from under a desk that hasn't been patched in months or allows an unprotected device to attach to the network (they just want to take that spreadsheet home to work on, etc......). The problem is typically the human factor.

Along with the three you mention, I would add a strong dose of Security Awareness training especially on what is allowed and not allowed on your network, what patching means and why it is done.

my nickel

Re: Ransomeware - questions

AppDefects — Mon, 06 Jan 2020 02:57:20 GMT

The prevailing assumption in this thread is that organizations and many local government IT shops are doing the right thing (i.e., the "basics"). Well news flash they are not. They don't control user authentication and authorization with the basic philosophy of least privilege. There are lots of organizations that give there users "admin" on their local machines and over provision roles on databases. Can you say lateral movement? I new you could.

Re: Ransomeware - questions

Steve-Wilme — Mon, 06 Jan 2020 11:32:42 GMT

It's often patch delay time being exploited. Whilst you know there's a patch and it's in testing, you haven't fully deployed it yet. So if you're patching monthly, you need to consider moving to weekly or even daily! You need to consider what happens if you have a major incident that diverts resource, cover over holidays and what to do if staff are away ill. You need to consider how you can get remote machines patched and you need to posture check them when they come back into the office. Whilst companies are often trying to do the right thing, it's only by completing the work that malware is kept at bay.

Re: Ransomeware - questions

JKWiniger — Mon, 06 Jan 2020 12:42:49 GMT

On patching and updating, I have been wondering if it is possible to get disclosure from vendors about what libraries and sub systems and in their products. If I see there has been a vulnerability or bug found in one of these I don't always know if I am affected due to this lack of disclosure. Even if there is no patch available I would still be able to mitigate the risk in different ways, if I know I am at risk.

So am I missing anything on getting this disclosure?

John-

Re: Ransomeware - questions

4d4m — Mon, 06 Jan 2020 13:57:21 GMT

Whilst I agree that you need to follow the basics of protection and have good detection, and good incident response (some way to restore from backup that works and is operational etc.), there are two things to consider:

- some networks are massive and sprawling, and included mergers and suppliers and all sorts of third parties, going through a state of transition. So, it isn't that simple to know if it is all in a good state. I am not making excuses for people, but not all networks are equal

- in some ransomware attacks the attackers have come in quietly, monitored the infrastructure, and even replaced the software update management mechanisms, the ransomware part being the last visible step.

I think the most important thing is to have good fine grained configuration. You can have all the patching and malware protection, and backups, but if the configuration is weak then protections can be bypassed, restores can fail, businesses can be unprepared to communicate in an incident.

Best

Adam

Re: Ransomeware - questions

JKWiniger — Mon, 06 Jan 2020 15:19:59 GMT

That LEAST PRIVILEGE has stuck in my head and I just have to say that it is crazy how many times I have had vendors not specify the exact privileges needed on a service required for their product!

Re: Ransomeware - questions

rslade — Tue, 07 Jan 2020 19:11:23 GMT

> dcontesti (Community Champion) posted a new reply in Tech Talk on 01-04-2020

> I think you got the basics down as all those thing SHOULD protect you. The
> operative word here is SHOULD but one must remember it only takes one machine to
> not be patched or the AV not be working (yup this happens) for Ransomware or any
> other virus/malware to take hold of your environment.

And if you've got a backup, as backup to the other countermeasures, then you SHOULD be OK ...

Re: Ransomeware - questions

kevinkidder — Wed, 08 Jan 2020 21:08:23 GMT

I have a pentesting company that I have been operating for a while. I whole heartedly agree that there are many organizations that are not adhering to "best practices". The other statement being "abysmal state" is probably more accurate based on what I see on a daily basis.

In a recent conversation with a vendor, the sales person stated to me that "well, most companies are probably doing the basics, and this is where we come in, above that level." I replied "I'm going to have to stop you there. Based on what I've seen, you don't realize how low the low hanging fruit really is..."

In all seriousness, my experience has been that "size matters". Really small companies, say <100 employees may not have an IT person, and if they do, it is contractual, and a break-fix service only. There is no time being spent on security. At the other end of the spectrum, really large companies, >100K employees are many times disorganized and disjointed enough that they miss some of the critical "low hanging fruit" but making global exceptions as policy for a specific niche use case. As an example, "We need to ensure TLS 1.2 is in use on all assets. Response: Well, Bob in accounting has this check-pay system that is critical, and it can't use TLS 1.2, so leave TLS 1.0 on. Response: Ok, we can't disable TLS 1.0 anywhere."

Oversimplified and cynical, I know, but the reality is I have seen the conversations go that way when the agenda is more about political power struggle than solving the security issues for the good of the company.

Kevin

Re: Ransomeware - questions

Steve-Wilme — Thu, 09 Jan 2020 15:33:18 GMT

If your organisation really needs next to no downtime, then you may want to examine if automating deletion and recreation of servers from an offline pre-patched image via automation is a useful place to move to. Being able to blow away all suspected compromised server and rebuild them by firing a script, then restoring affected files from backups is a quick way back into service. It does however require a change to a more proactive automated approach, rather than trying to fix up legacy infrastructures.

Re: Ransomeware - questions

Jasperuk — Sun, 29 Nov 2020 11:39:42 GMT

My job involves me in cyber incident response in other organisations and helping advise on protective measures for the sector I work within. While I wholeheartedly endorse most of what I have read on this thread, I would emphasis more than anything that word “SHOULD” because I have multiple direct experience where the ransomware was not stopped by all the standard defences. Only this week I was also helping a UK National agency advise on backups to a major organisation for a determined ransomware attack against a high profile target. Why, because the last three major ransomware attacks in the sector had fully compromised the backups as well as the attacker compromising the hypervisor and the network appliances.

Having a backup is not good enough, you need a really good backup in depth strategy. As an absolute minimum you need the 3-2-1 approach - 3 backups, 2 local to your network geographically dispersed and in different network segments and 1 offline - that is off your network. If the attacker breaches your network serious enough you are not going to have any usable backup that is connected to your core network, an APT actor may have been in that network for weeks or months before triggering that ransomware attack - that is what happened in 2 of the major cases I have dealt with in last 12 months. When an APT is in the network that long you are backing up the attacker activity, hope you are building that assumption into your backup restore test plans as well. If your anti-malware defences failed to detect the attack, understand it is not going to catch it on checking the restore either - use something that will. An APT attacker in a worst case may be present in your offline backup but at least the offline backup gives you a chance to safely restore to a controlled environment for advanced detection and eradication in the event you have nothing left on the core network. Incidentally, remember I said this all should be your minimum prep. I feel our backup technology and approaches as an industry are currently lagging behind where it needs to be for robust protection from APTs - and they are increasing in number and sophistication.

On the subject of bandwidth capacity for those precious backups, if you have significant volumes to backup, lessons also show don’t use tape, use secure cloud backup vaults and if needed put in dedicated WAN connections just for your backup. These days in the UK a GB WAN connection is pretty cheap.

May I also say that nearly everyone assumes it will never happen to them until it does, and that is always too late. I sincerely hope no one reading this ever suffers a major ransomware event - one which takes out your whole organisation for months. The costs in material and money are devastating enough, the cost on the people impacted can go beyond all expectations, including and up to loss of life.

Hope this helps someone - stay safe 🙂

Re: Ransomeware - questions

JKWiniger — Mon, 30 Nov 2020 17:16:39 GMT

@kevinkidder This is a very good post and I like to think that I truly understand what you are saying. I have worked with companies of all sizes and the problems do vary. With most smaller companies they tend to have to trust whatever company the use to handle things, and when it's a vendor they do not have the clients but interest in mind but rather how they can make the most money. Sadly since so many small businesses do not understand the technology they are at their mercy. I was retained by a few places that did not have an IT person and I made it my job to guide them to the best technology choices I could find. At time I would bring in outside vendors for certain thing but I also kicked many out because I could spot the BS!

With the larger companies they seem to loose focus and get caught up in the reactive firefighter mode and let things slip. The have the best intentions but you really need a strong manager who understands the problems and the risks. Your TLS example to me should have been a matter of, ok contact the vendor and find out when they will fix this and if they will not inform them that you will be forced to start looking for a more secure solution. And if you wanted to be mean you could also mention that you would publicly disclose that they will not upgrade and that anyone who uses the product is at risk. Yup, I can be a jerk at times.

To me it's a matter of understanding. I have a friend who's company wanted to have a pen test done. My response is why would you waste the money when you don't have a security person to act on the result?!?

John-