Preventing ransomware by adopting a risk-based model
Adam Harrison EMEA Lead, IBM Security X-Force Incident Response
Colin Sheppard EMEA Lead, IBM Security X-Force RED
Malware trends
Destructive attacks are estimated to cost an average of $239 million, over 60 times more than the average cost of a data breach.
Throughout 2019, X-Force IRIS responded to ransomware engagements in 12 different countries on 5 different continents and across 13 different industries.
IBM Security / © 2020 IBM Corporation
Potted History of Ransomware
RaaS
1989: AIDS Trojan
2005: Archievus
2012: Reveton
2013: CryptoLocker
2014: CTB Locker
2015: TeslaCrypt, Chimera, LowLevel04
2015: Petya, Cryptolocker Service
2016: SamSam, JigSaw, ZCryptor
2017: WannaCry, NotPetya
2017: Cryptocurrency Mining Malware
Evolution of Ransomware
Victim Targeting
Opportunist:
• Drive-by download
• Phishing campaigns
Increasing Sophistication:
• Worm capability
Targeted Attacks:
• Targeted attacks
• Predicated on domain compromise
• Access resale
Evolution of Ransomware
Cryptocurrency Mining Malware
Activity levels tied to market conditions
Two Types:
• Malicious mining via compromised websites, also known as cryptojacking.
• Malware-based cryptomining attacks on a user’s device. This activity relies on the device’s central processing unit (CPU) power.
Evolution of Ransomware
Extortion Tactics
Not new but increasing
• Reveton (2012)
• Chimera (2015)
Requires an increased dwell time on the part of the malicious actor.
Combats the ‘Restore from Backup’ approach
Recommendations
1. Implement and test a robust backup policy, to include offline backups of key data.
2. Build (or engage) an expert incident response team.
3. Use in-depth table-top and cyber range exercises to prepare for potential incidents.
4. Implement vulnerability and patch management processes.
5. Use threat intelligence to understand risks to your organization.
Themes: Resiliency, Preparation
WannaCry Timeline
March 14 Microsoft releases patch for CVE-2017-0144
April 14 Shadow Brokers release EternalBlue exploit
May 10 CVE-2017-0144 exploit released on ExploitDB
May 12 WannaCry attacks begin
May 13 Estimated 230k computers infected resulting in $4 billion in financial losses
1.7m: Average number of outstanding vulnerabilities in client environments
Source: X-Force Red vulnerability management client statistics
48%: Percentage of vulnerabilities in client environments rated high or critical per CVSS
Source: X-Force Red vulnerability management client statistics
And it is getting worse
Application development at DevOps speed
Convergence of IT and OT
Growing number of mobile & remote devices
Migration to containers & microservices
Infrastructure
Use threat intelligence to understand risk
CVE-2020-17084 (Microsoft Exchange Server Remote Code Execution): CVSS 3: 8.8, no available exploits, no malware variants
CVE-2017-0147 (Windows SMB Information Disclosure): CVSS 3: 5.9, 14 known exploits, 56 malware variants
3%: Percentage of vulnerabilities in client environments that present a real risk
Source: X-Force Red vulnerability management client statistics
Shift to risk-based vulnerability management
Traditional vulnerability management vs. risk-based vulnerability management
• Traditional: Prioritization based on static CVSS score or scanner score. Risk-based: Prioritization based on dynamic threat intel and business impact.
• Traditional: Fragmented visibility across infrastructure, cloud, and IoT. Risk-based: Complete visibility across infrastructure, cloud, and IoT/OT.
• Traditional: Focused on reducing the number of outstanding vulnerabilities. Risk-based: Focused on responding to discovered risk within target timeframes.
• Traditional: IT resistant due to crushing demand to patch everything. Risk-based: Collaboration between security and IT due to shared incentives.
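The CVE comparison and the traditional-versus-risk-based contrast above, worked as an added example that is not part of the deck: a small Python script that ranks the two CVEs from the slide first by static CVSS and then by a hypothetical risk score that weights known exploits, malware use and an assumed business-impact value, and maps the score to an assumed remediation timeframe. The weighting, the SLA tiers and the business_impact field are assumptions for illustration; the CVSS, exploit and malware counts are the slide's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str
    title: str
    cvss: float               # static CVSS 3 base score, as on the slide
    known_exploits: int       # public exploits known for this CVE, as on the slide
    malware_variants: int     # malware variants observed using it, as on the slide
    business_impact: float    # assumed asset-criticality weight 0.0-1.0 (not on the slide)

# Constructed sample: the two vulnerabilities compared on the slide, with an
# assumed business_impact of 0.8 for both so that only the threat intel differs.
SAMPLE = [
    Vuln("CVE-2020-17084", "Microsoft Exchange Server RCE", 8.8, 0, 0, 0.8),
    Vuln("CVE-2017-0147", "Windows SMB Information Disclosure", 5.9, 14, 56, 0.8),
]

def cvss_rank(vulns):
    """Traditional ordering: static CVSS score only, highest first."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]

def risk_score(v):
    """Hypothetical risk score: CVSS scaled by threat activity and business impact."""
    # Weights are assumptions. No exploits and no malware keeps the factor at 1.0;
    # counts are capped so one very widely abused CVE does not dominate the scale.
    threat = 1.0 + 0.1 * min(v.known_exploits, 10) + 0.02 * min(v.malware_variants, 50)
    return round(v.cvss * threat * v.business_impact, 2)

def risk_rank(vulns):
    """Risk-based ordering: highest risk score first."""
    return [v.cve for v in sorted(vulns, key=risk_score, reverse=True)]

def target_days(v):
    """Assumed SLA tiers: respond to discovered risk within a target timeframe."""
    score = risk_score(v)
    if score >= 12.0:
        return 7
    if score >= 6.0:
        return 30
    return 90

if __name__ == "__main__":
    print("CVSS order:", cvss_rank(SAMPLE))
    print("Risk order:", risk_rank(SAMPLE))
    for v in SAMPLE:
        print(f"{v.cve}: score {risk_score(v)}, fix within {target_days(v)} days")
```

With these weights the SMB information-disclosure bug (CVSS 5.9, 14 exploits, 56 malware variants) outranks the Exchange RCE (CVSS 8.8, no exploits, no malware) and lands in the 7-day tier, which is the slide's point about static scores.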