The Best Ways to Stop Malware and Ransomware That No One Else Will Tell You
Roger A. Grimes, Data-Driven Security Evangelist
[email protected]

About Roger
• 30+ years in computer security
• Expertise in host and network security, IdM, crypto, PKI, APT, honeypots, cloud security
• Consultant to the world's largest companies and militaries for decades
• Previously worked for Foundstone, McAfee, Microsoft
• Written 12 books and over 1,000 magazine articles
• InfoWorld and CSO weekly security columnist, 2005 - 2019
• Frequently interviewed by magazines (e.g. Newsweek) and radio shows (e.g. NPR's All Things Considered)
• Roger A. Grimes, Data-Driven Defense Evangelist, KnowBe4, Inc.
• Certification exams passed include: CPA; CISSP; CISM, CISA; MCSE: Security, MCP, MVP; CEH, TISCA, Security+, CHFI; yada, yada
• Twitter: @RogerAGrimes
• LinkedIn: https://www.linkedin.com/in/rogeragrimes/

Roger's Books

KnowBe4, Inc.
• The world's most popular integrated Security Awareness Training and Simulated Phishing platform
• Based in Tampa Bay, Florida, founded in 2010
• CEO & employees are ex-antivirus, IT security pros
• 200% growth year over year
• We help tens of thousands of organizations manage the problem of social engineering

Agenda
• Two Best Ways to Stop Malware
• Step-by-Step Instructions
• Live Malware & Defense Demonstration

Two Best Ways
• Detect and mitigate how malware is breaking in
• Detect how long malware is dwelling and where
• How/why/where/how long?
• Early detection of all of it
• No anti-malware defense is going to tell you this

How Malware Is Breaking In
• Officially known as the initial root cause exploit
• You cannot stop malware if you don't stop how it is breaking in
• You must focus on root causes as much as or more than on what breaks in or what it is called!
• Malware and hackers can break in using 10 different methods

Initial Root Cause Exploits
What's the number one root cause threat in your environment?
• Programming Bug (patch available or not available)
• Social Engineering
• Authentication Attack
• Human Error/Misconfiguration
• Eavesdropping/MitM
• Data/Network Traffic Malformation
• Insider Attack
• 3rd Party Reliance Issue (vendor/dependency/watering hole)
• Physical Attack
• Brand New Attack Vector (w/o current/default mitigation)

Ask Yourself 3 Key Questions:
1. Can your team correctly answer what the top root cause is?
2. Is the answer consistent across all stakeholders?
3. Do you have data to back up the right answer?
(Deck dated 8/18/20)

The Data-Driven Defenders Approach
[Slide chart: risk-ranked threats and defenses. The #1, #2 and #3 most impactful exploited root causes each get dedicated defenses and vendors; medium threats get mitigation; below them sits a long tail of many small threats.]
• You may decide that the cost of defending against small threats is not a good business decision

Risk Ranked Threat Perceptions:
• Focuses on root causes
• Local experience and data are highly valued
• Relevance is a big deciding factor

Risk Ranked Defenses:
• Mitigates root causes, not individual threats
• More efficient resource utilization
• Allows clearer cost/benefit considerations

Biggest Initial Breach Root Causes for Most Companies
• Social Engineering
• Unpatched Software
• But don't trust me, measure your own risk
• Social engineering is responsible for 70% - 90% of all malicious data breaches
  https://blog.knowbe4.com/70-to-90-of-all-malicious-breaches-are-due-to-social-engineering-and-phishing-attacks

Social Engineering & Phishing
Social Engineering Methods
• Email
• Compromised Web Sites/Banner Ads
• SMS
• Instant Messaging
• Vishing (voice call phishing)
• In-Person
• Malicious URLs
  • How to Spot Rogue URLs
  • Article - https://blog.knowbe4.com/top-12-most-common-rogue-url-tricks
  • Webinar - https://info.knowbe4.com/rogue-urls

Top Exploited Software
• Usually fewer than a handful of threats account for the vast majority of real risk
• The most attacked unpatched software is usually Internet-facing or Internet-accessing:
  Clients
  • Browser add-ons
  • Network-advertising services/daemons
  • OS
  • Productivity apps (Microsoft Office, etc.)
  Servers
  • Web server software
  • OS
  • Database
  • Management software
• What are your top unpatched threats?
How Malware Is Breaking In: Determining How Malware Breaks In
• Antivirus/anti-malware/EDR software may tell you when it blocks and alerts during the initial act of exploitation, but you usually don't know where in the malware lifecycle the detection happened, so:
• Know that most malware only breaks in using one method
• Create or use a way of detecting or tracking first execution and where it happened
• Look at your logs
• Do a little research
• The end-user may be able to tell you
• Last resort: track by inventory

• Most malware only breaks in using one method
• Most malware is installed using:
  • Social engineering (email and compromised web sites)
  • Unpatched Internet-facing software
  • Password guessing
• Malware exploit kits only use a few basic exploits each year

If nothing else, do a little research
• Review your daily/monthly anti-malware report
• Research the exploitation vectors for the top 10 identified malware programs
• You can use AV vendor reports, but your own information is better

Do a little research (example)
[Slide image: Check Point Top 10 malware report] But let's assume this is your personal AV monthly report.

Example percentages, as shown for an example report:
• Agent Tesla – 37%
• Phorpiex – 24%
• XMRig – 21%
• Dridex – 9%
• Trickbot – 3%
• Ramnit – 3%
• Emotet – 1%
(98% of detections)

Initial root cause exploit researched for each family:
• Agent Tesla – social engineering/unpatched Microsoft Office
• Phorpiex – spam/social engineering, IM/Skype, removable media drives
• XMRig – unpatched web server software
• Dridex – spam/email attachment/social engineering
• Trickbot – social engineering, unpatched software, network file shares
• Ramnit – (we will say unknown just for this example)
• Emotet – macro virus in email attachment/social engineering

Based on the percentages, if you are fully patched, then it means:
• 74% related to social engineering one way or another
• Plus possibly some removable media exploits and network share issues
• 3% - 5% unknown
• If you are not fully patched, attribute up to 48% of the risk to unpatched software, depending on what you find

3 x 3 Security Control Pillars
• For every high-risk threat you want to mitigate, create 3 x 3 controls
• https://www.linkedin.com/pulse/3-x-security-control-pillars-roger-grimes

Do a little research (summary)
• It took me 45 minutes of research and simple math to determine this
• Use your own anti-malware reports
• Try your best to determine the root cause exploit based on evidence
• Research what you can't find or determine
• Otherwise: your top two root causes are likely to be social engineering and unpatched software
• But maybe one month it becomes unpatched video cameras (e.g. the MVPower exploit) or USB keys, so track each month and over time

The KnowBe4 Security Awareness Program WORKS
Baseline Testing: Use simulated phishing to baseline assess the Phish-prone™ percentage of your users.
Train Your Users: The world's largest library of security awareness training content, including interactive modules, videos, games, posters and newsletters. Automated training campaigns with scheduled reminder emails.
Phish Your Users: Best-in-class, fully automated simulated phishing attacks,
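To make the "do a little research" arithmetic repeatable every month, here is an added Python example. It is not from the deck and not KnowBe4 code; it takes the example report's detection shares and the per-family research notes from the slides as constructed input, credits each family to every initial-access vector its note lists, and prints a ceiling per root cause. The bucket names, the `closed` parameter and the "unexplained" handling are this example's own assumptions: a family whose only listed vectors you believe are mitigated is flagged instead of silently dropped, which is the check a "fully patched" estate should run on a 21% XMRig share before taking the 74% social-engineering figure at face value. Because mixed families (Agent Tesla, Phorpiex, Trickbot) are credited to every vector they list, the unpatched-software figure is a ceiling; how much of each mixed family you actually attribute to patching is the judgement call behind the slide's "up to" number.

```python
"""Attribute a monthly anti-malware report to initial root-cause exploits.

Added example, not part of the original deck. The detection shares and the
per-family research notes below are constructed from the example slides; the
bucket names and the `closed`/`unexplained` handling are this example's own.
"""
from collections import Counter

# Root-cause buckets (names chosen for this example).
SOCIAL = "social engineering"
UNPATCHED = "unpatched software"
MEDIA = "removable media"
SHARES = "network shares"
UNKNOWN = "unknown"

# Constructed input: share of detections per family from the example report.
REPORT = {
    "Agent Tesla": 37,
    "Phorpiex": 24,
    "XMRig": 21,
    "Dridex": 9,
    "Trickbot": 3,
    "Ramnit": 3,
    "Emotet": 1,
}

# Research notes: every initial-access vector each family is known to use.
# A family with more than one entry is "mixed" and is credited to each vector.
VECTORS = {
    "Agent Tesla": {SOCIAL, UNPATCHED},       # phishing / unpatched Office
    "Phorpiex": {SOCIAL, MEDIA},              # spam, IM, removable drives
    "XMRig": {UNPATCHED},                     # unpatched web server software
    "Dridex": {SOCIAL},                       # spam / email attachment
    "Trickbot": {SOCIAL, UNPATCHED, SHARES},  # phishing, unpatched, file shares
    "Ramnit": {UNKNOWN},                      # treated as unknown for the example
    "Emotet": {SOCIAL},                       # macro in email attachment
}


def attribute(report, vectors, closed=frozenset()):
    """Return (totals, unexplained).

    totals maps each root-cause bucket to the percentage of detections that
    could have arrived through it. A mixed family counts toward every vector
    it lists, so buckets overlap and each figure is a ceiling, not a split.

    closed names vectors you believe are mitigated (e.g. {UNPATCHED} for a
    fully patched estate); they are removed before counting. A family whose
    listed vectors are all closed goes into `unexplained` instead of being
    dropped: either the mitigation is less complete than believed or the
    research note is wrong, and either way it needs a look.
    """
    totals = Counter()
    unexplained = Counter()
    for family, pct in report.items():
        remaining = set(vectors.get(family, {UNKNOWN})) - set(closed)
        if not remaining:
            unexplained[family] += pct
            continue
        for vector in remaining:
            totals[vector] += pct
    # Detections outside the listed families have no research note at all.
    totals[UNKNOWN] += 100 - sum(report.values())
    return totals, unexplained


def ranked(totals):
    """Root-cause buckets ordered by share, highest first."""
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    scenarios = (("as reported", ()), ("assuming fully patched", (UNPATCHED,)))
    for label, closed in scenarios:
        totals, unexplained = attribute(REPORT, VECTORS, closed)
        print(f"--- {label} ---")
        for vector, pct in ranked(totals):
            print(f"{pct:3d}%  {vector}")
        for family, pct in unexplained.items():
            print(f"{pct:3d}%  UNEXPLAINED: {family} lists only closed vectors")
```

Run it against each month's report and keep the ranked output; the month the top bucket changes (the "unpatched video cameras or USB keys" case on the slide) is the month your defense spend should move with it.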