The Best Ways to Stop Malware and Ransomware That No One Else Will Tell You
Roger A. Grimes, Data-Driven Security Evangelist, [email protected]

About Roger
• 30 years plus in computer security
• Expertise in host and network security, IdM, crypto, PKI, APT, honeypot, cloud security
• Consultant to world’s largest companies and militaries for decades
• Previously worked for Foundstone, McAfee
• Written 12 books and over 1,000 magazine articles
• InfoWorld and CSO weekly security columnist 2005 - 2019
• Frequently interviewed by magazines (e.g. Newsweek) and radio shows (e.g. NPR’s All Things Considered)
• Certification exams passed include: CPA; CISSP; CISM, CISA; MCSE: Security, MCP, MVP; CEH, TISCA, Security+, CHFI; yada, yada

Roger A. Grimes, Data-Driven Defense Evangelist, KnowBe4, Inc.
Twitter: @RogerAGrimes
LinkedIn: https://www.linkedin.com/in/rogeragrimes/

Roger’s Books

KnowBe4, Inc.
• The world’s most popular integrated Security Awareness Training and Simulated Phishing platform
• Based in Tampa Bay, Florida, founded in 2010
• CEO & employees are ex-antivirus, IT Security pros
• 200% growth year over year
• We help tens of thousands of organizations manage the problem of social engineering

Agenda
• Two Best Ways to Stop Malware
• Step-by-Step Instructions
• Live Malware & Defense Demonstration

Two Best Ways
• Detect and Mitigate How Malware is Breaking In
• Detect How Long Malware is Dwelling and Where
• How/Why/Where/How Long?
• Early detection of it all
• No anti-malware defense is going to tell you this

How Malware Is Breaking In
• Officially known as the initial root cause exploit
• You cannot stop malware if you don’t stop how it is breaking in
• You must focus on root causes as much or more than what breaks in or their names!
• Malware and hackers can break in using 10 different methods

Initial Root Cause Exploits
What’s the number one root cause threat in your environment?
• Programming Bug (patch available or not available)
• Social Engineering
• Authentication Attack
• Human Error/Misconfiguration
• Eavesdropping/MitM
• Data/Network Traffic Malformation
• Insider Attack
• 3rd Party Reliance Issue (vendor/dependency/watering hole)
• Physical Attack
• Brand New Attack Vector (w/o current/default mitigation)

Ask Yourself 3 Key Questions:
1. Can your team correctly answer what is the top root cause?
2. Is the answer consistent across all stakeholders?
3. Do you have data to back up the right answer?

The Data-Driven Defenders Approach (8/18/20)

[Figure: a risk-ranked pyramid of threats. At the top, the #1, #2 and #3 most impactful exploited root cause threats, each paired with the vendors and defenses against that exploit; below them, medium threats paired with medium mitigation; at the base, many small threats. Note on the figure: you may decide that the cost of defending against small threats is not a good business decision.]

Risk Ranked Threat Perceptions:
• Focuses on root causes
• Local experience and data is highly valued
• Relevance is a big deciding factor

Risk Ranked Defenses:
• Mitigates root causes, not individual threats
• More efficient resource utilization
• Allows clearer cost/benefit considerations

Biggest Initial Breach Root Causes for Most Companies

• Social Engineering
• Unpatched Software
• But don’t trust me, measure your own risk

Social Engineering & Phishing
Social engineering is responsible for 70% - 90% of all malicious data breaches
https://blog.knowbe4.com/70-to-90-of-all-malicious-breaches-are-due-to-social-engineering-and-phishing-attacks

Social Engineering Methods
• Email
• Compromised Web Sites/Banner Ads
• SMS
• Instant Messaging
• Vishing (voice call phishing)
• In-Person

Social Engineering & Phishing
Social Engineering Methods
• Malicious URLs
• How to Spot Rogue URLs
  • Article - https://blog.knowbe4.com/top-12-most-common-rogue-url-tricks
  • Webinar - https://info.knowbe4.com/rogue-urls

Top Exploited Software

Usually less than a handful of threats compromise the vast majority of real risk

Most attacked unpatched software is usually Internet-facing/accessing and:
Clients
• Browser Add-Ons
• Network-advertising Services/Daemons
• OS
• Productivity apps (Microsoft Office, etc.)
Servers
• Web server software
• OS
• Database
• Mgmt software

What are your top unpatched threats?

How Malware Is Breaking In

Determining How Malware Breaks In
• Antivirus/antimalware/EDR software might tell you if it blocks and alerts during the initial act of exploitation…but you usually don’t know where in the malware lifecycle detection happened, so:
• Know that most malware only breaks in using one method
• Create/use a way of detecting or tracking first execution and where
• Look at your logs
• Do a little research
• End-user may be able to tell you
• Last resort: track by inventory

How Malware Is Breaking In
Determining How Malware Breaks In
• Most malware only breaks in using one method
• Most malware is installed using:
  • Social engineering (email and compromised web sites)
  • Unpatched Internet-facing software
  • Password guessing
• Malware exploit kits only use a few basic exploits each year

How Malware Is Breaking In
Determining How Malware Breaks In
If nothing else, do a little research
• Review your daily/monthly anti-malware report
• Research the exploitation vectors for the top 10 identified malware programs
• You can use AV vendor reports, but your own information is better

How Malware Is Breaking In
Determining How Malware Breaks In
Do a little research (example)
CheckPoint Top 10 Report
But let’s assume this is your personal AV monthly report

How Malware Is Breaking In
Determining How Malware Breaks In
Do a little research (example percentages shown for an example report)
• Agent Tesla – 37%
• Phorpiex – 24%
• XMRig – 21%
• Dridex – 9%
• Trickbot – 3%
• Ramnit – 3%
• Emotet – 1%
Total: 98%

How Malware Is Breaking In
Determining How Malware Breaks In
Do a little research (example)
• Agent Tesla – social engineering/unpatched Microsoft Office
• Phorpiex – spam/social engineering, IM, removable media drives
• XMRig – unpatched web server software
• Dridex – spam/email attachment/social engineering
• Trickbot – social engineering, unpatched software, network file shares
• Ramnit – (we will say unknown just for this example)
• Emotet – macro virus in email attachment/social engineering

How Malware Is Breaking In
Determining How Malware Breaks In
Do a little research (example)
• Based on the percentages, if you are fully patched, then it means:
  • 74% related to social engineering one way or another
  • Plus possibly some removable media exploits and network share issues
  • 3% - 5% unknown
• If you are not fully patched, attribute up to 48% of the risk to unpatched software depending on what you find

3 x 3 Security Control Pillars
For every high-risk threat you want to mitigate, create 3 x 3 controls
3 x 3 Security Control Pillars - https://www.linkedin.com/pulse/3-x-security-control-pillars-roger-grimes

How Malware Is Breaking In

Determining How Malware Breaks In
Do a little research (example)
• Took me 45 minutes of research and simple math to determine
• Use your own anti-malware reports
• Try your best to determine root cause exploit based on evidence
• Research what you can’t find or determine
• Otherwise: Your top two root causes are likely to be social engineering and unpatched software
• But maybe one month it becomes unpatched video cameras (e.g. MVPower exploit) or USB keys…so track each month and over time

The KnowBe4 Security Awareness Program WORKS
Baseline Testing: Use simulated phishing to baseline assess the Phish-prone™ percentage of your users.
Train Your Users: The world's largest library of security awareness training content, including interactive modules, videos, games, posters and newsletters. Automated training campaigns with scheduled reminder emails.
Phish Your Users: Best-in-class, fully automated simulated phishing attacks, hundreds of templates with unlimited usage, and community phishing templates.
See the Results: Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!

Security Awareness Training Program That Works
• Drawn from a data set of over four million users
• Over 17K organizations
• Over 9.1M Simulated Phishing Campaigns
• Segmented by industry type and organization size
https://info.knowbe4.com/phishing-by-industry-benchmarking-report

How Long and Where Malware Is
Determining How Long Malware Dwells and Where
Summary
• Use an application control program in monitor/audit-only mode
• Create a snapshot rule baseline from a clean image
• Detect and report on newly executed programs
• Copy new execution log events to centralized database
• Whenever AV detects and removes malware, compare removal time to origination time
• Create reports and security workflows from this info

How Long and Where Malware Is
Determining How Long Malware Dwells and Where
Application Control Programs
• Allows you to whitelist and blacklist executables and other programs
• Most allow monitoring/audit-only modes versus blocking/enforcement modes
• Most can build rules by “snapshotting” a system
• Most write events to security logs when new executions not on baseline occur

How Long and Where Malware Is
Determining How Long Malware Dwells and Where
Application Control Program Examples
• AppLocker and Windows Defender Application Control on
• Most major AV programs have a version
• Commercial versions: BeyondTrust, Carbon Black, Tripwire, Cisco, Ivanti
• Open source versions: SELinux, AppArmor, fapolicyd
• NIST SP 800-167 “Guide to Application Whitelisting”

How Long and Where Malware Is
Example Application Control Program Deployment: AppLocker
• Been in Microsoft Windows enterprise versions since /Windows Server 2008
• Early related Windows feature was Software Restriction Policies
• Windows Defender Application Control (WDAC), released in
• WDAC is a far more serious application control program than AppLocker and takes much more planning and administration to run
• AppLocker does not promise a true security boundary, WDAC does
• For our purposes, AppLocker is good enough
• Stand-alone, , MDM (e.g. Intune, etc.)

How Long and Where Malware Is
Example Application Control Program Deployment: AppLocker
• Run Gpedit.msc
• Computer Configuration\Windows Settings\Security Settings\Application Control Policies

How Long and Where Malware Is
Example Application Control Program Deployment: AppLocker
AppLocker Rule Categories:
• Executable Rules
• Rules
• Script Rules
• Packaged app Rules (Modern apps)
Each can be enabled separately

How Long and Where Malware Is
Example Application Control Program Deployment: AppLocker
[Screenshots of the AppLocker configuration steps in the Group Policy editor]
Note: If you enabled enforcement mode you might want to say Yes here.
• Start the Application Identity (AppID) service
• 0 logged events initially
• Any execution exceptions to AppLocker’s policy will be logged as 8003 events
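The deployment steps above (snapshot a clean image into rules, keep the policy in audit-only mode, start the Application Identity service, collect the 8003 events and ship them off the box) as one PowerShell script. This is an added example, not code from the deck or from Microsoft; the baseline directories, the export path under ProgramData and the one-day look-back are assumptions to adjust for your own image.

```powershell
# Added example (not from the deck): AppLocker audit-only baseline from a clean
# reference image, then collection of the 8003 events that record the first
# execution of anything outside that baseline. Run elevated on an edition that
# supports AppLocker. Directory list, export path and look-back are assumptions.

# 1. Snapshot the clean image: gather publisher/hash data for what is installed now
#    and generate allow rules for exactly those files (-Optimize collapses duplicates).
$baselineDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$fileInfo = foreach ($dir in $baselineDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize

# 2. Force every rule collection into AuditOnly: nothing is blocked, but every
#    execution that does not match the baseline is written to the AppLocker event log.
$policyXml = [xml]$policy.ToXml()
foreach ($collection in $policyXml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policyPath = Join-Path $env:ProgramData 'applocker-audit-baseline.xml'
$policyXml.Save($policyPath)
Set-AppLockerPolicy -XmlPolicy $policyPath      # local policy; distribute via GPO/MDM at scale

# 3. AppLocker evaluates nothing until the Application Identity service is running.
#    sc.exe is used because the service is protected on current Windows builds and
#    Set-Service may be refused.
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null

# 4. Read the audit events. 8003 = audited (would have been blocked under enforcement);
#    8004 = blocked. Each event carries path, hash, publisher and user, which is the
#    "first execution, where, by whom" record that the dwell-time comparison needs.
function Get-AppLockerFirstExecutions {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
            'Microsoft-Windows-AppLocker/MSI and Script'
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003; StartTime = $Since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
                [pscustomobject]@{
                    Host      = $env:COMPUTERNAME
                    Time      = $_.TimeCreated
                    User      = $data.TargetUser
                    FilePath  = $data.FilePath
                    FileHash  = $data.FileHash
                    Publisher = $data.Fqbn
                }
            }
    }
}

# Ship the records to the central store (the deck's "copy new execution log events
# to centralized database"); a CSV drop or a SIEM forwarder both work.
Get-AppLockerFirstExecutions |
    Export-Csv -Path (Join-Path $env:ProgramData "applocker-8003-$env:COMPUTERNAME.csv") -NoTypeInformation -Append
```

Because the policy stays in AuditOnly, the script never blocks anything; it only turns "something new ran here" into a timestamped record with the path, hash, publisher and user, which is the half of the dwell-time calculation that AV logs alone never give you.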

How Long and Where Malware Is
Example Application Control Program Deployment: AppLocker
Malshare.com Example
• Search for “ransomware”
• [Screenshots: a sample retrieved from Malshare, then the AppLocker 8003 event recorded when it executes]
• Pull all 8003 events to a centralized database
• Pull all AV detection log events to the same centralized database
  • AV program logs
  • AppLocker 8003 events

How Long and Where Malware Is
Final Steps
Every time malware is detected:
• Compare AV detection date/time to app control first execution date/time
• Create malware dwell time aging reports
• Develop security workflows

Security workflows
• Automate emails to victims notifying them of how long the malware dwelled and what they need to do
  • What applications did they logon to while exploited?
  • What personal logons did they use while exploited?
• Tie back to how malware got in to modify your training and defenses

Create reports and alerts of:
• Long dwell times
• Even minor dwell times on high-risk or high value assets
• Growing average dwell times
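The final steps (join each AV removal to the earliest 8003 first-execution record, bucket the dwell time, alert on long dwell and on any dwell on a high-value asset, watch the period average, and notify the victim) as an added PowerShell example, not code from the deck. Both input tables are constructed sample records standing in for the centralized database; the host names, users, hashes, threat labels and the seven-day "long dwell" threshold are assumptions.

```powershell
# Added example (not from the deck): join AV detection/removal events with AppLocker
# 8003 first-execution events and produce the dwell-time report and workflow triggers.
# Inputs are constructed sample records standing in for the centralized database;
# hosts, hashes, users and threat names are made up for illustration.

$firstExecutions = @(
    [pscustomobject]@{ Host = 'WS-ACCT-07'; Time = [datetime]'2020-08-03 09:14'; User = 'CORP\jdoe';   FilePath = 'C:\Users\jdoe\Downloads\invoice.exe';     FileHash = 'SHA256 AAAA…' }
    [pscustomobject]@{ Host = 'WS-ACCT-07'; Time = [datetime]'2020-08-03 09:20'; User = 'CORP\jdoe';   FilePath = 'C:\Users\jdoe\Downloads\invoice.exe';     FileHash = 'SHA256 AAAA…' }  # re-run; not the first
    [pscustomobject]@{ Host = 'SRV-WEB-01'; Time = [datetime]'2020-07-28 02:05'; User = 'NT AUTHORITY\SYSTEM'; FilePath = 'C:\inetpub\temp\xm.exe';    FileHash = 'SHA256 BBBB…' }
    [pscustomobject]@{ Host = 'WS-HR-12';   Time = [datetime]'2020-08-10 16:41'; User = 'CORP\asmith'; FilePath = 'C:\Users\asmith\AppData\Local\Temp\q.exe'; FileHash = 'SHA256 CCCC…' }
)
$avDetections = @(
    [pscustomobject]@{ Host = 'WS-ACCT-07'; Time = [datetime]'2020-08-05 11:02'; FilePath = 'C:\Users\jdoe\Downloads\invoice.exe';     FileHash = 'SHA256 AAAA…'; Threat = 'AgentTesla (sample)' }
    [pscustomobject]@{ Host = 'SRV-WEB-01'; Time = [datetime]'2020-08-12 08:30'; FilePath = 'C:\inetpub\temp\xm.exe';                  FileHash = '';              Threat = 'XMRig (sample)' }   # AV log without a hash
    [pscustomobject]@{ Host = 'WS-HR-12';   Time = [datetime]'2020-08-10 16:43'; FilePath = 'C:\Users\asmith\AppData\Local\Temp\q.exe'; FileHash = 'SHA256 CCCC…'; Threat = 'Ransomware (sample)' }
    [pscustomobject]@{ Host = 'WS-DEV-03';  Time = [datetime]'2020-08-11 10:00'; FilePath = 'C:\Temp\tool.exe';                        FileHash = 'SHA256 DDDD…'; Threat = 'PUA (sample)' }     # no 8003 record at all
)
# Assets the deck calls "high-risk or high value": any dwell time there is reportable.
$highValueHosts = @('SRV-WEB-01')

function Get-MalwareDwellReport {
    param($Detections, $Executions, [string[]]$HighValue, [int]$LongDwellDays = 7)
    foreach ($d in $Detections) {
        # Earliest audited execution of the same file on the same host: match on hash
        # when the AV record has one (survives renames), otherwise on path.
        $first = $Executions |
            Where-Object { $_.Host -eq $d.Host -and
                           ( ($d.FileHash -and $_.FileHash -eq $d.FileHash) -or $_.FilePath -eq $d.FilePath ) } |
            Sort-Object Time | Select-Object -First 1
        $dwell = if ($first) { $d.Time - $first.Time } else { $null }
        [pscustomobject]@{
            Host       = $d.Host
            Threat     = $d.Threat
            User       = if ($first) { $first.User } else { 'unknown' }
            FirstSeen  = if ($first) { $first.Time } else { $null }
            Removed    = $d.Time
            DwellHours = if ($null -ne $dwell) { [math]::Round($dwell.TotalHours, 1) } else { $null }
            Bucket     = if ($null -eq $dwell)                        { 'no first-execution record' }
                         elseif ($dwell.TotalDays -ge $LongDwellDays)  { 'long' }
                         elseif ($dwell.TotalHours -ge 24)             { 'medium' }
                         else                                          { 'short' }
            # Alert on long dwell anywhere, and on any dwell at all on a high-value asset.
            Alert      = ($null -ne $dwell) -and ($dwell.TotalDays -ge $LongDwellDays -or $d.Host -in $HighValue)
        }
    }
}

$report = Get-MalwareDwellReport -Detections $avDetections -Executions $firstExecutions -HighValue $highValueHosts
$report | Format-Table Host, Threat, User, DwellHours, Bucket, Alert -AutoSize

# Trend: keep the period average; a rising value over months is itself an alert condition.
$avg = ($report | Where-Object { $null -ne $_.DwellHours } | Measure-Object -Property DwellHours -Average).Average
'Average dwell this period: {0:N1} h' -f $avg

# Victim workflow: one notification per matched detection, carrying the exposure window
# and the questions the deck asks (which applications and personal logons were used).
foreach ($r in $report | Where-Object { $_.User -ne 'unknown' }) {
    # Send-MailMessage / a ticketing API call would go here; the body is what matters.
    'To {0}: {1} ran on {2} from {3:g} until removal at {4:g} ({5} h). Change the passwords you used in that window and list the applications and personal accounts you signed in to.' -f
        $r.User, $r.Threat, $r.Host, $r.FirstSeen, $r.Removed, $r.DwellHours
}
```

With the sample data the accounting workstation lands in the "medium" bucket (about two days), the web server shows a fifteen-day dwell and alerts both for length and for being high value, the HR machine was removed within minutes, and the developer box has no first-execution record at all, which is the case to investigate rather than hide: it means the file ran before the baseline was in place or the 8003 events from that host never reached the database.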

Demo - AppLocker and Live Malware Detection

Resources
• Ransomware Hostage Rescue Manual: Get the most complete Ransomware Manual packed with actionable info that you need to have to prevent infections, and what to do when you are hit with ransomware.
• CEO Fraud Prevention Manual: CEO fraud is responsible for over $3 billion in losses. Don’t be next. The CEO Fraud Prevention Manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim.
• 12+ Ways to Hack Two-Factor Authentication: All multi-factor authentication (MFA) mechanisms can be compromised, and in some cases, it's as simple as sending a traditional phishing email. Want to know how to defend against MFA hacks? This whitepaper covers over a dozen different ways to hack various types of MFA and how to defend against those attacks.
» Learn More at www.KnowBe4.com/Resources «

Questions?
Roger A. Grimes – Data-Driven Defense Evangelist, KnowBe4
[email protected]
Twitter: @rogeragrimes
https://www.linkedin.com/in/rogeragrimes/
Tel: 855-KNOWBE4 (566-9234) | www.KnowBe4.com | [email protected]