Chapter 5. Protecting the Workforce

The majority of ransomware methods require some form of end-user interaction. Whether it is by the user going to a malicious website, clicking a link in a phishing email, or even opening a compromised document, this is primarily how hackers get in.

Therefore, we not only need to protect the data on our networks, but we must also focus on protecting our workforce—i.e., protecting your end users from themselves. You accomplish this using three main methods:

  1. Knowing the targets and their associated risks
  2. Learning how to prevent compromises through technology and vigilant operational processes
  3. Teaching and regularly testing your targets to ensure the lessons stick

These methods rely on you understanding not only the overall environment you are protecting, but also the people involved and your company’s business objectives. This not only helps you become a better defender of your workforce, but also aligns you more effectively with organizational goals. Ultimately that helps you not only do your job better, but prepares you for a more advanced position within your organization.

Knowing the Risks and Targets

Protecting against ransomware effectively requires that security teams start thinking differently. We can no longer think of our infrastructure and servers as the items to be exploited. We must realize that every employee of an organization that uses a computer, network device, tablet, or phone is a potential target, which is to say, all network users are targets. This also means anyone who uses your guest networks, your open WiFi, or connects to your applications through your portals or via the cloud is a potential target for this attack and may have some form of impact on your environment.

First, let’s consider the information itself; you need to spend some time getting to know not only your information, but what it means to the organization. This informs how you should classify said information. The risks to your various types of information may include but are not limited to:

  • Loss of employee or personnel records
    • salary data
    • payroll records
    • personal information
  • Loss of customer information
    • customer lists
    • buying habits
    • personal records
  • Loss of intellectual property
  • Loss of operational instruction sets for SCADA or ICS devices, which prevents your factories from making widgets
  • Loss of transaction information (e.g., encrypted cash registers cannot be used to sell widgets)
  • Loss of private medical records, which could result in delays to treatment, and possibly deaths

There are ways to look at your information architecture that will help you better understand the information risks you have. This will also help you recognize which information these types of ransomware target. And while information classification is a huge task, it will help you undertake the complex tasks associated with knowing the most important systems and the locations of your most critical information.

Tools like Veritas Data Insight and Spirion help you identify data on all systems and in a number of cloud services. This will help you better know what information exists on your network, in your clouds, in end-user Box accounts, and the like.

This means that you not only need to know where the information exists within your environment, but also the overall value of each piece of information; otherwise you may spend $10,000 protecting a $5 piece of data.

Next, let’s discuss the risks to systems. Computer networks today are no longer just used for sending and receiving email and accessing databases. Today’s networks have a number of systems on them that perform a variety of tasks. This includes healthcare systems that monitor patients, industrial control systems that control robotics, and large-scale manufacturing systems. All of these systems are also at risk. One example of how malware affected a nontraditional IT system is Stuxnet and its infection of industrial control systems.

The best way to know the systemic risk is to complete an inventory of the systems you have, which is accomplished by using a systems management tool (see Figure 5-1 as an example). These types of tools allow you to take inventory of the devices that are connected to your networks and help you map how these devices exist—are they statically connected to the network, or do they float between networks like laptops and mobile devices?

Figure 5-1. A view of the CMDB tool by ServiceNow™

Lastly, when considering risks, you also need to think about the ingress and egress points to your network. This is often the first and easiest step to take because we all come from a background of controlling the flow of information into and out of our networks. By knowing how information flows into and out of our network, we know what control points we should be looking at when we are considering where we should begin looking for indicators of attack and compromise.

After getting these items together in a somewhat complete manner, you will better understand the risks to your information and how any number of systems compromised by ransomware could affect your organization.

After you have identified the risks, the next step is to identify the targets, which are almost always humans. While some types of ransomware do not target humans, like SamSam, the vast majority do.1 For those that do not target humans and instead target systems, vulnerability scans and patching programs will help you keep up to date on the technologies that can be exploited by remote ransomware that requires no human interaction. This is a simple proposition that will make it more effective for you to maintain control of those systems that are exposed to the Internet.

So how do you protect end users? Blaming our users is not a solution, because those users are part of our organization: they make the products or deliver the services that are the lifeblood of our organization. Security is not their area of expertise; that’s why they hire people like us.

We need to know our human targets and what they have a propensity to do while on our networks. User-behavior monitoring helps us better understand the types of activities our end users regularly perform. Anomalies in this behavior will allow us to better understand when something isn’t right, like a user scanning shared drives for *.doc in the middle of a work day, or sending out encrypted packets to URLs that have no logical naming system. We should be able to recognize these aberrations in behavior and use this information to identify when someone has been compromised. Some great tools for user-behavior monitoring exist, including tools like CyberArk’s Privileged Session Manager, HPE’s Real User Monitoring, and Balabit’s Blindspotter. These tools help us track what our users do, and when they do it. They look at things like typing speed, login location and times, and data they access. This helps ensure that they are indeed the user they claim to be.

Many of these tools use language more within the realm of human resources than that of technologists and can include things such as:

  • Psychometric standards
  • Process monitoring standards
  • Data-based individualization standards

Because of the potentially sensitive nature of tracking user behavior, it is always best to work with your HR and compliance departments to make certain you are not violating any privacy laws or confidentiality agreements prior to testing these.

Learning How to Prevent Compromises

It has been said many times (even here) that any attacker with enough time and resources can compromise any network. And this is indeed the truth. If the information you are housing, or services you are providing, or product you are making has enough intellectual property risk, or is enough of a global security risk, someone will compromise your system. Locks on doors are meant to make it difficult for simple criminals to enter, and that’s what we intend to discuss here: how do we prevent the simple compromise, the basic ransomware attack?

Given that we are primarily talking about human interactions as the main methodology for intrusion and compromise by ransomware, the vectors discussed in Chapter 4 are really the main means of entry by the malware itself: email or web browser.

First, we discuss how to prevent attackers from using email to deliver ransomware.

Email Attachment Scanning

The first question is how do you check inbound email attachments to determine if they are part of a larger attack? Using tools that scan all inbound attachments is good for finding basic malware and spam, but standard signature scanning at the SMTP gateway isn’t enough. It has been shown that 91% of all cybercrimes begin with a single email.2 There are ways to use modern systems that will not only scan inbound attachments, but also detonate and execute them in a myriad of environments to determine if they are potentially malicious. This will help significantly filter out many of the basic and low-level attacks against your users. You must also create a culture of security. This is done by changing the way our users think about their inbound email.

After the snail mail anthrax and letter bomb scares of the early 2000s, a lot of people changed the way they interacted with their real mail, being more careful about what they opened, how they opened it, and even whether they opened it at all. It is this same level of scrutiny (though not fear) we need with email.

One of the first questions we should always ask when we get an email with an attachment is, did I ask for this? Additional questions to be asked before opening any attachment: Am I expecting this email? Was there supposed to be an attachment? Does the attachment type match up to what I am expecting? For example, why would I be getting a spreadsheet as a PDF? Why would the accounting team be sending me a file in an older version of Excel? Is there a good reason for links and macros in the file to be enabled? By getting users to think about every file they receive that has somehow made it past the technological controls we put in place, we are effectively empowering them to be part of the solution, not part of the problem. We will cover how to keep minds active when clicking links later in the chapter.

But this only goes so far, because dedicated savvy attackers are now leveraging their positions in networks to anticipate what attachments and emails are expected, and crafting their intrusions to align with those expectations.3

So we want to make sure our end users are not only cautious about opening any attachments they may find, but also about following any links contained in those emails as well.

Tracking Down the Websites

Users should also question the names in the links in the emails they receive. For example, the code below shows the simple manner in which a URL link sent via email could be anchored to any text.

<a href="http://www.Istoleyourcreditinfo.badguy">Submit your expenses here</a>

The link in a simply crafted email with headers that appear to be from your finance department could catch around 5% of your end users. This is a good example of how to educate end users as well as a good place to begin to implement technological controls.

Systems like the FireEye EX, Symantec Mail Gateway, and others will be able to recognize email link mismatches and find indicators of attack in those inbound emails. This is a great way to prevent the attacker from ever even making it to your end users. However, no technology is perfect, and eventually some of these more impeccably crafted pieces of targeted attacks will make it through.
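The link-mismatch check described above, as an added example that is not part of the book or of any of the products it names: it parses the anchors in an HTML email body, flags any anchor whose visible text names a different domain than its href, and flags links that leave an assumed allowlist of corporate domains. The sample email body, the example.com domains and the two-label domain heuristic are constructed assumptions.

```python
"""Flag deceptive or off-domain links in an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anything that looks like a hostname inside the visible link text.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

# Constructed sample: the book's bogus anchor plus two others for contrast.
SAMPLE_EMAIL = """\
<p>Finance reminder: expense reports are due Friday.</p>
<p><a href="http://www.Istoleyourcreditinfo.badguy">Submit your expenses here</a></p>
<p>Or log in directly at
<a href="http://payroll.example-login.net/x">https://payroll.example.com/login</a></p>
<p>Questions? See the <a href="https://intranet.example.com/help">help page</a>.</p>
"""
# Assumed allowlist of the organization's own registered domains.
CORPORATE_DOMAINS = {"example.com"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    """Crude eTLD+1: the last two labels (no public-suffix list, by design)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def review_links(html, corporate_domains):
    """Return [(kind, visible_text, href)] where kind is 'mismatch' (text names
    a domain other than the real target) or 'external' (target outside the
    corporate allowlist). Links without a host (mailto:, relative) are skipped."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target_host = urlsplit(href).hostname or ""
        if not target_host:
            continue
        target_dom = _registered_domain(target_host)
        shown = [h for h in HOST_RE.findall(text)
                 if _registered_domain(h) != target_dom]
        if shown:
            findings.append(("mismatch", text, href))
        elif target_dom not in corporate_domains:
            findings.append(("external", text, href))
    return findings


if __name__ == "__main__":
    for kind, text, href in review_links(SAMPLE_EMAIL, CORPORATE_DOMAINS):
        print(f"{kind:9s} {text!r} -> {href}")
```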

This is where browser protection comes into play.

DGAs

Let’s talk about domain generation algorithms (DGAs) for a moment. These are used by malware to create pseudorandom domains that are either unregistered or registered in bulk. If the domains are unregistered, there is a pretty good chance that you have already suffered DNS cache poisoning and need to take a look at how to secure your DNS servers.4 DNS cache poisoning is an attack where corrupt domain name system data is introduced into a DNS resolver’s cache, causing the name server to return an incorrect IP address, which results in diverting traffic to the attacker’s computer.

The appeal of conducting criminal activity with DGA infrastructures is pretty basic:

  • Static reputation-based blacklisting mechanisms are impossible to update at the speed at which DGAs can be generated.
  • Criminal organizations can create nimble command-and-control infrastructures that can be brought up and down as needed.
  • Traditional edge-based network filtering will often fail to find these outbound connections.
  • Domain name registration can be done as the ransomware is released or executed to provide just-in-time (JIT) connections, limiting the feasibility of reactive countermeasures.
  • Ransomware actors can propagate a large presence without ever exposing their command-and-control infrastructure because it is constantly on the move.

The biggest thing to note is that most DGAs are not like the sample referenced above, a string of words that could potentially make sense to someone. Instead, most DGAs use random characters to create meaningless, garbled domain names that in all likelihood haven’t been registered. This means one thing you can look for in your outbound traffic and DNS lookup services is attempts to resolve meaningless domains. Another thing to look for is an increase in lookups for nonexistent domains, because the DGA in the ransomware will cycle through the domains it generates and usually will not succeed on the first one. You can use these characteristics to your advantage.

When events are identified by your proxies, DNS servers, and the like, the correlation of outbound communications from internal systems is key to this detection. Are particular users or systems continuously attempting DNS lookups that fail? Do you see a significant number of requests at the proxy from systems for gibberish domain names? These are signs that a system may have been infected and is attempting to establish connections with DGA command-and-control channels. Blocking those communications and isolating those machines and users is imperative. Additionally, the use of DNS security products and services, like OpenDNS or Infoblox, would help by checking the reputation of the domains used in outbound communications. You can also integrate DNS sinkholing, or routing all malicious and nonexistent domain lookups to an internal server that shows an IT security webpage, for example.
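The two DGA signals just described, correlated per internal client, as an added example that is not from the book: it scores each query name for "gibberish" (high character entropy, few vowels, digits mixed into letters) and counts NXDOMAIN answers per client, then flags clients that show both. The log format ("time client qname rcode"), the sample lines and the thresholds are constructed assumptions; real resolver logs need their own parser.

```python
"""Flag internal clients whose DNS traffic looks DGA-driven (added example)."""
import math
import re
from collections import defaultdict

# Constructed sample in an assumed "time client qname rcode" format.
SAMPLE_LOG = """\
10:01:02 10.0.0.5 www.example.com NOERROR
10:01:03 10.0.0.5 mail.example.com NOERROR
10:01:10 10.0.0.9 kq3zx9vmrtp.com NXDOMAIN
10:01:10 10.0.0.9 a8f2wq7dlz.net NXDOMAIN
10:01:11 10.0.0.9 tq92dnx7hv.info NXDOMAIN
10:01:11 10.0.0.9 zp7wcrx3mk.com NXDOMAIN
10:01:12 10.0.0.9 gv4hq8ztxy.org NOERROR
10:01:20 10.0.0.7 wiki.example.com NOERROR
10:01:21 10.0.0.7 typo.exmaple.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character of the string (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname):
    """Heuristic: a second-level label with high entropy that also has almost
    no vowels or mixes digits into letters reads as a DGA label, not a word.
    Assumed thresholds; tune them against your own traffic."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    if len(sld) < 7:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in sld) / len(sld)
    has_digits = any(ch.isdigit() for ch in sld)
    return shannon_entropy(sld) >= 3.0 and (vowel_ratio < 0.2 or has_digits)


def analyse(log_text, nx_threshold=3, dga_threshold=3):
    """Per-client counts of NXDOMAIN answers and generated-looking names.
    A client is flagged only when both signals cross their thresholds, which
    is what distinguishes an infected host from a user typing a domain wrong."""
    stats = defaultdict(lambda: {"nxdomain": 0, "generated": 0, "names": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        _, client, qname, rcode = m.groups()
        st = stats[client]
        if rcode == "NXDOMAIN":
            st["nxdomain"] += 1
        if looks_generated(qname):
            st["generated"] += 1
            st["names"].append(qname)
    for st in stats.values():
        st["flagged"] = (st["nxdomain"] >= nx_threshold
                         and st["generated"] >= dga_threshold)
    return dict(stats)


def flagged_clients(log_text):
    """Sorted list of clients that should be isolated and investigated."""
    return sorted(c for c, st in analyse(log_text).items() if st["flagged"])


if __name__ == "__main__":
    for client, st in analyse(SAMPLE_LOG).items():
        print(client, st["nxdomain"], st["generated"], st["flagged"])
```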

This is only one step you should take. By checking the registration data on the DGA domains, you can find more detail about who is behind what has happened to your users, how to prevent additional outbound communications, and identify the type of infection, as well as how to remove, reduce, and prevent the spread of the infection. Using basic information association techniques will allow you to identify things like registration email addresses, physical addresses, or names, and from those find out what other domains the actors hold. These indicators of compromise can now be searched through open source intelligence (OSINT) sources to determine who the campaign is being run by, who the actors are, and what tools they typically use as part of their criminal schemes. This allows you to move from a reactive posture to a preventative posture by simply knowing what other types of attacks could be coming and where they would be coming from.

Another method of compromise uses malvertisements in legitimate websites, as discussed in Chapter 4. Protection against these threats includes leveraging everything from ad blockers on your corporate browsers to using browsers that disable execution of JavaScript, or inspect JavaScript in sandboxes prior to execution client-side. In fact, some of the more effective proxy systems today can actually prevent malvertisements from ever making it to the end-user devices.

Proxy Systems

Proxies are servers that act as intermediaries for requests from client devices seeking resources from other servers.

Because virtual systems are so commonly used to detonate malware, most malware and ransomware variants are system aware: they look for the telltale signs that a device is indeed bare metal or used by a human. Some samples of this code were shown earlier in Chapter 4. This means that, in addition to detonating malware in virtual sandboxes as it comes in via email, you should either use a technology that detonates malware on bare-metal systems or build a segregated network of real machines: strip all attachments from inbound email, execute them on live systems in that segregated, protected network, and release them only once they are known to be safe. The problem with the second method is that most companies have neither the scale nor the speed to execute a piece of code, determine its intent, and then place the file into a folder accessible by end users in a reasonable amount of time.

Links in the body of emails, and also links contained in the attachments themselves, must be checked. Checking all links in inbound email, again using either a technology designed for that purpose or a secured network built to follow these links, is really the only way to know what is on the other end of them. You should also inspect all outbound network connections and requests, either by using a proxy server or by monitoring your DNS server for suspicious requests, and halt those outbound HTTP queries.

Testing and Teaching Users

We must not only create technology blocks to prevent the ransomware from infiltrating our networks, we must also empower and enable our users to be more effective at recognizing those scams when they appear in their email, on their desktops, and in their webpages.

Security Awareness Training

Security awareness training is the first step to engaging your end users and ensuring that they are not only capable of detecting incoming ransomware, but understand how to work more securely in the world in general.

Typically this is an annual exercise run through your HR department, with some oversight by the IT security team. We instead posit that this is your best chance to not only partner with a part of the business you seldom work with outside of investigations, but also show value to your organization in an engaging way that has a solid, long-term impact and raises your overall visibility in the organization.

Short courses or videos on topics such as phishing and disabling macros are good ways to teach end users about potential threats with shorter, more topical subjects that don’t require half their day or clicking through a bunch of slides. 

Many organizations take advantage of Cyber Security Month as the impetus for these exercises and then provide continuous training through the year.

Another easy way to raise awareness across the organization is to have an annual Capture the Flag (CTF) event. A CTF is played by having teams or individuals attempt to exploit or hack a variety of computers on a simulated network and attempt to capture specific pieces of data, or “flags.” Creating a lot of buzz around a public event in which all members of your user base (security, IT, admin, sales, etc.) participate in a CTF can help increase understanding of the threats that exist, as well as create engagement between security and other departments. This could range from a two-hour presentation in the company cafeteria to a weekend-long event with multiple levels and a live scoreboard showing every team’s progress toward the goal of complete internal compromise. It’s also easy to get people interested in participating by having a prize for the winning team.

There are a number of different services that facilitate this type of exercise, including SANS, Symantec, and Booz Allen Hamilton. This exercise is a great way to teach people that attackers aren’t some kind of magicians who make things break randomly, but instead are real people with skills and tools.

Ongoing training throughout the year, including short videos with quizzes along with other policy-based reminders of acceptable use and what not to do, can be delivered using the same learning management systems you use for new product or sales training. This not only gives you a chance to provide continuous training, but also to partner more closely with HR, the team that typically manages the corporate learning management system, to get a feel for who has been trained and who has not. You can then limit network access or remote work capabilities for those who have not yet completed specific training modules.

In the end, security awareness and training must be more than just digitally signing a policy and watching a slide show every year. Short, engaging training and video presentations on topics such as how to recognize a phishing email can provide continuous training to your end users in a way that doesn’t impede their ability to work, but does provide a constant reminder that the adversaries are out there, and that they need to maintain a state of vigilance when dealing with anything they receive, whether via email, SMS, or voice call.

Phishing Users

Another training exercise some organizations use is the phishing exercise, which tests the impact of end-user training.

There are two major types of phishing used to test your end users: technological exercises, which can be deployed by you (or a third party); and social-engineering-based exercises that use human interaction to encourage users to perform tasks that could put them at risk.

Social-engineering attacks outside of standard phishing campaigns are much more complicated and can take on a variety of forms. These are often longer, more protracted campaigns that include reconnaissance against your end users’ social media accounts, their industrial partnerships, and connections, as well as their various personal charity groups. It is best for all involved that something like this is conducted by a third party who has limited access to the end users’ daily work habits. Additionally, it is also important that you have coverage from both your legal and HR teams prior to engaging in this type of exercise. In most cases, these more in-depth detailed exercises are really targeting key employees, members of the executive leadership team, key stakeholders in large revenue generating projects, or holders of specific company trade secrets.

How Do You Show the Value?

One question that comes up time and time again is how you show the value of your security spend. In the case of user education and testing, you can easily show the return on your investment in education and exercises by trending over time the failure rates of your users to your sponsored phishing campaigns.

This can be done by assigning levels of complexity to the campaigns themselves and running the tests discussed above against a mixed group of end users. Additionally, you can take into account whether there has been an increase in reported phishing attempts by your users, which will show increased user awareness and accountability.

Users’ susceptibility to click phishing links or to download malicious files can be measured over time, and in conjunction with the training exercises you deploy across your organization.

The following methodology describes a simple way to demonstrate value:

  1. Begin with an uninformed phishing assessment against your employees. This acts as your baseline for your team.
  2. Kick off your CTF exercises and the awareness programs company wide.
  3. Begin your educational program, delivering training to end users.
  4. Send another phishing assessment company-wide with the same level of complexity.
  5. Continue the education process for all users.
  6. As the numbers of users who click the links, enter passwords into the forms, or download the attachments goes down, increase the complexity of the phishing emails, making them more targeted, more specific, and less obvious.
  7. By taking routine samples of your organization and end users, you will be able to show a continued decline in the click-through rates. This will show the value of your spend by showing continued decrease in risk of human error over time.

By modifying this simple playbook, you can not only engage your users, but also create a program that effectively trains them to become better at defending your organization’s network and information.

Post Ransomware

What do you do if all your protections and end-user training and assessing have failed? As digital defenders, we must be 100% perfect every time to ensure the sanctity of our networks, information, and systems. However, criminals only need to be right once, which is why we need to know what do we do after a ransomware incident has been detected, investigated, eradicated, and remediated.

Post-incident follow-up is very important. Often organizations will decrypt files and be done, but that’s only part of the process. Ransomware is rarely installed alone on a workstation. It is more likely, as it is with Locky, that there are other information stealers dropped on the box.

Once the files are decrypted, disconnect the infected box from the network. The next step is to conduct a forensic analysis of the infected machine to understand how the box was infected (the SANS Investigative Forensic Toolkit [SIFT] is a well-documented and freely available set of tools to get people started; it is available on the SANS website). If the organization does not have the resources for that type of investigation, then the security team should conduct a thorough scan of the box using a security scanner that will do file inspection to detect things like Microsoft Office documents with embedded malware. Even if reverse engineering the ransomware is out of the question, it is imperative that you understand how the attack took place. When the investigation is complete, back up all the files and wipe the box, including resetting the basic input/output system (BIOS).

After the analysis has been completed, share an overview with the users in the organization. Not everyone wants or needs to know the technical details, but they need to know how the attack worked so that they can avoid making the same mistake. If the original attack came in the form of an embedded macro in a Word document, remind users not to open Microsoft Office documents that originate outside the network. If the attack came in the form of a drive-by that took advantage of a known vulnerability in Google Chrome, make sure updating Google Chrome to the latest version is a priority.

These should not be one-time communications. The security team should be communicating regularly with users of the organization about the latest threats, techniques, and procedures the hacker teams are using to deliver ransomware to victims. Increasing the knowledge and awareness of users on the network helps stop them from engaging in behavior that can result in a successful ransomware attack.

Summary

In this chapter, we covered some of the ways to begin to think about how to protect your end users through education and assessment along with technology. This protection and engagement is not a one-time investment—instead it is a continuous improvement process where new technologies are tested and their efficacy evaluated against existing protections. The educational component should not be overlooked: it is the most important piece of the ransomware protection program.

By educating your end users and creating a culture that encourages good security hygiene and adoption of best practices, you will enable them to be accountable for their actions. This is one of the smallest investments in terms of dollars, but one of the easiest ways to track return on investment.

But it is also important to understand that no amount of user awareness, testing, or education will get your failure rate to zero. You must always have technical controls in place to back up all of the investments you make in training and testing your users. Whether intentional or not, they remain the easiest way for a criminal organization to infiltrate your network; and just like in any defensive posture, having savvy soldiers (i.e., users) is only good when they have effective weapons (i.e., technical controls) supporting them.

1 Fahmida Y. Rashid, “Patch JBoss now to prevent SamSam ransomware attacks,” InfoWorld Tech Watch, April 19, 2016.

2 Kim Zetter, “Hacker Lexicon: What Are Phishing and Spear Phishing?” Wired, April 7, 2015.

3 Trista Kelley and Michael Riley, “Swift Warns of Hack Attack on a Bank After Bangladesh Heist,” Bloomberg Technology, May 13, 2016.

4 Allan Liska and Geoffrey Stowe, DNS Security: Defending the Domain Name System (Syngress, 2016).
