Someone I love is gone. Depression claimed another star from our infosec universe. He was funny, brilliant, so very special. There was so much more to him than most will ever know. I will forever be glad for what we shared. But now there is only grief, loss and pain increasing with each moment as the reality takes hold. Please make it not be true.
Welcome! To recap. We’ll be working through this book together to learn and grow our Blue team skill. Cuz the best offence can be a proactive defence. This book is a fantastic resource, especially for those who are starting out, or need a good overall reference. Based on my real-world experience,I believe it should be a desk reference, and part of any security curriculum. I am going to go on Amazon and say that infact!
Now. Chapter 1: Creating a Security Program. That does not just magically happen. And yet, we really wish it could because everyone needs a good security program in place. If you’ve ever tried to clean your kid’s room, you’ll understand how daunting this can be. Where do you begin? Well, as our insightful authors Amanda and Lee point out, we don’t need to reinvent the wheel. They’re right. They refer to the NIST framework, which I can tell you I get to use on an almost daily basis when doing security audits (let’s not go there, ok?). You want to work from best practices, existing and proven standards that are used to hold organizations accountable, i.e. compliance standards. Good news! Amanda and Lee will take us through all that fun in Chapter 8.
So Point 1: Have the right team in place. You need the right people in the right role to make the right decision. The book recommends establishing 4 main teams: Executive, Risk, Security and Audit. I will tell you from experience that if you don’t have Exec buy-in from the get-go, you will find yourself spinning your wheels. How do you get that? Speak to the suits in their love language – Risk. And you need Audit to bring the flowers & chocolates to their door. And yes – this is from my daily reality. Plus, audit lets you put everything down and organize it, which makes it easier to track things and reorganize things. Because you cannot secure what you don’t know.
Point 2: Set a Baseline. I love talking about threat intel (holding back – self-control) and how to make it relevant. This is how you make it relevant. What’s your normal? That’s your baseline. Because how else will you know something went bump in the night? The attackers are wery wery quiet. And believe me, they are in your network like those darn carpenter ants are in the woodwork. So this will be a fact-gathering mission, and you want to do it well. Plus, set it up with automation and updates. Since asset management is the next chapter, we’ll leave that alone for now.
Point 3: Threat/Risk Assessment. This is challenging, and a learning process for those starting out. The concept of risk and being able to articulate it to the business is way hard, I’ll be honest, and I am very good with words. What we in security think is a threat has to be explained in terms relevant to the organization we serve. That’s the crux right there. It’s not what we think so much as what they understand. And true – unless it negatively impacts the organization’s bottom line or existence, then even if we think it is a risk, it isn’t. So, you need a parlay with the suits to know how the organization is defined in terms of threat and risk. Then, when Patch Tuesday comes, you can look at what is critical and determine if that is critical to your organization and why, as you justify the need to make adjustments to your regular patching cycle (real world). 4-step process: Assess, Mitigate, Monitor, Prioritize.
Point 4: Practice and Prepare. Are you as ready as you think? So, I like to talk about why everyone, everyone needs a good Disaster Recovery/Business Continuity plan in place. And that means one that has been tested, so that people know how it works, and how they work with it. Let your inner kid come out for this because you need to play “What If” to do this right. There are things called Table Top Drills that are so good, especially for addressing ransomware and DDoS scenarios. Or Sharknado. Lol! As stated in the book, “testing of tabletop exercises and drills can serve as a proof of concept”. Amanda and Lee are right on the money by stipulating you need participants from across the org like HR, Legal, Marketing, Finance etc. In fact, they provide such a good explanation you should be able to go do one.
Now, I love that the book has used a great tool, the Intrusion Kill Chain, to explain how to think through an event scenario. I happen to be a HUGE fan of the Cyber Kill Chain (Lockheed Martin), the extended cyber kill chain, and the ATT&CK matrix by MITRE.
Point 5: Learn and Grow. The chapter finishes by encouraging us to expand our knowledge and skills through home labs and projects, CTFs, conferences and mentoring. I have done all of these and YES! It’s not hard to do and so rewarding you’ll want to make time. Because my friends, learning never stops in InfoSec. To paraphrase the wise and wonderful Leslie Carhart aka @hacksforpancakes (on the July 11 Down the Security Rabbithole podcast) “It never stops. This job never stops. And if you want to be good at it, if you really want to be good at it, you can’t stop.”
Because it’s not just what we do, it’s so much about who we are. Til next time!
Time to do some learning. There are things we can be doing better. Things we can be doing right. And with the help of two very good friends, Amanda Berlin and Lee Brotherston, we are going to batten down these hatches and secure the *&$@ out of our fortresses.
As stated in the Foreword, “the red teams get all the glory.” And it’s true. For blue teams it feels lonely and unappreciated, but there is so much truth in this:
“Doing defense is a vital, noble and worthwhile pursuit”
It’s easy to get turned around by hype. We follow the direction the noise is making, and tbh vendors make a lot of noise. What we need to do, and have known for so long, is not to be dazzled by the shiny, blinky boxes. As so well said by Andrew Kalat:
Security Vendors will often define the problem set as the problem they can solve with their technology, not necessarily the problem an organization actually has.
So here’s to taking a more holistic view, as this excellent guide advocates, and understanding how all the pieces need to work for this particular machine. We’ll share Chapter 1 next.
This wasn’t just another ransomware attack. It marks a pivot. Because these are the games nation-states play. With collateral damage and no impunity because attribution is hard. We left brick and mortar behind some time ago, when the battlefield moved to cyberspace, where there are no boundaries. Moreover, whatever previous rules of battle we followed do not apply.
There was a one-two punch, with the events out of the Ukraine Thursday morning. Absolutely things were connected and we need to remember that going forward. Bigger picture. Because a lot is at play right now. From my vantage point, as a Poli Sci grad, cyber security is intrinsically tied to whatever is going on in the larger arena. National security. Global security. The whims of the powers that be dictate their machinations of technology, which has become their new and shiny arsenal. They’ve been at it for a while now, but unlike conventional physical battlefields, we don’t witness what plays out until we’re impacted.
What’s critical to me is that this attack was presented as ransomware to throw us off. As described by The Grugq:
This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of “ransomware.”
This was actually a targeted attack against Ukraine, using malware that was highly destructive. This attack was never about making money. It was all about taking down systems and taking away access to essential services, as per this illustration from the blog post by The Grugq:
Think CIA – confidentiality, integrity, availability. Ransomware and wiperware go after availability. And in our world, downtime can equal death, figuratively as well as literally (think hospitals and critical infrastructure). As Leslie Carhart says:
Blood is in the Water -Not only have criminals found that ransomware is a great money-making scheme, but nation states and terrorist organizations have realized pseudo-ransomware makes a misleading and effective weapon. A weapon that can cause collateral damage, globally.
There have been some excellent reviews of what this attack was about, and how the EternalBlue exploit released via the ShadowBrokers was yet again leveraged against unpatched systems. Key takeaways were:
- Unpatched systems will continue to be our undoing and exploited. We’re more at risk now because of that cache of exploits being lobbed at us monthly via the ShadowBrokers.
- Lateral movement within networks works for attackers and infection spread. Segment. Segregate. Flat networks are an attacker’s dream.
- Multiple infection vectors. There were as many as 4 ways for the target to be compromised.
- Back up, and test how those backups restore. Don’t assume anything. And keep backups off the main network.
- Windows. Everyone uses it. PowerShell. Sysinternals. AD. PsExec. Let’s keep learning about these because the attackers sure as heck know what they can do with them.
We know what we are not doing well. It’s catching up with us. Let me end with these words of wisdom by Leslie:
Defense in depth, including human threat hunting and effective detection and prevention at many points, is key. This will involve policy and financial buy-in from many lagging organizations at a new level.
And this sums it up:
These blog posts say everything I could ever want you to know, only better. Please read them:
The Grugq: Pnyetya: Yet Another Ransomware Outbreak
Leslie Carhart @hacksforpancakes: Why NotPetya Kept Me Awake (And You Should Worry Too)
Cisco Talos Blog: New Ransomware Variant Nyetya Compromises Systems Worldwide
First and foremost: backups. Test them. Make sure the restore is what you need it to be.
Have an Incident Response plan in place specific to cyber and ransomware. Have a DRP that is specific to this. Designate one person, one, to be your crisis spokesperson because not everyone should have the talking stick.
I have taken this directly from the National Cyber Security Centre in Britain, where hospitals suffered a big hit from WannaCry:
For Home and Small Business Users:
1. To update your version of Windows:
- If you are using a currently supported version (Windows 7, Windows 8, Windows 8.1 or Windows 10), run Windows Update and apply any updates.
- If you are using Windows XP, Windows Vista or older versions of Windows, download the WannaCry security update from here and install it.
Note: We strongly recommend that you do not continue to use unsupported operating systems, but instead upgrade to one which receives regular security updates from the vendor.
2. Run antivirus
- Make sure your antivirus product is turned on and up to date. Windows has a built in malware protection tool (Microsoft Defender) which is suitable for this purpose.
- Run a full scan to make sure your computer is currently free of all known malware.
3. Keep a safe backup of your important files
- Regularly create a backup copy of your important files (such as photos, documents, and other files that can’t be replaced). If you have backups of files that you can recover, you can’t be blackmailed.
- Make sure that this copy is kept separate from your computer. If it’s on a USB stick, or a hard drive, or on any type of removable media, do not leave it connected (or anywhere on your network) or it may also be attacked by ransomware.
- You should consider using cloud services to back up your files. Many cloud service providers (for example, email providers) offer an amount of cloud storage space for free.
- To protect against misleading filenames, tell Explorer to show file extensions.
What to do if you get ransomware:
If your small business has been a victim of ransomware and you are worried about the infection spreading to other parts of your network, these steps may help guide your actions:
- Immediately disconnect your computer, laptop or tablet from the network. Turn off your Wi-Fi.
- Safely format or replace your disk drives.
- Whilst you’re still disconnected from your network, directly connect this computer to the Internet.
- Install and update the operating system and all other software.
- Install, update, and run antivirus software.
- Reconnect to your network.
- Monitor network traffic and/or run antivirus scans to identify if any infection remains.
Files encrypted by the WannaCry attack have no way of being decrypted by anyone other than the attacker. Don’t waste your time or money on services that are promising to do it.
The NCA encourages industry and the public not to pay the ransom. If you do:
- There is no guarantee that you will get access to your data.
- Your computer will still be infected unless you complete extensive clean-up activities.
- You will be paying criminal groups.
For Enterprise and Larger Organizations:
Deploy the patch for MS17-010 on Windows systems
If you are running a supported version of Windows and have been applying patches automatically from Windows Update as recommended by the NCSC, then you should already be protected against this malware.
If updates have not been applied automatically, the patch for this specific vulnerability can be found at https://technet.microsoft.com/en-us/library/security/ms17-010.aspx or via Windows Update for currently supported operating systems.
For legacy platforms such as Windows XP, Server 2003 and Windows 8, an out-of-band patch has been made available by Microsoft. This patch cannot be applied via Windows Update, and must be installed specifically in this case. This patch is available from https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks
If it is not possible to apply this patch, disable SMBv1
As SMBv1 is a vector by which the malware spreads, this can be disabled to prevent further infection if specific systems within an organisation become affected. Guidance for Windows systems is available at https://support.microsoft.com/en-us/help/2696547
If the above is not possible, you may be able to block SMBv1 ports on network devices and host-based firewalls on workstations. These ports are:
- UDP: 137 and 138
- TCP: 139 and 445
If this is not possible, isolate the use of legacy technology as much as possible within your organisation
If it is not possible to completely disable SMBv1 or apply the necessary patches, then the devices still vulnerable to MS17-010 should be isolated within your enterprise network to the maximum extent possible. The use of network segregation techniques, other approaches for minimising the chances of compromise, and limiting the subsequent harm, are described in the NCSC’s guidance for obsolete technologies.
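As an added example (not the NCSC’s or the book’s code), here is a PowerShell script that walks the fallback steps above on a single Windows host: check for the MS17-010 update, disable the SMBv1 server protocol if it is still on, and add host-firewall block rules for the four ports listed. The KB number for MS17-010 is a placeholder you must fill in for your OS build, and the firewall rule names are assumed.

```powershell
# Added example: audit and harden SMBv1 exposure on one Windows host.
# Run in an elevated PowerShell session (Windows 8 / Server 2012 or later cmdlets).
# Assumption: the KB identifier for MS17-010 differs per OS build; replace the placeholder.
$MS17010Kb = 'KB_PLACEHOLDER'

# 1. Is the MS17-010 update present? Get-HotFix returns nothing if it is not installed.
$patched = [bool](Get-HotFix -Id $MS17010Kb -ErrorAction SilentlyContinue)
Write-Host "MS17-010 ($MS17010Kb) installed: $patched"

# 2. Report the SMBv1 server status.
$smb = Get-SmbServerConfiguration
Write-Host "SMBv1 server protocol enabled: $($smb.EnableSMB1Protocol)"

# 3. If the host is unpatched and SMBv1 is still on, turn it off (new sessions only;
#    existing SMBv1 sessions are not torn down by this change).
if (-not $patched -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMBv1 server protocol disabled."
}

# Optional: remove the SMB1 optional feature entirely (needs a reboot to complete).
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 4. Host-firewall fallback: block inbound NetBIOS/SMB ports from the guidance.
#    Caveat: on a file server this blocks legitimate SMB clients too; scope the
#    rules (-RemoteAddress) to your segments before deploying broadly.
$rules = @(
    @{ Name = 'Block-NetBIOS-UDP-137-138'; Protocol = 'UDP'; Ports = @(137, 138) },
    @{ Name = 'Block-SMB-TCP-139-445';     Protocol = 'TCP'; Ports = @(139, 445) }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound `
            -Protocol $r.Protocol -LocalPort $r.Ports -Action Block -Profile Any | Out-Null
        Write-Host "Created inbound block rule $($r.Name)"
    } else {
        Write-Host "Rule $($r.Name) already exists."
    }
}
```

Run it first in an audit-only form (comment out the Set- and New- lines) to see where a fleet stands before changing anything.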
Ensure antivirus products are updated
Antivirus vendors are increasingly able to detect and remediate this malware; therefore, ensuring that any on-host and boundary antivirus products in use within your organisation are up to date will likely provide additional protection.
Work done in the security research community has prevented a number of potential compromises. To benefit, ensure that your systems can resolve and connect on TCP port 80 to the following domains:
Unlike most malware infections, you should not block these domains. Note that the malware is not proxy aware so a local DNS record may be required. This does not need to point to the internet, but can resolve to any accessible server which will accept connections on TCP port 80.
As variants of WannaCry emerge, additional domains and alternative command-and-control mechanisms are being observed. Additional information can be found on the Cyber Security Information Sharing Partnership (CiSP) platform.
Stemming from a series of cyber attacks against banks and utilities in Ukraine, ransomware is now spreading to other countries. This appears to be a Petya variant leveraging the EternalBlue exploit. Sound familiar? It’s WannaCry take 2.
Countries so far: Russia, Ukraine, India, France, Spain and UK.
Per Costin Raiu, security researcher with Kaspersky Lab: “We are seeing several thousands of infection attempts at the moment, comparable in size to WannaCry’s first hours.” MalwareHunterTeam told Motherboard “they believed the attack was from the same malware family as the one identified by Raiu.”
More updates to come. Please follow standard ransomware security practices.
Get an IR plan and playbook together if you don’t already have one. And make sure it addresses cyber attacks and incidents specifically. Appoint a crisis spokesperson. Because not everyone should have a turn with the talking stick!
Collaborate and communicate so we can act on this asap, get people on board and systems secured.
Just listening to Kevin Mandia live, speaking about global affairs and international cybersecurity. I am in heaven. This is beyond amazing!
Thank you to our friends at DarkReading who made this opportunity possible for Haydn and me to speak at this conference. ALL the learning!