Ransomware: The Impact is Real

www.nicsa.org | #WebinarWednesdays

October 11, 2017


Presenters:

Ike Barnes, US Secret Service

Brian Fay, Threat Investigation-Hunting, U.S. Bank

Nick Sherwood, VP Cybersecurity, OppenheimerFunds

Moderator:

Ron Plesco, Principal, Cyber Services, KPMG LLP

Panel


Presentation Navigation

• Cyber Threat State of Play

– Ransomware and Cyber Threats

• Risk Governance

– Risks posed to Financial Firms

• Data Integrity

– Balancing security and customer experience


Cyber Threat State of Play


Ransomware Introduction

• Ransomware is malware that infects computers, networks, and services.

• Victim’s computer is infected with malware.

• Malware encrypts victim’s data and/or systems, making them unreadable.

• Actor demands payment to decrypt files or network.

• Variations of ransomware evolve.


History Lesson…This isn’t new!


Stages of Ransomware


Who are the targets?

Ransomware attacks by industry.

Source: Kaspersky 2016 Security Bulletin, https://securelist.com/kaspersky-security-bulletin-2016-story-of-the-year/


The Cyber Threat Landscape 2017-2018

• Types of Attacks: DDOS (Distributed Denial of Service), Viruses, Ransomware, Theft

• Attack Vectors: PoS, Desktops & Laptops, Mobile Devices, Services, Network Applications, Web Sites, Call Center, Employees, 3rd Party Service Providers, Email

• Attack Targets: Bankcard Data, PII Data (Personally Identifiable Information), Consumer Data, Business Records, Trade Secrets

• Business Exposures: Reputational, Customer Sentiment & Trust, Vendors & Employees, Shareholders, Sales, Lawsuits, Regulatory Penalties

• Highest threat areas: Ransomware, Email, 3rd Party Service Providers, Web Sites, Consumer Data / PII Data (Personally Identifiable Information)


New Threat Actors and Who They Target

• Malware Developers: feed other organizations with the tools that are needed

• Hacktivists: Anonymous, LulzSec, TeaMp0isoN

• Nation State: intelligence agencies and cyber warfare operatives

• Organized Crime: Russia, E-Europe, China, Africa, Middle East, North Korea

• Corporate Espionage: industrial espionage, economic espionage, espionage

Targeted sectors: Energy Sector, Food and Agriculture, Government Facilities, Healthcare, Financial, Nuclear Sector, Water Sector, Transportation Sector, Chemical Sector, Commercial Facilities, Communications, Critical Manufacturing, Dams Sector, Defense Sector, Emergency Services


Phishing

• The delivery mechanism for various types of malware and cybercrime attempts.


Risk Governance


What are the risks to financial institutions?

• Critical data loss/destruction

– 15% of companies targeted with ransomware found their data completely unrecoverable.

• Operational impacts

– 85% of ransomware victims were forced offline for over a week. 33% of ransomware-related compromises resulted in inaccessibility for a month or more.

• Regulatory fines

• Reputation loss


What Steps Should We Take?

• How to assess if you are prepared:

1. What is our most valuable data? Do we back that data up? How often? Is this data protected through extra measures?

2. Do we have a solid, documented and tested cyber incident response plan in place?

3. If critical data is encrypted, what workarounds are in place? How would this affect our bottom line? How would this impact our ability to conduct day to day operations?


Identify

• Identify critical data/systems.

• Robust security awareness training.

• Identify attack vectors for DM distribution.

• Identify systems with enterprise wide reach.

• Conduct ongoing information security risk assessments.

• Perform security monitoring, prevention, and risk mitigation.

• Participate in industry information-sharing forums.

• Identify alternative communications channels for incident responders.


Data Integrity


Protecting Your Systems

• Focus on awareness and training.

• Keep patches updated.

• Set anti-virus and anti-malware to automatic update.

• Manage privileged (Administrator) accounts.

• Implement principle of least privilege.

• Disable MS Office macros and use Office Viewer software for e-mail attachments.

• Implement software restriction policies.


Protect

• Types and categories of security controls

– Preventive, Detective, Corrective

• Enhance controls

– Strategic

• Institute a data security program to manage risk

• Segregate and rotate duties

– Technical

• Application-generated data integrity controls

• Automatic updates to anti-virus software

• Monitoring controls

• Backup Solutions

– Offline backups


Detect

• DM detection in the enterprise

– Risk, Signature, and Behavior-based detection

• Principal means of detecting DM

– Drive by Downloads

• Pro-active monitoring

– Phishing

• Technical and policy related techniques coupled with consistent training

– Social Engineering

• Reports to call centers and security staff (physical)

• Regular meetings with security staff to outline behaviors

• Detecting data integrity attacks

– Application-generated data integrity controls
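Behavior-based detection of the encryption stage, as an added example that is not from the presentation: it correlates two signals (bulk high-entropy writes and bulk extension changes by one process) in a sliding time window over a constructed set of file-activity events. Process names, paths and thresholds are made up; the event shape is assumed to come from an EDR or file-audit feed.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from os.path import splitext

@dataclass
class FileEvent:
    ts: float            # seconds since start of capture
    proc: str            # process name (constructed names in the sample below)
    op: str              # "write" or "rename"
    path: str
    new_path: str = ""   # rename destination
    data: bytes = b""    # bytes written

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted output sits near 8.0, English text near 4 to 5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def flag_ransomware_like(events, window=10.0, min_files=20, entropy_floor=7.0):
    """Flag processes that, within `window` seconds, wrote near-random data to at
    least `min_files` distinct files AND renamed as many files to a new extension;
    requiring both keeps backup jobs and archivers (high-entropy writes, no renames) off the list."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[e.proc].append(e)
    flagged = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):  # sliding time window over this process's events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            hi = {e.path for e in win if e.op == "write" and shannon_entropy(e.data) >= entropy_floor}
            ren = {e.path for e in win if e.op == "rename" and splitext(e.path)[1] != splitext(e.new_path)[1]}
            if len(hi) >= min_files and len(ren) >= min_files:
                flagged[proc] = {"high_entropy_writes": len(hi), "ext_changes": len(ren)}  # counts when first crossed
                break
    return flagged

def sample_events():
    """Constructed sample: a benign backup job, then a process bulk-encrypting a share."""
    evs = [FileEvent(i * 0.1, "backup_agent.exe", "write", f"/backup/q{i}.txt",
                     data=b"Quarterly figures reviewed.\n" * 10) for i in range(30)]
    for i in range(25):  # random-looking overwrite of each document, then an extension change
        t, p = 3.0 + i * 0.1, f"/shares/finance/doc{i}.xlsx"
        evs.append(FileEvent(t, "update_helper.exe", "write", p, data=bytes(range(256)) * 4))
        evs.append(FileEvent(t + 0.05, "update_helper.exe", "rename", p, new_path=p + ".locked"))
    return evs
```

The thresholds are deliberately conservative; in production they are tuned per file server against a baseline of normal write and rename rates, and a hit should isolate the host rather than just raise an alert.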


Respond

• Defining a security incident

• Containment

– Isolate systems

– Search for additional compromise

– Validate data integrity downstream

– Collect evidence

– Communicate with affected parties, law enforcement, and regulators

• Intrusion response

– Focus on people and technologies

• Creating a Computer Security Incident Response Team

– CSIRT or equivalent team’s interactive role


Recover

• Operational considerations

– Inventory IT operations

– Well documented plans/guides

• Exercised prior to attack

• Technology considerations

– Wiped data needs to be reinstated from separately maintained backup systems

– Applications and source-code reinstalled from trusted sources

– Bare metal recovery for lengthy compromises

– Replace inoperable OS

• Long-term recovery

– Document all procedures, maintain forensics

– Share threat indicators and context where possible with industry partners

– Incorporate lessons learned immediately


Backups

• Backups are critical; if infected, backups may be the best way to recover critical data.

• Robust backup and restore procedures.

• Secure backups offline/airgap.


What To Do If Infected

• Isolate infected computer.

• The US Government does not advocate paying.

– Paying ransom emboldens the adversary.

– Ransom payment funds illicit activity.

• Contact law enforcement.

Q&A

Questions & Answers Session
