Kill Two Birds With One Stone: Ransomware & Privileged Access Abuse
While security awareness programs, regular updates to anti-malware, application whitelists, and data backups cover your security basics, organizations need to understand that ransomware is just one form of exploit that can easily be replaced by another. According to Forrester, an estimated 80 percent of data breaches are tied to privileged access abuse.
By implementing Identity-Centric Privileged Access Management (PAM) based on Zero Trust principles, organizations can address the number one cause of today’s data breaches — privileged access abuse — while minimizing the impact of a ransomware attack.
Watch this CyberCast on-demand to learn the best practices to minimize your exposure to ransomware while protecting against credential-based cyber-attacks. During this session we discussed:
- Ransomware trends
- Business continuity considerations
- Preventive measures
- Identity-Centric PAM as a multi-purpose solution
Raun Nohavitza, Vice President, Cloud Operations and IT, Centrify
He leads the Infrastructure, Business Applications and Helpdesk teams, and is responsible for corporate Information Security.
Dr. Torsten George, Cybersecurity Evangelist, Centrify
He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 25 years.
Katy Martin (00:01:42):
It's definitely not business as usual these days, at least not for most of us, but bad actors are taking full advantage of these uncertain times by launching a wave of new cyberattacks, leveraging tactics such as phishing, ransomware and credential stuffing. Ransomware attacks alone skyrocketed 148% in the past month. Crazy, according to VMware Carbon Black threat research. At the same time, many organizations are being forced to downsize staff and delay planned IT security projects. So more than ever, it's important to focus on the right defense strategies that ensure the biggest bang for your buck. To provide you with some insight, we want to share some best practices. We're going to try to help prevent, or at least limit, your exposure to a ransomware attack. And we thought it would be best to hear from some battle-tested IT practitioners. So, we've included Raun with us. He's our VP of Cloud Operations here at Centrify. And our cybersecurity evangelist, Dr. Torsten George. Can I go ahead and pass it over to you guys?
Torsten George (00:03:05):
Sure. Thank you so much, Katy. Really excited to be here today. It's obviously a topic that for the last year we heard a lot about, and as you just mentioned, the current situation attracts a lot of threat actors to intensify their efforts. So Raun, as a practitioner, maybe it's helpful to share with our audience what ransomware is and what makes it really different from malware.
Raun Nohavitza (00:03:37):
Sure. So, for the folks who may not be familiar with the different types of malware: ransomware, which we'll specifically be talking about today, is really designed to get in and block a system from access by the normal user until money is paid to the actor. So you've got some bad actor who's coming in with a piece of software that's going to usually encrypt and block access to your files. The problem of course is that it's a huge impact for business, right? If your files get blocked, it could be, you know, losing sensitive data. Some businesses have shut down completely over this.
Torsten George (00:04:19):
Very good. So, what are kind of common ways that ransomware is delivered?
Raun Nohavitza (00:04:26):
It's been around for a while. It's not new. And like a lot of malware, traditionally it's been spread through spam emails and malicious websites that a user might click on, sometimes through malformed ads and things like that. But we're in a war, right? And things have escalated. And so, as defenses have gone up, so have the tools and the processes that these guys are using to try and get this in front of people, and social engineering. So now you see a lot of phishing, a lot of spearphishing, where people are targeting individuals. They already have the access that they want and they're getting an email in to them and getting them to click on a link and launch the software that way.
Torsten George (00:05:16):
Interesting. Yeah. I just experienced a very unique attack a couple of weeks ago where I received an email that referenced one of my usernames, and even one of my passwords that was once compromised in an attack on a bank. So, it appeared, oh, I know who you are, I know your password, so they get my attention. And then they claimed that they had installed malware on my computer system and were able to take over control of the camera and took compromising pictures of me that they would send to all my contacts if I were not willing to pay.
Torsten George (00:06:23):
It started at $1,700 and went up to $2,000, and I ignored it. But they also had a link included in the email saying, if you're not familiar with how to pay with Bitcoin, click here. So quite an interesting approach: a phishing attack combined with the threat of a ransom and malware. So it was quite interesting; they definitely get more and more creative. I mean, can you describe to us the anatomy of a ransomware attack? What are hackers doing? How does this work step by step?
Raun Nohavitza (00:07:05):
Well, sure. Okay. So we've got a slide up here that illustrates this. So, you know, generally this is starting with a phishing email that has a link in it, a malicious link that is going to take the user to a website. And again, they're very good at using social engineering to get people to click that link, just like you were talking about. And people click, and as soon as they click it, it's going to load that malware onto their system. And if there are browser bugs to be exploited, they will be exploited and that software will come down. Sometimes they'll get people to download things completely. Once it's running on the system, like a lot of other malware, this may have a callback to a command and control server.
Raun Nohavitza (00:07:55):
So, it'll start up and it'll go out and talk to a server on the internet. And it'll usually use things like Tor, which is an anonymous networking system, an open source kind of anonymous proxy. And it'll connect through that so that you can't trace it, and it'll go back to its server and get its instructions. And those instructions are going to be: encrypt everything and show the user a screen that says pay now or else you'll never get your files back. Then after that, a lot of times that screen that you see will say, please click here to pay, like you said in your email. But you know, it's Bitcoin or some other untraceable currency they want. And, you know, generally they'll do all that communication between the end user and themselves through this Tor network, through the command and control down to the software that's running.
Torsten George (00:08:58):
Very interesting. So obviously I'm always interested to see whether the audience has the same pain points that we're talking about here. So, a question to the audience: did your organization encounter a ransomware attack in the past? Your choices here are yes, no, and you might not know, because IT might not share that with you if they're successful in detecting and preventing it. But while we're waiting for the answers, Raun, can you share with us how often you have encountered ransomware in your career?
Raun Nohavitza (00:09:38):
Sure. Yeah. I've had a couple of encounters. They were usually within my previous life doing contracting work; a lot of times you get called after these things happen.
Raun Nohavitza (00:09:56):
And some of my colleagues have had some direct experience that I've helped them with remediating. And of course, we've also done a lot of prep work, but I've seen the effect of this on a business and it is really not pretty, especially if your business is not set up with good preventative measures.
Torsten George (00:10:19):
Okay. Very good. Let's take a look at the results here. Wow. Almost 41% have encountered a ransomware attack. Wow. That's a huge number. That's quite significant, but it shows that the pace has picked up, and I mean, almost every week we hear also about new variants of ransomware. Why is that?
Raun Nohavitza (00:10:46):
Oh, well, you know, this stuff's available on the internet, right? All the tooling that you want is out there for hackers, you know, script kiddies, right? They go get their scripts and they run the scripts. It's pretty easy now as a malicious actor for you to go ahead and get your hands on this tooling and modify it and tweak it to your needs. And so, you know, I would say even more than your standard malware, which is already kind of in that same boat, ransomware is very specific, right? It's for this purpose and they have targets in mind, especially when they combine that with spearphishing. They already have very specific targets in mind, and they're going to tailor it to what they want.
Torsten George (00:11:32):
I think it's no longer just the ransomware that's available on the dark web, but there are real, complete operation centers that you can rent. This weekend I want to run a ransomware attack. Oh, let's rent the entire infrastructure for it. Three hours, that's all I need. So, it's kind of crazy. Yeah. Things have gotten really crazy.
Raun Nohavitza (00:12:00):
Yeah. And because they're always changing them, even just manually, signature-based detection of course isn't going to work for something like this. Sometimes heuristics help. But I know that you've done some research on some of these different variants, so maybe you can talk a little bit about the different kinds that you're aware of.
Torsten George (00:12:21):
Sure. I mean, I could talk for hours; there are so many out there, but I think I wanted to reference three that really stand out. One is CryptoLocker, and that burst onto the scene in 2013 and it really opened the age of ransomware on a bigger scale. CryptoLocker spread via attachments to spam messages and really used RSA public key encryption to seal user files and demand cash in return. And this hit its spike in late 2013, early 2014, where it had infected half a million systems worldwide. But at the time it was very primitive, very unsophisticated. And so it was easy to crack. There was a white-hat hacker association called Operation Tovar. These were white-hat hackers that got together and really took down the command and control center and truly took apart that ransomware attack very quickly.
Torsten George (00:13:34):
But again, it really emerged and evolved over time. And so one other example is GandCrab, which came to light in 2018, and you can see there are different ways that ransomware operates. In the case of GandCrab, it really focused on Microsoft Office macros, VBScript and PowerShell to really avoid detection, and it leveraged a ransomware-as-a-service infrastructure. So, it was rented out basically. And it really targeted consumers; the amounts that were asked for ranged between $500 and $600. But it had quite a bit of impact, and with the help of Europol and the Romanian police they were able to take down that operation. And then I think the biggest impact from a ransomware perspective that we have seen happened in mid-2017, when two major and intertwined ransomware attacks spread across the globe.
Torsten George (00:14:50):
A lot of people still talk about it. The first of those two major attacks was called WannaCry. And if you sit in front of a computer and you can't access your data, you want to cry. So a perfect name for that. It was easily the worst ransomware attack that the industry has seen. Within days there were a quarter million systems infected. It spread across hundreds of countries. But the real interesting part about WannaCry was that it really leveraged leaked tools from the NSA, and the leaked tool was EternalBlue. And it took advantage of a vulnerability in Microsoft's SMB protocol. So, it leveraged that to enter into a network environment. And it really had huge impacts. It shut down businesses worldwide. So, it had a major impact and it was followed by what we call NotPetya, but, in reality, that ransomware was Petya.
Torsten George (00:16:04):
But because it was modified and it leveraged again the EternalBlue package, researchers called it NotPetya. And it had less of an impact because people were more prepared for it. But it really showed that, obviously, these ransomware variants emerge almost on a daily basis. And as you said, these scrappy script kiddies, they're out there, they're making modifications. And immediately, if you tried to do core antivirus as your defense strategy, it might not detect it. Correct. It passes by you. So it's important to stay vigilant.
Raun Nohavitza (00:16:47):
Yeah. So, I mean, I remember the last couple there from all the efforts, you know; of course we're headquartered in the Bay Area, so a lot of people were talking about WannaCry when that came out because California was a big target. A lot of companies in California were hit pretty hard. And so there was a lot of discussion around good preventative measures and how to protect yourself against those things. But it did have an impact on some folks. And we were talking about some of that.
Torsten George (00:17:18):
Yeah, I mean, it was interesting times, quite frankly. I was very close to it because the company I worked with at the time, we had warned about the vulnerabilities in the Microsoft SMB protocol and we had seen early indications about WannaCry. So, three months before it really hit, we had media coverage. One of our red team members talked about the risk and the tremendous impact that it would have on businesses. And it was ignored. And then when the crisis hit, I mean, I was on the phone 20 hours a day. Correct. Trying to provide input, trying to provide guidance. On Metasploit we had an exploit kit that we published to help people deal with this quicker. And we even got into a situation where hackers then leveraged that exploit kit, modified it to start their own attacks. So you have to be extremely careful what you're doing there. But it was really a nightmare. Yeah. And a lot of companies, we had clients that we saw in Europe, they had to shut down their entire operations for a couple of weeks. And there are other examples out there that really point to the major impact that can have.
Torsten George (00:18:46):
There were a couple of things that we wanted to talk about here. Did you want to get into some of the impacts on some of the companies that we might be familiar with? Yeah, I mean, I can give you a few examples that have made a lot of headlines, especially in 2019 when we saw an uptick in ransomware. One of the first that got hit was The Weather Channel here in the US; it really knocked off their live show that they had planned for early in the morning, and they had to pull out some recorded session about Canadian reality shows to replace that live program. But it really showed that The Weather Channel was quite prepared because they were very quick in serving up different content and not relying on the live show.
Torsten George (00:19:43):
And then they were back up with the live program within hours. So, they were extremely well prepared. They had a backup system in place, so you have to give them credit. Obviously, the city of Baltimore was not as lucky. They got hit on May 7th, which shut down their entire government computer systems. And really the variant that was used there was called RobbinHood. It really encrypted all the data drives, and for each affected computer the attacker asked for 13 Bitcoin, which at the time was about $75,000 per machine, and the city did not pay. They tried to recover, but the recovery efforts really took months. And if you talk about a city where you go to the DMV to get your license, to make an appointment, all of these things that we typically take for granted, now we see in the current situation that we can't take that for granted; the city of Baltimore and the citizens really experienced a major impact.
Torsten George (00:21:03):
So the cost itself was estimated to be $10 million, but then the lost income for the city alone made up another $88 million. So a total of $18 million in impact from a ransomware attack. And then last but not least, another example for anybody in the audience from overseas. There was ASCO, which is one of the largest suppliers of airplane parts. They suffered a ransomware attack and it really shut down all of their manufacturing plants across three different countries. They had to send all their workers, 1,400 workers, home for two weeks to recover from that, and obviously it had a major impact on the entire supply chain. So, it didn't just impact them, it impacted all of their customers. And so as we face currently these unprecedented times and people work from home, we really have seen that the wave has even increased, that there are far more attacks. Katy mentioned it during the introduction: a 148% increase in ransomware in the month of March alone. So that shows you how impactful that is. It's really stunning.
Raun Nohavitza (00:22:29):
Yeah. And we're seeing a lot of changes recently in the ways that these things are happening. I mean, ransomware has a long history, but we are seeing some changes, and maybe you can talk a little bit about the differences in the way these things are being carried out now.
Torsten George (00:22:48):
So, first of all, quite frankly, we talk about, oh, increase and increase, until 2019. And the reality is the number of ransomware hits had dropped significantly from 48% in 2017 to just 4% in 2018, and only in 2019 it picked up, and it probably was driven by some cities giving in to the ransom request and paying for it, and then triggering a whole domino effect of copycats. But what really changed is, when we talked about WannaCry earlier, that was targeted at mass spread and it was very much a shotgun approach, trying to hit as many people as possible. What really changed over the last 18 months is, instead of mass attacks, threat actors now target specifically high-value IP organizations where they can ask for more ransom, because it has a higher impact. So in reality, we see an uptick in the amount and the average amount of ransom, but it's very targeted attacks that can result in far greater damage than what we have seen in the past. So that's really the trend that we see. But I mean, we have you on the line today, which is great. So let's get a little bit more practical, because you do that day in and day out. What should you do if you're falling victim to a ransomware attack: pay or not pay?
Raun Nohavitza (00:24:35):
Oh boy. That's a good question. You know, the reality is it's going to come down to some business decisions. One thing we'll talk a little bit about is working with your local authorities, and I think we have some points on that for our folks, but if you're in the US and you talk to the FBI, you know, they're going to have some very specific advice for you. And one of those pieces of advice is going to be: you don't pay. And of course, there's a lot of reasons for them to tell you that. And so there are good reasons, right? You know, paying a ransom is a trust issue. Do you know that your data's really going to be recovered?
Raun Nohavitza (00:25:18):
Are you ready to promote this style of criminal business model, right? Ultimately, it's going to be a cost/benefit analysis. It's more and more a cost/benefit analysis, right? If you were prepared for this sort of thing and recovery is an option for you and it's not as costly, then that's going to be a more attractive choice. If you were not prepared and your business is going to be effectively shut down, then certainly the payment starts to become an attractive choice. But regardless, I personally recommend that you work with the appropriate authorities. I think that's something that should be in your plan.
Torsten George (00:26:14):
Okay. Very good. Well, let's see what our audience thinks; here is the second poll question. Would you give in to the ransomware demand? So, with the threat actor that you're dealing with, is that a clear yes, or a maybe if insurance covers the costs, or absolutely not, you're standing steadfast against that? What do you think? I mean, for me it's again a tricky question. Obviously, business can be impacted; on the other hand, we always have to keep in mind that if you give in, first of all, there's no guarantee that you get the encryption keys that really unlock everything. But more importantly, we saw that in mid-2019, where three cities in Florida decided, without even thinking about it, they gave in within days and paid the ransom. It immediately triggered a new wave.
Torsten George (00:27:14):
There are copycats. I mean, especially in today's uncertain times where people have lost a lot of money, they're looking for ways to make up for that loss. So, if I hear, hey, it's so easy and I find all these tools on the dark web, let me try it out. What's the biggest risk for me here? So it's really tough to make a call here, but 70% of people would not give in. That's the American spirit. That's great. I love it. Love it. That's good. So you're following exactly the advice of the FBI there.
Raun Nohavitza (00:27:57):
So, business-minded people as well, though. Maybe insurance will cover me.
Torsten George (00:28:03):
And the insurance industry has picked up on that. I mean, they're making some money there. So, given the uptick in ransomware attacks, Raun, what basic steps should our audience consider to minimize the risk of being victimized? And I mean, there are two things, correct? There are two dimensions. One is business continuity and then prevention. But let's first talk about business continuity. What can be done there? What is the thing that people can think about?
Raun Nohavitza (00:28:40):
Sure. So, you know, I'd say the good news here when dealing with ransomware is that a lot of the preventative measures are just general best practices, with a couple of considerations and tweaks. So, the first thing to think about is the maturity of your disaster recovery practice. Right? Is your data backed up? Are you doing secure backups? Are they air-gapped, or are they secured in a way such that an actor or a process couldn't get at them? Because we do see instances of ransomware that will go after your backups. Right? And that has happened. Do you simulate a recovery, do you go through practice recovery? I can't tell you how many customers I helped in my consulting days that were like, yeah, we take backups. Can you restore for us? And it turned out they were never working right. So, nothing on the backups. So you've got to go through the right process.
Torsten George (00:29:47):
I think especially the point about secure backups is very important. I mean, I was recently at a summit, when you were still allowed to travel, and we asked people and they said, oh yeah, we now have an online service that backs up all of our data. Is that network attached? Oh yeah, we do that physically in real time. And do you know that then it doesn't really help you? They: what? And so that's why you still see this truck showing up in front of a lot of more sophisticated, mature companies, and they still take backup tapes and put them into a safe. Correct. That's why you still have that business going. But I mean, these were the business continuity considerations. Obviously, you want to be prepared, and there will never be a hundred percent protection, but what are preventative measures that people can take if they wanted to have a chance to prevail here?
Raun Nohavitza (00:30:50):
Sure. So, we have a list here. This is basically the same thing that the US interagency technical guidelines would tell you. This is a place where I would maybe add a little bit, because sometimes government guidance will lag a little bit in terms of industry. So, it's good to see this stuff. I think these are the basics you should be doing, but maybe there are a few extra layers to put in. Security awareness, I think, is key. As we talked about earlier, social attacks are huge right now. And because they work, right? People do spearphishing because it works. People click the links. And so getting your employees aware of that and telling them what to look for.
Raun Nohavitza (00:31:40):
Maybe even using training tools, that sort of thing. Implementing a program where they're aware is very important. Regular patching is very important. A regular change management process, and make sure your applications and your operating systems are fully patched on a regular basis. Antivirus and anti-malware are important. Those are the basics. As we mentioned before, this stuff is not going to be picked up by something that's looking for signatures. So, I would always layer in; you've got to have the basics, you've got to have anti-malware, you've got to have antivirus, but I would layer in something with heuristics as well. Next-gen antivirus tooling is, I think, a must-have these days. Application whitelisting is very important. I highly recommend that approach.
Raun Nohavitza (00:32:31):
Don't just allow everything outbound anymore. You've got to really lock it down. Spam filtering and mail management are important. I would add that you should have good hygiene on your mail config to protect yourself, but also your customers and your partners. Make sure your SPF records and DKIM are set up, and DMARC is set up, so that you're able to assure that not only are you protecting your own name, but for your customers and partners receiving mail, they know with certainty that it's from you. And that protects your name and it protects your customers and partners. And then, of course, there's least privilege and access control. You want to make sure that people only have access to the things they need. We talked about the fact that all of these processes need an identity to get started. It doesn't matter if it's a virus or malware or ransomware or whatever. It needs an identity to run as. It's running as a thing or a user, and whatever that entity has access to, that malicious software now has access to. So it's really important to limit exposure and limit risk: you limit access. And I think we can talk a little bit about that.
Torsten George (00:33:57):
Hmm. Very good. And just a comment on security awareness. I know every company nowadays does that for compliance reasons, to check that control box. But I think, for instance, what we do at Centrify is the same as at my wife's company. It's not just security awareness but simulation, because people might read a document but they don't apply it unless they get exposed to it. Correct. So, having a simulation that really opens the eyes of an employee so that they really take this seriously is very important. At my wife's company, that's quite brutal. The first time they get a red screen saying you have been hacked, read your manual again. The second time they have to meet with their supervisor, the third time they have a meeting with the CEO, which is quite embarrassing. There's no fourth time, meaning the fourth time they are out of the door. So, it's quite stringent how they do it. But that's the only way people start paying attention to it. But, Raun, I look at these six buckets here, and obviously in today's times CIOs are asked to cut down, to spend less, to achieve more. Out of these preventive considerations, is there one measure that can be used on a more universal level where I get a big bang for my buck and return? Is there anything that stands out here?
Raun Nohavitza (00:35:35):
Well, you know, good access control, least privilege, I think is going to give you your biggest bang for your buck. There are a lot of exploits these days that are taking advantage of passwords and the credentials that are leaked on the dark web and other places. Compromised credentials is the number one thing, right? I mean, I think Forrester was saying it was like 80% of security breaches now are from compromised credentials, and we saw that with a number of things over the last couple of years that have been big in the news. But it's true, it's all out there. Every time there's a breach, there are tons of passwords floating around, and so people use that.
Raun Nohavitza (00:36:23):
So, for me, I think that focusing on access control is the way to kill two birds, so to speak. To me, it really is a couple of things. You've got to have least privilege, so that any given identity can only get access to the bare minimum that it needs to do the work, and then MFA on top of that. Right? And so, making sure that credentials alone, leaked credentials alone, can never actually get into an account or into an application, I think is key. And if you do those things, then you have killed two birds, right? You've addressed leaked credentials and privileged access abuse, and you've addressed limiting malware and what it has access to.
Torsten George (00:37:18):
No, very good. Yup. Makes sense.
Raun Nohavitza (00:37:23):
So, you know, obviously we spend a lot of time thinking about this in our organization, in least privilege and MFA and best practices. So maybe you can share some of the best practices from our thoughts that would apply here.
Torsten George (00:37:42):
True. I mean, we talked about 80% of today's data breaches being tied back to privileged access abuse. And so it's about the administrators. They're holding the keys to the kingdom and that's the main target of attackers. And so one of the first things that you want to do is what NIST as well as Microsoft propagate as a clean source, a secure admin environment that allows me to get into the network without exposing it, for instance, to infections. And so typically, if I use a workstation right now that is network attached and I'm exposed to ransomware, I'm spreading it. So, it's obviously a bad thing to do. And so instead of doing that, you should really leverage a web browser, an HTTPS connection, to gain access through a jump box, a gateway, a proxy to enter into that environment.
Torsten George (00:38:46):
That's the far safer way. You're not network connected. And quite frankly, now that we're all working from home, it's even more important. I mean, obviously since May, there was a lot of talk about, oh, let's turn on the VPN for our administrators. First of all, it's tough to do, because VPNs are not very scalable by just snapping your fingers. There are hot words. It plays a role. You have to install clients, all of these things. So at the end of the day, it's really about having to look at ways to do that in a more secure fashion. Again, VPN is attached to the network. It also gives me access to an entire subsegment, which is terrible. I mean, hackers, ransomware can move around, and so it's really, really bad. And so from that perspective, again, the same underlying technology should be leveraged for remote access, where you really take a jump box that allows you targeted access right into that machine.
Torsten George (00:40:11):
So that's another best practice that should be applied. And then obviously if I'm a database administrator and I'm assigned to manage database A, why should I need access to database B? So you can create so-called identity zones and really define by my role, who I am, that I only have specific access to systems. And I should layer on top of it, as you mentioned, multi-factor authentication. I think multi-factor authentication is really low hanging fruit. A few months ago I was at a cyber security summit, on the stage with a ? team member, and he was also a red team member that tries for a living to hack into organizations. What is the biggest deterrent for you? And he said multi-factor authentication. 99% of hackers would be deterred. They would be discouraged to move forward because they don't have the second factor, and they move on to the next potential victim.
Torsten George (00:41:21):
Only really very sophisticated state-funded attackers would try other methods to bypass that. But this is low hanging fruit. This is what people should be doing and should be thinking about. The other thing is really one of the fundamentals. I mean, when you get a computer, one of the first things that happens is there's a root account, an admin account that's being created, and often that's still being shared. I have gotten into organizations where there is an Excel spreadsheet on the wall right next to the refrigerator and it includes all the shared accounts. And that's again something that hackers take advantage of. And ransomware can also, as you said, leverage credentials it can take advantage of. So one of the things that is a first step is vaulting away those credentials and not exposing them any longer to people.
Torsten George (00:42:27):
And then obviously we talked about limiting privilege. Gartner calls it zero standing privilege. You can call it least privilege. There are different terms out for it, but the reality is we're right now on a webcast. Why would I need credentials to access that database that I am assigned to? I'm talking with you, so why would I need that right now? But if somebody would come with my credentials while we're talking, they would be able to do everything that they wanted, and that's not the right approach. That's not the secure approach. So it's really about assigning minimum privileges or entitlements. If I need more, I should request them. And then the access request should be granted based on the context. Meaning if there's an access request to access a database, I should be looking at, hey, is this within the maintenance window? No, it's not. Okay, that's a little bit suspicious. Is there a ticket assigned to it, let's say in ServiceNow, that indicates that there's an emergency right now that would require that access? No, it doesn't exist. So it's suspicious activity, and now I should either monitor that closer, meaning sending an alert to my SecOps team and then shoulder surf to really see what that person is doing, or simply decline the access. So these are really things that can be done very easily. So I just want to talk to that point real quick.
Raun Nohavitza (00:44:06):
Can you go back to your slide, the one where you had the secure remote access? Because this was my experience years ago when I was really getting into security and our methodology for doing this stuff. This was kind of an aha moment for me, right? In IT and Ops, we've had various methods for remote access over the years. But I find still, and I know we have a kind of varying level of expertise probably in our attendees today, but I find that there are still some people who aren't really familiar with the concept of remote access through a jump box, or managed access with an MFA layer on top of that.
Raun Nohavitza (00:45:02):
And they're way more familiar with a VPN. Like, they're used to MFA, okay, maybe I've got proxies and things for web apps, but if I need to get to a system, how am I going to SSH, how am I going to RDP? I need a VPN for that. Right? Well, you don't. You don't need that, and if you use a kind of jump box methodology, with a portal with MFA on top of it, then you can limit access to the single machine that that person needs access to. And if you have a management system around that, you can actually check out access. You can give them access without giving them the password. Those two things in combination, using MFA, consolidated access with a single system access point and only granted to users who need it, that combination, I think, really raises the bar for malicious access. All these things that we were talking about before, where you've got to watch out for your backups and not have them connected, because these tools will go and find what's connected. You can imagine, if your VPN is up, it's going to go across that VPN connection. It's going to port scan, it's going to find everything that you're connected to. This is not using a VPN. It can't do that. So to me this is a key point on a way to raise the bar.
Torsten George (00:46:32):
So, from a technical perspective, but also from a business perspective. I see in the chat window there was a question coming in from Sue Shaun from New York Life. How quickly can this process be set up? And quite frankly, it's very powerful, because again, as I mentioned, with this type of approach I don't have to issue a laptop. So if I did not work from home before and I had a regular static workstation, now that I have to work from home, Raun would have to issue me a laptop that includes a VPN client. It's a nightmare. Correct? You have to ship it out. It takes time to order. And nowadays the supply chain is impacted. Here, I could have used my private computer, used HTTPS, meaning a browser without any client. I can even be in a hotel. I can use anybody's machine to gain access in a secure fashion.
Torsten George (00:47:29):
So to answer the question on how quickly that can be set up: we are providing a cloud-based service. You can even try it out on AWS Marketplace; there is a free tier available. It takes 30 minutes to have it set up. You can discover stuff, discovering your systems, you can lock down the passwords. If you want to do the remote access, it's a matter of hours. It's not a matter of days, months, or even years. It can be done extremely quickly. And so these are really the benefits. And again, you can apply these best practices. You can really kill two birds with one stone. Today's topic was about ransomware, but again, you see how powerful it is to really apply privileged access controls, because it really addresses both concerns. But let's go back to more practical aspects around what you do if you're infected with ransomware.
Raun Nohavitza (00:48:36):
Okay, well, so you had an attack, right? You're infected. You've got to deal with it. Now you've got to get back to the basics and be very tactical about things. There's a small handful of things you should be doing. You should be isolating affected systems. Immediately, time sensitive, you should be powering off systems. I mean you're kind of in emergency mode at this point, so you should definitely be taking things offline. If you've got secure backups, or if they're almost secure, secure them. Take them and make sure you're air gapped on your backup data. Change passwords, please. Make sure you rotate your credentials, and this means keys that were exposed as well as passwords, right? If you have something that you think was out there, rotate it.
Raun Nohavitza (00:49:30):
Then, of course, there are some cleanup measures that depend on the different types of thing that you're dealing with, but if you have backups of systems, you may end up needing to restore those. There are some registry keys and things that you can look for depending on the variant you're working with. But the last thing that I would say, and I said it at the beginning, is contact your correct agency. And this is kind of the only part on my list that's not tactical, technical, right? It's get in touch with the appropriate authorities, and that may differ depending on where you are. But Torsten, I think you have some information on this.
Torsten George (00:50:13):
Yeah, I mean, there are two aspects to it. If I'm a victim of a ransomware attack, I should report it. So from a reporting perspective, who do I call? Do I call 911? Probably not. So you should get in touch possibly with the FBI; they have their Cyber Task Force and they have their Internet Crime Complaint Center. So, filing a formal complaint there. Another option is, believe it or not, we always, when we hear United States Secret Service, we think about, oh, they're protecting the president, but they have the Electronic Crimes Task Force and they have local field offices. And so you can also turn to them to report the incident. And then obviously you want to give early indications, because attackers typically move within a vertical. So you want to share information so that your peers are not impacted.
Torsten George (00:51:14):
And so from that perspective, it's good to be part of an information sharing and analysis center. For instance, the banking industry has their FS-ISAC, but healthcare, utilities, they have their own information sharing and analysis centers. And it's really great working with your peers on this. They have great tricks and tips that they can share. So it's really good. And then secondly, when it comes to assisting you in mitigation efforts, you can always contact the Department of Homeland Security and their Computer Emergency Readiness Team. So CERT is not just publishing vulnerabilities, but they're really helping you in mitigating threats. And then obviously kind of look at NIST. They have a cyber security framework. They have a documented mitigation effort. There are the NSA IAD Top 10 Information Assurance Mitigation Strategies. So there are a lot of great resources out there to help people really tackle the ransomware epidemic.
Raun Nohavitza (00:52:42):
I think we got through a lot of our material that we had for today.
Yeah. So let's see if we have... there are a lot of questions that came in. I'm not sure that we can cover all of them. There's one from Kevin who says, I would like to add zero trust; least privilege is a foundation of it. Completely agree, Kevin, you have a great point. We're living in a world of zero trust. Zero trust is a security framework that was initially developed by John Kindervag when he was still with Forrester Research, in collaboration with NIST. And since then it has evolved quite a bit. They initially focused on kind of data, micro-segmentation, but nowadays it's more holistic, and so I completely agree that assuming always that a threat actor already is in your network is nowadays something that you should do, and you should structure your defense strategies accordingly.
Torsten George (00:54:02):
The perimeter simply has dissolved. We all moved workloads into the cloud, so it's no longer controllable. And so we have to structure our defense strategies accordingly, and zero trust can help. On a worldwide basis, there are now 11% of organizations that have implemented zero trust into their security architecture. So very good point. So there's a question, always a question that comes up: what do you recommend to balance security and work life? Users complain a lot that there's too much security when trying to access data. So you probably get those complaints quite often. I mean, what's your take on them?
Raun Nohavitza (00:54:56):
Oh, boy. So I do get those complaints a lot. I try, as a professional, to put some of those usability considerations up front when I'm implementing security. We're living in times where you have options now. Security has come a long way in terms of tooling and making things more user friendly while still being secure. It used to be that you had to jump through a million hoops and all that, but there are usually ways to do what you're trying to do in a more straightforward fashion these days. I try and put those considerations up front, but at the bottom, there are always going to be a few steps that are necessary, that are business reasonable, for your organization. And at some point you just have to take a hard line at this. You know, I'm sorry, you have some complaints. We try our best. But for the security of the company, you have to follow this process. You shouldn't ignore the considerations completely, because at some point you've got to be able to have your users do work and do business.
Torsten George (00:56:26):
Yeah. I worked in the IAM space 15 years ago, and one of the things that we heard for user adoption was really that it was cumbersome, and at the time I would say it was cumbersome, because you got your one-time password in an email, then you had to transfer that over to a different UI, and you typed it in wrong because you could not cut and paste it. It didn't allow you to do so. And you had to try multiple times and it was very, very cumbersome for the end users. And so adoption was a big problem at the time. But nowadays we're all carrying smartphones around with us. So pushing a basic alert to your phone and using the phone as an authenticator, it's a matter of three seconds. I click on a button and I'm in. So things have gotten so much better that, at least among our customer base, I rarely hear complaints that it really impacts the end user, that there's too much. So if you pick the right methodologies, the right ways to implement it, I think it's a little bit less impactful than what we saw in the past.
Raun Nohavitza (00:57:54):
We were talking earlier, when I pulled our slides back to the whole jump box to a single system: that solution is actually pretty user friendly. And in fact, I mentioned using SSH and RDP to get in. Our methodology allows you to use your native client if you want. And so it's not that big of a change for people. I think you can be secure without it being that much of an impact. But there were a couple of questions on Bitcoin I just want to address. There were a few things in here. There are a lot of questions like whether or not it's traceable and how do people actually use it?
Raun Nohavitza (00:58:40):
So, Bitcoin is a cryptocurrency, which means that it uses cryptography and blockchain to keep track of its transactions. It is fundamentally untraceable. It's meant to be untraceable. There are advanced methods that law enforcement will use to figure out how payments are being made. But a lot of times it starts with it coming out of Bitcoin and into currencies, real country dollars or current currencies. And they'll start there and figure out who are the people who are moving back into dollars so they can actually go and buy things with it. But fundamentally Bitcoin itself is not traceable. It's because it's anonymous, and the transactions are stored in an anonymous encrypted computer in an anonymous way. There are ways to get Bitcoin. There are exchanges just like there are exchanges with any currency. And so you can go to one of these exchanges and exchange your currency for Bitcoin. And of course, when that happens, those things in and out of Bitcoin, those are all very traceable. And so a lot of times law enforcement will latch onto that as a way to start their investigation.
Torsten George (01:00:03):
Very good. I know we probably have time for one more question. An interesting question from Douglas: for your personal computers, have you seen a lot of attacks, or are most of the attacks focused on company computers? As we talked about earlier, the trend initially, some time ago, was a very broad shotgun approach trying to hit any machine that might be out there. And so they did not discriminate by whether it's a consumer or a corporate user. Over the last two years, attackers have been really more focused, more targeted, and obviously gone after high value organizations where they know that they can ask for more ransom. If I do one attack on a city and they have to pay me a couple of millions, compared to if I have to reach 5,000 users to get 500 bucks from each of them, it's obviously more attractive to me to go after the organizations.
Torsten George (01:01:13):
However, under the current unprecedented times where a lot of people work from home, and due to the fact that organizations might not have been able to equip them with the necessary IT devices, hackers are now taking advantage of that and definitely also going after personal computers. And we talked about it: if your IT team instructed you to download the VPN client on your machine, your machine is exposed to ransomware, and, network attached through the VPN, you're spreading ransomware. That would not happen if you would use a CLI, a proxy, a gateway connector, like we're propagating as a best practice. So there's been a shift towards more focus on company computers. But I think we will see a spike again attacking personal computers right now under these unprecedented,
Raun Nohavitza (01:02:20):
I would just add to that that, in general, malicious actors are not picking computers to attack, right? They attack people, right? They find the organization that they want and they find the targeted individuals in those organizations, and they attack people. And it doesn't matter what systems they're using; they're taking advantage of the fact that nowadays we use multiple systems. We're using mobile devices and home systems as well as our work computers. And so it's important that you've got good hygiene and good security across all of your devices in your environment.
Torsten George (01:03:03):
Yeah. So we're at or even past the top of the hour. So, Raun, great to have you here. It's always great to team up with a real practitioner and really share some of the insights that you gained throughout your career. I hope that everybody took some nuggets away that they can apply in their day to day operations. And again, thank you very much for joining us today. We really appreciate you taking the time out of your busy schedule, especially in today's unprecedented times, and we hope you will stay safe and healthy and hope you will join soon for any of our other webinars we have coming up. Also, for anybody on the line from the government world: on May 28th, we will be talking about government compliance and how to use an identity-centric approach to PAM to meet many of your government regulations. So I hope you will be able to join us then, and thank you again.
Raun Nohavitza (01:04:14):