
All right, I think I'm going to get started, just in the interest of time. I might go too fast and be a little short, but hopefully it'll be right close. So thank you so much for joining today. I hope everybody can hear me, hope everybody can see the screen okay. Maybe just give me a thumbs up or a yes in the chat if everything looks good.

Perfect, thank you so much. Excellent. All right, so welcome to The Trouble with Ransomware, and if you were expecting a talk about ransomware today, I'm going to disappoint you, because this talk really isn't about ransomware. It's about all the things that come before that, all the things we don't necessarily see, and all the things that sort of slide through our network, like a really creepy guy slides into your DMs. Sorry to the creepy guys out there. So what you don't know really can hurt you, and I think that's what we see a lot as an incident responder. When I go to clients, we generally arrive when something's happened that they see, that is very, very evident in the environment, and that tends to be ransomware these days. Let's see if I can get the thing to advance. There we go.

All right, so, me. I'm Shelly Giesbrecht. I am a manager with the incident response services team at CrowdStrike. I've been at CrowdStrike for about 15 months, and prior to that I was the managing lead of the customer-facing incident response team at Cisco for three and a half years. I've been in the industry for about 20 years. I started out right here in Calgary, working downtown, and about 15 of those I've spent in security as a responder. So I've probably met a few of you along my travels, and I've seen some stuff. Now, every time I see "stuff" in this presentation, think about another S word, but also, you know, that it infers the same meaning, but I'm going to keep it nice and clean today. So I've seen some stuff in my years, and I've maybe seen your stuff, because I've seen a lot of stuff. I do have to give credit for that line; it's from a colleague of mine who goes on Twitter by the name of LitMoose. She's amazing, please follow her if you're on Twitter. And she says that a lot, except she uses the other S word.
But we've seen some stuff. And as you can tell, I'm a lover of bow ties and dogs, and I'm usually wearing red shoes, but I'm in my house today so you don't get to see the red shoes. You can find me on Twitter, and my blog that I rarely update, but it is there. So today we're going to talk about the stuff that is the precursor for ransomware, what happens in our networks before that happens. And yes, David Wong, I have seen your stuff. I will ask that if you want to ask questions in the chat, absolutely do so. As I get started I'll probably stop looking at the chat, but I think my moderator Colleen is going to maybe let me know if there's a question that needs answering. Other than that, I am available for any questions; you can absolutely DM me after the fact, and I'll try to get to any questions that you have.

Okay, so today I am going to talk a little bit about ransomware, but I also want to talk about sort of the adversaries that we're facing these days, some of the evolution of that in the last two to three years, because it's come leaps and bounds in the last three to five years, but particularly the last two years. And then we're going to talk about big game hunting and what that is. We're going to talk a little bit about some MITRE ATT&CK phases and how those are usually seen. I'm hopefully going to tell some stories as we do that, and some recommendations for each of those phases.

All right, ransomware. When ransomware started out a few years ago, it was devastating to those individuals that got hit with it, and it usually was individuals. It was people at home opening up, you know, the zip file from FedEx or from Revenue Canada, and their own computers and their own pictures were getting hit, and they were being asked for Bitcoin, and they didn't even know what Bitcoin was. But it's becoming increasingly more complex in the last couple of years. We've seen ransomware as a service develop, so we have sort of a parent organization that develops the ransomware, and they sell access to that ransomware to affiliates. Those affiliates then put their own spin on it, maybe have their own ransom note, maybe use their own ways to get into the network initially, and are more difficult to deal with. So when we are negotiating, when I say we I mean we as an entire industry, are negotiating with ransomware operators, sometimes we're dealing with the top-level folks and sometimes we're not, so the sophistication level really, really changes depending on who you're talking to. Backwards, okay.

We're also seeing some really interesting custom-compiled ransomware for specific targets. I see a lot of organizations' data over the course of a year, and we see some very interesting, you know, common pieces of malware, and then we see some stuff that's really targeted, and that is very interesting in and of itself. Something we've seen since last year, since about the beginning of this year, from about December last year until now, is data extortion. So previously with ransomware we saw, we encrypted your data and you should pay us some money so you can have the keys. And then all of a sudden one of the threat actors said, we encrypted your data and we want you to pay us to get a decryption key, but we also took some, and if you don't pay us we're going to make it public. Data shaming is the newest, the hotness if you will, in the ransomware world, and once one threat actor did that, the other ones thought, this is fantastic, and they all started doing it. It's very rare that they're not doing it, from a threat actor perspective. And then obviously branching out what sort of capabilities, preventing the use of network communications for instance. The other thing that we've seen, with the Defray ransomware, the Defray777 ransomware for instance, is looking for ESXi or virtual hosts, sort of the actual hosts for virtual machines, and hitting it at that level, which is much more difficult to troubleshoot and to remediate. What's interesting also too is the ransoms are going up. So in 2019 a threat actor that CrowdStrike calls Wizard Spider, who is the perpetrator of the Ryuk ransomware, however you say it, collected a hundred million dollars in US, in Bitcoin. It's a huge, an absolutely huge industry. But there's so much before that that we need to talk about, because ransomware's bad but it's not the only thing.

So we've all seen the MITRE ATT&CK framework, you know, starting with initial access and working right up through all the different steps to some sort of actions on objectives, whether that be exfiltration, ransomware, some sort of damage to the network, maybe just sitting and waiting and seeing what else comes along. And those first initial steps are where we really don't do well; most organizations don't do well. And so until we see something really noisy, like I said, the most calls we get are folks with ransomware, because all of a sudden it's available in your network to see; all of a sudden things that aren't available, like your files, make users sit up and ask what's going on. And until then a lot of times we don't see it, we don't understand that there's actually something going on, and there has been for possibly days, weeks or even months.

And the adversaries are fast. So this is probably a slide that's about two years old, and so those times have changed a little bit, but I think this is from late 2018. And at CrowdStrike we use animals to describe some of our adversaries, so Bears are Russian, or Russian nation-state actors, Chollimas are North Korea, Pandas China, Kittens are Iran, and Spiders are cyber criminals.
So you'll notice that the Spiders are the slowest, but are they anymore, two years later, are they anymore? Bears: 18 minutes and 49 seconds was the fastest that we clocked, a breakout time, so that's initial access to some sort of action on objective. That's incredibly fast, but generally speaking, nation-state actors, lots of backing, lots of money to be able to do that, so it is probably, you know, obvious that that's going to be fast. Spiders on the other hand, 9 hours 42 minutes. That seems, well, it might be fast depending on your detection capabilities, but from a scale perspective that seems mighty slow compared to, say, those Bears. But the truth is that that ecosystem, the ecosystem of cyber criminals, which includes both the nation-state adversaries as well as sort of the normal, just criminals if you will, they're evening the playing field a little bit. I'm going to talk about that in a minute.

The biggest thing you need to understand is knowing your adversary. So behind all of the cool comics that we have, the fun names, and the malware even, are people who are perpetrating these acts. So we need to understand, you know, what the intent is, and what your risk profile is from an organizational perspective. You may be opportunistically targeted or you may be specifically targeted based on your industry, based on data that you hold, based on mergers that you're going to be making, intellectual property that you have. And all those things we have to think about from a risk profile perspective, and then understand perhaps what sort of adversaries might be targeting your organization. I'm going through these slides far too fast, I'm going to have to slow down.

All right, so big game hunting. It is not a picture of the Trump sons standing over the poor body of some creature that they've shot, that is in fact still big game hunting, which is awful. But in this case what we're talking about is a switching of tactics from the original sort of targeting that we were seeing in ransomware to start with, which was individuals, home users, small businesses. The ransomware actors started to up their game. I believe it was originally Indrik Spider, who is the perpetrator of the BitPaymer malware; they changed their tactics to organizations, large organizations. They saw an opportunity to go for high-value, low-volume targets, so fewer organizations targeted but much more high volume, and so they're getting much higher ransoms as it goes forward, being able to ask for more money; the data might be more valuable from a ransomware perspective. And we saw that change in about two years ago, in what the targeting was. So now we're seeing very large organizations that are being targeted, as opposed to individuals at home. I think it's been a while since I've heard of individuals getting hit with ransomware, although it does happen; it is much more likely to happen within a corporate setting these days.

Okay, so as I said, there's an ecosystem of cyber criminals, and that includes our nation-state actors, our hacker adversaries from the hacktivist communities, et cetera and so forth. And one of the reasons that there's an ecosystem is, you know, their business, they're trading information. We see, for instance, initial access being offered on the dark web. In the last year I've had a couple of customers that have been notified by three-letter agencies, or four-letter agencies depending on where you're from, regarding the fact that access to their environments was being offered for sale by certain threat actors on the dark web. So sometimes they come right out and say, I've got access to X company's information, and sometimes they say, I've got access to a company whose, you know, gross income last year was this much, who have this many employees and are in this industry, and you can, generally speaking, get fairly accurate about who that particular target is based on that information. And it's being sold, and the interesting part is it's not that expensive. Gaining access to a network and selling the access for dollars, a thousand dollars; it's not expensive to get access to a large company's information. If a threat actor has a foothold and that particular actor isn't interested in doing the further steps, all they're interested in doing is what they're good at, which is gaining access in some way. Maybe they have an exploit that they're using on a particular type of vulnerability that's been very lucrative for them; they're going to do it again and again and again, put all these systems up, or networks up, for access, for sale.
And then they move on. They move on to the next thing, they move on to the next vulnerability that they find, and the next group that buys that and picks that up are the ones that actually try that access, that get in and start looking around. And maybe that organization, that cyber criminal organization, is the one that maybe gains persistence or gains some sort of credentials within the environment. We're seeing that with access via a number of remote systems: Citrix, VPN, RDP, et cetera. Go in, find some access, find some credentials, and maybe they drop the initial payload and start some initial malware. Like, for instance, we were seeing a couple of years ago with Ryuk: we first saw Emotet and TrickBot before we even saw Ryuk, and those were groups that moved through. We did this, now you do this, we'll sell you access so that you can do this. And so we're seeing that kind of evolution where there's an ecosystem: they're selling and buying information, they're selling and buying credentials, they're selling and buying access to networks. And because there's this business, and it's a big business, when we're going into an investigation we're always looking for multiple threat actors, likely, because today it's very rare that we're seeing one actor carry out an entire life cycle of an attack.

All right, so let's get into some MITRE ATT&CK framework phases. Initial access. A partner of ours that we work with quite frequently is Coveware, and they recently released a blog that has just a great amount of information, but one thing that really stuck out to me was the number one way that cyber criminals are getting into our networks these days is Remote Desktop Protocol open to the internet. Every time I go into a client for an incident response and they tell me, no, we don't have RDP open to the internet, I would say 90% of the time they're wrong. Somebody opened up a port to their home workstation; a vendor that they deal with opened up RDP for themselves to make it easier for them to support whatever function they do within the organization. It happens, and it's way more common than we think. If you have Shodan, it's awesome to go in and just look for open RDP and see what's out there, because it's in the millions. It's incredible how many organizations have RDP open and likely don't know about it. I actually worked with an organization several years ago that used RDP as part of their business solution. It was intentional. Unfortunately it was used against them in a very large ransomware attack, and in that case, again, the threat actor had access to their network, was moving around laterally, was finding what they need, and then finally did their ransomware.

We also have users still opening phishing emails. That's not going to change, and unfortunately that's just one of those things that we deal with as IT security professionals. But the other large one is software vulnerabilities in perimeter devices, and that's been huge over probably the last year: Fortinet, Pulse VPN, Citrix and others, various and sundry. I can't remember them off the top of my head, but those are the three that stick out to me that I've seen the most. And I'm going to put out a caveat here and say I'm not blaming any of those vendors for what's happening with that. This is unpatched systems, this is systems that are way behind in their firmware, or at least behind at the point where there's a vulnerability that a threat actor has been able to take advantage of. So those are still really huge things out in the network.

So, some recommendations from initial access. I think I'm going to be preaching to the choir with probably every and all of these recommendations, but it's amazing to me how much common sense is not common.
So, multi-factor authentication for all remote access. I can't even say this strongly enough. How many organizations I go to see and I say to them, do you have multi-factor authentication in place, and they go, oh yeah, we do. Is it for webmail? Well, no, we haven't got to webmail yet. Or, do you have it on for everyone? Well, just for the IT admin users. Now there's inherently something wrong with that statement, because it's usually your IT admin users who are a little bit more careful about their credentials; it's your normal users who are more likely to click on something, be socially engineered, go to a compromised website, maybe your executive users as well. So not having MFA for the users that are more likely to be taken advantage of seems counter-intuitive, but there it is.

Patch your stuff, and remember I said that about the stuff word; what I'm really intending is something else. Patch everything. And I talked about those perimeter devices. There's just too many times that I've gone into an organization and said, oh, what are you using, that type of VPN, and what's your firmware? Let's look that up. Oh look, it's vulnerable, it's been vulnerable since 2017 and it hasn't been updated. And unfortunately this happens a lot. We say, do you store your logs? No. Okay, well, all the evidence of that exploit has now completely rolled off your system and I can't tell you what your initial entry vector was. Happens every day.

Users will always click on phishes. They absolutely will. But I think there's a few things that we can do. One of those is empower them to report. There tends to be some embarrassment around, I accidentally clicked on that and then something happened, but I didn't want to tell anybody. And then there's just, like, I didn't really care and so I clicked on it anyways. We were working on a case just this week where we couldn't figure out what the initial entry vector was. The customer's employee swore he did not open his personal mail, and there wasn't a problem with that, and he didn't open anything from his corporate email either. Well, it turns out, a week later, getting into the investigation, he did in fact forward an email from his personal Gmail to his corporate account containing a zip file from someone like FedEx, not the real FedEx, and there they have, you know, the start of an infiltration from a threat actor, which ended up being ransomware at the end of the day. So we want to empower those folks to report. One of the ways I used to do it back in the day was actually, one, publicly encourage people and pat them on the back, but also send nice things like five-dollar gift cards if they actually found a phishing email that was interesting from a malicious actor perspective. If they just sent a spam they didn't get a gift card, but if they sent us one that was like, oh yes, that could have been bad, then you get a five-dollar gift card from Starbucks. You'd be amazed at how many emails you get. Can be a little unwieldy, but they're taking an interest in how they protect the organization.

I can't say strongly enough about getting a good email gateway to help you out with these things, and ensure that it's catching as much as you possibly can before it gets to your users, and anything that might be going out as well. We're seeing a lot more real and hard-to-detect phishing. So one organization gets compromised, one user gets compromised, and emails that are sent out from that real user's account by the threat actor to partner businesses, to partner organizations, or to customers are then infecting those organizations as they move forward. So it is getting more and more difficult to tell, but it's about training our users and empowering them to be more assertive in looking at their email and be critical of what they're seeing.

There is no good macro. I will die on that hill. There is no good macro. I don't care what your finance department tells you about the macros that they need in their spreadsheets. There is no good macro, so please disable all and every macro ever. And I'm going to say this probably more than 11 times in this presentation, but everything that we're doing, we need to be monitoring it. We need to be logging, we need to be monitoring all of these things, and if we're not looking then we've failed before we even started. We can put technology in place, we can have highly trained people, we can have good process around what we're doing, but if we don't actually look at the data that we're collecting, look at the consoles that we have put technology in place for, then it's all useless. We may as well not have spent the money, we may as well not have trained those people, because it doesn't matter. Threat actors, generally speaking, like to work really strange hours, and so if we're not looking between the hours of 6 p.m. and 6 a.m., we're missing stuff. And if your organization is unable to, doesn't have the resources to be doing that 24x7 monitoring, I highly recommend you look into having somebody else help you out with that.

Okay, I'm not going to do every step of the MITRE ATT&CK framework because I simply don't have time for it, but I'm going to try to cover the ones that I think are really important. Once they're in they're going to do a few things, and one of those is, if they come in with a regular user account, they're going to try to escalate their privilege. I think what's interesting for me is that there isn't a really tough way; you know, I mean, gaining privilege is hard, but it also isn't. There's a number of different ways to do it that come down to different types of code, like, say, Mimikatz, little applications like pwdump or WCE, and then just using exploits as well for unpatched systems. One of the things that we see quite often before we see, for instance, Mimikatz being used in an environment, and we see this on almost every customer that we have a malware attack with where Mimikatz was used, we see just before that there is a registry key called WDigest. If you don't know what it is, I'm not going to go into it today, but highly recommend you look it up. But essentially it is recommended for legacy operating systems that that be enabled; it needs to be a zero, I think, which in modern Windows operating systems it is. We see time and time again, when a threat actor wants to use Mimikatz, that they change that to a one, and when we see that we know we're going to see Mimikatz right off the bat, because when you turn it to one what it means is that credentials that were not being saved in memory are suddenly being saved in memory again. Legacy operating systems like Windows 2003, like Windows XP, automatically would just let credentials float around. Remember, once we typed it into the computer, until that machine was rebooted those credentials were floating around in memory and were accessible to anybody that was able to pull those out. With more modern operating systems that's been turned off by default, but that's where we see threat actors coming in and changing that key, and then we see Mimikatz executed, say, hours or days later, once they've had the opportunity to collect some more credentials. Now if a user account with administrator privilege logs in during that time, then they're able to grab those out of memory and use those, whether it's a local admin account or whether it's a domain admin account, and then game over right there. But if it's a local admin account, we're seeing far too many users that, one, have local admin on their desktops, but two, local admins that are shared across the enterprise. So if we have a desktop local admin password, for instance, that is shared across your entire enterprise for all of your desktops, it's the same local admin password, well, guess what, once they have one they can move laterally very, very easily. The other thing that we see quite a bit, we do compromise assessments, and one of the things we specifically look for is files that have "password" in the name, or "pass", and let's face it, our users are terrible at letting passwords just sit around in files, because it's easier that way, right? If I write it down then I will forget it.
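As an added example (not part of the talk, and not the speaker's or CrowdStrike's tooling), here is what the three host-level checks just described look like in PowerShell: the WDigest UseLogonCredential value that precedes Mimikatz, who is sitting in the local Administrators group, and files with "pass" in the name. The search roots, the expected-admin list and the output layout are my own assumptions; tailor them per environment.

```powershell
# Added example, not from the talk: quick single-host checks for the
# privilege-escalation findings described above. Run from an elevated
# PowerShell 5.1 session on Windows 10 / Server 2016 or newer.

# --- 1. WDigest --------------------------------------------------------
# UseLogonCredential = 1 puts plaintext credentials back into LSASS memory,
# which is what Mimikatz harvests. On current Windows the value is absent
# (default off) or 0. Treat a 1 as an indicator to investigate, not just a
# misconfiguration to flip back.
$wdigestKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
if ($useLogonCred -eq 1) {
    Write-Warning 'WDigest UseLogonCredential = 1: plaintext creds are being cached in memory. Find out who set it.'
    # Remediation, only after the host has been imaged / evidence collected:
    # Set-ItemProperty -Path $wdigestKey -Name UseLogonCredential -Value 0 -Type DWord
} elseif ($null -eq $useLogonCred) {
    'WDigest UseLogonCredential: not set (default off)'
} else {
    "WDigest UseLogonCredential: $useLogonCred"
}

# --- 2. Local Administrators membership -----------------------------------
# List every member; flag Guest outright and anything not on the expected list.
$expectedAdmins = @('Administrator', 'Domain Admins')   # assumption: adjust per environment
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $shortName = $_.Name.Split('\')[-1]
    $note = if ($shortName -eq 'Guest')                 { '  <-- Guest must not be here' }
            elseif ($shortName -notin $expectedAdmins)  { '  <-- review' }
            else                                        { '' }
    '{0,-40} {1,-6} {2,-16}{3}' -f $_.Name, $_.ObjectClass, $_.PrincipalSource, $note
}

# --- 3. Files with "pass" / "password" in the name ------------------------
# Noisy on purpose (it will also catch "passport"); the point is to see what
# is lying around in user-writable locations. Add your file shares to the list.
$searchRoots = @('C:\Users', 'C:\Shares') | Where-Object { Test-Path $_ }   # assumption
if ($searchRoots) {
    Get-ChildItem -Path $searchRoots -Recurse -File -Include '*pass*' -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.txt', '.csv', '.xlsx', '.docx', '.ini', '.xml', '.kdbx' } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize
}
```

Run it on a handful of hosts first to learn what your own baseline looks like; the value of check 2 and check 3 is in the deltas between machines, not in any single line of output.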
But the last one I think is the most interesting, which is, when we have people move from job to job, when we do mergers, when we move people from OU to OU, group to group, they gain privilege in ways that are unexpected. And so when we look immediately at a particular user we say, well, that user should be absolutely fine, they're only in this group, and that group doesn't have admin privileges, maybe it doesn't have any privileges on this system. But maybe that group or that user got added to another group on a different computer that does have admin privileges, so when that threat actor moves laterally they gain that access, and then they're able to escalate privilege farther than that.

So some recommendations. Number one, please remove local admin privilege as far and wide as you possibly can. And number two is use Microsoft LAPS. If you have shared a local admin password across your enterprise, you're just making it easier for the threat actor to actually move laterally very, very easily. I'm going to talk about lateral movement a little bit longer, but it's trivial for them to be able to do that. And then audit paths to admin privilege. We started doing this this year as part of a lot of IR engagements, where we wanted to understand how easy it would have been for the threat actor to privilege escalate, using a tool called BloodHound, or SharpHound, which is the actual executable that we run, I think, and it collects data about what the paths to admin privilege might be and kind of draws you a really nice map, actually. It's reasonably easy to use, you can do it fairly cheaply; basically download it, set it up and away you go. And it's a very interesting map to look at, to understand that there may be ways to admin privilege that you hadn't intended, because, like I said, cleanup hadn't been done, groups were out there that were intended to be in certain groups, et cetera. We had a customer the other day where the Guest account was in the Administrators group on more than half of their workstations. Not disabled, and in an Administrators group. Those are some best-practice things that, I think, made me roll my eyes, but it happens, and sometimes it's an error, sometimes it's just legacy. We want to make sure that that kind of thing doesn't happen.

I can't stress this more, but default logging isn't enough. On workstations, particularly with legacy operating systems, anything older than Windows 10, PowerShell logging isn't turned on by default. We want to make sure that we're logging as much as we can: transcription, module, and, I'm forgetting one, script block logging. We want to make sure that all of those things are on, so that we're having as much visibility as we can on what's happening in our endpoints. Not all of us have the luxury, and I've got endpoint detection and response tooling on there as a recommendation, but not every organization has the resources to be able to deploy an EDR product, and I get that. So do other things to set yourself up for success that you can do for low or no cost, which is, for instance, you know, throwing out a GPO across the enterprise to turn on the PowerShell logging, install Sysmon and configure it to capture more information for you. The more information the better, if we can understand what's going on. And even if you're not sending those logs, for instance if you install Sysmon and configure it for every system in your environment, even if you're not collecting and centralizing all of those logs, they're there, and should be there for at least, you know, a certain time period. You want to obviously play with the size of the files on your endpoints to make sure that you're getting as much data as you might need without causing any issues from a disk perspective. But even if you're not picking those up and centralizing them somewhere, you'll at least have something to look at. And you'll notice I'm going to talk about monitoring again. We're doing this logging because we're doing it right, but we want to make sure that we're looking at those logs. So how do we do that, how do we set that up? Again, 24x7 monitoring, optimal. If we can't do that, let's figure out a regular time that we're looking at logs, that we have a process that's in place to make sure that at least we're looking for patterns of behavior within our environment that don't make sense.

Okay, the next one that I'm going to talk about is discovery, and this kind of encompasses a lot.
Discovery, or, let's face it, reconnaissance. I love this little character; this is an explorer, because that's what our threat actors do, they're exploring your network. I like to say this a lot, but networks are very often like the best cookie, which is crispy on the outside and soft and gooey on the inside. Great for cookies, not so great for networks. All of us have firewalls, that's pretty much ubiquitous these days, everybody's got a firewall. Lots of people have IPS or IDS, awesome. Might even have some web application firewalls, excellent. But do we have that type of visibility on the inside of our network? And the truth is, likely not.

Hey Shelly, it's Colleen, sorry to interrupt before you move on to this. Adam had a question asking, do you think we should be logging and monitoring things?

Yes, absolutely, that's an excellent question. Logging and monitoring, right, so logging is great, we need that information, we need to collect it, we at least need to have it there on our endpoints if we need it. But again, if you're not looking at it, you're missing that detail, you're not giving yourself the opportunity, unless all you're keeping it for is for the inevitability when you do have an incident. If we're looking every day, we're going to detect something; if we're only looking when we have an incident, then we're looking at it retrospectively. That's good, and in fact I'm always grateful when we go to help an organization and they have logs, but usually by the time I get there something bad has already happened. So if you're looking every day, if you're doing that monitoring, if you've set up a process by which you're looking for unusual behavior, absolutely. So, great question, Adam. Okay.
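As an added example (not part of the talk, and not the speaker's or CrowdStrike's tooling), here is the "logging, then actually looking" point in PowerShell. Part (a) writes the same policy registry values that the PowerShell script block, module and transcription logging GPO settings write, for hosts you cannot reach with Group Policy. Part (b) is the looking half: it pulls recent process-creation events, Sysmon event ID 1 if Sysmon is present and Security 4688 otherwise, and summarises which accounts ran the living-off-the-land reconnaissance binaries the talk names. The transcript directory, the 24-hour window and the tool list are my assumptions.

```powershell
# Added example, not from the talk. Run elevated on Windows 10 / Server 2016+.

# --- (a) PowerShell logging policy values -------------------------------
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$wanted = @{
    'ScriptBlockLogging' = @{ EnableScriptBlockLogging = 1 }
    'ModuleLogging'      = @{ EnableModuleLogging = 1 }
    'Transcription'      = @{ EnableTranscripting = 1; EnableInvocationHeader = 1; OutputDirectory = 'C:\PSTranscripts' }  # directory is an assumption
}
foreach ($sub in $wanted.Keys) {
    $keyPath = Join-Path $policyRoot $sub
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    foreach ($name in $wanted[$sub].Keys) {
        $value   = $wanted[$sub][$name]
        $current = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $value) {
            $type = if ($value -is [int]) { 'DWord' } else { 'String' }
            Set-ItemProperty -Path $keyPath -Name $name -Value $value -Type $type
            "set  $sub\$name = $value (was '$current')"
        } else {
            "ok   $sub\$name = $value"
        }
    }
}
# Module logging does nothing until ModuleNames lists what to log; '*' means all modules.
$moduleNames = Join-Path $policyRoot 'ModuleLogging\ModuleNames'
if (-not (Test-Path $moduleNames)) { New-Item -Path $moduleNames -Force | Out-Null }
New-ItemProperty -Path $moduleNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# --- (b) Process creation: who is running recon tooling? ----------------
# Sysmon event 1 carries command line, hashes and parent image by default.
# 4688 only carries the command line if "Include command line in process
# creation events" is also enabled.
$since      = (Get-Date).AddHours(-24)
$sysmonLog  = 'Microsoft-Windows-Sysmon/Operational'
$haveSysmon = [bool](Get-WinEvent -ListLog $sysmonLog -ErrorAction SilentlyContinue)

function ConvertFrom-EventData($record) {
    # Flatten the <Data Name="..."> elements of one event into a hashtable.
    $d = @{}
    foreach ($n in ([xml]$record.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

$events = if ($haveSysmon) {
    Get-WinEvent -FilterHashtable @{ LogName = $sysmonLog; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d.User; Image = $d.Image; CommandLine = $d.CommandLine; Parent = $d.ParentImage }
        }
} else {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{ Time = $_.TimeCreated; User = "$($d.SubjectDomainName)\$($d.SubjectUserName)"; Image = $d.NewProcessName; CommandLine = $d.CommandLine; Parent = $d.ParentProcessName }
        }
}

# Binaries named in the talk. A burst of several from one account is the signal;
# a lone whoami.exe from a known admin is not.
$reconTools = @(
    'whoami.exe', 'arp.exe', 'ipconfig.exe', 'net.exe', 'net1.exe', 'nltest.exe',
    'nmap.exe', 'advanced_port_scanner.exe', 'ipscan.exe', 'netscan.exe'
)
$columns = @(
    @{ n = 'User';  e = { $_.Name } },
    'Count',
    @{ n = 'Tools'; e = { ($_.Group | ForEach-Object { [IO.Path]::GetFileName($_.Image).ToLower() } | Sort-Object -Unique) -join ', ' } },
    @{ n = 'First'; e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Time } }
)
$events |
    Where-Object { $_.Image -and ([IO.Path]::GetFileName($_.Image).ToLower() -in $reconTools) } |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object -Property $columns | Format-Table -AutoSize
```

Part (b) is exactly the question the speaker raises next: once you have the table, ask whether each account is a sysadmin who is supposed to be running those tools. The account with the most distinct tools in the shortest window is where to start.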
Of course he was, but it's still a great question. Okay, so let's imagine that our network is in fact kind of gooey on the inside. A threat actor is going to easily figure out what's going on in your network and you're not going to see it, and here's why. The tools aren't stealthy, they're making lots of noise. Unfortunately, we have native tools that make it harder for us to see them, because they hide in all the noise and everything else going on in our network. So PowerShell, any of the local tools like arp, ipconfig, whoami, any of the net tools, net.exe: you can do a huge amount of discovery just using tools that are already there, living off the land, right. And also bring your own tool. In a case I worked recently, we saw a threat actor bring an entire suite of what looked like homegrown tools, batch scripts, etc., to do reconnaissance across the network. They're part of our collection now, that's fantastic, we appreciate that. But they'll bring their own, and again they're not quiet, and the output, we usually see hundreds if not thousands of output files as they're running these across networks, and they just leave them there. They're not hiding them, they're still there. And then we have commercial tools, right, so we see the use of things like nmap, Advanced Port Scanner, Angry IP Scanner is always a favorite, NetScan, just tons of things. They bring in their own, or they're using the one that you have; it's always nice when you leave them a good tool to use. And they're not quiet, but we're not seeing them because we're not looking.

So some discovery recommendations. One, understanding what normal is, and I think this applies to pretty much every phase: understanding what normal is is key. We want to look for patterns of behavior in our network that don't make sense, that make it look like there's a threat actor actually looking around our network. So for instance network traffic: if we understand what normally is connecting to what, we can look for patterns that don't make sense. Why is this system connecting to this system, and why is there a connection from a country that we don't do business with? All of those things, not only north-south across our firewall but also east-west across the inside of our networks. How about user behavior? Why is this one user suddenly connecting to 80 machines that they normally would not? That's always an interesting data point. And how about what commands or processes are being run on our endpoints? So 4688 is the event ID that is for sort of normal process creation, and if you have Sysmon installed on endpoints it's Event ID 1, and it has a whole lot more information than just the 4688, so I highly recommend it. And if we aren't looking for that process creation then we're not seeing, again, those living-off-the-land items that threat actors use over and over again. Is it normal, for instance, for your sysadmins to be using some of those tools? That's a really interesting question to ask. We go in and we say, hey, we saw this on your network. Oh no, our sysadmins use PowerShell to do that. Oh, okay. And I was actually just on a case the other day where we saw a bunch of really unusual-looking PowerShell commands, but it turned out that was normal, and they were actually able to tell us that reasonably quickly because they understood what was normal in their network. They were very, very quick to be able to say, nope, that's something that we do on a regular basis to enumerate this. Great. But when we don't know that, we could spend days chasing our tails and the investigation going nowhere, because it's something that a sysadmin who's on vacation set up but nobody knew about it, and it's running all over the place causing noise and maybe diverting our attention from what's really going on.

What's authorized on your network? How many, and I'm going to virtually have you put up your hands, you don't necessarily have to do it in the chat, how many of you know exactly what remote admin or remote access tools are running on your network? Because I would guarantee you that the number is really low. We see time and time again organizations that have remote access or remote admin tools running on their network that are legitimate tools, not even tools that you would consider malicious in any shape or fashion, simply that are there that should not be there. LogMeIn that is there when GoToMeeting is your corporate tool, or, you know, back in the day we saw some pcAnywhere. You see TeamViewer, Gameware, all the time. We say, is this normal on your network? And they go, oh geez, I don't think so, we do have some vendors that I'm not sure what they use. And then there's that vendor that's using RDP that you didn't know about, but that's a whole other thing. So if you're not looking, again, you're missing out. You're missing out on all these things that are happening on your network, and that's another, you know, "stuff" way of me saying you should be monitoring these things, you should be looking for these things.

NetFlow is amazing. I went through many years as a security admin where I'd say to
my network administrators, and apologies to the network administrators out there, but I'd say, I really want to collect NetFlow off these devices, and they'd go, oh no, we couldn't possibly do that, because that device will fall over if we start trying to collect NetFlow off of it. And to me, the answer to that question is, we're not architecting our networks properly to be able to get the information that we need. Because NetFlow isn't just a really cool thing for security people, it's also a pretty cool thing for network people as well. We should be able to use that information, and the reason that the tool is there is so we can get that information and use it for the betterment of our network, for the betterment of our security posture. So NetFlow: get your folks to be doing it, collecting it. It's small, it can be compressed, it can be put on a server so you can look at it later, or you can create a process for looking at it daily or weekly. We need to be logging and monitoring user behavior events: what are they accessing, what have they logged into, and looking at that data on a regular basis. And that process execution data; again, I highly recommend setting up Sysmon so you're getting that much more context around some of those process executions. If you're not collecting it into a centralized store for all of your systems, which is a lot, understand what your critical assets are, whether those are your domain controllers, your Exchange servers, or whether those are your application and database servers, critical crown-jewel servers. Understand what that smaller subset is, put those somewhere, and be looking at those on a regular basis. And how about blocking unauthorized binaries? If you're not expecting a tool to be used on your network, let's make sure that we're not allowing it to be used. If TeamViewer is your remote admin tool of choice, then LogMeIn should not be allowed in any shape, form or fashion. And of course, you know, EDR is nice if you've got it, but all of these things, there are other things that we can do for lower or no cost that will help us out from that visibility perspective.

All right, lateral movement should not be like Fred Astaire. What I mean by that is threat actors should not be able to dance like Fred Astaire, lightly, beautifully, with grace across your network. It should be like me dancing. I'm not going to do it, but my wife will tell you I shouldn't. It's not easy, it's not pretty to look at, and I really should just sit down. Why do we make this easy for threat actors? We have big flat networks. I don't know how many
organizations I've talked to where you would think, from their size or from the things that they're doing, that they should have segmentation in place, and they go, well no, it's a big flat network, we've got our control systems over here so that our admins can easily get to those from their desktops. And we want to do a little facepalm with that, right. Or alternatively I've said to organizations, do you have network segmentation in place? And they go, oh yeah, we have VLANs, our users are over here, our servers are over here. Do you have access control lists in place to make sure that those users can't get into this VLAN or this VLAN? Well, no, we just put them there. Well, that's not helping anybody. Unpatched systems are obviously one of the best ways to move laterally, because if they're unpatched that means they've got lots of vulnerabilities, and a threat actor is easily able to move laterally from system to system using, for instance, the Shadow Brokers' EternalBlue. It's still out there, we still see it, and it's not patched. And of course local admin, I've talked about it already, not going to belabor the point, but it's everywhere. No restrictions on system access: should certain systems be able to contact certain systems? And the answer usually is no, it just hasn't been actioned.

So some recommendations. I think it's obvious: network segmentation with access control. Put different things that don't need to talk to each other in different parts of your network. Not only is that more efficient, but when a threat actor tries to move laterally in your environment, and in fact, say, in this section over here, they're not able to get to your crown jewels over here, or they're not able to get past your DMZ into your user network, because that's not allowed, that's been blocked off, and you're logging the heck out of it. Patch your stuff. I have dealt with more than one client in the last year who has Windows 2000 and Windows 2003 boxes still sitting in their environment, and when I say more than one, it's a large number. They cannot patch those boxes, obviously, so the recommendation is figure out how to protect them: segment them off, put jump hosts around them, do something to ensure that they are protected. Because generally speaking, the reason that those 2000 boxes are still around is because they're running something incredibly critical to the environment, so let's treat it that way and let's make sure that threat actors can't get to them. Here's the good news: I have yet to see a 2000 box get infected with ransomware, because I don't think it'll run on there, but prove me wrong. We want to remove local admin privilege wherever we find it, and obviously, again, using LAPS. That's a duplicate recommendation, but it just fits everywhere. And how about actively managing admin privilege? We want to make sure that the admin privilege that's available in our environment is understood, that we're actively looking at how it's being used, and that we're removing it when it shouldn't be there. We had a case where we discovered an admin account had been active, and when I say active I mean it had been created, for about three months and had never been logged into. So it's just sitting there waiting for a threat actor to discover it and use it, just because it's a legitimate account. And I think the last thing, which I think doesn't get as much press as it should, is host firewalls. We don't turn host firewalls on in general on desktops inside the environment, because why would we? Why would we need a firewall inside the environment? And for laptops, frequently we have a GPO that says once it's outside the corporate walls you can use the firewall, but inside, don't worry about it, we don't need it. But what a great way to make sure that systems that shouldn't be connecting to other systems can't, and on what protocols. Should your workstations be able to connect to each other via SMB? Probably not. And what systems should be able to hit the DC? So we can use our host firewalls on the DCs to limit the ability of certain IPs to hit those systems. For instance, our critical assets, we can do the same thing. Let's stack those defenses on top of the network segmentation together and provide a much better way for us to understand and block what's going on in our network. But last, we need to be looking for it, right. All those things that we put in place, we need to be monitoring for them, we need to be looking for them, or else we're not going to see it. I'm running out of time here. All right, data
exfiltration. What left my network? If you didn't see it by now, you're probably not going to, and this is literally the hardest thing to tell. Every time I go into a client's organization they ask me, was data accessed, staged and exfiltrated? And the answer frequently is, I don't know. And that's not because we're not good at what we do, we're excellent at what we do, it's because it is one of the hardest things to prove. The best thing to have is full pcap. How often does that happen? One out of a hundred? Full pcap is unheard of. Even larger organizations really aren't doing it. Would I love them to do it? Yes. Is the storage unwieldy? Absolutely, and expensive, right. A nicely, well-configured DLP, notice I said well configured, because that's a big thing. Again, DLP, it's expensive, it needs to be well configured, it's a tough thing. So those two things, very, very difficult. NetFlow is great though. It might not tell us exactly what left the environment, but it's going to tell us how much and where it went from an IP perspective, so let's get on that train. And we need to understand what normal looks like, not only from a north-south perspective but east-west: what should be talking to what, what normally talks to what, and if there's a spike in that then we can see that right away. How about enabling file auditing to find out what's accessing what, particularly on critical assets? If you've got critical intellectual property, you might want to know what files were accessed on that system, and be monitoring that information, from the NetFlow to the event logs to that pcap if you have it, nice if you have it, though pcap rarely happens. Please be monitoring that.

All right, I think I'm right on time, which is awesome. I had to throw in a picture of my dog, this is Ruby in her Halloween costume, and I thank you all for joining me today. I'm always thrilled to speak at BSides events, particularly in Calgary. So I'm going to stick around on chat if anybody wants to ask any questions, but I thank you very much for your time and I hope you're having a great time at BSides.

And Shelley, there was one question about any resources you can recommend that cover well-configured DLP.

Ah, well-configured DLP. I don't know that I do. It's not a technology that I see very often, believe it or not, in the wild. So I'm going to say, if you do have DLP, please contact your vendor support. There are some experts out there; I am not one of them.
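The following is an added example appended after the talk; it is not part of the speaker's material. It is a small Python pass over Windows endpoint telemetry that implements three of the "look every day" checks the talk recommends: discovery and living-off-the-land commands in process-creation events (Sysmon Event ID 1 or Security 4688) minus a documented baseline of what is normal, remote-access tools other than the one the organization sanctions, and a single account fanning out to an unusual number of hosts (network logons, Security 4624 with logon type 3). Field names follow those event schemas, but every record is constructed inline; the tool binary names, the baseline entry for a scheduled inventory job, the sanctioned tool (TeamViewer) and the fan-out threshold of 20 hosts are all assumptions to be replaced with your own environment's normal.

```python
"""Daily 'look for unusual behaviour' pass over Windows endpoint telemetry.

Added example, not from the talk. Runs three checks over constructed events:
  1. discovery / living-off-the-land commands in process creation
     (Sysmon Event ID 1 or Security 4688), minus a documented baseline;
  2. remote-access tools other than the organisation's sanctioned one;
  3. one account fanning out to many hosts (Security 4624, LogonType 3).
"""
from collections import defaultdict

# Discovery binaries the talk calls out (lower-case basenames; the list is an
# assumption, extend it with whatever you see in your own cases).
DISCOVERY_TOOLS = {"net.exe", "net1.exe", "whoami.exe", "ipconfig.exe",
                   "arp.exe", "nltest.exe", "nmap.exe", "ipscan.exe",
                   "advanced_port_scanner.exe", "advanced_ip_scanner.exe",
                   "netscan.exe"}
# PowerShell only counts as discovery when the command line enumerates something.
PS_DISCOVERY_CMDLETS = {"get-adcomputer", "get-aduser", "get-adgroupmember",
                        "get-addomaincontroller", "test-netconnection"}
# Remote-access tools (binary names are assumptions) and the sanctioned one.
REMOTE_ACCESS_TOOLS = {"teamviewer.exe", "logmein.exe", "anydesk.exe",
                       "g2mstart.exe", "awrem32.exe"}
SANCTIONED_REMOTE_TOOL = "teamviewer.exe"
# "What normal is": hypothetical baseline entry for a sysadmin's scheduled
# inventory job, so the same enumeration is not an alert from that account.
BASELINE = [{"user": "corp\\svc-inventory", "image": "powershell.exe",
             "cmdline_contains": "get-adcomputer"}]
FANOUT_THRESHOLD = 20  # distinct hosts per account per day; tune to your normal


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_baselined(ev):
    user, img, cmd = ev["User"].lower(), basename(ev["Image"]), ev["CommandLine"].lower()
    return any(b["user"] == user and b["image"] == img and b["cmdline_contains"] in cmd
               for b in BASELINE)


def looks_like_discovery(ev):
    img = basename(ev["Image"])
    if img in DISCOVERY_TOOLS:
        return True
    if img in ("powershell.exe", "pwsh.exe"):
        cmd = ev["CommandLine"].lower()
        return any(c in cmd for c in PS_DISCOVERY_CMDLETS)
    return False


def check_process_events(events):
    """Return (discovery_hits, unsanctioned_rat_hits); baselined events are skipped."""
    discovery, rats = [], []
    for ev in events:
        if is_baselined(ev):
            continue
        if looks_like_discovery(ev):
            discovery.append(ev)
        img = basename(ev["Image"])
        if img in REMOTE_ACCESS_TOOLS and img != SANCTIONED_REMOTE_TOOL:
            rats.append(ev)
    return discovery, rats


def check_logon_fanout(logons, threshold=FANOUT_THRESHOLD):
    """Accounts with network logons (type 3) to at least `threshold` distinct hosts."""
    hosts = defaultdict(set)
    for ev in logons:
        if ev.get("LogonType") == 3:
            hosts[ev["TargetUserName"].lower()].add(ev["Computer"].lower())
    return {user: len(h) for user, h in hosts.items() if len(h) >= threshold}


def summarize(proc_events, logon_events):
    disc, rats = check_process_events(proc_events)
    return {
        "discovery": [(e["Computer"], e["User"], basename(e["Image"])) for e in disc],
        "unsanctioned_remote_tools": [(e["Computer"], basename(e["Image"])) for e in rats],
        "fanout": check_logon_fanout(logon_events),
    }


# Constructed sample telemetry (not real logs): one user running discovery from a
# workstation, the baselined inventory job, an unsanctioned RAT, and the same
# user touching 25 hosts over the network.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_PROCESS_EVENTS = [
    {"Computer": "WS-0412", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": 'net group "Domain Admins" /domain'},
    {"Computer": "WS-0412", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\whoami.exe",
     "CommandLine": "whoami /all"},
    {"Computer": "SRV-INV01", "User": "CORP\\svc-inventory", "Image": PS,
     "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1 Get-ADComputer -Filter *"},
    {"Computer": "WS-0412", "User": "CORP\\jdoe", "Image": PS,
     "CommandLine": 'powershell -c "Get-ADComputer -Filter * | select name"'},
    {"Computer": "WS-0199", "User": "CORP\\asmith",
     "Image": "C:\\Program Files (x86)\\LogMeIn\\x64\\LogMeIn.exe", "CommandLine": "LogMeIn.exe"},
    {"Computer": "WS-0200", "User": "CORP\\bwong",
     "Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "CommandLine": "TeamViewer.exe"},
]
SAMPLE_LOGON_EVENTS = (
    [{"Computer": f"WS-{n:04d}", "TargetUserName": "CORP\\jdoe", "LogonType": 3}
     for n in range(1, 26)]
    + [{"Computer": "SRV-FILE01", "TargetUserName": "CORP\\asmith", "LogonType": 3},
       {"Computer": "SRV-FILE02", "TargetUserName": "CORP\\asmith", "LogonType": 3},
       {"Computer": "WS-0199", "TargetUserName": "CORP\\asmith", "LogonType": 2}]
)

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_PROCESS_EVENTS, SAMPLE_LOGON_EVENTS), indent=2))
```

Run as-is, the pass flags jdoe's net.exe, whoami.exe and Get-ADComputer PowerShell from WS-0412 while staying silent on the identical Get-ADComputer enumeration from the baselined svc-inventory account, reports LogMeIn on WS-0199 as an unsanctioned remote-access tool, and reports jdoe's 25-host fan-out. The design point is the baseline: the same command line is noise from one account and a lead from another, which is exactly why the talk puts "understand what normal is" ahead of any tool list.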