Ransomware Unlocked | Ashwini Siddhi | Nullcon Webinars 2021

Hello all, welcome to the Nullcon webinar series. My name is Sakshi and I am part of the Nullcon TV. So let me briefly introduce what Nullcon is. The Nullcon conference is a unique platform for security companies and evangelists to showcase their research and technology to the community. We have been running Nullcon security conferences since 2010, where information security is discussed in detail among the industry, government and tech community. So in this work-from-home environment we keep continuing to share knowledge and connect with our global community by running multiple online events like webinars, workshops, training and resume clinics. In the upcoming time we are going to have some exciting sessions on information warfare, digital bank robbery, threat modeling for mobile communications and many more. Also happy to let you know that we have announced our Nullcon security training in the online edition, which will happen from 23rd September to 26th September; more information will be put out in the Zoom chat box.

And coming to our guest speaker today, we have with us Ashwini, who is going to share with us her thoughts on ransomware. Ashwini is a security engineer with industry experience in areas like application security, security architecture, secure design and network security. Ashwini is currently working as Secure Design Service Lead with the Product Security Office at Dell EMC, to provide leadership and strategic direction to secure design review and threat modeling services, to shift security left and implement a secure design lifecycle. On behalf of everyone, I welcome Ashwini to this session. And before we go ahead, a few instructions for the audience: our talk duration is about 30 minutes and after that we will have a question and answer session. If you guys have any questions you can drop them in the chat box and we will answer them at the end of this session. And I request you all to keep your mic on mute during the session to avoid any kind of disturbances. And without any further delay, I request Ashwini to take charge of the session.

Hey, thank you Sakshi. Hey all, I'm Ashwini Siddhi here. I know she gave a really long intro of me, so I just want to say that I work for Dell EMC and I'm the threat modeling service owner, so if at any time you really want to connect or talk about threat modeling or secure design, please reach out to me on LinkedIn. And that's, you know, quite away from the topic that we're talking about today: ransomware. Ransomware has caught the fancy of all of us in the security industry, right? We have the pandemic going on, and ever since the pandemic there is another sort of pandemic happening in the virtual world. So I think it's an interesting discussion: how it has evolved, where we are today with ransomware and what we can do about ransomware, and all of that. So I thought it would be a good session to talk about, and also maybe gather your inputs and feedback on what you think about it. So without much ado, let's begin talking ransomware. Let me know when you can see my screen. You should be able to see my screen, right?

Yes, we can see.

Awesome, that's great. So ransomware, right? I mean, it might look like a new phenomenon, because in the last three years so much is happening and we've been hearing about Colonial Pipeline and the JBS hacks, so many such attacks, right? But ransomware has been around for a really long time. The first reported ransomware was way back in 1989, wherein it was actually a physically propagated ransomware. When I say physically propagated: there were people attending the AIDS conference out there in some part of the world, and this man actually came out and distributed floppy disks. These disks were intended to tell the users whether they are susceptible to AIDS or not, but it also had an embedded ransomware within it. But the thing is, when the users went back and used it in their PCs and turned it on, nothing really happened, right? They turned it on the first time, second time, third time, nothing really happened. So like the 90th time when the system was powered on and powered off, there was actually something that happened: the files were hidden, the directories were hidden, some of them were encrypted, and there was a message displayed asking them to make a payment. As in, payment not online, but send the money to a PO box somewhere in Panama. So that was way back in 1989, and we've come a long way from it, and when I say "we", it's obviously the hackers. So the first ransomware attack, as you can see, was not really efficient: the wait time was so much longer, you had to wait like 90 times for somebody to power on the system and then the attack would be realized, and also the fact that the payment is not really secured; it could be easily traceable and it's not a virtual mode of payment. With the onset of cryptocurrencies around 2013 it made things so much easier to demand the payment without actually being tracked. That's when we started having all these escalated attacks, as you can see. Yes, we started off with the AIDS Trojan and then eventually moved on to WannaCry, CryptoLocker, GoldenEye and all of that, and now we've reached the stage where we have DarkSide and REvil. Yes, if you've read the latest news, DarkSide and REvil have actually vanished from the dark web, and we do have somebody similar to REvil and DarkSide, which is called BlackMatter, that is coming up. Maybe it's just an offshoot of the gang, whatever. But when I put this together, right, I mean I was really focusing on REvil and DarkSide; the ransomware landscape is evolving so much that maybe I put up these slides and talk about DarkSide today, and tomorrow there's already a new gang and there's a new attack and they're talking about something else. So this is what the timeline of ransomware looks like, and the sophistication, as you can see, has evolved multi-fold, and the number of attacks again has gone up 400 percent in the last year. These numbers come from the FBI. And every six seconds... it started off in 2020 with about 30 seconds, every 30 seconds there was a ransomware attack, but now we have like every six seconds there's a ransomware attack. So it's that frequent, and maybe not all of them are much publicized, right? Yes, we know the latest attack was with Accenture, the LockBit ransomware, and it was quite publicized and all of us knew about it, but the smaller companies may not always be so publicized. So we don't really know the number of attacks that are happening every second, every single day. So it is so prevalent across the world, and especially in the US in recent times, because REvil has had about 500 attacks on small and medium companies in the US itself in the last year, 2020 and 2021 put together. So that's quite a number, right? It just means that it's as easy as just walking about the street and, you know, picking up some coins or something like that. So it's that prevalent and that easy to attain ransoms these days.

And you must have heard of DarkSide and REvil; these are the kings of ransomware, as they're called, especially because of the Kaseya attack. I'm sure all of you would have read the case, right? So it is regarding the MSP service providers. There was an open vulnerability which was not really patched, and these attackers used one of these vulnerabilities to propagate this malware, and more than 60 MSPs and more than 1500 businesses across the world were impacted because of it. And, you know, anything from a Swedish supermarket to a kindergarten in New Zealand, all of them were impacted. So these hacker groups claim that they don't really go about attacking or inconveniencing the public, but as you can see, that's not the case, right? I mean, even with the Colonial hack, it was supposed to be attacking businesses, but eventually the impact was on the public; they had to face the want of not having oil, etc. REvil did say that they didn't intend the shutdown of Colonial Pipeline, but the organization did say that they had to voluntarily shut down because their billing systems were attacked and they did not know how it would propagate further. They did not know what really the impact could be, so as a safety measure they went about pulling all their systems offline, because that's what we do the first time there's a ransomware attack; the first thing we do is, okay, let's put everything offline. So that's what Colonial Pipeline did, and so many people were inconvenienced because of that. So even if they claim that they are very charitable, they contribute to children's projects across the world, water-related projects across the world, and they claim to be apolitical, it's not really the case, right? Eventually it is the public and the common man that is getting inconvenienced. So it is a nuisance; it is more than a nuisance, right, if you could say that. When it is a state-sponsored activity it is more or less a cyber war that is moving in the wings, and with Biden going and talking to Putin and actually threatening him that, with these attacks arising out of his soil, he's actually going to send a physical army to Russia, and also the fact that he put a 10 million bounty on all of these hackers, it is clearly an indication that this is not just a regular cyber attack. This is not something like a regular hacker getting into a system and trying to get something out of it, right? It is beyond that; it has political connotations, it has so many more outcomes than a regular attack would have. Yes, with the Travelex attacks, when REvil attacked them, the shares fell so much that the company actually went into losses. They also attacked the White House when Trump was the president; they actually broke into the crypto provided by the NSA and all of that, and they actually managed to gather some tax evasion scheme files which were so confidential that somebody actually agreed to pay the amount to get these files back. Though that didn't happen... we don't really know if the amount was paid or not, all of that is extremely confidential, but they do claim that somebody was ready to pay up front all of the money, all of the ransom that they demanded.

And the same goes for the Ireland healthcare attack, right? You must have heard of this Ireland healthcare attack. It was conducted by a not so famous, or not as infamous as DarkSide or REvil, group called Conti. I believe they were sort of testing what was happening with their ransomware and if they really could do it or not. Suddenly they had an attack of conscience and they didn't really want to go ahead with collecting the ransom; instead they actually gave away the decryptors for free. Despite that, it took more than 72 days to try to decrypt all of the files and get back the patient records and all the documents related to health. It took so long that people who had their appointments, who had their surgeries, were inconvenienced, and they actually started suing the Ireland healthcare system because of this, because they were not maintaining their systems up to the mark, such that any ransomware attacker could come in and get into their systems and demand ransom. So this is one of the other examples. I mean, we could constantly go about talking; it's a day's topic, so much is happening. We could talk about the Kaseya attack, we could talk about Accenture's LockBit, we could talk about Colonial Pipeline, we could talk about the JBS shutdown, we could talk about Ireland and Brazil's court system and Fujifilm, Travelex, so much; the list goes on. So that's not the whole point here. We're just talking about what the problem is and how we can best look at it and what we can do about it. So to actually understand what it is that we can do best to avoid getting into such a situation, I think it's very important for us to know what the anatomy of a ransomware attack is, right?

Seventy percent of these attacks have still been through phishing, so phishing is still the easiest way to get into a network. It's just: send out a mail with authority, which probably relates to your emotions, and also has some sense of urgency, and then ensure that the user clicks right away, and then you download the malware and it unpacks and executes on the systems. But it's not necessarily the only attack surface; there are alternate attack surfaces like brute forcing RDP and other zero-day vulnerabilities. When we talk about the Kaseya attack, it was the zero-day, right? I mean, it is a supply chain attack with zero-day vulnerabilities. And REvil has claimed that brute forcing into a network has been its favorite way of achieving a ransomware attack, and yes, RDP, because most of these attacks are related to Windows. But that doesn't mean that it's not possible on Linux; HelloKitty for VMware has been an example of ransomware across different operating systems. If somebody is not really able to brute force or RDP into the system, or even use zero-day vulnerabilities, these ransomware attackers actually go and buy credentials, right? There are small-time hackers who post credentials on the dark web, or maybe they actually reach out to somebody who's working in the organization; most people have a price, right, so they could be bought for a certain price and the credentials actually obtained from these people. So it's as easy as that. With phishing, with brute forcing RDP and zero-day vulnerabilities, it gives them so many options, and considering that they're sophisticated, they're evolved and they work as a professional service. When I say professional service, they work as ransomware-as-a-service, right? It's not necessarily that the team that is building this ransomware itself goes and deploys this ransomware. They could work in a way that they just sell their ransomware to somebody who reaches out to them, and this person or this group tries to deploy it to their target. Or it could be that somebody goes for a different model, where the people who made the ransomware also go about trying to hack into the network and get in and install the ransomware at the same time. So they have different models in how they function really; it's not one model that they follow. But most times it is: they have a team of developers, they have more than 10 pen testers, like a really huge group of pen testers, and this forms their core technical team, and they gain about 20 to 30 percent of whatever ransom is received from their targets; the rest, the 70 percent, goes to their affiliates or distributors. So these distributors are the ones that are out there who actually post communications on the dark web, who probably contact these targets. And at times you would also need a support system, right, for these ransomware: maybe you come from Russia and maybe you're trying to attack some organization in France, so you need a translator, you need a support line that they can call or reach out to, and you can also have negotiation. So it's not as simple as "I give you some amount and then you just pay it right away"; there are discussions, there are negotiations, there are translators involved, there are support people involved, there are call centers involved. So they function as a fully professional organization and provide this ransomware as a service itself. It's a great business model, yes, but I wouldn't go to the extent of saying that you would have to learn from these people. But yes, it's a great way that they perform, in terms of just technically how good the ransomware payloads are and also how well organized it is. They don't directly communicate with each other despite having so many team members; it is known that they don't physically or in person communicate with each other, they always communicate over the dark web, etc. So they're not really traceable, right? You don't know; although most of them claim to come from a certain region, it's always known that even if they're next door they probably wouldn't be talking to each other, at least about the ransomware. So it was clearly called out by the REvil head, who was actually giving out interviews to one of the Russian media persons. I think I will share the link of this interview with you; it's a really interesting read. It gives you an overview of what these hackers are thinking, where they're coming from and what their motivation is to do this. And talking about motivation, right, it's money. Yes, they want to make as much money as possible. They've already made a lot of money; REvil alone has made about 100 million in a year, the last year, and they can go up to billions if they want to, and that is what they want to do. But eventually they also say money you can make as much as you want, but what matters to them is reputation. I don't really know what reputation they're talking about here, but they're really concerned about making an impact, having their name known. So maybe they have vanished from the web as REvil, but for all you know they've come back as BlackMatter. So not necessarily that they're known as REvil, right; it could be anything. They just want to be well known, to make a lot of money and to have some sort of a reputation of inconveniencing a lot of people.

So that's how they get into the system. What happens once they get into the system, right? So they get into the system and they bypass all the access controls on the machine, let's say, and they create a log file. So this is the typical log file, which let's say is log.<user id>.txt, and once they've created this log file to log all activities, they also go about... first they start from the recycle bin, they start deleting items, especially the ones related to security and event logging apps; they start deleting them one by one. They also start renaming the appropriate files accordingly. When I say appropriate, they're only concerned about certain files, right? They're not looking at encrypting all of the files; they're only looking at some of the files, whichever ones the ransomware is written to target. Okay, so taking a step back: once they bypass the access controls, they also have a check, a check that checks on the system for a language, whether it's Russian, whether it is Romanian, whether it is Syrian Arabic; they have languages from about all of the Commonwealth of Independent States. If the language is from any of these countries, Romania, Kazakhstan, Azerbaijan, Georgia, etc., so if it comes from any of these countries, the malware does not execute. So they're very clear about not executing in that particular region; it is only targeted outside of these regions. And if you ask them for their favorites, the favorite, at least of REvil, has been the US, that's what they claim, and next, close on its heels, come France, then Belgium and then Canada. So that is what their attack list looks like, the favorites. Yes, India has been attacked; there have been, not by REvil, but there have been attacks on the Telangana power grid, which is shared by Andhra Pradesh also; there has been one in Haryana also, but nothing beyond that, right? That is mostly about these power grids, at least with respect to the government-led organizations, etc. So REvil checks for all of these things, and once the malware is installed it unpacks and the log file is created, and it uses the MAC address of the system to generate a user ID, and it uses this particular user ID to encrypt all of your files. And the best thing about the REvil ransomware is that it has three keys that it uses: one is the file key, one is the system key and one is an affiliate key. When I say the file key, it is a combination with the hard-coded RSA key, and also one of the other keys is randomly, uniquely generated while the malware unpacks and executes. So they use a combination of this, and the key is used with the encryption Salsa20, which is closely related to ChaCha20, right? So both of them are stream ciphers. This is what gives them that capability: they use the stream ciphers and then they encrypt the required files, and once encrypted they also leave behind the readme.txt. So the readme.txt gives them details on where they should go about and contact and what is the ransom that they need, etc.; all these details are written out there. But this is mostly the skeleton or the schematics of how an attack would look with any ransomware. I spoke about Salsa20 and ChaCha20; that is with the REvil and DarkSide ransomwares, but LockBit uses AES, and there are different sorts of encryption in use, right? There are so many ransomwares in the industry, the ransomware industry. So the major factor that distinguishes these ransomwares is the fact that their encryption is different; otherwise, more or less, the entire workflow, the entire anatomy of an attack, looks the same. So it's only the encryption that really differentiates them. There are some ransomware attacks arising out of Europe which don't check for location settings like Russia and all of that, but they are not as impactful and they've not actually made as much noise as the ones coming out of Russia have made. And though they claim to be apolitical, we don't really know. DarkSide and REvil are related to each other because both of their ransomware encryptors are written in C. It is in C, it's basic, yes, but they want to evolve to using C++; that's what was told. And also the fact that these ransomwares, right, I mean what they currently do is just encrypt a certain number of files; what they really want to do is a complete denial of service like the sancrip ransomware does. So they want to make sure that the complete system is down and you're not really able to log into anything. So that is their aim, and the hacker group actually claims to be working on it, something that they're really looking forward to.

So you can know that ransomware, based on this discussion, is of two types: wherein you just lock out the system and cause a complete denial of service, or you just encrypt certain files. And encryption could be, again, for two reasons, right? I mean, they take some amount of files they have access to, they encrypt them and leave them on your system where you can't really access them, but at the back end they've already taken a copy, so they have access to it. So if it is confidential they could threaten to put it out on the dark web, on REvil's blog which is called the Happy Blog, and send out all your personal details, etc. So we've been told that most people pay because of this damage to reputation rather than actually details of data getting out in the system. So they've also hacked Apple; when I say hacked Apple, they've managed to gather some schematics related to a new product they were developing. They've also gathered details from Madonna, some celebrity-related items, and they've threatened to put it out, but then things happened and maybe they got the ransom and maybe they didn't; they didn't really post it. The thing about these big companies like Accenture, or maybe any other companies, is they don't really acknowledge the fact that there was damage that really occurred because of this ransomware. They come out and say, no, nothing happened, we have the best secure systems and we've got it covered ourselves, but we really know about all of those claims. So considering all of these, and the fact that they're so sophisticated and there are so many variants of these ransomware, do you really think you should be paying ransom? At least that's what Colonial Pipeline did, right? They went up front and paid the 70 million in cryptocurrency, although the FBI did try to get back more than 60 of it. But do you really think it's a good solution? No, right? The US Treasury did come back and, you know, actually put out a website, StopRansomware, and actually clearly called out: don't pay ransom. Despite that, businesses still pay for it, but it does not make sense to pay for it just because you have a cyber insurance that covers for ransomware. It does not make sense, because you've paid the ransom, right, you paid for the decryptor key, but do you really get the decryptor key back? That's one thing. And do you get the right one back? Even if you get the right one back, does it really work for you? No. REvil themselves have acknowledged that it does not always work. Why not? Because they clearly write in the readme text that if you've used a third-party software to somehow recover your files, it's always going to fail, because when the actual key is going to be used it is going to change the bits related to the keys which are stored in that file, and that is going to impact how you recover your file. And for all you know, like REvil vanished, they could just put out a ransomware and suddenly vanish one day, and even if you wanted to pay a ransom there's no way for you to pay the ransom and get the keys back. So it's not about money; there's so much more that we should be doing, and that is why NIST has a framework around this. I know NIST has a framework, like all of you must know, right, the Cybersecurity Framework, but this is applicable to ransomware too.

So what should we ideally be doing to prevent this, right? The first step is always the most difficult: to identify what we really need to protect. And when I say identify, we need to identify all our assets in the organization, all the systems, check whether they're patched, etc. And once we identify... we might identify it at a system level: okay, I have this laptop, great, I have this system, great. That's what most organizations do. But it's beyond that, right? When there is a ransomware attack you might want to regain your certificates, your network configurations, your hardware configurations, golden images, your source code, any algorithms that you have written, certificates; it could be all of these configurations, your AD/LDAP user configuration, your documents which have a playbook, which could also be your ransomware playbook; it could also be about who you would contact when such an event happens, such an incident happens. So you have a number of things that you will need to cover, and currently most organizations don't do that yet. So this is what the Identify stage does: you need to identify what really needs to be protected from ransomware and what exactly it is that you should be backing up. The whole protection framework for ransomware depends on backing up your critical data, so the fact that you identify the right data to back up becomes important with respect to ransomware. So we know that most people don't do this; that's why they're ready to go about and pay ransom. They don't want to acknowledge that they have not taken care to identify all of that in the first place, and then back up.

And second comes Protect, and this is a very difficult task, right? No matter how good you are, no matter what processes you have in place, n number of things you can do, all your SDL done rightly, you can have network security, you can have your app security done right; despite that there is always going to be some patch that you will have to apply, there is going to be a zero-day vulnerability. So you need to have a continuous and evolving process for how you would want to protect your systems, right? And most of these attacks, at least some of the attacks that REvil claims, they could get into the network in under three minutes, because they use some basic vulnerabilities: they hadn't closed a certain port, or some unused services on Citrix or on Pulse Secure, etc., which could have been taken care of in, like, a 30-minute job. So such things were not really taken care of. So protection becomes important from all angles: do your secure development, do your secure design, do your threat modeling, yes, and your testing. And it's not a process where you just go do all these verification activities; the loop has to be closed, right? Come back and fix whatever has been identified. What we've seen is that people do these activities as some sort of compliance and do not come back and close the loop in protecting things, in mitigating or fixing things. And also ensure, especially on Windows, don't use SMB version 1. Even after WannaCry, which happened because they were using SMB v1, still people use SMB v1, v2. So don't use it; use the latest version. Don't use older versions of RDP; ensure you follow the best practices of RDP. This becomes especially important in terms of Windows machines.

And then comes the Detect aspect. All of us are very good at detection; the first thing we would say is yes, we have our IDS and IPS systems in place in the network. So are they really enough? Not really, right? Because we would want systems, we would want a mechanism that identifies unintended encryption in the system; that's what a ransomware does. And how many of us even know such tools or such a capability is present, right? There's something called CryptoGuard, etc., which identifies these unintended encryptions within the system and rolls them back immediately. So we'll have to identify systems that use AI and ML and identify unintended encryption, or something that is constantly changing a file name or renaming it to some other extension or some other text, or constantly deleting something. We'll have to identify such activity and then put a stop to it right away. We need to use systems like CryptoGuard, etc. Currently this is a major gap. If we have this in place, I think most ransomware attacks could be prevented then and there, and we wouldn't really have to be in the place of actually paying an attacker for this. If Accenture were to be believed, if they're telling us the truth, which I hope they are, then I think they are good with this Detect mechanism, because they claim that they have cutting-edge detection capabilities and they were able to detect this activity, and that's how they could roll over and save themselves from a ransomware attack.

And Respond, again, depends on what you would do: you have a ransomware playbook. Cyber attacks are more in number than natural disasters these days, and a disaster recovery plan does not work as a cyber recovery plan. So you will need to have a different ransomware playbook: different contacts who would come into the picture, what it is that we are backing up, what it is that we are taking from backup, how many days would we wait, how would we sanitize the production that was impacted, and how will we get data from a backup system. All of these things will need to be called out, teams will need to be trained so that they don't panic when it actually happens, and it needs to be tested; the RTOs, RPOs, all of that captured correctly, and then work around the response plan for it: when an alert is generated, what do you do about it. All right, so the thing that most people do in response to this is go offline, which is great, yes, makes sense, go offline, but it's not just one thing, right? Colonial Pipeline did go offline, but what happened? They still went ahead and paid the ransom. So just going offline is not the solution. So how we want to respond should be documented, and you should be better prepared as to how you want to respond. And then comes the most important aspect, which is what we will look at in more detail: that is the Recovery. So I did say recovery is not really disaster recovery, right? It is different. So what is different about it?

The difference with cyber recovery is the fact that it is isolated. If you had your production connected to your disaster recovery, or any recovery, right, if your production is compromised it will eventually propagate to your recovery systems and it will also compromise that system. So that's what happens, and REvil is not dumb enough to not know that we use recovery systems, right? They're very well aware that all organizations use recovery, which is like the norm; it's common sense to use a disaster recovery, so they do know that. And also the fact that for a successful attack you should be able to consolidate all data, all tapes, all the storage servers, all of that, in one place and then have access to them; so that is the basic of an attack. So if you would still have your recovery connected to your production, it makes no sense. The whole point is to have an isolated solution which is outside of your production. When I say outside of production, it has to be both physical as well as logical: it's not just location, but in a different network itself, and how they're connected and when required, etc., all of that needs to be taken care of. And immutability: most disaster recovery systems are not immutable. When I say immutable: you can go about changing data in those disaster recovery systems. I could be the super admin of the disaster recovery system and I could actually go about changing data. Then what sense... I could be bought, right? So what sense does it make to have this fancy solution when I'm not even able to protect from insider attacks, etc.? So I need to have a solution which cannot be overwritten even by the admins and system users, etc. So that is one of the principles that I would need to keep in mind. And intelligence: yes, you can have all of these things, isolation, immutability, but hackers are constantly evolving, right? Most people look at this as just a security job, whereas the hacker is not looking at it as a job; for them it is more than that. We can't afford to look at it just like a job, but considering some of us did think that, and there's a gap, and malware or ransomware actually propagated to the cyber recovery also, so what happens in that case? How do you recover from it? Do you have intelligence to identify that? So that also defines your cyber recovery principles. So isolation, immutability and intelligence together define your cyber recovery solution. Maybe just having one or two is great as disaster recovery, but they don't become your cyber recovery solution. It is mandatory to have all three of these principles in place to achieve your cyber recovery solution, which again, I want to call out, is a lot different from your disaster recovery solution.

So, okay, I'm not stopping here for questions; I know a lot of you might have questions related to isolation, immutability and intelligence, but I think I will talk about this and I'll take questions at the end of it. Isolation, immutability and intelligence align to the Sheltered Harbor initiative in the US. Well, the Sheltered Harbor initiative is something in the finance industry; it talks about resiliency of all the systems handling banking and stocks and all of those things, and it came about in 2015, and it also came about with this set of guidelines and principles so that the general public, right, they have some amount of confidence in investing and also know that these systems are resilient. So they came about with these principles, and immutability, isolation and intelligence align to the Sheltered Harbor initiative. When you're looking for a cyber recovery solution in your system, it becomes important to know which of your providers, which of the vendors out there, are actually aligned to the Sheltered Harbor initiative. So let's talk about a typical implementation. So you have a data center and the production's there, and you also have a regular backup which is being collected, right? So your cyber recovery vault is in a different
location logically as well as physically uh the best thing is it is in a cage all right so it's so that nobody really enters it and all of that why i will come to that later so this cyber recovery board consists of a backup server it consists of a cyber recovery server and it also has a monitoring and reporting system also where you can continuously patch these systems you can lock and copy data so it is logically somewhere else and it only connects to your backup if you can see that it doesn't really connect to your production so it has to connect to your backup and and when i say connect to your backup it it has to be an automated air gap air gap is something where your network interfaces are disabled in such a way that most times these two systems are not communicating with each other so the data center and your cyber recovery world are two independent uh entities that are not communicating with each other because there's no network interface and there's no connection to talk to each other even when they're set up they're set up in such a way but you bring in a vendor who specializes in air gap solutions so that they let's say install a diode or something else on each of these entities that enables communication and and it's configured in such a way that only when you set a policy the policy runs and only during that the air gap opens and the backup is copied from a data center to the cyber recovery world so that's how it typically functions and takes all the backup regularly maybe every 12 hours it could be a full backup incremental backup whatever so that's how it functions let's say there's an actual ransomware attack that happened in production so what now okay so the air gap is closed there's it's no way going to really connect to the cyber recovery world but the production needs data from cyber recovery how would i connect to cyber recovery to recover this data so there's a ransomware playbook obviously and based on the ransomware playbook this production 
is sanitized you know you you run all your tools uh to ensure that it's deleted of all the malicious items on your desktop and all your systems and all of that and then there's this cyber recovery world which has the latest backup so the latest secure backup when i say secure backup it means that there has to be a full content analysis of the backup itself because you know there could be a slight chance that while the air gap was operational the ransomware propagated and came and sat here in the cyber recovery world so it becomes important to analyze that backup itself the full context analysis and i'm not just talking about metadata or header details but the full context analysis and and also compare with the previous version of the good backup and based on that comparison analyze you know use again heuristics machine learning ai to understand if it is compromised or not and then save a good copy of a backup already and when required you ensure that the air gap is open and the backup just goes from cyber recovery world to the data center backup and again restore to the production systems so you should know that right it is a unidirectional communication so when data is coming from the data center it is coming through a different channel whereas when data is going back to production is it's using a different channel so not using the same channel reduces your attack surfaces and is a best practice to follow and it's communication between backup to backup it can't be that some other system is trying to connect in between you you will not be able to introduce any other system uh within this communication channel uh or to either of these backups so that's how you would try and recover from a typical ransomware attack and what makes this solution better i mean yes on paper it looks good but there could be so many things that could go wrong with the cyber recovery vault itself so what are those things that you know is actually a solution differentiator multi-factor 
authentication you you can't have a cyber recovery solution which does not have multi-factor authentication right you you can't let if a hacker is able to brute force into production he or she would be able to brute force into cyber recovery too so you should be having multi-factor authentication with brute force as well as reverse brute force protection and also ensure that you're using lease privileges and segregation of privileges when i say segregation maybe have a different security officer and an admin uh that makes sense right because somebody is just taking care of security rules whereas somebody is just taking care of the admin activities so so that they don't really so that one person is not a malicious insider and causing harm to the entire solution so enforce complete mediation across the cyber recovery world so that is important despite having a cyber recovery solution and when we talk about immutability again it has to be a right ones read many that is the worm immutability only so there is no point having right many so it's your integrity is not maintained out here so it's important to have a warm immutability which is aligned to the security exchanges act in the u.s which talks about your backups being readily accessible for two years with immediate access and for the next six years with you know which can take some time and which is somewhere in the back up so your worm immutability should align to all of these compliances only then it makes sense you can claim to have warm immutability but if it does not align to these compliance it doesn't matter right maybe you're really saving it but you're not going to get that certification saying that your cyber recovery ready so it's important to have it and also its backups can there are so many different vendors out there some stores their backup and entries and some have a different format if your cyber recovery solution does not work with all of these backups you you will not have the scalability in 
your solution you will in case there is an attack on that particular backup software you will not be able to change it you will not be able to uh scale your systems um you know or evolve from the existing infrastructure so it's important to that your cyber recovery solution is also provides multi-vendor support and like i said your solution should align to sheltered harbor initiative and it should also validate all of the backup set uh to aid integrity like i said if the malware propagates to your backup too there's no point in having that cyber recovery solution so it's important before you give the backup back to production it's important to analyze it and then understand it and also you know if there's a key associated with store the key so that you'll be able to detect it in the future again within a less period of time and then only send the data back so that's important and there's also something called as the no more ransomware database where all of the keys of ransomwares are stored about so many different companies have used this database uh to unlock their ransomware so i think it will be a good contribution to that database if you can identify the keys of a ransomware and provide it so that other companies who for whatever reason don't have a cyber recovery solution etc can use the keys on that database and try to save themselves from this ransomware attack and the next stage would be automated air gap i mean i think it looks this looks like unicorn to me because yes ransomware you should be aware that your production systems are sanitized completely and only then you would want to go ahead and take a backup of the data but i think an ideal solution would be to have an automated air gap where you have no manual intervention but it's still secure enough that once a ransomware attack has happened and the systems has been sanitized uh there's an automated air gap opening which brings in your backup i think this will require a lot of security controls in 
place to be very confident about but i think is a good solution differentiator and i think it's really great to have in a solution especially in something like cyber recovery because you don't want to the average wait time in recovering from ransomware attacks has been about 73 days so you don't want to your business to stop for those 73 days right you would want it to be much quicker so i think with automated air gap we will be able to reduce that timeline so it will be good to have that air gap too so this is what i had in terms of cyber recovery and how we could recover using this solution in terms of an ongoing ransomware attack so do you have any questions at all i know i think i will ask for them because i wanted to give you time for some questions and answers considering it's a friday i'll stop sharing and you can let me know if you have any questions uh thank you ashwani for this amazing informative session i am sure our participants must have found some important knowledgeable inputs from it um if anybody has any questions they can drop it in the chat box okay no questions that's good okay so yeah it looks like there are no questions uh so i would like to thank you once again and uh thank you all for your participation in today's webinar session uh we have our next session by shivam shankar singh and anand where they discuss their upcoming book uh how information what shapes your world uh it is happening tomorrow that is 58th august at 11 a.m and thank you so much that concludes our session bye everyone
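Two of the ideas in the talk above, the detection of unintended encryption (files renamed to a new extension, content overwritten, files deleted in bulk) and the full-content comparison of a candidate backup against the last known-good copy before the vault promotes it, worked through in one script. This is an added example by the editor, not code from the talk, from the speaker or from any vendor product. The snapshot contents, file names, suspect-extension list, ransom-note name hints and the entropy and ratio thresholds are all constructed assumptions for illustration:

```python
"""Compare a candidate backup against the last known-good copy and flag
ransomware indicators before the copy is promoted inside the recovery vault.

Added example for this page; not code from the talk or from any product.
Snapshots are in-memory {path: bytes} dicts constructed below; thresholds
and indicator lists are assumptions chosen for illustration.
"""
import hashlib
import math
import os
from collections import Counter
from dataclasses import dataclass, field

# Assumed indicator lists: extensions ransomware families commonly append,
# and name fragments typical of ransom notes. Tune both to your environment.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc", ".crypted"}
NOTE_NAME_HINTS = ("decrypt", "restore", "recover", "readme")
HIGH_ENTROPY = 7.5    # bits/byte; encrypted or compressed data sits near 8
LOW_ENTROPY = 6.0     # documents, source and CSV usually sit well below this
SUSPECT_RATIO = 0.10  # share of files affected before the backup is rejected


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Findings:
    renamed: list = field(default_factory=list)        # (old_path, new_path)
    entropy_jumps: list = field(default_factory=list)  # encrypted in place
    deleted: list = field(default_factory=list)        # gone, no renamed successor
    ransom_notes: list = field(default_factory=list)   # new note-like files
    total_files: int = 0

    @property
    def affected(self) -> int:
        return len(self.renamed) + len(self.entropy_jumps) + len(self.deleted)

    @property
    def verdict(self) -> str:
        """'suspect' blocks promotion of the copy; 'clean' allows it."""
        if self.ransom_notes:
            return "suspect"
        if self.total_files and self.affected / self.total_files >= SUSPECT_RATIO:
            return "suspect"
        return "clean"


def analyse_backup(good: dict, candidate: dict) -> Findings:
    """Content-level diff of candidate against the last good copy."""
    f = Findings(total_files=max(len(good), 1))
    gone = set(good) - set(candidate)
    added = set(candidate) - set(good)

    # Rename detection: "report.xlsx" vanishes and "report.xlsx.locked" appears.
    for new_path in sorted(added):
        root, ext = os.path.splitext(new_path)
        if ext.lower() in SUSPECT_EXTENSIONS and root in gone:
            f.renamed.append((root, new_path))
            gone.discard(root)
        elif any(h in os.path.basename(new_path).lower() for h in NOTE_NAME_HINTS):
            f.ransom_notes.append(new_path)
    f.deleted = sorted(gone)

    # In-place encryption: same path, content went from document-like to ciphertext-like.
    for path in set(good) & set(candidate):
        before, after = good[path], candidate[path]
        if before != after and shannon_entropy(before) < LOW_ENTROPY \
                and shannon_entropy(after) > HIGH_ENTROPY:
            f.entropy_jumps.append(path)
    f.entropy_jumps.sort()
    return f


def ciphertext_like(seed: str, n: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file (constructed)."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def document_like(label: str) -> bytes:
    """Low-entropy text standing in for an ordinary document (constructed)."""
    return (f"{label}: quarterly figures, region, unit, revenue, cost, margin\n" * 60).encode()


# Constructed snapshots: the last good copy and a candidate taken after an intrusion.
GOOD = {
    "finance/q1.xlsx": document_like("q1"),
    "finance/q2.xlsx": document_like("q2"),
    "hr/payroll.csv": document_like("payroll"),
    "docs/policy.txt": document_like("policy"),
    "docs/minutes.txt": document_like("minutes"),
}
ATTACKED = {
    "finance/q1.xlsx.locked": ciphertext_like("q1"),
    "finance/q2.xlsx.locked": ciphertext_like("q2"),
    "hr/payroll.csv": ciphertext_like("payroll"),  # encrypted in place, name kept
    "docs/policy.txt": GOOD["docs/policy.txt"],
    "RESTORE_FILES.txt": b"Your files are encrypted. Contact us to decrypt.\n",
}  # docs/minutes.txt is simply gone
BENIGN = dict(GOOD, **{"docs/policy.txt": document_like("policy v2")})

if __name__ == "__main__":
    for name, cand in (("attacked", ATTACKED), ("benign", BENIGN)):
        r = analyse_backup(GOOD, cand)
        print(name, r.verdict, r.renamed, r.entropy_jumps, r.deleted, r.ransom_notes)
```

The check is deliberately a heuristic first pass of the kind the talk describes: it looks at content, not just metadata, and it compares against the previous good copy rather than judging the candidate in isolation. In a real vault it would sit beside signature scanning of the backup set and a catalog-integrity check, and the `readme` hint in particular needs tuning so that ordinary README files do not trip it.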
Info
Channel: nullcon
Views: 197
Rating: 5 out of 5
Keywords: ransomware, infosec, information security, security research, security researcher, dell, dell emc, critical infrastructure
Id: xWtjNp_E3Dk
Length: 49min 57sec (2997 seconds)
Published: Wed Sep 22 2021