Malware and Ransomware Defense Strategies
16 Questions
Questions and Answers

What is the primary goal of detecting how malware breaks in?

  • To identify the initial root cause exploit (correct)
  • To understand the type of malware
  • To detect the malware itself
  • To detect the dwell time of the malware

According to Roger Grimes, what are the top two ways malware breaks in for most organizations?

  • Denial of service and physical attacks
  • Human error and insider attacks
  • Social engineering and unpatched software (correct)
  • Programming bugs and zero-day vulnerabilities

What is the recommended approach to detect how long malware has been dwelling in the system?

  • Conduct regular system updates and patching
  • Monitor system configurations and user activity
  • Use an application control/whitelisting tool in audit-only mode (correct)
  • Analyze antivirus/malware detection reports

What is the primary purpose of taking regular system snapshots in AppLocker?

  Answer: To establish a baseline for malware detection

What is the purpose of taking a baseline snapshot of authorized programs?

  Answer: To detect unauthorized program executions

What is the benefit of cross-referencing malware removal events with first execution times?

  Answer: To determine the dwell time of the malware

What type of ransomware can be used to demonstrate AppLocker's capabilities?

  Answer: Cryptic ransomware

What is the primary goal of implementing application whitelisting?

  Answer: To prevent unauthorized program executions

What do AppLocker 803 events indicate?

  Answer: When a program was allowed to run but would have been prevented from running if the AppLocker policy was in force

What is the recommended approach to understand the typical infection vectors of malware?

  Answer: All of the above

What is the time between when malware was first executed and when it was detected and removed by antivirus software called?

  Answer: Malware dwell time

What is the main difference between detecting how malware breaks in and detecting dwell time?

  Answer: The goal of the detection

What is recommended to turn on for all computers in an organization?

  Answer: AppLocker

What can be used to obtain malware samples for demonstration purposes?

  Answer: Malshare.com

What can be created to automate the process of detecting and removing malware?

  Answer: A security workflow

What type of devices are vulnerable and should be kept fully patched and isolated from other devices on the network?

  Answer: IoT devices

Study Notes

Malware and Ransomware Defense

• Roger Grimes has 33 years of computer security experience and has written 12 books and over 1,000 magazine articles

• The two best ways to stop malware are:

  • Detect how malware is breaking in (the initial root cause exploit)
  • Detect how long malware has been dwelling in the system before detection and removal

• The top 10 ways malware breaks in:

  • Programming bugs/unpatched software
  • Zero-day vulnerabilities
  • Social engineering (emails, websites, voice/SMS phishing)
  • Authentication attacks (password guessing, pass-the-hash)
  • Human error/misconfigurations
  • Eavesdropping on network traffic
  • Denial of service/traffic malformation
  • Insider attacks
  • Third-party reliance issues
  • Physical attacks

• For most organizations, the top 2 ways malware breaks in are:

  • Social engineering (70-90% of breaches)
  • Unpatched software (20-40% of breaches)

• To detect how malware is breaking in:

  • Analyze your own antivirus/malware detection reports
  • Research the top detected malware to understand their typical infection vectors
  • Interview users, check logs, and review system configurations

• To detect dwell time (how long malware was present):

  • Use an application control/whitelisting tool in audit-only mode
  • Take a baseline snapshot of authorized programs
  • Monitor and log new program executions that deviate from the baseline
  • Cross-reference malware removal events with first execution times

• This allows identifying how malware got in and how long it was present before detection

• Recommendations:

  • Implement application whitelisting (e.g. AppLocker, Windows Defender Application Control) in audit mode
  • Take regular system snapshots to establish a baseline
  • Analyze logs to track new program executions and correlate with malware removals
  • Combine this with robust patching, security awareness training, and incident response

AppLocker Demo

• AppLocker is a free utility from CIS Internals that can be used to monitor and control executable files on a system.

• To enable AppLocker, use gpedit.msc and configure it to audit only, then create executable rules and generate a baseline.

Malware Demonstration

• Malware samples can be obtained from Malshare.com, a website that provides tens of thousands of malware samples for demonstration purposes.
• Cryptic ransomware is a type of malware that can be used to demonstrate AppLocker's capabilities.

AppLocker Event Log

• The AppLocker event log shows operations, new events, and 803 events, which indicate when a program was allowed to run but would have been prevented from running if the AppLocker policy were in force.
• The 803 event log is used to identify when malware was executed and when it was detected and removed by antivirus software.

Malware Dwell Time

• Malware dwell time is the time between when malware was first executed and when it was detected and removed by antivirus software.
• By collecting AppLocker 803 events, antivirus program logs, and other data, it is possible to calculate the dwell time of malware on a system.
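The dwell-time calculation described above, as an added example that is not part of the lesson: it takes AppLocker audit events (the "allowed but would have been blocked" event, whose actual Event ID in the AppLocker EXE and DLL log is 8003), drops anything already in the baseline snapshot, finds the first execution per binary, and cross-references it with antivirus removal events. All event lines, paths and timestamps are constructed; the (timestamp, path) tuple shape is an assumption about how the events were exported.

```python
from datetime import datetime

# Constructed AppLocker audit events (Event ID 8003) exported as (timestamp, path).
# The real events live in Microsoft-Windows-AppLocker/EXE and DLL; these are made up.
APPLOCKER_8003 = [
    ("2024-03-01T09:12:04", r"C:\Users\alice\AppData\Local\Temp\invoice.exe"),
    ("2024-03-01T09:12:05", r"C:\Users\alice\AppData\Local\Temp\invoice.exe"),
    ("2024-03-03T14:30:00", r"C:\Program Files\Vendor\update.exe"),
    ("2024-03-04T08:01:10", r"C:\Users\bob\Downloads\setup_crack.exe"),
]

# Constructed baseline snapshot of authorized programs, taken before audit mode began.
BASELINE = {r"C:\Program Files\Vendor\update.exe"}

# Constructed antivirus removal events: (timestamp, path of the removed file).
AV_REMOVALS = [
    ("2024-03-05T10:45:00", r"C:\Users\alice\AppData\Local\Temp\invoice.exe"),
    ("2024-03-06T07:00:00", r"C:\Users\carol\Desktop\old_tool.exe"),
]


def first_executions(events, baseline):
    """Earliest 8003 event per path, ignoring binaries that are in the baseline."""
    first = {}
    for ts, path in events:
        if path in baseline:
            continue
        t = datetime.fromisoformat(ts)
        if path not in first or t < first[path]:
            first[path] = t
    return first


def dwell_times(events, removals, baseline):
    """Map each removed path to its dwell time as a timedelta, or None when no
    first-execution event exists (for example, it ran before auditing started)."""
    first = first_executions(events, baseline)
    result = {}
    for ts, path in removals:
        removed = datetime.fromisoformat(ts)
        result[path] = (removed - first[path]) if path in first else None
    return result


def unremoved_new_executables(events, removals, baseline):
    """New executables that ran but were never removed by AV: these deviate from
    the baseline and need review (unapproved software or undetected malware)."""
    removed = {path for _, path in removals}
    return sorted(p for p in first_executions(events, baseline) if p not in removed)
```

A removal with no matching first execution (old_tool.exe here) means the dwell time is unknown rather than zero; report it separately instead of silently dropping it.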

Security Workflow

• A security workflow can be created to automate the process of detecting and removing malware, including sending automated emails to victims and generating reports on dwell time.
• The workflow can also be used to identify how malware got into the system and to modify training and defenses accordingly.

AppLocker Configuration

• The AppLocker service should be set to automatic to ensure that it is always running.
• AppLocker can be configured using Group Policy and Active Directory.
• It is recommended to turn on AppLocker for all computers in an organization, as it does not degrade performance significantly.

Frequently Asked Questions

• AppLocker can be used on Windows servers, and it is recommended to use it on servers even more than on workstations.
• Linux and Apple devices can also be hacked, but they are typically less targeted by ransomware.
• IoT devices are vulnerable and should be kept fully patched and isolated from other devices on the network.


Description

Learn from Roger Grimes, a computer security expert, about the best ways to stop malware and the top 10 methods malware uses to break into systems.
