
Malware and Ransomware Defense Strategies

PermissibleSeal

16 Questions

What is the primary goal of detecting how malware breaks in?

To identify the initial root cause exploit

According to Roger Grimes, what are the top two ways malware breaks in for most organizations?

Social engineering and unpatched software

What is the recommended approach to detect how long malware has been dwelling in the system?

Use an application control/whitelisting tool in audit-only mode

What is the primary purpose of taking regular system snapshots in AppLocker?

To establish a baseline for malware detection

What is the purpose of taking a baseline snapshot of authorized programs?

To detect unauthorized program executions

What is the benefit of cross-referencing malware removal events with first execution times?

To determine the dwell time of the malware

What type of ransomware can be used to demonstrate AppLocker's capabilities?

Cryptic ransomware

What is the primary goal of implementing application whitelisting?

To prevent unauthorized program executions

What do App Locker 803 events indicate?

When a program was allowed to run but would have been prevented from running if the App Locker policy was in force

What is the recommended approach to understand the typical infection vectors of malware?

All of the above

What is the time between when malware was first executed and when it was detected and removed by antivirus software called?

Malware dwell time

What is the main difference between detecting how malware breaks in and detecting dwell time?

The goal of the detection

What is recommended to turn on for all computers in an organization?

App Locker

What can be used to obtain malware samples for demonstration purposes?

Malshare.com

What can be created to automate the process of detecting and removing malware?

A security workflow

What type of devices are vulnerable and should be kept fully patched and isolated from other devices on the network?

IoT devices

Study Notes

Malware and Ransomware Defense

  • Roger Grimes has 33 years of computer security experience and has written 12 books and over 1,000 magazine articles

  • The two best ways to stop malware are:

    • Detect how malware is breaking in (the initial root cause exploit)
    • Detect how long malware has been dwelling in the system before detection and removal
  • The top 10 ways malware breaks in:

    • Programming bugs/unpatched software
    • Zero-day vulnerabilities
    • Social engineering (emails, websites, voice/SMS phishing)
    • Authentication attacks (password guessing, pass-the-hash)
    • Human error/misconfigurations
    • Eavesdropping on network traffic
    • Denial of service/traffic malformation
    • Insider attacks
    • Third-party reliance issues
    • Physical attacks
  • For most organizations, the top 2 ways malware breaks in are:

    • Social engineering (70-90% of breaches)
    • Unpatched software (20-40% of breaches)
  • To detect how malware is breaking in:

    • Analyze your own antivirus/malware detection reports
    • Research the top detected malware to understand their typical infection vectors
    • Interview users, check logs, and review system configurations
  • To detect dwell time (how long malware was present):

    • Use an application control/whitelisting tool in audit-only mode
    • Take a baseline snapshot of authorized programs
    • Monitor and log new program executions that deviate from the baseline
    • Cross-reference malware removal events with first execution times
  • This allows identifying how malware got in and how long it was present before detection

  • Recommendations:

    • Implement application whitelisting (e.g. AppLocker, Windows Defender Application Control) in audit mode
    • Take regular system snapshots to establish a baseline
    • Analyze logs to track new program executions and correlate with malware removals
    • Combine this with robust patching, security awareness training, and incident response

App Locker Demo

  • App Locker is a free utility from CIS Internals that can be used to monitor and control executable files on a system.

  • To enable App Locker, use gpedit.msc and configure it to audit only, then create executable rules and generate a baseline.

Malware Demonstration

  • Malware samples can be obtained from Malshare.com, a website that provides tens of thousands of malware samples for demonstration purposes.
  • Cryptic ransomware is a type of malware that can be used to demonstrate App Locker's capabilities.

App Locker Event Log

  • The App Locker event log shows operations, new events, and 803 events that indicate when a program was allowed to run but would have been prevented from running if the App Locker policy was in force.
  • The 803 event log is used to identify when malware was executed and when it was detected and removed by antivirus software.

Malware Dwell Time

  • Malware dwell time is the time between when malware was first executed and when it was detected and removed by antivirus software.
  • By collecting App Locker 803 events, antivirus program logs, and other data, it is possible to calculate the dwell time of malware on a system.
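The dwell-time procedure above (baseline snapshot, audit-mode execution events, correlation with AV removals) as an added example that is not part of the original notes or the talk. It runs over a constructed CSV-style export; Windows records the audit-mode "would have been blocked" event the notes call 803 as AppLocker event ID 8003, and Defender's 1117 "action taken" event is assumed here as the removal marker.

```python
from datetime import datetime
# Constructed sample export (not real logs): time, host, source, event id, path.
# AppLocker logs 8003 ("allowed to run, would have been blocked") with upper-case
# %OSDRIVE% paths; the Defender 1117 line stands in for the AV removal record.
EXPORT = r"""
2024-03-01T08:15:00Z,WS01,AppLocker,8003,%OSDRIVE%\USERS\ALICE\APPDATA\LOCAL\TEMP\INVOICE.EXE
2024-03-01T09:00:00Z,WS01,AppLocker,8003,%OSDRIVE%\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\WINWORD.EXE
2024-03-02T11:30:00Z,WS01,AppLocker,8003,%OSDRIVE%\USERS\ALICE\APPDATA\LOCAL\TEMP\INVOICE.EXE
2024-03-03T14:05:00Z,WS02,AppLocker,8003,%OSDRIVE%\USERS\BOB\DOWNLOADS\UPDATE.EXE
2024-03-04T17:02:00Z,WS01,Defender,1117,C:\Users\alice\AppData\Local\Temp\invoice.exe
"""
# Constructed baseline snapshot of authorized programs, stored in normalized form.
BASELINE = {("WS01", r"c:\program files\microsoft office\root\office16\winword.exe")}

def normalize_path(path):
    """Map AppLocker's %OSDRIVE% prefix to C: and lower-case, so both logs compare equal."""
    return path.replace("%OSDRIVE%", "C:").lower()

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, host, source, event_id, path = line.split(",", 4)
        events.append({"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "host": host, "source": source, "id": int(event_id),
                       "path": normalize_path(path)})
    return events

def first_executions(events, baseline):
    """Earliest 8003 time per (host, path) for programs that are not in the baseline."""
    first = {}
    for e in events:
        key = (e["host"], e["path"])
        if e["source"] == "AppLocker" and e["id"] == 8003 and key not in baseline:
            first[key] = min(first.get(key, e["time"]), e["time"])
    return first

def dwell_times(events, baseline):
    """Hours from first non-baseline execution to AV removal; None = not yet removed."""
    first = first_executions(events, baseline)
    result = {key: None for key in first}
    for e in events:
        key = (e["host"], e["path"])
        if e["source"] == "Defender" and e["id"] == 1117 and key in first:
            result[key] = (e["time"] - first[key]).total_seconds() / 3600
    return result

if __name__ == "__main__":
    for (host, path), hours in dwell_times(parse_events(EXPORT), BASELINE).items():
        print(host, path, "still present" if hours is None else f"{hours:.1f} h dwell")
```

Programs in the baseline never appear in the report, and a non-baseline program with no matching removal is reported as still present, which is the case an analyst should follow up on.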

Security Workflow

  • A security workflow can be created to automate the process of detecting and removing malware, including sending automated emails to victims and generating reports on dwell time.
  • The workflow can also be used to identify how malware got into the system and modify training and defenses accordingly.

App Locker Configuration

  • The App Locker service should be set to automatic to ensure that it is always running.
  • App Locker can be configured using Group Policy and Active Directory.
  • It is recommended to turn on App Locker for all computers in an organization, as it does not degrade performance significantly.

Frequently Asked Questions

  • App Locker can be used on Windows servers, and it is recommended to use it on servers more than workstations.
  • Linux and Apple devices can also be hacked, but they are typically less targeted by ransomware.
  • IoT devices are vulnerable and should be kept fully patched and isolated from other devices on the network.

Learn from Roger Grimes, a computer security expert, about the best ways to stop malware and the top 10 methods malware uses to break into systems.
