Understanding Ransomware: Why It Matters and How It’s Changing
Check out these key moments from our recent webinar, Understanding Ransomware: Why It Matters and How It’s Changing, featuring experts in the cybersecurity field:
- Pouya Ghotbi, Associate Director of the Master’s in Cybersecurity program, St. Bonaventure University
- Brian Kellogg, Director of Technology, Infrastructure, and Security, St. Bonaventure University
Katie Macaluso: I'm sure we'll still have a few more joining us as everyone gets in. But I know we have a full presentation planned for today, so I do want to go ahead and get started quickly here. I'm Katie. Welcome again. Thank you for joining us today for our webinar. This webinar today is presented by the online graduate cybersecurity programs at St. Bonaventure University. Before we jump in, and go ahead and switch to that slide, we do have a few quick housekeeping items.
All attendees are muted for this webinar. So if you do have any concerns, please use the chat box, if you can't hear us or anything like that, and we'll get that resolved. Also, if you have any questions throughout the presentation, there's a Q&A box on your screen as well. We'll likely save all those questions for the end, but we will reserve time to do so at the end of the presentation. And then I do have a note here, this event is being recorded for future viewing. So we will send out an email with that recording link tomorrow.
So with that said, let's go ahead and switch over to the speakers for today.
With us today we have Pouya Ghotbi, an accomplished security professional with over 20 years of experience in IT and cybersecurity. His area of expertise is secure digital transformation for top tier global organizations. Pouya is a Security Risk and Compliance Advisor for Amazon Web Services, and the Associate Director of the Master of Cybersecurity Program at St. Bonaventure University.
And then we also have with him Brian Kellogg, who is Director of Technology, Infrastructure, and Security at St. Bonaventure University. He has worked in various roles including Help Desk, Server Admin, Network Engineer, Developer, Security Analyst, Lead Threat Hunter and Vice President of Engineering at LEO Cybersecurity.
So thank you all so much for joining us today. I'm going to go ahead and pass this over to Pouya to go ahead and get us started.
Pouya Ghotbi: Thank you so much, Katie.
And, hi, everyone. Ransomware is a word that we're hearing all the time these days. I think it was around the 7th of May that we all heard in the news about an attack on Colonial Pipeline. Some of you on the East Coast actually have been affected by that particular attack, with the fuel prices rising or certainly shortage of supply, for a few. And then that was when a lot of people have started talking about ransomware.
And then, for the past couple of years, we can see a massive increase on ransomware attacks. So a lot of my students and a lot of people in industry, they were asking about, what is ransomware? Why we can see a lot of ransomware attacks these days, what motivates attackers to do ransomware? And how does it actually work? So the intention for today's webinar is to walk you through what ransomware actually is, how does it work?
And what are the tools and techniques that we're going to use to prevent and mitigate ransomware attacks. And then that would be the first half of the webinar. And the second half, Brian is going to take us to through a case study with the Kaseya attack, one of the recent ones that was global, and it was massive, including like everyone was involved to mitigate it, even FBI was involved. So, that would be very interesting story to hear.
So Alex is a security consultant, and the board have asked him to put together a plan to basically mitigate ransomware attacks. So they know that there's a lot of ransomware attacks happening, and they just want to be able to prevent those attacks.
And in case those attacks happen, remediate the company from those attacks. He's facing a lot of challenges. He doesn't know where to start. He doesn't even know how exactly ransomware works. So today, we're going to see what his journey is and how he's going to come up with that plan. So just to give you an idea on how ransomware works, I have downloaded and you can see in this video, I have downloaded a sample ransomware and I just want to show you how it works.
So you can see there a lot of files that a normal user may have. You may have documents, you may have photos, you may have all sorts of things. So the ransomware sample that I've got here, if you just run it, and this can be anything, it might be a piece of software that you download, you may need a PDF editor, you just go online, you download it, you don't even know what it is.
And as soon as you run, this is how ransomware works. As soon as it runs, it starts encrypting all the files on this machine. So you will notice, immediately what happens after it runs and it is successful, the extensions of those files have changed.
And one of the first things that changes is the background.
Because what the attackers want to do, they just want to show you that or grab your attention. And then there's a text file on the desktop that explains what exactly happened, and what are the steps that you have to take to pay the ransom.
So if we now try to open this file, it doesn't matter what you do, even if you change the extension of the file, none of that is going to work.
So you can see, you change the extension back to PDF, but you can't really read these files because they're all encrypted.
So typically what happens, the extension of the file is usually a reference for that particular victim. So when you go back, you try to pay the ransom, they know who the customer is, what key is being used for encryption of data. So this is what it looks like, it actually looks quite simple. But what happens behind the scenes and how this attack is initiated and executed is there's a lot of complexity behind it. But at a high level, let's see how it works, how a ransomware attack works.
So what happens there is an initial foothold, the victim downloads the ransomware. And that download might be through different means, like it might be an email that comes through with an attachment or a link, and the user clicks on the link or downloads the attachment, opens the attachment. It might be an exploit in a particular software vulnerability that hasn't been fixed. And attackers use those vulnerabilities to drop the ransomware into the machine.
Or you might have a worm that goes through the network from one machine to another and infects the whole network. After they've landed, the first thing they do, the tool tries to communicate back to the command and control server. So this is the server that attackers use to distribute and generate this public key. So if you're familiar with encryption, with asymmetric encryption, we've got a public key and a private key.
So what they do they keep the private key to themselves, they push the public key down to the ransomware tool, and the ransomware tool uses that public key to encrypt the data. After the data is encrypted, then the instructions that you saw in the video, usually it's a text file, it guides the users to how to go and pay that ransom. Usually, typically using cryptocurrencies, because that's the kind of track no one can track them really.
And then after the ransom is paid, the attackers will hand out the private key back to the victim and the victim can use that private key and a tool, a decryptor tool, to basically decrypt and get the data back. So at a high level, this is how ransomware works. So now, if you look at the evolution of ransomware and the history of ransomware, it's actually quite old.
It goes back to 1989. That's where the first time this idea, excuse me, came to someone's mind that we can encrypt someone's data or a disk completely. It wasn't commercial, and it wasn't really something that attackers looked at, because there was no economy behind it and we will talk about the economy in the next slide. But it was around 2014 that the ransomware CryptoLocker, which was one of the first well known ransomware, came out, and Locky.
So they were the two main ones that a lot of people were looking at. But although it was early days of ransomware, attackers didn't really want to gain a lot of financial advantage of this ransomware, it was more targeting individuals and their machines. But then around 2017, that's when WCry and NotPetya, the mass ransomware attacks and incident changed the world.
And if you look at what's happening in the past couple of years, it's becoming a massive industry. And attackers are using ransomware to essentially earn money. That's one of the main reasons that they do this. So if you joined us in the previous webinar that we had around, basically, the Darknet and what transactions happen in the Darknet, the data that is being sold in the Darknet, you realize that sometimes attackers steal data and they try to sell that data.
But sometimes it's not really valuable. It takes a lot of time and effort to go in to steal the data and sell it, while it may not be as valuable as they think. But in case of ransomware, it is quite simple. Like if you're a company that your business is really important to you and business continuity is very important to you. And then ransomware attacks hits you and you need to restore your services as soon as possible, you may prefer actually to pay that ransom and get your data back.
That means the turnaround to get the money is much faster. That's why we can see a lot of ransomware attacks these days. The other thing that probably around the last year has changed is there's been, again, another change of direction for ransomware attacks. We will talk about different types of ransomware attacks. But essentially what attackers are doing now, when they get into the machine, they steal the data, and they encrypt the data, both at the same time.
So they've gotten leverage, and they're forcing organizations to pay the ransom faster, so that it's now getting even more complex. So talking about the economy around ransomware, we've got some shocking stats here.
And this is only related to the United States. And if you look globally at what's happening, it's even worse. So a couple of stats I want to go through which are interesting. Average downtime due to ransomware is 21 days. That means if an organization is hit by a ransomware attack, on average, it takes 21 days to recover and go back to normal operations. But to fully recover, it actually takes around a year, 287 days on average it takes for an organization to fully recover.
In 2020, around $350 million have been paid as ransom to attackers. So you can now see the economy is now boosting for attackers. And this is like around a 300% increase. And I'm sure in 2021, it's going to be even more than that. And an average payment is around $300,000 that they're asking an organization to pay. So think about it from an attacker's point of view, you've got a ransomware tool that you're dropping, you developed it once, it's very hard to be detected initially, if it's zero day and no one knows about it, and you can collect a lot of money in the first go.
The other aspect that I want to talk about is in 2020, around 2,400 US based government agencies, healthcare facilities, schools, were victims of ransomware. So, these are the verticals that we see a lot of movement and a lot of, basically a targeted attacks. And the reason for that is, think about a hospital, if a hospital you know operation is disrupted, especially in the time like COVID now, the effects can be fatal.
The chances of the victim paying ransom in an organization like healthcare or government is even higher, or schools. So that's why we see a lot of movement, but that doesn't mean that it's targeted to those verticals. We can see ransomware in every single vertical, every type of company, energy companies that we talked about, Colonial Pipeline, that there was an attack.
Kaseya that Brian's going to talk about. It's a supply chain attack. So they target a service company, that service is a lot of other companies, that's why it makes it easier for them to go and get access to other networks. One other thing about economy I just want to mention is in the Darknet, and in the attackers community, there is now ransomware as a service. So that means you can just, if you're an attacker, you've got a particular goal that you want to achieve.
You can go and rent ransomware, like use ransomware as a service, and another attacker is going to run it for you. There's a whole business behind it. So when you think about attackers, they're not individuals. They're not script kiddies sitting and trying to attack you. They're formalized organizations, and they've got a lot of motivation and a proper business plan behind what they do. But a lot of people are confused and say, "But I've heard of malware, how is malware different from ransomware?" Let's try to clarify this before we move forward.
So malware is a generic term. All types of malicious programs, we typically call them malware. Whereas ransomware is a type of malware that's got a specific target. So the two main types, Crypto and Locker. So Crypto is the type of malware that we talked about, it encrypts the disk. Locker prevents users from accessing the systems. Therefore, by paying ransom, you can go back and sort of get access back to your systems.
The chances of recovering from Locker are more than Crypto. But like in some cases, attackers prefer to use Locker or Crypto, or in other cases both at the same time. Malware typically, it infects system files and directories and registry and that sort of thing. Ransomware is more around encrypting files. Malware can replicate itself between files and programs, whereas ransomware blocks access to those files.
So it's not the intention of ransomware to replicate itself, but what we can see with the new generation of ransomware, they've got a mix of that as well. They land, they replicate themselves, and after establishing the network, they start encrypting the data. Malware piggybacks on malicious links, emails, attachments, social media messages. Ransomware is pretty much the same, a lot of social engineering attacks are used for ransomware.
Because one of the aspects of it is like if I can get access to an employee within an organization, and usually through social engineering, it might be easier, then my chances of encrypting the organization's data is higher. Then again, for malware you've heard different terms: virus, Trojan, Spyware, Adware, but Ransomware is a new type of malware. Talking about how ransomware works, I just want to clarify a little bit around the life cycle.
And this is supposed to be attack life cycle not attach. So there's an initial distribution, that we've got the ransomware, someone clicks on a link, or there's an attachment in an email, and then the machine is infected. After infection, communication to the command and control server, we talked about that. Then it searches for the files on the operating system. So it grabs a full list of files on the operating system and what needs to be encrypted.
The interesting thing about ransomware is it won't encrypt system files that are required for the system to run. Because they still want you to be able to access those instructions. So they don't want to encrypt everything, they want to encrypt documents and data that potentially are important to you, but in a way that you can still operate. And once you've paid the ransom and you get the keys, you are able to decrypt the files. So, that File Search is quite important.
The other thing I was wanting to mention is the initial, like the early generations of ransomware, as soon as they hit, they encrypt, but they don't do it now. So they do the file search, they probably replicate themselves, and then after they've established and they make sure that they're not detected, then they start encrypting. And the reason behind that is, if they encrypt a machine as soon as they land in a network, then that means now the organization knows about the ransomware.
And then they can contain it and we'll talk about prevention and mitigation, but eventually what happens if they detect it early, the chances of them paying ransom is less. Because if you lose five machines in your level you probably won't care. But if you lose all the machines within your network or the sensitive machines, you probably pay that ransom. So they want to remain undetected, they want to make sure that they've got access to all the machines as far as much as possible, then they start encryption, and then after that it's just a ransom.
Talking about ransom demand, there's a whole industry, I was talking to Brian before on this topic. There's a whole industry behind paying ransom, and the companies that they actually negotiate on behalf of organizations. A lot of the times, let's say a smaller organization or even bigger organizations, they may not have access to cryptocurrencies to pay, or they may not know how to communicate or negotiate with attackers. Brian's going to talk about that a little bit more.
So an interesting sort of image that you can see here, the Ransomware Families.
This is between 2019 and 2020. So these are the main families of ransomware that we have out in the world. And each ransomware family, the way they work is different. The tactics and techniques they use are different. Knowing what type of ransomware has hit an organization is going to help with mitigation. But eventually, at the end of the day, all of them they encrypt data. How they do it, how they learn how to do the file search, that's the difference.
So you've got a QR code. Even for those of you that are watching this later on recorded you can scan this QR code. Go to this particular article and learn about these ransomware families, very interesting. All right.
So one of the aspects that is very important when it comes to ransomware is how do we know and what do we need to know to be able to protect against ransomware? So we typically refer to these as threat intelligence. So what we want to know is the tactics, the techniques and the procedures that typically is referred to as TTP, used by particular attack vectors, or particular ransomware families, for example.
Knowing that's going to help us to identify and detect those attacks as early as possible, and then mitigate those attacks as well. So to obtain those threat intelligence, there are different sources. You've got security vendors, if you're using any security tools, they typically have a threat intelligence source, and they provide these as part of the offering or as part of the tools that you're using.
And there are Threat Intel feeds as well. Some of them are open-source, some are commercial, you can go and buy. But one particular one that I wanted to highlight here is MISP, so Malware Intelligence Sharing Platform project. So this is an open-source project, there are a lot of contributors, even government agencies contribute. You can see a screenshot of that particular platform there that you can go and utilize these feeds to identify and detect ransomware attacks as early as possible.
It will also help you with the mitigation. So typically, what comes with these threat intelligence sources is something called Indicators of Compromise or IOCs. They will tell you things like the IP addresses that potentially these ransomware are coming from, potentially the IP addresses of the command and control servers that they're talking to. So let's say they launch a ransomware attack and then we detect this attack in part of the world, let's say here in Australia.
Then we know what the IP address of the command and control server is. If we have that Intel, and then we are a company in the United States, and we're using this Threat Intel, as soon as we see traffic to that particular IP address, we can block that communication to the command and control server. And by blocking that, that means we stop ransomware from getting access to the public key that it needs to encrypt the files. So if you can break the attack kill chain at any point, that will help us to stop the attack.
Email addresses that are used for phishing, domain names that these attackers use, and a lot of other information around that ransomware. The other aspect or the other tool that I wanted to sort of point is Security Information and Event Management or SIEM tools. So SIEM tools are tools that basically collect all the events and all the logs within the organization, and then they correlate and try to identify potential attacks or potential breaches.
So SIEM tools are a very important tool, and typically, these are the tools that you feed your Threat Intel to them, and it helps them to identify and detect those attacks. All right.
So we did talk about encryption. I want to briefly touch on decryption and how the decryption works. So once the files are encrypted, typically attackers, when you pay the ransom, they give you a decryptor. So the decryptor tool is a tool that knows how to use that key, the private key that they provide to you, and how to decrypt those files, because typically the encryption methods that they use, there's a lot of obfuscation that they use, so it's not as simple as just having the key and using, let's say, OpenSSL or another tool to decrypt.
But some security vendors like, I've got Trend Micro here, and Kaspersky. A lot of security vendors, they've got generic anti-ransomware tools. So these are decryptors that potentially work on some of the more generic ransomware. So even if you don't have the keys, they may have some generic decryption keys that they have in their inventory. And then you can try, you can just see if you can decrypt your file using those anti-ransomware tools.
So what happens after an attack happens, and then they get access to the private keys, then they have this collection of private keys, and they potentially use those private keys to try to decrypt. But are they talking about the negotiation? So part of that negotiation is trying to get access to the decryptors, potentially from another source. So those negotiators, what they do, they may tell you, "Okay, you don't need to really pay the ransom, I will go and talk to another victim that is probably using the same key potentially in this particular vector, and then I'll grab a key from somewhere in the Darknet and then I'll get you to decrypt your files." But none of that is guaranteed.
You never know if they've used a unique key for you, or if it's a generic key. So that's why that threat intelligence is quite important. What's important from a mitigation point of view is as soon as you get the key and the decryptor, you need to basically deploy it as soon as possible and decrypt the files and then clean up the systems. What does that mean? That means you need to have tools in place, that this is part of your mitigation plan, to be able to distribute those decryptors.
For example, SCCM is a tool that a lot of organizations use. As long as you're ready to go, because otherwise copying the file, like that decryptor, and deploying it to all the machines within an organization might be time consuming. I like to use these quotes all the time. "It's not a question of if, but when a cyber breach will occur." A lot of organizations think that, "Oh look, this has happened to others, it will never happen to me."
But that's not true. Every organization, there's a threat and everyone will be breached at some point. The problem is a lot of organizations are breached already, and they don't know. With ransomware, you probably quickly know because your files are encrypted and you can't access them. But this is quite important. And that brings me to the point that there's a cyber security framework put together by NIST.
So NIST is the National Institute of Standards and Technology. And they've put together this framework that sort of helps organizations to have a proper plan to identify attacks, how to implement protections against all sorts of cyber threats, how to detect those threats. But this is very important, but it's not enough, more importantly, how to respond. And this is where a lot of organizations go wrong with respond and recover plan.
They put a lot of protection, they put... and I'll talk about protection and mitigation in the next slide. They put a lot of tools for detection and protection and identifying attacks. But what they forget is incident response and recovery, how would you recover? And Brian's going to talk about this a little bit in more technical terms. But this is quite important, looking at this framework, every single step in this framework is critical and crucial for organizations.
So at a high level, how can we protect our organization?
And how can we remediate if a ransomware attack happens?
The first step, the most important one, is email protection. So luckily, now a lot of organizations are using Office 365, Microsoft is putting some email protection services on top of that. Sometimes it may not be enough, so you may need other tools. But what is important is you need to have an email security tool, as well as a web security tool, that are aware of these attacks and these attack vectors.
And when we say threat-informed, that means we need to have the Threat Intel source. We need to make sure that these tools have access to those sources, and they can detect those attacks as soon as possible. So an email comes through, they detect it being a phishing attack, or a malicious attachment to the email, and block that attachment. That's quite important. The second aspect is security awareness and training. And there is a difference between awareness and training.
So training is when you put your employees through a training program, you tell them that ransomware is there, you need to be careful, you shouldn't click on links, and that's very good. But it's not effective. It's not fully effective. The reason for that is a lot of people think that, "Oh okay, this happened to another organization, but it will not..." Or, "This happened to other people, it will not happen to me." So awareness is when you put together practical campaigns, for example, you send intentional phishing emails, and you see how many people are actually going to click on that.
And the results are usually surprising, like I was working with a massive financial institution, and they ran this campaign. 30% of their employees clicked on the link, and they have a lot of training in place. A lot of training in place, and so you would think that people won't, or people are busy, or they're working from home and the dogs are around, and the kids is crying. So they get distracted and they see an email, they just click on the link.
So awareness is good, because during those campaigns, you make sure that they see what it may look like, and now they've got a memory, a practical memory of what potentially can happen. So part of that, related to that is knowledge checks. So making sure that you've got this regular cadence with employees and making sure that they know exactly what trends are there and what's happening. Remediation plans is another one that is quite important.
Talking about Alex and you know how he had this journey, and the problems he had, remediation plan is quite important. You need to have a plan in place when ransomware attacks, how would you respond to that? And I think Brian's going to talk about that as well. Backup is quite important in case of ransomware, because if you don't want to pay the ransom, you should be able to recover your files from your backups having a robust backup strategy that is tested.
A lot of times I've seen organizations, they do have backup strategies, they've got a backup system, and they think it works. But then ransomware hits, they go to recover backups, and they just don't work, there's been a problem in the system, they've never checked it. So that is quite important. Other aspects, again, at a high level, is network segmentation. That means breaking the network into different segments, so if ransomware or any other type of attack, for that purpose, hits your organization, you can contain that attack easier to that part of the network.
Last but not least, isolation and containment. That means if I detected my machine to be impacted and affected, then how can I contain this machine or this part of the network and isolate it from the rest of the network. Typically, with isolation and containment, there are two levels of isolation and containment you can do, sometimes you do it at host level. And these are endpoint protection systems.
As soon as they detect an attack, or a ransomware attack, they contain the host making sure that that particular malware or ransomware can't get into other machines. So they do that host level. But if you want to do that network level, you need potentially firewalls, so that you block access to that part of the network completely so that malware or ransomware can't get out of that part of the network.
All right, so that's all I had to say.
With that, I want to hand over to Brian to talk about a very interesting case study about Kaseya and what happened in this particular ransomware attack. Brian, over to you for the interesting part of the webinar.
Brian Kellogg: Thanks, Pouya. There's a lot I want to talk about.
So my mind's going all over the place. And to tie off to some of the things that Pouya said, the cases that I've worked, the breaches that I've worked, it's not uncommon to find more than one threat actor. That's when you find a threat actor, and you bring in, say, Mandiant, FireEye, or professional services to handle it, it's not uncommon to find more than one threat actor in an environment. So the idea that, not if, but when you will be breached, as a threat hunter, our guiding principle is to always assume breach.
And we just haven't found the evidence yet. So that's what drives a threat hunter to keep looking for that evidence. Obviously, you want to guard against bias, where you're not just seeing things that aren't there. But always assume breach is a threat hunter's modus operandi. But the baseline I do want to talk about, Kaseya is an IT software vendor, and they sell to MSPs and MSSPs. So MSP is Managed Service Provider, and MSSP is a Managed Security Service Provider. And you can have companies that do both of those. And Kaseya also sells directly to the end customer itself.
That's why there's such an interesting target. Because if they can compromise Kaseya, and especially with what they did in this case, if they compromise the actual update of the Kaseya products, they get access to tons of customers. And they not only get access to the Kaseya's customers but customers of Kaseya's customers. So it just trickles all the way down. And also to build on the idea of paying for the ransom, there's been times where you actually pay the ransom, you get the decryption key, but the decryption is so slow, you have to restore from backup anyways.
So there's times where companies will pay the ransom and you still get stuck hoping your backup will actually work. And I'm also going to talk about more indicators of compromise but less fungible ones, ones that won't change as much from a perspective of a threat hunter. That's really my interest and where my experience lies. And so the fungible IOCs are ones like file hashes, IP addresses, domain names. Those things change quickly, they get turned over quickly.
And a lot of times, when you get those list of IOCs, they're usually only good for what we call retroactive hunting, meaning going back to your history of logs, and seeing it in your log, you saw those domain names, and those IP addresses and those file hashes. Because usually, by the time those are published, the threat actor has changed all those. And so they're great for threat active hunting, and sometimes they're good for real time hunting too. But usually, it's the retroactive stuff that that applies to, which is good, because then you can tell someone in our environment, or still is.
And as we're talking about IOCs, there's a term that gets thrown around all the time called LOLBins, Living Off the Land bins, and this is how a lot of malware and ransomware gets on. And so what I see in these attacks is not a lot of new stuff going on. How malware gets on, how ransomware gets on in an environment is pretty much the same. It's still targeting the same techniques and tactics. So if you can catch malware, if you can catch spyware or whatever, you're going to catch ransomware. So the difficulty for the threat hunter or whoever's watching the environment is to figure out, okay, we saw this activity, what does it really signify?
Is this just common commodity malware, or is this a bigger threat like ransomware? So although we can identify it, now we've got to classify it as a threat hunter. So we talked about this a little bit already, that Kaseya is obviously a vendor to vendors and a vendor directly to the end users. And so that obviously makes them very interesting to a threat actor, and how the threat actor got through Kaseya, as far as what I can find, is they compromised one of their web portals.
There was a known zero day in that web portal, and they were actually in the process of fixing it, unfortunately, but it got compromised, they got popped before they could actually roll out the fix.
And then they dropped the malicious payload, then they used what's called SQLi, SQL injection, which is just basically taking advantage of a database.
And if you've ever done any exploit stuff, one of the things like take the OSP, the Offensive Security Professional, one of the things that you'll find is you can use a database to write a binary to the file system and then execute that binary. And so that's one way to get actual access to the underlying operating system, right through that database. That's one method that can be used. I don't know if that's what was used here, though. And then we talked about this a little bit already.
We'll get into this a little bit more, so I don't want to spend too much time here. But AV Exclusions, if you're used to working in IT like I have, you get software you can install, and all of them want AV Exclusion. So we'll talk about why that's probably not a good idea anymore, and why we need to push back against third party vendors. And vendors really need to take more responsibility in making sure their stuff works with AV. And then this is the meat of what I want to talk about here in the next few slides.
So TTP, we saw this already in a previous slide, Tactics, Techniques, Procedures. It's an acronym used all the time by threat hunters. And it's just basically saying, how do threat actors work? How does malware work? And how can we identify that? And there are lots of perspectives that we can look at this from, and another phrase you'll hear threat hunters say constantly is Context is Everything. So in one business, an activity that we may catch either on the network or on a host with a command line or whatever, it can be completely benign, just because that's how their business operates.
They have software that has to do whatever. Whereas in another context, it could be evil. What a threat hunter needs to understand is, one, the broad context of the business. But also broadly what is benign and what is evil. And then there's this gray in between, that a threat actor has to take that knowledge and apply it to understand, okay, this is out of my environment, but is it really evil? Is it really something I need to worry about, or is it just something I need to be aware of, let somebody else know, "Hey, I need to take care of this. It is just a security misconfiguration or something of that nature, something that could be tightened down that's not running as it should, pretty nice." So what we see here is the, and I don't know how to pronounce it, it's.
It is a group and this is how they actually got on systems. And this is one of the command lines that they run. So from a threat hunter's perspective, there are a few things here that stand out to me that I can catch, in the systems that I've worked in, that I would get. You see this first part here that was doing the... Sorry, go, then. This is missing the picture. Sorry, guys. Oh, there we go.
Sorry. So the first part here where you see that ping command, so you get the command prompt running the ping command to the local host. That's not totally abnormal. There are software installers that do this. And they do this just to institute some kind of pause in the installation process. But what's a little more interesting is that -n right there with that 5693; to me, that's telling me right there that some random number was chosen. So there's some value here that they're just choosing a random number out of the pause, the rest of these commands that are tied together.
And this is command prompt on Windows. So the amp signs, those ampersand signs, are basically tying multiple commands together. And that's interesting to me as a hunter as well. In fact, I can write a rule that will tell me to look for this number of ampersands in a command, and depending on that number, there are certain thresholds I can look for that become more interesting to me. The larger the number, the more interesting this command line is to me. That's something that I can key in on as a hunter and I can automate. And that's something that I love to do, is automate threat hunting.
And after that, we see that Windows PowerShell command, and Set-MpPreference there in the second line, the second word in there. They're using that, that is a PowerShell cmdlet to disable Windows Defender. And you see the disable instructions after that. There are about five of them there, basically disabling Windows Defender, all of its protection. And as we go down through the command, we see a copy command here; this will become a little more interesting in another slide.
That copy command is what we talked about previously, LOLBin, Living Off the Land bin. And basically what that is, is how can I as a threat actor or as a pen tester, how can I use stuff already on an operating system to implement what I need, instead of downloading a binary, which will probably be seen as noisy, how can I use something that already exists on the operating system? That's LOLBin, Living Off the Land bin.
In this case, they're using CertUtil.exe. And the reason they're using that is it can decode Base64 encoding. And they're writing a binary file in Base64, which is just a real simple encoding. They're writing that to a directory. And then they're going to decode it, so they can run that as a real binary. CertUtil will do that for them. And that already exists on the operating system, and it's a very common tactic that they use. So that's another thing as a threat hunter I can write a rule for and automate and key in on.
That right there should make alarms go off if someone's copying CertUtil to some other directory. Now, the downside of that copy command is, since this is Windows cmd.exe, a lot of tools will not... tools that actually log command lines will not log that copy, because it's a built-in command of cmd.exe. So you really have got to know what tools you're working with, for what you can actually look for and catch. So they're copying that CertUtil command out of its normal working directory, System32, into the Windows directory.
So they're going to run it from that Windows directory. Now that cert.exe, anything that gets copied to the Windows directory is a common attack or tactic, and that is another thing that should tip people off that something not so nice is going on. So in the organizations I've worked in, in the startup I've worked in, there's a simple rule that I always write, and that's looking for new files being seen and seen with those. Because when I see that and I see them executed, there's something interesting going on. Not all the time, because there's legit stuff that still does that like PsExec, which is a command line administrative tool used by some places, but still a very interesting thing that's going on.
And now you see them at the second line from the bottom, the third line from the bottom, where they're running cert.exe decode. And again, that's that copied CertUtil.exe decoding that Base64 encoded agent, that CRT file. And then at the very end after that last amp, the last few ampersands, you see the Delete; they're just cleaning up after themselves. If you didn't log a lot of these file creations, they're going to delete these files, and you'll probably never know that they were there. So you're going to lose some of the steps in the compromise tree here that occurred.
This is some source code that someone at Sophos Labs reverse engineered, and I can't remember exactly where it came from, to be honest.
But the two things I really want to look at is if you look where it says Drop to Windows, and underneath that you see V8 = Drop to Windows, there are two file names at the ends of those lines. One is mpsvc.dll, and the other is MsMpEng.exe; these are files associated with Windows Defender. They are legitimate files, these are old files that were exploitable, they had an exploit in them that allowed you to do something called DLL side loading. And what they're doing is they're including this in the payload that they're delivering to the endpoints they want to encrypt.
They're writing them again to that C:\Windows directory, and they're killing the current Windows Defender, they're running this Windows Defender, and then they're side loading that mpsvc.dll so then they can do all the stuff they need to do to actually encrypt the workstation. So they're actually taking legit Windows files that had exploitable code in them, and copying them to the C:\Windows directory to run them, so that they can then exploit it and deliver the rest of the payload.
This is another command that they're running. And again, this is another one that shouldn't be caught. And that's basically it is to say it is allowing network discovery of every device they infect. And I'm not completely sure, and I haven't looked into why they're doing this, but I guess it's still like an inventory and they can look around and see what devices they've compromised already on the network to get a count. And maybe shore that up with stuff that's actually called command and control traffic talking back to the infrastructure they control on the internet.
But I'm not exactly sure why they're doing that, to be honest. The other thing that REvil does is it does something called in-place encryption. That's going to take files and encrypt them, and that's going to read them and write them as it encrypts back to the same sectors on the hard drive. Meaning that since it's writing over the file as it's encrypting, there's no sector level recovery of the file. So they're making sure that you can't go back and do forensics on the hard drive and actually pull back the unencrypted files. And they're not doing any data exfiltration.
So data exfiltration is basically stealing your data. Usually how that works is, the bad guy is going to stage it somewhere inside your network. And then when they're ready, they're going to compress it, and then upload it somewhere via some means usually FTP, or SFTP, or something. The other thing they do is they do something with MUTEX. So MUTEX is just a fancy term, it's used in programming quite a bit as basically a way that you can share a resource across multiple processes.
So one resource can tell, "Hey, this other resource is accessing this, don't try to access it till we're done." In this case, it's basically telling other versions of REvil that may be trying to get on the host, "Hey, this host is already infected, don't infect it a second time." So this is another indicator you can look for, to see if a device is already compromised by this ransomware. Hackers use trolling stuff like this all the time; if you looked at that, it got Trump and other stuff, Black Lives Matter.
They do stuff like this all the time.
So, mitigation and controls. There are no silver bullets; if any vendor's trying to sell you a silver bullet, be very skeptical. It's really comprehensive and it's understanding your business, the business you're working in, what its needs are, how much money it has to spend, what expertise you have on staff to maintain stuff. There's something in threat hunting called fumbling. And fumbling means you want to be able to instrument your systems, your auditing, your logging in such a way that you can find mistakes by an attacker.
And so mistakes by an attacker are, for example, trying to brute force accounts. They don't know the passwords already, so they're going to try to brute force accounts, connecting to file shares that users don't know about. We'll talk about honey pots here a little bit. So fumbling is just stuff that's odd that other users should not be trying to do, it's just stuff that stands out; for example, users and their file shares, they usually get them mapped directly, so they don't have to go and map them or find them. So stuff that users just are not doing on a day-to-day basis.
And if you see stuff like that, that's called fumbling. The attackers are poking around trying to find things that most users are not trying to get at. So honey star, that means honey anything. This includes network honey pots, honey docs, honey accounts, and there are some others I'm forgetting about too. But so a network honeypot is just a VM or even just a small hardware device that you can stick out there that's just waiting for network connections to be made. And there are a few different kinds of honeypots.
They call it, I can't remember the term exactly. It's high interaction honey pots, low interaction honey pots, and medium interaction honey pots. So high interaction will actually allow an attacker to... it pretends to be more than just something simple to connect to, like it will pretend to be a file share and allow some interaction with it and capture those packets, and then record it so threat hunters can review it. Low interaction is just looking for the network connection itself and seeing if anyone's trying to connect, without actually capturing data or interacting with the attacker in any other way.
Honey docs are documents that you can stick out in certain folders. And if they steal them, and they open them and they don't open them in a protected environment, they call back to some server that you set up on the internet to let you know, "Hey, someone opened this document." And the fact that it's a document that shouldn't ever be opened is an interesting event. And the same with honey accounts. They are just generic accounts that you set up, you make them look real. And if anyone ever tries to log into them or touch them in any way, that's a really interesting event. One of the things that attackers will do, again, it depends on context.
In the case of REvil, they really don't try to hack accounts, but they'll scan through your Active Directory and touch accounts to see what accounts are there. And so if these honey accounts get touched, that's a really interesting event. And a lot of Windows event logs will include a source IP address of who touched it, or even a device name that you can trace that back to. Unfortunately, they don't all the time, but they can. And there's a bunch of other handy stuff too that you can do to try to catch the stumbling attackers.
Refuse to exclude. Again, going back to AV. As someone responsible for infrastructure now, I don't exclude stuff in AV anymore. So if a vendor asks me to do that, I just tell them, "No, if your stuff isn't going to work, then you guys need to figure it out." Now, obviously, you can't do that in every aspect; there's stuff out there that just has got to run for business purposes, especially if you're working in operational technology environments, for sure. And I understand that. But at the end of the day, I think in most traditional IT stuff, I push back now.
I just don't exclude. And as long as it's not that important, I don't even tell the vendor, I just install it. And if it doesn't work, then I'll work with the vendor to try to figure it out, but still not excluded. Off-limits devices. So in this case, with Kaseya, they are an IT software vendor that's running stuff on your systems; it's highly privileged. It is probably running with local admin or domain admin even in some cases, which makes it even more interesting for an attacker.
But one of the methods that a lot of places will use now is they won't install something like that on every device. For example, domain controllers may be off limits completely for all third party software. And I've known some places where that includes the antivirus too. But that's again a business decision you have to make when you weigh risk and do risk analysis on your own. Critical servers. Same idea as with domain controllers; maybe there are some servers you're just not going to put automation software on, stuff to automate tasks and such. Jump boxes, which are devices used by server and network admins to do elevated work.
So if you need to be a domain administrator, instead of running your domain creds on your local device, you've got to go to this jump box first, which is usually like a very controlled and hardened Windows station that you can then use to run your stuff with your domain creds and such. And that goes also for endpoints of users of greater concern like your domain administrators; maybe you don't install automation software and other stuff that may introduce more risk than what you're comfortable with.
And then the last one is one that I'm very much in favor of in places I've worked, is I really don't want to buy something if I can do it with built-in tools already. For example with Windows, if I do it through group policy, it may take me longer. But I want to understand how to do that, I want to do it with group policy, instead of buying something. With Linux, I know it's a pain, but maybe we're in SELinux to learn how to secure Linux a little better, using the firewalls that are already built into the operating system and such.
So knowing what you have and how to use it better can be helpful. But again, it comes back to context, what expertise you have on hand, what other stuff's going on? And there's just no one size fits all answer for everybody, unfortunately.
Pouya Ghotbi: Awesome. Thank you so much, Brian, that was really, really good.
I was just going to highlight very quickly, and I know we're a little bit over time as well. So all this stuff, first of all, these are the references. Again, if you're watching this now, or you're watching this recorded later, you can just scan these and go and check those references. But considering time, I just want to quickly hand over to Marcos so he can talk about our program and our University.
And the reason for that is I can see we've got a couple of our students on the webinar, and potentially some prospective students.
The stuff that we covered today, and similar things in cybersecurity, we've got this very interesting program, which is very practical and very close to the industry. And you can learn all of this with us, and then you can earn your master's degree in software security that Marcos is going to walk us through now. Over to you, Marcos.
Marcos Baez: Thank you, Pouya. Yes, just to touch on those programs. First and foremost, some of our rankings as a university. Just recently, the U.S. News and World Report ranked us as one of the top three best value universities in the state of New York. I think that speaks very highly to our combination of tuition, as well as the quality of our programs and our curriculum as well. We are one of the 385 Best Colleges as ranked by the Princeton Review.
And then we're also a top 20 online master's program in cybersecurity, as securitydegreehub.com recently ranked us, as well. So let's just touch on some of our rankings. Pouya, if you want to go on to the next slide, you might get into some of the program details here.
So what makes us unique at the graduate level, is we do have two options for our students.
We have a track, the master's track, of course, for students who are seasoned in the field, whether that's through their previous degrees or working experience. So with the Master of Science in Cybersecurity, it can be completed in as little as 18 months, for a total of 10 courses minimum. And again, as Pouya mentioned, it's a very technical program, mostly lab-focused. So if you're looking to really enhance your technical skills, that's the focus of our program.
And then on the opposite end, if you're someone who is looking to break into the industry, maybe you're looking for that career change, we do offer a Graduate Certificate in Cybersecurity, that really allows those type of students to develop the foundational skills to eventually pursue the master's program as well, if they decide to do so. And it can be intimidating getting into this field, but rest assured these courses were designed for individuals with no background in the industry, in the field.
So as long as you're willing to dedicate the time necessary to be successful, you should have no issue in these courses. In terms of Next Steps and Admissions Requirements, it's a fairly simple process here.
Maybe compared to some other schools you may have looked at, all we really look for students to do is submit an application, which shouldn't take you more than 15 minutes to do so.
We would require you to obviously have a Bachelor's degree from an accredited institution. Again, it can be in any field, based on us having the Graduate Certificate option. We would require transcripts along with that degree, that being said, to be sent over to us. A copy of your resume as, again, work experience is factored in to potentially waiving courses, and a police clearance due to the ethical nature of the subject matter. You want to just ensure there are no conflicting items in your background that may relate to cyber security.
And then lastly, the GMAT or GRE exam, which can be required of similar programs is not a requirement here, again, very much simplifying the admissions process. And all in all, if this is something you may find yourself interested in moving forward with, the next step would be scheduling some time to speak with me by phone to outline the admissions process and help you get started towards enrollment.
Pouya Ghotbi: Awesome. Thank you so much, Marcos. I also encourage everyone, we had a webinar, for those of you that are looking at a career change, looking at cyber security as a hot new sort of area to move in. We talked about the market, the pathways and everything. Please go and check our website and watch that webinar as well. Over to you, Katie, to close off. Thank you.
Katie Macaluso: Wonderful. Yeah, thank you all. I think I did just drop in the URL in the chat if you're interested in taking a look at the website for more information. But otherwise, we want to thank you all so much for joining us today. As I mentioned at the beginning, we did record this, so we will send that out to you tomorrow, along with more information about how you can reach out if you have additional questions or want to learn more about the program. So thank you again to our speakers. Amazing presentation. And thank you again for joining us, have a great rest of your day. Bye, bye.
Pouya Ghotbi: Thank you so much, everyone.