Be Vewy Vewy Quiet

Be Vewy Vewy Quiet
Had an opportunity to hear David Girard, Breach Detection Team Leader at Trend Micro, speak. Here is a brief summary of a lively discussion. First, he pointed out that between 2012 and 2015, the dominant problem his team was most often engaged with was that of advanced persistent threats (APTs). However, in January 2016 the ransomware threat leapfrogged ahead. Ransomware and business email compromise (BEC) are the biggest threats followed by APT now.
Most ransomware is delivered by spearphishing/spam (71%) with 18% being delivered by exploit kits/drive by downloads. In 2015 there were only 29 ransomware families. In 2016 that number exploded to 246 families (an 846% increase). Spearphishing is now directed at IT staff instead of executives because IT staff tends to have elevated privileges in the environment.
The ransomware itself has evolved and seems to be human directed after initial infection and communication with command and control servers. Humans then seem to direct the ransomware to seek out repositories of critical data such as exchange servers, file servers, database servers, and source code repositories.
Sometimes the attackers use symmetric encryption, sometimes asymmetric. Often a separate key is generated for each host that is compromised. This is to complicate attempts by defenders to extract private keys from RAM to enable mass decryption. Attackers don’t seem interested, yet, in using other methods (which I will not detail) to thwart defenders.
Outbound communicate to C&C is done using ssh more often than SSL because most commercial SSL decryption technology does not deal with ssh tunnels.
Trend’s tiger team tends to categorize ransomware based on infection vector, means of payment, typed of data encrypted, method of encryption, and self-destruct capability.
Anti-sandboxing capabilities are getting better. Attackers attempt to detect things like the number of icons on a desktop, ARP cache contents, packaging attachments within multiple lavels of zip of encryption (protected zip within protected zip), and command and control servers ignoring certain ranges of originating IPs (if not on target list, do not allow connection to C&C. Do not allow connection from TOR exit nodes).
Ransomware authors are also using PowerShell, bash, batch files, etc. during lateral movement to evade machine learning and application control.
Using Yara rules to hunt for indicators of compromise/ransomware is fruitless because of quick mutation rate. Mutex names and looking for specific strings is somewhat better. Network src port and destination ports that differ from baseline of normal activity is best.
This led to a wonderful analogy of hunting for ransomware being akin to hunting for rabbits. You must set your traps along the trail between the rabbit hole (patient zero) and the food source (critical data store). This is best accomplished using a span or mirror port to avoid detection by the attacker. And you must check your traps once per day lest they deteriorate or you miss out on finding the ensnared rabbit.

My favorite advice from the talk is that you should never, ever pay the ransom. If you do, you simply turn yourself into a qualified customer for more abuse. Second, if you respond quickly to the ransomware demand, the price is often hiked since they know you are willing to pay.
Avoid uploading your file immediately to virusTotal as the bad guys are known to have access. Therefore attackers can see that they’ve been detected and thus behave more stealthily.
Definitely using a strategy of least privilege — such as with privileged access management (PAM) instead of granting every IT person local or domain admin rights — is helpful. So is disallowing execute privilege to attached devices such as USB.
My favorite quote from the talk: “Of course you found nothing [when you scanned your computer using AV], it’s a zero-day.”
My favorite prediction for the future is that some automobiles will have their user’s ability to start the car locked out by encryption.