
Ransomware: Avoidance and Recovery Strategies

Join Jason M. Wesaw, Roger Rader, and Markus Lassfolk as they discuss the impacts of ransomware attacks, how they happen, and effective strategies to prevent and recover from them. Learn valuable insights from real-world examples and gain practical knowledge to safeguard your organization. Don't miss this session!


Presentation Transcript


  1. Welcome to the session: Ransomware: how to avoid it or recover from it. Presented by Jason M. Wesaw, Roger Rader, Markus Lassfolk

  2. Who’s who? • Jason M. Wesaw (Government Manager) • Roger Rader (Actionable Data Specialist) • Markus Lassfolk (TrueSec, CTO)

  3. What is this session all about? • What happened? • How did it happen? • How did we get up and running again? • What could have been done to prevent it?

  4. What happened?

  5. More attacks coming

  6. What was affected? • All Servers • All File shares • All Databases • All Backups • All Clients • Basically Everything

  7. How did this impact the Government? • Police • Dental • Pharmacy • Health Services • Enrollment • Education • Elders program • Physical Security • Email • Phones • Internet • Everything besides pen and paper

  8. To pay or not to pay? • FBI • TrueSec • Insurance Company • Council • Government Team

  9. How and why did it happen? • Security review in October 2017 • Security review in December 2017 • Enabled logging end of December 2017

  10. This is in no way unique for Pokagon! • This is basically what 80-90% of all IT environments look like • Our pen testers usually gain Domain Admin access in less than 1 hour in a normal environment and 3-4 hours in military environments • Third-party vendors are the worst! • You need to protect everything, while an attacker just needs one hole

  11. • 254 Not Disabled < 180 Days • 317 Password Never Expired (166 excluding Service Accounts)
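As an added example (not part of the presentation), this is how the two figures on slide 11 can be produced from a user export: it applies the documented userAccountControl flag bits and a last-logon cutoff to a constructed sample; the export format and the service-account tagging are assumptions.

```python
"""Stale-account audit in the style of slide 11 (constructed data, not a real export).
Assumes each row carries userAccountControl and lastLogonTimestamp, as an AD export would."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
ACCOUNTDISABLE = 0x0002       # userAccountControl bit: account disabled
DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires

@dataclass
class AdUser:
    sam: str
    uac: int                        # userAccountControl bitmask
    last_logon: Optional[datetime]  # None = never logged on
    is_service: bool = False        # tagged by OU/naming convention (assumption)

def is_enabled(u: AdUser) -> bool:
    return not (u.uac & ACCOUNTDISABLE)

def stale_enabled(users: List[AdUser], now: datetime, days: int = 180) -> List[str]:
    """Enabled accounts with no logon in `days` days (or ever): should have been disabled."""
    cutoff = now - timedelta(days=days)
    return [u.sam for u in users
            if is_enabled(u) and (u.last_logon is None or u.last_logon < cutoff)]

def never_expiring(users: List[AdUser], exclude_service: bool = False) -> List[str]:
    """Accounts flagged DONT_EXPIRE_PASSWD, optionally skipping service accounts."""
    return [u.sam for u in users
            if u.uac & DONT_EXPIRE_PASSWD and not (exclude_service and u.is_service)]

def audit(users: List[AdUser], now: datetime) -> dict:
    return {
        "stale_enabled": len(stale_enabled(users, now)),
        "never_expire_all": len(never_expiring(users)),
        "never_expire_excl_service": len(never_expiring(users, exclude_service=True)),
    }

# Constructed sample directory; every value is made up.
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    AdUser("jdoe", 0x200, NOW - timedelta(days=3)),                         # healthy
    AdUser("oldintern", 0x200, NOW - timedelta(days=400)),                  # stale, enabled
    AdUser("leftover", 0x200, None),                                        # never logged on
    AdUser("exstaff", 0x200 | ACCOUNTDISABLE, NOW - timedelta(days=500)),   # disabled: ok
    AdUser("svc_backup", 0x200 | DONT_EXPIRE_PASSWD, NOW - timedelta(days=1), is_service=True),
    AdUser("admin2", 0x200 | DONT_EXPIRE_PASSWD, NOW - timedelta(days=200)),  # both findings
]

if __name__ == "__main__":
    print(audit(SAMPLE, NOW))  # {'stale_enabled': 3, 'never_expire_all': 2, 'never_expire_excl_service': 1}
```

Run it against a real export by building AdUser rows from the userAccountControl and lastLogonTimestamp columns; the cutoff in days matches the slide's 180-day figure and can be changed per policy.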

  12. How did we get up and running again and how long did it take? • Disable all remote access and shut down everything • Client backups of all turned-off clients • Recover Active Directory to save SIDs and account names, o365 connections • Deploy new servers - System Center – Management, Client Deployment, Infra first • Implement security features - Microsoft Baselines - New Role Based Accounts - Disable NTLM - Complex Password Policies - MFA • Enable user accounts and password reset • Office 365 Sync • Restore Data • Fix issues related to Security Hardening • Third-party applications and consultants

  13. From a non-technical point of view, what happened? At the Point of Impact • Lead • Good • Plan your fight, fight your plan Daily business • Communicate • Simple is Best

  14. What can you do to not end up in the same situation? • Educate IT personnel and users • Educate third-party vendors • Verify job done by third-party vendors • Require smart cards or 2FA for privileged accounts • Secure remote access (RDP, VPN) • Restrict usage of privileged accounts • Enable alerts for suspicious behavior • Enable extended logging – not just failed logons! • Enable account lockouts • Segment and isolate environment by function • Ensure integrity of backups, separated accounts, offline storage • Read logs! • Implement, for example, Microsoft ATP

  15. Blocked Attempt

  16. Summary • Security is not fire and forget • Everyone in the organization needs to be security aware • Tools and technology can only protect you so far • Make it hard enough for the attacker to choose an easier target • Get rid of all “noise” in logs • Actively read logs and enable real alerts • Be up to date with Microsoft and third-party patches • Don’t accept when a vendor says something requires Domain Admin, or reduces your security

  17. Questions? Security is not cheap but being proactive is cheaper than fixing problems…

  18. Thank you for attending! For more info contact: per.kimblad@truesec.com / TrueSec.com Meet us! Booth 31 “If you think it's expensive to hire a professional to do a job, wait until you hire an amateur!” – Red Adair
