Join Jason M. Wesaw, Roger Rader, and Markus Lassfolk as they discuss the impacts of ransomware attacks, how they happen, and effective strategies to prevent and recover from them. Learn valuable insights from real-world examples and gain practical knowledge to safeguard your organization. Don't miss this session!
Welcome to session: Ransomware- how to avoid it or recover from it. Presented by Jason M. Wesaw, Roger Rader, Markus Lassfolk
Who’s who? • Jason M. Wesaw (Government Manager) • Roger Rader (Actionable Data Specialist) • Markus Lassfolk (TrueSec, CTO)
What is this session all about? • What happened? • How did it happen? • How did we get up and running again? • What could have been done to prevent it?
What was affected? • All Servers • All File shares • All Databases • All Backups • All Clients • Basically Everything
How did this impact the Government? • Police • Dental • Pharmacy • Health Services • Enrollment • Education • Elders program • Physical Security • Email • Phones • Internet • Everything besides pen and paper
To pay or not to pay? • FBI • TrueSec • Insurance Company • Council • Government Team
How and why did it happen? • Security review in October 2017 • Security review in December 2017 • Enabled logging end of December 2017
This is in no way unique for Pokagon! • This is basically how 80-90% of all IT environments look • Our PEN Testers usually gain Domain Admin access in less than 1 hour in a normal environment and 3-4 hours in Military environments • Third-party vendors are the worst! • You need to protect everything, while an attacker just needs one hole
• 254 Not Disabled < 180 Days
• 317 Password Never Expired (166 excluding Service Accounts)
How did we get up and running again and how long did it take?
• Disable all Remote Access and shut down everything
• Client backups of all turned-off clients
• Recover Active Directory to save SIDs and AccountNames, O365 connections
• Deploy new Servers - System Center: Management, Client Deployment, Infra first
• Implement security features - Microsoft Baselines - New Role Based Accounts - Disable NTLM - Complex Password Policies - MFA
• Enable user accounts and password reset
• Office 365 Sync
• Restore Data
• Fix issues related to Security Hardening
• Third Party Applications and Consultants
From a non-technical point of view, what happened?
At the Point of Impact • Lead • Good • Plan your fight, fight your plan
Daily business • Communicate • Simple is Best
What can you do to not end up in the same situation?
• Educate IT Personnel and users
• Educate Third-party vendors
• Verify job done by Third-party vendors
• Require smart cards or 2FA for privileged accounts
• Secure remote access (RDP, VPN)
• Restrict usage of privileged accounts
• Enable alerts for suspicious behavior
• Enable extended logging – not just failed logons!
• Enable account lockouts
• Segment and isolate environment by function
• Ensure integrity of backups, separated accounts, offline storage
• Read logs!
• Implement for example Microsoft ATP
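The account-hygiene numbers on the earlier slide (accounts not disabled, passwords that never expire, with and without service accounts) and the "restrict privileged accounts" items above can be measured rather than guessed. The script below is an added example, not part of the presentation or of TrueSec's tooling; it assumes the RSAT ActiveDirectory module, a 180-day inactivity window, and that service accounts are identifiable by a registered SPN or an "svc-" name prefix (adjust to your own naming convention).

```powershell
# Added example (not from the presentation): audit an AD domain for stale
# enabled accounts and for accounts whose password never expires.
Import-Module ActiveDirectory

$inactiveDays = 180
$cutoff       = (Get-Date).AddDays(-$inactiveDays)

# Assumption: a service account has an SPN registered or is named "svc-*".
function Test-IsServiceAccount {
    param($User)
    return ($User.ServicePrincipalName.Count -gt 0) -or ($User.SamAccountName -like 'svc-*')
}

$props = 'PasswordNeverExpires', 'LastLogonDate', 'Enabled', 'ServicePrincipalName', 'whenCreated'
$users = Get-ADUser -Filter * -Properties $props

# Finding 1: accounts still enabled although nobody has logged on for 180 days.
# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to
# 14 days of lag, so read it as "at least this old". Accounts that were created
# before the cutoff and never used at all have no LastLogonDate and count too.
$stale = @($users | Where-Object {
    $_.Enabled -and $_.whenCreated -lt $cutoff -and
    (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)
})

# Finding 2: passwords set to never expire, reported with and without service accounts.
$neverExpire      = @($users | Where-Object { $_.PasswordNeverExpires })
$neverExpireHuman = @($neverExpire | Where-Object { -not (Test-IsServiceAccount $_) })

"{0} enabled accounts with no logon in {1} days (not disabled)" -f $stale.Count, $inactiveDays
"{0} accounts with password never expires ({1} excluding service accounts)" -f $neverExpire.Count, $neverExpireHuman.Count

# Detail lists for whoever has to clean this up.
$stale | Select-Object SamAccountName, LastLogonDate, whenCreated |
    Sort-Object LastLogonDate |
    Export-Csv -NoTypeInformation -Path .\stale-enabled-accounts.csv
$neverExpire |
    Select-Object SamAccountName, Enabled, @{n='ServiceAccount'; e={ Test-IsServiceAccount $_ }} |
    Export-Csv -NoTypeInformation -Path .\password-never-expires.csv
```

Run it from an account that can read the domain, then schedule it: the point of the slide is that these counts drift upward silently unless someone looks at them regularly.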
Summary
• Security is not fire and forget
• Everyone in the organization needs to be security aware
• Tools and technology can only protect you so far
• Make it hard enough for the attacker to choose an easier target
• Get rid of all "noise" in logs
• Actively read logs and enable real alerts
• Be up to date with Microsoft and third-party patches
• Don't accept when a vendor says something requires Domain Admin, or reduces your security
Questions? Security is not cheap but being proactive is cheaper than fixing problems…
Thank you for attending! For more info contact: per.kimblad@truesec.com, TrueSec.com. Meet us! Booth 31. "If you think it's expensive to hire a professional to do a job, wait until you hire an amateur!" (Red Adair)