Showing posts with label ransomware. Show all posts
Showing posts with label ransomware. Show all posts

Cyber Security - Ransomware Guidance For Financial Firms.

     


    DFS Ransomware Guidance - Financial Sector.


    The Department of Financial Services (DFS) of New York released a letter outlining how regulated organizations need to cooperate to thwart and lessen ransomware attacks. 

    The letter outlines nine controls that need to be implemented by regulated companies. 

    Both regulated financial institutions and the MSSPs (Managed Security Service Provider) who supply them with services should take note of the letter. 

    MSSPs will need to demonstrate how they can assist their customers in following DFS's guidelines in order to engage with regulated businesses.


    Fighting ransomware requires technology that codifies efficient procedures, such as those suggested by DFS, promptly interprets data from various security instruments, and coordinates the necessary reaction.


    DFS Analysis of Financial Services Ransomware Attacks.


    The advisory letter states that the "good news" is that most ransomware assaults can be avoided, which is unusual when discussing ransomware. 

    This is due to the fact that ransomware perpetrators often utilize the same methods. 


    Attackers gained access to the target's network in the 74 recent assaults that the DFS examined by using: 

    1. phishing, 
    2. remote desktop protocols, 
    3. or unpatched vulnerabilities. 


    In order to launch their ransomware, the attackers would then increase their privileges, often by acquiring and decrypting encrypted passwords.

    The advice letter points out that there are well-known defenses worth considering against the ransomware attackers' common tactics that might assist shield their intended victims.



    DFS's Ransomware Security Controls for Financial Services Companies Subject to Regulation


    The letter outlines nine particular measures that regulated businesses are required to put in place wherever feasible. 

    The first seven concentrate on avoiding ransomware while the latter two discuss preparing for a ransomware occurrence. The nine controls are listed below:



    1. Anti-Phishing education and email filtering.


    The advice emphasizes the need of employing both technical and educational tools to safeguard against phishing emails.


    2. Patch and Vulnerability Management.


    According to the recommendations, businesses should have a written program for controlling vulnerabilities that includes regular security fixes and upgrades.


    3. Two-factor identification.


    According to the advice, employing MFA for user accounts is successful at preventing hackers from entering the network and growing their rights.


    4. Turn off RDP Access.


    The guidelines advise regulated companies to limit access to remote desktop protocol to whitelisted sources and deactivate it wherever feasible.


    5. Password administration.


    Access control and password management are essential for limiting dangerous threat actors, including ransomware.


    6. Manage Privileged Access.


    According to the recommendations, businesses should rigorously guard, audit, and limit the usage of privileged accounts, and individuals should be granted the least amount of access necessary to carry out their tasks.


    7. Response and monitoring.


    According to the recommendations, businesses need to have ways to keep an eye on their systems and react to any questionable behavior. 

    EDR and SIEM are among the proposed techniques.


    8. Backups that have been tested and separated.


    The advice stipulates that regulated organizations should store several backups, at least one set of which should be separated from the network, in the first control that deals with preparing for an incident (the first seven addressed preventing an occurrence). 

    Businesses should routinely check their ability to recover systems using backups.


    9. An emergency action plan.


    Companies should develop incident response plans that particularly target ransomware, according to the recommendations for the second incident preparedness control.


    ~ Jai Krishna Ponnappan

    Find Jai on Twitter | LinkedIn | Instagram


    You may also want to read and learn more Cyber Security Systems here.


    Cyber Security - MALWARE'S MALICIOUS ACTIVITIES.

     


    Malware effectively codifies the harmful behaviors that an attacker intends to carry out. 



    The Cyber Kill Chain Model may be used to analyze cyberattacks, as illustrated in Table. 

    It represents (iterations of) stages that are generally involved in a cyberattack. 

    Reconnaissance is the initial phase, in which an attacker locates or attracts possible targets. 

    This may be done by searching the Internet for susceptible machines (computers that execute network services like sendmail and have known vulnerabilities) or sending phishing emails to a group of users. 

    The next step is to acquire access to the targets, for example, by providing crafted input to trigger a vulnerability in the susceptible network service software, such as a buffer overflow, or by embedding malware in a web page to compromise a user's browser and take control of his machine. 



    This relates to the Cyber Kill Chain Model's Weaponization and Delivery (of exploits) stages. 


    Once the victim has been hacked, another piece of malware is often downloaded and installed; this corresponds to the Cyber Kill Chain Model's Installation (of malware) stage. 


    This malware is the attacker's main workhorse and can perform a variety of tasks, including: 


    confidentiality – it can steal valuable data, such as user authentication information and financial and health information; 

    integrity – it can inject false information (e.g., send spam and phish emails, create fraudulent clicks, etc.) or modify data; and 

    availability – it can send traffic as part of a distributed denial-of-service (DDoS) attack. 


    Because there are toolkits (e.g., a key-logger) freely available for carrying out many 'standard' activities (e.g., recording user passwords), and malware can be dynamically updated to include or activate new activities and take part in a longer or larger 'campaign' rather than just performing isolated, one-off actions, most modern malware performs a combination of these attack actions. 


    In the Cyber Kill Chain Model, these are the Actions on Objectives. 



    Botnets are a kind of malware that has been operating for a long time and is well-coordinated. 


    A botnet is an attacker-controlled network of bots (or hacked computers). 


    Each bot is infected with botnet malware, which connects with the botnet command-and-control (C&C) server on a regular basis to receive instructions on particular destructive operations or malware upgrades. 

    For example, a spamming botnet's C&C server sends each bot a spam template and a list of email addresses every day, resulting in the botnet sending a significant number of spam messages. 

    If the botnet is disrupted as a result of detection and response activities, such as the current C&C server being taken down, the botnet malware is already designed to contact an alternate server and may receive updates to switch to a peer-to-peer botnet. 

    Because there are numerous bots in various networks, botnets are often fairly loud, i.e., reasonably simple to identify. 


    Botnet C&C is an example of the Cyber Kill Chain Model's Command & Control stage. 


    Unlike botnets, malware used by so-called advanced persistent threats (APTs) usually targets a single organization rather than attempting large-scale assaults. 

    It may, for example, seek for a certain kind of controller in the organization to infect and cause it to deliver incorrect control signals, resulting in machine failures. 

    APT malware is usually designed to last a long time (thus the label "persistent"). 

    This means it not only gets frequent updates, but it also avoids discovery by reducing the volume and intensity of its activity (i.e., 'low and sluggish'), moving across the organization (i.e., 'lateral motions,' and hiding its traces. 

    Instead of sending all of the stolen data to a 'drop site' at once, it can send a small piece at a time and only when the server is already sending legitimate traffic; once it has finished stealing from one server, it moves to another (e.g., by exploiting trust relationships between the two) and removes logs and even patches the vulnerabilities in the first server. 

    When analyzing a cyberattack using the Cyber Kill Chain Model, we must look at each step's activities. 

    This necessitates familiarity with the assault strategies involved. 

    The ATT&CK Knowledge Base is a significant resource for analysts since it chronicles the most up-to-date assault strategies and procedures based on real-world observations. 


    The Eco-System Below Ground.


    Malware assaults in the early days were mostly annoyance attacks (such as defacing or spraying graffiti on a company's website). 


    Malware assaults have evolved into full-fledged cyberwars (e.g., attacks on vital facilities) and sophisticated crimes in recent years (e.g.,ransomware, fake-AntiVirus tools, etc.). 

    There has also evolved an underground eco-system to support the whole malware lifecycle, which includes creation, deployment, operations, and monetization. 

    There are individuals in this eco-system who specialize in certain aspects of the malware lifecycle, and by giving their services to others, they partake in the (money) benefits and rewards. 


    The quality of malware increases as a result of this specialization. 


    For example, an attacker may employ the top exploit researcher to create the section of the malware that compromises a susceptible machine remotely. 


    Specialization may also help to give believable denial or, at the very least, reduce culpability. 


    For example, a spammer merely 'rents' a botnet to transmit spam and is not responsible for infecting machines and converting them into bots; similarly, an exploit 'researcher' is simply experimenting and is not responsible for building the botnet as long as the malware was not released by him. 

    That is, although they are all responsible for malware-related harm, they individually share just a fraction of the overall burden.





    ~ Jai Krishna Ponnappan

    Find Jai on Twitter | LinkedIn | Instagram


    You may also want to read and learn more Technology and Engineering here.

    You may also want to read and learn more Cyber Security Systems here.







    Analog Space Missions: Earth-Bound Training for Cosmic Exploration

    What are Analog Space Missions? Analog space missions are a unique approach to space exploration, involving the simulation of extraterrestri...