Ransomware Protection Playbook
Contents
Roger A. Grimes. Ransomware Protection Playbook
Table of Contents
Introduction
Who This Book Is For
What Is Covered in This Book?
Part I: Introduction
Part II: Detection and Recovery
How to Contact Wiley or the Author
Part I Introduction
Chapter 1 Introduction to Ransomware
How Bad Is the Problem?
Variability of Ransomware Data
True Costs of Ransomware
Types of Ransomware
Fake Ransomware
Immediate Action vs. Delayed
Automatic or Human-Directed
Single Device Impacts or More
Ransomware Root Exploit
File Encrypting vs. Boot Infecting
Good vs. Bad Encryption
Encryption vs. More Payloads
Ransomware as a Service
Typical Ransomware Process and Components
Infiltrate
After Initial Execution
Dial-Home
Auto-Update
Check for Location
Cybercriminal Safe Havens
Initial Automatic Payloads
Waiting
Hacker Checks C&C
More Tools Used
Reconnaissance
Readying Encryption
Data Exfiltration
Encryption
Extortion Demand
Negotiations
Provide Decryption Keys
Ransomware Goes Conglomerate
Ransomware Industry Components
Summary
Chapter 2 Preventing Ransomware
Nineteen Minutes to Takeover
Eighty Percent of Ransomware Victims Suffer a Second Attack
Good General Computer Defense Strategy
Understanding How Ransomware Attacks
The Nine Exploit Methods All Hackers and Malware Use
Top Root-Cause Exploit Methods of All Hackers and Malware
Top Root-Cause Exploit Methods of Ransomware
Preventing Ransomware
Primary Defenses
Comprehensive Anti-phishing Ebook
Everything Else
Use Application Control
Flu-Shot!
Antivirus Prevention
Secure Configurations
Privileged Account Management
Security Boundary Segmentation
Zero Trust
Data Protection
Block USB Keys
Implement a Foreign Russian Language
CISA Ransomware Readiness Tool
Beyond Self-Defense
Geopolitical Solutions
International Cooperation and Law Enforcement
Coordinated Technical Defense
Disrupt Money Supply
Fix the Internet
Summary
Chapter 3 Cybersecurity Insurance
Cybersecurity Insurance Shakeout
Ransomware Wasn't the Only Problem
Did Cybersecurity Insurance Make Ransomware Worse?
Cybersecurity Insurance Policies
What's Covered by Most Cybersecurity Policies
Recovery Costs
Ransom
Root-Cause Analysis
Business Interruption Costs
Customer/Stakeholder Notifications and Protection
Fines and Legal Investigations
Example Cyber Insurance Policy Structure
Costs Covered and Not Covered by Insurance
The Insurance Process
Getting Insurance
Cybersecurity Risk Determination
Underwriting and Approval
Incident Claim Process
Initial Technical Help
What to Watch Out For
Social Engineering Outs
Make Sure Your Policy Covers Ransomware
Employee's Mistake Involved
Does E&O Cover Employee Mistakes?
Work-from-Home Scenarios
War Exclusion Clauses
Future of Cybersecurity Insurance
Summary
Chapter 4 Legal Considerations
This Chapter and Book Should Not Be Considered Legal Advice
Bitcoin and Cryptocurrencies
Pseudo Anonymous vs. Anonymous Identities
For More Information on Bitcoin and Blockchains
Ways Cybercriminals Can Cash Out Their Ill-Gotten Gains
Can You Be in Legal Jeopardy for Paying a Ransom?
Innocent Parties
Author's Perspective on the “Fairness” of Law
Consult with a Lawyer
Try to Follow the Money
Get Law Enforcement Involved
Get an OFAC License to Pay the Ransom
Do Your Due Diligence
Your Ransom Payment May Be Tax Deductible
Is It an Official Data Breach?
Preserve Evidence
Legal Defense Summary
Summary
Part II Detection and Recovery
Chapter 5 Ransomware Response Plan
Why Do Response Planning?
When Should a Response Plan Be Made?
What Should a Response Plan Include?
Store Your Ransomware Response Plan Offline
Small Response vs. Large Response Threshold
Key People
Communications Plan
Should Your Ransomware Response Plan Be Stored Online at All?
Keep the Plan Updated
Let Legal Be the Outside Communicator
Public Relations Plan
Reliable Backup
Ransom Payment Planning
Critical Communication About Ransomware Extortion
Cybersecurity Insurance Plan
What It Takes to Declare an Official Data Breach
Internal vs. External Consultants
Plan for Compromise
Cryptocurrency Wallet
Always Use Reliable Cryptocurrency Sources
Response
Checklist
Definitions
Practice Makes Perfect
Restrain Your Cowboys
Summary
Chapter 6 Detecting Ransomware
Why Is Ransomware So Hard to Detect?
Detection Methods
Security Awareness Training
AV/EDR Adjunct Detections
True Story
Detect New Processes
AV vs. EDR
Application Control May Be Cheaper in the Long Run
Anomalous Network Connections
New, Unexplained Things
What About Fileless Malware
Unexplained Stoppages
Aggressive Monitoring
Example Detection Solution
Summary
Chapter 7 Minimizing Damage
Basic Outline for Initial Ransomware Response
Weighing Cost-Benefit of Mitigations
Stop the Spread
Power Down or Isolate Exploited Devices
Disconnecting the Network
Prior to Network Disconnection
Disconnect at the Network Access Points
Practice Makes Perfect
Suppose You Can't Disconnect the Network
Initial Damage Assessment
What Is Impacted?
Ensure Your Backups Are Still Good
Check for Signs of Data and Credential Exfiltration
Check for Rogue Email Rules
What Do You Know About the Ransomware?
First Team Meeting
Determine Next Steps
Pay the Ransom or Not?
Recover or Rebuild?
Recovery versus Rebuild
Be Calm in the Storm
Summary
Chapter 8 Early Responses
What Do You Know?
Get on the Same Page
A Few Things to Remember
Encryption Is Likely Not Your Only Problem
Reputational Harm May Occur
Firings May Happen
Be Careful of Accepting Blame
It Could Get Worse
Do Not Disrespect a Ransomware Gang Under Any Circumstances
Major Decisions
Business Impact Analysis
Determine Business Interruption Workarounds
Did Data Exfiltration Happen?
Can You Decrypt the Data Without Paying?
Ransomware Is Buggy
Ransomware Decryption Websites
Ransomware Gang Publishes Decryption Keys
Sniff a Ransomware Key Off the Network?
Recovery Companies Who Lie About Decryption Key Use
If You Get the Decryption Keys
Don't Give Trust Easily
Save Encrypted Data Just in Case
Determine Whether the Ransom Should Be Paid
Not Paying the Ransom
Paying the Ransom
Recover or Rebuild Involved Systems?
Determine Dwell Time
Determine Root Cause
Point Fix or Time to Get Serious?
Early Actions
Preserve the Evidence
Remove the Malware
For Windows Computers
Change All Passwords
Summary
Chapter 9 Environment Recovery
Big Decisions
Recover vs. Rebuild
Retain Evidence
In What Order
Tiers
Restoring Network
Lab Testing
Restore IT Security Services
Reenabling the Internet
Restore Virtual Machines and/or Cloud Services
Restore Backup Systems
Restore Clients, Servers, Applications, Services
Lower-Priority Assets Recovered First?
Conduct Unit Testing
Rebuild Process Summary
Watch Out for Malicious Email Rules
Recovery Process Summary
Recovering a Windows Computer
Should You Use Safe Mode?
Recovering/Restoring Microsoft Active Directory
Summary
Chapter 10 Next Steps
Paradigm Shifts
Implement a Data-Driven Defense
Magnum Opus
Focus on Root Causes
Rank Everything!
Get and Use Good Data
Heed Growing Threats More
Row the Same Direction
Focus on Social Engineering Mitigation
Comprehensive Ebook on Fighting Social Engineering
Track Processes and Network Traffic
Improve Overall Cybersecurity Hygiene
Use Multifactor Authentication
Hacking Multifactor Authentication
Use a Strong Password Policy
Everything You Want to Know About Password Attacks and Defenses
Secure Elevated Group Memberships
Improve Security Monitoring
Secure PowerShell
Secure Data
Secure Backups
Summary
Chapter 11 What Not to Do
Assume You Can't Be a Victim
Think That One Super-Tool Can Prevent an Attack
Assume Too Quickly Your Backup Is Good
Use Inexperienced Responders
Give Inadequate Considerations to Paying Ransom
Lie to Attackers
Insult the Gang by Suggesting Tiny Ransom
Pay the Whole Amount Right Away
Argue with the Ransomware Gang
Apply Decryption Keys to Your Only Copy
Not Care About Root Cause
Keep Your Ransomware Response Plan Online Only
Allow a Team Member to Go Rogue
Accept a Social Engineering Exclusion in Your Cyber-Insurance Policy
Summary
Chapter 12 Future of Ransomware
Future of Ransomware
Attacks Beyond Traditional Computers
IoT Ransoms
Mixed-Purpose Hacking Gangs
Future of Ransomware Defense
Future Technical Defenses
Ransomware Countermeasure Apps and Features
Ransomware Heuristics
Canary Files
Blackholing
Encryption Key Capturing
AI Defense and Bots
Strategic Defenses
Focus on Mitigating Root Causes
Geopolitical Improvements
Systematic Improvements
Use Cyber Insurance as a Tool
Improve Internet Security Overall
Summary
Parting Words
Index
About the Author
About the Technical Editor
Acknowledgments
WILEY END USER LICENSE AGREEMENT
Excerpt from the book
Roger A. Grimes
Wess didn't call it ransomware then. You don't make up entirely new classification names until you get more than one of something, and at the time it was the first and only. It remained that way for years. Little did we know that it would be the beginning of a gigantic digital crime industry and a huge blight of digital evil across the world in the decades ahead.
.....
When the trojan's program payload ran, before the ransom instructions were shown, it did some rudimentary symmetric encryption of the files and folders. It would move all the existing files and subdirectories into a new set of subdirectories under the root directory, rename them, and set the DOS "hidden" attribute on each file and folder, which made them seem to disappear. All the files and folders would also be renamed using "high-order" extended ASCII control characters, which made everything appear invisible. Even if the DOS hidden attribute was discovered and turned off, the file and folder names looked corrupted. If the impacted user tried some common exploratory commands to see what had happened, the malicious code brought back a fake DOS screen with fake results to confuse the user.
The main set of malicious subdirectories was created using extended ASCII character 255, which is a control code that looks like a space even though it is not. But like a space, it would not display on the screen or when printed. For all intents and purposes, all the files and folders appeared, to most users, to have disappeared or at least to be badly corrupted. But, importantly, none of the files were actually encrypted (unlike today's ransomware programs). The files and folders were merely renamed and moved.
.....
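As an added illustration, not taken from the book, here is a small Python check that flags directory entries whose names are built from the kind of non-printable or high-order characters the excerpt describes (code point 255, control characters, or no printable ASCII at all), run over a constructed sample listing; the hidden-attribute check only applies on Windows and is otherwise skipped.

```python
import os

# Code point 255 is the character the excerpt says was used for the
# trojan's directory names; it renders like a space in the DOS code page.
SUSPICIOUS_CODEPOINTS = {0xFF}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit, as documented by Microsoft


def is_suspicious_name(name: str) -> bool:
    """True if the name contains a control character or code point 255,
    or has no printable ASCII character at all (i.e. it renders as blank)."""
    if not name:
        return False
    has_printable = any(32 < ord(c) < 127 for c in name)
    has_bad = any(ord(c) < 32 or ord(c) in SUSPICIOUS_CODEPOINTS for c in name)
    return has_bad or not has_printable


def scan_names(names):
    """Return the subset of a directory listing that looks renamed/hidden."""
    return [n for n in names if is_suspicious_name(n)]


def is_hidden(path: str) -> bool:
    """Report the hidden attribute where the platform exposes it (Windows).
    st_file_attributes is absent on POSIX, so this returns False there."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def scan_tree(root: str):
    """Walk a directory tree and report entries that are either hidden or
    carry a suspicious name; paths are returned relative to root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            if is_suspicious_name(entry) or is_hidden(full):
                findings.append(os.path.relpath(full, root))
    return findings


# Constructed sample listing (not real data) mimicking the renamed entries.
SAMPLE_NAMES = ["REPORT.TXT", "\xff\xff\xff", "DATA\x01.DOC", "AUTOEXEC.BAT", "\x1f"]

if __name__ == "__main__":
    print(scan_names(SAMPLE_NAMES))  # prints ['\xff\xff\xff', 'DATA\x01.DOC', '\x1f']
```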