Ransomware Prevention
Go based Ransomware/Malware
- BlackCat
- RobbinHood
- Nefilim
- EKANS
- Zebrocy - Russian state-sponsored group APT28 created a Go-based version of their Zebrocy malware last year.
- WellMess - Russian state-sponsored group APT29 deployed new upgraded versions of their Go-based WellMess malware last year.
- Godlike12 - A Chinese state-sponsored group deployed Go-based backdoors for attacks on the Tibetan community last year.
- Go Loader - The China-linked Mustang Panda APT deployed a new Go-based loader last year for their attacks.
- GOSH - The infamous Carbanak group deployed a new RAT named GOSH written in Go last August.
- Glupteba - New versions of the Glupteba loader were seen in 2020, more advanced than ever.
Nim based Ransomware/Malware
Rust based Ransomware/Malware
- Buer
Dlang based Ransomware/Malware
C
C++
.NET
C#
Java
Objective-C
Python
Perl
JavaScript
PowerShell
WebAssembly
Delphi
RAT (Remote Access Trojans)
- Cobalt Strike
- Remcos
- NanoCore
Crypto Miners
Data exfiltration
- Rclone
- 7-Zip
Malicious behavior
- Deleting backups and logs
- Changing firewall configuration
- Azure credentials
Which programming languages are hard to reverse engineer
Analyzing ELF and PE files
Win32 APIs
References:
Wazuh
- HIDS
- OSSEC
MISP
- Threat Intelligence
Zeek/Suricata/Snort
- IDS/IPS
pfSense
- Firewall
Perimeter security logs are collected from pfSense and Zeek (SPAN port), using Filebeat to forward the data to the ELK stack (Logstash).
AD/DC
- Winlogbeat
- Metricbeat
Linux server
- Auditbeat
- Metricbeat
- Filebeat
SOAR
- TheHive
- Siemplify
SOC Architectures
- Log collection
- Log parsing
- Events
- Threat intel (ingest)
- Threat detection
- Alerts
- Threat investigation
- Incident response
- Forensics
Netflow
- Switch SPAN port -> Zeek IDS -> multiple per-protocol logs
- Switch SPAN port -> Suricata -> JSON (EVE event log)
- Switch SPAN port -> Moloch/Arkime -> pcap
NSM distributions
- Security Onion
- SELKS
- CAPES Stack
- HELK
- ROCK NSM
Host data collection
- Event generation
  - OSSEC
  - Sysdig for container security
  - Windows Sysinternals
  - Sysmon
  - osquery
  - Wazuh
Data shippers/aggregators
- Beats
  - Filebeat
  - Winlogbeat
  - Auditbeat
  - Packetbeat
  - Journalbeat
  - Functionbeat
  - Heartbeat
  - DIY beats
- Logstash
- NXLog
- Fluentd
- NiFi
SIEM
- Graylog
- Apache Metron
- AlienVault
- Sigma
- Jupyter
- Sguil
- EveBox
Incident management
- TheHive
- Sigma
Preparation:
- Offline backup availability and integrity checks
- Maintain and audit golden images and build templates
- Use Infrastructure as Code (IaC) to deploy images
- Keep IaC under version control for audit purposes
- Store application source code or executables as backups
- Remove and replace outdated hardware
- Use multi-cloud solutions and maintain cloud backups, using immutable storage solutions
- Audit the cloud environment
- Develop and audit the incident response, communication and breach notification plan
- Develop a cyber incident response playbook
- Build and implement a Zero Trust Architecture
Prevention and Mitigation:
- Develop an attack surface discovery plan and audit the findings
- Monitor deep web notification/credential monitoring services
- Periodic vulnerability scans (review the CISA Known Exploited Vulnerabilities list)
  - External
  - Internal
  - VPN infrastructure
- Periodic patch management
- Asset security
  - BYOD
  - All devices on hybrid infrastructure
- Protocol, port and service usage metrics
  - RDP
- Have visibility into configuration and change management
- Implement MFA
- Disable weak protocols
  - SMB v1 and v2
- Audit SMB traffic
- Implement SMB signing and audit it
- Block external access to SMB
  - TCP 445
  - UDP 137
  - UDP 138
  - TCP 139
- Implement SMB encryption with Universal Naming Convention (UNC) hardening
- Log and monitor SMB and RDP traffic
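The SMB items in the checklist above, carried out on one Windows host as an added example (not part of the original notes): SMBv1 off, signing required on server and client, SMB3 encryption on, SMB1 access auditing on, UNC hardened paths for SYSVOL/NETLOGON, the SMB/NetBIOS ports restricted to internal address ranges, and a final report of the resulting state. The `$InternalRanges` values are placeholders for your own subnets; in a domain these settings would normally be delivered by Group Policy rather than run per host.

```powershell
# Added example, not from the original notes. Run in an elevated PowerShell
# session on Windows 10/11 or Windows Server 2016+ (AuditSmb1Access needs 2016+).
#Requires -RunAsAdministrator

# Placeholder: replace with the subnets your SMB clients actually live in.
$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

# 1. Disable SMBv1: both the server-side protocol flag and the optional
#    feature that ships the SMB1 driver.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null

# 2. Require signing on server and client; encrypt SMB3 traffic.
#    EncryptData forces SMB 3.x, so clients that only speak SMB2 are refused.
Set-SmbServerConfiguration -RequireSecuritySignature $true -EncryptData $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# 3. Audit remaining SMB1 client access (Microsoft-Windows-SMBServer/Audit log).
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 4. UNC hardened paths: mutual authentication and integrity for the domain
#    shares that Group Policy and logon scripts are fetched from.
$hp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
New-Item -Path $hp -Force | Out-Null
foreach ($share in '\\*\SYSVOL', '\\*\NETLOGON') {
    New-ItemProperty -Path $hp -Name $share -PropertyType String `
        -Value 'RequireMutualAuthentication=1, RequireIntegrity=1' -Force | Out-Null
}

# 5. Restrict the SMB/NetBIOS ports to internal ranges. Every existing inbound
#    allow rule on these ports is scoped to $InternalRanges; with the default
#    inbound action set to Block, external sources hit no allow rule at all.
#    An explicit block on the Public profile covers laptops on foreign networks.
$smbPorts = @(
    @{ Protocol = 'TCP'; Port = 445 },
    @{ Protocol = 'UDP'; Port = 137 },
    @{ Protocol = 'UDP'; Port = 138 },
    @{ Protocol = 'TCP'; Port = 139 }
)
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
foreach ($p in $smbPorts) {
    Get-NetFirewallPortFilter -Protocol $p.Protocol |
        Where-Object { @($_.LocalPort) -contains "$($p.Port)" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Set-NetFirewallRule -RemoteAddress $InternalRanges
}
$blockName = 'Block SMB/NetBIOS on public networks'
Get-NetFirewallRule -DisplayName $blockName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $blockName -Direction Inbound -Profile Public `
    -Protocol TCP -LocalPort 139, 445 -Action Block | Out-Null
New-NetFirewallRule -DisplayName "$blockName (UDP)" -Direction Inbound -Profile Public `
    -Protocol UDP -LocalPort 137, 138 -Action Block | Out-Null

# 6. Report the resulting state and which SMB dialects current clients use.
#    Sessions below dialect 3.x would be refused once EncryptData is on, so
#    this is the list to check before rolling the change out fleet-wide.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, RequireSecuritySignature, EncryptData, AuditSmb1Access
Get-SmbSession | Group-Object Dialect | Select-Object Name, Count
```

Step 5 scopes whatever "File and Printer Sharing" allow rules already exist rather than adding new allow rules, so a host that never shared anything stays closed; verify with `Get-NetFirewallRule | Get-NetFirewallAddressFilter` after running it.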
Initial Access:
- Implement
  - Phishing-resistant MFA and passwordless MFA
  - IAM
  - PAM
- Change default credentials
- Restrict use of root or system admin users
- Password minimum length and policies
- Password rotation
- Password management tools
- Failed login attempt metrics and audit
- Disable saving passwords in the browser using Group Policy
- Local Administrator Password Solution (LAPS)
- LSASS: implement the attack surface reduction rule
- Windows Credential Guard
- Use Windows PowerShell Remoting, Remote Credential Guard, or RDP with Restricted Admin mode
- Separation of admin and user accounts
- Conduct security awareness training
- Email attachments known to be bad
- Disable Office macros
- Disable Windows Script Host (WSH)
- Review malware infections
  - Ex: QakBot, Bumblebee, and Emotet
- Phishing email metrics and BEC scams
  - How many blocked
  - How many bypassed
- EDR implementation
- Windows Defender Application Control (WDAC), AppLocker
- Application allow listing
- Implement EDR on cloud
- Threat intel and feed it into the security stack
- Security awareness training
- Protective DNS
- Sandboxed browsers
- Monitor
  - SEO poisoning
  - Drive-by download
  - Malvertising
- Restricting PowerShell usage and alerts
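Several of the host-side items above (the LSASS attack surface reduction rule, browser password saving disabled by policy, Windows Script Host disabled, PowerShell logging so its use can be alerted on, and a Credential Guard status check) applied and then verified on one Windows host, as an added example that is not part of the original notes. It assumes Microsoft Defender Antivirus is the active engine (the ASR rule lives there) and writes the policy keys locally; in a domain the same keys would come from Group Policy. Credential Guard itself is only reported, since turning it on needs UEFI/VBS prerequisites and a reboot.

```powershell
# Added example, not from the original notes. Run elevated on Windows 10/11 or
# Server 2016+ with Microsoft Defender Antivirus active.
#Requires -RunAsAdministrator

# 1. ASR rule "Block credential stealing from the Windows local security
#    authority subsystem (lsass.exe)". Action values: 1 = Block, 2 = Audit, 6 = Warn.
$LsassAsrRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassAsrRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# 2. Stop Chrome and Edge from offering to save passwords (policy keys).
$browserPolicy = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)
foreach ($key in $browserPolicy) {
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'PasswordManagerEnabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

# 3. Disable Windows Script Host machine-wide (wscript.exe / cscript.exe refuse to run).
$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
New-Item -Path $wsh -Force | Out-Null
New-ItemProperty -Path $wsh -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null

# 4. PowerShell visibility: script block logging (event 4104) and module logging
#    (event 4103) in Microsoft-Windows-PowerShell/Operational, which is what a
#    SIEM rule for "unexpected PowerShell usage" keys on.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' `
    -PropertyType DWord -Value 1 -Force | Out-Null
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ModuleLogging" -Name 'EnableModuleLogging' `
    -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' `
    -PropertyType String -Value '*' -Force | Out-Null

# 5. Verify. Credential Guard is reported, not enabled, here:
#    SecurityServicesRunning contains 1 when Credential Guard is running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$credGuardRunning = @($dg.SecurityServicesRunning) -contains 1

$mp = Get-MpPreference
$ids = @($mp.AttackSurfaceReductionRules_Ids)
$asrState = 'not set'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $LsassAsrRule) { $asrState = $mp.AttackSurfaceReductionRules_Actions[$i] }
}

[pscustomobject]@{
    LsassAsrAction         = $asrState          # expect 1 (Block)
    CredentialGuardRunning = $credGuardRunning
    WshEnabled             = (Get-ItemProperty -Path $wsh).Enabled
    ScriptBlockLogging     = (Get-ItemProperty -Path "$psPolicy\ScriptBlockLogging").EnableScriptBlockLogging
    ModuleLogging          = (Get-ItemProperty -Path "$psPolicy\ModuleLogging").EnableModuleLogging
    ChromePasswordManager  = (Get-ItemProperty -Path $browserPolicy[0]).PasswordManagerEnabled
    EdgePasswordManager    = (Get-ItemProperty -Path $browserPolicy[1]).PasswordManagerEnabled
}
```

The ASR rule is set to Block directly; on a fleet with unknown software the usual path is to set it to Audit first, watch event 1122 in Microsoft-Windows-Windows Defender/Operational for what would have been blocked, and then switch to Block. The logging keys only produce events; forwarding them (Winlogbeat, from the stack above) is what turns "restricting PowerShell usage" into alerts.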
Keywords:
- CISA
- MS-ISAC
- FBI IC3
- NSA
- ZTA
References: