# Ransomware Prevention


## Ransomware and malware by implementation language

Go based Ransomware/Malware

* RobbinHood
* Nefilim
* EKANS (Snake)
* Zebrocy - the Russian state-sponsored group APT28 produced a Go-based version of its Zebrocy malware.
* WellMess - the Russian state-sponsored group APT29 deployed upgraded versions of its Go-based WellMess malware.
* Godlike12 - a Chinese state-sponsored group deployed Go-based backdoors in attacks on the Tibetan community.
* Go Loader - the China-linked Mustang Panda APT deployed a new Go-based loader.
* GOSH - the Carbanak group deployed a new RAT, GOSH, written in Go.
* Glupteba - new, more capable versions of the Glupteba loader were seen in 2020.

Go binaries are statically linked and carry runtime metadata (the `.gopclntab` section, the build ID string), which makes them large but also straightforward to fingerprint.

Nim based Ransomware/Malware

Rust based Ransomware/Malware

* BlackCat (ALPHV) - written in Rust (see the Unit 42 write-up in the references)
* Buer - the RustyBuer rewrite of the Buer loader

Dlang based Ransomware/Malware

Other languages seen in ransomware/malware (sections still to be filled in): C, C++, .NET / C#, Java, Objective-C, Python, Perl, JavaScript, PowerShell, WebAssembly, Delphi

## Tooling and behaviors seen in ransomware intrusions

RAT (Remote Access Trojans) and C2 frameworks

* Cobalt Strike (commercial red-team C2, widely abused by ransomware affiliates)
* Remcos
* NanoCore

Crypto Miners

Data exfiltration

* Rclone - syncs stolen data to cloud storage; frequently renamed on disk
* 7-Zip - stages data into (password-protected) archives before upload

Malicious behavior

* Deleting backups (volume shadow copies, backup catalogs) and clearing event logs
* Changing host firewall rules
* Harvesting Azure / cloud credentials
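The behaviors above are what host telemetry should alert on. The following is an added example (not code from the original page or any referenced project): it runs simple detection rules over constructed Sysmon-style process-creation events, covering shadow-copy and backup-catalog deletion, boot-recovery tampering, event-log clearing, firewall changes and Rclone/7-Zip staging, and correlates hits per host. It also keys on Sysmon's OriginalFileName field so a renamed rclone.exe is still caught. Field names, rule regexes and sample events are this example's own assumptions; Azure credential theft is not covered here.

```python
"""Flag ransomware precursor behaviour in process-creation telemetry.

Added example, not from the original page. Events use Sysmon Event ID 1
(process create) field names; the sample events below are constructed.
"""
import re
from collections import defaultdict

# (category, regex over the command line). Categories follow the page's
# "malicious behavior" and "data exfiltration" items.
COMMAND_RULES = [
    ("backup_destruction", r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("backup_destruction", r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("backup_destruction", r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b"),
    ("recovery_tampering", r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("log_clearing", r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b"),
    ("firewall_change", r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\b(set|add|delete)\b"),
    # rclone <subcommand> ... <remote>:<path>; a bare drive letter (C:) does not match
    ("exfil_tooling", r"\brclone(\.exe)?\b.*\b(copy|copyto|sync|move)\b.*\b[a-z][\w-]+:"),
    # 7-Zip "a" (add) with -p: staging data into a password-protected archive
    ("staging_archive", r"\b7za?(\.exe)?\b\s+a\b.*\s-p\S*"),
]
COMPILED_RULES = [(cat, re.compile(rx, re.IGNORECASE)) for cat, rx in COMMAND_RULES]

# Sysmon records the PE's OriginalFileName, which survives renaming the
# file on disk, so renamed copies of exfil tooling are still visible.
TOOL_ORIGINAL_NAMES = {
    "rclone.exe": "exfil_tooling",
    "7z.exe": "staging_archive",
    "7za.exe": "staging_archive",
}


def classify(event):
    """Return the set of categories one process-creation event matches."""
    categories = set()
    command_line = event.get("command_line", "")
    for category, rx in COMPILED_RULES:
        if rx.search(command_line):
            categories.add(category)
    original = event.get("original_file_name", "").lower()
    if original in TOOL_ORIGINAL_NAMES:
        categories.add(TOOL_ORIGINAL_NAMES[original])
        if original not in event.get("image", "").lower():
            categories.add("renamed_tool")  # e.g. rclone.exe running as svchost.exe
    return categories


def correlate(events, threshold=2):
    """Aggregate hits per host. A host with >= threshold distinct categories
    is escalated to high severity; a single hit stays a low-severity finding."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]] |= classify(event)
    findings = {}
    for host, categories in per_host.items():
        if categories:
            severity = "high" if len(categories) >= threshold else "low"
            findings[host] = {"categories": sorted(categories), "severity": severity}
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe", "original_file_name": "VSSADMIN.EXE",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "image": r"C:\Windows\System32\wevtutil.exe", "original_file_name": "wevtutil.exe",
     "command_line": "wevtutil cl Security"},
    {"host": "WS01", "image": r"C:\Windows\System32\netsh.exe", "original_file_name": "netsh.exe",
     "command_line": "netsh advfirewall set allprofiles state off"},
    {"host": "FS02", "image": r"C:\ProgramData\svchost.exe", "original_file_name": "rclone.exe",
     "command_line": r"svchost.exe copy D:\Finance mega-backup:loot --transfers 16"},
    {"host": "WS03", "image": r"C:\Windows\System32\vssadmin.exe", "original_file_name": "VSSADMIN.EXE",
     "command_line": "vssadmin list shadows"},  # benign: listing, not deleting
]

if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding["severity"], ", ".join(finding["categories"]))
```

Per-host correlation matters more than any single rule: `vssadmin delete shadows` alone has legitimate admin uses, but together with log clearing and a firewall change on the same host within a short window it is the classic pre-encryption sequence.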

## Analysis topics (to expand)

* Which programming languages are hard to reverse engineer (Go, Rust and Nim binaries embed their own runtimes, are statically linked and have historically been poorly supported by disassembler and decompiler tooling)
* Analyzing ELF and PE files
* Win32 APIs
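As an added example for the ELF/PE and language-fingerprinting topics above (not code from the original page): a small triage script that reads just enough of an ELF or PE header to report format, bitness, architecture and DLL/EXE type, then looks for runtime strings that Go, Rust, .NET, Nim, PyInstaller and Delphi binaries leave behind. The marker lists are heuristics assumed here and are defeated by stripping or packing; the sample binaries are constructed headers with marker strings appended, not real samples.

```python
"""Triage an unknown binary: file format, architecture and likely language.

Added example, not from the original page. The ELF/PE header parsing follows
the public format specs; the language markers are string heuristics and can
be defeated by stripping or packing. Sample binaries below are constructed
headers plus marker strings, not real malware.
"""
import struct

ELF_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64", 0xF3: "RISC-V"}
PE_MACHINES = {0x014C: "x86", 0x01C0: "ARM", 0x8664: "x86-64", 0xAA64: "ARM64"}
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
IMAGE_FILE_DLL = 0x2000

# Heuristic strings left behind by compilers/runtimes (assumed, not exhaustive).
LANGUAGE_MARKERS = {
    "Go": [b"Go build ID:", b".gopclntab", b"go.buildid", b"runtime.gopanic"],
    "Rust": [b"rust_panic", b"rust_begin_unwind", b"/rustc/", b".rustc"],
    ".NET": [b"mscoree.dll", b"_CorExeMain", b"_CorDllMain"],
    "Nim": [b"NimMain", b"nimFrame", b"@nim"],
    "Python (frozen)": [b"PyInstaller", b"Py_Initialize", b"pyi-runtime-tmpdir"],
    "Delphi": [b"Borland", b"Embarcadero", b"TForm"],
}


def identify_format(data):
    """Parse the ELF or PE header enough to report format, bits, arch and type."""
    info = {"format": "unknown"}
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big
        e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
        info.update(format="ELF", bits=64 if data[4] == 2 else 32,   # EI_CLASS
                    arch=ELF_MACHINES.get(e_machine, hex(e_machine)),
                    type=ELF_TYPES.get(e_type, str(e_type)))
    elif data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
        if e_lfanew + 24 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine, = struct.unpack_from("<H", data, e_lfanew + 4)
            characteristics, = struct.unpack_from("<H", data, e_lfanew + 22)
            info.update(format="PE", arch=PE_MACHINES.get(machine, hex(machine)),
                        bits=64 if machine in (0x8664, 0xAA64) else 32,
                        is_dll=bool(characteristics & IMAGE_FILE_DLL))
        else:
            info["format"] = "MZ (no PE header)"
    return info


def detect_languages(data):
    """Return languages whose marker strings appear in the file, most hits first."""
    hits = {lang: sum(1 for m in markers if m in data) for lang, markers in LANGUAGE_MARKERS.items()}
    return [lang for lang, n in sorted(hits.items(), key=lambda kv: -kv[1]) if n > 0]


def triage(data):
    result = identify_format(data)
    result["languages"] = detect_languages(data)
    return result


def build_elf64(e_machine, payload):
    """Constructed 64-bit little-endian ELF header (no program/section tables)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = struct.pack("<HHIQQQIHHHHHH", 2, e_machine, 1, 0, 0, 0, 0, 64, 56, 0, 64, 0, 0)
    return ident + header + payload


def build_pe(machine, payload, characteristics=0x22):
    """Constructed MZ stub + PE signature + COFF header (no optional header)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, characteristics)
    return dos + coff + payload


SAMPLE_GO_ELF = build_elf64(0x3E, b"\0.gopclntab\0Go build ID: \"constructed\"\0runtime.gopanic\0")
SAMPLE_RUST_PE = build_pe(0x8664, b"\0/rustc/constructed/library/core/src/panicking.rs\0rust_panic\0")
SAMPLE_DOTNET_DLL = build_pe(0x014C, b"\0mscoree.dll\0_CorDllMain\0", characteristics=0x2102)

if __name__ == "__main__":
    for name, blob in [("go.elf", SAMPLE_GO_ELF), ("rust.exe", SAMPLE_RUST_PE), ("net.dll", SAMPLE_DOTNET_DLL)]:
        print(name, triage(blob))
```

Treat the language result as a lead, not a verdict: a packed sample shows no markers until it is unpacked, and a stripped Go binary still keeps `.gopclntab` but loses symbol names.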

## References

* <https://unit42.paloaltonetworks.com/blackcat-ransomware/>
* <https://www.trendmicro.com/vinfo/us/security/definition/Ransomware>
* <https://github.com/redcode-labs/Neurax> (Go framework for self-spreading binaries)
* <https://github.com/redcode-labs/Coldfire> (Go malware development library)
* <https://github.com/ponty/pyscreenshot> (Python screenshot library)

## Open-source defensive stack

* Wazuh - HIDS (fork of OSSEC)
* MISP - threat intelligence sharing platform
* Zeek / Suricata / Snort - network IDS/IPS
* pfSense - firewall

Perimeter security logs are collected from pfSense and from Zeek (fed from a switch SPAN port) and forwarded with Filebeat to the ELK stack (Logstash).

AD / domain controllers

* Winlogbeat
* Metricbeat

Linux servers

* Auditbeat
* Metricbeat
* Filebeat

SOAR

* TheHive
* Siemplify

## SOC architecture

Pipeline, from raw data to response:

1. Log collection
2. Log parsing and normalization into events
3. Threat intel ingest (enrichment)
4. Threat detection, producing alerts
5. Threat investigation
6. Incident response
7. Forensics

## Network data collection

Netflow

Switch SPAN port feeds:

* Switch SPAN port -> Zeek - protocol-specific logs (conn, dns, http, smb, ...)
* Switch SPAN port -> Suricata -> JSON alerts and events (eve.json)
* Switch SPAN port -> Moloch/Arkime -> full PCAP

NSM distribution

* Security Onion
* SELKS
* CAPES Stack
* HELK
* ROCK NSM

## Host data collection

Event generation

* OSSEC
* Sysdig (container security)
* Windows Sysinternals
  * Sysmon
* osquery
* Wazuh

Data shippers / aggregators

* Beats
  * Filebeat
  * Winlogbeat
  * Auditbeat
  * Packetbeat
  * Journalbeat
  * Functionbeat
  * Heartbeat
  * DIY beats (libbeat)
* Logstash
* NXLog
* Fluentd
* Apache NiFi

SIEM

* Graylog
* Apache Metron
* AlienVault (OSSIM)

Detection content and analysis

* Sigma (vendor-neutral detection rules)
* Jupyter notebooks

Alert consoles

* Sguil
* EveBox

Incident management

* TheHive

## Preparation

* Offline backups: check availability and integrity regularly
* Maintain and audit golden images and build templates
* Use Infrastructure as Code (IaC) to deploy images
* Keep IaC under version control for audit purposes
* Store application source code and executables as backups
* Remove and replace outdated hardware
* Use multi-cloud solutions and maintain cloud backups on immutable storage
* Audit the cloud environment
* Develop and audit incident response, communication and breach notification plans
* Develop a cyber incident response playbook
* Build and implement a Zero Trust Architecture (ZTA)

## Prevention and Mitigation

* Develop an attack surface discovery plan and audit the findings
  * Monitor dark web notification / credential monitoring services
* Periodic vulnerability scans (review CISA's Known Exploited Vulnerabilities catalog)
  * External
  * Internal
  * VPN infrastructure
* Periodic patch management
* Asset security
  * BYOD
  * All devices in a hybrid infrastructure
* Protocol, port and service usage metrics
  * RDP
* Visibility into configuration and change management
* Implement MFA
* Disable weak protocols
  * SMBv1 (on Windows, SMBv2 and SMB 3.x share one setting, so disabling v2 also removes the v3 signing and encryption features; remove v1 and enforce SMB 3.x instead)
  * Audit SMB traffic
  * Implement and audit SMB signing
* Block external access to
  * SMB / NetBIOS
    * TCP 445
    * UDP 137
    * UDP 138
    * TCP 139
  * Implement SMB encryption and UNC hardened access (Group Policy "Hardened UNC Paths"; UNC = Universal Naming Convention)
  * Log and monitor SMB and RDP traffic
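The SMB/RDP items above translate directly into a check against Zeek conn.log. The following added example (not from the original page) parses conn.log's TSV format using its `#fields` header and flags the monitored services (TCP 445/139, UDP 137/138, TCP 3389) whenever they cross the internal/external boundary in either direction, noting whether the connection was actually established or only attempted. The internal prefixes, the column subset and the log lines are constructed assumptions.

```python
"""Audit Zeek conn.log for SMB/NetBIOS/RDP crossing the perimeter.

Added example, not from the original page. It parses Zeek's TSV conn.log
(header-driven, so the column subset below is fine) and flags connections
that the page's "block external access" items say should not exist:
internet -> internal SMB/RDP, and internal -> internet SMB/RDP. The log
sample and the internal address ranges are constructed assumptions.
"""
import ipaddress

# Assumed internal ranges; replace with the organisation's own prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (proto, responder port) -> service, matching the page's block list plus RDP.
MONITORED = {
    ("tcp", 445): "smb",
    ("tcp", 139): "netbios-ssn",
    ("udp", 137): "netbios-ns",
    ("udp", 138): "netbios-dgm",
    ("tcp", 3389): "rdp",
}
# Zeek conn_state values that imply a completed handshake (not a bare SYN/scan).
ESTABLISHED_STATES = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}


def parse_zeek_tsv(text):
    """Yield one dict per record; column names come from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def is_internal(addr, nets=INTERNAL_NETS):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def audit_conn_log(text, nets=INTERNAL_NETS):
    """Return findings for monitored services crossing the internal/external boundary."""
    findings = []
    for rec in parse_zeek_tsv(text):
        key = (rec["proto"], int(rec["id.resp_p"]))
        if key not in MONITORED:
            continue
        orig_in, resp_in = is_internal(rec["id.orig_h"], nets), is_internal(rec["id.resp_h"], nets)
        if not orig_in and resp_in:
            kind = "inbound_exposed"        # internet reached SMB/RDP on an internal host
        elif orig_in and not resp_in:
            kind = "outbound_to_internet"   # internal host talking SMB/RDP out (exfil/relay risk)
        else:
            continue                        # internal<->internal is normal for these services
        findings.append({
            "uid": rec["uid"], "kind": kind, "service": MONITORED[key],
            "orig": rec["id.orig_h"], "resp": rec["id.resp_h"], "port": key[1],
            "established": rec["conn_state"] in ESTABLISHED_STATES,
        })
    return findings


# Constructed conn.log excerpt (TEST-NET addresses stand in for the internet).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\n"
    "1700000000.1\tCabc1\t203.0.113.7\t51000\t10.0.0.5\t445\ttcp\tsmb\tSF\n"
    "1700000001.2\tCabc2\t10.0.0.23\t50000\t10.0.0.5\t445\ttcp\tsmb\tSF\n"
    "1700000002.3\tCabc3\t198.51.100.9\t40000\t10.0.0.9\t3389\ttcp\t-\tS0\n"
    "1700000003.4\tCabc4\t10.0.0.42\t61000\t203.0.113.50\t445\ttcp\tsmb\tSF\n"
    "1700000004.5\tCabc5\t10.0.0.42\t137\t10.0.0.255\t137\tudp\t-\tS0\n"
    "1700000005.6\tCabc6\t10.0.0.11\t52000\t93.184.216.34\t443\ttcp\tssl\tSF\n"
    "#close\t2023-11-14-22-13-25\n"
)

if __name__ == "__main__":
    for f in audit_conn_log(SAMPLE_CONN_LOG):
        print(f"{f['kind']:22} {f['service']:12} {f['orig']} -> {f['resp']}:{f['port']} established={f['established']}")
```

An established inbound SMB session from the internet means the perimeter block is missing; an unanswered `S0` attempt is scanning, still worth an alert. Outbound SMB to the internet is what a UNC path in a phishing document or an NTLM relay lure produces, which is why the page recommends blocking it rather than only the inbound direction.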

## Initial Access

* Implement
  * Phishing-resistant MFA and passwordless MFA
  * IAM
  * PAM
* Change default credentials
* Restrict use of root and system admin accounts
* Password minimum length and policies
  * Password rotation
  * Password management tools
* Failed login attempt metrics and audit
* Disable saving passwords in browsers via Group Policy
* Local Administrator Password Solution (LAPS)
* LSASS: enable the Defender attack surface reduction rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"
* Windows Defender Credential Guard
* Use PowerShell Remoting, Remote Credential Guard, or RDP with Restricted Admin mode for administration
* Separate admin and user accounts
* Conduct security awareness training
* Block known-bad email attachment types
* Disable Office macros
* Disable Windows Script Host (WSH)
* Review malware infections
  * e.g. QakBot, Bumblebee and Emotet, common ransomware precursors
* Phishing email and BEC scam metrics
  * How many blocked
  * How many bypassed
* EDR implementation
  * Windows Defender Application Control (WDAC), AppLocker
  * Application allow-listing
  * EDR coverage for cloud workloads
* Threat intel fed into the security stack
* Protective DNS
* Sandboxed browsers
* Monitor
  * SEO poisoning
  * Drive-by downloads
  * Malvertising
* Restrict PowerShell usage (script block logging, Constrained Language Mode) and alert on it
## Keywords

CISA, MS-ISAC, FBI IC3, NSA, ZTA (Zero Trust Architecture)

## References

* OFAC (U.S. Treasury) document: <https://ofac.treasury.gov/media/912981/download?inline>
* Stop Ransomware | CISA: <https://www.cisa.gov/stopransomware>
* Cross-Sector Cybersecurity Performance Goals | CISA: <https://www.cisa.gov/cross-sector-cybersecurity-performance-goals>
* Public Power Cyber Incident Response Playbook: <https://www.publicpower.org/system/files/documents/Public-Power-Cyber-Incident-Response-Playbook.pdf>
* Zero Trust Maturity Model | CISA: <https://www.cisa.gov/zero-trust-maturity-model>
* NSA CSI: Mitigating Cloud Vulnerabilities (2020-01-21): <https://media.defense.gov/2020/Jan/22/2002237484/-1/-1/0/CSI-MITIGATING-CLOUD-VULNERABILITIES_20200121.PDF>
* KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) - Microsoft Support: <https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>
* Overview of Server Message Block signing - Windows Server | Microsoft Learn: <https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing>
* Manage Windows Defender Credential Guard | Microsoft Learn: <https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage>
* Exchange Online Protection feature details | Microsoft Learn: <https://learn.microsoft.com/en-us/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-feature-details?tabs=Anti-spam-and-anti-malware-protection>
* CISA Insights - Cyber: Enhance Email & Web Security: <https://www.cisa.gov/sites/default/files/publications/CISAInsights-Cyber-EnhanceEmailandWebSecurity_S508C-a.pdf>
* How DMARC Advances Email Security (CIS): <https://www.cisecurity.org/insights/blog/how-dmarc-advances-email-security>
* Malicious Domain Blocking and Reporting (MDBR) (CIS / MS-ISAC): <https://www.cisecurity.org/ms-isac/services/mdbr>
* Macros from the internet are blocked by default in Office | Microsoft Learn: <https://learn.microsoft.com/en-us/deployoffice/security/internet-macros-blocked>
* NSA/CISA CSI: Selecting a Protective DNS Service (2021): <https://media.defense.gov/2021/Mar/03/2002593055/-1/-1/1/CSI_Selecting%20a%20Protective%20DNS%20Service_U00117652-21.PDF>
* Microsoft Office 365 Security Recommendations (AA20-120A) | CISA: <https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-120a>
* NSA/CISA CSI: Keeping PowerShell: Security Measures to Use and Embrace (2022-06-22): <https://media.defense.gov/2022/jun/22/2003021689/-1/-1/1/csi_keeping_powershell_security_measures_to_use_and_embrace_20220622.pdf>
* Best Practices for Securing Active Directory | Microsoft Learn: <https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory>
* BloodHound, Software S0521 | MITRE ATT&CK: <https://attack.mitre.org/versions/v13/software/S0521/>
* Securing Active Directory Administrative Groups and Accounts | Microsoft Learn: <https://learn.microsoft.com/en-us/previous-versions/tn-archive/cc700835(v=technet.10)?redirectedfrom=MSDN>
* Albert Network Monitoring and Management (CIS): <https://www.cisecurity.org/services/albert-network-monitoring>
* 6 Incident Response Steps to Take After a Security Event (Exabeam): <https://www.exabeam.com/incident-response/steps/>
* Malware analysis submission (US-CERT): <https://www.malware.us-cert.gov/>
* Election Security Spotlight - Malware Analysis (CIS): <https://www.cisecurity.org/insights/spotlight/cybersecurity-spotlight-malware-analysis>