I. Background

1. Domestic and foreignextortion attacksituational

The number of ransom attacks remains high globally. A visualization of the amount of cyber ransom losses in the international cyber liability insurance market from "Selected Trends in the International Cyber Liability Insurance Market from the Renewal of the January 1, 2022 Rollover" incyber securityThe share of overall insurance losses has been increasing, and the industry's loss structure has changed radically from below 301 TP3T in 2019 to nearly 801 TP3T in 2021.

Losses from ransom attacks come mainly from business interruption, ransom payments,data breachThree aspects. According to IBM's 2023 report, The Cost of a Data Breach, the average global ransom payment is $1.7 million, the average global cost of business interruption is $2.65 million, and the average global cost of a data breach is $4.2 million.

The domestic ransom attack on the enterprise is not a few, but all choose to deal with the secret and strictly prevent leakage. In recent years, the banking industry, securities industry regulators, have issued requirements and notices to prevent ransomware attacks, while company leaders have repeatedly emphasized the need to do a good job of protection. Recently, we have received a more detailed guide issued by the regulator.

2. Status of the ransom attack industry

Why do attackers choose ransom attacks?

First, high reward and low risk: ransom attacks can often yield high rewards in a short period of time. Ransom attacks are relatively low risk compared to other forms of cybercrime. The use of cryptocurrencies for ransom payments can effectively evade tracking by financial institutions and law enforcement agencies, increasing the likelihood that attackers will go unpunished.

Second, it is broadly targeted and easy to implement: ransom attacks have a wide range of targets and can be directed at individual users, businesses, healthcare organizations, government agencies, and so on. Ransom attacks usually use sophisticated ransomware tools that are often easy to obtain and use.

Third, information is irreplaceable: for some organizations and individuals, their data may be irreplaceable, especially when it comes to unique intellectual property, customer information, research data, etc.

Fourth, lack of defenses: some organizations and individuals lack effective backup strategies andsafety protectionmeasures, making them more vulnerable to ransom attacks.

3. Status of industry ransom attacks

Emergence of domestic firmsinformation securityWhen incidents occur, most of them adopt the strategy of blocking the news and eliminating the impact. As a result, it is rare to see cases of ransom attacks in public information, but related incidents can often be heard sporadically in security circles. As a result, when the security team reports to the company leaders, there are few or no clear and detailed cases, which cannot benignly drive the construction of enterprise security and the development of the security industry.

For example, a security was blackmailed during non-opening hours and the disposal was completed before the market opened by working overtime 24 hours a day over the weekend.

two,on-the-spot exercisereasoning

1. Doubts and misconceptions in the face of ransom attacks

Some of the common queries, can there be antivirus to defend against ransom attacks? Can there be a defense against ransom attacks with tech gurus? Can I defend myself against ransom attacks if I have a contingency plan? Can you defend against ransom attacks if you have a sandbox rehearsal? Can a comprehensive information security protection system defend against ransom attacks?

Some common perceptions, to continue to study the ransom attack samples in the terminal to kill the virus; to use the "four-step approach" to cover the gateway, traffic, terminal, the establishment of ransom attacks in-depth protection system; ransom attacks on the premise of being breached, you should focus on the matter, do a good job in the contingency plan ... ...

Only when a ransom attack occurs do we realize that no one reads the so-called specification, that the contingency plan doesn't work, that we can't remember the operational procedures, that no one answers the phone, that the samples bypass the antivirus, and that the samples can also bypass theEDR, it turns out that the command parameters will not work, it turns out that the network blocking does not take effect, it turns out that the personnel capabilities are such that it turns out that the results are such that ......

2. The best program to face ransom attacks

Some considerations in the face of ransom attacks: companies need to make choices that are appropriate for them based on major factors such as regulation, company, budget, personnel, and time. As for the securities industry, regulation has clear requirements for ransom attack prevention, and there are rumors of incident cases, for the elimination of large security risks companies are generally supportive of the budget is not a big problem, but personnel and time is extremely scarce.

Some options for facing ransomware: one is to just lie down; the other is to formulate a ransom attackEmergency Responseprogram; third, develop a ransom attack emergency response program and conduct a sandbox exercise; and fourth, develop a ransom attack emergency response program and execute a live exercise.

The best ROI program is that the security team pulls together operations and maintenance, research and development to engage in real-world exercises, but pay attention to risk control. The actual combat is always the most effective and grounded method, I believe many peers know the 721 rule, 70% growth from the actual combat.existcyber securityof the world, just because something didn't go wrong doesn't mean the outcome was good.The fact that you weren't attacked and didn't end up in trouble only means you were lucky.Having it attacked but disposed of properly is what makes it really good.

Real practice with real guns builds realextortionstargetLine of Defense.

III. Practical exercise program

Taking the "real gun" as the starting point, we followed the principles of realism, controllability, and advanced technology to develop and implement a highly reproducible extortion drill.

1. Objectives of the practical exercise

Ransom attack live drill is the closest to the real situation, the best results, the most can improve the team's ability to combat, but the most difficult and costly is also an indisputable fact. Therefore, before we start planning a ransom drill, we need to clarify the objectives of the ransom drill again. We summarize the objectives of this extortion drill as follows:

1. 1. 1. Evaluate the effectiveness of ransom protection measures at this stage, defense effectiveness;

      2. Assessing the true level of security team response to ransom attacks (a bit of a float on a day-to-day basis);

      3. Discover security risks that can be exploited by ransom attacks and fix them in a timely manner;

      4. Evaluate emergency response capabilities and business recovery in the face of ransom attacks;

      5. Evaluate the operability and effectiveness of ransom attack emergency response programs;

      6. Raise awareness of ransom attack security among company employees.

2. Principles of practical exercises

Technological Advancement.In order to maximize the effect of real-world drills, the ransom attack drills use real ransom gangs as imaginary enemies to assess the real protection capabilities in the face of ransom attacks. We try our best to use real ransom attack techniques and samples, adopt the intrusion method combining manual + automated tools, use social worker form of delivery, and the samples have strong anti-killing ability.

3. Practical exercise process

Develop a ransom attack practical exercise plan, dividing the entire ransom exercise process into four stages: planning, preparation, execution, and conclusion:

planning stage

In this phase, we start by defining the objectives of the exercise and pulling together a consensus with all parties involved;

The second step is based on the existing asset segments, network topology and security products deployed in the location and coverage of the security status quo assessment, to this point we should have a general understanding of the weak points in the entire network architecture and the security level, which will help the subsequent development of contingency plans;

Based on this, we need to determine the time of the exercise, determine the scope of the exercise to be conducted such as office area, testing area, etc. with the objective of the exercise, and develop a script for the exercise, as well as initially determine the TTP of the attacker;

Then there is the confirmation of personnel and resources. It is necessary to set up the command department of the exercise, under the attack and evaluation group, defense group and resource scheduling group, and to confirm the personnel, including whether to arrange the "mole", "actors" and so on. Confirmation of resources for the exercise should be as detailed as which network segments and assets are available for use.

Ultimately, the exercise plan and timelines are dropped in the form of an executable form.

preparatory phase

At this stage we are divided into two groups, the attacker's main goal is to prepare for the success of the attack, while at the same time doing a good job of perfect risk control, and the defense group needs to develop contingency plans.

The attacker first needs to establish a simulation environment, we end up with a combination of virtual terminals and real terminals, both appropriate to build the virtual environment required for the exercise, but also retains part of the real environment, can simulate the invasion process of extortion and the process of emergency response of the branch units, but also able to peddle the effect of the exercise, to ensure that the process of the various phases of the smooth running of the process. Next is to prepare relevant attack tools and techniques according to the TTP of the planning stage, to verify the effectiveness and controllability of the simulated virus, and at the same time, taking into account the controllability and visualization of the rehearsal tempo, it is necessary to deploy and test the support platform, to realize the virus one-key placement and cleanup, as well as real-time display of the effect of the rehearsal process; throughout the entire preparation stage is the risk control, including the control of simulated viruses, the safety of rehearsal personnel Throughout the entire preparation stage is risk control, including simulated virus control, security of exercise personnel and exercise white list and other mechanisms.

After the defense has developed the emergency plan, it will be revised under the guidance of the emergency assessment team and finalized for output.

Implementation phase

After the preparation is completed, the attack team will "as promised" by the near source, email phishing and other ways to attack into the exercise simulation environment, delivery of simulated ransomware virus, and at a predetermined time to start spreading.

During this period, the defense team will use the deployed security devices to detect the attacks. After the outbreak of the simulated virus, the ransom drill officially enters the emergency response process, and the effectiveness of the security level and emergency response plan at this stage will be thoroughly tested.

Throughout the execution phase, the Emergency Assessment Team scores the defense's emergency response capabilities and guides the defense through the emergency response process, in addition to collecting and analyzing data and information from the entire exercise.

Wrap-up phase

Based on the results and data of the drill, we will produce the Ransom Drill Attack Report, Ransom Drill Emergency Response Report, and Ransom Drill Summary Report. Through the reports and review sessions, we will summarize and assess the effectiveness and value of the ransom drill, and use the results and data as a guide to propose improvement and enhancement measures for enterprise security, and to update and improve the enterprise's security defense architecture and strategy.

IV. Effectiveness of practical exercises

On the whole, it seems that our mindset has gone through a change from "I think I can" to "I think I can" in this practical exercise, and the problems exposed under the practical exercise are very comprehensive.

1,Contingency planningI think I can

The "theoretically possible" path has long since been littered with pitfalls.

In the preparation stage, we have formulated and revised the "Ransom Attack Security Management Specification", "Ransom Attack Emergency Response Procedure", "Ransom Attack Emergency Operation Manual", "Ransom Attack Vertical Defense Program", prepared the Ransom Attack Emergency Response Toolkit, and even did the sandbox rehearsal in advance, and also generated the "Ransom Attack Sandbox Rehearsal Report". In addition, it must be mentioned that in the ransom attack rehearsal, it is also important to confirm the controllability of the samples.

But norms, programs, processes, manuals, and toolkits never equal effectiveness, and sometimes they don't even have anything to do with it. As adults often say, it's fine in theory, you make sense, but not necessarily in practice.

2. Shouldemergency managementI think I can.

At this stage, some problems start to appear, but at this point we still feel that "it's not a big problem":

Alarm bypass. There are many prerequisites for a security system to be effective, such as having a real security system, assets to be covered, policies to be updated, alarms to be operational, people to be online, etc., but in this exercise there was a clear alarm bypass.

Improper disposal. Emergency response occurs very rarely in the day-to-day work and practical experience is difficult to gain. Due to the lack of experience, there can be a very serious disconnect between theory and practice. For example, how to remotely troubleshoot after a network outage.

Blocking is too slow. The process of emergency blocking requires multi-team coordination, and the minimal use of the channel once it is established leads to problems such as phone calls and staff vacations when they are actually contacted.

3,investigate the origin of sth.I thought I could

Being attacked is not scary; not being able to find the source of the attack and not knowing what is attacking me is the most frightening. The problems that arose during the tracing stage are a wake-up call:

Cannot be detected. The problem still appears in the practical experience, when ransom attacks bypass the security system protection, it requires security personnel to have a deep enough understanding of ransomware and rich experience in emergency response to be able to quickly troubleshoot it. Although asking GPT can solve part of the problem, the effect is limited.

Incomplete evidence collection. Improper disposal can lead to the loss of critical samples, processes, and evidence, and sample behavior should be analyzed in a timely manner after obtaining samples. At the same time, forensics is a great test of security personnel Linux and Windows skills. Improper forensic operations such as: directly let the user shut down, reboot, can not handle their own failure to borrow third-party capabilities in a timely manner.

Recovery is not possible. Backup is the most effective way to deal with ransom attacks, otherwise you can only decrypt it yourself, or ask for help from security vendors, or pay ransom to the attackers. However, sometimes backups are not taken in time, and backups can be encrypted.

V. Summary and outlook

The rewards of the practical exercise were all-encompassing and ended up largely meeting expectations.

1, no practice of the theory and waste paper is no difference

It is impossible to have a global view without going through a complete exercise. An unproven contingency plan is a waste of paper. People who have not really been hit by the blow, the mentality can not really zero, and it is impossible to break the inherent cognition. Do security to keep an empty cup mentality, practice first theory to follow up. No investigation is no right to speak, and investigation is practice.

2. It is difficult to pass without regular practice

Do once can only solve the problem of not understanding, three times can only solve the problem of will not, ten times can solve the problem of skillful, and a hundred times to solve the problem of proficiency. Adhere to the real battle drill, adhere to the review and summarize. Real confrontation with real scenarios in order to really win the battle.

Source reference:

https://mp.weixin.qq.com/s/yHJhWBpMj4vd-3XNHzcrtA