New (ISC)² Executive Director Introduction: Building on Our Successes & Striving for Excellence

I’m pleased to start off 2015 as the new (ISC)² executive director. As someone who has been entrusted with information security responsibilities throughout my career, I welcome the opportunity to speak out about the challenges we face on behalf of those working to keep our cyber world safe.

During my past two years as COO at (ISC)², I’ve seen the organization make positive strides toward establishing a member focus; however, this is a sustained commitment with more work to be done. I want to build on the momentum of our successes while continuing to evaluate areas that we need to improve so that we’re continually striving for excellence in everything we do.

As the new (ISC)² executive director, I want to continue on the path of success we’ve achieved under the leadership of Hord Tipton, whose boundless energy and enthusiasm for all things information security and (ISC)² are unrivaled in the industry. I understand that I have big shoes to fill.

My own background includes 14 years working with the U.S. Coast Guard before moving to the U.S. Department of the Interior, where I ultimately served as deputy CIO. At both organizations, I was fortunate to work with some true visionaries who understood the role IT could play in these large, dispersed organizations with diverse missions. The last ten years of my government career, I served at the senior executive level before joining (ISC)² in 2012. My full bio can be found on the (ISC)² website at https://www.isc2.org/management-team.aspx.

Having worked in the profession and having dealt with the challenges of managing large infrastructure as well as the challenges associated with information security, I come into this role with passion and sincerity to advocate for the profession. I also have a sense for the hard work that goes into this across the board – not just the security roles, but IT professionals that may monitor and manage infrastructure that hosts or provides access to enterprise information assets.

I think there are some parallels between public service and a not-for-profit that’s membership oriented. We’re here on behalf of you – the global membership. The investments and decisions we make should stand up to the questions and transparency we need to demonstrate to our members and always need to deliver value.

I take my new responsibility of being the leader and public face of this organization very seriously. My first order of business will be to continue to advance our global partnerships to ensure a smooth transition and to continue building rapport with the lifeblood of our organization – the global (ISC)² membership. There’s certainly more work to be done on behalf of the membership to advance our mission globally, and I plan to roll my sleeves up to further that cause.

We have a broad range of initiatives underway, so I will ensure those projects come to fruition. It’s not always about adding new ideas to the pipeline. I’ve always respected people and organizations that demonstrate the ability to make great ideas a reality. During my tenure as executive director, I plan to advance the goals and objectives that our Board of Directors has put forth for the organization and its 100,000-plus global membership.

I look forward to this exciting new challenge of becoming the leader of (ISC)². Let’s make 2015 a prosperous and progressive year!

[(ISC)² Blog]

A Different View: Understand and Prevent Encrypting Ransomware


In recent years, the cybersecurity world has observed various changing trends in the malware landscape. From plain viruses and worms through DDoS botnets and banking Trojans, criminal organizations and malware authors are always trying to ramp up their attack abilities to adapt to the advancing security market and stay ahead of detection and prevention technology.

One of the most recent evolutions of this cat-and-mouse game is encrypting ransomware, which has lately become very popular with cyber criminals. The figure below shows the number of encrypting ransomware variants that have been spotted in attacks around the world, by the date on which they were first spotted:

An encrypting ransomware is a malicious piece of software that infects a computer and encrypts all of its valuable files. The ransomware reaches the computer by way of exploiting a vulnerability (typically in a browser or a document reader), or via a downloaded executable run by an unsuspecting user. The malicious payload then encrypts valuable files on the machine (e.g. documents, images, certificates, etc.), requesting payment for their decryption within a certain time-frame.

The key needed for decryption is uploaded to a remote C&C server and is not stored on the local machine, making remediation very difficult. Removing the malware is not enough, since the bulk of the user’s files are encrypted and cannot be recovered without the key. Thus, if the victim chooses not to oblige within the given time-frame, the files remain encrypted with very little hope of recovery.

The effectiveness of this threat has contributed to its popularity among cyber criminals, who use it to infect individuals and organizations alike.

Looking at Things Differently

Most of the publications on encrypting ransomware focus on the infection methods, the encryption algorithm, or the C&C server communication. In this post, we look at ransomware from another angle, by analyzing the file operations they perform on the files they encrypt. A high-level overview using simple methods can provide significant insight into malware behaviors — insight that might otherwise go unnoticed when delving into the little details.

We can divide encrypting ransomware into three categories, based on the way they access and modify files:

  1. Write-in-place
  2. Rename-and-encrypt
  3. Create-encrypt-and-delete

As part of our ongoing research into battling these pieces of ransomware, we analyzed many samples and variants, coming from different origins. We present a summarized study of some of the samples we analyzed, one for each of the aforementioned techniques.

Write-in-place

The ransomware in this category operate in the following manner:

  1. Create a temporary file
  2. Read the original file
  3. Encrypt the data and write it to the temporary file
  4. Read the encrypted data from the temporary file
  5. Write the data back to the original file
  6. Delete the temporary file

Ransomware of this type includes CryptoLocker, CryptoWall, CryptoDefence and DirCrypt.

Note that process memory can be used as the temporary storage area instead of a temporary file, and the malware still belongs to this category.

As an example, let us analyze a sample of the DirCrypt ransomware (md5:0e5e8f6edd2c1496614bb6a71ba3f256), which uses the process’s memory as its temporary workspace, as depicted below:

  1. Open the file using CreateFile
  2. Get the file size and data length using GetFileInformationByHandle
  3. Read the file’s data (piece by piece), encrypt the data in memory, and write it back to the same file
  4. Finally, close the file, as shown below

Upon opening the encrypted file, the user is faced with this message:

Rename-and-encrypt

Ransomware belonging to this category operate as follows:

  1. Rename the original file.
  2. Read the renamed file.
  3. Encrypt the data and write it back to the renamed file.
  4. Rename the file again to the original name (+ some extension).

Ransomware such as Onion/CBT/Critroni exhibit this method of operation.

This type of sequence is more complex than the first technique presented, since the file is renamed before the encryption. The defender might therefore need to keep track of all the different names a file may have.

An analysis of an Onion ransomware sample (md5: 10a472ec4a6687f1c432c639effbae00) shows the following actions being performed on the files to be encrypted:

  1. Open the file using CreateFile
  2. Rename the file using SetFileInformationByHandle to a file in a Temp directory, named 0.tmp
  3. Get the file size and data length using GetFileInformationByHandle
  4. Read the renamed temp file, encrypt the read data, and write it back to the same file
  5. Set a new file size with SetFileInformationByHandle
  6. Rename the file again, this time to the original name, in the original path, with a “.ctb2” extension, using SetFileInformationByHandle

Note that the malware uses GetFileInformationByHandle and SetFileInformationByHandle to preserve the original timing attributes of the file.

After all files of interest have been encrypted, the following message appears:

Create-encrypt-and-delete

The operations performed by malware in this category are:

  1. Create a new file
  2. Write the encrypted data to the new file
  3. Delete the original file

Ransomware such as ZeroLocker and TorrentLocker use this method when encrypting files.

This technique is the hardest to identify as a malicious activity, since the API calls by themselves can’t associate the events of creation, writing and deletion together and show that they correspond to the same files. Furthermore, legitimate operations, such as moving files between different hard drives, might produce similar logs.

Analysis of a sample of the ZeroLocker ransomware variant (md5:3772a3deeb781803a907ed36ee10681d) shows that for each of the files in a set of predetermined directories, the following actions are performed:

  1. Open the file using CreateFile
  2. Create a new file in the same location, with the same name and an additional “.encrypt” extension
  3. Get the file size and data length using GetFileInformationByHandle
  4. Read the original file, encrypt it, and write it to the newly created file
  5. Delete the original file using SetFileInformationByHandle

At the end of this procedure, the ransomware creates a directory named “ZeroLocker” with two files. One of the files contains the following message:
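As an added example (not code from the original post or from Palo Alto Networks), the following Python classifier runs the three file-operation patterns described above over a constructed event log. The event format, the sample paths and the `classify` function are assumptions for the illustration; the point is that a defender must follow renames and created copies back to the original file before the pattern becomes visible.

```python
from collections import defaultdict

# Constructed sample of file-activity events from one process, in the order a
# monitor would see them: (operation, path) or ("rename", old, new). The event
# format itself is an assumption for this example, not from the post.
EVENTS = [
    # DirCrypt-style: read and write back on the same file
    ("open", r"C:\docs\a.docx"), ("read", r"C:\docs\a.docx"), ("write", r"C:\docs\a.docx"),
    # Onion/CTB-style: rename to a temp name, rewrite, rename back plus extension
    ("open", r"C:\docs\b.xlsx"), ("rename", r"C:\docs\b.xlsx", r"C:\Temp\0.tmp"),
    ("read", r"C:\Temp\0.tmp"), ("write", r"C:\Temp\0.tmp"),
    ("rename", r"C:\Temp\0.tmp", r"C:\docs\b.xlsx.ctb2"),
    # ZeroLocker-style: write a sibling copy, then delete the original
    ("open", r"C:\docs\c.pdf"), ("create", r"C:\docs\c.pdf.encrypt"),
    ("read", r"C:\docs\c.pdf"), ("write", r"C:\docs\c.pdf.encrypt"), ("delete", r"C:\docs\c.pdf"),
]


def classify(events):
    """Map each original file path to the file-operation technique used on it."""
    origin = {}               # current path -> original path (follows renames and copies)
    facts = defaultdict(set)  # original path -> set of observed facts
    for ev in events:
        op, path = ev[0], ev[1]
        if op == "rename":    # keep the identity of the file across its new name
            orig = origin.pop(path, path)
            origin[ev[2]] = orig
            facts[orig].add("renamed")
            continue
        if op == "create":    # a new name that extends a tracked file is a candidate copy
            parents = [o for o in origin if path.startswith(o + ".")]
            if parents:
                origin[path] = parents[0]
                facts[parents[0]].add("copy-created")
            continue
        orig = origin.setdefault(path, path)
        if op == "write" and path != orig:
            facts[orig].add("copy-written" if "copy-created" in facts[orig] else "written-renamed")
        elif op == "write":
            facts[orig].add("written-in-place")
        elif op == "delete":
            facts[orig].add("deleted")
    result = {}
    for orig, f in facts.items():
        if {"copy-written", "deleted"} <= f:
            result[orig] = "create-encrypt-and-delete"
        elif "renamed" in f:
            result[orig] = "rename-and-encrypt"
        elif "written-in-place" in f:
            result[orig] = "write-in-place"
    return result
```

As the post notes, a legitimate move between volumes also produces create, write and delete on related names, so the third label marks a candidate for further checks (volume, many files in a short time, unreadable output), not a verdict on its own.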

Conclusions

In this post we examined the methods of operation for several common ransomware samples. The first method, write-in-place, is the simplest in terms of file operations. The second method, rename-and-encrypt, is very similar to the first, but adds the complexity of tracking all the different names a file may possess.

The last method, create-encrypt-and-delete, is the file-operation method used by ransomware that is the most challenging to identify. This stems from the fact that the file operations involved can be seen in everyday use-cases, and it is hard to relate them to malicious activity that aims to encrypt files on the machine.

Palo Alto Networks has been researching a solution in Advanced Endpoint Protection that, based on our lab tests, would have blocked the ransomware families mentioned above and prevented malicious activity. We hope to share more details of this solution in the coming months.

[Palo Alto Networks Blog]

Lessons from the Sony Breach: Four Things That Need to Happen Now

When the finger pointing about attribution stops, the recent Sony breach will endure as one of the three most significant cybersecurity events of 2014 because it once again highlighted a number of critical gaps in the ability of individual organizations to defend themselves against targeted attacks. A breach of this magnitude can make us all wonder, how are organizations supposed to defend themselves when attacked by a nation state, or a highly organized criminal group with deep pockets and high levels of know how?

Think about it this way. If an organization’s headquarters or a branch office were under physical attack by armed assailants, they normally would call the police, who would dispatch the SWAT teams and other resources needed to physically protect the organization from further harm. But in today’s world of advanced cyberthreats, when an organization is under siege, there generally is no such protection offered to them.

Organizations must defend their information assets in today’s threat landscape. And here are four steps they should take immediately.

  1. First of all, organizations must develop a stark sense of reality about what they can do well and what they cannot in cybersecurity. CIOs, CISOs, and security leaders must revisit the organizational structure and skills of their security teams and IT staffs that have any responsibility for securing information assets. This analysis involves a deep review of what currently are or can be core competencies for the organization, and where they might need help from outsiders. Important questions to ask include:
    • What is the right structure for the security team?
    • What skills are required and where are the gaps?
    • If we need to have these skills in-house, do we need training and certifications?
    • Which additional skills should we hire, and which should we outsource to service providers who are more experienced in these areas?
  2. Foster deeper collaboration within your industry and across industries. We all know that the bad guys share information freely and across borders and do not have to play by the rule of law. So, it is critical for the good guys to have more opportunities at all levels to collaborate both electronically and in person to share information and intelligence about current attack techniques and emerging threats. We need more effective collaboration forums than we have today. Better collaboration will help alert companies to the latest threats and help them identify the right solutions and service providers. There is some great collaboration happening in certain industry sectors today—financial services is the most successful example—but we need a significant increase in information sharing and collaboration—and this change requires more trust among practitioners and changes to regulatory and legal frameworks. One of the missions of ISACA’s Cybersecurity Nexus (CSX) is to create additional collaborative environments going forward for practitioners at all levels to share information.
  3. Take a back-to-basics approach by focusing on protecting that which matters most to the organization with solid security controls. More organizations should implement effective governance and controls frameworks, such as the U.S. NIST Cybersecurity Framework and ISACA’s COBIT framework. When an organization fully commits to implement a model framework, it has a much higher likelihood of success in protecting its crown jewels—with the added benefit of not having to reinvent the wheel. If a company focuses on good controls based on accepted standards and frameworks, some of the cyber risks they are facing would be greatly reduced.
  4. Do not just create good contingency plans and incident response plans—practice them. It is critical to involve a wide variety of players across the organization—not just IT and security. Communications, legal and senior management all must be involved—and so must the necessary outside service providers who augment an organization’s key cyber skills. For incident response plans to be effective, the internal and external ecosystem must be well understood, and all parties must be ready to act. Given what we all observed in 2014, practice may not make perfect, but it sure will help a lot.

Last, but certainly not least, it is critical that security practitioners understand the relationship between their organization, its people, its IT assets and the kinds of adversaries and threat actors they are facing. Only through this analysis can the right cybersecurity program be designed and implemented, with budget, skills, intensity, and performance all balanced at the appropriate levels.

Eddie Schwartz, CISA, CISM
President, White Ops, Inc.
Chair, ISACA’s Cybersecurity Task Force

[ISACA]

Measuring the Total Economic Impact of an Enterprise Security Platform

Our Enterprise Security Platform brings network, cloud and endpoint security into a common architecture, with complete visibility and control, ensuring your organization can detect and prevent attacks while safely enabling an increasingly complex and rapidly growing number of applications.

Head here to see a document highlighting survey results from Forrester Research that illustrate the total economic impact of the platform and its fundamental advantages over a collection of point products.

[Palo Alto Networks Blog]
