Outdated Privacy Act Close to Getting an Upgrade

The outdated Electronic Communications Privacy Act (ECPA) may finally get a much-needed upgrade, but the reform can’t come soon enough for Microsoft, other cloud providers and privacy advocates. Here’s what you need to know:

The issues:
The ECPA was enacted in 1986, as electronic communication started to become more prevalent. The intent was to extend federal restrictions on government wiretaps from telephones to computer communications. But as we created other electronic communication devices and moved content to the cloud, the Act became outdated. The primary gripes are that it:

  • Allows government agencies to request emails more than 180 days old with just an administrative subpoena, which the agency itself can issue, vs. having to get a warrant from a judge.
  • Doesn’t require notifying affected customers when their data is being requested, giving them a chance to challenge the data demand. In fact, the Act includes a non-disclosure provision that can specifically prohibit providers from notifying customers.

The lobbying and lawsuits:
Plenty of wide-ranging groups have been advocating for ECPA reform, including the American Civil Liberties Union, the Center for Democracy & Technology, the Electronic Frontier Foundation, the Digital Due Process Coalition, the Direct Marketing Association and even the White House, in its 2014 Big Data Report.

On April 14, Microsoft added a little more weight to its argument. The company filed a lawsuit against the U.S. Justice Department, suing for the right to tell its customers when a federal agency is looking at their email. The lawsuit points out that the government’s non-disclosure secrecy requests have become the rule vs. the exception. In 18 months, Microsoft was required to maintain secrecy in 2,576 legal demands for customer data. Even more surprising, the company said, was that 68 percent of those requests had no fixed end date—meaning the company is effectively prohibited forever from telling its customers that the government has obtained their data.

The reform:
Two weeks after Microsoft filed its suit, the U.S. House voted 419-0 in favor of the Email Privacy Act, which would update the ECPA in these key ways:

  • Require government representatives to get a warrant to access messages older than 180 days from email and cloud providers.
  • Allows providers to notify affected customers when their data is being requested, unless the court grants a gag order.

The last step in the process is for the Senate to turn the reform bill into law. While no timeline has been given, the Senate is getting a lot of pressure to act quickly.

Download The Guide to Modern Endpoint Backup and Data Visibility to learn more about selecting a modern endpoint backup solution in a dangerous world.

Susan Richardson, Manager/Content Strategy, Code42

[Cloud Security Alliance Blog]

Palo Alto Networks Signs Coordinated Vulnerability Disclosure Manifesto, Showcasing Industry’s Contributions to EU Cybersecurity Efforts

Today in Amsterdam, Palo Alto Networks joined more than two dozen other companies and organizations in signing a “Coordinated Vulnerability Disclosure Manifesto.” The Manifesto is a declaration signaling that cooperation between organizations and the cybersecurity community can be helpful in finding and fixing ICT vulnerabilities. In coordinated vulnerability disclosure, vulnerabilities are reported to the owner of the information system, affording the organization the opportunity to diagnose and remedy the vulnerability before detailed information is disclosed to third parties or the public. This helps to minimize opportunities for cyber criminals to exploit these vulnerabilities.

Palo Alto Networks is joining this Manifesto because we think it is the right approach on two levels. First, we believe this type of coordination is simply good for cybersecurity. As the complexity of, and dependency on, ICT products and services is increasing, and cyber criminals continue to become more sophisticated, vulnerabilities are also increasing. Cooperation between those who might find a vulnerability and those who can fix it is invaluable—and all societies reap the benefits of a more secure digital infrastructure.

Second, on a broader level, this Manifesto concretely demonstrates proactive industry leadership to improve cybersecurity. As cyber challenges become more complex, effective responses require both industry and government actions. As industry, we can and should spearhead initiatives to improve the ecosystem both individually, as companies, and together—that is simply good corporate citizenship. This cooperative approach is part of the DNA of Palo Alto Networks and why we co-founded the Cyber Threat Alliance, a group of cybersecurity practitioners from organizations that have chosen to work together in good faith to share threat information for the purpose of improving defenses against advanced cyber adversaries across member organizations and their customers.

The Manifesto was released as part of a high-level meeting on cybersecurity, hosted by the Dutch Ministry of Security and Justice, May 12–13, titled “Enabling Partnerships for a Digitally Secure Future for the EU.” The meeting brings together more than 200 senior European Union (EU) and other government officials responsible for cybersecurity, CEOs and board members of security and ICT-related organizations and critical infrastructure, and international organizations. I am pleased to personally be part of the two-day conversation. As its title suggests, the meeting aims to push attendees not only to acknowledge the challenges of cybersecurity but also to look ahead, better understand the developments and difficulties we face, and act accordingly.

The time is right for this push. The EU is announcing and executing on a range of initiatives and proposals regarding cybersecurity and other digital issues. Implemented well, these initiatives have tremendous potential to drive the digitization of Europe’s economy, help European companies become more globally competitive, and contribute to better cybersecurity and resilience both in the EU and globally. These include the Network and Information Security (NIS) Directive, which is expected to go into effect shortly and will be implemented over the subsequent 21 months, and the Digital Single Market’s “Public Private Partnership on Cybersecurity,” which aims to boost the European cybersecurity industry. Strong cybersecurity is the fabric needed to help make successful all of the proposals in the EU’s Digitizing European Industry Package that was just released April 19, including enabling the Internet of Things (IoT) in Europe; building a world-class public cloud and data infrastructure for research, science, and engineering; and increasing cross-Member State e-government services.

The Manifesto and the May 12–13 high-level meeting continue the Netherlands’ leadership in cybersecurity matters, which Palo Alto Networks profiled in our April 2016 blog. We commend Rabobank and CIO Platform Nederland for initiating this Manifesto, the many organizations that signed it, and the Dutch National Cyber Security Center (NCSC) for strongly encouraging it. Both the meeting and the Manifesto are a testament to Dutch leadership; however, they have impacts far beyond the Netherlands. Their message stressing public-private partnerships as the path to more effective cybersecurity is also certainly applicable worldwide. On July 1, Slovakia assumes the EU presidency. Palo Alto Networks looks forward to supporting their forthcoming efforts, and the efforts of all EU policymakers, to improve cybersecurity throughout the EU for the benefit of the global digital infrastructure.


[Palo Alto Networks Research Center]

Now on Security Roundtable: What the C-Suite Should Know about the Rise of Ransomware

With ransomware on the rise, executives have many questions on their minds. What do I need to know about ransomware? To what extent is ransomware covered by cyber insurance? And most importantly, what can be done to prevent these attacks from happening in the first place?

At Ignite Conference 2016, Gus Coldebella of Fish & Richardson, Erin Nealy Cox of Stroz Friedberg and Sean Duca of Palo Alto Networks provided a C-level view of the latest attack vectors. Watch what this panel of experts had to say about the rise of ransomware in this short video now on Security Roundtable:

Page URL: https://www.securityroundtable.org/what-the-c-suite-needs-to-know-about-the-rise-of-ransomware

Subscribe to Security Roundtable to stay updated on best practices, use cases and expert advice for executives navigating cybersecurity risks.

[Palo Alto Networks Research Center]

Tips to Prevent Ransomware in Healthcare Environments

If 2015 was the year of the healthcare breach, 2016 is shaping up to be the year of ransomware.

By this time last year, 105 healthcare breaches had been reported to the U.S. Department of Health and Human Services (HHS) for a total of over 92 million lost records, compared to “only” 81 breaches and 3.5 million records so far in 2016. Good news, right? Well, sort of.

Unfortunately, this seemingly positive trend does not reflect the actual threat landscape in the healthcare industry. Healthcare organizations subject to HIPAA only need to report breaches to HHS if 500 or more patient records are exposed. Many types of cyberattacks on hospitals, like ransomware, impact systems and possibly patient care, but do not result in breached records and hence are not reported to HHS (although there are currently opposing views on whether a ransomware attack should be reportable under HIPAA).

Ransomware is a type of malware that restricts access to files or systems with encryption until the victim (the hospital) pays the ransom for the key to unlock them. In a previous post I outlined how hospitals can track down the infected PC when an infected PC somewhere on the network encrypts the contents of an entire department shared drive.

As a former security operations lead for a hospital network, I responded to numerous ransomware infections firsthand as a result of targeted phishing campaigns against the hospital. The incident response team followed the same procedure for each incident: isolate the infected PC and restore the corrupted (encrypted) files on the department shared drive from backup. In such isolated instances, there was no impact to clinical operations and patient care. However, the story would have been different in the case of widespread infection on the network.

Several healthcare providers in Washington, California and Kentucky were publicly impacted in 2016 by what appears to be widespread ransomware infection across many different devices in a short amount of time.

Prevent and Minimize the Impact of Ransomware

There are many things that your healthcare organization should be doing to minimize the impact of successful ransomware attacks. Here are a few tips to get you started:

Each activity below is labelled with its effectiveness (High or Medium) and its mitigation type (Prevention or Minimize Impact).

Develop and execute a plan for an end user awareness program (Effectiveness: High; Mitigation type: Minimize Impact)
  • Yes, I know it’s difficult to get approval to send regular hospital-wide security advisories, but smarter end users will surely result in fewer ransomware incidents.

Review / validate server backup processes (Effectiveness: High; Mitigation type: Minimize Impact)
  • Some organizations don’t realize their backups are compromised or were configured improperly until it’s too late. You may need them to restore service.
  • Start with your file servers that host network shares for critical hospital departments.
  • Ensure you have backups that are not accessible by end users – ideally off-site. Backup administrator roles should be assigned sparingly, used sparingly and regularly audited.
  • Test your backups regularly to validate they can be restored properly.

Review network drive permissions to minimize the impact that a single user can have (Effectiveness: Medium; Mitigation type: Minimize Impact)

End User Privilege Reviews
  • Assign a project manager to organize an effort to evaluate permissions that users have on mapped network drives. Implement the principle of least privilege to minimize the impact that any single user can have on the organization’s network shared drives.
  • This process could turn into a large, complex effort, so start with network drive locations used by critical departments (Emergency, Organ Transplant, etc.).

Administrator User Privilege Reviews
  • Audit privileged roles used by the Server, Backup & Network Teams to validate appropriate access.
  • Ensure administrators are assigned normal restricted accounts, separate from their highly privileged accounts.
  • Require administrators to only use their highly privileged accounts when they need them.
  • Remove automatic network drive mappings from administrative accounts, where possible.
  • Restrict administrative accounts from receiving email.

Disable macro scripts from MS Office files using AD Group Policy (Effectiveness: High; Mitigation type: Prevention)
  • According to Microsoft, 98% of Office-targeted threats use macros. Disabling macro scripts from MS Office files will stop ransomware such as Locky.
  • Office macros are usually not required for the majority of PCs used in healthcare environments. Enable macros for exceptions or certain departments only.

Review your monthly patch management processes (Effectiveness: High; Mitigation type: Prevention)
  • Many hospitals struggle to patch their systems within 30 days of Microsoft’s “Patch Tuesday” monthly patch release.
  • Review your patching processes and look for opportunities to remove roadblocks.
  • Consider deploying an advanced endpoint product that prevents exploits due to missing patches and malware.

Evaluate your inbound spam / malware protection (Effectiveness: Medium; Mitigation type: Prevention)
  • Ensure you are configured to block inbound mail as per recommendations from your email server vendor (e.g., block executables in attachments).

Deploy a next-generation firewall to protect the hospital network (Effectiveness: High; Mitigation type: Prevention)
  • Ensure your firewall automatically blocks known threats based on a threat feed that constantly updates.
  • Ensure your firewall provides sandboxing capabilities so you can stop unknown threats (URLs and executables) before they reach the endpoint. Sandboxing is the best way to detect the new variants of ransomware that are constantly appearing in the wild.
  • Configure your firewall/proxy to require user interaction for hospital end users communicating with websites uncategorized by the network proxy or firewall (i.e. click a “proceed” button). Many uncategorized websites are used in targeted phishing campaigns to distribute malware.

Deploy advanced endpoint protection to protect the endpoint (Effectiveness: High; Mitigation type: Prevention)
  • Traditional antivirus is not effective anymore against advanced malware like ransomware, which continuously changes to avoid detection. Your endpoints need advanced protection capable of stopping processes that exhibit malicious behavior, rather than checking for individual known bad files.
  • Whitelisting can work for some organizations, but most hospitals need to permit hundreds of applications across their departments, so it is often difficult for IT to manage the list. Behavior-based malware detection tends to be very effective, and also lightweight on the endpoint.

These suggestions range from low-tech to high-tech and vary in cost, but all contribute to create a hospital environment that is highly resistant to ransomware with the least amount of manual management. Decide for yourself which combination of mitigating activities is best for your environment.
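As an added example that is not part of the original post, two read-only PowerShell checks that audit the macro-policy and network-drive-permission activities above on a domain-joined Windows machine. The Office version key (16.0), the list of “broad” groups and the share paths in the usage lines are assumptions to adapt to your environment.

```powershell
# Added example (not from the original post). Read-only audit of two tips above.
# Assumption: Office 2016 policy hive (16.0); use 15.0 for Office 2013.
$OfficeApps = @('Word', 'Excel', 'PowerPoint')
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# Report the macro settings that the "VBA Macro Notification Settings" and
# "Block macros from running in Office files from the Internet" GPOs write.
# VBAWarnings: 2 = disable with notification, 3 = signed macros only, 4 = disable all.
function Get-MacroPolicyStatus {
    foreach ($app in $OfficeApps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        $vba = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $net = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $vba
            BlockInternetMacros = $net
            # Compliant only if macros are disabled (4) or restricted to signed ones (3)
            # AND macros in files downloaded from the Internet are blocked.
            Compliant           = ($vba -in @(3, 4)) -and ($net -eq 1)
        }
    }
}

# Flag Allow ACEs on department shares that give broad groups the ability to
# write or delete, which is what lets one infected PC encrypt a whole drive.
# Group list is an assumption; extend it with your own wide-membership groups.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Domain Users')
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete'   # Modify/FullControl include these

function Get-BroadWriteAccess {
    param([Parameter(Mandatory)][string[]]$SharePaths)
    foreach ($path in $SharePaths) {
        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            $principal = $ace.IdentityReference.Value
            $isBroad   = $BroadPrincipals | Where-Object { $principal -like "*$_" }
            $canWrite  = ([int]($ace.FileSystemRights -band $WriteRights)) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $canWrite) {
                [pscustomobject]@{ Path = $path; Principal = $principal; Rights = $ace.FileSystemRights }
            }
        }
    }
}

# Usage (share paths are placeholders): start with the critical departments' shares.
Get-MacroPolicyStatus | Format-Table -AutoSize
Get-BroadWriteAccess -SharePaths '\\FILESERVER\Emergency', '\\FILESERVER\Transplant' | Format-Table -AutoSize
```

Any row with Compliant = False, or any share listed by the second function, is a candidate for the GPO or least-privilege clean-up described above.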

If you want to read more about the history of ransomware – take a look at The Rise of Ransomware, a recent paper from our threat intelligence team, Unit 42.

[Palo Alto Networks Research Center]

How the Financial Services Industry Can Prevent Ransomware

There has been much media coverage of ransomware over the past several months. The healthcare industry has been in this spotlight most recently, but financial services is certainly not immune to this threat. Back in mid-2014, a U.S. brokerage house fell victim to CryptoWall, which both encrypted and exfiltrated data from that institution. Although there have not been many public disclosures of ransomware incidents at financial institutions as of late, CryptoWall ransomware was one of the top 3 threats to the industry in both 2014 and 2015 based on research by Unit 42, the Palo Alto Networks threat intelligence team. In late 2015, the U.S. Federal Financial Institutions Examination Council (FFIEC) and the Financial Services Sector Coordinating Council (FSSCC) issued separate alerts on cyber extortion and destructive malware, respectively. So it’s clear that the financial services industry needs to be prepared to address such malicious attacks.

Ransomware is essentially malware that encrypts data on personal computers and network drives until a payment is made to the perpetrator. The ransom demanded is usually a small monetary amount to increase the likelihood of payment. Ultimately, this may boil down to a business decision over the time and effort required to restore files from back-ups versus the cost of the ransom to obtain the decryption key from the attacker. For more details about the evolution of ransomware, please see the new report on ransomware trends from Unit 42.

To protect themselves from the impact of ransomware, financial institutions should conduct regular back-ups of data on PCs, shared drives, and any other storage systems. Moreover, the data on the back-up system needs to be verified to ensure there are no surprises when restorations are warranted. This should already be a recurring practice as part of business continuity plans, but it’s worthwhile to validate this since viable back-ups are integral to any ransomware remediation actions.

Preventing infection by ransomware is an even better course of action. It eliminates lost productivity and impact to business operations, as well as the overhead associated with removing the malware and restoring the encrypted data files. The following steps establish defenses at multiple layers of the network and will significantly improve an institution’s ability to prevent ransomware attacks from being widely successful.

  • Scan and block suspicious files (e.g., portable executables) in all inbound e-mail or web-browsing sessions
  • Prevent the ingress of malware by using intrusion prevention systems (IPS) for known threats and sandbox analysis for zero-day threats
  • Block outbound traffic to malicious URLs or sites, which may be part of the attack lifecycle for ransomware
  • Prevent exploits and malware execution on PCs and servers with endpoint protection capabilities above and beyond anti-virus and host IPS
  • Contain any threats by segmenting the internal network to limit lateral movement and to minimize the fault domain

The Palo Alto Networks Next-Generation Security Platform offers a multi-layered approach to prevent ransomware from infecting financial services institutions. These capabilities can be part of an overall defense plan against ransomware. To learn more about how this works, visit our Financial Services resource page.

[Palo Alto Networks Research Center]