Webinar

Business webinar replay: How to protect your business against ransomware

Ransomware is one of the most disruptive types of cyber attacks. Watch the replay of CERT NZ’s free webinar on how to keep your business protected.


[Visual] The screen opens displaying a slide tile that says, ‘The webinar will start shortly’. The host, Hadyn Green, appears in a small window at the top right-hand corner. Throughout the video, the webinar slides change to match what the speaker, Sam Leggett, is discussing. At times Hadyn, the host, will cut in – as each speaker speaks, they appear in the top corner.

[Audio: Host/Hadyn] All right, we're about 140 people, I think we can start now. Good morning, everyone. My name is Hadyn. I'm from CERT NZ.

[Slide change]

And we're today presenting a webinar on ransomware.

[Slide change]

So I'm Hadyn in the comms and engagement team here at CERT NZ, and also here with me on video is Sam Leggett. He's a senior analyst in our threat and incident response team.

Just a quick rundown of what CERT NZ is.

[Slide change]

So we're a government cyber security agency. We look after individuals and small businesses. And we provide a whole bunch of services that can help people when they've been hit with a cyber incident. So, we can help with the actual incident response, all the technical details as well as the communications details.

And we've also created this website, Own Your Online, which has a whole bunch of guides for businesses and individuals. We can go through, see what the latest threats are, how to mitigate against them, and protect yourself.

So, that's a little bit about who we are.

[Slide change]

And I'll let Sam work through today's agenda, but very, very quickly, just before that, we've got a couple of buttons down at the bottom there of the Zoom call.

So, Q & A, if you hit that, chuck any questions you have inside that Q & A box, that's the one to click instead of the general chat. We're not monitoring the general chat. So, we won't answer any questions that come into that one.

And the other thing is that this webinar is being recorded, for better or worse, and it'll go on our website, as well as a transcript of this and all the links. So don't worry if you don't see a link or you don't get a chance to copy it down. It will be sent out later to everyone who's registered as an attendee.

And with that, I'll head over to Sam.

[Audio: Speaker/Sam] Awesome.

Thank you so much Hadyn. Kia ora everyone, thank you for coming along today.

As Hadyn said, today's webinar is all about ransomware. We're going to look at what ransomware actually is and how it sort of plays out.

We're going to use our lifecycle diagram, lifecycle of a ransomware to actually understand a ransomware attack and break it down into three phases so that we can understand a little bit better.

Phase one is how the attackers get in.

Phase two is what they do once they're in your systems, and phase three is what the impact is to you as a victim.

Lastly, we're also going to talk about all the controls that you can implement to prevent ransomware from actually occurring. Now, it's a pretty big topic, there is going to be quite a bit of information. So I just want to reiterate, the slides will be available, there will be a recording available, don't feel like you have to take all the information in one go.

And the other thing that I want to highlight here is that we're using ransomware as an example of a threat to a business. The reality is that the controls that we go over today can be implemented to help protect your business against all cyber security threats and prevent the vast majority that we see reported to CERT New Zealand from actually happening to you.

So we're using this as a bit of an example. To understand how the threats actually happen, the ways that the attacks get in are very common across attacks, and understand the ways that we can prevent it, the controls we can put in place to keep ourselves nice and safe.

[Slide change]

All right, so we'll start off with what ransomware is.

Very basically, it's a malicious type of software, and it's designed to lock files and computer systems, unless a ransom is paid.

What do we mean by locking files? You know, this is as simple as, you open up your desktop, you try to open an Excel spreadsheet, and you're unable to do so because it's been encrypted, or it's been locked. This is what ransomware does, it gets into your computer system. And it tries to encrypt or lock as many files, as much data, as much system access as it possibly can, with the demand of a ransom from the attacker so that you can get that access back. So the attackers will firstly target your systems that have open avenues for attack. We're talking about Internet exposed services as a way to sort of get into your system now.

The Optus breach of 2022, this is something that happened in Australia, there was a lot of talk at the time about that breach occurring because there was an Internet facing system that lacked authentication. It didn't require a password to use, and so as soon as an attacker became aware that it existed, they were able to simply get in and steal their data, and that infected around 10 million Australians at the time. So, what they're looking for is basically open doors. It's less about targeting specific organisations these days and more about taking the doors that are open to them.

Then they get into the system, they block the access to the systems. Again, this might be Excel spreadsheets, word documents, the rest of the documents that you have on your device. It may be systems that you use for your business, maybe your emails and things like that, they lock down as much of that as possible, especially things that are critical to your business, so that they can make it more appealing for you to pay the ransom, and get that access back.

And then of course, they demand that payment, they would demand that ransom so you can get that access back. And often this is done in the form of cryptocurrency. So asking that you pay a certain amount of Bitcoin to a Bitcoin wallet. It's a lot harder to sort of track those transactions. And that's why they're often using cryptocurrency as their form of payment.

And lastly, what we've seen a lot more these days is that not only do they lock the systems and demand a ransom for that, they then go on to demand a ransom to prevent them from leaking the data that they've been able to take from your system as well. There's a bit of a double ransom attempt going on with ransomware attacks these days. And we're going to talk about that a little more when we get into whether or not it's valuable to pay a ransom.

[Slide change]

First of all, though, how would you know if you've been affected with ransomware?

The first and the easiest is that typically you open up your device, you try to open that Word document, that Excel spreadsheet, you find it's unable to open and it's actually got a different file extension at the end. And you simply can't open these things. It may be applications, it may be whole systems that you're trying to access within your environment. But that lack of access, that inability to open things, is your first flag that you're probably dealing with a ransomware attack.

The second one is that you're going to get a message in some form that you need to pay a ransom in order to get that access back. And we've got an example on screen soon. But this can come through in different ways. It may be an email, it may be a simple text file that's been left on your desktop. Sometimes it's actually a message embedded in certain data systems and things like this. So no matter how you get that message, the presence of their message is also a good indication that you may be dealing with a ransomware attack.

[Audio: Host/Hadyn] So, sorry Sam, how do you find that message? Where will this read me file be?

[Audio: Speaker/Sam] Typically the attackers want it to be easy to find.

They want you to be able to find it so that you can understand what's happened and how you pay to get that access back. And that's why in the vast majority of cases, this is simply a text file that you'll find on your desktop in your documents folder. It may even pop up when you try to open an encrypted file.

Typically, if that message is there, it's not going to be hidden, it's going to be pretty, pretty much in plain sight. They want you to see it because they want you to pay that ransom.

And we've got an example here of what this may look like. It can be as simple as a dot txt file that says your computer has been encrypted. You've lost all your data you need to pay 0.01 Bitcoin to this wallet, and that's how you'll be able to get access back.

[Slide change]

Okay, so we've opened our desktop, we've tried to open an Excel spreadsheet and it's unable to open. We've found that there's a read me file, claiming that we've got ransomware, and we need to pay a ransom in order to get access back. So, what do we do next?

First and foremost, if you have a dedicated IT team, if you have a managed service provider or a managed security service provider, contact them immediately. Get in touch with them as soon as possible so that they can let you know what needs to happen to keep your environment safe. Now, if you don't have that, or if you're a little bit worried, and you want to take some kind of action to secure things as much as you can, what you can actually do is start isolating things. So, it says, get your network offline as soon as possible. Basically, that means disconnect things from the internet. And even more so if you find that it's one device that's been infected, isolating that device away from your network, away from your other devices, so that they can't communicate, may prevent that ransomware from spreading a little bit further.

If you start to look at how you can recover, how you can actually get back to operation, your files have been locked down, you don't have the data you need to run your business, if you have good backups in place, this is really enabling for you to start recovery. You can start restoring from those backups and start getting back to business as usual, as soon as possible. And that's always going to be better. We're going to talk about backups a lot, a little bit later on. But it's always going to be better when your backups are more recent, the more recent your backups are, obviously, the more data you're going to be able to retain. And essentially backups allow you to get back to operation as normal without playing the game of the attackers, without feeding into their process.  

Now check to see you have real ransomware. And we wanted to mention this because there is some cases, and it doesn't happen too much, but there are some cases out there where people find text files, they maybe see an email that claims that there's been a ransomware attack to their system. But actually, it's a baseless claim. It's simply an email, trying to take opportunity, trying to say hey, I've actually I've locked down your stuff you need to pay Bitcoin. Trying to get people who really panic and in that fear, take action in terms of paying that ransom.

But if you actually investigate your system, and you do find you've got full access to all your systems, all your files and things like that, it's possible that you're not actually dealing with a real ransomware attack. But if you do find that all that stuff is locked down, then obviously in that case, it's probably likely it is a true ransomware attack.  

And then of course, report that to CERT New Zealand. If you report to us, you can get some free advice and guidance on how to deal with ransomware, how to get back up and running and things that you can do to keep yourself safe and prevent ransomware from occurring to you again in the future.

[Slide change]

Okay, so the age old question is should you pay a ransom?

This may be something that as a small business, as a small business owner, it may seem like a good opportunity for you. If you just pay this small amount of money, sometimes small, sometimes it's really large, you may get access back to your systems, and that can be appealing for business owners wanting to get back to business operation, as normal, as quickly as possible.

Ultimately, it's your call. But there are some strong recommendations we make against paying ransoms. And there's a lot of reasons why we recommend against that.

New Zealand's government position is absolutely do not pay any ransoms. And the reasons why we recommend not paying any ransom is because the reality is paying that ransom does not guarantee that you will get your data and your systems back. We have seen cases where an organisation pays a ransom demand, and actually, that attacker then goes on to demand further ransom amounts. Once they know that you're willing to pay, they're going to try to squeeze as much money out of you as they can. As I said, in some instances, once you pay that attacker, they understand that you're now willing to pay, and they see that as an opportunity to demand more money. That may actually let attackers know that you are a potential target who is willing to pay in these cases. And this may lead to further targeted attacks in the future, knowing that you're willing to pay those ransoms to get out of that situation. It's also creating that financial incentive for online criminals. These guys wouldn't be doing these things if it didn't actually make them money if they weren't being lucrative and doing this. And when we decide to pay that ransom, we're feeding into that process of making a financial incentive for online criminals to engage in this kind of behaviour.

[Audio: Host/Hadyn] Just real quickly, we've got a few questions on the ransomware stuff. So we've had a question about, is this just a one off event? So once you pay that ransom, what guarantee do you have that they're actually out of your system?

[Audio: Speaker/Sam] None. That's the reality. And this is another reason why we recommend not paying that ransom and actually taking it into your own hands, taking the situation into control, restoring from backups, engaging your IT service provider, your managed service provider to make sure that that access is gotten rid of, that they don't have any kind of persistent access. But the truth is paying that ransom, there is no guarantee of anything in doing so. If you pay that ransom, they may very well leak your data anyway. You pay that ransom, they may have access still within your systems and they may get back in and re-encrypt everything and demand another ransom. The truth is paying that ransom doesn't guarantee anything will get better.

[Audio: Host/Hadyn] And while the government and CERT recommends that you don't pay the ransom, and there's not actually any legal requirement, if you pay the ransom, that's not, that's not a legal problem.

[Audio: Speaker/Sam] Yeah. One thing I would recommend for organisations, if they have sort of international trading, or if they operate internationally, there may be some restrictions around paying those things in international jurisdictions. It's not something that I'm completely aware of, but if that's something that your business is doing, it would probably be valuable to understand whether or not paying that ransom is going to put you in any kind of difficulty, in a legal sense before doing so.

[Audio: Host/Hadyn] And finally, because you mentioned Bitcoin, generally that's a known tracking public ledger kind of thing, why do they ask for Bitcoin, if that's the case?

[Audio: Speaker/Sam] It's just that when it goes through a bank account, there are a lot of things that law enforcement agencies can do, and work with the banks to really track that stuff down and get it down to an individual on the other end. It's a lot harder to do with cryptocurrencies and things that are on the blockchain, it's not necessarily impossible, but it is a lot harder to do. And it gives the criminals a bit of leeway in terms of being able to get that payment without necessarily having law enforcement, banks and things like that, really trying to track them down through those things. It's just easier for them, it's easier for them to get away with through that measure.

[Audio: Host/Hadyn] There's a couple more questions, but we'll come back to those later on, you can carry on.

[Slide change]

[Audio: Speaker/Sam] Okay. All right. So we've talked about bad stuff, we've talked about what happens if you get the attack. We've talked about, you know, you've got the ransom demand, do you pay it, do you consider paying out these kinds of things. What can you do to prepare in case it does happen, and what can you do to prevent it, to protect yourself before it happens?

The first and most important thing to take into account is that things can go wrong. We can put a lot of defences in place, and things can still happen. And that's why it's really important to have an incident response plan. Having a plan in place so that you know what to do and when you need to do it. And this could be as simple as knowing who to call, having that phone number written down, having that email address handy so that when things happen, you're not scrambling trying to figure out who you need to contact, what number you need to call or how to reach them. Having these things in place ahead of time is really, really important.

Now, the level of depth that you want to go into in terms of an incident response plan is ultimately up to you and your organisation. You may want to go into detailed depth on each individual kind of incident that can occur: ransomware, phishing, DDoS. You may want to go into detail for each individual one, or you may want it to be an overarching incident response plan, in case anything cyber security related happens. So things like, how do you contact your IT service provider, your managed security service provider? If you need to make a report to the office of the Privacy Commissioner, because customer data has been impacted, how do you do that? What's the process for that? Having these things written out, easily accessible, making sure your employees, your staff are aware of that plan, and they can also easily access it if they need to, are all really important steps.

One thing I want to call out here is that in the very near future Own Your Online, we'll be putting up an incident response plan template to sort of help you build these plans out, flesh them out for your organisation. But as I say, the level of detail, the amount of information in there, that's going to be dependent on your organisation, your size, your capacity, the things that you actually engage in. And the plan may look different from organisation to organisation.

[Audio: Host/Hadyn] I'm going to jump in, with organisations that we've helped in the past with these situations, I can tell you that the incident response plan is really good for getting over that panic factor. You go oh, wait, we have a plan for this. Like I can just pick up my plan and look and say this person does this, this person does that. It takes out a lot of that stress, a lot of that, oh my god, what are we going to do? I can't get to any of my files. I suddenly realize you might need your response plan, not in one of those files that can be locked.

[Audio: Speaker/Sam] Yeah, that's a really good point. That's actually why we recommend having a physical incident response plan available. One thing that I often see when I go to different offices is that there's always plans on the wall for if an earthquake occurs. You know, if a fire happens, there's a plan there laid out so that people know what to do. This incident response plan is essentially the same, making it physically available, readily available for anyone who needs it. And as you say Hadyn, that's a really great point that there is a lot of panic, there's a lot of stress when something goes on, when a cyber security incident actually happens. And having that plan, having those steps laid out can take away a lot of that stress and help you make sure that you're actually doing what you need to do in that incident regardless of how distressed you actually may be.

Now we talked about making sure that that incident response plan is easily accessible for all your employees, that your employees are aware of it, and that's about building cyber security awareness within your organisation. It's not just around incident response plans. Things like, helping your employees know that they are likely to receive phishing emails and phishing text messages. If they have a work email address, have a work phone, they are very likely to receive these kinds of things. And making them aware of what phishing looks like, what phishing is trying to achieve, and how, actually if they do fall for that, if they do click that link, and they provide their valid login credentials for their business systems, that might put the business at risk. Now, that's potentially offering those attackers some ability to access systems. And so awareness around phishing, that it's likely to happen, what it's likely to look like, and where to report it.

You know, you may have an internal team that you can report phishing to so that they can be aware, it may simply be that you report that to CERT New Zealand so that we can take action against that phishing website. We can include that link into phishing disruption service and these kinds of things, we can prevent people from being able to access those websites. But that awareness, that awareness across cyber security and what it looks like for your organisation is really important. The reality is, every business these days uses the internet, they use the internet to enable the business further. And so we've really gone away from where cyber security was one team's or one person's responsibility. The truth is that everyone has a responsibility when it comes to cyber security, and so bringing your organisation and your employees along on its cyber security journey, making sure that they're aware of these kinds of things, is just even more important.

And in the core of what we're talking about today, the controls that you can actually implement to prevent or limit the damage caused by ransomware. There are a lot of things that you can do. And we're about to look at a little list of controls. And before people get a little bit panicked about how technical some of them are, some of them are a little bit more technical, but some of them are things that you could go away and do today, things that you could implement today, to keep your organisation nice and safe. That's not just going to help prevent ransomware, it's going to help to prevent the vast majority of the things that we see reported here at CERT New Zealand.

[Slide change]

Okay, so we're talking about the ransomware lifecycle diagram. And that's what you can see on screen here. Now a couple of things to take note of. It's broken up into three different phases. So the first phase is the initial access. And this is when the attacker is looking for a way into your business, into your system, and into your network. The second phase is the consolidation and preparation phase. This is once they're inside. And this is them trying to move around, trying to access more systems, more data, more documents, trying to get control of as much as they can. And the third one is when that impact is actually seen. So this is when files are encrypted, backups are destroyed, data is exfiltrated, ransom demands are made.

One thing I want to point out with this diagram is that as we move from left to right, there is a scale of time here. But that scale can change from ransomware incident to ransomware incident. Sometimes attackers start putting those impacts in place as soon as they're in the system. Sometimes attackers sit within systems for months trying to get as much access as possible, so they can make those ransom demands more appealing to pay.

What we do with this diagram, and we're going to break it down and look into each phase individually, is we can apply our 10 critical controls to this diagram so that we can understand how these controls can actually help keep us safe, and where they're actually going to be relevant in terms of the lifecycle. So this is what it looks like when we apply all our 10 critical controls to this diagram. And as I say, we kind of break down each phase, we're going to look at these controls individually. There are a lot of things that we can do to keep our business, our data, our information, customers nice and safe. And that's what we're going to look at now.

[Slide change]

So the list of 10 critical controls, we're going to quickly go through it, we're going to talk about them a little bit more as we see where they land on the lifecycle diagram.

Now the 10 critical controls. That's a list of security controls that we have here at CERT that we update annually. And what we want this to be is a list of security controls that small to medium businesses can go away and implement today, without necessarily having to engage, you know, a really expensive private cyber security firm to put these things in place.

A lot of the things on this list are things that you could go away and implement today. Some of them are going to require some technical knowledge, and some technical capability in terms of your networks. But there is a lot more information available on each of these controls. At the end of the slides, we have a page of links, one of those links will take you to the 10 critical controls where you can go and find more specific information about any one of these individual controls.

And the other thing that I want to get across here today is that, you're probably not going to go away and do all 10 of these things immediately. And that's okay. But if you go and do one or two, if there's a couple of things that you can tick off that list today, you are putting yourself in a much more secure position, much more likely to prevent the bad things from actually happening, which is the best thing that we can do.

So we've got patching and software systems, multi-factor authentication, using password managers, logging and alerting, asset lifecycle management, security awareness building, implementing and testing your backups, implementing network segmentation, application control, and principle of least privilege. Don't stress too much. That's a long list. But we are going to look at each one. I'm going to try to keep it a little bit high level, so we're not overloading you with too much information. And I really do encourage you, go check out the list of 10 critical controls, find that more in depth detailed information on any of these that seem like something you want to implement in your own organisation.

[Slide change]

Okay, let's get into the phases. Obviously we've got three phases in a ransomware attack. The first one that we're going to look at is the initial access phase here.

[Slide change]

So, in the initial access phase, what we're really highlighting is the main ways that an attacker can get into your system to deploy a ransomware. The reality is that comes down to two major things. You've got your internet exposed systems, and you've got malware delivery to your systems. Now, if we break down into internet exposed systems a little bit more, what are we talking about?

Think about when your employee logs into a business system, they do that through the internet, most typically. This can include things like VPNs, or logging into business systems remotely, but the reality is, the main ways that an attacker is going to use those to get into your system is through valid credentials. It's through phishing campaigns, to sending a phishing email to an employee, who does click that link, who does provide those credentials, and then using those credentials to log into a business system.

It may be password guessing, it may be that unfortunately, the password of an employee, is not particularly strong, or it's been breached in a data breach somewhere else, maybe it's a reused password they use across multiple accounts. Being able to guess that password and then gain access to the system, again, through those valid credentials, those valid usernames, and passwords.

The third one here is the exploitation of software weaknesses. So, when a software vulnerability pops up, attackers will exploit that vulnerability to gain access to systems.

That sounds quite technical. The reality is that the way that we can prevent that is really easy, which we'll talk about in a moment here. And then the third thing I want to talk about is the delivery of malicious documents. So, this is where an attacker will send an email to an employee and it may contain what looks like a PDF or some kind of document attached to it. Opening that document may try to run or install a malicious software, a malicious program.

Through that program, they may be able to gain some kind of access. That program may try to deliver the malware itself. But there are things that we can do to prevent that as well.

First one, security awareness building, and again, this is bringing your employees along on that journey, making sure that they're aware of how cyber security matters for them, matters for the organisation, and the part that they can play in that.

This is being aware of phishing, this is being aware that you are likely to receive those phishing emails and phishing text messages, how to spot them, how to make sure that you're not providing your information to a phishing email, so that we can prevent the attackers from actually getting hold of those usernames and passwords. So they can't get into our systems.

This is being aware of how to create a good password, how to make a password that's going to be strong enough, so it's not easily guessed. It's having awareness across things like password reuse, and how that poses a risk to not just your business, your organisation, but for them individually in their own lives as well.

It's about being aware of the delivery of malicious software through documents attached in email. So you get a dodgy email that's got no text in the body, it's just got a subject and an attachment, and that's not something you typically receive, that's a good indication that that may be a dodgy document.

And the best thing to do in that case is not open that, is either simply delete it, maybe forward it on to an IT team, maybe report to CERT New Zealand so that we can provide some advice around that.

Awareness across these things can be really, really powerful and really valuable for preventing these incidents from occurring.

We talked about passwords a little bit and how passwords sometimes can be easily guessed and easily cracked. Sometimes we use the same password across accounts, and maybe it ends up in a data breach somewhere, and that puts our other accounts at risk.

One of the ways that we can get around this is a password manager. Now a password manager is ultimately just an online vault, if you will, that stores your passwords for you. Most of them these days will actually generate your passwords for you, so you can make sure that they're really strong, really unique random characters. Not going to be able to be guessed or cracked. And you don't have to remember them all that way.

With a password manager, you do have to remember the master passwords, the password you use to access the password manager. And you have to make sure that that password is long, strong and unique, so it's going to keep all your other passwords nice and safe.

But the beauty of a password manager is you're going to have really long strong passwords in there. You don't have to remember all your passwords.

And actually this can also help prevent phishing because when you get a phishing email asking for a password, but you don't know that password off the top of your head and you have to go into your password manager, find the password, memorize it and then put it back in the email. It gives you that time to stop and think about the email, whether or not it's actually legitimate, whether or not it's dodgy and it's more likely a phishing email. And that time is often all that people need to be able to spot these things.

So a Password Manager can be really, really powerful in terms of preventing those first two initial access factors.  

Centralised logging, or logging and alerting is going to make an appearance across the diagram. And reality with this one is it's not so much a preventative measure in terms of logging, at least, it's more of a measure to help you understand what has happened, and how you can prevent that happening again in future. So this is more of a control that's in place. If something goes wrong, you'll be able to figure out what it was and you can fix it up. And what we mean by logging is having a log of actions within your systems. And it may be as simple as having a log of when a certain critical business system was logged into and maintaining that log.

And in this way, if you find that there was unauthorised access to that system, you have that log of when that when those logins occurred, you can figure out where it's happened, what account, what credentials has been used, whether or not a vulnerability has been exploited. It gives you that paper trail so that you can figure out what went wrong, and you can stop it from happening again in the future.

One thing that logging I want to call out is that this can often be done through software, if you use sort of like a workspace suite, Google workspace, Microsoft office, a lot of these systems, a lot of these programs have a feature that you can turn on for logging. Pretty sure Microsoft have recently just made a lot more of those features available to a much wider range of their customers at no additional costs. That may be something you want to look into.

[Audio: Host/Hadyn] Just to jump in one of the analogies I heard in regard to that of this breach that you mentioned a little while ago. You know that someone's broken into your house, logging tells you what they did with your toothbrush, which I quite liked. I thought that was a nice analogy. Also, just a note that there are quite a few questions that I think we're going to actually get to answering quite a few of them, especially when we get to password managers. But if we haven't answered them, by the end, we'll make sure that we we cover them all off. So don't worry, if you're like why didn't they answer our question yet.

[Audio: Speaker/Sam] That's all Yeah, yeah. Good point. We'll try to make sure we have a bit of time at the end of this presentation so that we can actually just address any questions and answers that have been coming through.

[Audio: Host/Hadyn] I'll let you know now, Sam, there's a lot of people asking about what password managers to use, so when you get to that when you get to that control.

[Audio: Speaker/Sam] Yeah, no worries. The other thing was logging and alerting, in terms of alerting, this is this is more of a preventative measure.

So the kind of alerts that you may want to set up within your own environment will depend on your organisation. But it may be as simple as you have a really, really critical business system, you want an alert to go off every time it's accessed. So every time someone logs into it, you have an alert popping up that lets you know what's been accessed. And then you can figure out, should they be accessing this at the time does that look legitimate? Actually, maybe something's amiss. And then you can use that alert to help prevent anything further, bad from actually happening.

I think I know what you're going to talk about Hadyn, and we've just done the password manager control. But look, there's a few things that I would say around password managers, it can be hard to sort of pick the one that you want.

Typically, doing a Google search of the best ones will give you a bit of information, some information that you can use to make a call for yourself. But the things that I would personally be looking for in a password manager before I actually commit with one is, how do they how do they protect their information? The key thing I'm looking for is do they have multi-factor authentication, on top of the password that you use to access the password manager. That's really, really important. That is such a powerful security control in terms of preventing unauthorised access. If a password manager didn't allow, didn't offer multi-factor authentication, I wouldn't even consider them. That's the first question that I would ask.

Next thing I would be looking at is, have they had any incidents occur in the past, any data breaches any issues like that? And how did they handle it? You know, maybe the fact that they had an incident in the past is enough for you to say, nope, that's not the one for me. And that's okay. Maybe the way that they handled it was done really well. And that actually gives you confidence that if something was to happen with that password manager, that they're going to handle it in an appropriate fashion. These are just a couple of things that I would be looking for. In terms of what password managers I will be looking at.

Password managers that generate your password for you as well is really powerful. You can make sure your passwords, 30 characters, long, 40 characters, long, whatever you want. Completely random letters, numbers, symbols, all that good stuff. And those passwords are going to be super strong. Those are definitely not going to be cracked anytime. So looking for the password managers that offered multi-factor authentication and have a good track record. These are important questions to be asking.

There is a slight difference when we talk about a third-party password manager and a built in password manager. I imagine there's a few questions coming through about what about the password manager in Google Chrome, could I just use that? That's an option. It's probably not the best option.

The reality is, if you go down that route, Google's now become your password manager, your password for Google has got to be long, strong and unique. You should really turn multi-factor authentication on for Google. You should make sure Google is updated as often as possible as quickly as possible. You need to understand that if you go down that route that has now become your password manager, and it actually may put your device at risk if you stay auto logged in to Google on your device.  

If you lose that device, and then anyone can open it and get into your Google account where you're auto logged in, where all your passwords are saved, that obviously puts you at a lot of risk. So opting out of those auto login features, or those save your password features is something you may want to consider if you're going down that route. And making sure any devices that you have that are auto logged into those accounts is nice and secure itself with a good password, or biometrics or something along those lines, is also really important.

Okay, next thing we're talking about is application control. And this is just determining exactly what kinds of applications can run within your environment.

So what this is really powerful for preventing is that email containing malicious document that tries to install some malware, if we only allow certain applications like Excel, like Word to run within our environment, then when we click that attachment, the program that it's trying to run isn't able to run with your environment.

So this is just sort of taking control in terms of what applications can actually run within your environment. And that typically looks a little like a whitelist of applications, a list of applications that you're happy to actually run with your environment. And in that way, anything outside that list simply can't run.

Talked about multi-factor authentication, talked about how powerful this one is. Look, this is called a few different things, multi-factor authentication, two-factor authentication, two step verification, the list of search terms that are used to describe this do kind of go on. But it's all the same thing. It's that additional layer of protection on top of your password, and username.

So typically, it looks like a code sent to your phone generated within an app on your phone, and you have to enter that code in order to be able to log in. As I said earlier, this is probably one of the most powerful security controls, it's a free control, you could go and turn the sign on all your important accounts today. And it's actually the thing that I'm looking for most in service providers or in platforms and websites. Do they offer multi-factor authentication? If they do, that's a really big, really big plus in terms of their security, and in terms of your security. So getting staff to actually enrol in multi-factor authentication is a really powerful thing to do and can be really, really important to prevent unauthorised access through password guessing phishing, those actual valid credentials.

I think that I would say, and this comes into security awareness building, multi-factor authentication can be a pain, when you log in every single day, and you're challenged with multi-factor authentication, it can be a pain to go through that every single time.

What I would promise you is that if an incident were to occur, that's a much bigger pain. Going through that process of multi-factor authentication, even every day, even every time you log in, is always going to be a much, much smaller pain than trying to recover from an incident like ransomware, especially when multi-factor authentication is free, and in a lot of ways can be sort of a number one control to prevent unauthorised access.

We talked about exploitation of vulnerabilities within software. Vulnerabilities pop up all the time. It's an unfortunate nature of software and the way that it's developed. And in that sense, what's really important is to make sure that all our applications or our software, the operating systems on our devices are kept up to date with the latest update from the vendor. And actually, that's done as soon as possible, after that update’s been released. It's a pretty easy process.

I'm sure we've all had that pop up in the bottom right hand corner of our screen saying there's an update, please restart. And we've all hit remind me tomorrow, remind me the next day, remind me in seven days. But the truth is actually getting that installation of that update as soon as possible is really important to make sure that those vulnerabilities can't be exploited for a way into your system, your environment.

And then the last one is asset lifecycle management. This is a pretty broad control. This is about understanding all the assets within your environment, making sure that you're aware of what devices are communicating with each other. You know what devices are part of which network, actually understanding all the assets in your environment and how they communicate is really, really powerful.

One part of this is understanding the assets that are Internet facing within your environment, and making sure those have the relevant authorization and authentication requirements on them. So if you have an internet exposed service, it requires a username and password to access before you can actually access it. Putting multi-factor authentication on that as well is a really, really powerful step. That way you've got authorisation and authentication taking place before that internet exposed system can actually be accessed.

[Audio: Host/Hadyn] Just very quickly, noticing the time, but when you put together your incident response plan, one of the first things that we suggest is creating a list of everything that you've got, which helps with that asset lifecycle management, because you're forced to think about oh this, oh that connects to the internet, oh we've got this which connects to the internet.

Stuff that you might not even think about, or that you might not be concerned about.

Like you're a panel beater, but you just happen to have a massive client database of people's homes addresses, email addresses, phone numbers, and registration of their car.

So, little things like that, stuff that you think about when you put together your, when you put together your incident response plan and stuff that you know, you have to keep up to date.

[Audio: Speaker/Sam] Really important point.

And actually going through that process can help a lot to determine what controls can you put on the different assets within your environment too.

So as you're going through and you're listing your assets out, you can actually determine, well, that one's really important, maybe we should have multi-factor authentication there. And you can start ticking off the ones that you really want that on, and then going through the process of making sure that's implemented.  

[Slide change]

[Audio: Speaker/Sam] All right, we are quickly running out of time. And we do want to get to some Q & A.

So phase two consolidation and preparation. Good thing is this one's a bit of a smaller phase. Alright, so what happens in this phase. This is once an attacker has actually gotten into your system, now they're trying to take control of as much as they can. They're trying to access as much files, as much data as many systems as they possibly can, as many devices as they can. And the reason for that is because they want the impact of the ransomware attack to be as severe as possible to make you more likely to pay that ransom.

Again, we've got logging here. And this is not a preventative measure. But this is going to help you understand what goes wrong if something goes wrong. So, you can make sure it doesn't happen again in the future.

The other side of this is those alerting. So, if you've got someone who's moving laterally within your environment, if you find that an employee, a user within your environment is suddenly able to access things that they shouldn't be able to access. That is a strong suggestion that maybe there's something going on within the system, that alert can give you a chance to lock things down, prevent anything further happening.

We've got application control again. So, a lot of times what attackers will do is once they've gotten into the system, they'll then start using bespoke tools to try and gain access to other things, to try and move to more of the system to try and move around as much as possible. And if we've got that really strong application control, and if we've got that whitelist of applications that we allow, their tool's probably not going to be on that list. So they're not going to be able to use that to get into as much of the system as possible.

Patching again, once they're in there, they will exploit vulnerabilities in software to again move within the system, get as much access as possible. And if we're making sure those applications, that software, is up to date with the latest update from the vendor, that's going to go a long way to prevent those things from happening and keep us nice and safe.

Network segmentation sounds like a pretty technical one. But the truth of this is just breaking down your network into as many small parts as you possibly can. This might simply look like making sure the payroll system that you have doesn't communicate can't access the data system that you keep on your customers. Breaking it down to as many little parts as you possibly can, is what we're talking about here.

And the reason for that is because if an attacker does get in, and they're in one part of your system, but you've implemented really sound network segmentation policies, and typically this can be done through software, these days. If you've implemented that network segmentation, then just because the attacker is able to access one part of your system, they aren't able to access the rest, and this can go a long way to minimizing the damage of something like a ransomware attack.

And principle of least privilege, another very technical sounding one. But the simple reality of this one is, it's just making sure that your employees only have access to what they need in order to do their job. And they don't have access to anything above that. And the reason that's important is very similar to network segmentation.

If an attacker is able to get into a user account within your organisation, but that account only has access to a very limited number of things that that employee actually needs to do their job, we're limiting the amount of access that the attacker has to the rest of our systems, to the rest of our processes. And that way, we can again, minimize the impact that the ransomware attack may have on our systems. This isn't to say that your employees may at times need more access to do a job or a task. And that can be given at the time, especially when you've got an IT provider or a managed service provider on board.

Multi-factor authentication, again, on those important business systems. If the attacker's in the system, they're trying to move laterally, they're trying to access another system. But you've got multi-factor authentication on that one. They're not going to be able to get through that additional layer of protection. And so they're going to be a little bit shoehorned in terms of how much they can access on your system, again, minimizing the impact of that ransomware attack to you.

 

[Slide change]

And phase three, this is where the bad stuff actually starts happening. So this is when you've noticed that your files have been encrypted, you can no longer open your Word docs or Excel spreadsheets.

This is when you notice that your backups can't be accessed. And we want to call backups out here specifically, because what a lot of the time organisations will do is have their business environment, and they'll have really good backups, but they'll store them in the same environment. And so when a ransomware attack actually happens, if the ransomware attacker has access to that environment, they will go after the backups first, take that opportunity away from you, to prevent you from being able to restore from your backup.

So a couple keys when it comes to backups, one is making sure that they're done regularly. A nice little anecdote is it was an organisation that we worked with not too long ago, who unfortunately was suffering a ransomware attack. However, three days prior, they had implemented daily backups. So they were storing a backup every single day. And what this meant for them was that they completely ignored the attacker, they started restoring straightaway, and they were back up and running the very next day. And backups are really the golden ticket to recovery. But we have to do them right.

One is making sure that we do them regularly, that we're creating those backups on a regular basis. The other is making sure that they're secure. So they need to be stored in a separate location to our business network. This may be physically, this may be on a hard drive that you have, this may be through a cloud service provider, it may be on an off site, sort of server or storage device. It needs to be secure, and we need to make sure that if a ransomware attack were to affect our network, our system, our environment that our backups are not part of that, so if that were to happen, we can still restore from those backups. That's why backups are on the actual diagram though is because it is something that attackers will go after within your environment, try to destroy them prevent you from actually being able to recover that way.

We've got logging and alerting again, we've gone over this before. Keep that paper trail, have those alerts pop up so you can prevent anything further from happening.

Application Control, again, if we have that really good whitelist of applications, then possibly the tools that the attacker is trying to use to actually encrypt the data can't run within our systems. And so that impact is significantly minimized.

Backups, as I say, this is the golden ticket to recovery, making sure we have regular tested secure backups is the number one key when it comes to recovering from a ransomware attack.

Last thing I want to mention on this part of the diagram is that typically what we have seen lately, you've gone through the whole ransomware attack that made the ransom demand, you can access your files, maybe you go through the recovery process, maybe you decide to pay that ransom, whatever the reality looks like for you, what we have seen a lot of lately is a second ransom demand.

So all this stuff has already happened, and then the attacker comes back and says, well, we've exfiltrated your data too and we're gonna put that online unless you pay us another ransom. This has happened quite a lot. And it's something that's important to be aware of.

[Slide change]

Okay, that was a lot of information. Good news is that we've, we've ended with a bit of time for Q & A. But there's a couple of things that I just want to get across before we do dive into the Q & A section.  

Ransomware can be truly devastating to an organisation. But there are a number of controls that we can put in place to at least limit the impact of ransomware or prevent it from happening at all. And the important thing to take note of here, the controls that we've talked about will not just help prevent against ransomware, they are going to help you prevent against the vast majority of cyber security incidents, attacks, risks, threats that we see here at CERT New Zealand.  

Even implementing a few of the controls that we've talked about, even if you go away, and you implement two-factor authentication, and that's all you do, you have just improved your security significantly.

And one thing I want to get across to people is we're not expecting everyone leave this this webinar today and implement all 10 controls. That's not realistic. But what is realistic is taking one of these controls on that list that's really good for your organisation, your size, your capacity, and implementing that today. Whether or not that's improving your password policy, offering a password manager to employees implementing two-factor authentication, maybe looking at setting up some alerts and some logins. Don't let perfect get in the way of good. Go away do something today that can improve your own security, even if it's just one thing on the list and you're gonna be in a better situation than you were before.

[Slide change]

The key things I want you to remember, two-factor authentication, is one of, if not, the most powerful control against ransomware. But against the vast majority of other cyber security attacks as well. If that's all you do, you have significantly improved your security posture.

Two-factor authentication, it's the key to preventing the bad stuff from happening in the first place. The other one I want to call out again is making sure you have sound patching processes, so you're regularly updating your apps and software and operating systems with the update from the vendor as soon as possible.

Put these two together, and you've just done a lot to prevent the things from happening in the first place.

But what if something does happen? Well, in the case of ransomware backups are the most important control you can have. Making sure you have regular backups that are stored daily, ideally, but on a frequency that's regular enough for your organisation to be able to recover from. And those backups are stored securely off site away from our network.

If ransomware were to happen, but you've got that in place, then you can begin the recovery process immediately, start restoring from those backups, and completely ignore the game of the attacker.

[Slide change]

And of course, there's additional resources. We've gone over a lot of information today, and I don't expect that you've taken it all onboard. There is more information out there available.

Check out Own Your Online, there's guides for ransomware, there's guides on how to protect your business.

[Slide change]

Check out www.cert.govt.nz, where you can find more information on the 10 critical controls we've talked about.

You can find more information on an incident response plan, more information about ransomware with a bit more technical information on it. And of course, how to report to CERT New Zealand.

[Slide change]

Question time.

[Audio: Host/Hadyn] Yeah, thank you so much Sam. It's very in depth, but done with plenty of time to answer some questions. One of the things I do want to cover off, there's a lot of questions about using cloud security and the sort of, I'm going to hopefully put them all into a single thing.

Can the ransomware spill over into your files that are on the cloud service?

How do backups work with cloud services?

Do they need to be enabled?

Where are they stored?

Is that considered an off site backup?

And also multi-factor authentication on those?

Some of the businesses, Microsoft, Google, are doing different forms of multi-factor authentication, and if you could talk about those?

[Audio: Speaker/Sam] Sure. Okay.

So, Cloud, initially we were thinking about cloud and whether or not things can spill over into cloud if we're dealing with a ransomware incident. Is that right thinking that's the first one? Okay, so the good news here is that a cloud system is going to be separate from your system.

Now, I say that with a caveat. Because if you've done any embedding of that cloud system to be able to communicate with your internal systems, that's not going to be the case. But if we just look at backups, for example, you are uploading your backup to a cloud system.

So the only communication that's occurring is through that uploading. And in this sense, we just need to take the same things into account with that cloud service provider. We need to make sure that we've got secure credentials for that cloud service provider. So our password, if we access that cloud service, we're going to have to log in with the username and password just like everything else we do. So we need to make sure that their password is long, strong and secure.

Again, consider a password manager, that'll spit out that password for you, it'll be more secure than you could ever hope for.  

Two-factor authentication as well, making sure that that is present on your cloud service provider, that that's something that they offer to you is another important question to ask, another important thing to make sure exists. And then if you've got a really secure password, and you've got a really, and you've got two-factor authentication enabled, that's going to make sure that that accessing that cloud service is nice and secure.

And then the only other thing you need to make to make sure is that it's not, not something that's been implemented internally, not something that is communicating with all the different segments of your network. And if it is communicating with at least one segment of your network, just being aware of that is really important.

And again, this comes back to that asset lifecycle management process. If you've got a cloud service that is interacting with parts of your environment, being aware of that and making sure that you have those really good passwords, that two-factor authentication enabled, and that logging and alerting in this case is really important too.  

The second part of this was...

[Audio: Host/Hadyn] Backups, and the other one was MFA.

[Audio: Speaker/Sam] MFA. Yep. So cloud service providers, one of one of the offerings that a lot of them have is backups. And this is a really good option to consider.

The one thing that I would say around cloud service providers and named doing backups is that if you do need to recover from a backup, it can be a little bit slower going through the cloud. A little bit slower than if you had an external hard drive that you plugged in and you started backing up from that. It's gonna take a little bit more time. And that's just because you're simply downloading that image from the internet.

Again, the same things you want to consider, look at a cloud service provider that has a good track record that either hasn't had an incident in the past or has dealt with an incident really well, that offers multi-factor two-factor authentication, these kinds of things. Those are really important questions to ask.

Speaking of multi-factor authentication, yep there's, there's lots of different forms of it these days. It used to be only a text message, you would enrol your number, you'd get a text message with the code, you enter that code, you login. Then some apps started coming out and those apps started creating the code, you enter the code you log in.

Now we see sometimes the website actually generates the code and you enter that code into the app. There are a lot of different forms of multi-factor authentication, and some are better than others. But having any form of multi-factor authentication is vastly better than no form of multi-factor authentication.

Like I would encourage you to look at authenticator apps, probably the easiest, and at the same time, most secure way to go for multi-factor authentication. But even if you go down the route of enrolling a phone and getting a text message sent to you, that is a lot better than having no form of multi-factor authentication. It can also depend on the platform that we're talking about on the service that we're talking about, they may only offer specific forms of multi-factor authentication.

But again, it really does come down to the fact that having some form of MFA on your accounts on your systems is vastly more secure than having no form of MFA on any of those accounts and systems.

[Audio: Host/Hadyn] And you've talked a little bit about internal systems.

But I just would like to remind people that, also turn that on your social media settings, because so many businesses have social media accounts these days. That's how some people do all their sales through there. Make sure that you have MFA turned on all your social media accounts as well.

And that's also I guess, principle of least privilege, making sure that only the people that need access to that have access to the password and the MFA and all the rest of it, because you don't want anyone else getting access to that.

Okay, so apart from that. How can you how can you tell if your data has been stolen?

[Audio: Speaker/Sam] That's, that's a good question.

So, a lot of times with data exfiltration, a lot of the times you will also get a ransom demand. Because what the attackers are trying to do is, just like they are the ransomware, when they lock everything down, and won't give you access back unless you pay a ransom, with data exfiltration it's the same kind of goal.

So, they've stolen your data, they're threatening to release it unless you pay a ransom. So there's probably going to be some kind of demand somewhere. But this does come back to that logging and alerting. So you could set up an alert for a really high amount of traffic leaving your environment. That could be an alert that you're looking at.

And there's different alert platforms that you can use ever say alerts are built into a lot of the suites that are in use: Google Workspace, Microsoft Office, these kinds of things. So do have a look at that platform and what's available to you in terms of those alerts. But that's an alert that you could set up for your organisation. You could set something up to know when a large amount of information has left your environment. You could set up that alerting so that you know when someone has access to a really critical system. Sorry, you could set up that logging so that you know when someone has access to a really critical system, where you can set up an alert for when that really critical system is accessed. Those are the things that are going to enable you to know that something has happened, potentially even before that ransom demand comes through.

So I would definitely encourage checking out www.cert.govt.nz. Check out the critical controls page, the link is provided at the end of the slides. Have a look at the logging and alerting one and see what kind of implementation you could do within your organisation that's going to help you become aware of these things if they're happening, and hopefully help you prevent anything further from happening if you do get one of those alerts.

[Audio: Host/Hadyn] Just keeping an eye on the time and we'll do two more questions.

Do not worry if we haven't answered your question, we will do our best to write them out, and we will send you answers to those. But these two feel very important.

First of all, can you encrypt your own data which would stop, and would that stop the attackers from encrypting it and logging it?

[Audio: Speaker/Sam] Yes, absolutely you can.

This will depend on what you do with the information within your environment. If you have to use it for some kind of business function, then it, in its encrypted form, is probably not going to be very useful for you in that state. But potentially if the storage system that we're talking about data can be encrypted in that sense.

A really great example is customer passwords, right. Passwords shouldn't be stored in plaintext. Typically, they're stored on what's called ciphertext, which is just it's been encrypted, it's been put through that process. Absolutely you can. Typically, the barrier for those kinds of things is that you need to use that data for something and it needs to be in that unencrypted form.

Passwords are a really good example of information on your customers that you don't need to use for business functions. You just need to do that process of they've entered their password, we put it through the hashing process, yes, that matches the hash that we've stored for that password. This is the right password, they can log in.

A lot of technical speak there. But that's an example of a data set that probably shouldn't be stored without being encrypted. The difficulty is, you probably need to use your customer data for your business functions. And having it in an encrypted form is not going to be useful for those types of things. So it's a bit of a balancing act. If there is information you don't need to use on your customers, absolutely, I encourage you to consider storing that in an encrypted format.

[Audio: Host/Hadyn] And the last question, how do you sanitize and ensure the attacker is no longer in your environment after the attack?

[Audio: Speaker/Sam] Hmm, that's a very good question.

That's probably quite a technical question. And this will change depending on if you have an IT service provider, a managed service provider, managed security service provider, because in this case, those guys are going to be the ones that are going through that process.

If you're doing it yourself, this is where that logging becomes really, really powerful. You know exactly what they did to get in and what they did once they were in. And that gives you basically a checklist of what you need to make sure has been secured.

Typically, it's going to be that there was some kind of user account that was used to gain initial access. We need to make sure that that user account's password has been changed, is really nice and secure. We've turned multi-factor authentication on there, these kinds of things.

But that logging is also going to be able to tell you whether or not they deployed some kind of tool within your environment. If you have really good allow listing in place, and you're only allowing certain applications to run, you're not going to be able to run that tool. But if they did put that tool in your system to run it and do some kind of function, again, that logging is the thing that's going to be able to tell you if that was the case, and then getting those things off your system is really, really important.

Depending on how bad the ransomware attack is, this kind of thing is probably one of those things that you would want to look for a professional service to do to make sure it's done properly, and that there is no sort of persistent access on your system.

But going through those logs is the key here, making sure that the things that were used to gain access to user credentials, the vulnerability that was exploited, whatever it may be, that that's been remediated, that the password has been changed, multi-factor authentication has been turned on, that system, that software has been patched, it's nice and secure.

Now, again, this is one of the really powerful benefits of having that logging system in place, so that if something bad does go wrong, you can figure out what it was, and make sure it doesn't happen again in the future.

[Audio: Host/Hadyn] If that did sound really technical, and you're worried like, oh, no, I don't have a, I don't have a managed service provider, CERT is here to help you out. So if you do get impacted, report through to us, and we can assist you with your recovery.

So thank you, Sam. This has been incredibly informative, and we've blazed through it.

Again, if you've had a question, and we haven't answered it, we will get you an answer to your question.

This webinar has been recorded and we're going to send that out with all the links and a transcript. The people transcribing this are hating all of the weird ums and ahs that we've been saying during this thing and how fast Sam's been talking. But that's okay. So thank you all again for your time and hope you have a lovely day.

Cheers.

[Audio: Speaker/Sam] Thanks everyone.

[Recording ends].

What to expect

Ransomware can shut your business systems down, leaving you powerless.

In this video you'll learn how a ransomware attack starts, what the bad guys are trying to achieve and what sort of impacts ransomware can have on your business.

Whether your business is big or small, this webinar is designed to help you get an overall understanding of how to keep your business secure online.

Webinar content includes:

Understanding ransomware: What is ransomware and how it works – we’ll talk about what the first signs of an attack look like, how to protect against it and what to do if you’ve been targeted. 

Data theft and risk awareness: As well as demands for payment, ransomware can be damaging in other ways – such as loss of customer trust. 

How to get prepared: There are things you can do to recover from a ransomware attack, but it's much easier if you’ve taken steps to protect your business before it happens. Learn what you can be doing now to prepare your business. 

Very clear, articulate and insightful webinar. Thank you for helping the businesses that don't have dedicated roles that include cyber security.

Anonymous
