Jamaica. Make up real time feedback into the behavior of your distributed systems and observing changes, exceptions. Errors in real time allows you to not only experiment with confidence, but respond instantly to get things working again. Close. Hello, everybody. Welcome to my talk. Also, welcome to comfortitude Chaos Engineering. My name is Kennedy Torkura. I am the cofounder CTO and c two admitigant, the continuous security verification platform. So this leveraging, I'm going to be talking defeating ransomware attacks, attacks with security chaos engineering. My Twitter handle is up there, and feel free to reach out to me to ask questions regarding my talk. I'm very passionate about this topic, and I'm always wishing, I'm always available to talk about it. All right, so firstly, let us look at ransomware. Right, an overview of ransomware attacks. So, ransomware, what is it? It is basically a type of malicious software, which is actually called malware, that threatens these publish or blocks access to data or computer systems, usually by encrypting it until the victim pays a ransom fee to the attacker. So what ransomware does is it's similar to what kidnappers do in the physical world. They kidnap people and then they ask for some kind of ransom which has to be paid before they release victims. Similarly, this is the same method that the ransomware attackers employ, with the difference that these time around, these attacks, actually happen in the digital space. Now, let us look at some statistics about ransomware attacks that have happened in recent years. And what we have here in this graph. These pie chart is actually gotten from the Zofos report, one of their security reports for last year. And we can see these, that actually there is 79% of ransomware. And this pie chart actually explains the amount of incident response that they carried out, because this is a managed security provider. So they kind of offer services for other companies because of their expertise. And according to the report from last year, most of the incidents, response activities that they carried out were in response of ransomware attacks, 79%. That is really high. Also, there are a lot of statistics online if you check about ransomware in the last one year, 18 months. So what we see from sonic wall is that there is 148% increase of ransomware between Q two of 2020 and Q two of 2021. A lot of ransomware attacks. Also, we see ransomware attacks, about 190.4 million ransomware attacks, just as at q three of last year. The same from sonic wall. There is also an interesting report, actually, this is from the FBI. The FBI in the United States specifically, these have received complaints just in the first half of last year, 2084 complaints about ransomware and of course, talking about finances. This time around, according to cybersecurity Ventures, victims will pay a total amount of about $265,000,000 because of ransomware by 2031. So these are just some statistics about ransomware, how prevalent it is, how it is expanding, how it is becoming a very huge problem for enterprises and even people. And it just goes to say how important it is for us to begin to take care of or to begin to prevent ourselves from becoming victims of ransomware. All right, now, we already looked at some of the impacts of ransomware, but here I just want to highlight on five main impacts of ransomware attacks. Of course, the first is financial loss. As we have seen, there's a lot of loss of financial. Companies have to pay a lot of money to the criminals that are behind these ransomware attacks. There's also data laws because oftentimes, even after paying ransom, the agents, the malicious people behind ransomware attacks, they do not return all the data. Sometimes these don't even return. They don't even hand over the encryption keys or even if these do that, these are reports that the victims are never able to recover. All the data that got missing, got lost as a result of the attack. And of course, these is also reputation damage. Okay, so the reputation of a company is badly smeared. If they fall victim to these attacks, they have to do a lot of communication tactics, firstly to their customers, to their investors, to the public. They have to apologize. And it's a bad reputation for a company. And they have to spend a lot of money, a lot of resources to be able to repair this reputation if they are ever able to do that. Legal implications also, this is really huge nowadays, especially for companies that are in Europe, we got the GDPR and usually what around somewhere, as we'll see later on, is a culmination of many attacks. Right? The attackers go through multiple steps. And it's often the case that some of these attacks actually expose data, as we have seen. And it's often the case where it either directly violates regulations like GDPR, or it's also the problem where customers of a company that is a victim of ransomware actually take the company to the court. They take the company because sometimes ransomware impacts their own activities. It makes the customers lose money, it makes them lose resources, and they take the company that provided a service to them to court and becomes a legal case. And of course, it disrupts business. Right? In Germany here, a few months ago, a company called Mediamact, which is one of the biggest online retail shops, they were attacked by ransomware. Now, this ransomware actually made it impossible for PoS systems to be used in the shops so the people could buy, they could not actually pay for services for products these bought. And this disrupted a lot of business activities. So ransomware, one of the biggest impacts it has, which we feel immediately, is the fact that was a company, your business is disrupted, you cannot serve your customers, you cannot go about your normal activities. It's a big pain. All right, now let us look at the steps, right? And as I said before, ransomware is a combination of multiple steps. In fact, before a ransomware becomes successful, it means the attackers have carried out multiple attacks against the infrastructure, against the victim. And in the end, they are able to kind of identify that material, they're able to identify that resource that is very critical to you, so critical that they can place a huge amount of money and you're going to pay. So what I'm showing here on the screen is about a specific ransomware called winter two. And this, Rama, is actually a ransomware that targets windows operating systems. And usually the infection vector is through RDP. And they actually also use phishing attacks to target their victims, which might be employees of a company, they might be normal individuals. And they're also distributed using ransomware as a service, which is another factor that has made ransomware to become very rampant these days. Because what ransomware as a service does is it lowers the entry barrier for people who want to conduct, who want to use these attacks because they don't need to have, again, the technical capabilities to develop ransomware. These don't have to write it from the scratch. They just go to the service provide of ransomware, which are usually available in the dark web. And they go there and buy the tools and they even offer them services and they buy it at a cheap rate and they are able to use it. So the important thing about this slide here is just to show the attack can of Wadrama. So Wadrama, as I said before, starts with an RDP brute force attack, and then the next thing is it scans for connectivity and also for new targets. The interesting thing in step three there is you see that the ransomware itself, tons of security controls, so it has the capability to identify that you're using maybe some firewalls or some antivirus devices or any software that might detect its presence, and it switches it off. It does another network reconnaissance to kind of understand your network, to understand your keys to the kingdom, to understand what kinds of resources are more critical to you. As a victim, based on that, it might move, literally, it might move from one resource to the other, from one network to the other. And other things, as you see in step five that might occur is credential theft. So they begin to see your credentials. They want to gain root access to certain resources in your network. They place a backdoor so that they can actually, if at all, you detect them at this point in time and you flush them out of the system, they leave backdoors which will enable them to come back to your system along the way, you see, they also have con miner to mine bitcoins in the victim system. And the last step, which is step eight, is where they actually ask for ransomware. So you can see that there's a lot of work that they have to do. There's a lot of security loopholes that they have to exploit along the way. Eventually, they arrive at a place where they feel confident enough that they have verified a resource that is so important that they can place a high price tag on it and they can force their victims to pay for this resource to be returned or to pay for the decryption key of the resource. Okay, so we have looked at ransomware, and now how about these cloud. Okay, so do we have ransomware that happen in the cloud? There is a lot of misconceptions about ransomware in the cloud, and we're going to be looking at some of those ones. Firstly, what we have seen in recent years is that ransomware has actually, the attackers, the perpetrators of ransomware attacks, are now beginning to target cloud based systems, cloud infrastructures, cloud native systems. And why is that? Well, one of the major drivers of this change of tactics is the Covid-19 pandemic. All right, so Covid-19 has come and we are still in the pandemic. Hopefully, we are out of it very soon. However, many companies have realized that they have to transform these infrastructure. They are undergoing the digital transformation and they are moving to the cloud because these cloud offers for them most of those facilities that will help their systems to be agile, to be elastic, to be robust. One of the major problems about moving to the cloud, amongst many other challenges that people face when they move to the cloud, is the fact that especially for companies, for enterprises that have both on premises and cloud systems, the line between on premises and cloud systems actually is blurred. Right. It is blurred because some cloud service providers make it so easy for the on premises and the in cloud infrastructure to connect. And so this connection becomes a good bridge for attackers to also leverage. And they can actually leverage such connections to easily attack or to move, move laterally from on premises systems to cloud based systems. The next thing is misconception. So one of them that I have heard about is the cloud is immune to ransomware, right? The cloud is not immune to ransomware. Cloud is not immune. These cloud offers in the cloud, these is the shared responsibility model, which is one of the models that is not well understood by most customers or most people who migrate to the cloud. Right. As a user of the cloud, you got your own responsibility. You have a lot of things to take care of, especially everything that is referred to as a logical security measure. You got to take care of it. So because of that infrastructure like object story, like x ray buckets on AWS, a lot of the security measures that have to be put in place are a responsibility of customers. And we will see an attack in the next few slides that actually shows how s these buckets are being targeted and being used, have been targeted during ransomware attacks. All right, so one of the key things I wanted to take from this slide is that the implications of ransomware in the cloud could be worse than the implications in traditional or on premises environments. And the major thing is because firstly, most cloud resources are misconfigured. According to Gartner, 99% of cloud resources are going to fall to attacks because of misconfigurations. So there is a high chance that attackers are going to get access, they're going to get privileged access, are they going to leverage it, and they're going to get access to resources that they can use for ransomware. All right, so what are the countermeasures that are in place now? There are a lot of countermeasures that have been put out there for ransomware. A lot of them are written provided by the cloud service providers themselves. There are also countermeasures that are provided by different security vendors or security organizations. One of the important things, as we have seen, that ransomware is a combination of multiple attacks, is that you have to enable a defense in depth security architecture. Your security architecture has got to be layered. It is a layered security system that can actually detect or proven ransomware. So what we see on this slide, these is basically a very nice way of describing defense in depth. We see that one of the first layers of ransomware countermeasures is training and awareness. Right. You have to train your employees. They have to understand the basics of cyber hygiene. They have to understand that they are targets to things like phishing emails, and they have to avoid the temptation of clicking links that seem malicious. So basically, there are four main types of controls. When we talk about defense in depth, there are the preventive controls, which include things like firewalls, authentication and authorization, identity and access management systems. These are also the detective controls, which actually detect malicious activities in your environment that might be indicators of compromise regarding sims and login systems. Then we also have recovery controls. Right? Recovery controls are those controls that will help a compromised system to come back to life to resume its normal activities. And what are these controls? These include things like backups, disaster recovery methods, incident response, and of course, I've already talked about security awareness. In summary, most of the ransomware countermeasures fall under these four controls. Now, you might be wondering, okay, what has this to do with security chaos engineering? Right? And I'm here today to tell you that security chaos engineering is one of the robust or one of the best ways you can actually prevent yourself from becoming a victim of ransomware attacks. Now, security case engineering is the identification of security control failures through proactive experimentation to build confidence in the system's ability to defend against malicious conditions. Right. And we're going to be looking a little bit into it. We are in chaos engineering conference. So I want to believe that most of the audience already are sort of used or have heard of chaos engineering. Chaos engineering. Security chaos engineering, actually, it implements most of the techniques or the methods or the approaches of chaos engineering. However, this time around, the focus is on security. The focus is on security attributes, on confidentiality, integrity, and availability. All right, so let's look at how security cares engineering is what it actually means. So basically, in security career, the first thing that you do in security case engineering is to define your hypothesis. In these case, you're talking about security faults. It's about injecting security faults into your infrastructure so that you can verify if the security controls are functioning was you expect them to function. All right? And this infrastructure could be code, source code, could be things like docker containers, could be cloud infrastructure, could be kubernetes clusters. In the end, you're actually conducting those security faults so that you will perceive or you will verify if your preventive controls, like the ones we just talked about in the last slide, if they are working as they should work. And because this is security, at the end of the day, there are three main things in your infrastructure or in your security architecture that you want to prevent, right? You want to make sure that the security attributes, which are confidentiality, integrity, and availability are not violated. Any violation of these is a security breach. It's a security problem. It might lead to cyberattacks, it might lead to a lot of problems. So at the core of security chaos engineering is for the protection of the attributes of security, which are confidentiality, integrity and availability. Now let us look at an example scenarios of a ransomware. In this case, it is a bucket ransomware attack. Now, during a bucket ransomware attack, the attacks basically, and there are various ways this could be conducted. The scenario we're going to be using today is just a hypothetical one which might happen. So in these case, firstly, the attacker creates a user called Bob. And after creating these user, that user, Bob tries to get access to an EKS cluster, a kubernetes cluster on Amazon Web services. By the way, these scenario is typically based on Amazon Web services and actually could be applied to even every other cloud service provider since they have similar. So. Well, Bob tries to get access to the EKS clusters. He's able to get access to it. He compromises one of the clusters, a pod in the cluster. From there, he gets to understand that this pod is actually looking towards an s three bucket. And this pod is actually either dumping information or retrieving information from an s three bucket. And it's able to understand that that s, these bucket actually has information that is very critical, maybe things like credit card information or Social Security numbers or it could be anything that is very delicate for the company. And so the next thing it does is to move forward, take over the bucket, encrypt it, request for ransomware. And that is more or less the lifecycle of a ransomware attacks. Okay. What's interesting for us here is, well, in this scenario could be actually a security chaos engineering experiment that you're conducting for your AWS infrastructure. And what you're going to be looking for, firstly, is in the first step of this attack, let's call it in this attack actually, where a user is created, you want to understand, okay, the detective controls that have been put in place. And this could be like cloud security posture management systems. It could be like the AWS config. These are security controls that should identify when unauthorized access is carried out or these should actually identify unauthorized access. They should identify when people who are not supposed to create new resources are creating new resources like a user. And this is something that you will expect these kinds of tools to detect in the next step. As we discussed, the attacks went forward and got access to an eks cluster and then went forward to compromise one of the pods. Right. And from a security standpoint, you're going to be interested to understand whether these activities that were done by the attacker before he successfully compromised a pod, if any of the Kubernetes security controls detected this exploitation, if it was detected, whether threat detection tools like AWS guard duty or security hub that are actually supposed to detect the range of activities that will be conducted, understand, by an attacker to be able to really conduct this attack. Okay. And now we get to the point where the attacks actually compromises the s, these bucket. And even in this case, these are a lot of activities. Like I said, for the attacker to identify that this bucket has sensitive information, there is going to be a lot of reconnaissance, there's going to be a lot of probing attacks, and these are attacks that should be detected. These are specific commands against an s three bucket that should be deemed as malicious. And you will expect also, again, that things like the access analyzer of AWS that kind of identifies when access to resources are suspicious, you expect it to kind of fire up an alert or from the security hub and such tools. Yes. And we finally get to the point where the attack is successful. And as a victim, you're already asking yourself whether to pay or not to pay because you already saw the request from the attacker for a ransom, right? And this is the point where incident response is actually triggered. Incident response in most cases is triggered at the end, after the attack is almost successful or is already successful after these ransom has been requested for. Of course. And these is the point, again where things like backups are, people begin to try to trigger their backups to bring their system back to life, to resume their business activities. And you want to ask whether are your backups even accessible? Are they usable? Are these already corrupted? Are they run books that you use for incident response? Are they even accurate? Are they functional? Are they updated? Now these are questions that are very interested, very interesting from a security chaos engineering experiments. So how do we even run these experiment? So there is a concept of game days, which are specific periods that are set aside to conduct security chaos engineering experiments, right? So game days are usually used by DevOps, by sres, to conduct experiments that kind of test how robust or their systems are, how available they are, how they can respond to incident response. But security game days this time around are with a security focus. I will not go into details of the components of people who should attend this sort of security game days, but essentially you're going to be having your security team there. You're going to be having maybe some sres, anybody who is actually part of the security incident response mechanism or lifecycle. You want that person to be part of the game days, part of the security game days. All right. Now you might also be thinking about what kinds of security activities should constitute or are good candidates for security chaos engineering. And there is a very good resource that was released by Amazon Web Services called these ransomware risk management on AWS using the NIST cybersecurity framework. And in this document, there are a lot of possibilities. These are a lot of recommended practices that should constitute either prevention, detection, or recovery from ransomware. Agreed again, that these are very specific to Amazon Web services, but again, they are similar resources that you will find in other cloud service providers. So what are these things? There are things like, we have already mentioned some of them. Things like checking if backups are already in place, whether they are well configured, corruption testing, deny listing, looking at things like your EC, two security groups, route 53, if all of these AWS resources are well configured to prevent or to detect or to even recover from ransomware. So go check these resource out and I'm sure that you're going to have some good insights as in where to start running your game days from. One important topic I want to talk about here is about continuous verification of runbooks, right? So we all know that runbooks are extremely helpful for security incident response and also for even normal incident response. Basically, runbooks carry these compose of certain steps that are written that can be executed in an incident response scenarios and which helps these operators to actually be a little bit help the operators to be a little bit proactive. Now, runbooks are very useful. However, security incident response in cloud environment introduces a lot of challenges, right? And these challenges kind of impact or kind of limit how efficient runbooks can be. All right. One of the challenges is because in the cloud infrastructure is constantly changing. Infrastructure is not static. Therefore, this means that runbooks also cannot be static. Runbooks have to be updated periodically, as often as possible. And also these runbooks have to be aligned with the current state of the infrastructure. And this is very important because security teams, they gain confidence by exercising runbooks. All right, before I conclude, I just want to highlight about some relevant resources. Since I come from an academic research background. During my doctoral research, I did a lot of research about security Chaos engineering. And some of these papers are already published. And if want good materials that will support your security chaos engineering journey. Yeah, these are some nice materials that will help you. And I also had a chance to be one of the contributing authors to the first book on security chaos engineering. And this was released last year. I was very lucky to be invited by Aaron Reinhardt and Kelly Shortridge. And this book has also very good content around security chaos engineering. All right, so this is the last slide. And, yeah, just to mention some important points again. Firstly, ransomware is a real threat. Cloud environments are not immune to ransomware attacks they can suffer from, and there are attacks that happened in real life. Also, security chaos engineering provides for you, means that you can verify your security posture. And this includes ransomware. Right. You can use security chaos engineering to check whether you are resistant to ransomware attack, to check if whatever measure that you have put in place to either detect or prevent or even recover you from ransomware. You can actually use security chaos engineering to check whether those controls are working as you kind of expect these to work. All right, so thank you very much for listening to my talk. I am readily available for you online or on Twitter to answer your questions around this topic. Have a nice conference. Right.