Aon Ransomware Response and Mitigation Strategies

Prepared by Aon’s Cyber Solutions Group
Proprietary and Confidential
Elizabeth Martin – Manager, Security Advisory Practice
Ransomware Response and Mitigation
Strategies: A Practical Approach

2
Aon’s Cyber Solutions
Proprietary & Confidential
Agenda
Introduction
Industry News
Aon’s Client Experiences
Aon’s Digital Forensics and Incident Response Activities
Aon’s Pro-Active Mitigation Strategy Development
What Does the Future Hold?

3
Proprietary & Confidential 3
Introduction

4
Proactive Security Advisory
Elizabeth Martin
Manager
Chicago, IL
E: Elizabeth.M.Martin@aon.com
P: +1 312.646.7358
EDUCATION:
B.S. – Electronics Engineering
Technology
Elizabeth Martin provides over 20 years of experience in the Information Security, Compliance, and Risk Management industry
and 25 years in Information Technology. Ms. Martin evaluates challenges associated with protecting an organization’s assets
while offering improvements that will support growth, improve operational efficiencies, meet compliance requirements, and
mitigate risk. Ms. Martin has extensive experience in the Fortune 500 automotive, retail, financial, healthcare, government, and
managed security services verticals.
Expertise highlights include Information Security and Risk Management Program Development, Information Security and Risk
Management Assessments, Program Development, and Workshops, Regulatory Compliance Analysis, Implementation, and
Management, as well as Policy and Procedure Development.
In her capacity at Aon, Ms. Martin proactively helps organizations assess and manage their risk in accordance with their
business requirements. She performs holistic Security Risk Assessments for clients that involve evaluating enterprise risks
including assessment of security architectures, policies and governance.

5
Aon Services: DFIR and Pro-Active Advisory Overview
* Includes former Head of the Cyber Division at FBI Headquarters and former founder of the FBI’s computer crime squad in New York

6
Industry News: The Rise of Ransomware

7
The Headlines

8
What Do the Experts Have to Say?

9
The Costs are Increasing
Global Data Breach Cost – Per Capita, by Industry
(Measured in US$)
Impact of the Top 22 Factors on the Per Capita
Costs
MEAN TIME TO CONTAIN
(MTTC) A BREACH
69 Days
FOR THE FOURTH YEAR, PONEMON’S STUDY
SHOWS THE RELATIONSHIP BETWEEN HOW
QUICKLY AN ORGANIZATION CAN CONTAIN
DATA BREACH INCIDENTS AND FINANCIAL
CONSEQUENCES.

10
Aon’s Client Experiences

11
What Does This Mean For Our Clients?
What are we doing
about Cybersecurity
and ransomware?
What is our strategy?
BOARD OF DIRECTORS
CEO
What are we
doing about
Cybersecurity?
Do we have a
strategy for
ransomware?
We’re doing
things about
this
Cybersecurity
right?
CISO
Yes of course!
We’re doing all
these things!!
 Increased attention from the Board of Directors
 Driving accountability at the C-Level
 CISOs facing increased scrutiny and/or requesting 3rd Party Assistance
 5 of my last 6 Security Risk Assessments were driven by the BoD
 Security and IT Teams are still challenged
 Varying degrees of diligence, tools, practices, risk management, etc.

12
The Challenges We Face
We are doing
enough right?
Is everything
I put in place
working?
CISO
Team, we’re
doing all the
things, right?
Security Team
NOOO!!! WE’RE
NOT DOING
ENOUGH!! THE
SKY IS
FALLING!!!!
IT – You are
doing all the
things,
right?
IT
Uhhh…my hair is
on fire with new
deployments,
acquisitions,
outages, but we’re
trying!!!
3 Months Later….
Aon DFIR
Team
Do you have
an EDR
Solution? Do
you have
Logs? Do you
have a list of
systems? Can
we access the
SIEM? Do you
have a
SIEM?? How
do we deploy
IoC Detection?

13
Here We Are: Not So Exact Numbers
 Prior to summer of 2019 we saw one or
two ransomware cases per month
 Summer of 2019 we saw something like
5 or 6 cases in a 10 or 15 day period
 They continue to come in on a regular
basis
 We typically only see catastrophic cases
 Most cases contain common attack
vectors and malware strains

14
Aon DFIR Incident Response, Analysis, and
Containment Activities

15
Aon DFIR: Engagement Overview
 Forensic acquisition of systems and host-based forensic analysis
 Malware analysis
 Log analysis: Firewalls; Threat Detection; Active Directory; All Available Logs
 Network Monitoring: Deploy Open Source tools if none available
 Malware Protection triage and review
 IoC scanning via LIMA (Proprietary Tool) and other tools as available
 O365 / Email log collection and analysis
 Dark web threat intelligence
 Law enforcement engagement
Note: Cyber Insurance and ransomware payments are typically conducted outside of DFIR and
Pro-Active purview. We are nearly always engaged through client attorney under Privilege

16
Aon DFIR: Engagement Overview By The Numbers
SAMPLE – Overview of Efforts
 397 systems (99 servers, 298 workstations) identified as infected
 613 potential attacker IP addresses blocked
 5 strains of malware identified
 3000+ malware samples identified
 530+ LIMA Scans
 1200+ Linux Scans
 Inoculations (“kill switch”) deployed for Trojans (used to harvest credentials
and propagate ransomware)
Above reflects a smaller environment, we have responded to
environments with 2000+ affected machines

17
Aon DFIR: Anatomy of an Attack - Response Activities
Infection Vector:
 Initial infection vector often not confirmed, phishing email with malicious
link/attachment most likely.
 Often see IoCs dating years back reducing ability to tie to the incident
timeline
Multi-Stage Malware Deployment:
 Attacks generally followed typical pattern of multi-stage malware
deployment, leading to ransomware infection
 Multiple Emotet, Trickbot, Dridex, and Ryuk infections observed

18
Lateral Propagation
 Attackers harvest credentials and create backdoors
 Attackers map network and use compromised accounts to propagate
Malware broadly
 Remote Shells / Meterpreter deployed to escalate privileges and create
backdoors in machines
 Attackers gain access to admin-level accounts and domain controllers to
deploy malware across the environment
 Most lateral propagation is occurring through remote administration
tools such as Powershell, Named Pipes, RDP, etc. and go largely
undetected and uncontrolled

19
Lateral Propagation (Cont’d)
 Limited network segmentation, choke points, and visibility to restrict SMB and remote
Windows administration traffic
 Clear evidence of “hands on keyboard” attacker activity typically 3-4 weeks in advance of
ransomware payload execution
 Attackers typically obtain a host list as part of reconnaissance activity, including
identification of backups, Domain Controllers, etc.
Containment Efforts
 In most cases, at this point, the ransomware has spread rapidly and many systems are
down – both endpoints and servers. In some cases certain environments are not affected
 SMB traffic is quickly restricted to the best of the capabilities available, usually on the fly
router ACLs due to a flat network combined with on the fly firewall rules

20
Containment Efforts
 Overall – TANGO DOWN within a 2-3 day timeframe. Business functions have halted, have
seen cases where employees are simply asked to not work. Some IT folks are going to
BestBuy, laying down AmEx and buying all available workstations (Procurement services are
not available)
 3-7 Days later and infections continue if a successful containment strategy is not deployed
 Often see reinfections of same machines due to lack of the following:
 System hardening, host based controls, configuration management practices, network
segmentation, or inadequate / ineffective malware protection
 Malware Protection may not automatically detect IoCs, custom signatures must be deployed,
assuming Malware Protection console is available and not affected by ransomware
 Containment strategies using Windows tools such as SCCM, AppLocker, Windows
Defender, etc. are restricted due to limitation of SMB traffic
Aon DFIR
Team
IT
Security Team

21
Containment Efforts
 In some cases attacker directly accessed backup console and deleted
backups, in other cases the backups were simply not functioning, which had
gone unnoticed
 In many cases client does not maintain Asset Management solutions or
network diagrams, or if they do they are unavailable due to the ransomware,
further complicating response and increasing the timeline for containment
 Obtaining access to tools, deploying Aon tools where visibility is
lacking, and overall availability of fundamental information and
systems significantly increases the timeline of containment
Aon DFIR
Team
IT
Security Team

22
Containment Efforts Realized!
 Our Malware Analysis team is able to identify specific IoCs, lateral propagation
methods, etc. Our DFIR team has become accustomed to deploying containment
solutions in some of the most challenging environments
 In many cases our DFIR team requests deployment of an EDR tool, which seems to
be the most effective
 Specific host based controls are deployed depending on the environment and tools
available. This includes EDR, Malware Protection, and any additional tools in place
that can block IoCs and allow for rebuild, restore, recovery, etc.
 Log Analysis and Monitoring is in place to immediately alert to all IoCs
 Network based restrictions are slowly lifted, in a phased approach, once it is
confirmed the containment strategy is successful
Aon DFIR
Team
IT
Security Team

23
Aon DFIR: Anatomy of an Attack – Eradication
Eradication
 While the spread of the ransomware may be contained, there are still many items to
consider on an ongoing basis, such as the following:
 Diligence in eradication measures – do not reintroduce infected machines to the
network
 Establish a safe practice for data recovery, including paying the ransom and
restoring data
 Ensuring there is a sound set of protective controls to prevent subsequent
infection vectors (e.g. phishing protection, advanced threat, etc.)
Data Exfiltration
 While the incident may be contained, there should be an ongoing effort to conduct
Deep / Dark Web searches to identify data exfiltration
Aon DFIR
Team
IT
Security Team

24
Aon Pro-Active Advisory Mitigation Strategy

25
Aon Pro-Active Advisory: Engagement Status
 Containment has been achieved through a
collaboration between Client and our DFIR team
 Client has not yet fully recovered
 Additional Pro-Active Mitigation Strategies need to
be developed to further strengthen detection,
prevention, and response capabilities

26
Aon Advisory: Pro-Active Ransomware Mitigation Strategy
Establish Threat Profiles, Network Baseline, Enhance Chokepoints
 Whiteboard environment, gather a threat profile of the following:
 User profiles
 Location Profiles
 Establish Network Baseline and Chokepoints
 Develop Network Reference Architecture
 Develop Traffic Profiling

27
REMOTE LOCATIONS
Cloud ServicesAWS
Internet
Regional Data
Center
Infrastructure
VPN
CORE
INFRASTRUCTURE
Backup Data Center
Primary
Data Center
Infrastructure
Business Apps
Business Apps /
ERP / Etc.
Business Apps /
ERP / Etc.
Business Apps /
ERP / Etc. Mgmt
Business Apps /
ERP / Etc.
Pre-Prod
Security Tools
RDC/File
Servers
RDC/File
Servers
Internet
Infrastructure
Backups
E-Commerce
Middleware
Development
Core
Infrastructure
Backup Network
WAN
Users
Users
Router
Users
POS
Firewall / UTM
Retail
Locations
WAN
Retail Back
Office
Firewall / UTM
O365
Small
Office
Campus
Router
Firewall / UTM
Router
Firewall / UTM
Network Reference Architecture

28
 Traffic Baselining
 Restrict network traffic
based on user and location
threat profiles
 Keep SMB traffic localized

29
Understand Current and Planned Security Controls
 Gather current, planned, and recommended security controls related to the
following:
 Mobile Device Controls
 Endpoint Controls
 Email / Browsing
 Perimeter Controls
 Server / Identity Management
 Security Analytics
 Overlay Controls to a general “Anatomy of an Attack”

Vulnerability Management
Dark Web Search
Threat Intelligence
SIEM
Traffic Baselining
Security Analytics
Cloud
E-commerce
Infection Vector
Email Filtering
URL Filtering
Email / Browsing
Firewall
Advanced Threat
Advanced Threat
Perimeter Controls
Mobile Device Controls
Corporate Device
BYOD Device
MDM
Wireless
Wireless
Controls
Malware
Corporate
Endpoint
EDR /
Malware Protection
Malware
Configuration Management
Patching
Endpoint Controls
Windows Defender
AppLocker
LAPS
Lateral Propagation
Identity
Directory
Server
EDR
PAM
Lateral Propagation
Server / Identity Management
Application
Whitelisting
Configuration Management
Patching
Malware
VPN
24x7 Monitoring
MalwareMalicious Actor
Malicious Actor
Malicious Actor
SDN
DDoS
WAF
IPS
Security Reference Architecture
Backup Protection
Insider Threat

SECURITY
ANALYTICS
PERSISTENCE
PHISHING
MALICIOUS
WEBSITE
CREDENTIAL
HARVESTING
API HOOKING
RANSOMWARE
DATA
EXFILTRATION
BOTNET
LATERAL
MOVEMENT
COMMAND AND CONTROL
ROOTKIT
INFECTION VECTORS PROPAGATION PAYLOAD
TenableDark Web Search
Threat Intelligence
Backstory
(Google)
Cortex XDR
Backup ProtectionNetwork
Segmentation
Palo Alto FirewallWildFire
Carbon Black Host Based
Controls
Thycotic Host Based ControlsURL FilteringProofpoint Carbon Black Carbon Black Host Based Controls
24x7 Monitoring
KILLCHAIN
KILLCHAIN KILLCHAIN KILLCHAIN KILLCHAIN KILLCHAIN KILLCHAIN KILLCHAIN KILLCHAIN
Palo Alto IPS
Anatomy of An Attack
Insider Threat
Microsoft ATA
KILLCHAIN

32
Develop Roadmap, Budget aligned with
NIST CSF
Enhance DFIR Preparedness

33
What Does the Future Hold?

34
Proprietary & Confidential Aon’s Cyber Solutions Group
Aon plc (NYSE:AON) is the leading global provider of risk management,
insurance and reinsurance brokerage, and human resources solutions and
outsourcing services. Through its more than 66,000 colleagues worldwide,
Aon unites to empower results for clients in over 120 countries via
innovative and effective risk and people solutions and through industry-
leading global resources and technical expertise. Aon has been named
repeatedly as the world’s best broker, best insurance intermediary, best
reinsurance intermediary, best captives manager, and best employee
benefits consulting firm by multiple industry sources.
Visit aon.com for more information on Aon.
Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed
investigative skills, and proprietary technologies to help clients uncover
and quantify cyber risks, protect critical assets, and recover from cyber
incidents.
Cyber security services offered by Stroz Friedberg Inc. and its affiliates.
Insurance products and services offered by Aon Risk Insurance Services
West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast,
Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of
Florida and their licensed affiliates.
The information contained herein and the statements expressed are of a
general nature and are not intended to address the circumstances of any
particular individual or entity. Although we endeavor to provide accurate
and timely information and use sources we consider reliable, there can be
no guarantee that such information is accurate as of the date it is received
or that it will continue to be accurate in the future. No one should act on
such information without appropriate professional advice after a thorough
examination of the particular situation.
www.aon.com | © Aon plc 2019. All rights reserved.
Disclaimer of Liability: This strictly confidential report provides a written
account of information collected and collated by us within limited time
constraints. It contains information obtained from sources which have not
been validated and the accuracy or veracity of which cannot be
guaranteed. It is being provided to the addressee “as is” and with specific
disclaimer of any express or implied warranties of any kind, including
merchantability, fitness for purpose, title and/or non-infringement. Further,
we make no representations regarding the sufficiency of our work for any
business, financial, or other purpose, including the purpose for which it has
been requested. We do not express an opinion regarding any business
decisions associated with the subject matter of our deliverables.
Sufficiency of the work and business decisions are the sole responsibility
of the addressee. We shall not be liable for any loss or injury caused by
the neglect or other act or failure to act on the part of us and/or our agents
in procuring, collecting or communicating any information. Further, no
liability is accepted by us for any loss or damage arising out of any reliance
on the information contained in this report.
About Aon

Aon Ransomware Response and Mitigation Strategies

More Related Content

What's hot

Similar to Aon Ransomware Response and Mitigation Strategies

More from CSNP

Recently uploaded

Aon Ransomware Response and Mitigation Strategies