Ransomware Defense
Prevention, Detection and Recovery
Gavriel Meir-Levi | Sales Director - Security Products
Barry Kirksey | Principal Sales Engineer
Session Overview
1. Prevention: Keep it Off The IBM i
2. Detection: Limit The Blast Radius
3. Recovery: Continuous Data Protection (CDP)
Prevention
Keep it off the IBM i
1. What are we securing?
2. Why are we securing it?
3. How are we securing it?
What are we securing?
You can’t secure what you don’t understand.
We’re securing the IBM i against ransomware... Meaning what?
Prevention
How does ransomware reach the IBM i?
Anatomy of a Ransomware Attack (diagram labels): Ingress, Command and Control, Encryption, Compromise, Tunneling, Burrowing
Ransomware Business Model
Raa$ Business model (diagram labels): Ransomware Software Developer, 3rd Party Partners, Ransomware Target; revenue shares shown: 10-30%, 70%, 70%
Point of Network Ingress
Ingress happens when the network is compromised by 3rd Party Ransomware partners.
Most Common Point of Ingress
“Under the Radar” Exploitation
Diagram (legend: Target/Unmanaged Asset vs. Sensor Managed Asset): Internet Router, Domain Controller, NAS/Backup Storage, Telephony Devices, Firewall/VPN Gateway, End-of-life (EOL) Products, Managed Laptops, Managed Workstations, Managed Servers
Source (CrowdStrike 2024 Threat Report): “Unmanaged network appliances – particularly edge gateway devices – remained the most routinely observed initial access vector for exploitation during 2023”
Prevention
What are we securing?
1. Classic Wintel Ransomware Contamination
2. Advanced Threats that Specifically Target the IBM i
Keeping It Off The IBM i
• The IBM i OS ‘proper’ is generally not the target
• IBM i can be affected by malware in the IFS in two ways:
  • An infected object is stored in the IFS
  • Malware enters the system from an infected workstation via a mapped drive, that is, a file share on the IFS of the IBM i
Integrated File System
The integrated file system is a part of the IBM i operating system that supports stream input/output and storage management similar to personal computer and UNIX operating systems, while providing an integrating structure over all information stored in the system.
The Case of the Contaminated Network
Classic mapped drive ransomware scenario
Diagram labels: Ingress, Command and Control, Encryption, Compromise, Tunneling, Burrowing, IFS
Network Contamination
A tale of betrayal and redemption
THE USUAL SUSPECTS (The Human Element): Security Sue, Admin Andy, Malicious Maxine, End User Ellen
The Case of the Contaminated Network
An AI tale of betrayal and redemption
THE USUAL SUSPECTS (The Human and AI Element): Security Sue, Admin Andy, Malicious Maxine, End User Ellen
WITH SPECIAL GUEST: AI Artemus
The Contaminated Network
Diagram sequence (cast: Malicious Maxine, End User Ellen, Security Sue, Admin Andy):
1. Point of ingress
2. Lateral movement
3. RED ALERT: IBM i is in danger (Network Share)
Rewind prewind: Planning starts before
contamination
Security Sue Admin Andy
End User
Ellen
Collaboratio
n
IFS Access
Network
Segmentation
Exit
Point
IFS
Security
MFA
Don’t Forget The “Why”
Here comes the “how”
Don’t Forget The “Why” – Because End User Ellen’s access to the IFS is critical to the business. And if it isn’t…
Lots of Great Tools
Some of which your organization already uses
Segmentation: Illumio, Guardicore, Etc.
Zero Trust
Adaptive MFA
Zero Trust (MFA): Microsoft365, Okta, Etc.
Next Gen Tools
API calls are your friend
API Calls: CrowdStrike, SentinelOne, Palo Alto Networks, QRadar, Etc.
Tried And True IFS Security
No external tool can replace good native IFS security
Best Practices: Journal IFS Objects; Restrict QSYS.LIB; Change to *PUBLIC *EXCLUDE; No Shares to Root Directory; Etc.
Congratulations Sue and Andy!
They kept the ransomware off the IBM i… or did they?
Diagram: End User Ellen (IFS Access); Security Sue and Admin Andy (Collaboration); Malicious Maxine: “Rats!”
Detection
Limiting the blast radius
1. Audit: Security Must Be Demonstrable
2. Test For Failure
3. Limit The Blast Radius
On The Audit Trail
Demonstrate success… and test for failure
Welcome to the Audit Layer
Endpoint Telemetry | Network Activity | MFA Logs | Exit Point Traffic | IFS Object Changes | QAUDJRN | IFS Object Journals
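The IFS Object Changes, QAUDJRN and IFS Object Journal feeds named above are what a detector for the deck's mapped-drive scenario would run over. Added example, not code from the deck or any product: two detectors over a constructed, simplified export of such entries (in practice the feed would come from DSPJRN or the QSYS2.DISPLAY_JOURNAL service); the user profiles, job names and paths are assumptions.

```python
"""Burst detection over IFS object-change audit entries (added example).

The record layout is a constructed, simplified export of the feeds the slide
names (QAUDJRN object entries and IFS object journals): timestamp, user
profile, job name, entry type, path and, for renames, the new path. Entry-type
codes follow QAUDJRN's convention (CO create, ZC change, DO delete, OM
move/rename); the field layout itself is not the real journal format.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import os


@dataclass(frozen=True)
class IfsEvent:
    ts: datetime
    user: str
    job: str
    entry_type: str        # CO create, ZC change, DO delete, OM move/rename
    path: str
    new_path: str = ""     # populated only for OM (rename) entries


MODIFYING = {"CO", "ZC", "DO", "OM"}


def detect_bursts(events, window=timedelta(seconds=60), threshold=20):
    """One alert per (user, job) that touches >= `threshold` distinct objects
    inside any sliding `window`. A single profile on a file-serving job
    rewriting dozens of files a minute is the mapped-drive encryption pattern;
    a person working on a share almost never does that."""
    alerts, fired = [], set()
    recent = defaultdict(deque)            # (user, job) -> deque of (ts, path)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.entry_type not in MODIFYING:
            continue
        key = (ev.user, ev.job)
        q = recent[key]
        q.append((ev.ts, ev.path))
        while ev.ts - q[0][0] > window:    # drop entries that left the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"reason": "mass_modification", "user": ev.user,
                           "job": ev.job, "objects": len(distinct),
                           "first": q[0][0], "last": ev.ts})
    return alerts


def detect_extension_swaps(events, min_renames=5):
    """Renames (OM) that give many distinct files the same new extension."""
    by_ext = defaultdict(set)              # (user, new_ext) -> renamed paths
    for ev in events:
        if ev.entry_type != "OM" or not ev.new_path:
            continue
        old_ext = os.path.splitext(ev.path)[1].lower()
        new_ext = os.path.splitext(ev.new_path)[1].lower()
        if new_ext and new_ext != old_ext:
            by_ext[(ev.user, new_ext)].add(ev.path)
    return [{"reason": "extension_swap", "user": u, "new_ext": ext, "count": len(paths)}
            for (u, ext), paths in by_ext.items() if len(paths) >= min_renames]


def run_detection(events):
    """Run both detectors; the result is what would be forwarded to the SIEM."""
    return detect_bursts(events) + detect_extension_swaps(events)


def build_sample_feed():
    """Constructed sample, not real audit data: a normal day for ELLEN and
    ANDY, then a workstation with ELLEN's share mapped rewrites every file in
    /home/shared/finance under her profile through the NetServer file job."""
    base = datetime(2024, 6, 13, 14, 0, 0)
    events = [
        IfsEvent(base - timedelta(hours=3), "ELLEN", "QZLSFILE", "ZC", "/home/shared/finance/q2_forecast.xlsx"),
        IfsEvent(base - timedelta(hours=2), "ELLEN", "QZLSFILE", "CO", "/home/shared/finance/notes.txt"),
        IfsEvent(base - timedelta(hours=1), "ANDY", "QPADEV0001", "ZC", "/home/andy/scripts/backup.sh"),
    ]
    for i in range(30):                    # 30 files rewritten and renamed in 30 s
        t = base + timedelta(seconds=i)
        path = f"/home/shared/finance/report_{i:02d}.xlsx"
        events.append(IfsEvent(t, "ELLEN", "QZLSFILE", "ZC", path))
        events.append(IfsEvent(t, "ELLEN", "QZLSFILE", "OM", path, path + ".locked"))
    return sorted(events, key=lambda e: e.ts)


if __name__ == "__main__":
    for alert in run_detection(build_sample_feed()):
        print(alert)
```

Thresholds are deliberately conservative; tune them against a baseline of the share's normal activity before wiring the alert to an automated response such as ending the NetServer session.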
The AI Layer
Use your audit data to train the AI
The Audit Layer Becomes The AI Layer (AI Artemus)
Endpoint Telemetry | Network Activity | MFA Logs | Exit Point Traffic | IFS Object Changes | QAUDJRN | IFS Object Journals
Andy is losing it
Yet another job?!?!
Admin Andy: “I already have a day job, managing the IBM i. Now they want me to become the CISO for the i AND the AI engineer for the i?!?”
Sue’s Got It
She’s already AI-ready
Admin Andy: “Thank God Sue is here!!!”
Security Sue: “Hey Andy, we’re looking at some cool AI tools for security and I want IBM i data in the mix…”
(Collaboration)
ALL AI-READY
Sue’s AI-Ready, and now so is Andy
Admin Andy: “I have waited for this day!!!”
Security Sue: “I want your input!”
(Collaboration)
Advanced Detection
Limit the blast radius
Diagram: Security Sue, Admin Andy, AI Artemus, Red Team Ruby (Collaboration); End User Ellen; PROD; HA; FTP Endpoint Scanning; CDP Recovery; Prevention; Cloud Scanner Storage
The AI SecOps Layer
Endpoint Telemetry | Network Activity | MFA Logs | Exit Point Traffic | IFS Object Changes | CIS Benchmarks | I/O Activity | QAUDJRN | IFS Object Journals | Cloud Scanning | FTP Endpoint File Scans | Red Team Activity | Remote CDP Journals | Pen Testing
Advanced Threats
Limiting the blast radius
1. Malware Written for The IBM i
  • Rare
  • Insider Threats
2. Advanced Persistent Threats that Target the IBM i
  • Live Off The Land (LOTL)
  • Insider-Like
  • Example: Involved SSH Keys accessed via AIX
Recovery
The system is corrupt! What now?
• You must have a Continuous Data Protection (CDP) recovery plan!
• Execute the plan
• Recover to an acceptable point prior to the corruption
Planning: Maintain known good starting points
Regular SAVEs
Pros:
• Allows for the most granularity (file, library)
Cons:
• Restore time
• Not suitable for IFS Directories
Flash copy/Snapshot image
Pros:
• May be faster than restore
• Suitable for IFS Directories and Stream files
Cons:
• Quality of snapshot questionable
• Requires restore of Journal Receivers
Journal Receivers
• Needed for rolling forward from start point
• Immutable
• Must be retained (protected from deletion)
Planning: Requirements for CDP
Apply Journal Change: Method to roll forward (apply) the journal entries from the known good point.
Logical Replication Software: Software to roll forward (apply) the journal entries from the known good point.
Start Point: Point in the journal receiver chain of the chosen known good point to roll forward from.
Recovery Point: Point in the journal receiver chain where logical replication should stop. This is typically before the point of corruption.
Final Readiness Process:
• Typical Unplanned Switch Procedure to prepare the Database for normal operations (i.e., commitment control, triggers, referential constraints, etc.).
• Final User validation
Planning: Snapshot Quality
State of Production LPAR at Time of Flash | Open Commits | All user data written to storage | Known Transaction Point | Quality of snapshot | Requires outage
Powered down | No | Yes | Yes | ⭐⭐⭐⭐⭐ | Yes
Restricted State | No | Yes | Yes | ⭐⭐⭐⭐ | Yes
Applications down | No | Yes | Yes | ⭐⭐⭐⭐ | Yes
Quiesced applications | No | Yes | Yes | ⭐⭐⭐⭐ | Yes
Application running with FORCE WRITE action performed | No | In doubt | No | ⭐⭐ | No
Application running with FORCE WRITE action performed | Yes | Unlikely | No | ⭐ | No
Application running | No | In doubt | No | ⭐ | No
Application running | Yes | Highly unlikely | No | ⭐ | No
Known Recovery Point
Diagram: Production Data on IBM i volumes (Vol 01 … Vol 88); Immutable Snapshots – Every Hour, each carrying a snapshot ID and validated GOOD / WARNING / FAIL
Validated Immutable Snapshots
Known Recovery Point and Recovery Times
“Be Prepared” for CDP Recovery
Timeline, LPAR A (-168 HR, -144 HR, -120 HR, -96 HR, -72 HR, -48 HR, -24 HR): Known Good Points = Snapshots (High Quality snapshot / Low Quality snapshot), Full Backup, Incremental Backup; Journal Receivers run throughout; state Normal until System Corrupt
CDP Recovery: from SAVE
Timeline, LPAR A (-168 HR to -24 HR): Known Good Points = Full Backup, Incremental Backup; Journal Receivers; System Corrupt
Recovery Operations, LPAR B: Start Point = System restore (Libraries, Files, Objects) → Roll Forward → Recovery Point → Normal
Restore offers granularity to the object level, but will be slower to complete
CDP Recovery: from SNAPSHOT
Timeline, LPAR A (-168 HR to -24 HR): Known Good Points = Snapshots (High Quality snapshot / Low Quality snapshot); Journal Receivers; System Corrupt
Recovery Operations, LPAR B: Start Point = IPL Snapshot → Roll Forward → Recovery Point → Normal
CDP Recovery at the LPAR level
Roll Forward Recovery: from SAVE (LPAR A): Restore → Roll forward → Recovery Point
Roll Forward Recovery: from SNAPSHOT (LPAR A): IPL Snapshot → Roll forward → Recovery Point
Multi-LPAR CDP Readiness Topology
Diagram: A - Primary ↔ B - Backup (Real-time HA/DR); A - Recovery; B - Recovery; Journal Receivers
Journal Receivers must be retained. Protect them from deletion by replicating them to another separate LPAR.
Example Event Timeline - NORMAL
Timestamp | Event | LPAR | Comments
Sunday 0100 | Database SAVE | A or B | Media should be available to B system
Regularly | Remote Journal Receiver SAVEs | B | Receivers are required for roll forward recovery - should be changed regularly and saved expeditiously
Example Event Timeline – Cyber Attack
Timestamp | Event | LPAR | Comments
Thursday 1400 | Cyber attack – Rogue database changes occur | A | Rogue record changes are replicated to B
Thursday 1415 | Production isolated and offline | A | B is online, but not available to users.
Thursday 1700 | Decision to perform a roll forward recovery | |
Example Event Timeline - Recovery
Timestamp | Event | LPAR | Comments
Thursday 1730 | CLRLIB completed, RESTORE started | B | Affected libraries
Friday 1300 | RESTORE completed | B | Affected libraries
Friday 1315 | Initialize Data Groups for restart | B | Set Data Group Recovery Point
Friday 1330 | Replay forward from SAVE Point | B | Start Data Groups from SAVE point in journal receivers.
Recovery Point – 1 | Reach Recovery Point | B | Stop Data Groups
Recovery Point – 2 | Perform final readiness | B | Switch Procedure to close commit control cycles, prepare database
Recovery Point – 3 | Present recovered database | B |
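Added example, not the deck's or any replication product's code: a toy model of the Start Point, Recovery Point and roll-forward procedure from the “Requirements for CDP” slide and the recovery timeline above, including what happens when a journal receiver in the chain was not retained. The receiver names, record keys, row contents and timestamps are constructed to follow the deck's Sunday SAVE / Thursday 1400 attack timeline.

```python
"""Roll-forward (CDP) recovery to a recovery point (added example).

The database is a dict of record key -> row; the journal receiver chain is a
list of receivers, each holding entries ordered by sequence number with a
timestamp, the record key and its after-image (None models a delete). The
start point is the sequence number the known good SAVE was taken at; the
recovery point is the last sequence number before the first rogue change.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class JournalEntry:
    seq: int
    ts: datetime
    key: str
    after: Optional[str]      # after-image of the row; None models a delete


@dataclass(frozen=True)
class Receiver:
    name: str
    entries: tuple            # JournalEntry objects in ascending seq order


class BrokenChainError(RuntimeError):
    """Raised when the receiver chain cannot be replayed end to end."""


def chain_entries(receivers, expected_names):
    """Flatten the chain in the expected receiver order, refusing to proceed if
    a receiver is missing or the sequence numbers have a gap. This is why the
    deck insists receivers be immutable and retained: one deleted receiver
    makes every later entry unusable for roll-forward."""
    present = {r.name: r for r in receivers}
    entries = []
    for name in expected_names:
        if name not in present:
            raise BrokenChainError(f"journal receiver {name} is missing")
        entries.extend(present[name].entries)
    for prev, cur in zip(entries, entries[1:]):
        if cur.seq != prev.seq + 1:
            raise BrokenChainError(f"sequence gap between {prev.seq} and {cur.seq}")
    return entries


def choose_recovery_point(entries, corruption_ts):
    """Recovery point = last sequence number strictly before the corruption."""
    good = [e.seq for e in entries if e.ts < corruption_ts]
    if not good:
        raise BrokenChainError("no journal entry precedes the corruption")
    return max(good)


def roll_forward(save_image, entries, start_seq, recovery_seq):
    """Apply entries with start_seq < seq <= recovery_seq onto the SAVE image,
    in order. Everything after the recovery point, rogue or not, is left out."""
    db = dict(save_image)
    for e in entries:
        if e.seq <= start_seq:
            continue                       # already contained in the SAVE
        if e.seq > recovery_seq:
            break                          # stop: recovery point reached
        if e.after is None:
            db.pop(e.key, None)
        else:
            db[e.key] = e.after
    return db


def recover(save_image, save_seq, receivers, expected_names, corruption_ts):
    """The deck's procedure end to end: validate the chain, pick the recovery
    point, replay from the SAVE point, return the database to present."""
    entries = chain_entries(receivers, expected_names)
    recovery_seq = choose_recovery_point(entries, corruption_ts)
    return roll_forward(save_image, entries, save_seq, recovery_seq)


def build_scenario():
    """Constructed data following the deck's example timeline: Sunday 0100
    SAVE, legitimate changes Monday to Thursday, rogue changes from Thursday 1400."""
    corruption_ts = datetime(2024, 6, 13, 14, 0)
    save_image = {"CUST001": "ACME Corp|balance=100",
                  "CUST002": "Globex|balance=250"}      # SAVE taken at seq 100
    rcv1 = Receiver("RCV0101", (
        JournalEntry(101, datetime(2024, 6, 10, 9, 0), "CUST001", "ACME Corp|balance=120"),
        JournalEntry(102, datetime(2024, 6, 11, 10, 30), "CUST003", "Initech|balance=75"),
        JournalEntry(103, datetime(2024, 6, 12, 16, 45), "CUST002", None),
    ))
    rcv2 = Receiver("RCV0102", (
        JournalEntry(104, datetime(2024, 6, 13, 9, 15), "CUST001", "ACME Corp|balance=140"),
        # rogue after-images replicate to the backup LPAR exactly like real ones
        JournalEntry(105, corruption_ts, "CUST001", "<ciphertext>"),
        JournalEntry(106, corruption_ts + timedelta(minutes=1), "CUST003", "<ciphertext>"),
    ))
    return save_image, 100, [rcv1, rcv2], corruption_ts
```

Running recover() on the scenario yields the Thursday 0915 state with the two rogue after-images excluded; passing only RCV0102 raises BrokenChainError, which is the outcome the “retain and replicate receivers” advice prevents.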
Questions
Thank You

Best Practices for Preventing and Recovering from Ransomware
