Ransomware Mitigation in a Couple of Clicks

Ransomware defense starts with detection, but containment is critical. See how Akamai Guardicore Segmentation stops spread, speeds response, and limits damage.

Key takeaways:

We will explore practical, easy-to-implement strategies that enable you to:

  • Drastically reduce your organization’s attack surface with just a few intuitive clicks, setting up a robust defense against potential ransomware attacks. 
  • Respond adeptly to ransomware incidents as they arise in your IT environment, ensuring minimal disruption and maximal security. 
  • Efficiently recover and restore your systems post-attack, implementing measures to prevent future reinfection.

Speakers

Milton Keath, Sr. Solutions Engineer, Guardicore Segmentation

Hello, everyone, and thank you so much for joining us today. My name is Jacob Abrams and I am a product marketer responsible for Akamai Guardicore Segmentation along with our other Zero Trust security solutions. And it's my pleasure to be introducing our webinar today, Ransomware Mitigation in a Couple of Clicks. We know that ransomware isn't going away anytime soon. As we showed in our own State of Segmentation report last year, ransomware attacks have basically doubled over the past two years, and that upward trend doesn't seem to be leveling off. So what can we do? How do these attacks actually unfold? And what's available to us right now that can stop active ransomware attacks and prevent successful ones in the future, while also assisting with recovery? Now, in just a moment, to help us answer those questions, I'm going to turn things over to Milton Keath, our Senior Solutions Engineer for Guardicore Segmentation.

But before I do, I'd like to call out some additional content pieces that have been made available for download through BrightTALK. We have two stories from our customers who have used Guardicore Segmentation to both prevent a potential ransomware attack as well as stop an active one. You can also find a direct link to our website, where you can find even more information about our solution and more customer stories.

And now, without any further ado, take it away, Milton.

Thank you, Jacob. As Jacob said, my name is Milton Keath. I'm one of the senior solutions engineers for the Akamai Guardicore Segmentation product. And as Jacob said, we're going to talk about mitigating ransomware in a couple of clicks. Besides prevention, we will also talk about response and recovery.

So I want to take you through the typical ransomware attack scenario. Usually, step one, the attacker is doing a spear-phishing email attack, or they're looking for vulnerable services, which could be unpatched servers or zero-days. And there's always the brute-force attack that's going on. So there are multiple attack methods they try to get that initial foothold. Then once they're in, they want to start gathering intelligence, so they'll start trying to find those domain credentials, or your service accounts, your root passwords. They're looking for those privileged servers out there, like your domain controllers. Then step three is when they're looking for your backups, because they want to destroy or encrypt every backup you have. The next step after that is they'll download data. In case you're saying, well, we have an immutable backup, we'll restore from that backup, well, they want to find data and they'll say, well, congrats, you restored from backup, pay us this ransom anyway, or we're going to destroy your brand reputation. But it's actually because of those immutable backups that we see the attackers dwelling even longer. They want to find out, do you have an immutable backup? How long is it good for? Is it good for 2 weeks, 2 months? 6 weeks, 6 months? They will try to dwell until they can put a backdoor in every single backup you have. So they keep destroying your environment over and over, or you feel you have no choice but to pay them the ransom.

After they've gathered their intelligence, that's when they start exploiting all your servers. And they can do that in as little as one day. They might use EternalBlue, they can do your golden and silver ticket type of Kerberos attacks. And they're attacking the common protocols, RDP being number one, followed by SMB, RPC, SSH, WMI. Those are the most highly attacked ransomware ports. Once they've infected all your servers, that is when they actually encrypt everything.

So let's show you another way of looking at ransomware without segmentation. Stereotypically, a user clicks on that phishing email and they get that initial malware infection. Then the attacker starts gathering their intelligence. They're looking through your infrastructure, they're moving around, typically unrestricted, around your entire environment. And then they drop the malware, which as a result will infect all your servers and encrypt all your data.

Now, let's look at ransomware with segmentation. So if you have good segmentation boundaries in place, there still may be a point of compromise, but you're going to reduce the blast radius. So again, the user clicks on that phishing email, downloads the malware. The attacker begins to gather their intelligence, but they're restricted. They're not able to talk to, in this case, the financial segment or the C-suite segment of your environment. Now, when they drop the malware, it's limited in its blast radius. So how do we avoid ending up right here, with you receiving that message: everything's encrypted?

So I'm going to go into a live demo here. What you see right now is the Guardicore UI. One of the first things we do is provide visibility to help you understand what's going on in your environment. I'm not going to show you too much of this, but just give you a brief view of it. We can see right here we have a web server, and we can see the two assets in those web servers. And when we click down, we can actually see that it's a Tomcat process, the Java, a lot of Layer 7 contextual information, that's communicating to the database backend, which in this case is a mongod daemon. So we're going to provide you that rich contextual information so you understand what's happening inside your environment.

Well, let's talk about how we prevent it. So I'm going to come over here with a few simple clicks. Inside Guardicore, you see we have these policy wizards. You'll see policies that focus on infrastructure apps. In fact, those are the policies I actually recommend first for my customers. Focus on DHCP, NTP, Active Directory, because those are typical services, especially AD, that if they go down, have a huge impact on your entire environment across multiple business units. So I always recommend locking down those infrastructure services first, and then you can follow up with our ransomware prevention templates, such as this "Prevent lateral movements through Task Scheduler." So if I click on this, just to show you how simple it is to go through one of these wizards, I'm going to choose the Admin Machines. I'm going to pick our jumpboxes and click Next, and what you're going to see right here is that it says the jumpboxes are allowed to communicate to the Task Scheduler process on these specific ports. So that's an initial one.

If we go back, you'll see we have several other ransomware prevention templates, and we have ransomware response templates. But now what I want to show you is: what about endpoints? Those templates focus on the data center. I want to show you a couple of manual ways. It's very simple to create policy. So I'm going to come in here and say create a rule, and I want to first say Allow, and I want to choose my endpoints. So I want to say here are the endpoints, the environment's endpoints. Specifically, I want to say it's only the Help Desk users. I want to choose the management utilities they're allowed to use. In this case, I'm going to pick the Microsoft Terminal Services Client .exe right here, paste that path in and manually add it. Now for the destination, I want to say other endpoints. So what we're saying is endpoint to endpoint, only the Help Desk can use the Microsoft Terminal Services Client in this case, and we'll lock it down to the specific process, which is service host, and the specific port, which is 3389. And I'm going to call this ruleset "endpoint to endpoint" and save that. So first we're allowing only the Help Desk to use the remote administration utilities to talk to other endpoints.

Now I'm going to create another rule right here, but I'm going to create a Block rule. This rule is simply going to say endpoint to endpoint, Deny. We're going to block all traffic, because why are endpoints talking to each other? That's where the vast majority of malware attacks and exploits happen. Not all of them, but the vast majority of them. So simply by having this policy in place, we say the Help Desk can use the remote management utilities to talk to other endpoints, but all of the other communication between endpoints is blocked. Now you could take it a step further and add another rule right here. We'll add another Block rule, and we'll just use a source of Any, and then we'll call out the endpoints as the destination. If we want to, we can call out specific services. Or maybe we want to log the RDP, and maybe you're also running SSH because you have some Linux workstations, and we can log that as a separate item. And maybe, you know what, we don't just want to log it, we want to Block and Alert on those. So you can take it a step further. It's very flexible in how fine-grained or how coarse-grained you want to get with your policies.

Once you have those rules in place, again, you will significantly reduce the risk of not just ransomware but a lot of malware. If you go in there and lock down your infrastructure apps like your Active Directory, you're going to prevent a lot of attacks. But what happens if you say, okay, well Milton, we didn't have policy in place, but we have an incident going on? This actually happened to me. I had a customer call me at 9:30 Central Standard Time. They were East Coast, so it was 10:30 their time. It was a Thursday night, the day before the kickoff, before they were going to production. They said, Milton, we believe we have a server on our DMZ that got exploited and it's trying to attack the rest of our network. Can Guardicore help? So I called our director of professional services. We immediately spun up their environment, and I created a basic policy for them. We'll go through that, a typical quarantine policy, which I already have pre-built here, and I'll talk you through the steps I did.

So the first thing I did was create a label called Quarantine, and I said, destination Any, let's Block it. Let's stop all access to anything that we label Quarantine. We got one of our firewall clients on this suspected compromised host and immediately quarantined it. Then we said, let's Block anything going inbound into Quarantine, because we didn't know what the communication was at the time. So we first contained that incident, with those two rules. Now we had to think about, okay, that's the initial response. How do we get any other device that might have that malware signature inside the Quarantine label? We could go and manually add them, but we actually have a faster way of doing that, and that's through Guardicore Insight, which is based on osquery.

So what we can do right here with Guardicore Insight is write a query looking for that specific malware. And we're running it. This is happening in real time. Built into our firewall client is osquery, so you don't have to set up a separate osquery infrastructure. And if you're not familiar with osquery, it was created in 2012. It's an open source project that basically gives you a SQL query language for your workload, so you can look for files, file hashes, registry settings, sockets and whether they are open or closed. Here we found two devices running that specific malware. We can turn around and now label these as Environment: Quarantine, and they will immediately get the policy that's in place as soon as I apply this label. Now we've contained this, but how do we recover?

Going back over here to the response tab, the next thing I did with that customer, we said, okay, here are your servers, and all servers are allowed to use their antivirus exe to talk to the antivirus domain over 443 to pull down their updates. Once their AV vendor had a signature and the ability to remove that specific malware, they were able to download it and respond to it. Then we're like, okay, now how do we patch that? They obviously exploited some vulnerability. We had to allow patch management to talk inbound to the quarantine. And again, I would recommend allowing the specific executable to the specific process on the server, on those ports, to give it the ability to push. But how do we control those servers? That's where we create another rule that says, from the secure administrative host, allow the incident response team to run, again, whatever management utilities you need, into that quarantine network, to those services on their ports. So here they're allowed to talk to the SSH daemon and service host over SSH and RDP. So that's a quick way of responding and recovering.

Now maybe we see other movements. We have ransomware response templates such as this file share one right here. So maybe we're seeing ransomware that's writing to file shares. We can quickly come in here, specify the file shares, specify the endpoints, and produce this policy very rapidly. We're saying endpoints to the file shares is denied, and it's an override block. It would supersede those other policies that you saw me create. Maybe it's what I call a break-glass moment, where you need to restrict all lateral movement throughout your environment. That's where we have this malware response lateral movement policy. So here what we want to do is add the exception for domain controllers, because we need the domain controllers syncing, and we can add exceptions for jumpboxes if we want to. So I can call those the secure administrative hosts. And what you'll see with this policy is that domain controller to domain controller is able to use the RDP and SMB ports. They're able to do their falsehood, they're able to communicate. But anything else talking to those domain controllers will get blocked. Then we allow access from the secure administrative hosts on SSH and Telnet. Maybe you don't want to allow Telnet; we can come in there and just revoke Telnet. And then we say the secure administrative hosts are allowed access over SSH and Telnet. Again, it's up to you whether you want to use those clear-text protocols or not, but we can revoke them. In this last one, we're stopping access to those well-known exploited protocols: RDP, SMB, RPC, SSH, Windows Remote Management. So this will stop the lateral movement over the most highly attacked ransomware ports. Very quick response.

Now getting back to our slides. So what if you have a SOC already in place? Well, we actually have a ransomware playbook that you can download that'll take you step by step through a procedure similar to what I just demonstrated for you. So it's well documented how to respond to an incident. The next thing is, what if you have a SOC, or maybe you don't have a SOC, but you want to add threat hunting? Akamai has its Hunt service that's built on top of Guardicore Segmentation. So there are no additional agents that you have to deploy out there; we're using our telemetry. Now, the big difference between our threat hunting service and other threat hunting services: yes, we use AI and machine learning, but we actually have human analysts involved. Anytime we detect an event, we investigate with human analysts to make sure it's legitimate. And then we contact you, we're actually going to alert you, and we help you respond to it. So the first thing, as I said, is we're going to collect those unique signals from our telemetry. We're going to automatically analyze them, then we're going to investigate if we see a suspicious event. In the event that we detect an incident, we're going to proactively reach out to you and help you mitigate it. We're not just going to say, oh, your antivirus is detecting something, go respond to it, Mr. Customer. No, we detected it, we know it's malicious, and we're going to help you inspect it. The other thing our threat hunting team does is look for misconfigurations in your environment. Maybe there are old accounts that haven't been logged into that are domain admins in Active Directory, as an example.

So in conclusion, we're showing the ability first to prevent malware and ransomware, how to stop that lateral movement via granular policy. But we can also terminate existing sessions. That's an important difference between Guardicore's firewall and other firewalls: when you put a deny in place on a lot of firewalls out there, any existing sessions still remain even after the deny is in place. With us, when we put a deny in place, we immediately terminate those sessions. That's important for rapid response and recovery. We give you the ability, using Guardicore Insight, to look for that malware so you can rapidly label things and find out the extent of your compromise, and then we can offer you additional coverage with Hunt. Hunt can be complementary to an existing SOC team, or maybe you want that MDR-type functionality but you don't have a SOC. If you can't afford a SOC or MDR but you still want the threat hunting, you can subscribe to the threat hunting service.

So in conclusion, thank you. And back to you, Jacob.

Thank you so much for that, Milton. And thank you, everybody, for joining us today. We really appreciate you tuning in. If you have any more questions, or if you would like more information on how Akamai Guardicore Segmentation can help you prevent, remediate, and recover from ransomware, you can visit our website at www.akamai.com/guardicore. Thank you so much, everybody. Take care.
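The policy model Milton walks through in the demo (Help Desk allowed to RDP endpoint-to-endpoint, everything else endpoint-to-endpoint blocked, a Quarantine label that denies all traffic in and out with narrow exceptions for AV updates, patch push and the incident-response jumpbox), together with the hunt-by-hash-then-label step and the point about tearing down live sessions once a deny lands, as one added example in Python. This is illustration code written for this page, not Guardicore code. The rule precedence (override allow, override block, allow, block, with unmatched flows allowed), all hostnames, labels, executables, ports, the process inventory and the indicator hash are assumptions constructed for the example.

```python
"""Toy label-based segmentation policy with a hunt-then-quarantine step.

Added example for this transcript, not Guardicore code. Hostnames, labels,
process names, ports, hashes and the rule-precedence order are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ANY = "*"


@dataclass(frozen=True)
class Flow:
    src: str             # source host
    dst: str             # destination host
    port: int            # destination port
    src_proc: str = ANY  # client executable on the source (ANY if unknown)
    dst_proc: str = ANY  # listening process on the destination (ANY if unknown)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "block"
    src: str                    # source label, or ANY
    dst: str                    # destination label, or ANY
    port: Optional[int] = None  # None matches every port
    src_proc: str = ANY
    dst_proc: str = ANY
    override: bool = False      # override rules win over ordinary rules


# Assumed precedence: override allow, override block, allow, block.
# A flow that matches no rule is allowed (visibility-only default).
TIERS = [(True, "allow"), (True, "block"), (False, "allow"), (False, "block")]


def matches(rule: Rule, flow: Flow, labels: Dict[str, Set[str]]) -> bool:
    def has(label: str, host: str) -> bool:
        return label == ANY or label in labels.get(host, set())
    return (has(rule.src, flow.src) and has(rule.dst, flow.dst)
            and rule.port in (None, flow.port)
            and rule.src_proc in (ANY, flow.src_proc)
            and rule.dst_proc in (ANY, flow.dst_proc))


def decide(policy: List[Rule], labels: Dict[str, Set[str]], flow: Flow) -> str:
    """First matching rule in precedence order decides; returns 'allow' or 'block'."""
    for override, action in TIERS:
        for rule in policy:
            if rule.override == override and rule.action == action and matches(rule, flow, labels):
                return action
    return "allow"


POLICY = [
    # Endpoint to endpoint: only Help Desk, only mstsc.exe -> svchost.exe:3389; all else blocked.
    Rule("allow", "HelpDesk", "Endpoint", 3389, "mstsc.exe", "svchost.exe"),
    Rule("block", "Endpoint", "Endpoint"),
    # Quarantine: nothing in or out ...
    Rule("block", "Quarantine", ANY, override=True),
    Rule("block", ANY, "Quarantine", override=True),
    # ... except the recovery paths: AV signature pull, patch push, incident-response jumpbox.
    Rule("allow", "Quarantine", "AVUpdate", 443, "av.exe", override=True),
    Rule("allow", "PatchMgmt", "Quarantine", 8443, dst_proc="patchagent.exe", override=True),
    Rule("allow", "SecureAdminHost", "Quarantine", 3389, dst_proc="svchost.exe", override=True),
    Rule("allow", "SecureAdminHost", "Quarantine", 22, dst_proc="sshd", override=True),
]

LABELS = {  # constructed asset-to-label map
    "ws-hd01": {"Endpoint", "HelpDesk"}, "ws-fin07": {"Endpoint"}, "ws-fin12": {"Endpoint"},
    "dmz-web01": {"Server", "DMZ"}, "jump01": {"SecureAdminHost"},
    "patch01": {"PatchMgmt"}, "av-cdn": {"AVUpdate"},
}

BAD_HASH = "deadbeef" * 8  # constructed placeholder for the malware's SHA-256

# Constructed per-host (path, sha256) rows standing in for an osquery result set such as
# SELECT p.path, h.sha256 FROM processes p JOIN hash h ON h.path = p.path;
INVENTORY = {
    "ws-hd01": [("C:\\Windows\\System32\\svchost.exe", "1a" * 32)],
    "ws-fin07": [("C:\\Windows\\System32\\svchost.exe", "1a" * 32),
                 ("C:\\Users\\Public\\upd.exe", BAD_HASH)],
    "ws-fin12": [("C:\\Windows\\System32\\svchost.exe", "1a" * 32)],
    "dmz-web01": [("/usr/bin/java", "2b" * 32), ("/tmp/.x/upd", BAD_HASH)],
}


def hunt_by_hash(inventory, sha256: str) -> List[str]:
    """Hosts with a running binary whose SHA-256 equals the indicator."""
    return sorted(h for h, rows in inventory.items() if any(d == sha256 for _, d in rows))


def quarantine(labels, hosts) -> Dict[str, Set[str]]:
    """Copy of the label map with Quarantine added to the given hosts (original untouched)."""
    out = {h: set(l) for h, l in labels.items()}
    for h in hosts:
        out.setdefault(h, set()).add("Quarantine")
    return out


def sessions_to_terminate(policy, labels, sessions) -> List[Flow]:
    """Established sessions the current policy now blocks; a deny must tear these down too."""
    return [s for s in sessions if decide(policy, labels, s) == "block"]


if __name__ == "__main__":
    live = [Flow("ws-hd01", "ws-fin07", 3389, "mstsc.exe", "svchost.exe"),  # Help Desk RDP
            Flow("dmz-web01", "ws-fin12", 445),                              # DMZ host probing SMB
            Flow("ws-fin07", "av-cdn", 443, "av.exe")]                       # AV update pull
    hits = hunt_by_hash(INVENTORY, BAD_HASH)
    after = quarantine(LABELS, hits)
    print("hosts running the indicator:", hits)
    for s in live:
        print(s.src, "->", s.dst, s.port, "before:", decide(POLICY, LABELS, s),
              "after:", decide(POLICY, after, s))
    print("terminate:", [(s.src, s.dst, s.port) for s in sessions_to_terminate(POLICY, after, live)])
```

Two things the run makes visible that the demo only states: the Help Desk's otherwise-allowed RDP session to ws-fin07 flips to block the moment that host carries the Quarantine label, because the override block outranks the ordinary allow, and the AV pull from the quarantined host survives only because its exception is pinned to av.exe on 443; the same destination from any other executable is blocked.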