[Owasp-egypt] Ransomware

Hassan Mourad hassan.mourad at owasp.org
Fri Jul 1 08:31:44 UTC 2016


I guess we can script something to kill the offending process whenever the
honey token is hit.

For lateral movement, I think I saw one ransomware that had some worm-like
behavior using USB sticks.
On Jun 30, 2016 12:29 PM, "Saafan, A." <a.m.saafan at gmail.com> wrote:

> I find it useful to protect against exfiltration / targeted type attacks.
> Not sure about ransomware. I am thinking by the time responders are to act
> based on the alert, a big part of the damage would have already been done.
> Maybe in a more mature environment where the incident response is very
> quick.
>
> Do you know of a ransomware that goes for lateral movement using tokens?
>
>
>
> --
> Saafan
>
> On Thu, Jun 30, 2016 at 12:19 PM, Hassan Mourad <hassan.mourad at owasp.org>
> wrote:
>
>> And what do you think about using honey tokens for early detection?
>> On Jun 30, 2016 10:24 AM, "Saafan, A." <a.m.saafan at gmail.com> wrote:
>>
>>> Some measures I found helpful:
>>>
>>>    - Prevent files from running from %temp% and %appdata% using group
>>>    policy
>>>    - Block office macros on all users with a very tight exception
>>>    process
>>>    - Prevent cmd and powershell for normal users
>>>    - Administrative users to use a non-administrative account for daily
>>>    interactions (office, web, etc.) and use a separate account for their
>>>    administrative actions (preferably via a staging server).
>>>
>>>
>>>
>>>
>>> --
>>> Saafan
>>>
>>> On Thu, Jun 30, 2016 at 9:37 AM, Hassan Mourad <hassan.mourad at owasp.org>
>>> wrote:
>>>
>>>> I came across this comprehensive list of ransomware and thought I'd
>>>> share it with you:
>>>>
>>>>
>>>> https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#
>>>>
>>>> Not AppSec, but definitely a nightmare for everyone in the security
>>>> field.
>>>>
>>>> What do you think is the best defense against ransomware?
>>>>
>>>> Hassan
>>>>
>>>>
>>>
>
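
One way to script the honey-token response suggested at the top of this message, as an added example that is not part of the original thread. It assumes file-access auditing is enabled on the decoy files so that Security event 4663 records (fields ObjectName, ProcessId, ProcessName, AccessMask) are available; the paths, PIDs, process names and allowlist below are constructed.

```python
import ntpath

# Access-mask bits that mean a file was modified or removed.
WRITE_DATA, APPEND_DATA, DELETE = 0x2, 0x4, 0x10000
DESTRUCTIVE = WRITE_DATA | APPEND_DATA | DELETE

def norm(path):
    """Windows paths are case-insensitive, so normalise before comparing."""
    return ntpath.normcase(ntpath.normpath(path))

def offenders(events, honey_tokens, allowlist=()):
    """Return {pid: process_name} for processes that wrote to or deleted a token.

    events: dicts with the ObjectName, ProcessId, ProcessName and AccessMask
    fields of a file-access audit record (Security event 4663).
    """
    tokens = {norm(p) for p in honey_tokens}
    allowed = {norm(p) for p in allowlist}
    hits = {}
    for ev in events:
        if norm(ev["ObjectName"]) not in tokens:
            continue
        if not int(ev["AccessMask"], 16) & DESTRUCTIVE:
            continue  # read-only touch: indexers and AV scanners do this
        if norm(ev["ProcessName"]) in allowed:
            continue  # known software that legitimately rewrites user files
        hits[int(ev["ProcessId"], 16)] = ev["ProcessName"]
    return hits

def kill_command(pid):
    """Command a responder script would run; /T also ends child processes."""
    return ["taskkill", "/PID", str(pid), "/T", "/F"]

def _ev(obj, pid, proc, mask):
    return {"ObjectName": obj, "ProcessId": pid, "ProcessName": proc, "AccessMask": mask}

# Constructed sample data (not real logs).
HONEY_TOKENS = [r"C:\Users\alice\Documents\passwords.docx"]
ALLOWLIST = [r"C:\Program Files\SyncAgent\sync.exe"]
DROPPER = r"C:\Users\alice\AppData\Local\Temp\invoice.exe"
SAMPLE_EVENTS = [
    _ev(HONEY_TOKENS[0], "0x4d0", r"C:\Windows\explorer.exe", "0x1"),
    _ev(HONEY_TOKENS[0], "0x8fc", ALLOWLIST[0], "0x2"),
    _ev(r"c:\users\alice\documents\PASSWORDS.DOCX", "0x1a2c", DROPPER, "0x10000"),
    _ev(r"C:\Users\alice\Documents\notes.txt", "0x1a2c", DROPPER, "0x2"),
]
```

The read-only and allowlist checks matter because an automatic kill on every token access would also terminate indexers, scanners and sync tools.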