Microsoft could fix ransomware by rate limiting CreateFile(), the API that’s used to open files. Opening files is a crucial step to encrypting or exfiltrating the data, and very few apps need to open a lot of files at once.

I’ve heard that Microsoft's reason for not fixing it is … because user experience shouldn’t change because of Windows Update… https://wandering.shop/@xgranade/112498285644883431

Xandra Granade 🏳️‍⚧️ (@[email protected])

I remember when Windows 10 mail was local only, before a Windows Update made it cloud-only. I remember Edge didn't have built-in ads, before an update put ads everywhere. I remember when the My Documents folder was local-only by default, until a new version of OneDrive pushed it all to the cloud by default. History suggests that this kind of product is too often a wedge to justify more abuse of personal information in the future.

@adamshostack @xgranade I'm guessing it would break git, npm, compression tools and compilers.
Not a patient audience
@adamshostack @xgranade As I read this, a large rsync is running to back up my photo archive—and there are a lot of files to back up, because the latest Lightroom upgrade apparently touched O(ℵ₀) files: “new catalog format”…
@SteveBellovin @xgranade Lightroom’s already insufferably slow 😇
@adamshostack @xgranade The rsync is mine, not Lightroom’s…
@SteveBellovin @adamshostack @xgranade One of the many reasons I run Capture One.
@afx @adamshostack @xgranade Last time I looked, Capture One didn't support some features I rely on, such as merging a GPS track with the .DNG files. I should check it out again, though.
@SteveBellovin @adamshostack @xgranade For me that would be a job for exiftool.
@afx @adamshostack @xgranade That might work, though I'd have to write a script that would parse the .gpx file, match the timestamps against the photo capture times, modify the files, etc. I seem to recall a few other missing features as well. But as I said, I do need to take another look at it.

@afx @SteveBellovin @xgranade Does Capture One still demand to run anti-piracy stuff as root?

(Yes, Lightroom does that, and you can disable it all, and LR still runs. Capture threw a fit and exited, if I remember right.)

@adamshostack @SteveBellovin @xgranade No idea?
At least I see no C1 service in the services list on my box.
@adamshostack AFAIK it was tried with AV software doing that and the side effects were unexpectedly heavy.
@masek That would be why you build it into the OS, not a third-party add-on.

@adamshostack @xgranade or at the very least, monitor the use of it and block abusers.

In 2015 my company suffered a ransomware attack, a low-complexity one: the management PA also managed the info@ address, opened an infected Word file and left for lunch. By the time my team located the laptop and isolated it, it had infected 400k files in the shares she had access to. 1/2

@adamshostack @xgranade We had good recovery, so not too bad, but then I met all the vendors I could find and asked them: this is a very specific behavior, one laptop opening thousands of files per second over the network on the file server; you should be able to detect and block that. What do you have?

None had a solution. Even Cisco, despite their having acquired Snort.

@WowSuchCyber @adamshostack @xgranade Shouldn't that be a trivial rule in Splunk or any other decent log analysis tool? Either by monitoring the file server or the client.
@afx @WowSuchCyber @xgranade What’s “trivial”? (1/3)

@afx @WowSuchCyber @xgranade If it’s so obvious why does every Splunk user need to reinvent it? (2/3)

[edit I should have said snort not splunk]

@afx @WowSuchCyber @xgranade Lastly, can you give me your GitHub of trivial rules that everyone should be using? 😀 More seriously it’s easy to declare things obvious in hindsight (3/3)

@afx @WowSuchCyber @xgranade Lastly, Splunk is a network IDS, not a log analysis tool. I don’t think it does volume very well. If it did, a Cisco sales eng should have whipped it up on the spot. (4/3, doubling down on “what’s trivial” 😀🤷)

[edit: I meant to say snort]

@adamshostack @WowSuchCyber @xgranade Are you mixing up Splunk with Snort?
@afx @WowSuchCyber @xgranade I totally am. I blame a lack of coffee and Covid. Probably in that order
@afx @WowSuchCyber @xgranade I think it should be an easy rule in the Splunk log analysis tool, which is not the snort ids that Cisco owns. But also I don’t know Splunk rules and so have no idea how to express “lots” in them.
@adamshostack @WowSuchCyber @xgranade Can't whip it up right now, I am on vacation, no Splunk to play with. But in general it is not hard to set up a rule that says: if event X occurs more than Y times in a given time window on host Z, raise an alert. Of course, that requires getting the right events into it first.
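The "event X more than Y times in a window on host Z" rule above, written out as a sliding-window detector in Python. This is an added example, not code from anyone in the thread; the event tuples, host names, share paths and the threshold of 100 opens in 2 seconds are constructed for illustration and would need tuning against real file-server audit volume.

```python
"""Per-host burst detector for file-open events (added example).

Each event is (timestamp_ms, host, user, action, path). The sample below is
constructed: one user touches a couple of spreadsheets, while one laptop
sweeps a share at ~100 opens per second, the pattern described upthread.
"""
from collections import defaultdict, deque

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    (0, "pc-alice", "alice", "open", r"\\fs01\finance\q1.xlsx"),
    (2000, "pc-alice", "alice", "open", r"\\fs01\finance\q2.xlsx"),
] + [
    (10000 + i * 10, "pc-pa", "pa", "open", rf"\\fs01\shared\doc{i}.docx")
    for i in range(500)
]


def detect_burst(events, threshold=100, window_ms=2000):
    """Return alerts as (host, user, trip_time_ms, opens_in_window).

    Keeps one deque of timestamps per host, drops entries older than the
    window, and trips the first time the count exceeds `threshold`. One
    alert per host, so a sustained sweep does not flood the SOC queue.
    """
    windows = defaultdict(deque)   # host -> timestamps inside the window
    alerted = set()
    alerts = []
    for ts, host, user, action, _path in sorted(events, key=lambda e: e[0]):
        if action != "open":
            continue
        q = windows[host]
        q.append(ts)
        while q and ts - q[0] > window_ms:
            q.popleft()
        if len(q) > threshold and host not in alerted:
            alerted.add(host)
            alerts.append((host, user, ts, len(q)))
    return alerts


if __name__ == "__main__":
    for host, user, ts, n in detect_burst(SAMPLE_EVENTS):
        print(f"ALERT host={host} user={user} t={ts}ms opens_in_window={n}")
```

The same logic is what a SIEM correlation search expresses as "count by host over a time span"; the endpoint-side version would key on process rather than host, which is where the later comments about correlating on the endpoint come in. The threshold is the hard part in practice: backup jobs, compilers and package managers legitimately open thousands of files, so those accounts or processes need an allowlist or a separate baseline.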
@afx @WowSuchCyber @xgranade Yes, just to play devil's advocate: "You want to log every file open and pay us for it? OK!"
@adamshostack @WowSuchCyber @xgranade Yup, that is the pain with Splunk. I am still hoping for an equally capable tool with a more civilised price structure. (The mother ship could theoretically easily buy an unlimited corporate license, but there are politics in the way)

@adamshostack @afx @WowSuchCyber @xgranade ding!

In order to make such a rule cost effective, you need correlation to happen on the endpoint. Which requires a specialized endpoint security solution.

OR

You take the idea of (I forget the name of the security product) dropping some honey files and only take action when those are touched. Much lower volume to ship up to your centralized logging solution, but it also means actually understanding logging well enough to know how to set up and send up those logs.

@TindrasGrove @afx @WowSuchCyber @xgranade Thinkst? (cc @haroonmeer hey could you do this to alert on ransomware?)
@adamshostack @afx @WowSuchCyber @xgranade @haroonmeer it wasn’t Thinkst, but I expect you could use them to set up such a rule.
@adamshostack @TindrasGrove @WowSuchCyber @xgranade @haroonmeer The problem with canaries is, they need to sit in the path that the adversary touches. But that should be easy in big file shares, much more of a pain if you have many dedicated shares.

@afx @adamshostack @WowSuchCyber @xgranade @haroonmeer you are correct - the better you scatter canaries around, the faster detection will be.

Bonus points for seeing if the common ransomwares have logic about how they crawl a directory, so you can make sure they’re in some of the earlier-touched locations, instead of just “well, the ransomware will get here *eventually*” locations.

@TindrasGrove @adamshostack @WowSuchCyber @xgranade And this is where I think any modern EDR/XDR should do this in the endpoint.
@TindrasGrove @adamshostack @afx @xgranade That's what we did. Enable advanced file monitoring services (I think that's what it was called at the time) and monitor specific files we put in two shares, one named aaaa and the other zzzz, for the sole purpose of detecting scanning, with a trigger that locked the user of the file handle.

@adamshostack @afx @WowSuchCyber @xgranade It's easy to write a suitable rule in Splunk if you're collecting logs of file access/modification on shares.

However, if you have the storage to handle events for all the file accesses on your network shares day in, day out, you are one lucky SOC.

@adamshostack @WowSuchCyber @xgranade Valid excuse, I use that often myself.
@adamshostack @WowSuchCyber @xgranade I am seriously wondering why security vendors do not have that by default. Maybe I am naive, but I do not see a hard problem in looking for file opens per machine and alerting at a certain frequency.
@afx @WowSuchCyber @xgranade If your tool is focused on single events at high speed (Snort), then it's potentially a big change to add data structures that list "if it happens twice." ("Who cares about 2 buffer overflows on the same target?") But that's Snort, not Splunk, where it "should" be easy.
@adamshostack @WowSuchCyber @xgranade You need a correlation layer above Snort, methinks. Unfortunately I don't have access to network data in my environment for something like this. I have to stick to OS and application logs.