Aigerim Issabayeva, Consulting Systems Engineer
30th September 2016
Ransomware Defense
© 2015 Cisco and/or its affiliates. All rights reserved.
Video – Ransomware: anatomy of an attack: https://www.youtube.com/watch?v=4gR562GW7TI
Ransomware Problem
1. Ransomware gains access to systems through web, email, servers…
2. Ransomware takes control of those systems and holds the data on them ‘hostage’ until the owner/company agrees to pay the ‘ransom’ (bitcoins) to free the system.
Affected sectors: • Education • Hospitals • Public safety • Financial banking • Retail
Effect: This can be catastrophic to businesses for a period of time
Problem: Customers can be taken hostage by malware that locks up critical resources – Ransomware
Ransomware: Easy Profits
• Most profitable malware in history
• Lucrative: direct payment to attackers!
• Cyber-criminals collected $209 million in the first three months of 2016
• At that rate, ransomware is on pace to be a $1 billion a year crime this year
• Let’s take an example: looking only at the Angler exploit kit delivering ransomware, that is $60 million a year in profits
The Evolution of Ransomware Variants
The confluence of easy and effective encryption, the popularity of exploit kits and phishing, and a willingness for victims to pay have caused an explosion of ransomware variants.
[Timeline figure with year marks 1989, 2001, 2005, 2006, 2007, 2008 and 2012 to 2016. Milestones: PC Cyborg (1989), GPCoder, CRYZIP, Redplus, Fake Antivirus, QiaoZhaz, first commercial Android phone, Bitcoin network launched, Reveton, Ransomlock. Variants named, in the figure’s roughly chronological order: Dirty Decrypt, Cryptorbit, Cryptographic Locker, Urausy, Cryptolocker, CryptoDefense, Koler, Kovter, Simplelock, Cokri, CTB-Locker, TorrentLocker, Virlock, CoinVault, Svpeng, TeslaCrypt, Lockdroid, Tox, Cryptvault, DMALock, Chimera, Hidden Tear, Lockscreen, Teslacrypt 2.0, Cryptowall, SamSam, Locky, Cerber, Radamant, Hydracrypt, Rokku, Jigsaw, Powerware, 73V3N, KeRanger, Petya, Teslacrypt 3.0, 4.0 and 4.1.]
Typical Ransomware Infection
Problem: Customers can be taken hostage by malware that locks up critical resources
Stages: Infection Vector → C2 Comms & Asymmetric Key Exchange → Encryption of Files → Request of Ransom
• Infection vector: ransomware frequently uses web and email
• Ransomware takes control of targeted systems
• Ransomware holds those systems ‘hostage’
• Owner/company agrees to pay the ‘ransom’ (bitcoins) to free the system
Most Ransomware Relies on C2 Callbacks
The slide tabulates, per variant, the channel used to reach the encryption-key (C2) infrastructure (columns DNS / IP / No C2 / TOR) and the payment message channel. Entries as shown; ‘(TOR)’ marks the variants the slide also ticks in the TOR column.

Variant*        Encryption key C2 / payment message
Locky           DNS
SamSam          DNS (TOR)
TeslaCrypt      DNS
CryptoWall      DNS
TorrentLocker   DNS
PadCrypt        DNS (TOR)
CTB-Locker      DNS
FAKBEN          DNS (TOR)
PayCrypt        DNS
KeRanger        DNS

*Top variants as of March 2016

Every variant in the list has to resolve a domain before it can fetch or register its encryption key, so blocking that lookup at the DNS layer stops the infection before files are encrypted. A variant that ships with an embedded key and needs no callback (the ‘No C2’ column) is not stopped this way and has to be caught at the endpoint or recovered from backup.
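The decision that the DNS-layer control makes, as an added example written for this page (it is not Cisco Umbrella code): a resolver log is scanned for lookups that hit a known encryption-key/C2 domain, and for the burst of NXDOMAIN answers to random-looking names that a variant cycling through a domain-generation algorithm produces. The log lines, the client addresses, the domains in the blocklist and the thresholds are all constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log lines: "<timestamp> <client_ip> <qname> <rcode>".
# Hosts, names and answers are made up for this example.
DNS_LOG = """\
2016-09-30T09:01:02Z 10.1.1.23 www.example.com NOERROR
2016-09-30T09:01:05Z 10.1.1.23 mail.example.com NOERROR
2016-09-30T09:02:11Z 10.1.1.45 update.vendor.example NOERROR
2016-09-30T09:02:14Z 10.1.1.45 c2.bad.example NOERROR
2016-09-30T09:02:15Z 10.1.1.45 xkqpwvhlzdrt.biz NXDOMAIN
2016-09-30T09:02:16Z 10.1.1.45 gthrlvpqxwcn.org NXDOMAIN
2016-09-30T09:02:17Z 10.1.1.45 mzvqkwrplhts.net NXDOMAIN
2016-09-30T09:02:18Z 10.1.1.45 bvwlhqzpkrtx.info NOERROR
2016-09-30T09:03:01Z 10.1.1.77 qwplxzvkhtrm.com NXDOMAIN
2016-09-30T09:03:02Z 10.1.1.77 hzvtkrpqmwlx.com NXDOMAIN
2016-09-30T09:03:03Z 10.1.1.77 lpkzqwhrvtmx.com NXDOMAIN
"""

# Constructed blocklist standing in for a threat-intelligence feed
# (hypothetical domains, not real C2).
C2_BLOCKLIST = {"c2.bad.example", "bvwlhqzpkrtx.info"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for a single repeated character)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_label(qname):
    """Second-level label, e.g. 'xkqpwvhlzdrt' for 'xkqpwvhlzdrt.biz'."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_dga(qname, min_len=10, min_entropy=3.3):
    """Long, high-entropy second-level label. On its own this is noisy
    (CDN and cloud hostnames look similar), so analyze() only acts on it
    together with a run of NXDOMAIN answers."""
    label = registered_label(qname)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def analyze(log_text, blocklist=C2_BLOCKLIST, nx_threshold=3):
    """Return {client_ip: (action, evidence)}.

    block+isolate: the client resolved a known encryption-key/C2 domain,
                   so the key exchange is under way; sinkhole the answer
                   and pull the host off the network before encryption.
    investigate:   NXDOMAIN burst for DGA-like names with no list hit
                   (a variant cycling candidates, or a gap in the feed).
    allow:         nothing of interest.
    """
    per_client = defaultdict(lambda: {"blocked": [], "dga_like": [], "nxdomain": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, qname, rcode = m.groups()
        rec = per_client[client]
        if qname in blocklist:
            rec["blocked"].append(qname)
        if looks_dga(qname):
            rec["dga_like"].append(qname)
            if rcode == "NXDOMAIN":
                rec["nxdomain"] += 1
    verdicts = {}
    for client, rec in per_client.items():
        if rec["blocked"]:
            action = "block+isolate"
        elif rec["nxdomain"] >= nx_threshold:
            action = "investigate"
        else:
            action = "allow"
        verdicts[client] = (action, rec)
    return verdicts


if __name__ == "__main__":
    for client, (action, rec) in sorted(analyze(DNS_LOG).items()):
        print(f"{client:<12} {action:<14} blocked={rec['blocked']} nxdomain={rec['nxdomain']}")
```

The blocklist hit is the only signal strong enough to act on automatically; the entropy heuristic is deliberately gated behind an NXDOMAIN run because long random-looking labels are common in legitimate CDN traffic, and even then the verdict is only ‘investigate’.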
Ransomware Defense Overview
Cisco Ransomware Defense Solution: a solution to prevent, detect and contain ransomware attacks
Cisco Ransomware Defense Solution is not a silver bullet, and not a guarantee. It does help to:
• Prevent ransomware from getting into the network where possible
• Stop it at the systems before it gains command and control
• Detect when it is present in the network
• Work to contain it from expanding to additional systems and network areas
• Perform incident response to fix the vulnerabilities and areas that were attacked
This solution helps to keep business operations running with less fear of being taken hostage and losing control of critical systems.
How Ransomware Works – Most Variants Require All 5 Steps
[Diagram with two infection paths that converge on the same outcome.]
Email-based infection: email with malicious attachment → ransomware payload → encryption key C2 infrastructure → files inaccessible
Web-based infection: user clicks a link or malvertising → malicious infrastructure → ransomware payload → encryption key C2 infrastructure → files inaccessible
Cisco Ransomware Defense – the same steps, with the control that breaks each
• Infection (link/malvertising or phishing email): Umbrella blocks the request, OR the NGFW blocks the connection; Email Security with AMP blocks the phishing email
• Payload: AMP for Endpoints blocks the file
• Callback: Umbrella blocks the request to the encryption key infrastructure, OR the NGFW blocks the connection
Components: Umbrella, Next-Gen Firewall, AMP for Endpoints, Email Security with AMP
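What ‘Email Security blocks the phishing email’ amounts to at the content-filter level, as an added example for this page (not Cisco ESA/CES code): the message is parsed with the Python standard library, each attachment is decoded, and a verdict is derived from the delivery patterns the slides describe, a script behind a double extension (block) and a macro-enabled Office document (hand to a sandbox, since a name alone cannot tell a clean .docm from a downloader). The message, its addresses and its attachments are constructed for the example; the extension sets are the author’s, not a product’s.

```python
import email
from email import policy

# Constructed message: a macro-enabled Office document plus a script
# hidden behind a double extension. Addresses and domains are made up.
RAW_EMAIL = b"""\
From: vendor@vendor.example
To: manager@corp.example
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice_4471.docm"
Content-Disposition: attachment; filename="invoice_4471.docm"
Content-Transfer-Encoding: base64

UEsDBBQA
--b1
Content-Type: application/octet-stream; name="invoice.pdf.js"
Content-Disposition: attachment; filename="invoice.pdf.js"
Content-Transfer-Encoding: base64

dmFyIHg9MTs=
--b1--
"""

# Extensions that run directly when double-clicked: block outright.
DIRECT_EXEC = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
               ".ps1", ".bat", ".cmd", ".com", ".pif"}
# Macro-capable OOXML containers: cannot be judged by name, detonate in a sandbox.
MACRO_OOXML = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Archives: extract and re-run this triage on each member.
ARCHIVES = {".zip", ".rar", ".7z", ".gz", ".cab"}
ZIP_MAGIC = b"PK\x03\x04"


def attachment_verdict(filename, payload):
    """Return (verdict, reason) for one decoded attachment."""
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in DIRECT_EXEC:
        reason = "script/executable attachment"
        if len(parts) > 2:
            reason += " behind a double extension"
        return "block", reason
    if ext in MACRO_OOXML:
        # A .docm is a zip container; anything else with that name is lying.
        if not payload.startswith(ZIP_MAGIC):
            return "block", "claims to be an Office document but is not an OOXML container"
        return "sandbox", "macro-enabled Office document: detonate before delivery"
    if ext in ARCHIVES:
        return "sandbox", "archive: extract and triage members"
    return "allow", "no delivery-pattern match"


def triage(raw):
    """Parse a raw RFC 822 message and judge every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        verdict, reason = attachment_verdict(name, payload)
        results.append((name, verdict, reason))
    return results


def message_verdict(raw):
    """Worst attachment verdict wins; a message with no attachments is allowed."""
    rank = {"allow": 0, "sandbox": 1, "block": 2}
    return max((v for _, v, _ in triage(raw)), key=rank.__getitem__, default="allow")


if __name__ == "__main__":
    for name, verdict, reason in triage(RAW_EMAIL):
        print(f"{verdict:<8} {name:<20} {reason}")
    print("message:", message_verdict(RAW_EMAIL))
```

Name and magic-byte checks are the cheap first gate only: a renamed payload, a macro document inside a password-protected archive, or a link to the payload instead of an attachment all pass them, which is why the slides pair the mail gateway with AMP file reputation and Threat Grid detonation rather than relying on it alone.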
Detect and Contain in Network – Talos Security Intelligence
[Diagram: Cisco Ransomware Defense containment loop.]
• StealthWatch detects and alerts
• AMP Threat Grid analyzes the threat
• NGFW blocks the connection
• NGIPS deploys the patch
• ISE pushes the containment policy; TrustSec deploys dynamic containment
• AMP for Endpoints protects the system
Outcome: ransomware contained, clean system
What to Do
Plan for the worst: have an effective disaster recovery plan and back up frequently. Keep at least one copy offline or otherwise unreachable from the hosts it protects and test restores; a backup share the ransomware can reach is encrypted along with everything else. Prevent when possible.
1. 30 days – quick protection: deploy Umbrella and AMP for Endpoints (prevent when possible); add AMP to Email Security (CES or ESA)
2. 60 days – deploy AMP Threat Grid and NGFW/NGIPS with the Firepower 4100 series; engage Cisco Incident Response Services to better prepare
3. 90–180 days – detect and contain in the network infrastructure (security-driven network refresh)
Breaking the Ransomware Kill Chain
End-to-End “Kill Chain” Defense Infrastructure
[Diagram: kill-chain stages RECON, STAGE, LAUNCH, EXPLOIT, INSTALL, CALLBACK and PERSIST across the top, grouped under TARGET, BREACH and COMPROMISE; rows for ATTACKER, INFRASTRUCTURE USED BY ATTACKER and FILES/PAYLOADS USED BY ATTACKER. Controls placed on the stages: DNS-Layer Security, Web Security, Email Security, NGIPS, NGFW, Host Anti-Malware, Network Anti-Malware, Flow Analytics, Threat Intelligence, File Trajectory.]
End-to-End “Kill Chain” Defense Infrastructure – Cisco products on the same map
[Diagram: the same stages (RECON, STAGE, LAUNCH, EXPLOIT, INSTALL, CALLBACK, PERSIST) and rows (ATTACKER, INFRASTRUCTURE USED BY ATTACKER, FILES/PAYLOADS USED BY ATTACKER), with products placed on them in three groups.]
Cloud Defense – Quick Win!
• Umbrella, on/off-net, OpenDNS intel
• Umbrella, on/off-net, all ports, DNS & IP layer
• OpenDNS Investigate: Internet-wide visibility
WEB Defense
• FTD, WSA/ESA, on-net, TALOS intel
• CES/ESA + AMP, off-net, TALOS intel
• CWS/WSA, off-net, proxy all
• CWS/WSA & CTA, ports 80/443, on/off-net, proxy all
Rapid Defense – Protect Me, Once They’re In!
• AMP + TG (for endpoint), on/off-net
• FTD & AMP (for network), on-net
• AMP + TG (for content), on/off-net
• FTD, on-net, all ports, IP layer
• FTD, ISE + TrustSec, on-net: prevent nmap
• FTD, ISE + TrustSec & Stealthwatch, on-net: segmentation & netflow
• TALOS: research only
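The ‘segmentation & netflow’ and ‘prevent nmap’ entries above describe a flow-analytics detection feeding a containment policy. The script below is an added example of that logic (it is not Stealthwatch or ISE code): NetFlow-style records are reduced to one question, which internal host reached an unusual number of distinct internal peers on lateral-movement ports inside a short window, and each hit is mapped to the quarantine tag a NAC would push. Flow records, addresses, ports and thresholds are constructed for the example.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Ports that lateral movement and the "nmap" phase of the kill chain touch.
LATERAL_PORTS = {22, 135, 139, 445, 3389}
EPOCH_0900 = 1475226000  # 2016-09-30T09:00:00Z


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def constructed_flows():
    """NetFlow-style records (start_epoch, src, dst, dst_port, proto, bytes).

    Everything here is made up: 10.1.1.23 is a normal user talking to two file
    servers, 10.1.1.45 sweeps 40 hosts on 445 in 40 seconds with tiny flows.
    """
    flows = []
    for i in range(20):
        flows.append((EPOCH_0900 + 30 * i, "10.1.1.23", "10.1.5.5", 445, "tcp", 48000))
    for i in range(5):
        flows.append((EPOCH_0900 + 100 * i, "10.1.1.23", "10.1.5.6", 445, "tcp", 12000))
    flows.append((EPOCH_0900 + 5, "10.1.1.23", "203.0.113.10", 443, "tcp", 90000))
    for i in range(40):
        flows.append((EPOCH_0900 + 120 + i, "10.1.1.45", f"10.1.2.{i + 1}", 445, "tcp", 64))
    return flows


FLOWS = constructed_flows()


def detect_fanout(flows, window=60, min_peers=10, ports=LATERAL_PORTS):
    """Sources that reach >= min_peers distinct internal hosts on lateral-movement
    ports within `window` seconds. Returns {src: evidence}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _proto, _nbytes in flows:
        if dport in ports and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window so it spans at most `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= min_peers:
                alerts[src] = {"peers": len(peers),
                               "first": events[start][0], "last": events[end][0]}
                break
    return alerts


def containment_policy(alerts, allowlist=frozenset()):
    """What the NAC would push for each alerting host: a quarantine tag.
    Known scanners and management servers go on the allowlist so that a
    scheduled vulnerability scan does not quarantine itself."""
    return {src: "Quarantine" for src in alerts if src not in allowlist}


if __name__ == "__main__":
    found = detect_fanout(FLOWS)
    for src, ev in found.items():
        print(f"{src}: {ev['peers']} internal peers in {ev['last'] - ev['first']}s")
    print(containment_policy(found))
```

The detection deliberately counts distinct peers rather than bytes or flow count, because a busy user hitting one file server thousands of times is normal while a workstation touching ten different hosts on 445 inside a minute is not; the allowlist is what keeps the same rule from quarantining the vulnerability scanner or the patch server.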
How You Get Infected
• Salesmen researching new products → secure outbound web access
• Manager opening e-mail from vendor → secure mail
• Employee accessing files on server → secure file access
Without a Defense In Depth strategy you have the problems we see today
[Network diagram: corporate device on the access layer, distribution and core switches, local services off the core, and a router, Firepower appliance and web proxy at the Internet edge. Web browsing flow: webpage retrieval requested, ransomware downloaded.]
Defense In Depth – Best Threat Surface Coverage Possible
[Same network diagram, now with Web Security at the edge and cloud services attached: DNS-layer security (Umbrella), policy (AMP4E), malware sandbox (Threat Grid) and threat intelligence (Talos). The diagram marks the DNS lookup, the ransomware download and the command & control connection as the points where these controls apply.]
Services for Ransomware Defense
Cisco Security Services to address Ransomware
[Matrix: columns Advisory, Consulting, Engineering, Operations; rows Before and During/After.]
Before:
• Diagnose and demonstrate security weaknesses and vulnerabilities and provide recommendations
• Review people, process and technology to identify exposed areas that may lead to a data breach
• Assess incident response readiness
• Design and deployment services for new technologies and products
During/After:
• Perform incident response and identify the “root cause” of the attack
• Respond with expert resources to quickly and effectively mitigate security incidents
• Increase efficiency and efficacy of security operations
• Free up personnel to focus on confirmed threats