Page 1: Ransomware Defense Overview BDM - saMBO-ICT

Aigerim Issabayeva, Consulting Systems Engineer

30th September 2016

Ransomware Defense

Page 2: Video

© 2015 Cisco and/or its affiliates. All rights reserved.

Video – Ransomware anatomy of an attack: https://www.youtube.com/watch?v=4gR562GW7TI

Page 3: Ransomware Problem

Problem: Customers can be taken hostage by malware that locks up critical resources – ransomware.

1. Ransomware gains access to systems through web, email, servers…

2. Ransomware takes control of those systems and holds the data in these systems ‘hostage’ until the owner/company agrees to pay the ‘ransom’ (bitcoins) to free the system.

• Education
• Hospitals
• Public safety
• Financial banking
• Retail

Effect: This can be catastrophic to businesses for a period of time.

Page 4: Ransomware: Easy Profits

• Most profitable malware in history
• Lucrative: direct payment to attackers!
• Cyber-criminals collected $209 million in the first three months of 2016
• At that rate, ransomware is on pace to be a $1 billion a year crime this year.
• Let’s take an example:
  • Looking only at the Angler exploit kit delivering ransomware
  • $60 million dollars a year in profits

Page 5: The Evolution of Ransomware Variants

The confluence of easy and effective encryption, the popularity of exploit kits and phishing, and a willingness for victims to pay have caused an explosion of ransomware variants.

[Timeline figure, 1989 to 2016. Milestones shown: PC Cyborg, GPCoder, Fake Antivirus, first commercial Android phone, QiaoZhaz, CRYZIP, Redplus, Bitcoin network launched, Reveton, Ransomlock, Dirty Decrypt, Cryptorbit, Cryptographic Locker, Urausy, Cryptolocker, CryptoDefense, Koler, Kovter, Simplelock, Cokri, CBT-Locker, TorrentLocker, Virlock, CoinVault, Svpeng, TeslaCrypt, Lockdroid, Tox, Cryptvault, DMALock, Chimera, Hidden Tear, Lockscreen, Teslacrypt 2.0, Cryptowall, SamSam, Locky, Cerber, Radamant, Hydracrypt, Rokku, Jigsaw, Powerware, 73V3N, Keranger, Petya, Teslacrypt 3.0, Teslacrypt 4.0, Teslacrypt 4.1.]

Page 6: Typical Ransomware Infection

Problem: Customers can be taken hostage by malware that locks up critical resources.

[Figure: Infection Vector → C2 Comms & Asymmetric Key Exchange → Encryption of Files → Request of Ransom]

• Ransomware frequently uses web and email as the infection vector
• Ransomware takes control of targeted systems
• Ransomware holds those systems ‘hostage’
• Owner/company agrees to pay the ‘ransom’ (bitcoins) to free the system

Page 7: Most Ransomware Relies on C2 Callbacks

Name*           C2 channel
Locky           DNS
SamSam          DNS (TOR)
TeslaCrypt      DNS
CryptoWall      DNS
TorrentLocker   DNS
PadCrypt        DNS (TOR)
CTB-Locker      DNS
FAKBEN          DNS (TOR)
PayCrypt        DNS
KeyRanger       DNS

Columns in the original table: DNS, IP, No C2, TOR payment; markers distinguish the encryption key exchange from the payment message.

*Top variants as of March 2016

Page 8: Ransomware Defense Overview

Page 9: Cisco Ransomware Defense Solution

Solution to Prevent, Detect and Contain ransomware attacks

Cisco Ransomware Defense Solution is not a silver bullet, and not a guarantee. It does help to:
• Prevent ransomware from getting into the network where possible
• Stop it at the systems before it gains command and control
• Detect when it is present in the network
• Work to contain it from expanding to additional systems and network areas
• Perform incident response to fix the vulnerabilities and areas that were attacked

This solution helps to keep business operations running with less fear of being taken hostage and losing control of critical systems.

Page 10: How Ransomware Works – Most Variants Require All 5 Steps

[Figure: two infection paths ending in the same outcome.]

EMAIL-BASED INFECTION: Email w/ Malicious Attachment → Ransomware Payload → Encryption Key C2 Infrastructure → Files inaccessible

WEB-BASED INFECTION: User Clicks a Link or Malvertising → Malicious Infrastructure → Ransomware Payload → Encryption Key C2 Infrastructure → Files inaccessible

Page 11: Cisco Ransomware Defense

[Figure: the two infection paths from the previous slide, with the control that blocks each step.]

Controls shown along the paths:
• Umbrella blocks the request
• NGFW blocks the connection
• Email Security w/AMP blocks the phishing email
• AMP for Endpoint blocks the file
• Umbrella blocks the request to Encryption Key Infrastructure

Products: Umbrella, Next-Gen Firewall, AMP Endpoint, Email w/AMP
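The table on Page 7 and the "Umbrella blocks the request to Encryption Key Infrastructure" step above make the same point: the variants listed must resolve a C2 domain over DNS before they can fetch an encryption key, so the DNS lookup is a place to detect and block. The following is an added example, not code from the deck or from any Cisco product; the resolver log format, the client IPs and the blocklisted domains are all constructed for illustration.

```python
"""DNS-layer detection of ransomware C2 / key-exchange callbacks.

Added example (not from the deck or any Cisco product). The query log
lines and the blocklist below are constructed; real deployments would
feed resolver logs and a threat-intel list into the same functions.
"""
import re
from collections import defaultdict

# Constructed blocklist: a hit on a domain also covers all of its subdomains.
C2_BLOCKLIST = {"keyserver-example.test", "payload-cdn-example.test"}

# Constructed BIND-style query log lines (hypothetical client IPs and domains).
SAMPLE_LOG = """\
client 10.1.4.22#51234: query: www.example.org IN A + (10.1.1.1)
client 10.1.4.22#51240: query: a1b2.keyserver-example.test IN A + (10.1.1.1)
client 10.1.7.9#40001: query: mail.example.org IN MX + (10.1.1.1)
client 10.1.7.9#40002: query: payload-cdn-example.test IN A + (10.1.1.1)
client 10.1.4.22#51241: query: keyserver-example.test IN TXT + (10.1.1.1)
"""

LINE_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def blocked_parent(qname):
    """Return the blocklisted domain that qname equals or sits under, else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # walk up: host.sub.dom.tld, sub.dom.tld, ...
        if candidate in C2_BLOCKLIST:
            return candidate
    return None


def scan_dns_log(log_text):
    """Map each client IP to the (qname, matched domain) lookups that hit the blocklist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line
        parent = blocked_parent(m["qname"])
        if parent:
            hits[m["client"]].append((m["qname"], parent))
    return dict(hits)


if __name__ == "__main__":
    for client, lookups in scan_dns_log(SAMPLE_LOG).items():
        print(f"ALERT {client}: {len(lookups)} C2 lookup(s), candidate for containment")
```

Each alerting client is a candidate for the containment step the later slides describe (ISE/TrustSec policy), and a lookup that was blocked before an answer was returned is the key-exchange step failing.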

Page 12: Cisco Ransomware Defense – Detect and Contain in Network

Talos Security Intelligence

[Figure: detection and containment flow]
• StealthWatch detects and alerts
• AMP Threat Grid analyzes threat
• NGIPS deploys the patch
• NGFW blocks the connection
• ISE pushes containment policy
• TrustSec deploys dynamic containment
• AMP Endpoint protects the system

Outcomes: RANSOMWARE CONTAINED; CLEAN SYSTEM

Page 13: What to Do

Plan for the worst: have an effective disaster recovery plan and back up frequently.

1. 30 DAYS – Prevent when possible
   1. Quick protection: deploy Umbrella and AMP for Endpoint (prevent when possible)
   2. Add AMP to Email Security (CES or ESA)

2. 60 DAYS
   • Deploy AMP Threat Grid, NGFW/NGIPS with Firepower 4100 series
   • Cisco Incident Response Services to better prepare

3. 90-180 DAYS
   • Detect and contain in the network infrastructure (security driven network refresh)

Page 15: Breaking the Ransomware Kill Chain

Page 16: End-to-End “Kill Chain” Defense Infrastructure

[Figure: kill chain stages with the defenses placed beside each, as laid out in the slide.]

ATTACKER → INFRASTRUCTURE USED BY ATTACKER → FILES/PAYLOADS USED BY ATTACKER → TARGET BREACH / COMPROMISE

• RECON: NGIPS, NGFW
• STAGE: Threat Intelligence
• LAUNCH: DNS-Layer Security, Web Security, Email Security, NGIPS
• EXPLOIT: NGIPS, NGFW, Network Anti-Malware
• INSTALL: Host Anti-Malware
• CALLBACK: DNS-Layer Security, Web Security, NGIPS
• PERSIST: Flow Analytics

File Trajectory

Page 17: End-to-End “Kill Chain” Defense Infrastructure – Cisco Products

[Figure: the same stages (RECON, STAGE, LAUNCH, EXPLOIT, INSTALL, CALLBACK, PERSIST; ATTACKER / INFRASTRUCTURE USED BY ATTACKER / FILES/PAYLOADS USED BY ATTACKER / TARGET BREACH / COMPROMISE), grouped into Cloud Defense (Quick Win!), WEB Defense and Rapid Defense (Protect Me – Once They’re In!).]

Product cells shown:
• Umbrella: on/off-net, OpenDNS intel
• FTD, WSA/ESA: on-net, TALOS intel
• CES/ESA+AMP: off-net, TALOS intel
• CWS/WSA: off-net, proxy all
• AMP+TG (for endpoint): on/off-net
• FTD & AMP (for network): on-net
• AMP+TG (for content): on/off-net
• Umbrella: on/off-net, all ports, DNS & IP layer
• FTD: on-net, all ports, IP layer
• CWS/WSA & CTA: ports 80/443, on/off-net, proxy all
• FTD, ISE+TrustSec: on-net, prevent nmap
• FTD, ISE+TrustSec & Stealthwatch: on-net, segmentation & netflow
• OpenDNS Investigate: Internet-wide visibility
• TALOS: research only

Page 18: How You Get Infected

• Salesmen researching new products → Secure outbound web access
• Manager opening e-mail from vendor → Secure mail
• Employee accessing files on server → Secure file access

Page 19: Without a Defense In Depth strategy you have the problems we see today

[Figure: Corporate Device → Access Switch → Distribution Switch → Core Switch → Router → Firepower Appliance → Web Proxy → Web Browsing (tiers: Core, Distribution, Access, Local Services). Webpage retrieval requested; ransomware downloaded.]

Page 20: Web Security – Defense In Depth – Best Threat Surface Coverage Possible

[Figure: the same network path (Corporate Device, Access Switch, Distribution Switch, Core Switch, Router, Firepower Appliance, DNS; tiers: Core, Distribution, Access, Local Services) with CLOUD SERVICES: Policy (AMP4E), Malware Sandbox (Threat Grid), Threat Intelligence (Talos), DNS-Layer Security (Umbrella). Webpage retrieval requested; ransomware downloaded; Command & Control.]

Page 21: Services for Ransomware Defense

Page 22: Cisco Security Services to address Ransomware

Columns in the original: ADVISORY, CONSULTING, ENGINEERING, OPERATIONS, grouped as BEFORE and DURING/AFTER.

BEFORE
• Diagnose and demonstrate security weaknesses and vulnerabilities and provide recommendations
• Review people, process and technology to identify exposed areas that may lead to a data breach
• Assess Incident Response Readiness
• Design and deployment services of new technologies and products

DURING/AFTER
• Perform incident response and identify the “Root Cause” of the attack
• Respond with expert resources to quickly and effectively mitigate security incidents
• Increase efficiency and efficacy of security operations
• Free up personnel to focus on confirmed threats