Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified; Consulting Systems Engineer, Cyber Security, Denmark
6/2 - 2018
Ransomware Defense Technical Session
The Evolution of Ransomware Variants
The confluence of easy and effective encryption, the popularity of exploit kits and phishing, and a willingness of victims to pay have caused an explosion of ransomware variants.
[Timeline figure, 1989 to 2017, of ransomware variants in the order shown: PC Cyborg; GPCoder; Fake Antivirus; QiaoZhaz; CRYZIP; Redplus; Reveton; Ransomlock; Dirty Decrypt; Cryptorbit; Cryptographic Locker; Urausy; Cryptolocker; CryptoDefense; Koler; Kovter; Simplelock; Cokri; CBT-Locker; TorrentLocker; Virlock; CoinVault; Svpeng; TeslaCrypt; Lockdroid; Tox; Cryptvault; DMALock; Chimera; Hidden Tear; Lockscreen; TeslaCrypt 2.0; Cryptowall; SamSam; Locky; Cerber; Radamant; Hydracrypt; Rokku; Jigsaw; Powerware; 73V3N; Keranger; Petya; TeslaCrypt 3.0, 4.0 and 4.1; and, in 2017, worm-type ransomware / destructionware: WannaCry and NotPetya. Milestones marked on the same timeline: first commercial Android phone; Bitcoin network launched.]
TALOS brings the intelligence – Smarter every day
[Figure: WannaCry 2017 timeline. Mar 14: Microsoft vulnerability identified; TALOS detects vulnerabilities, so customers with NGFW, IPS and Meraki MX are protected. Apr 14: Shadow Brokers exploit leaked; TALOS detects exploits, so customers with NGFW, IPS and Meraki MX are already protected. May 12: WannaCry ransomware released; in addition, AMP caught the payload and Umbrella blocked the callout.]
Ransomware Defense Overview
Cisco Ransomware Defense Solution: a solution to prevent, detect and contain ransomware attacks
Cisco Ransomware Defense Solution is not a silver bullet, and will not decrypt an already infected system. It does help to:
• Prevent ransomware from getting into the network where possible
• Stop it at the systems before it gains command and control
• Detect when it is present in the network
• Work to contain it from expanding to additional systems and network areas
• Perform incident response to fix the vulnerabilities and areas that were attacked
This solution helps to keep business operations running with less fear of being taken hostage and losing control of critical systems.
Ransomware Kill Chain - Seven Stages of an Attack
[Figure: kill chain stages RECON, STAGE, TARGET, LAUNCH, EXPLOIT, INSTALL, CALLBACK, PERSIST, grouped under BREACH and COMPROMISE, with rows for the ATTACKER, the INFRASTRUCTURE USED BY ATTACKER and the FILES/PAYLOADS USED BY ATTACKER.]
Breaking the Ransomware Kill Chain
Capabilities needed to break the kill chain
• Threat intelligence – Knowledge of existing ransomware and communication vectors
• E-mail security – Block ransomware attachments and links
• Web security – Block web communication to infected sites and files
• DNS security – Break the command & control call back
• Client security – Inspect files for ransomware and viruses, quarantine and remove
• Segment infrastructure – Authenticate access, separate traffic based on role and policy
• Intrusion prevention – Block attacks, exploitation and intelligence gathering
• Monitor infrastructure communications – Identify and alert on abnormal traffic flows
Capability Defense against the “Kill Chain”
[Figure: the kill chain stages (RECON, STAGE, TARGET, LAUNCH, EXPLOIT, INSTALL, CALLBACK, PERSIST; BREACH, COMPROMISE) mapped to End-to-End Infrastructure Defense capabilities: NGIPS, NGFW, Flow Analytics, Network Anti-Malware, Host Anti-Malware, DNS Security, Web Security, Email Security and Threat Intelligence.]
Defend against the entire “Kill Chain”
[Figure: the kill chain stages with Cisco product callouts. Column labels: Quick Defense with Cloud; Advanced Web Defense; Rapid Defense, Protect Me Once They’re In; Investigate, Internet-wide visibility. Callouts: AMP + TG (everywhere) to log pivots; FTD, ISE + TrustSec on-net; TALOS research; Umbrella on/off-net, ODNS intel; CES + TG off-net; TALOS intel; CWS/WSA off-net, proxy all; FTD, WSA/ESA on-net, TALOS intel; AMP + TG (for content) on/off-net; FTD & AMP network on-net; AMP + TG (for endpoint) on/off-net; Umbrella on/off-net, all ports; CWS/WSA & CTA on/off-net, proxy all; FTD on-net, all ports, IP layer; FTD, ISE + TrustSec, Stealthwatch on-net segmentation & netflow.]
Simplified Solution Architecture view
Prevent and Contain Ransomware with Cisco Email Security, Umbrella, and AMP
[Figure: attack sources are compromised sites and malvertising, and phishing/spam; delivery is via web link, web redirect, file drop or email attachment; these lead to exploit kit domains (Angler, Nuclear, NuTrino), C2, the ransomware payload, malicious infrastructure and encryption key infrastructure. Blocking points: Cisco Cloud Email Security with AMP, Cisco Umbrella Roaming (DNS Security) and Cisco AMP for Endpoints (Host Anti-Malware).]
Layers of Defense
Quick Prevention Overview
CES – A phishing e-mail with a ransomware malware link has the link replaced by CES
ODNS – The bad link is blocked by ODNS
AMP4E – The ransomware is submitted to TG, a TG report is produced, and the ransomware is then blocked on a different system
The outer most layer – Email security
Prevent and Contain Ransomware with Cisco Cloud Email Security
[Figure: the same attack-path diagram (compromised sites and malvertising, phishing/spam; web link, web redirect, file drop, email attachment; exploit kit domains Angler, Nuclear, Rig; C2; ransomware payload; malicious infrastructure; encryption key infrastructure), with the e-mail path blocked by Cisco Cloud Email Security with AMP.]
When CES identifies an unknown URL that is potentially malicious, the URL is rewritten using the Outbreak Filters feature and users can be redirected to a confirmation page. This behavior is configurable.
The CES policy in this example was set to strip ransomware attachments and deliver the remainder of the message so that our testing could be validated. Cisco recommends configuring the policy to drop the entire message, not just remove the attachment.
[Screenshots: Incoming Mail Policies – Outbreak Filters; Incoming Mail Policies – Advanced Malware Protection; auto-remediation of a malicious file by CES; AMP and Threat Grid integration by CES.]
The second layer – DNS security
Prevent and Contain Ransomware with Cisco Umbrella (formerly OpenDNS)
[Figure: the same attack-path diagram (compromised sites and malvertising, phishing/spam; web link, web redirect, file drop, email attachment; exploit kit domains Angler, Nuclear, Rig; C2; ransomware payload; malicious infrastructure; encryption key infrastructure), with the DNS lookups blocked by Cisco Umbrella Roaming (DNS Security).]
[Screenshot: OpenDNS blocks phishing.]
The last layer – Host Anti-Malware
Prevent and Contain Ransomware with Cisco AMP for Endpoints
[Figure: the same attack-path diagram (compromised sites and malvertising, phishing/spam; web link, web redirect, file drop, email attachment; exploit kit domains Angler, Nuclear, Rig; C2; ransomware payload; malicious infrastructure; encryption key infrastructure), with the payload blocked on the host by Cisco AMP for Endpoints (Host Anti-Malware).]