Cisco Security Experts Series: Ransom Where Everywhere: Breaking Down the Ransomware

Transcription

1 Cisco Security Experts Series: Ransom Where Everywhere: Breaking Down the Ransomware Andrew Edwards / Rob Gregg Cyber Cisco July 6th, 2016

2 Better Security Visibility Securing the Mobile Enterprise Protect Against Advanced Malware Improve Results with Security Services Harden and Segment the Network Security as a Network Driver 2

3 Effective Security Is Delivered When The Pieces Work Together. Seamlessly. Our goal is to make security less complex by providing a best of breed portfolio that s deeply integrated and delivers solutions that are superb individually, but vastly more powerful when used together. 3

4 Security For Ransomware In , ransomware uses phishing or spam messages to gain a foothold. Users merely have to click links in phishing or spam or open attachments for ransomware to download and call out to its command-and- control server Cisco Security with Advanced Malware Protection (AMP)blocks spam and phishing s and malicious attachments and URLs.

5 Cisco Security Benefits Threat-Focus With Cisco, a substantial reduction in total cost of ownership and the new features to battle viruses and spam [are] a reality. Kenichi Tabata Komatsu. Ltd. Japan Signature and behavioral layers of defense built-into single appliance Multiple anti-spam engines, and Web Reputation, multiple AV-Scanners, and Outbreak Filters Exceptional threat identification infrastructure using Cisco s Talos Research Group Zero-day and blended threat protection Advanced Malware Protection

6 To Defend Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum Attack Continuum BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate WWW Web Endpoint Mobile Virtual Cloud Network Point-in-Time Continuous

7 Cisco Security Overview Talos Cloud Appliance Virtual Incoming Threat BEFORE DURING AFTER Reputation Mail Flow Policies Acceptance Controls Anti-Spam Anti-Virus AMP File Reputation Graymail Management Content Controls Outbreak Filters AMP File Sandboxing and Retrospection Inbound ThreatGrid Safe Unsubscribe URL Rep & Cat Anti-Phish WIT Tracking User Click Activity (Anti-Phish) X X X X X X X X HQ Admin Management Reporting Message Track

8 Cisco Security Integration with Threat Intelligence Built on Unmatched Collective Security Analytics Threat Intelligence I00I III0I III00II 0II00II I0I I000 0II0 00 0III000 II Cisco III000III0 I00I II0I III Talos Research Response III0 I00I II0I III00II 0II00II II0 00 0III000 III0I00II II II0000I II0 100I II0I III00II 0II00II I0I000 0II0 00 WWW Endpoints Web Networks IPS Devices 1.6 Million Global Sensors 100 TB of Data Received per Day 150 Million+ Deployed Endpoints 600+ Engineers, Technicians, and Researchers 35% Worldwide Traffic 13 Billion Web Requests 24 x 7 x 365 Operations 40+ Languages ESA 180,000+ file samples per day FireAMP community Advanced Microsoft a and industry disclosures Snort and ClamAV open source communities Honeypots Sourcefire AEGIS program Private and public threat feeds Dynamic analysis

9 Cisco Talos Reputation Database BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Spam Traps Complaint Reports IP Blacklists and Whitelists Message Composition Data Compromised Host Lists Website Composition Data Breadth and Quality of Data Make the Difference Global Volume Data Domain Blacklist and Safelists Other Data IP Reputation Score

10 Cisco Security Delivers Industry-Leading Inbound Security Threat Protection Data Security Anti-Spam Antivirus Data Loss Prevention Encryption Advanced Malware Protection (AMP) Outbreak Filters

11 Prevent Spoofing Attacks BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Forged Detection Incoming Mail: Good, Bad, Unknown FED Content Filter FED filter parameters: Exec name directory Cousin domain check LDAP query DMARC verification Other Actions Quarantined or Expose Spoofed Mail From Suspect Spoofs: Prepend with Warning, BCC, alternate destination, etc.

12 Antispam Defense in Depth BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Anti-Spam What Incoming Mail: Good, Bad, and Unknown Cisco Talos Suspicious Mail Is Rate Limited and Spam Filtered Who Where Cisco Anti-Spam How When > 99% catch rate < 1 in 1 million false positives Known Bad Mail Is Blocked Before It Enters the Network Choice of Scanning Engines to Suit Every Customer s Risk Posture

13 Antivirus Defense in Depth BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Antivirus What Who Where Cisco Anti-Spam IMS How When Anti-Spam Engines Antivirus Engines Choice of Anti-Virus Engines: Sophos, McAfee

14 Cisco Zero-Hour Malware Protection Advanced Malware Protection Cisco AMP integration File Reputation Known file reputation Reputation update File Sandboxing Advanced Malware Protection Unknown files are uploaded for sandboxing (archived, Windows PE, PDF, MS Office) Outbreak Filters

15 AMP Provides Continuous Retrospective Security BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Breadth and Control Points WWW Endpoints Web Network IPS Devices Telemetry Stream File Fingerprint and Metadata File and Network I/O Process Information Continuous Feed Continuous Analysis

16 Outbreak Filters Zero Hour URL and File Based Malware Protection BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Outbreak Filters Outbreak Filters Advantage Average lead time*: Over 13 hours Outbreaks blocked*: 291 outbreaks Total incremental protection*: Over 157 days Cisco Talos Dynamic Quarantine Virus Filter Advanced Malware Protection Outbreak Filters in Action Cloud Powered Zero- Hour Malware Detection Zero-Hour Virus and Malware Detection

17 Outbreak Filters Defend Against Blended Attacks BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Link Is Clicked Website Is Clean Cisco Security Dynamic, Real-Time Inspection via HTTP Cisco Talos Website Is Blocked The requested web page has been blocked Cisco and Web Security protects your organization s network from malicious software. Malware is designed to look like a legitimate or website which accesses your computer, hides itself in your system, and damages files.

18 Outstanding URL Defense Many Ways of Protecting End Users from Malicious or Inappropriate Links BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Contains URL Web Rep and/or Web Cat Send to Cloud Rewrite URL Analysis Cisco Talos Defang BLOCKEDwww.playboy. comblocked BLOCKEDwww.proxy.or gblocked Replace This URL is blocked by policy Automated with Outbreak Filters or Manual

19 Web Interaction Tracking Enabling Tracking of URLs Rewritten by Policy BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Filtering User A Rewritten URL: 2asyncfs.com Click Time: 09:23:25 12 Jan 2015 Re-write reason: Outbreak Action taken: Blocked App 1 App 2 App 3 App 5 User B Rewritten URL: 5asynxsf.com Click Time: 11:01:13 09 Mar 2015 Re-write reason: Policy Action taken: Allowed App 4 G App 6 App 7 Potentially Malicious URLs Rewritten URLs User C Rewritten URL: 8esynttp.com Click Time: 16:17:44 15 Jun 2015 Re-write reason: Outbreak Action taken: Blocked Monitor Users from a Single Pane of Glass

20 Mitigating one of Today s Most Significant Cyber Threats: Ransomware Rob Gregg Channel Systems Rob.gregg@cisco.com

21 YOUR FILES ARE ENCRYPTED 21

22 Ransomware Discoveries 24

23 Typical Ransomware Infection Infection Vector C2 Comms & Asymmetric Key Exchange Encryption of Files Request of Ransom 25

24 Encryption C&C Payment MSG NAME DNS IP NO C&C TOR PAYMENT Locky SamSam TeslaCrypt CryptoWall TorrentLocker PadCrypt CTB-Locker FAKBEN PayCrypt KeyRanger DNS DNS (TOR) DNS DNS DNS DNS (TOR) DNS DNS (TOR) DNS DNS

25 Ransomware Kill Chain in Detail User Clicks a Link or Malvertising Initial Exploit Using Angler Malicious Infrastructure Ransomware Payload Encryption Key C2 Infrastructure w/ Malicious Attachment Ransomware Payload 27

26 How Cisco Protects Customers from Ransomware Umbrella blocks the request NGFW blocks the connection Web or Security w/amp blocks the file Umbrella blocks the request NGFW blocks the connection Lancope detects the activity AMP for Endpoints blocks the file Umbrella blocks the request 28 Umbrella Next-Gen Firewall AMP Lancope

27 29 OpenDNS Technology Overview

28 Why leverage DNS to Detect and Block Threats most attacker C2 is initiated via DNS lookups with some non-web callbacks 15% of C2 bypasses Web ports 80 & 443 Storm Regin Pushdo/Cutwail Gh0st Lethic Seasalt (APT1) njrat NON-WEB C2 EXAMPLES Glooxmail (APT1) Zbot ZeroAccess Bifrose DarkComet Hesperbot Tinba Starsypound (APT1) Gameover Zeus Longrun (APT1) Citadel Kelihos PoisonIvy Biscuit (APT1) Bouncer (APT1) Tinba 91% of C2 can be blocked at the DNS layer IP DNS IP Lancope Research (now part of Cisco) 1 NON-WEB WEB Cisco AMP Threat Grid Research 2 millions of unique malware samples from small office LANs over 2 years millions of unique malware samples submitted to sandbox over 6 months NOTE1: Visual Investigations of Botnet Command and Control Behavior (link) malware reached out to 150,000 C2 servers over 100,000 TCP/UDP ports malware often used 866 (TCP) & 1018 (UDP) well known ports, 30 whereas legitimate traffic used 166 (TCP) & 19 (UDP) ports NOTE2: Forthcoming 2016 Cisco Annual Security Report 9% had IP connections only and/or legitimate DNS requests 91% had IP connections, which were preceded by malicious DNS lookups very few had no IP connections

29 Our Perspective Diverse Set of Data 80B Requests Per Day 65M Daily Active Users 160+ Countries 12K Enterprise Customers 31

30 Anatomy of a Cyber Attack Reconnaissance and Infrastructure Setup Domain Registration, IP, ASN Intel., Public / Private Announcements Monitor Adaption Based on Results Patient Zero Hit Target Expansion Wide-Scale Prevalence Defense Signatures Built

31 We See Where Attacks Are Staged using modern data analysis to surface threat activity in unique ways

32 34 Real World Example Blocking Locky

33 Feeling Locky? - Encrypts & renames the infected device s important files with.locky extension - Appx 90,000 victims per day [1] - Ransom ranges from BTC (1 BTC ~ 422 USD) - Linked to Dridex operators [1] Forbes Ransonware Crisis 35

34 Blocking Ransomware: Real World Example with a Locky Domain glslindia[.]com (detection Date: 15/03/2016) 36

35 Blocking Ransomware Locky: Real World Example These domains co-occurr Malware Download URL These domains share the same infrastructure 37 Domains in Red are automatically blocked by OpenDNS Hash of the malicious file downloaded from these domains

36 Blocking Ransomware Locky: Real World Example Infection Point 38 Before During After Current Malware distribution Point Next Malware Distribution Points Expose the attacker s infrastructure (Nameservers and IPs) to predict the next moves

37 Discover the Threats Before They Happen VT Link: (first VT submission: :51:45 three days after OpenDNS, see next slide) 39

38 UMBRELLA Enforcement Network security service protects any device, anywhere INVESTIGATE Intelligence Discover and predict attacks before they happen PRODUCTS & TECHNOLOGIES 40

39 What does OpenDNS Provide CATEGORY MALWARE C2 CALLBACK PHISHING CUSTOM (API) IDENTITY INTERNAL IP HOSTNAME AD USER HOSTNAME Umbrella (Enforcement) SECURITY LABS Investigate (Intelligence) STATUS & SCORES CO-OCCURRENCES RELATIONSHIPS ATTRIBUTIONS PATTERNS & GEOs DOMAIN, IP, ASN, , HASH API 41

40 Automate Security to Reduce Attack Dwell Time CUSTOMER & PARTNER COMMUNITY THREAT ANALYSIS & INTELLIGENCE UMBRELLA Enforcement & Visibility CUSTOMER files domains Automatically Pulls newly discovered malicious domains in minutes AMP Threat Grid - Cloud Logs or Blocks all Internet activity destined to these domains 48

41 Prevent and Contain Ransomware with Umbrella and AMP 50

42 Talos has developed a decryption tool to aid users whose files have been encrypted by TeslaCrypt ransomware. The Talos TeslaCrypt Decryption Tool is an open source command line utility for decrypting TeslaCrypt encrypted files so users files can be returned to their original state. 51