Cisco Security Experts Series: Ransom Where Everywhere: Breaking Down the Ransomware


Presenters: Andrew Edwards / Rob Gregg, Cyber Security @ Cisco. July 6th, 2016

Series topics:
- Better Security Visibility
- Securing the Mobile Enterprise
- Protect Against Advanced Malware
- Improve Results with Security Services
- Harden and Segment the Network
- Security as a Network Driver

Effective security is delivered when the pieces work together, seamlessly. Our goal is to make security less complex by providing a best-of-breed portfolio that is deeply integrated and delivers solutions that are superb individually but vastly more powerful when used together.

Email Security for Ransomware. In email, ransomware uses phishing or spam messages to gain a foothold: a user only has to click a link in a phishing or spam email, or open an attachment, for the ransomware to download and call out to its command-and-control server. Cisco Email Security with Advanced Malware Protection (AMP) blocks spam and phishing emails as well as malicious email attachments and URLs.

Cisco Email Security Benefits (threat-focused):
- Signature and behavioral layers of defense built into a single appliance
- Multiple anti-spam engines, Email and Web Reputation, multiple AV scanners, and Outbreak Filters
- Exceptional threat identification infrastructure using Cisco's Talos Research Group
- Zero-day and blended threat protection
- Advanced Malware Protection
"With Cisco, a substantial reduction in total cost of ownership and the new features to battle viruses and spam [are] a reality." Kenichi Tabata, Komatsu Ltd., Japan

Defending against these advanced threats requires greater visibility and control across the full attack continuum: BEFORE (Discover, Enforce, Harden), DURING (Detect, Block, Defend), AFTER (Scope, Contain, Remediate). Control points: WWW, Email, Web, Endpoint, Mobile, Virtual, Cloud, Network. Protection is both point-in-time and continuous.

Cisco Email Security Overview. Talos intelligence feeds a pipeline that can be deployed as a cloud service, an appliance, or a virtual appliance. Inbound email passes through the following stages, spanning BEFORE, DURING and AFTER:
- Email Reputation
- Mail Flow Policies / Acceptance Controls
- Anti-Spam
- Anti-Virus
- AMP File Reputation
- Graymail Management and Safe Unsubscribe
- Content Controls
- Outbreak Filters
- URL Reputation & Categorization, Anti-Phish
- AMP File Sandboxing and Retrospection (ThreatGrid)
- Web Interaction Tracking (WIT): tracking user click activity (Anti-Phish)
Management: Admin, Reporting, Message Tracking.

Cisco Email Security Integration with Threat Intelligence. Built on unmatched collective security analytics: Cisco Talos Research and Response draws telemetry from WWW, Email, Endpoints, Web, Networks, IPS and Devices:
- 1.6 million global sensors
- 100 TB of data received per day
- 150 million+ deployed endpoints
- 600+ engineers, technicians, and researchers
- 35% of worldwide email traffic
- 13 billion web requests
- 24 x 7 x 365 operations
- 40+ languages
Sources: ESA (180,000+ file samples per day), FireAMP community, advanced Microsoft and industry disclosures, Snort and ClamAV open source communities, honeypots, Sourcefire AEGIS program, private and public threat feeds, dynamic analysis.

Cisco Talos Email Reputation Database (BEFORE: Discover, Enforce, Harden). Breadth and quality of data make the difference. Inputs:
- Spam traps
- Complaint reports
- IP blacklists and whitelists
- Message composition data
- Compromised host lists
- Website composition data
- Global volume data
- Domain blacklists and safelists
- Other data
Output: an IP reputation score from -10 (worst) to +10 (best).

Cisco Email Security delivers industry-leading inbound security. Threat protection: Anti-Spam, Antivirus, Advanced Malware Protection (AMP), Outbreak Filters. Data security: Data Loss Prevention, Encryption.

Prevent Spoofing Attacks: Forged Email Detection (FED). Incoming mail (good, bad, unknown) passes through an FED content filter with these parameters:
- Executive name directory
- Cousin domain check
- LDAP query
- DMARC verification
Suspect spoofs can be quarantined, or exposed to the user: prepend a warning, BCC, deliver to an alternate destination, etc.
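The three FED parameters above (executive-name directory, cousin-domain check, DMARC verification) combine into a simple classifier. The following is an added example written for this page, not Cisco ESA code: the organisation domain, the executive directory, the confusable-character table and the Authentication-Results stand-in are all assumptions.

```python
"""Forged Email Detection logic: executive display-name match, cousin (look-alike)
domain check, and relaxed DMARC alignment. Added example, not Cisco ESA code."""
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                     # assumption: our own domain
EXEC_DIRECTORY = {"jane doe", "john smith"}    # assumption: the "exec name directory"
# Substitutions commonly used to build look-alike domains (assumed table).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_cousin_domain(domain, org=ORG_DOMAIN):
    """True for look-alikes of the org domain; the org domain and its subdomains are not cousins."""
    domain = domain.lower()
    if domain == org or domain.endswith("." + org):
        return False
    folded = domain
    for bad, good in CONFUSABLES.items():      # exarnple.com -> example.com
        folded = folded.replace(bad, good)
    if folded == org:
        return True
    org_label, dom_label = org.split(".")[0], domain.split(".")[0]
    # Same label under another TLD (example.co) or within two edits (examplle.com).
    return dom_label == org_label or levenshtein(dom_label, org_label) <= 2


def exec_name_match(display_name):
    words = re.sub(r"[^a-z ]", " ", display_name.lower()).split()
    return " ".join(words) in EXEC_DIRECTORY


def dmarc_aligned(from_domain, auth):
    """Relaxed DMARC alignment: an SPF- or DKIM-authenticated domain must equal the
    From: domain or share its organizational domain. `auth` is a constructed stand-in
    for Authentication-Results, e.g. {"spf": ("pass", "mail.example.com")}."""
    def aligned(d):
        return d == from_domain or d.endswith("." + from_domain) or from_domain.endswith("." + d)
    return any(result == "pass" and aligned(dom) for result, dom in auth.values())


def fed_verdict(from_header, auth):
    """Return (action, reason) for a From: header, mirroring the FED actions on the slide."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain == ORG_DOMAIN and not dmarc_aligned(domain, auth):
        return ("quarantine", "exact-domain spoof: DMARC not aligned")
    if is_cousin_domain(domain):
        return ("quarantine", f"cousin domain {domain}")
    if exec_name_match(name) and domain != ORG_DOMAIN:
        return ("prepend-warning", f"executive display name '{name}' sent from external domain {domain}")
    return ("deliver", "")
```

The edit-distance threshold is the part a practitioner tunes: at 2 it catches exampel.com but will also flag legitimately similar short names, so production deployments pair it with an allowlist of known partner domains.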

Antispam Defense in Depth. Incoming mail (good, bad, and unknown) is first checked against Cisco Talos reputation: known bad mail is blocked before it enters the network, and suspicious mail is rate limited and spam filtered. Cisco Anti-Spam then evaluates what, who, where, how and when: > 99% catch rate, < 1 in 1 million false positives. A choice of scanning engines suits every customer's risk posture.

Antivirus Defense in Depth. After the anti-spam engines (Cisco Anti-Spam, IMS), messages pass through the antivirus engines, again evaluated by what, who, where, how and when. Choice of anti-virus engines: Sophos, McAfee.

Cisco Zero-Hour Malware Protection with Cisco AMP integration. File Reputation: the known file reputation is checked and reputation updates flow back. File Sandboxing: unknown files are uploaded for sandboxing (archives, Windows PE, PDF, MS Office). Outbreak Filters complete the layer.

AMP Provides Continuous Retrospective Security. Breadth and control points (WWW, Email, Endpoints, Web, Network, IPS, Devices) send a continuous telemetry stream of file fingerprints and metadata, file and network I/O, and process information into continuous analysis, so a file's disposition can be revised after it was first seen.
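Retrospection only works if the gateway remembers what it let through. The following is an added example, not Cisco AMP code, of the bookkeeping behind a retrospective alert: every delivered attachment is fingerprinted, and a later disposition change to "malicious" yields the list of messages and recipients that already received the file. The message records and the sample attachment bytes are constructed.

```python
"""Retrospective alerting: keep fingerprints of delivered attachments and report
exposure when a verdict flips to malicious. Added example, not Cisco AMP code."""
import hashlib
from collections import defaultdict


class RetrospectionIndex:
    def __init__(self):
        self.by_hash = defaultdict(list)   # sha256 -> delivered message records
        self.disposition = {}              # sha256 -> "clean" | "unknown" | "malicious"

    @staticmethod
    def fingerprint(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def record_delivery(self, msg_id, recipients, attachment: bytes, disposition="unknown"):
        """Store the fingerprint of an attachment that was delivered with the given disposition."""
        h = self.fingerprint(attachment)
        self.by_hash[h].append({"msg": msg_id, "to": list(recipients)})
        self.disposition.setdefault(h, disposition)
        return h

    def update_disposition(self, sha256, new):
        """Apply a reputation or sandbox update. Returns one retrospective alert per
        message that already carried the file when the verdict moved to malicious."""
        old = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = new
        if new == "malicious" and old != "malicious":
            return [{"sha256": sha256, "msg": r["msg"], "to": r["to"]}
                    for r in self.by_hash.get(sha256, [])]
        return []


def exposed_recipients(alerts):
    """Distinct mailboxes that need containment (remediation scope for the AFTER phase)."""
    return sorted({rcpt for a in alerts for rcpt in a["to"]})
```

The index keys on the file hash rather than the message, because the same dropper is typically mailed to many recipients under different subjects; the hash is what the retrospective feed reports.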

Outbreak Filters: Zero-Hour URL and File-Based Malware Protection. Cloud-powered zero-hour virus and malware detection from Cisco Talos, with a dynamic quarantine working alongside the virus filter and Advanced Malware Protection. Outbreak Filters advantage:
- Average lead time*: over 13 hours
- Outbreaks blocked*: 291 outbreaks
- Total incremental protection*: over 157 days

Outbreak Filters Defend Against Blended Attacks. When a link is clicked, Cisco performs dynamic, real-time inspection via HTTP against Cisco Talos: a clean website is allowed, a malicious one is blocked with a page reading: "The requested web page has been blocked (http://www.threatlink.com). Cisco Email and Web Security protects your organization's network from malicious software. Malware is designed to look like a legitimate email or website which accesses your computer, hides itself in your system, and damages files."

Outstanding URL Defense: many ways of protecting end users from malicious or inappropriate links. When an email contains a URL, Web Reputation and/or Web Categorization from Cisco Talos decide the action, automated with Outbreak Filters or applied manually:
- Send to cloud analysis
- Rewrite the URL
- Defang, e.g. BLOCKEDwww.playboy.comblocked, BLOCKEDwww.proxy.orgblocked
- Replace with a notice: "This URL is blocked by policy"

Web Interaction Tracking: enabling tracking of URLs rewritten by policy, so potentially malicious and rewritten URLs can be monitored per user from a single pane of glass.

User | Rewritten URL | Click Time | Re-write reason | Action taken
User A | 2asyncfs.com | 09:23:25 12 Jan 2015 | Outbreak | Blocked
User B | 5asynxsf.com | 11:01:13 09 Mar 2015 | Policy | Allowed
User C | 8esynttp.com | 16:17:44 15 Jun 2015 | Outbreak | Blocked
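The URL-defense actions (rewrite, defang) and Web Interaction Tracking above fit together: the gateway rewrites a link to point at a redirector, and the redirector can only attribute a click back to a user and a rewrite reason if the rewritten link carries that information tamper-proof. The following is an added example, not Cisco ESA code; the gateway host, the token layout, the HMAC key and the sample message body are assumptions.

```python
"""URL rewriting with HMAC-bound click tracking, plus defanging in the slide's
BLOCKED...blocked style. Added example, not Cisco ESA code."""
import base64
import hashlib
import hmac
import json
import re

GATEWAY = "https://click.example-gateway.invalid/r"   # assumption: our redirect service
SECRET = b"rotate-me-per-tenant"                      # assumption: HMAC key, kept server-side
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def rewrite_url(url, reason, user):
    """Wrap a URL in a tracking redirect. The token binds url, reason and user with an
    HMAC so the redirector refuses tampered links and can attribute each click."""
    payload = json.dumps({"u": url, "r": reason, "who": user}, separators=(",", ":"))
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()[:32]
    blob = base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")
    return f"{GATEWAY}?t={blob}.{tag}"


def resolve_click(tracking_url):
    """Redirector side: verify the tag, then return (original_url, reason, user).
    This is the record Web Interaction Tracking reports per click."""
    token = tracking_url.split("?t=", 1)[1]
    blob, tag = token.rsplit(".", 1)
    payload = base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4)).decode()
    expect = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(expect, tag):
        raise ValueError("tampered tracking token")
    d = json.loads(payload)
    return d["u"], d["r"], d["who"]


def defang(url):
    """Render a link unclickable, mirroring the slide's defanged form."""
    return "BLOCKED" + re.sub(r"^https?://", "", url) + "blocked"


def process_body(body, user, verdict):
    """Apply a per-URL policy to a message body. `verdict(url)` returns
    'defang', 'rewrite:<reason>' or 'allow' (reputation lookup stands in for Talos)."""
    def apply(match):
        url = match.group(0)
        v = verdict(url)
        if v == "defang":
            return defang(url)
        if v.startswith("rewrite:"):
            return rewrite_url(url, v.split(":", 1)[1], user)
        return url
    return URL_RE.sub(apply, body)
```

Binding the user into the token is what makes the per-user click table possible without a database lookup at click time; truncating the HMAC to 128 bits keeps the link short while leaving forgery infeasible.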

Mitigating One of Today's Most Significant Cyber Threats: Ransomware. Rob Gregg, Channel Systems Engineering @OpenDNS, Rob.gregg@cisco.com

YOUR FILES ARE ENCRYPTED

Ransomware Discoveries

Typical Ransomware Infection: (1) infection vector, (2) C2 communications and asymmetric key exchange, (3) encryption of files, (4) request of ransom.

Channels used by recent families (Encryption C&C over DNS, IP, or no C&C; payment message over TOR or a payment site):

Family | Channel
Locky | DNS
SamSam | DNS (TOR)
TeslaCrypt | DNS
CryptoWall | DNS
TorrentLocker | DNS
PadCrypt | DNS (TOR)
CTB-Locker | DNS
FAKBEN | DNS (TOR)
PayCrypt | DNS
KeyRanger | DNS

Ransomware Kill Chain in Detail. Two common paths to the payload:
- Web: user clicks a link or malvertising -> initial exploit using Angler -> malicious infrastructure -> ransomware payload
- Email: email with malicious attachment -> ransomware payload
After infection, the payload contacts the encryption key C2 infrastructure.

How Cisco Protects Customers from Ransomware (Umbrella, Next-Gen Firewall, AMP, Lancope), following the kill chain in order:
- Umbrella blocks the request; NGFW blocks the connection
- Web or Email Security with AMP blocks the file
- Umbrella blocks the request; NGFW blocks the connection; Lancope detects the activity
- AMP for Endpoints blocks the file
- Umbrella blocks the request to the key C2 infrastructure

OpenDNS Technology Overview

Why Leverage DNS to Detect and Block Threats. Most attacker C2 is initiated via DNS lookups, with some non-web callbacks:
- 15% of C2 bypasses web ports 80 & 443 (Lancope Research, now part of Cisco [1]: millions of unique malware samples from small office LANs over 2 years)
- 91% of C2 can be blocked at the DNS layer (Cisco AMP Threat Grid Research [2]: millions of unique malware samples submitted to the sandbox over 6 months)
Non-web C2 examples: Storm, Regin, Pushdo/Cutwail, Gh0st, Lethic, Seasalt (APT1), njrat, Glooxmail (APT1), Zbot, ZeroAccess, Bifrose, DarkComet, Hesperbot, Tinba, Starsypound (APT1), Gameover Zeus, Longrun (APT1), Citadel, Kelihos, PoisonIvy, Biscuit (APT1), Bouncer (APT1).
Note 1: Visual Investigations of Botnet Command and Control Behavior (link). Malware reached out to 150,000 C2 servers over 100,000 TCP/UDP ports; malware often used 866 (TCP) & 1018 (UDP) well-known ports, whereas legitimate traffic used 166 (TCP) & 19 (UDP) ports.
Note 2: Forthcoming 2016 Cisco Annual Security Report. 9% had IP connections only and/or legitimate DNS requests; 91% had IP connections which were preceded by malicious DNS lookups; very few had no IP connections.
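The 91% / 9% split above is a statement about ordering: a C2 connection that was preceded by a lookup of a malicious domain could have been stopped at the resolver, while a connection straight to an IP could not. The following is an added example, not OpenDNS or Cisco code, that makes that split measurable on your own telemetry by joining resolver logs to flow logs per client; the two logs and the blocklist entry are constructed (the domain is the one the deck uses in its Locky example).

```python
"""Classify outbound connections by whether a DNS firewall could have blocked them.
Added example, not OpenDNS/Cisco code; logs are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

BLOCKLIST = {"glslindia.com"}   # assumption: one entry of a malicious-domain feed

# Constructed resolver log: (client, ISO time, qname, answer IP)
DNS_LOG = [
    ("10.0.0.5", "2016-03-15T09:00:01", "www.example.org", "93.184.216.34"),
    ("10.0.0.5", "2016-03-15T09:00:02", "glslindia.com", "203.0.113.10"),
    ("10.0.0.7", "2016-03-15T09:05:00", "mail.example.org", "198.51.100.9"),
]
# Constructed flow log: (client, ISO time, destination IP, destination port)
FLOW_LOG = [
    ("10.0.0.5", "2016-03-15T09:00:03", "93.184.216.34", 443),
    ("10.0.0.5", "2016-03-15T09:00:04", "203.0.113.10", 80),
    ("10.0.0.7", "2016-03-15T09:05:02", "198.51.100.9", 25),
    ("10.0.0.9", "2016-03-15T09:10:00", "203.0.113.77", 866),   # no lookup at all
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def in_blocklist(qname, blocklist=BLOCKLIST):
    """Match the name or any parent domain (cdn.glslindia.com hits glslindia.com)."""
    labels = qname.lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def classify_flows(dns_log, flow_log, blocklist=BLOCKLIST, window=timedelta(minutes=10)):
    """Label each flow: blocked-at-dns (preceded by a blocklisted lookup), benign-dns
    (preceded by a clean lookup), or direct-ip (no lookup, beyond the DNS layer)."""
    seen = defaultdict(list)                     # (client, ip) -> [(time, qname)]
    for client, t, qname, ip in dns_log:
        seen[(client, ip)].append((ts(t), qname))
    results = []
    for client, t, ip, port in flow_log:
        when = ts(t)
        prior = [q for qt, q in seen.get((client, ip), []) if when - window <= qt <= when]
        if not prior:
            label = "direct-ip"
        elif any(in_blocklist(q, blocklist) for q in prior):
            label = "blocked-at-dns"
        else:
            label = "benign-dns"
        results.append((client, ip, port, label))
    return results


def summarize(results):
    """Count labels; the direct-ip share is what NGFW/NetFlow must cover instead of DNS."""
    counts = {}
    for *_, label in results:
        counts[label] = counts.get(label, 0) + 1
    return counts
```

The join is per client and bounded by a time window because the same IP can be resolved from many names; a lookup by a different host, or one from hours earlier, does not explain this connection.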

Our Perspective: a diverse set of data. 80B requests per day, 65M daily active users, 160+ countries, 12K enterprise customers.

Anatomy of a Cyber Attack. The attacker performs reconnaissance and infrastructure setup (domain registration, IP and ASN intel, public/private announcements), hits patient zero, monitors and adapts based on results, expands to more targets, and reaches wide-scale prevalence; only then are defense signatures built.

We see where attacks are staged, using modern data analysis to surface threat activity in unique ways.

Real World Example: Blocking Locky

Feeling Locky?
- Encrypts and renames the infected device's important files with the .locky extension
- Approximately 90,000 victims per day [1]
- Ransom ranges from 0.5 to 1.0 BTC (1 BTC ~ 422 USD)
- Linked to Dridex operators
[1] Forbes, Ransomware Crisis

Blocking Ransomware, Real-World Example with a Locky Domain: glslindia[.]com (detection date: 15/03/2016)

Blocking Ransomware (Locky): the malware download URL sits among domains that co-occur and domains that share the same infrastructure. Domains in red are automatically blocked by OpenDNS; the hash of the malicious file downloaded from these domains ties them together.

Blocking Ransomware (Locky): starting from the infection point, the Before/During/After view shows the current malware distribution point and the next malware distribution points. Exposing the attacker's infrastructure (nameservers and IPs) makes it possible to predict the next moves.

Discover the Threats Before They Happen. VT link: https://virustotal.com/en/file/07bed9baa42996bded75dacf5c2611ba5d3a3f19b8588ea734530f74c2586087/analysis/ (first VT submission: 2016-03-18 16:51:45, three days after OpenDNS; see next slide)
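The two pivots the Locky slides rely on, co-occurrence (domains the same clients resolve right before or after the known-bad one) and shared infrastructure (same nameserver or IP), can be reproduced on your own resolver logs and passive-DNS data. The following is an added example, not OpenDNS Investigate code; the query log and passive-DNS records are constructed, only the seed domain glslindia[.]com comes from the deck, and the scoring thresholds are assumptions.

```python
"""Pivot from one known ransomware distribution domain to related infrastructure via
co-occurrence and shared hosting. Added example, not OpenDNS Investigate code."""
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_BAD = "glslindia.com"   # the Locky domain on the slide

# Constructed per-client resolver log: (client, ISO time, qname)
QUERIES = [
    ("c1", "2016-03-15T08:00:00", "glslindia.com"),
    ("c1", "2016-03-15T08:00:03", "pay-locker.invalid"),
    ("c2", "2016-03-15T09:10:00", "pay-locker.invalid"),
    ("c2", "2016-03-15T09:10:01", "glslindia.com"),
    ("c3", "2016-03-15T10:00:00", "glslindia.com"),
    ("c3", "2016-03-15T10:00:02", "cdn.example.org"),
    ("c1", "2016-03-15T11:00:00", "cdn.example.org"),   # popular domain, seen on its own too
    ("c4", "2016-03-15T12:00:00", "cdn.example.org"),
]
# Constructed passive DNS: domain -> (nameservers, A records)
PASSIVE_DNS = {
    "glslindia.com":      ({"ns1.bulkhost.invalid"}, {"203.0.113.10"}),
    "next-drop.invalid":  ({"ns1.bulkhost.invalid"}, {"203.0.113.11"}),
    "pay-locker.invalid": ({"ns9.other.invalid"},    {"203.0.113.10"}),
    "cdn.example.org":    ({"ns.example.org"},       {"93.184.216.34"}),
}


def cooccurrence(queries, seed, window=timedelta(seconds=60)):
    """For each domain, the fraction of its lookups that fell within `window` of a lookup
    of `seed` by the same client. Near 1.0 means the domain is mostly seen with the seed."""
    by_client = defaultdict(list)
    for client, t, q in queries:
        by_client[client].append((datetime.fromisoformat(t), q))
    near, total = defaultdict(int), defaultdict(int)
    for events in by_client.values():
        seed_times = [t for t, q in events if q == seed]
        for t, q in events:
            if q == seed:
                continue
            total[q] += 1
            if any(abs(t - st) <= window for st in seed_times):
                near[q] += 1
    return {q: near[q] / total[q] for q in total}


def shared_infrastructure(pdns, seed):
    """Domains that share a nameserver or an A record with the seed, with the reason."""
    ns_seed, ip_seed = pdns[seed]
    out = {}
    for domain, (ns, ips) in pdns.items():
        if domain == seed:
            continue
        reasons = []
        if ns & ns_seed:
            reasons.append("nameserver")
        if ips & ip_seed:
            reasons.append("ip")
        if reasons:
            out[domain] = reasons
    return out


def candidates(queries, pdns, seed, min_cooc=0.5):
    """Merge both pivots into a candidate list: the 'next malware distribution points'."""
    found = {}
    for domain, frac in cooccurrence(queries, seed).items():
        if frac >= min_cooc:
            found.setdefault(domain, []).append(f"co-occurs {frac:.2f}")
    for domain, reasons in shared_infrastructure(pdns, seed).items():
        found.setdefault(domain, []).extend(reasons)
    return found
```

Note what the co-occurrence ratio does with the popular domain: cdn.example.org was resolved next to the seed once, but because it is also resolved on its own its score stays low, which is the same reason a raw "seen together" count would drown real staging domains in CDNs and ad networks. The nameserver pivot is what surfaces next-drop.invalid before any client has ever resolved it.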

Products & Technologies. UMBRELLA (enforcement): a network security service that protects any device, anywhere. INVESTIGATE (intelligence): discover and predict attacks before they happen.

What does OpenDNS provide?
- Umbrella (enforcement), via the resolver 208.67.222.222: blocks by category (malware, C2 callback, phishing, custom via API) and attributes activity by identity (internal IP, hostname, AD user).
- Investigate (intelligence), from Security Labs, queried by API over domain, IP, ASN, email and hash: status & scores, co-occurrences, relationships, attributions, patterns & geos.

Automate Security to Reduce Attack Dwell Time. Files submitted by the customer and partner community are analyzed by AMP Threat Grid (cloud); Umbrella automatically pulls the newly discovered malicious domains in minutes and then logs or blocks all internet activity destined to these domains.

Prevent and Contain Ransomware with Umbrella and AMP

Talos has developed a decryption tool to aid users whose files have been encrypted by TeslaCrypt ransomware. The Talos TeslaCrypt Decryption Tool is an open source command line utility for decrypting TeslaCrypt-encrypted files so that users' files can be returned to their original state. http://www.talosintelligence.com/teslacrypt_tool/