Transcript of Cisco Security Experts Series: Ransom Where…Everywhere: Breaking Down the Ransomware
Andrew Edwards / Rob Gregg
Cyber Security @ Cisco
July 6th, 2016
Cisco Security Experts Series:
Ransom Where…Everywhere: Breaking Down the Ransomware
Better Security Visibility
Securing the Mobile Enterprise
Harden and Segment the Network
Improve Results with Security Services
Protect Against Advanced Malware
Security as a Network Driver
Our goal is to make security less complex by providing a best of breed portfolio that’s deeply integrated and delivers solutions that are superb individually, but vastly more powerful when used together.
Effective Security Is Delivered When The Pieces Work Together. Seamlessly.
• In email, ransomware uses phishing or spam messages to gain a foothold. Users merely have to click links in phishing or spam email, or open attachments, for ransomware to download and call out to its command-and-control server
• Cisco Email Security with Advanced Malware Protection (AMP) blocks spam and phishing emails and malicious email attachments and URLs.
Email Security For Ransomware
• Signature and behavioral layers of defense built into a single appliance
• Multiple anti-spam engines, Email and Web Reputation, multiple AV scanners, and Outbreak Filters
• Exceptional threat identification infrastructure using Cisco’s Talos Research Group
• Zero-day and blended threat protection
• Advanced Malware Protection
Cisco Email Security Benefits
“With Cisco, a substantial reduction in total cost of ownership and the new features to battle viruses and spam [are] a reality.”
Kenichi Tabata, Komatsu Ltd., Japan
Threat-Focus
Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
Attack Continuum: BEFORE (Discover, Enforce, Harden); DURING (Detect, Block, Defend); AFTER (Scope, Contain, Remediate)
Across Network, Endpoint, Mobile, Virtual, Cloud, Email, and Web; Point-in-Time and Continuous
Cisco Email Security Overview (diagram): deployed as Appliance, Virtual, or Cloud, with Reporting, Message Tracking, and Management/Admin at HQ. Inbound mail flows from Incoming Threat through the BEFORE / DURING / AFTER stages: Acceptance Controls (Mail Flow Policies), Anti-Spam, Anti-Virus, Outbreak Filters, File Reputation and File Sandboxing and Retrospection (AMP, Threat Grid), Content Controls, Graymail Management (Safe Unsubscribe), Anti-Phish (URL Reputation & Categorization), and Web Interaction Tracking (WIT) of User Click Activity, all fed by Talos.
Cisco Email Security Integration with Threat Intelligence: Built on Unmatched Collective Security Analytics
Talos data sources:
• 180,000+ file samples per day
• FireAMP™ community
• Advanced Microsoft and industry disclosures
• Snort and ClamAV open source communities
• Honeypots
• Sourcefire AEGIS™ program
• Private and public threat feeds
• Dynamic analysis
Cisco® Talos Threat Intelligence, Research, and Response draws telemetry from Email, Endpoints, Web, Networks, IPS, and Devices:
• 1.6 Million Global Sensors
• 100 TB of Data Received per Day
• 150 Million+ Deployed Endpoints
• 600+ Engineers, Technicians, and Researchers
• 35% Worldwide Email Traffic
• 13 Billion Web Requests
• 24 x 7 x 365 Operations
• 40+ Languages
Breadth and Quality of Data Make the Difference
Cisco Talos Email Reputation Database (diagram): an IP Reputation Score from -10 to +10, built from Spam Traps, Complaint Reports, IP Blacklists and Whitelists, Message Composition Data, Compromised Host Lists, Website Composition Data, Global Volume Data, Domain Blacklist and Safelists, and Other Data
Cisco Email Security Delivers Industry-Leading Inbound Security
Threat Protection: Anti-Spam, Antivirus, Advanced Malware Protection (AMP), Outbreak Filters
Data Security: Data Loss Prevention, Encryption
Prevent Spoofing Attacks
Incoming mail (good, bad, unknown) passes through the Forged Email Detection (FED) content filter; messages with a spoofed “Mail From” are quarantined or exposed, and other actions can be applied.
Suspect spoofs: prepend with warning, BCC, alternate destination, etc.
FED filter parameters:
• Exec name directory
• Cousin domain check
• LDAP query
• DMARC verification
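The FED parameters above, worked through as a small detection routine. This is an added example, not Cisco ESA code or configuration: the executive directory, the DMARC verdict table (a stand-in for the SPF/DKIM-based verification a gateway performs), the protected domain example.com and the sample From headers are all constructed for illustration.

```python
# Added example: a forged-email-detection (FED) style check built from the
# slide's filter parameters (exec name directory, cousin domain check, DMARC
# verification). All names, directory data and verdicts are constructed.
from dataclasses import dataclass, field
from email.utils import parseaddr

PROTECTED_DOMAIN = "example.com"  # assumption: the organisation's own domain

# Stand-in for the executive name directory / LDAP query of the slide:
# display name -> the only legitimate mailbox for that name (constructed).
EXEC_DIRECTORY = {
    "Jane Doe": "jane.doe@example.com",
    "John Roe": "john.roe@example.com",
}

# Stand-in for DMARC verification results keyed by header-From domain
# (constructed; a real gateway derives these from SPF/DKIM alignment).
DMARC_VERDICTS = {
    "example.com": "pass",
    "examp1e.com": "none",     # constructed cousin domain without a DMARC record
    "partner.net": "fail",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike (cousin) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_cousin_domain(domain: str, protected: str = PROTECTED_DOMAIN) -> bool:
    """True for domains that imitate the protected domain but are not it:
    typosquats within two edits, or the brand label embedded in another name."""
    if domain == protected:
        return False
    label = protected.split(".")[0]
    return levenshtein(domain, protected) <= 2 or label in domain


@dataclass
class Verdict:
    action: str                        # "deliver", "tag" or "quarantine"
    reasons: list = field(default_factory=list)


def forged_email_check(from_header: str) -> Verdict:
    """Evaluate a From: header against the three FED parameters."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    # Exec name directory: a known executive name from an unexpected mailbox
    expected = EXEC_DIRECTORY.get(name.strip())
    if expected and addr.lower() != expected:
        reasons.append(f"exec name '{name}' from unexpected address {addr}")
    # Cousin domain check against the protected domain
    if is_cousin_domain(domain):
        reasons.append(f"cousin domain {domain} imitates {PROTECTED_DOMAIN}")
    # DMARC verification: own domain must pass; any explicit fail is suspect
    if domain == PROTECTED_DOMAIN and DMARC_VERDICTS.get(domain) != "pass":
        reasons.append("DMARC verification failed for own domain")
    if domain and DMARC_VERDICTS.get(domain) == "fail":
        reasons.append(f"DMARC fail for {domain}")
    if not reasons:
        return Verdict("deliver")
    # Executive impersonation is quarantined; other suspect spoofs are tagged
    if any(r.startswith("exec name") for r in reasons):
        return Verdict("quarantine", reasons)
    return Verdict("tag", reasons)


def apply_action(subject: str, verdict: Verdict) -> str:
    """Prepend a warning to the subject of tagged mail (one of the slide's actions)."""
    if verdict.action == "tag":
        return "[SUSPECTED SPOOF] " + subject
    return subject
```

The cousin-domain heuristic deliberately errs toward flagging: an edit distance of two catches single-character swaps such as examp1e.com, and the substring test catches brand-in-domain registrations such as example-corp.com, which is why the result is a subject tag rather than a hard block unless an executive name is also involved.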
Antispam Defense in Depth
Incoming mail (good, bad, and unknown) is scored by Cisco® Talos and Cisco Anti-Spam on what, who, when, how, and where:
• Known bad mail is blocked before it enters the network
• Suspicious mail is rate limited and spam filtered
• Choice of scanning engines to suit every customer’s risk posture
• > 99% catch rate
• < 1 in 1 million false positives
Antivirus Defense in Depth
Antivirus: choice of anti-virus engines (Sophos, McAfee), layered behind the anti-spam engines (Cisco Anti-Spam, IMS)
Cisco Zero-Hour Malware Protection: Outbreak Filters and Advanced Malware Protection (Cisco® AMP integration)
• File Reputation: known file reputation
• File Sandboxing: unknown files are uploaded for sandboxing (archived, Windows PE, PDF, MS Office)
• Reputation update
Breadth and Control Points: telemetry stream from Web, Endpoints, Network, Email, Devices, and IPS
AMP Provides Continuous Retrospective Security
• Continuous Feed
• Continuous Analysis
• File Fingerprint and Metadata
• Process Information
• File and Network I/O
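Retrospection is the part of the list above that point-in-time scanning cannot deliver: a file that was allowed through while its reputation was unknown must still be found on every host it reached once a later verdict changes. The following is an added example that models that idea with a tiny tracker; it is not Cisco AMP code, and the sighting records, hashes ("hash-A", "hash-B"), host names and the later verdict are constructed.

```python
# Added example: a minimal model of continuous analysis plus retrospection.
# Every file sighting (fingerprint, host, process, network I/O) is kept, so a
# later reputation update can be applied to files already allowed through.
# All telemetry below is constructed; this is not Cisco AMP code.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    ts: str        # time the file was seen
    host: str      # endpoint that saw it
    sha256: str    # file fingerprint (constructed placeholder values)
    process: str   # process that wrote or ran the file
    net_io: str    # network peer contacted, "-" if none


class RetrospectiveTracker:
    """Records sightings so a verdict change can be replayed over history."""

    def __init__(self):
        self.sightings = defaultdict(list)   # sha256 -> [Sighting]
        self.disposition = {}                # sha256 -> "malicious" | "clean"

    def ingest(self, s: Sighting) -> str:
        """Point-in-time decision: block only if the hash is already known bad."""
        self.sightings[s.sha256].append(s)
        return "block" if self.disposition.get(s.sha256) == "malicious" else "allow"

    def update_disposition(self, sha256: str, verdict: str) -> list:
        """Reputation update from continuous analysis. Returns the earlier
        sightings that now need a retrospective alert (hosts the file reached)."""
        previous = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = verdict
        if verdict == "malicious" and previous != "malicious":
            return list(self.sightings.get(sha256, []))
        return []


def scope_hosts(alerts: list) -> dict:
    """Group retrospective alerts by host for the AFTER phase (scope, contain, remediate)."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    return dict(by_host)


# Constructed telemetry: the same unknown file lands on two hosts and only
# later does sandboxing classify it as malicious.
FEED = [
    Sighting("2016-03-15T09:00:00Z", "ws-01", "hash-A", "outlook.exe", "-"),
    Sighting("2016-03-15T09:02:10Z", "ws-01", "hash-A", "invoice.exe", "203.0.113.7:443"),
    Sighting("2016-03-15T09:05:44Z", "ws-07", "hash-A", "outlook.exe", "-"),
    Sighting("2016-03-15T09:06:00Z", "ws-07", "hash-B", "chrome.exe", "-"),
]


def run_demo():
    """Returns the point-in-time decisions, the retrospective alerts, and the
    decision for a sighting that arrives after the verdict changed."""
    tracker = RetrospectiveTracker()
    decisions = [tracker.ingest(s) for s in FEED]        # all "allow": nothing known bad yet
    alerts = tracker.update_disposition("hash-A", "malicious")
    later = tracker.ingest(Sighting("2016-03-15T10:00:00Z", "ws-09", "hash-A", "outlook.exe", "-"))
    return decisions, alerts, later


if __name__ == "__main__":
    decisions, alerts, later = run_demo()
    for host, hits in scope_hosts(alerts).items():
        print(host, [(h.process, h.net_io) for h in hits])
```

The point the demo makes is the gap between the two columns of output: every sighting in FEED was allowed, yet after the verdict flips, scope_hosts lists both workstations, including the one where the file was executed by invoice.exe and reached a network peer, which is exactly the trajectory a responder wants during the AFTER phase.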
Outbreak Filters: Zero-Hour URL and File Based Malware Protection
Cloud-powered zero-hour virus and malware detection, alongside Advanced Malware Protection
Outbreak Filters in Action: a virus filter with a dynamic quarantine, driven by Cisco® Talos
Outbreak Filters Advantage:
• Average lead time*: Over 13 hours
• Outbreaks blocked*: 291 outbreaks
• Total incremental protection*: Over 157 days
Outbreak Filters: Defend Against Blended Attacks
When a link is clicked, the requested website is inspected dynamically in real time via HTTP (Cisco® Talos): a clean website is allowed, a malicious website is blocked and the user sees the block page:
“Cisco Security. The requested web page has been blocked. http://www.threatlink.com. Cisco Email and Web Security protects your organization’s network from malicious software. Malware is designed to look like a legitimate email or website which accesses your computer, hides itself in your system, and damages files.”
Outstanding URL Defense: Many Ways of Protecting End Users from Malicious or Inappropriate Links
An email containing a URL goes through URL analysis (Cisco® Talos Web Reputation and/or Web Categorization); the URL is then Rewritten (sent to cloud), Defanged (for example BLOCKEDwww.playboy.comBLOCKED, BLOCKEDwww.proxy.orgBLOCKED), or Replaced (“This URL is blocked by policy”). Automated with Outbreak Filters or manual.
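The three URL actions named above (rewrite, defang, replace), applied to the URLs in a message body by a simple administrator-style policy. This is an added example, not Cisco code: the reputation/category table stands in for a Talos lookup, the hostnames under .example, the score threshold and the cloud-inspection endpoint https://secure-proxy.example/ are constructed assumptions.

```python
# Added example: rewrite / defang / replace decisions for URLs in an email
# body, driven by a constructed web reputation + category table that stands
# in for a Talos lookup. Not Cisco code; all hosts and thresholds are assumed.
import re
from urllib.parse import quote, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed intel: host -> (web reputation score, web category).
WEB_INTEL = {
    "www.threatlink.example": (-8.5, "Malware"),
    "www.adult.example": (2.0, "Adult"),
    "www.proxy.example": (1.0, "Proxy Avoidance"),
    "www.news.example": (6.0, "News"),
}

# Assumed policy: inappropriate categories are defanged, clearly malicious
# reputation is replaced with a notice, unknown hosts are rewritten so the
# click is inspected in the cloud at click time, everything else passes.
BLOCKED_CATEGORIES = {"Adult", "Proxy Avoidance"}
MALICIOUS_THRESHOLD = -6.0
REWRITE_PREFIX = "https://secure-proxy.example/?u="   # assumed inspection endpoint


def defang(url: str) -> str:
    """Make a URL unclickable while keeping it readable (the slide's BLOCKED... form)."""
    host = urlsplit(url).hostname or ""
    return f"BLOCKED{host}BLOCKED"


def decide(url: str) -> str:
    """Map a URL to one of: defang, replace, rewrite, allow."""
    host = (urlsplit(url).hostname or "").lower()
    score, category = WEB_INTEL.get(host, (0.0, "Unknown"))
    if category in BLOCKED_CATEGORIES:
        return "defang"
    if score <= MALICIOUS_THRESHOLD:
        return "replace"
    if category == "Unknown":
        return "rewrite"
    return "allow"


def apply_url_policy(body: str) -> tuple:
    """Return the rewritten body and the list of (url, action) decisions."""
    actions = []

    def sub(m):
        raw = m.group(0)
        url = raw.rstrip(".,;:!?)")          # keep trailing punctuation out of the URL
        trail = raw[len(url):]
        action = decide(url)
        actions.append((url, action))
        if action == "defang":
            return defang(url) + trail
        if action == "replace":
            return "\"This URL is blocked by policy\"" + trail
        if action == "rewrite":
            return REWRITE_PREFIX + quote(url, safe="") + trail
        return raw

    return URL_RE.sub(sub, body), actions


if __name__ == "__main__":
    sample = ("Read http://www.news.example/a then http://www.threatlink.example/x, "
              "http://www.adult.example/ and http://unknown.example/p")
    new_body, decisions = apply_url_policy(sample)
    print(new_body)
    print(decisions)
```

Rewriting rather than blocking unknown hosts is what makes time-of-click analysis possible: the verdict is taken when the user clicks, not when the message was scanned, which is the blended-attack case the previous slide describes.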
Web Interaction Tracking: Enabling Tracking of URLs Rewritten by Policy
Rewritten URL: 2asyncfs.com
Click Time: 09:23:25 12 Jan 2015
Re-write reason: Outbreak
Action taken: Blocked
Rewritten URL: 5asynxsf.com
Click Time: 11:01:13 09 Mar 2015
Re-write reason: Policy
Action taken: Allowed
Rewritten URL: 8esynttp.com
Click Time: 16:17:44 15 Jun 2015
Re-write reason: Outbreak
Action taken: Blocked
Potentially malicious URLs clicked by users (A, B, C) across applications are filtered, and the rewritten URLs let administrators monitor users from a single pane of glass
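A parser for click-tracking records in the shape shown above, with the per-user summary the “single pane of glass” implies. This is an added example, not Cisco code: the three records are the slide's samples, but their assignment to User A, B and C (the "User X" lines in the log) is constructed, as is the four-line log format itself.

```python
# Added example: parse web interaction tracking (WIT) records like the slide's
# and summarise clicks on rewritten URLs per user. The user labels and the
# line-oriented log format are constructed; not Cisco code.
from collections import Counter
from datetime import datetime

# Constructed log: a "User X" line precedes each user's records, which carry
# the slide's four fields one per line.
SAMPLE_LOG = """\
User A
Rewritten URL: 2asyncfs.com
Click Time: 09:23:25 12 Jan 2015
Re-write reason: Outbreak
Action taken: Blocked
User B
Rewritten URL: 5asynxsf.com
Click Time: 11:01:13 09 Mar 2015
Re-write reason: Policy
Action taken: Allowed
User C
Rewritten URL: 8esynttp.com
Click Time: 16:17:44 15 Jun 2015
Re-write reason: Outbreak
Action taken: Blocked
"""


def parse_wit_log(text: str) -> list:
    """Return one dict per click record, tagged with the user it appears under."""
    records, user, cur = [], None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("User "):
            user = line
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        cur[key.strip()] = value.strip()
        if key.strip() == "Action taken":      # last field of a record
            records.append({
                "user": user,
                "url": cur["Rewritten URL"],
                "time": datetime.strptime(cur["Click Time"], "%H:%M:%S %d %b %Y"),
                "reason": cur["Re-write reason"],
                "action": cur["Action taken"],
            })
            cur = {}
    return records


def summarize(records: list) -> dict:
    """Per-user counts of actions and rewrite reasons for the single-pane view."""
    out = {}
    for r in records:
        u = out.setdefault(r["user"], {"Blocked": 0, "Allowed": 0, "reasons": Counter()})
        u[r["action"]] = u.get(r["action"], 0) + 1
        u["reasons"][r["reason"]] += 1
    return out


def users_needing_follow_up(records: list) -> list:
    """Users who clicked a link rewritten because of an outbreak, even if the
    click was blocked: candidates for the AFTER phase (scope, contain)."""
    return sorted({r["user"] for r in records if r["reason"] == "Outbreak"})


if __name__ == "__main__":
    recs = parse_wit_log(SAMPLE_LOG)
    for user, stats in summarize(recs).items():
        print(user, stats["Blocked"], "blocked,", stats["Allowed"], "allowed,", dict(stats["reasons"]))
    print("follow up:", users_needing_follow_up(recs))
```

A blocked click is still a signal: the user received and acted on a message that Outbreak Filters had flagged, so the follow-up list is keyed on the rewrite reason rather than on the action taken.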
Mitigating one of Today’s Most Significant Cyber Threats: Ransomware
Rob Gregg – Channel Systems Engineering @OpenDNS
YOUR FILES ARE ENCRYPTED
Ransomware Discoveries
Typical Ransomware Infection: Infection Vector → C2 Comms & Asymmetric Key Exchange → Encryption of Files → Request of Ransom (diagram legend: Encryption, C&C, Payment, MSG)
C&C channel by ransomware family (slide columns: DNS, IP, No C&C, TOR payment):
NAME           C&C
Locky          DNS
SamSam         DNS (TOR)
TeslaCrypt     DNS
CryptoWall     DNS
TorrentLocker  DNS
PadCrypt       DNS (TOR)
CTB-Locker     DNS
FAKBEN         DNS (TOR)
PayCrypt       DNS
KeyRanger      DNS
Ransomware Kill Chain in Detail
• User clicks a link or malvertising → malicious infrastructure → initial exploit using Angler → ransomware payload
• Email w/ malicious attachment → ransomware payload
• Payload obtains its encryption key from C2 infrastructure
How Cisco Protects Customers from Ransomware (along the kill chain):
• Umbrella blocks the request
• NGFW blocks the connection
• Web or Email Security w/ AMP blocks the file
• AMP for Endpoints blocks the file
• Umbrella blocks the request; NGFW blocks the connection; Lancope detects the activity
• Umbrella blocks the request
Umbrella, Next-Gen Firewall, AMP, Lancope
OpenDNS Technology Overview
NOTE1: Visual Investigations of Botnet Command and Control Behavior (link)
• malware reached out to 150,000 C2 servers over 100,000 TCP/UDP ports
• malware often used 866 (TCP) & 1018 (UDP) “well known” ports, whereas legitimate traffic used 166 (TCP) & 19 (UDP) ports
NOTE2: Forthcoming 2016 Cisco Annual Security Report
• 9% had IP connections only and/or legitimate DNS requests
• 91% had IP connections, which were preceded by malicious DNS lookups
• very few had no IP connections
Why leverage DNS to Detect and Block Threats: most attacker C2 is initiated via DNS lookups, with some non-web callbacks
Non-web C2 examples (DNS lookup, then IP connections over web or non-web ports): Zbot, ZeroAccess, njRAT, Regin, Gh0st, Storm, Pushdo/Cutwail, DarkComet, Bifrose, Lethic, Kelihos, Gameover Zeus, Citadel, Tinba, Hesperbot, Bouncer (APT1), Glooxmail (APT1), Longrun (APT1), Seasalt (APT1), Starsypound (APT1), Biscuit (APT1), PoisonIvy
• 15% of C2 bypasses web ports 80 & 443 (Lancope Research, now part of Cisco: millions of unique malware samples from small office LANs over 2 years; see NOTE1)
• 91% of C2 can be blocked at the DNS layer (Cisco AMP Threat Grid Research: millions of unique malware samples submitted to sandbox over 6 months; see NOTE2)
Our Perspective: Diverse Set of Data
• 80B requests per day
• 160+ countries
• 65M daily active users
• 12K enterprise customers
Anatomy of a Cyber Attack: Reconnaissance and Infrastructure Setup (Domain Registration, IP, ASN Intel., Public / Private Announcements), Patient Zero Hit, Target Expansion, Wide-Scale Prevalence, Defense Signatures Built, Monitor Adaption Based on Results
We See Where Attacks Are Staged: using modern data analysis to surface threat activity in unique ways
Real World Example: Blocking Locky
Feeling Locky?
- Encrypts & renames the infected device’s important files with the .locky extension
- Approx. 90,000 victims per day [1]
- Ransom ranges from 0.5–1.0 BTC (1 BTC ~ 422 USD)
- Linked to Dridex operators
[1] Forbes, Ransomware Crisis
Blocking Ransomware: Real World Example with a Locky Domain, glslindia[.]com (detection date: 15/03/2016)
Blocking Ransomware, Locky: Real World Example (graph)
• Domains in red are automatically blocked by OpenDNS
• Hash of the malicious file downloaded from these domains
• Malware download URL
• These domains co-occur
• These domains share the same infrastructure
Before, During, After: current malware distribution point → infection point → next malware distribution points. Expose the attacker’s infrastructure (nameservers and IPs) to predict the next moves
Discover the Threats Before They Happen
VT Link: https://virustotal.com/en/file/07bed9baa42996bded75dacf5c2611ba5d3a3f19b8588ea734530f74c2586087/analysis/
(first VT submission: 2016-03-18 16:51:45 three days after OpenDNS, see next slide)
Products & Technologies: What does OpenDNS Provide
Umbrella (Enforcement): network security service that protects any device, anywhere (resolver 208.67.222.222). Blocks by category: Malware, C2 Callback, Phishing, Custom (API). Identities: Internal IP, Hostname, AD User
Investigate (Intelligence): discover and predict attacks before they happen. API lookups by Domain, IP, ASN, Email, Hash return Status & Scores, Co-occurrences, Relationships, Attributions, Patterns & GEOs
Security Labs
Automate Security to Reduce Attack Dwell Time
Customer community → files → AMP Threat Grid - Cloud (customer & partner threat analysis & intelligence) → domains → Umbrella (Enforcement & Visibility): automatically pulls newly discovered malicious domains in minutes and logs or blocks all Internet activity destined to these domains
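The DNS-layer enforcement described on the Umbrella slides, and the “expose the attacker’s infrastructure to predict the next moves” idea from the Locky example, as one added example. This is not OpenDNS/Umbrella code: the seed indicator glslindia[.]com is the domain named on the slide, but the nameservers, IP addresses, the other domains, the passive-DNS style table and the query log lines are all constructed, as is the log format.

```python
# Added example: expand a block list seeded with a newly discovered malicious
# domain to domains sharing its nameservers/IPs, then log or block matching
# queries from a DNS query log. The seed is the slide's indicator; every other
# domain, nameserver, IP and log line is constructed. Not Umbrella code.


def refang(indicator: str) -> str:
    """Turn the defanged 'glslindia[.]com' form used in reports into a resolvable name."""
    return indicator.replace("[.]", ".").lower()


# Constructed passive-DNS style view: domain -> (nameservers, resolved IPs).
INFRA = {
    "glslindia.com":      ({"ns1.bad-ns.example"}, {"203.0.113.10"}),
    "next-drop.example":  ({"ns1.bad-ns.example"}, {"203.0.113.11"}),
    "other-drop.example": ({"ns2.other.example"},  {"203.0.113.10"}),
    "legit-shop.example": ({"ns.legit.example"},   {"198.51.100.5"}),
}


def expand_blocklist(seeds, infra=INFRA, hops=1) -> set:
    """Add every domain that shares a nameserver or an IP with a blocked domain,
    repeated `hops` times (one pivot from the seed by default)."""
    blocked = {refang(s) for s in seeds}
    for _ in range(hops):
        ns_seen = set().union(*(infra[d][0] for d in blocked if d in infra))
        ip_seen = set().union(*(infra[d][1] for d in blocked if d in infra))
        for dom, (ns, ips) in infra.items():
            if ns & ns_seen or ips & ip_seen:
                blocked.add(dom)
    return blocked


def parse_query_line(line: str) -> dict:
    """Constructed log format: '<timestamp> <client-ip> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def enforce(lines, blocklist, mode="block") -> list:
    """Decide per query. A blocked name matches itself and any subdomain.
    mode='log' only records the hit; mode='block' refuses resolution."""
    out = []
    for line in lines:
        q = parse_query_line(line)
        hit = any(q["qname"] == b or q["qname"].endswith("." + b) for b in blocklist)
        if hit:
            q["verdict"] = "blocked" if mode == "block" else "logged"
        else:
            q["verdict"] = "resolved"
        out.append(q)
    return out


# Constructed query log from two internal clients.
QUERY_LOG = [
    "2016-03-15T10:01:02Z 10.0.0.12 www.legit-shop.example A",
    "2016-03-15T10:01:05Z 10.0.0.12 glslindia.com. A",
    "2016-03-15T10:01:09Z 10.0.0.33 cdn.next-drop.example A",
    "2016-03-15T10:01:15Z 10.0.0.33 other-drop.example A",
]


def run_demo():
    """Seed with the slide's indicator, pivot once, and enforce over the log."""
    blocklist = expand_blocklist(["glslindia[.]com"])
    return blocklist, enforce(QUERY_LOG, blocklist)


if __name__ == "__main__":
    blocklist, decisions = run_demo()
    print(sorted(blocklist))
    for d in decisions:
        print(d["client"], d["qname"], d["verdict"])
```

Running in log mode first is the usual way to size the blast radius of an infrastructure pivot: a shared IP can be a hosting provider rather than attacker-controlled, so the pivoted domains are watched for a while before they are moved to block.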
Prevent and Contain Ransomware with Umbrella and AMP
Talos has developed a decryption tool to aid users whose files have been encrypted by TeslaCrypt ransomware. The Talos TeslaCrypt Decryption Tool is an open source command line utility for decrypting TeslaCrypt-encrypted files so users’ files can be returned to their original state.
http://www.talosintelligence.com/teslacrypt_tool/