Cisco Security Experts Series: Ransom Where…Everywhere: Breaking Down the Ransomware

Andrew Edwards / Rob Gregg, Cyber Security @ Cisco, July 6th, 2016

Transcript of the slide deck (42 pages)

Page 1

Andrew Edwards / Rob Gregg

Cyber Security @ Cisco

July 6th, 2016

Cisco Security Experts Series:

Ransom Where…Everywhere: Breaking Down the Ransomware

Page 2

Better Security Visibility

Securing the Mobile Enterprise

Harden and Segment the Network

Improve Results with Security Services

Protect Against Advanced Malware

Security as a Network Driver

Page 3

Our goal is to make security less complex by providing a best of breed portfolio that’s deeply integrated and delivers solutions that are superb individually, but vastly more powerful when used together.

Effective Security Is Delivered When The Pieces Work Together. Seamlessly.

Page 4

Email Security For Ransomware

• In email, ransomware uses phishing or spam messages to gain a foothold. Users merely have to click links in phishing or spam email, or open attachments, for ransomware to download and call out to its command-and-control server.

• Cisco Email Security with Advanced Malware Protection (AMP) blocks spam and phishing emails as well as malicious email attachments and URLs.

Page 5

Cisco Email Security Benefits

• Signature and behavioral layers of defense built into a single appliance
• Multiple anti-spam engines, Email and Web Reputation, multiple AV scanners, and Outbreak Filters
• Exceptional threat identification infrastructure using Cisco’s Talos Research Group
• Zero-day and blended threat protection
• Advanced Malware Protection

“With Cisco, a substantial reduction in total cost of ownership and the new features to battle viruses and spam [are] a reality.”
Kenichi Tabata, Komatsu Ltd., Japan

Threat-Focus

Page 6

To Defend Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum

Attack Continuum:
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

Control points: Network, Endpoint, Mobile, Virtual, Cloud, Email, Web
Coverage: Point-in-Time and Continuous

Page 7

Cisco Email Security Overview (diagram)

Deployment options: Appliance, Virtual, Cloud. Management/Admin: Reporting, Message Tracking. All engines are fed by Talos threat intelligence.

Inbound email processing from the incoming threat, mapped to BEFORE / DURING / AFTER:
• Acceptance Controls: Email Reputation, Mail Flow Policies
• Anti-Spam, Anti-Virus, Outbreak Filters, Graymail Management, Safe Unsubscribe
• Content Controls
• Advanced Malware Protection (AMP): File Reputation, File Sandboxing and Retrospection (ThreatGrid)
• Anti-Phish: URL Reputation & Categorization, Web Interaction Tracking (WIT) of user click activity

Page 8

Cisco Email Security Integration with Threat Intelligence: Built on Unmatched Collective Security Analytics

Cisco® Talos Threat Intelligence, Research and Response draws on:
• 180,000+ file samples per day
• FireAMP™ community
• Advanced Microsoft and industry disclosures
• Snort and ClamAV open source communities
• Honeypots
• Sourcefire AEGIS™ program
• Private and public threat feeds
• Dynamic analysis

Telemetry sources: Email, Endpoints, Web, Networks, IPS, Devices

• 1.6 Million Global Sensors
• 100 TB of Data Received per Day
• 150 Million+ Deployed Endpoints
• 600+ Engineers, Technicians, and Researchers
• 35% of Worldwide Email Traffic
• 13 Billion Web Requests
• 24 x 7 x 365 Operations
• 40+ Languages

Intelligence is delivered to the Email Security Appliance (ESA).

Page 9

Breadth and Quality of Data Make the Difference

Cisco Talos Email Reputation Database produces an IP Reputation Score from -10 to +10, built from:
• Spam Traps
• Complaint Reports
• IP Blacklists and Whitelists
• Message Composition Data
• Compromised Host Lists
• Website Composition Data
• Global Volume Data
• Domain Blacklist and Safelists
• Other Data

Page 10

Cisco Email Security Delivers Industry-Leading Inbound Security

Threat Protection: Anti-Spam, Antivirus, Advanced Malware Protection (AMP), Outbreak Filters
Data Security: Data Loss Prevention, Encryption

Page 11

Prevent Spoofing Attacks: Forged Email Detection (FED)

Incoming mail (good, bad, unknown) → FED content filter → quarantined, or the spoofed “Mail From” is exposed → other actions.

Suspect spoofs: prepend with a warning, BCC, alternate destination, etc.

FED filter parameters:
• Exec name directory
• Cousin domain check
• LDAP query
• DMARC verification
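The FED parameters above, as an added example in Python that is not Cisco's filter code: an in-memory executive directory stands in for the LDAP query, the cousin-domain check is an edit-distance test against the organisation's own domain, and the DMARC result is taken from an upstream Authentication-Results header rather than verified here. The domains, addresses, sample messages and the threshold (one indicator prepends a warning, two or more quarantine) are all constructed assumptions.

```python
"""Forged Email Detection-style content filter (added example; not Cisco code).

Assumptions, none of which come from the slide: the executive directory is an
in-memory dict standing in for the LDAP query, the cousin-domain check is an
edit-distance comparison against our own domain, and the DMARC result is read
from an upstream Authentication-Results header rather than verified here.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"      # constructed: the protected organisation
EXEC_DIRECTORY = {                   # constructed: stands in for the LDAP query
    "jane doe": "jane.doe@example.com",
    "mark smith": "mark.smith@example.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the cousin-domain check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_cousin_domain(domain: str, internal: str = INTERNAL_DOMAIN, max_dist: int = 2) -> bool:
    """True for look-alike domains: within a few edits of ours, but not ours or a subdomain."""
    domain = domain.lower()
    if domain == internal or domain.endswith("." + internal):
        return False
    return edit_distance(domain, internal) <= max_dist


def forged_email_reasons(raw: str) -> list:
    """Return the FED findings for one RFC 5322 message (empty list = no spoof indicators)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []

    # Exec name directory: display name claims an executive but the address is not theirs
    expected = EXEC_DIRECTORY.get(display.strip().lower())
    if expected and addr != expected:
        reasons.append(f"display name '{display}' maps to {expected}, From address is {addr}")

    # Cousin domain: sender domain is a near-miss of our own
    if is_cousin_domain(domain):
        reasons.append(f"cousin domain {domain} resembles {INTERNAL_DOMAIN}")

    # DMARC: trust the verdict the border MTA recorded (constructed header format)
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        reasons.append("upstream DMARC verification failed")
    return reasons


def filter_message(raw: str):
    """Assumed policy: one indicator prepends a warning, two or more quarantine."""
    reasons = forged_email_reasons(raw)
    msg = message_from_string(raw)
    if not reasons:
        return "deliver", msg
    subject = msg.get("Subject", "")
    del msg["Subject"]
    msg["Subject"] = "[SUSPECTED SPOOF] " + subject
    msg["X-FED-Reason"] = "; ".join(reasons)
    return ("quarantine" if len(reasons) > 1 else "warn"), msg


# Constructed sample messages
SPOOFED_EXEC = """From: Jane Doe <jane.doe@examp1e.com>
To: accounts@example.com
Subject: Urgent wire transfer

Please process today."""

DMARC_FAILED = """Authentication-Results: mx.example.com; dmarc=fail header.from=partner.test
From: Billing <billing@partner.test>
To: accounts@example.com
Subject: Invoice attached

See attachment."""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 numbers

Attached."""

if __name__ == "__main__":
    for raw in (SPOOFED_EXEC, DMARC_FAILED, LEGITIMATE):
        action, msg = filter_message(raw)
        print(action, "|", msg["Subject"], "|", msg.get("X-FED-Reason", ""))
```

The display-name check is what catches the classic "CEO wire transfer" lure: the name matches the directory, the address does not. Subdomains of the protected domain are excluded from the cousin check so that internal relay hosts are not flagged.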

Page 12

Antispam Defense in Depth

Incoming mail (good, bad, and unknown email) → Cisco® Talos reputation (who, what, when, where, how) → Cisco Anti-Spam

• Known bad mail is blocked before it enters the network
• Suspicious mail is rate limited and spam filtered
• Choice of scanning engines to suit every customer’s risk posture
• > 99% catch rate
• < 1 in 1 million false positives

Page 13

Antivirus Defense in Depth

Anti-spam engines: Cisco Anti-Spam, IMS (Intelligent Multi-Scan)
Choice of anti-virus engines: Sophos, McAfee

Page 14

Cisco Zero-Hour Malware Protection: Advanced Malware Protection and Outbreak Filters

Advanced Malware Protection (Cisco® AMP integration):
• File Reputation: known file reputation lookup
• File Sandboxing: unknown files are uploaded for sandboxing (archives, Windows PE, PDF, MS Office); the verdict feeds a reputation update

Page 15

AMP Provides Continuous Retrospective Security

Breadth and control points: Endpoints, Network, Email, Web, Devices, IPS
Telemetry stream (continuous feed): file fingerprint and metadata, process information, file and network I/O
Continuous analysis across BEFORE / DURING / AFTER

Page 16

Outbreak Filters: Zero-Hour URL- and File-Based Malware Protection

Cloud-powered zero-hour virus and malware detection (Cisco® Talos), alongside Advanced Malware Protection.
Outbreak Filters in action: virus filter → dynamic quarantine.

Outbreak Filters advantage:
• Average lead time*: over 13 hours
• Outbreaks blocked*: 291 outbreaks
• Total incremental protection*: over 157 days

Page 17

Outbreak Filters: Defend Against Blended Attacks

Link is clicked → dynamic, real-time inspection via HTTP (Cisco® Talos) → website is clean, or website is blocked.

Block page shown to the user:
“Cisco Security: The requested web page has been blocked. http://www.threatlink.com. Cisco Email and Web Security protects your organization’s network from malicious software. Malware is designed to look like a legitimate email or website which accesses your computer, hides itself in your system, and damages files.”

Page 18

Outstanding URL Defense: Many Ways of Protecting End Users from Malicious or Inappropriate Links

Email contains URL → URL analysis by Cisco® Talos (Web Reputation and/or Web Category) → action:
• Rewrite (send to cloud)
• Defang (e.g. BLOCKEDwww.playboy.comBLOCKED, BLOCKEDwww.proxy.orgBLOCKED)
• Replace (“This URL is blocked by policy”)

Automated with Outbreak Filters or manual.

Page 19

Web Interaction Tracking: Enabling Tracking of URLs Rewritten by Policy

Potentially malicious URLs → filtering → rewritten URLs. Monitor users from a single pane of glass.

User     Rewritten URL   Click Time             Re-write reason   Action taken
User A   2asyncfs.com    09:23:25 12 Jan 2015   Outbreak          Blocked
User B   5asynxsf.com    11:01:13 09 Mar 2015   Policy            Allowed
User C   8esynttp.com    16:17:44 15 Jun 2015   Outbreak          Blocked
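The rewrite, defang and replace actions of the previous slide, together with the click-time tracking record on this one, as an added Python example that is not part of Cisco's product: the click proxy host secure-web.example.net, the verdict table standing in for the Talos URL reputation and category lookup, the per-verdict policy and the sample message body are all constructed.

```python
"""URL defense for mail bodies plus click-time tracking (added example; not Cisco code).

Shows the three actions on the slide (rewrite, defang, replace) driven by a
reputation/category verdict, and the Web Interaction Tracking row produced when
a rewritten link is clicked. Proxy host, verdict table and sample body are
constructed stand-ins for the Talos lookup and a real message.
"""
import re
from urllib.parse import quote, unquote, urlsplit

PROXY = "https://secure-web.example.net/click?u="   # hypothetical click-time proxy
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# host -> (verdict, rewrite reason shown in the tracking report); constructed
REPUTATION = {
    "malware.test": ("malicious", "Outbreak"),
    "adult.test": ("inappropriate", "Policy"),
    "news.test": ("clean", None),
}
# Which of the slide's actions each verdict gets (assumed policy)
POLICY = {"malicious": "rewrite", "unknown": "defang",
          "inappropriate": "replace", "clean": "leave"}
BLOCK_TEXT = "[This URL is blocked by policy]"


def lookup(url, table=REPUTATION):
    """Web Rep / Web Cat verdict for a URL's host; hosts not in the table are 'unknown'."""
    return table.get(urlsplit(url).hostname or "", ("unknown", None))


def rewrite(url):
    """Route the click through the proxy so the verdict is re-checked at click time."""
    return PROXY + quote(url, safe="")


def defang(url):
    """Make the link unclickable but still readable: hxxps://host[.]tld."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def process_body(body, table=REPUTATION):
    """Apply POLICY to every URL found in a message body."""
    def handle(match):
        url = match.group(0)
        action = POLICY[lookup(url, table)[0]]
        if action == "rewrite":
            return rewrite(url)
        if action == "defang":
            return defang(url)
        if action == "replace":
            return BLOCK_TEXT
        return url
    return URL_RE.sub(handle, body)


def click(rewritten, user, click_time, table=REPUTATION):
    """Click-time check of a rewritten URL; returns one tracking-report row."""
    if not rewritten.startswith(PROXY):
        raise ValueError("not a rewritten URL")
    original = unquote(rewritten[len(PROXY):])
    verdict, reason = lookup(original, table)    # looked up again, at click time
    return {"user": user, "url": original, "click_time": click_time,
            "rewrite_reason": reason or "Policy",
            "action": "Blocked" if verdict == "malicious" else "Allowed"}


# Constructed message body with one URL per verdict
SAMPLE_BODY = ("Invoice: https://malware.test/inv.exe ; tracking https://unknown.test/t "
               "; lunch https://adult.test/menu ; news https://news.test/today")

if __name__ == "__main__":
    print(process_body(SAMPLE_BODY))
    print(click(rewrite("https://malware.test/inv.exe"), "User A", "09:23:25 12 Jan 2015"))
```

The point of rewriting rather than blocking at delivery time is the second lookup in click(): a link that was clean when the message arrived but is malicious by the time the user clicks it is still blocked, and the click is logged against the user either way.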

Page 20

Mitigating one of Today’s Most Significant Cyber Threats: Ransomware

Rob Gregg – Channel Systems Engineering @OpenDNS

[email protected]

Page 21

YOUR FILES ARE ENCRYPTED

Page 22 (slide 24)

Ransomware Discoveries

Page 23 (slide 25)

Typical Ransomware Infection

Infection Vector → C2 Comms & Asymmetric Key Exchange → Encryption of Files → Request of Ransom

Page 24

How ransomware families reach their encryption C&C and deliver the payment message (columns as on the slide: DNS, IP, No C&C, TOR, Payment):

NAME            DNS   IP   NO C&C   TOR   PAYMENT
Locky           x
SamSam          x                   x
TeslaCrypt      x
CryptoWall      x
TorrentLocker   x
PadCrypt        x                   x
CTB-Locker      x
FAKBEN          x                   x
PayCrypt        x
KeyRanger       x

Encryption C&C · Payment MSG

Page 25 (slide 27)

Ransomware Kill Chain in Detail

Web path: user clicks a link or malvertising → malicious infrastructure → initial exploit using Angler → ransomware payload
Email path: email with malicious attachment → ransomware payload
Then: encryption key obtained from the C2 infrastructure

Page 26 (slide 28)

How Cisco Protects Customers from Ransomware (overlaid on the kill chain, in order)

• Umbrella blocks the request
• NGFW blocks the connection
• Web or Email Security with AMP blocks the file
• AMP for Endpoints blocks the file
• Umbrella blocks the request; NGFW blocks the connection; Lancope detects the activity
• Umbrella blocks the request

Products: Umbrella, Next-Gen Firewall, AMP, Lancope

Page 27 (slide 29)

OpenDNS Technology Overview

Page 28 (slide 30)

Why leverage DNS to Detect and Block Threats: most attacker C2 is initiated via DNS lookups, with some non-Web callbacks

Paths shown: DNS lookup followed by a Web or non-Web connection, or a direct IP connection with no DNS.

Lancope Research (now part of Cisco)¹: millions of unique malware samples from small office LANs over 2 years. 15% of C2 bypasses Web ports 80 & 443.
NOTE1: Visual Investigations of Botnet Command and Control Behavior (link)
• malware reached out to 150,000 C2 servers over 100,000 TCP/UDP ports
• malware often used 866 (TCP) & 1018 (UDP) “well known” ports, whereas legitimate traffic used 166 (TCP) & 19 (UDP) ports

Cisco AMP Threat Grid Research²: millions of unique malware samples submitted to sandbox over 6 months. 91% of C2 can be blocked at the DNS layer.
NOTE2: Forthcoming 2016 Cisco Annual Security Report
• 91% had IP connections which were preceded by malicious DNS lookups
• 9% had IP connections only and/or legitimate DNS requests
• very few had no IP connections

Non-Web C2 examples: Zbot, ZeroAccess, njRAT, Regin, Gh0st, Storm, Pushdo/Cutwail, DarkComet, Bifrose, Lethic, Kelihos, Gameover Zeus, Citadel, Tinba, Hesperbot, Bouncer (APT1), Glooxmail (APT1), Longrun (APT1), Seasalt (APT1), Starsypound (APT1), Biscuit (APT1), PoisonIvy

Page 29 (slide 31)

Our Perspective: Diverse Set of Data

• 80B requests per day
• 160+ countries
• 65M daily active users
• 12K enterprise customers

Page 30

Anatomy of a Cyber Attack

Reconnaissance and infrastructure setup (domain registration, IP, ASN intel., public/private announcements) → Patient zero hit → Defense signatures built → Target expansion → Wide-scale prevalence → Monitor adaptation based on results

Page 31

We See Where Attacks Are Staged: using modern data analysis to surface threat activity in unique ways

Page 32 (slide 34)

Real World Example Blocking Locky

Page 33 (slide 35)

Feeling Locky?

- Encrypts and renames the infected device’s important files with a .locky extension
- Approximately 90,000 victims per day [1]
- Ransom ranges from 0.5 to 1.0 BTC (1 BTC ~ 422 USD)
- Linked to Dridex operators

[1] Forbes, Ransomware Crisis
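A host-side check for the rename behaviour described above, as an added Python example that is not from the slides: a burst of renames into the .locky extension by one process on one host inside a short window is the signal. The file events, process names, host name and the 20-renames-in-10-seconds threshold are constructed.

```python
"""Host-side detection of a Locky-style encryption run (added example; not from the slides).

Locky renames each victim file with a .locky extension, so the tell-tale is a
burst of renames into that extension from one process on one host inside a
short window. File-event records, process names and threshold are constructed.
"""
from collections import defaultdict, deque

RANSOM_EXTENSIONS = (".locky",)   # extend with other families' extensions as needed


def is_ransom_rename(op, dst):
    """True when a rename's destination carries a known ransomware extension."""
    return op == "rename" and dst.lower().endswith(RANSOM_EXTENSIONS)


def detect_bursts(events, threshold=20, window=10.0):
    """Alert once per (host, pid) that performs `threshold` ransom renames within `window` seconds."""
    recent = defaultdict(deque)   # (host, pid) -> timestamps of recent ransom renames
    alerted, alerts = set(), []
    for ts, host, pid, proc, op, src, dst in sorted(events, key=lambda e: e[0]):
        if not is_ransom_rename(op, dst):
            continue
        q = recent[(host, pid)]
        q.append(ts)
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold and (host, pid) not in alerted:
            alerted.add((host, pid))
            alerts.append({"host": host, "pid": pid, "process": proc,
                           "renames": len(q), "first": q[0], "last": ts,
                           "example": f"{src} -> {dst}"})
    return alerts


# Constructed events: (time, host, pid, process, op, src, dst)
EVENTS = [(1000.0 + i * 0.2, "ws-17", 4120, "invoice_scan.exe", "rename",
           f"C:\\Users\\bob\\Documents\\report{i}.docx",
           f"C:\\Users\\bob\\Documents\\{i:016X}.locky") for i in range(25)]
EVENTS += [  # benign user activity on the same host; the second one ends in .bak, not .locky
    (1002.0, "ws-17", 300, "explorer.exe", "rename",
     "C:\\Users\\bob\\notes.txt", "C:\\Users\\bob\\notes-old.txt"),
    (1003.5, "ws-17", 300, "explorer.exe", "rename",
     "C:\\Users\\bob\\sample.locky", "C:\\Users\\bob\\sample.locky.bak"),
]

if __name__ == "__main__":
    for alert in detect_bursts(EVENTS):
        print(alert)
```

Keying the window on (host, pid) rather than on the host alone keeps a user who renames a couple of files by hand from inheriting the count of the encrypting process; the alert carries one example rename so the responder can see the naming pattern immediately.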

Page 34 (slide 36)

Blocking Ransomware: Real World Example with a Locky Domain, glslindia[.]com (detection date: 15/03/2016)

Page 35 (slide 37)

Blocking Ransomware, Locky: Real World Example (Investigate graph)

Domains in red are automatically blocked by OpenDNS. The graph shows the malware download URL, the hash of the malicious file downloaded from these domains, the domains that co-occur, and the domains that share the same infrastructure.

Page 36 (slide 38)

Blocking Ransomware, Locky: Real World Example

Before: current malware distribution point → During: infection point → After: next malware distribution points
Expose the attacker’s infrastructure (nameservers and IPs) to predict the next moves.
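The pivot shown on the last three slides, as an added Python example that is not OpenDNS Investigate or Umbrella code: starting from glslindia[.]com it collects domains sharing the same nameservers or IPs and domains that clients resolve within a minute of it, then applies the resulting block list to resolver queries, which is where the 91% of C2 preceded by a DNS lookup (page 28) gets cut off. The passive-DNS records, the query log, every other domain name (all under .test) and the addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges are constructed.

```python
"""DNS-layer blocking of ransomware infrastructure (added example; not OpenDNS code).

Starting from the one Locky domain named on the slides, glslindia[.]com, pivot
to domains that share its nameservers or IPs (the "same infrastructure"
relationship) and to domains clients resolve right before or after it
(co-occurrence), then enforce the block list on resolver query logs. Passive-DNS
records, the query log, the other domain names and the IPs are constructed.
"""
from collections import defaultdict

SEED = "glslindia.com"   # Locky download domain from the slide (written defanged there)

# Constructed passive-DNS view: domain -> authoritative nameservers and A records
PASSIVE_DNS = {
    "glslindia.com":       {"ns": {"ns1.bad-hoster.test"}, "ip": {"203.0.113.10"}},
    "payload-two.test":    {"ns": {"ns1.bad-hoster.test"}, "ip": {"203.0.113.11"}},
    "payload-three.test":  {"ns": {"ns9.other.test"},      "ip": {"203.0.113.10"}},
    "cdn.legit-news.test": {"ns": {"ns.cloud-a.test"},     "ip": {"198.51.100.5"}},
    "stage2.test":         {"ns": {"ns.cloud-b.test"},     "ip": {"198.51.100.9"}},
}

# Constructed resolver log: (unix time, client IP, queried name)
QUERY_LOG = [
    (100, "10.0.0.5", "glslindia.com"),
    (110, "10.0.0.5", "stage2.test"),
    (115, "10.0.0.5", "cdn.legit-news.test"),
    (300, "10.0.0.9", "glslindia.com"),
    (320, "10.0.0.9", "stage2.test"),
    (900, "10.0.0.7", "cdn.legit-news.test"),
    (950, "10.0.0.7", "payload-two.test"),
]


def shared_infrastructure(seed, pdns):
    """Domains that share a nameserver or an IP address with the seed."""
    ns, ips = pdns[seed]["ns"], pdns[seed]["ip"]
    return {d for d, rec in pdns.items()
            if d != seed and (rec["ns"] & ns or rec["ip"] & ips)}


def co_occurring(seed, log, window=60, min_clients=2):
    """Names looked up within `window` seconds of the seed by at least `min_clients` clients.

    Requiring several clients is what keeps a single user's unrelated browsing
    (cdn.legit-news.test below) out of the block list."""
    by_client = defaultdict(list)
    for ts, client, qname in log:
        by_client[client].append((ts, qname))
    clients_for = defaultdict(set)
    for client, entries in by_client.items():
        seed_times = [ts for ts, q in entries if q == seed]
        for ts, q in entries:
            if q != seed and any(abs(ts - st) <= window for st in seed_times):
                clients_for[q].add(client)
    return {q for q, c in clients_for.items() if len(c) >= min_clients}


def build_blocklist(seed, pdns, log):
    """Seed plus both kinds of pivot."""
    return {seed} | shared_infrastructure(seed, pdns) | co_occurring(seed, log)


def enforce(log, blocklist):
    """Resolver decision per query; a blocked name would be answered with the block-page IP."""
    return [(client, qname, "block" if qname in blocklist else "allow")
            for _, client, qname in log]


if __name__ == "__main__":
    blocklist = build_blocklist(SEED, PASSIVE_DNS, QUERY_LOG)
    print(sorted(blocklist))
    for row in enforce(QUERY_LOG, blocklist):
        print(row)
```

Two of the blocked names (payload-two.test, payload-three.test) were never queried before the seed was detected: they are caught purely through the nameserver and IP overlap, which is the "predict the next moves" step on the slide.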

Page 37 (slide 39)

Discover the Threats Before They Happen

VT Link: https://virustotal.com/en/file/07bed9baa42996bded75dacf5c2611ba5d3a3f19b8588ea734530f74c2586087/analysis/

(first VT submission: 2016-03-18 16:51:45 three days after OpenDNS, see next slide)

Page 38 (slide 40)

Products & Technologies

• UMBRELLA (Enforcement): network security service that protects any device, anywhere
• INVESTIGATE (Intelligence): discover and predict attacks before they happen

Page 39 (slide 41)

What does OpenDNS Provide

Umbrella (Enforcement), resolver 208.67.222.222:
  Category: Malware, C2 Callback, Phishing, Custom (API)
  Identity: Internal IP, Hostname, AD User, Hostname

Investigate (Intelligence), API keyed on domain, IP, ASN, email, hash:
  Status & Scores, Co-occurrences, Relationships, Attributions, Patterns & GEOs

Security Labs

Page 40 (slide 48)

Automate Security to Reduce Attack Dwell Time

Customer & partner threat analysis & intelligence (AMP Threat Grid Cloud, customer community): files → domains → Umbrella (Enforcement & Visibility)
• Automatically pulls newly discovered malicious domains in minutes
• Logs or blocks all Internet activity destined to these domains

Page 41 (slide 50)

Prevent and Contain Ransomware with Umbrella and AMP

Page 42 (slide 51)

Talos has developed a decryption tool to aid users whose files have been encrypted by TeslaCrypt ransomware. The Talos TeslaCrypt Decryption Tool is an open source command line utility for decrypting TeslaCrypt-encrypted files so that users’ files can be returned to their original state.

http://www.talosintelligence.com/teslacrypt_tool/