Cisco Security Solutions...(DNS Security) Blocked by Cisco AMP for Endpoints (Host Anti-Malware) Web...
Michael Vassigh
Dresden, November 2016
Combined Intelligence against Ransomware
Cisco Security Solutions
The new security model
[Figure: the attack continuum. Scope: Network, Endpoint, Mobile, Virtual, Cloud. Protection modes: Point in Time and Continuous, fed by Threat Intelligence. BEFORE: Discover, Enforce, Harden. DURING: Detect, Block, Defend. AFTER: Scope, Contain, Remediate. Enforcement points listed: RECURSIVE DNS, ANY PORT, ADMIN, NGFW/UTM, URL Filter; backed by a Leading Threat Intelligence Research Group.]
[Figure: Cisco security architecture diagram. Elements shown: Roaming User and Endpoint User, each with AMP for Endpoints; AnyConnect VPN into the DATACENTER; NGFW with AMP for Network; NGIPS and NGIPSv with AMP; Web & Email Security (CWS, WSA, CES, ESA) with AMP for Web & Email and Dynamic Malware Analysis (AMP Threat Grid); Network Traffic Flow Analysis (Stealthwatch) with Block / Warn / Allow actions and a Cloud Option; Identity Services (ISE) and TrustSec for PEOPLE & DEVICES; ASA, ASAv and Meraki MX; CLOUD APPS; CTA; Umbrella (OpenDNS); threat vectors labelled TRAFFIC and ANY PORT; laid out along BEFORE / DURING / AFTER.]
Intelligent cybersecurity to protect against advanced threats
Defending against Ransomware
Ransomware: Easy Profits (*Ransom = German Lösegeld)
• Most profitable malware in history
• Lucrative: direct payment to the attackers
• Cyber-criminals collected $209 million in the first three months of 2016
• At that rate, ransomware is on pace to be a $1 billion a year crime this year
• An example: looking only at the Angler exploit kit delivering ransomware, that is $60 million a year in profits
The Evolution of Ransomware Variants
The confluence of easy and effective encryption, the popularity of exploit kits and phishing, and a willingness of victims to pay have caused an explosion of ransomware variants.
[Figure: timeline 1989 to 2016 (years marked: 1989, 2001, 2005, 2006, 2007, 2008, 2012, 2013, 2014, 2015, 2016), with the milestones "First commercial Android phone" and "Bitcoin network launched", and the variants in order of appearance: PC Cyborg, GPCoder, Fake Antivirus, QiaoZhaz, CRYZIP, Redplus, Reveton, Ransomlock, Dirty Decrypt, Cryptorbit, Cryptographic Locker, Urausy, Cryptolocker, CryptoDefense, Koler, Kovter, Simplelock, Cokri, CTB-Locker, TorrentLocker, Virlock, CoinVault, Svpeng, TeslaCrypt, Lockdroid, Tox, Cryptvault, DMALock, Chimera, Hidden Tear, Lockscreen, TeslaCrypt 2.0, Cryptowall, SamSam, Locky, Cerber, Radamant, Hydracrypt, Rokku, Jigsaw, Powerware, 73V3N, KeRanger, Petya, TeslaCrypt 3.0, TeslaCrypt 4.0, TeslaCrypt 4.1.]
Typical Ransomware Infection
Problem: customers can be taken hostage by malware that locks up critical resources.
[Figure: infection cycle. Infection vector (ransomware frequently uses web and email) -> C2 comms & asymmetric key exchange -> encryption of files -> request of ransom.]
• Ransomware takes control of targeted systems
• Ransomware holds those systems ‘hostage’
• Owner/company agrees to pay the ‘ransom’ (bitcoins) to free the system
How Ransomware Works – Most Variants Require All 5 Steps
[Figure: two infection paths ending in the same state.
EMAIL-BASED INFECTION: email with malicious attachment -> ransomware payload -> encryption key C2 infrastructure -> files inaccessible.
WEB-BASED INFECTION: user clicks a link or malvertising -> malicious infrastructure -> ransomware payload -> encryption key C2 infrastructure -> files inaccessible.]
Capabilities needed to break the kill chain
• Threat intelligence – knowledge of existing ransomware and its communication vectors
• E-mail security – block ransomware attachments and links
• Web security – block web communication to infected sites and files
• DNS security – break the command & control callback
• Client security – inspect files for ransomware and viruses, quarantine and remove
• Segment infrastructure – authenticate access, separate traffic based on role and policy
• Intrusion prevention – block attacks, exploitation and intelligence gathering
• Monitor infrastructure communications – identify and alert on abnormal traffic flows
Capability Defense against the “Kill Chain”
[Figure: End-to-End Infrastructure Defense, a matrix of kill-chain stages (RECON, STAGE, LAUNCH, EXPLOIT, INSTALL, CALLBACK, PERSIST, with phase labels TARGET, BREACH and COMPROMISE) against the capabilities defending each stage: NGIPS, NGFW, Flow Analytics, Network Anti-Malware, Host Anti-Malware, DNS Security, Web Security and Threat Intelligence.]
Solution architecture and elements
Prevent and Contain Ransomware with Cisco
[Figure: the ransomware infection chain with Cisco controls overlaid. Threat sources: COMPROMISED SITES AND MALVERTISING, PHISHING, SPAM. Delivery: web link, web redirect, email attachment. EXPLOIT KIT DOMAINS: Angler, Nuclear, Neutrino. RANSOMWARE PAYLOAD, followed by file drop and C2 to the Malicious Infrastructure and the Encryption Key Infrastructure. Callouts: Blocked by Cisco Umbrella Roaming (DNS Security); Blocked by Cisco AMP for Endpoints (Host Anti-Malware).]
Prevent and Contain Ransomware with Cisco Email Security
[Figure: the same infection chain (compromised sites and malvertising, phishing, spam; web link, web redirect, email attachment; exploit kit domains Angler, Nuclear, Rig; ransomware payload; file drop and C2 to the malicious infrastructure and encryption key infrastructure). Callout: Blocked by Cisco (Cloud) Email Security with AMP.]
Controls applied: Incoming Mail Policies -> Outbreak Filters; Incoming Mail Policies -> Advanced Malware Protection.
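The "E-mail security" capability listed under the kill-chain capabilities and the incoming-mail policies on this slide come down to a content decision on inbound MIME: block attachments that are typical ransomware droppers (script files, macro-enabled or legacy Office documents, archives carrying either) and block or rewrite links to known-bad domains. The following is an added example and is not Cisco ESA, Outbreak Filter or AMP code: a minimal policy check over a constructed .eml message. The extension sets, the decoy-extension rule, the domain blocklist and the verdict names are assumptions made for the example.

```python
import io
import re
import zipfile
import email
from email import policy
from email.message import EmailMessage

# Assumed policy inputs for this example (not Cisco ESA/AMP rules):
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".scr", ".exe",
                      ".docm", ".xlsm", ".pptm"}
DECOY_EXTENSIONS = {"pdf", "doc", "txt", "jpg"}          # "invoice.pdf.js" style decoys
BLOCKED_DOMAINS = {"invoice-update.example", "secure-login.example"}  # constructed blocklist
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy binary Office container
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def file_ext(name):
    """Lower-cased final extension including the dot, or '' if none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_attachment(filename, data):
    """Return the list of reasons to block this attachment (empty means clean)."""
    reasons = []
    ext = file_ext(filename)
    parts = filename.lower().split(".")
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        reasons.append("double extension")
    if data.startswith(OLE_MAGIC):
        reasons.append("legacy OLE document (possible macro carrier)")
    if ext == ".zip" and data.startswith(b"PK"):
        # Look inside archives: script droppers and macro documents travel zipped.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if file_ext(member) in BLOCKED_EXTENSIONS:
                        reasons.append(f"archive contains {member}")
                    if member.lower().endswith("vbaproject.bin"):
                        reasons.append("archive carries VBA macros")
        except zipfile.BadZipFile:
            reasons.append("corrupt archive")
    return reasons


def scan_message(raw):
    """Evaluate one RFC 822 message. Returns (verdict, findings)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        findings += [f"attachment {name}: {r}" for r in inspect_attachment(name, data)]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for host in URL_HOST_RE.findall(text):
        if host.lower() in BLOCKED_DOMAINS:
            findings.append(f"link to blocked domain {host}")
    return ("BLOCK" if findings else "DELIVER"), findings


def build_lure():
    """Constructed sample: a zipped JavaScript downloader disguised as an invoice."""
    m = EmailMessage()
    m["From"] = "billing@invoice-update.example"
    m["To"] = "user@corp.example"
    m["Subject"] = "Invoice 4471 overdue"
    m.set_content("Please review at http://invoice-update.example/inv/4471")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4471.pdf.js", "// constructed stand-in for a downloader script\n")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Invoice_4471.zip")
    return m.as_bytes()


def build_clean():
    """Constructed sample: ordinary mail with no attachment and an internal link."""
    m = EmailMessage()
    m["From"] = "alice@corp.example"
    m["To"] = "user@corp.example"
    m["Subject"] = "Lunch"
    m.set_content("Menu is at http://intranet.corp.example/menu")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_lure(), build_clean()):
        print(scan_message(raw))
```

The archive check matters more than the extension check: in 2016 the common lure was a .zip holding a .js or a macro document, so an engine that only looks at the outer filename passes it. A production gateway would add sandbox detonation for anything it cannot classify statically, which is the role the slide assigns to Advanced Malware Protection.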
Prevent and Contain Ransomware with Cisco Umbrella (OpenDNS)
[Figure: the same infection chain (compromised sites and malvertising, phishing, spam; web link, web redirect, email attachment; exploit kit domains Angler, Nuclear, Rig; ransomware payload; file drop and C2 to the malicious infrastructure and encryption key infrastructure). Callout: Blocked by Cisco Umbrella Roaming (DNS Security).]
OpenDNS blocks phishing, and the lookups for the exploit kit and C2 domains are blocked at resolution time, before a connection is made.
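The "DNS security" capability above (break the command & control callback) and this slide's DNS-layer block both work the same way: the resolver answers known-bad names with a sinkhole address instead of the real one, so the payload never reaches its key server and the encryption step stalls. The following is an added example, not Umbrella/OpenDNS code: an RPZ-style policy applied to a constructed query log, with a cheap DGA heuristic for names that are not yet on any list. The blocklist, allowlist, sinkhole address, log layout and thresholds are assumptions made for the example.

```python
import math
import re
from collections import Counter

# Assumed policy inputs (constructed for this example, not Umbrella's data):
C2_BLOCKLIST = {"keyserver-payload.example", "cdn-angler.example"}
ALLOWLIST_SUFFIXES = (".corp.example", ".windowsupdate.com")
SINKHOLE_IP = "10.255.255.1"   # hypothetical internal sinkhole that logs and drops connections

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\w+)\s+(?P<qname>\S+)$")


def registered_label(qname):
    """Label left of the TLD (naive: no public-suffix list), e.g. 'cisco' for www.cisco.com."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_like_dga(qname, min_len=12, min_entropy=3.2, max_vowel_ratio=0.3):
    """Cheap DGA heuristic: long, high-entropy, vowel-poor registered label."""
    label = registered_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


def policy_decision(qname):
    """Return (action, reason): action is 'resolve' or 'sinkhole'."""
    q = qname.rstrip(".").lower()
    if q.endswith(ALLOWLIST_SUFFIXES):
        return "resolve", "allowlisted"
    for bad in C2_BLOCKLIST:          # RPZ-style: the domain and every subdomain under it
        if q == bad or q.endswith("." + bad):
            return "sinkhole", f"blocklist:{bad}"
    if looks_like_dga(q):
        return "sinkhole", "dga-heuristic"
    return "resolve", "clean"


def process_log(lines):
    """Apply the policy to each query-log line; returns (client, qname, action, reason, answer)."""
    results = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        action, reason = policy_decision(m["qname"])
        answer = SINKHOLE_IP if action == "sinkhole" else None
        results.append((m["client"], m["qname"], action, reason, answer))
    return results


# Constructed query log in a simple 'timestamp client query TYPE name' layout.
SAMPLE_LOG = [
    "2016-11-08T10:02:13Z 10.1.2.3 query A www.cisco.com",
    "2016-11-08T10:02:14Z 10.1.2.3 query A update.cdn-angler.example",
    "2016-11-08T10:02:15Z 10.1.2.9 query A xkq7vtrpzlmwnbgs.example",
    "2016-11-08T10:02:16Z 10.1.2.9 query A fileserver.corp.example",
]

if __name__ == "__main__":
    for row in process_log(SAMPLE_LOG):
        print(row)
```

Two caveats a practitioner would add. The entropy heuristic alone misfires on CDN and hash-style hostnames, so in practice the blocklist hit is what sinkholes and the heuristic only raises an alert until the name is confirmed. And DNS control only binds clients that use the policy resolver: a payload with a hard-coded C2 address or its own resolver bypasses it, which is why the egress block on the NGFW in the containment slide is listed alongside it rather than instead of it.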
Prevent and Contain Ransomware with Cisco AMP for Endpoints
[Figure: the same infection chain (compromised sites and malvertising, phishing, spam; web link, web redirect, email attachment; exploit kit domains Angler, Nuclear, Rig; ransomware payload; file drop and C2 to the malicious infrastructure and encryption key infrastructure). Callout: Blocked by Cisco AMP for Endpoints (Host Anti-Malware).]
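The "Client security" capability (inspect files for ransomware, quarantine and remove) and the host anti-malware callout on this slide are the last control before "files inaccessible". A payload that slips past file-hash and signature checks still has to behave like an encryptor: it rewrites many user files in a short burst, the rewritten content is near-random, it renames them to a new extension, and it drops a ransom note. The following is an added example, not AMP for Endpoints code: a behavioural heuristic over a constructed file-event stream. The event format, the extension list, the note-name hints, the thresholds and the response label are assumptions made for the example.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Assumed indicator lists for this example (not AMP's engines):
RANSOM_EXTENSIONS = {".locky", ".zepto", ".cerber", ".crypt", ".encrypted"}
RANSOM_NOTE_HINTS = ("decrypt", "recover", "ransom", "how_to")


def shannon_entropy(data):
    """Bits per byte; ciphertext and compressed data sit near 8.0, documents far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_ext(path):
    name = path.rsplit("/", 1)[-1].lower()
    return name[name.rfind("."):] if "." in name else ""


def max_burst(timestamps, window):
    """Largest number of events falling inside any `window`-second span."""
    ts = sorted(timestamps)
    best = j = 0
    for i, t in enumerate(ts):
        while ts[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def analyze(events, window=10.0, min_files=10, min_entropy=7.0):
    """Group file events by pid and return alerts for processes that look like encryptors.

    Each event is a dict: ts, pid, proc, op ('write' | 'rename' | 'create'), path,
    plus data (bytes) for writes and new_path for renames. The format is assumed.
    """
    per_pid = defaultdict(list)
    for ev in events:
        per_pid[ev["pid"]].append(ev)
    alerts = []
    for pid, evs in per_pid.items():
        hot_writes = [e["ts"] for e in evs
                      if e["op"] == "write" and shannon_entropy(e.get("data", b"")) >= min_entropy]
        renames = sum(1 for e in evs
                      if e["op"] == "rename" and file_ext(e["new_path"]) in RANSOM_EXTENSIONS)
        notes = sum(1 for e in evs
                    if e["op"] == "create" and any(h in e["path"].lower() for h in RANSOM_NOTE_HINTS))
        burst = max_burst(hot_writes, window)
        # Require the write burst AND a second signal, so backups and archivers don't trip it.
        if burst >= min_files and (renames or notes):
            alerts.append({"pid": pid, "proc": evs[0]["proc"], "hot_writes_in_window": burst,
                           "ransom_ext_renames": renames, "ransom_notes": notes,
                           "action": "quarantine process and isolate host"})
    return alerts


def pseudo_random(seed, nbytes=4096):
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode over a seed)."""
    out = b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest()
                   for i in range(nbytes // 32 + 1))
    return out[:nbytes]


def sample_events():
    """Constructed event stream: one encryptor and one ordinary word processor."""
    evs = []
    for i in range(12):
        src = f"/home/user/docs/report_{i}.docx"
        evs.append({"ts": 100.0 + i * 0.5, "pid": 4242, "proc": "wscript.exe",
                    "op": "write", "path": src, "data": pseudo_random(i)})
        evs.append({"ts": 100.1 + i * 0.5, "pid": 4242, "proc": "wscript.exe",
                    "op": "rename", "path": src, "new_path": src + ".locky"})
    evs.append({"ts": 107.0, "pid": 4242, "proc": "wscript.exe", "op": "create",
                "path": "/home/user/docs/HOW_TO_RECOVER_FILES.txt"})
    for i in range(3):
        evs.append({"ts": 100.0 + i, "pid": 3100, "proc": "winword.exe", "op": "write",
                    "path": f"/home/user/docs/notes_{i}.txt",
                    "data": b"Quarterly planning notes, draft %d. " % i * 50})
    return evs


if __name__ == "__main__":
    for alert in analyze(sample_events()):
        print(alert)
```

The heuristic requires two independent signals before it acts, because a single one (high-entropy writes) also describes a backup job or an archiver. The thresholds trade detection delay against damage: with min_files set to 10, the first ten documents are already encrypted when the process is stopped, which is why this check complements rather than replaces the email and DNS controls earlier in the chain.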
DETECT AND CONTAIN IN NETWORK
Cisco Ransomware Network Containment (Talos Security Intelligence)
[Figure: containment cycle. Stealthwatch detects and alerts; AMP Threat Grid analyzes the threat; NGFW blocks the connection; NGIPS deploys the patch; ISE pushes the containment policy; TrustSec deploys dynamic containment; AMP for Endpoints protects the system. Outcome: RANSOMWARE CONTAINED, CLEAN SYSTEM.]
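The containment cycle on this slide, and the "Monitor infrastructure communications" and "Segment infrastructure" capabilities listed earlier, chain two steps: flow analytics notices a host behaving abnormally (for ransomware, a single workstation suddenly touching many internal SMB servers to reach their shares), and the identity and segmentation layer moves that host into a quarantine group so it can only reach remediation. The following is an added example, not Stealthwatch, ISE or TrustSec code: a sliding-window SMB fan-out detector over constructed flow records, producing a hypothetical containment record for the NAC layer to apply. The flow CSV layout, the internal address range, the thresholds, the security-group name and the ACL lines are assumptions made for the example.

```python
import ipaddress
from collections import Counter, defaultdict, deque

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate address space
SMB_PORTS = {139, 445}
REMEDIATION_SERVER = "10.9.9.9"                        # hypothetical


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse 'ts,src,dst,dport,bytes' (a constructed CSV layout, not Stealthwatch's export)."""
    ts, src, dst, dport, nbytes = line.strip().split(",")
    return {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def detect_smb_fanout(flows, window=60.0, threshold=15):
    """Return {src: peak distinct internal SMB peers inside any `window` seconds}
    for every source whose peak reaches `threshold`."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] in SMB_PORTS and is_internal(f["src"]) and is_internal(f["dst"]):
            by_src[f["src"]].append((f["ts"], f["dst"]))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        active, peers = deque(), Counter()
        for ts, dst in evs:
            active.append((ts, dst))
            peers[dst] += 1
            while active[0][0] < ts - window:          # expire flows that left the window
                _, old_dst = active.popleft()
                peers[old_dst] -= 1
                if peers[old_dst] == 0:
                    del peers[old_dst]
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


def containment_intent(host):
    """Hypothetical containment record handed to the NAC/segmentation layer."""
    return {
        "host": host,
        "action": "quarantine",
        "sgt": "Quarantine",                           # hypothetical security group tag name
        "acl": [f"permit ip host {host} host {REMEDIATION_SERVER}",
                f"deny ip host {host} any"],
    }


def respond(flow_lines):
    """Detect, then build one containment record per offending host."""
    alerts = detect_smb_fanout(parse_flow(l) for l in flow_lines)
    return {src: containment_intent(src) for src in alerts}, alerts


def sample_flows():
    """Constructed flow export: one encryptor sweeping shares, one ordinary user."""
    lines = []
    # 10.1.2.9 opens SMB to 25 distinct servers in 25 seconds
    for i in range(25):
        lines.append(f"{200 + i},10.1.2.9,10.1.5.{i + 1},445,8192")
    # 10.1.2.3 alternates between two file servers and browses HTTPS externally
    for i in range(30):
        lines.append(f"{200 + i},10.1.2.3,10.1.5.{10 + i % 2},445,4096")
        lines.append(f"{200 + i},10.1.2.3,93.184.216.34,443,1500")
    return lines


if __name__ == "__main__":
    intents, alerts = respond(sample_flows())
    print(alerts)
    for intent in intents.values():
        print(intent)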
Cisco Ransomware Defense Solution
Solution to prevent, detect and contain ransomware attacks
The Cisco Ransomware Defense Solution is not a silver bullet and not a guarantee. It does help to:
• Prevent ransomware from getting into the network where possible
• Stop it at the systems before it gains command and control
• Detect when it is present in the network
• Contain it from expanding to additional systems and network areas
• Perform incident response to fix the vulnerabilities and areas that were attacked
This solution helps keep business operations running with less fear of being taken hostage and losing control of critical systems.