1. Ransomware gains access to systems through web, email, servers…
2. Ransomware takes control of those systems, and holds the data in these systems ‘hostage’ until the owner/company agrees to pay the ‘ransom’ (bitcoins) to free the system.
• Hospitals taking care of patients and losing the ability to give them real-time care (admittance, surgeries, medications, etc.)
• Public safety not being able to respond to 911 or emergency calls
• Financial banking systems offline from trading or banking activities
• Retail not processing payments, customers not able to purchase
Ransomware: Easy Profits
Timeline figure, years on the axis: 1989, 2001, 2005, 2006, 2007, 2008, 2012, 2013, 2014, 2015, 2016 (the launch of the Bitcoin network is marked as an event)
Families named on the timeline: GPCoder, QiaoZhaz, Reveton, Kovter, Tox, Cerber, Ransomlock, Simplelock, Cryptvault, Radamant, Cokri, DMALock, Hydracrypt, CBT-Locker, Chimera, Rokku, TorrentLocker, Hidden Tear, Jigsaw, Dirty Decrypt, Virlock, Lockscreen, Powerware, Cryptorbit, CoinVault, Teslacrypt 2.0, Cryptographic Locker, Svpeng, Urausy, CryptoDefense, Koler
Typical Ransomware Infection
Problem: Customers can be taken hostage by malware that locks up critical resources
Figure: infection over 445 TCP using ETERNALBLUE and DOUBLEPULSAR; the infected host then scans external IPs on 445 TCP
Velocity of Propagation
Figure panels: Honeypot 445 TCP Connections; Kill Switch Domain DNS Queries
Infection Process – network
• mssecsvc.exe scans TCP 445
• The exploit is used to install DOUBLEPULSAR, which installs mssecsvc.exe on the newly reached host
• mssecsvc.exe creates the service mssecsvc2.0 & starts it
• Drops tasksche.exe
Infection Process - encryption
• tasksche.exe drops taskse.exe, @wannadecryptor@.exe, taskdl.exe and Tor.exe and executes them
• Encrypts files (RSA 2048)
• taskdl.exe deletes temp files
Mitigation
• Apply the MS17-010 patch to your systems
  • Microsoft has released this update for XP/Server 2003 systems
• Block ALL Inbound/Outbound SMB traffic
  • ports 139, 445
• Snort Rules
  • 42329-42332 DoublePulsar (April 25)
  • 42340 Anonymous SMB (April 25)
  • 41978 Samba buffer overflow (March 14)
Prevention
Cisco Ransomware Defense Solution is not a silver bullet, and not a guarantee.
It does help to:
• Prevent ransomware from getting into the network where possible
• Stop it at the systems before it gains command and control
• Detect when it is present in the network
• Work to contain it from expanding to additional systems and network areas
• Perform incident response to fix the vulnerabilities and areas that were attacked
1. Plan for the worst: Have an effective disaster recovery plan and back up frequently
   Prevent when Possible:
   1. Quick protection: Deploy Umbrella and AMP for Endpoint (prevent when possible)
   2. Add AMP to Email Security (CES or ESA)
2. Deploy AMP Threat Grid, NGFW/NGIPS with Firepower 4100 series
3. Detect and contain in the network infrastructure (security driven network refresh); Cisco Incident Response Services to better prepare
Breaking the Ransomware KillChain
Figure: Cisco capabilities mapped against the infrastructure used by the attacker
Capability – Defense Against the Kill Chain
Figure: kill chain stages RECON, STAGE, LAUNCH, EXPLOIT, INSTALL, CALLBACK, PERSIST, with End-to-End Defense across network, email, web and hosts (Windows, Mac, Unix/Linux, Mobile) using DNS, Email Security, Web Security, NGFW, NGIPS, Anti-Malware, File Trajectory, Flow Analytics, Policy & Access Control and Threat Intelligence
• Salesmen researching new products: Secure outbound web access
• Manager opening e-mail from vendor: Secure mail
• Employee accessing files on server: Secure file access
Without a Defense In Depth strategy you have the problems we see today
Figure: Corporate Device → Access Switch → Distribution Switch → Core Switch → Firepower Appliance → Router → Web; Local Services: Web Proxy. Web browsing: webpage retrieval requested, ransomware downloaded.
Defense In Depth – Best Threat Surface Coverage Possible
Figure: the same path (Corporate Device → Access Switch → Distribution Switch → Core Switch → Firepower Appliance → Router → Web) with Cloud Services (DNS) added in front of the webpage retrieval.
Services for Ransomware Defense
Cisco Security Services to address Ransomware
BEFORE
• Diagnose and demonstrate security weakness and vulnerabilities and provide recommendations
• Review people, process and technology to identify exposed areas that may lead to a data breach
• Assess Incident Response Readiness
• Design and deployment services of new technologies and products
DURING/AFTER
• Perform incident response and identify “Root Cause” of the attack
• Respond with expert resources to quickly and effectively mitigate security incidents
• Increase efficiency and efficacy of security operations
• Free up personnel to focus on confirmed threats
Service areas: Advisory, Consulting, Engineering, Operations
SECURITY EVERYWHERE
Attack Continuum Services
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Threat intelligence figure: 16B Daily Web Requests; 20B Threats Blocked; 500+ Industry Participants Sharing
Sources: Internet-Wide Scanning; Open Source Honeypots; Product Telemetry; Partnerships; Intel Sharing (ISACs); Vulnerability Discovery (Internal); Open Source Communities; Third Party Programs (MAPP)
Only Cisco can build a true E2E security architecture
The Cisco Advantage: Best of Breed Portfolio; Architectural Approach
Cisco Security Solution Partners
Combined Program – Over 60+ Partners
Vulnerability Management, Custom Detection, Full Packet Capture, Remediation, Incident Response
1. Strategy & Operational Security: Segmentation High-Level Designs & Strategy
2. Risk & Compliance: Information Security Risk Assessments and Program Development, GDPR
3. Network Security: Penetration Testing External and Internal Network; Wireless
4. Application Security: Penetration Testing Web, Mobile & Binary Application
5. Physical Security: Security Operations Plan, Design and Operate
6. Threat Management: Incident Response Emergency & Retainer
• Advanced Analytics
• Rule/signature tuning and optimization
• Cisco Collective Threat Intelligence
• 24x7 Proactive Device Monitoring
• Threat Analysis, Incident Monitoring & Forensics
• Policy/Change Management
What Can the Network Do for You?
Network as Sensor
Figure: packets from the Internet (source address 10.1.8.3, destination address 172.168.134.2) pass through network devices, and NetFlow provides the flow information. NetFlow-capable devices generate NetFlow / NBAR / NSEL; a non-NetFlow-capable device is covered by SPAN into a StealthWatch FlowSensor, which feeds the StealthWatch FlowCollector.
StealthWatch FlowCollector:
• Collect and analyze
• Up to 4000 sources
• Up to 240,000 flows per second (FPS) sustained
Context Information: NetFlow, pxGrid, StealthWatch
Scenario: Malware is quickly propagating (figure: hosts 10.201.3.18, 10.201.0.23, 10.201.3.50, 10.201.3.83 …)
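A defender-side check for the propagation behaviour this deck describes (one host fanning out over TCP 445, as it would appear in the flow records a NetFlow collector gathers), written here as an added example; it is not Cisco's or StealthWatch's code, and the record layout, the sample flows, the 60-second window and the 20-peer threshold are assumptions.

```python
"""Added example, not Cisco's or StealthWatch's code: flag hosts that fan
out over TCP/445 the way the scanner in this deck does, from NetFlow-style
records. Field layout, sample flows and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: float    # flow start, seconds
    src: str
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"

def smb_fanout_alerts(flows, window=60.0, max_peers=20):
    """Return {src: peak distinct TCP/445 peers} for every source that
    contacted more than max_peers distinct destinations on TCP/445 within
    any sliding window of `window` seconds. Flows may arrive unsorted."""
    per_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == 445:
            per_src[f.src].append((f.ts, f.dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> flows still inside the window
        lo = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[lo][0] < ts - window:   # evict flows older than window
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) > max_peers:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts

def constructed_flows():
    """Constructed sample: three clients using one file server, then
    10.201.3.18 sweeping its /24 on TCP/445 twice a second."""
    flows = [Flow(10.0 + i, c, "10.201.0.23", 445, "tcp")
             for i, c in enumerate(["10.201.3.18", "10.201.3.50", "10.201.3.83"])]
    flows += [Flow(100.0 + i * 0.5, "10.201.3.18", f"10.201.3.{i}", 445, "tcp")
              for i in range(1, 60)]
    flows.append(Flow(105.0, "10.201.3.18", "10.201.0.2", 53, "udp"))  # DNS, ignored
    return flows

print(smb_fanout_alerts(constructed_flows()))   # {'10.201.3.18': 59}
```

Normal client-to-file-server traffic stays under the threshold, while the sweeping host is reported with the peak number of distinct 445 peers seen in one window.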