2021-01-13 Reducing Risk of Ransomware
- 2. A QUESTION TO YOU
Which of the following network security projects is your company planning to mainly engage in during 2021?
• Micro-segmentation
• Compliance
• Cloud migration
• Automation
• More than one of the above
2 | Confidential
- 3. LET’S INTRODUCE OUR SPEAKERS
HUIB KLAASSENS
BDM
JAN HEIJDRA
TECHNOLOGY EVANGELIST
YITZY TANNENBAUM
PRODUCT MARKETING MANAGER
- 4. JAN HEIJDRA – CISCO SECURITY
Cisco security portfolio areas:
• Enterprise Mobility Management
• Network Traffic Security Analytics
• (Cloud) Workload Protection
• Web Security
• Email Security
• Advanced Threat
• Secure SD-WAN / Routers
• Identity and Network Access Control
• Secure Internet Gateway
• Switches and Access Points
• Next-Gen FW/IPS
• Cloud Access Security
- 5. YITZY TANNENBAUM – ALGOSEC OVERVIEW
Founded 2004
1800+ Enterprise Customers
Serving 20 of the Fortune 50
24/7 Support via 3 Global Centers
ISO 27001 Certified
Passionate about Customer Satisfaction
- 7. SECURITY SERVICES
SOC Services
• SOC Build, Operate and Optimization
• Security Devices (ASA, FP, FTD, AMP, Third Party FWs, IPS)
• Switches, Servers, Endpoints
• Managed ISE
• Managed AMP
• Cloud Security Monitoring
Security Consulting
• Network Architecture Assessment
• Cloud Security Assessment
• Gap Assessment (NIST-800)
• Pen Testing
• Security Optimization
• Incident Response
• Forensics
Malware Protection
• Malware Readiness Assessment for Endpoint, Network and DC
• AMP (Endpoints, Network)
• Incident Response
Next Generation Firewall Services (Cisco ASA and FirePOWER Threat Defense)
• Firewall Policy Reviews and Optimization
• Design and Deployments
• Migrations (from old Cisco Firewalls and Third-Party Firewalls to Cisco ASA/FTD)
• Operate
• Compliance
• On-Prem, DC and Cloud
Network Access Control (Cisco ISE) and Segmentations
• Workshops
• Proof of Value/POC and Pilot Deployment
• Enterprise Rollout
• Post Deployment optimization and Support
• ACS to ISE Migration
• Network Segmentation (TrustSec)
• SDA (DNA Center)
- 9. POLL
Did your organization experience a ransomware attack?
• Yes, multiple in the last two years
• Yes, one in the last two years
• Yes, but not in the last two years
• No, thankfully we haven’t had a ransomware attack!
- 11. Talos encompasses six key areas: Threat Intelligence & Interdiction, Detection Research, Engine Development, Vulnerability Research & Discovery, Open Source & Education, and Global Outreach.
We are an elite group of security experts devoted to providing superior protection to customers with our products and services.
Cisco Talos' core mission is to provide verifiable and customizable defensive technologies and techniques that help customers quickly protect their assets from cloud to core.
Our job is protecting your network.
- 13. EXTENSIVE COVID-THEMED ACTIVITY
• Malware and phishing campaigns using COVID-themed lures
• Attacks against organizations that carry out research and work related to COVID
• Fraud and disinformation
- 17. OBSERVED TRENDS
• Top threats included ransomware, such as Sodinokibi and Maze
• Top weaknesses include lack of phishing protection/education, network monitoring and logging, and patching
• Top initial vectors included phishing and web app exploitation
- 18. RANSOMWARE
• The most common type of attack
• Most common variants were Maze and Sodinokibi
• No commodity trojans
• Maze “retires”
Impact: these types of attacks remain one of the most impactful for any organization and can severely affect critical services.
- 20. THE EVOLUTION OF RANSOMWARE VARIANTS
[Timeline figure, 1989 to 2017; milestones shown alongside the variants: TOR, first commercial Android phone, Bitcoin network launched]
Variants shown, as listed on the timeline: PC Cyborg, GPCoder, QiaoZhaz, CRYZIP, Redplus, Reveton, Ransomlock, Dirty Decrypt, Cryptorbit, Cryptographic Locker, Urausy, Cryptolocker, CryptoDefense, Koler, Kovter, Simplelock, Cokri, CBT-Locker, TorrentLocker, Virlock, CoinVault, Svpeng, TeslaCrypt, Lockdroid, Tox, Cryptvault, DMALock, Chimera, Hidden Tear, Lockscreen, Teslacrypt 2.0, Cryptowall, SamSam, Locky, Cerber, Radamant, Hydracrypt, Rokku, Jigsaw, Powerware, 73V3N, Keranger, Petya, Teslacrypt 3.0, Teslacrypt 4.0, Teslacrypt 4.1, CrySis, Nemucod, Jaff, Spora, Popcorn Time, NotPetya, WannaCry
- 21. HOW?
1. Deliver exploits to 1st victim computer
2. Repeat per victim computer:
• Encrypt file system
• Encrypt accessible networked file shares
• Move laterally: explore the network
• Deliver exploits to next victim via network
3. Wait for victim to call
4. Collect ransom
5. Supply decryption key
Source: “Advanced Persistent Threat”, Wikipedia
- 22. 1ST VICTIM: ATTACK TECHNIQUES (PARTIAL LIST)
• Email attachment
  • Send a malicious email attachment
• Browser Drive-By-Download
  • Host the malicious content on a website
• “Water-hole” technique
  • Compromise a website the victim is likely to visit
• Social Engineering
  • Fool someone into doing it for you
• Mobile malware
  • Spread a malicious mobile application
- 23. EXPLORE THE COMPROMISED NETWORK
• Encrypting network shares:
→Requires network access from victim to file system
→Produces (unusual) network traffic
• Move Laterally:
• Find more devices, gain more access, encrypt more interesting data
→Requires network access from victim1 to victim2 to …
→Produces (unusual) network traffic
- 29. Cisco Ransomware Defense: Breaking the Kill Chain
[Kill-chain diagram; controls shown per stage: Umbrella, Next-Gen Firewall, AMP Endpoint, Email w/AMP]
• Email Security w/AMP blocks the phishing email
• Umbrella blocks the request (or AMP blocks the file download)
• NGFW blocks the connection (or AMP blocks the file download)
• AMP for Endpoint blocks the file
• Umbrella blocks the request to the Encryption Key Infrastructure
• NGFW blocks the connection
• Persist / Propagate: NetFlow, StealthWatch, AMP, Segmentation, ISE (RTC), FW
- 30. THE FIRST STEP IS THE HARDEST
[Network diagram: Internet, Procurement Department, Partner Network, HVAC Control, Financial Database]
• Most ingenious step (social engineering, clever technical exploit delivery, …)
• Much of the attack is happening outside of your control
• Requires fancy defense technologies to mitigate
- 31. RECOMMENDATION #1: EDUCATION
• Educate your employees to identify malicious actors, as we’ve mentioned earlier
• Equip yourself with tools that can help with these types of attacks (hard to find good tools)
- 32. MAKE LATERAL STEPS HARDER FOR ATTACKER!
[Network diagram: Internet, Procurement Department, Partner Network, HVAC Control, Financial Database; attack path marked Step 1, Step 2, Step 3]
- 33. LATERAL STEPS
• The attacker is now on your turf
• Use your advantages:
• Control your network
• Know what traffic is usual and what is not
- 34. UNUSUAL – IN THE USUAL WAYS
• Lateral traffic is unusual – in the usual ways
• Communicating parties that never communicate
• Protocols & ports that are never used across security zones
• Firewalls are really good at blocking such traffic … as long as:
• There are firewalls in the traffic path
• The firewalls are properly configured
- 36. USE TECHNOLOGY YOU KNOW WELL
[Network diagram: Internet, Procurement Department, Partner Network, HVAC Control, Financial Database]
- 37. SEGMENT THE NETWORK: INTERNAL FIREWALLS
[Network diagram: Internet, Procurement Department, Partner Network, HVAC Control, Financial Database, with internal firewalls between the zones]
• Place internal firewalls between network zones
• Use SDN virtualization technologies to filter traffic inside data center
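Slides 34 and 37 together describe the detection and the control: lateral traffic is unusual in the usual ways (peers that never talk, ports never used across security zones), and internal firewalls between zones block it as long as they are in the path. The following added example (not from the webinar or either vendor) learns a baseline from constructed flow records, flags both kinds of unusual traffic, and shows which flows a default-deny zone-to-zone policy would catch and which, being intra-zone, no internal firewall ever sees; the zone names follow the slides' diagram, while the address ranges, hosts and flow records are assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
Flow = namedtuple("Flow", "src dst proto dport")
# Zone layout is assumed: the slides name these zones but give no addressing.
ZONES = {"procurement": ip_network("10.1.0.0/16"), "financial_db": ip_network("10.2.0.0/16"),
         "hvac": ip_network("10.3.0.0/16"), "partner": ip_network("172.16.0.0/16")}

def zone_of(ip):
    """Map an address to its security zone; anything unlisted counts as 'internet'."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "internet")

def build_baseline(flows):
    """Learn what is usual from history: which host pairs talk, which proto/port each zone pair uses."""
    pairs = {(f.src, f.dst) for f in flows}
    zone_services = {(zone_of(f.src), zone_of(f.dst), f.proto, f.dport) for f in flows}
    return pairs, zone_services

def find_unusual(flows, baseline):
    """Flag a peer pair never seen before, or a proto/port never used between these two zones."""
    pairs, zone_services = baseline
    alerts = []
    for f in flows:
        src_z, dst_z = zone_of(f.src), zone_of(f.dst)
        reasons = []
        if (f.src, f.dst) not in pairs:
            reasons.append("new peer pair")
        if src_z != dst_z and (src_z, dst_z, f.proto, f.dport) not in zone_services:
            reasons.append(f"{f.proto}/{f.dport} never used {src_z}->{dst_z}")
        if reasons:
            alerts.append((f, reasons))
    return alerts

def zone_policy_blocks(flow, zone_services):
    """Default-deny internal firewall between zones: only learned zone-to-zone services pass."""
    src_z, dst_z = zone_of(flow.src), zone_of(flow.dst)
    # Traffic that stays inside one zone never crosses the internal firewall at all.
    return src_z != dst_z and (src_z, dst_z, flow.proto, flow.dport) not in zone_services

# Constructed sample records: one procurement workstation and its normal habits.
BASELINE = build_baseline([
    Flow("10.1.0.25", "10.2.0.10", "tcp", 443),    # procurement -> DB zone web app
    Flow("10.1.0.25", "203.0.113.9", "tcp", 443),  # procurement -> internet
    Flow("172.16.0.7", "10.1.0.40", "tcp", 22),    # partner -> procurement, SSH
])
SUSPECT = [
    Flow("10.1.0.25", "10.2.0.10", "tcp", 443),  # usual: no alert
    Flow("10.1.0.25", "10.2.0.10", "tcp", 445),  # known pair, but SMB never used to DB zone
    Flow("10.1.0.25", "10.3.0.5", "tcp", 445),   # never talked to HVAC, and over SMB
    Flow("10.1.0.25", "10.1.0.30", "tcp", 445),  # same zone: new pair, but no firewall in path
]
```

Running `find_unusual(SUSPECT, BASELINE)` raises three alerts, and `zone_policy_blocks` catches only the two that cross a zone boundary; the intra-zone one is the case segmentation alone does not cover and monitoring must.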
- 38. RECOMMENDATION #3: PLAN
• Leverage a SIEM technology to quickly identify that an attack is happening
• Create a playbook in your SOAR system with well-defined steps to stop the attack
• Create a playbook in your NSPM to quickly isolate the infected server
- 39. POLL
Have you already started a micro-segmentation project in your organization?
• Yes, we’ve completed our micro-segmentation project
• Yes, we are currently in the midst of a micro-segmentation project
• No, but it is in our roadmap
• No, and we don’t plan to in the near future
- 41. WHAT TO DO NEXT?
ATTACHMENTS TAB
• Connect with us on LinkedIn
• Register for Part 2 of the Ransomware Masterclass Webinar
• Join the raffle: request a Ransomware Assessment Service (1 random winner will be selected for a free-of-charge assessment)
• Request your copy of:
  • Cisco Zero Trust Security
  • Ransomware Defense for Dummies
- 43. THANK YOU
HUIB KLAASSENS
BDM
JAN HEIJDRA
TECHNOLOGY EVANGELIST
YITZY TANNENBAUM
PRODUCT MARKETING MANAGER