REDUCING RISK OF RANSOMWARE ATTACKS – Back to Basics
A QUESTION TO YOU
Which of the following network security projects is your company planning to mainly engage in during 2021:
• Micro-segmentation
• Compliance
• Cloud migration
• Automation
• More than one of the above
2 | Confidential
LET’S INTRODUCE OUR SPEAKERS
HUIB KLAASSENS – BDM
JAN HEIJDRA – TECHNOLOGY EVANGELIST
YITZY TANNENBAUM – PRODUCT MARKETING MANAGER
JAN HEIJDRA – CISCO SECURITY
[Portfolio diagram] Cisco Security areas shown:
• Enterprise Mobility Management
• Network Traffic Security Analytics
• (Cloud) Workload Protection
• Web Security
• Email Security
• Advanced Threat
• Secure SD-WAN / Routers
• Identity and Network Access Control
• Secure Internet Gateway
• Switches and Access Points
• Next-Gen FW/IPS
• Cloud Access Security
YITZY TANNENBAUM – ALGOSEC OVERVIEW
Founded 2004
1800+ Enterprise Customers
Serving 20 of the Fortune 50
24/7 Support via 3 Global Centers
ISO 27001 Certified
Passionate about Customer Satisfaction
HUIB KLAASSENS – METSI TECHNOLOGIES
SECURITY SERVICES
SOC Services
• SOC Build, Operate and Optimization
• Security Devices (ASA, FP, FTD, AMP, Third Party FWs, IPS)
• Switches, Servers, Endpoints
• Managed ISE
• Managed AMP
• Cloud Security Monitoring
Security Consulting
• Network Architecture Assessment
• Cloud Security Assessment
• Gap Assessment (NIST-800)
• Pen Testing
• Security Optimization
• Incident Response
• Forensics
Malware Protection
• Malware Readiness Assessment for Endpoint, Network and DC
• AMP (Endpoints, Network)
• Incident Response
Next Generation Firewall Services (Cisco ASA and FirePOWER Threat Defense)
• Firewall Policy Reviews and Optimization
• Design and Deployments
• Migrations (from old Cisco Firewalls and Third-Party Firewalls to Cisco ASA/FTD)
• Operate
• Compliance
• On-Prem, DC and Cloud
Network Access Control (Cisco ISE) and Segmentations
• Workshops
• Proof of Value/POC and Pilot Deployment
• Enterprise Rollout
• Post Deployment optimization and Support
• ACS to ISE Migration
• Network Segmentation (TrustSec)
• SDA (DNA Center)
AGENDA
1. Malware trends
2. What is ransomware
3. High level solutions
4. What to do next?
POLL
Did your organization experience a ransomware attack?
• Yes, multiple in the last two years
• Yes, one in the last two years
• Yes, but not in the last two years
• No, thankfully we haven’t had a ransomware attack!
MALWARE TRENDS BY TALOS
Talos encompasses six key areas: Threat Intelligence & Interdiction, Detection Research, Engine Development, Vulnerability Research & Discovery, Open Source & Education, and Global Outreach.
We are an elite group of security experts devoted to providing superior protection to customers with our products and service.
Cisco Talos' core mission is to provide verifiable and customizable defensive technologies and techniques that help customers quickly protect their assets from cloud to core.
Our job is protecting your network.
Protecting Customers
[Threat landscape diagram] Threats shown:
• Malvertising
• Drive-by downloads
• Rogue software
• Botnets
• Cryptomining
• Credential compromise
• DDoS
• Man in the middle
• Spyware/Malware
• Advanced persistent threats
• Wiper attacks
• Phishing
• Unpatched software
• Supply chain attacks
• Ransomware
• Data/IP theft
EXTENSIVE COVID-THEMED ACTIVITY
• Malware and phishing campaigns using COVID-themed lures
• Attacks against organizations that carry out research and work related to COVID
• Fraud and disinformation
https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html#more
Let’s look at the poll results
OBSERVED TRENDS
• Top threats included ransomware, such as Sodinokibi and Maze
• Top weaknesses include lack of phishing protection/education, network monitoring and logging, and patching
• Top initial vectors included phishing and web app exploitation
RANSOMWARE
• The most common type of attack
• Most common variants were Maze and Sodinokibi
• No commodity trojans
• Maze “retires”
Impact
These types of attacks remain one of the most impactful for any organization and can severely affect critical services.
WHAT IS RANSOMWARE
THE EVOLUTION OF RANSOMWARE VARIANTS
[Timeline figure spanning 1989, 2002, 2005–2008 and 2012–2017. Milestones shown: PC Cyborg, GPCoder, CRYZIP, Redplus, TOR, QiaoZhaz, first commercial Android phone, Bitcoin network launched. Variants shown, in the order they appear: Reveton, Ransomlock, Dirty Decrypt, Cryptorbit, Cryptographic Locker, Urausy, Cryptolocker, CryptoDefense, Koler, Kovter, Simplelock, Cokri, CBT-Locker, TorrentLocker, Virlock, CoinVault, Svpeng, TeslaCrypt, Lockdroid, Tox, Cryptvault, DMALock, Chimera, Hidden Tear, Lockscreen, Teslacrypt 2.0, Cryptowall, SamSam, Locky, Cerber, Radamant, Hydracrypt, Rokku, Jigsaw, Powerware, 73V3N, Keranger, Petya, Teslacrypt 3.0, Teslacrypt 4.0, Teslacrypt 4.1, CrySis, Nemucod, Jaff, Spora, Popcorn Time, NotPetya, WannaCry.]
HOW?
1. Deliver exploits to 1st victim computer
2. Repeat per victim computer:
  • Encrypt file system
  • Encrypt accessible networked file shares
  • Move laterally: explore the network
  • Deliver exploits to next victim via network
3. Wait for victim to call
4. Collect ransom
5. Supply decryption key
Source: “Advanced Persistent Threat”, Wikipedia
1ST VICTIM: ATTACK TECHNIQUES (PARTIAL LIST)
• Email attachment: send a malicious email attachment
• Browser Drive-By-Download: host the malicious content on a website
• “Water-hole” technique: compromise a website the victim is likely to visit
• Social Engineering: fool someone into doing it for you
• Mobile malware: spread a malicious mobile application
EXPLORE THE COMPROMISED NETWORK
• Encrypting network shares:
  → Requires network access from victim to file system
  → Produces (unusual) network traffic
• Move laterally:
  • Find more devices, gain more access, encrypt more interesting data
  → Requires network access from victim1 to victim2 to …
  → Produces (unusual) network traffic
STEPPING STONES
[Diagram built up over four slides: the zones Financial Database, HVAC Control, Partner Network and Procurement Department, plus the Internet. Step 0 is the initial compromise from the Internet; Step 1, Step 2 and Step 3 are successive lateral moves between zones. The final build ends with: Pay $$$$ or lose data.]
HIGH LEVEL SOLUTION
Cisco Ransomware Defense – Breaking the Kill Chain
[Diagram mapping Umbrella, Next-Gen Firewall, AMP for Endpoint and Email w/AMP onto the kill-chain stages]
• Umbrella blocks the request; NGFW blocks the connection
• Email Security w/AMP blocks the phishing email
• AMP for Endpoint blocks the file
• Umbrella blocks the request (or file download AMP); NGFW blocks the connection (or file download AMP)
• Umbrella blocks the request to Encryption Key Infrastructure; NGFW blocks the connection
Persist / Propagate: NetFlow, StealthWatch, AMP, Segmentation, ISE (RTC), FW
THE FIRST STEP IS THE HARDEST
[Zone diagram: Financial Database, HVAC Control, Partner Network, Procurement Department, Internet]
• Most ingenious step (social engineering, clever technical exploit delivery, …)
• Much of the attack is happening outside of your control
• Requires fancy defense technologies to mitigate
RECOMMENDATION #1: EDUCATION
• Educate your employees to identify malicious actors, as we’ve mentioned earlier
• Equip yourself with tools that can help with these types of attack (good tools are hard to find)
MAKE LATERAL STEPS HARDER FOR ATTACKER!
[Zone diagram: Financial Database, HVAC Control, Partner Network, Procurement Department, Internet, with Step 1, Step 2 and Step 3 lateral moves]
LATERAL STEPS
• The attacker is now on your turf
• Use your advantages:
  • Control your network
  • Know what traffic is usual and what is not
UNUSUAL – IN THE USUAL WAYS
• Lateral traffic is unusual – in the usual ways:
  • Communicating parties that never communicate
  • Protocols & ports that are never used across security zones
• Firewalls are really good at blocking such traffic … as long as:
  • There are firewalls in the traffic path
  • The firewalls are properly configured
RECOMMENDATION #2: SEGMENTATION
• Define network zones
• Place firewalls to filter traffic between zones
• Write restrictive policies for traffic between zones
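The two slides above (lateral traffic that is "unusual in the usual ways", and a restrictive inter-zone policy) can be made concrete with the following added example; it is not from the deck or from any vendor it mentions. It maps flow records to the deck's zones, checks each cross-zone flow against an allowlist policy, and separately flags allowed flows between parties that never talked before. The zone CIDRs, the allowlist, the baseline and the flow records are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Zones from the deck's diagram; the CIDRs are constructed for this example.
ZONES = {
    "Financial Database": ipaddress.ip_network("10.10.0.0/24"),
    "HVAC Control": ipaddress.ip_network("10.20.0.0/24"),
    "Partner Network": ipaddress.ip_network("172.16.0.0/16"),
    "Procurement Department": ipaddress.ip_network("10.30.0.0/24"),
}

# Restrictive inter-zone policy (Recommendation #2): anything not listed is denied.
ALLOWED = {
    ("Procurement Department", "Financial Database", "tcp", 1433),  # ERP -> DB
    ("Partner Network", "Procurement Department", "tcp", 443),      # partner portal
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Internet"

def classify(flow, baseline):
    """Verdict for one flow record; baseline = (src, dst, dport) tuples seen in normal operation."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone == dst_zone:
        return "intra-zone"
    if (src_zone, dst_zone, flow["proto"], flow["dport"]) not in ALLOWED:
        return "policy-violation"   # the zone firewall should drop this
    if (flow["src"], flow["dst"], flow["dport"]) not in baseline:
        return "new-pair"           # allowed, but these parties never talked before
    return "usual"

def triage(flows, baseline):
    verdicts = [(f["src"], f["dst"], f["dport"], classify(f, baseline)) for f in flows]
    return verdicts, Counter(v[3] for v in verdicts)

# Constructed sample: a normal ERP query, then SMB (445) attempts from a procurement
# workstation toward the database and HVAC zones, the pattern share encryption leaves.
BASELINE = {("10.30.0.15", "10.10.0.5", 1433)}
FLOWS = [
    {"src": "10.30.0.15", "dst": "10.10.0.5", "proto": "tcp", "dport": 1433},
    {"src": "10.30.0.15", "dst": "10.10.0.5", "proto": "tcp", "dport": 445},
    {"src": "10.30.0.15", "dst": "10.20.0.9", "proto": "tcp", "dport": 445},
    {"src": "10.30.0.15", "dst": "10.30.0.22", "proto": "tcp", "dport": 445},
    {"src": "172.16.4.2", "dst": "10.30.0.40", "proto": "tcp", "dport": 443},
]

if __name__ == "__main__":
    for row in triage(FLOWS, BASELINE)[0]:
        print(*row)
```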
USE TECHNOLOGY YOU KNOW WELL
[Zone diagram: Financial Database, HVAC Control, Partner Network, Procurement Department, Internet]
SEGMENT THE NETWORK: INTERNAL FIREWALLS
[Zone diagram with internal firewalls between Financial Database, HVAC Control, Partner Network, Procurement Department and the Internet]
• Place internal firewalls between network zones
• Use SDN virtualization technologies to filter traffic inside the data center
RECOMMENDATION #3: PLAN
• Leverage SIEM technology to quickly identify that an attack is happening
• Create a playbook in your SOAR system with well-defined steps to stop the attack
• Create a playbook in your NSPM to quickly isolate the infected server
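An added example (not the deck's code, nor any NSPM product's) of what the isolation playbook step amounts to on a first-match zone-firewall rulebase: prepend quarantine rules for the infected host, keep an assumed IR/forensics subnet able to reach it, and re-evaluate to confirm that flows the host was previously allowed are now denied. The rulebase, subnets, ticket id and host addresses are constructed.

```python
import ipaddress

# Constructed zone-firewall rulebase: first match wins, explicit default deny at the end.
# Fields: name, action, src, dst, dport ("any" matches everything).
RULEBASE = [
    {"name": "erp-to-db", "action": "allow", "src": "10.30.0.0/24", "dst": "10.10.0.0/24", "dport": 1433},
    {"name": "partner-portal", "action": "allow", "src": "172.16.0.0/16", "dst": "10.30.0.0/24", "dport": 443},
    {"name": "default-deny", "action": "deny", "src": "any", "dst": "any", "dport": "any"},
]

# Assumed subnet of the IR/forensics jump hosts; isolation must not lock them out.
IR_SUBNET = "10.99.0.0/24"

def _match(field, value):
    if field == "any":
        return True
    if isinstance(field, int):          # port field
        return field == value
    return ipaddress.ip_address(value) in ipaddress.ip_network(field)

def evaluate(rulebase, src, dst, dport):
    """First-match evaluation; returns (action, rule name), implicit deny if nothing matches."""
    for rule in rulebase:
        if _match(rule["src"], src) and _match(rule["dst"], dst) and _match(rule["dport"], dport):
            return rule["action"], rule["name"]
    return "deny", "implicit-deny"

def isolate_host(rulebase, host, ticket):
    """Playbook step: quarantine `host` in both directions, allowing only IR access to it."""
    quarantine = [
        {"name": f"{ticket}-ir-access", "action": "allow", "src": IR_SUBNET, "dst": f"{host}/32", "dport": "any"},
        {"name": f"{ticket}-quarantine-out", "action": "deny", "src": f"{host}/32", "dst": "any", "dport": "any"},
        {"name": f"{ticket}-quarantine-in", "action": "deny", "src": "any", "dst": f"{host}/32", "dport": "any"},
    ]
    return quarantine + rulebase        # rules go on top so they match before any allow

def verify_isolation(rulebase, host, probes):
    """Check that every (dst, dport) the host could reach before is now denied."""
    return all(evaluate(rulebase, host, dst, dport)[0] == "deny" for dst, dport in probes)

if __name__ == "__main__":
    infected = "10.30.0.15"
    isolated = isolate_host(RULEBASE, infected, "INC-0001")
    print("before:", evaluate(RULEBASE, infected, "10.10.0.5", 1433))
    print("after: ", evaluate(isolated, infected, "10.10.0.5", 1433))
    print("isolated:", verify_isolation(isolated, infected, [("10.10.0.5", 1433)]))
    print("IR access:", evaluate(isolated, "10.99.0.7", infected, 22))
```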
POLL
Have you already started a micro-segmentation project in your organization?
• Yes, we’ve completed our micro-segmentation project
• Yes, we are currently in the midst of a micro-segmentation project
• No, but it is in our roadmap
• No, and we don’t plan to in the near future
2021 01-13 reducing risk-of_ransomware
WHAT TO DO NEXT?
ATTACHMENTS TAB
• Connect with us on LinkedIn
• Register for Part 2 of the Ransomware Masterclass Webinar
• Join the Raffle: request a Ransomware Assessment Service (1 random winner will be selected for a free of charge assessment)
• Request your copy of:
  • Cisco Zero Trust Security
  • Ransomware Defense for Dummies
Q&A
Let’s look at the poll results
THANK YOU
HUIB KLAASSENS – BDM
JAN HEIJDRA – TECHNOLOGY EVANGELIST
YITZY TANNENBAUM – PRODUCT MARKETING MANAGER
