Published by Eugenia West. Modified over 7 years ago.
1
Blocking ransomware with Cisco AMP and Cisco Umbrella
Jordan Gackowski, Systems Engineering
2
Your files are encrypted
Imagine it is right before an important board presentation. You open your laptop and see: "Your files are encrypted." In a panic you call IT, pray that your important files were backed up, and possibly have a small meltdown. The only way to get the decryption key is to pay 500 Bitcoin. You give in and pay. What you do not know is that the attacker is still pivoting through your network infrastructure. What do you do now? This story is all too familiar from real life, and it is clear that ransomware is back in the spotlight.
3
[Table: ransomware families by encryption C&C channel (DNS, IP, no C&C, TOR) and payment message channel (DNS, TOR, DNS over TOR). Families listed: Locky, SamSam, TeslaCrypt, CryptoWall, TorrentLocker, PadCrypt, CTB-Locker, FAKBEN, PayCrypt, KeyRanger. The per-family cell entries are not recoverable from the slide text.]
4
Anatomy of a cyber attack
Timeline on the slide: reconnaissance and infrastructure setup (domain registration, IP, ASN); intel; monitoring and adaptation based on results; patient zero hit; target expansion; wide-scale expansion; defense signatures built.

Attackers frequently ask: "What if I create an attack that no one knows about, using anonymous infrastructure? How will you find it?" [CLICK] There is a common misconception that the attack lifecycle starts with patient zero, the first machine infected with the malicious code. [CLICK] From there the attacker expands to a similar segment, then expands wide-scale to everyone. Weeks later, traditional security vendors catch up, reverse-engineer the code, and push a signature to customers as an update. [CLICK] Looking at the timeline in more detail, though, attackers leave all sorts of threat crumbs behind while they build their infrastructure. Before an attack is launched, servers get spun up in dark corners of the internet, domains have to be registered, and IP and ASN space has to be obtained. All of this activity leaves fingerprints. At Cisco we observe these fingerprints and have trained our algorithms and classifiers to pick up on these subtle shifts, hints, and clues, which lets us map the good and the bad of the internet.
5
Real world example blocking Locky
We leverage this threat intelligence in both of our products: Umbrella (enforcement) and Investigate (intelligence). The two work in tandem to block known and unknown threats before they ever reach your network. Let's walk through a real example of how we identified and blocked a domain distributing the Locky ransomware.
6
Feeling Locky? Delivered via email attachment in a phishing campaign
Encrypts and renames files with the .locky extension. Approximately 90,000 victims per day [1]. Ransom ranges from 0.5 to 1.0 BTC (1 BTC ~ $601 US). Linked to the Dridex operators. A little background on Locky: it is usually delivered as an attachment in a phishing campaign; it encrypts the infected device's important files and renames them with the .locky extension; it hits approximately 90,000 victims per day; and many victims have their hands tied and end up paying between 0.5 and 1 BTC, roughly $300 to $600 at the exchange rate quoted above.
7
Blocking ransomware: Locky domain example
taddboxers.com (Detection Date: October 8, 2016)

As mentioned, Cisco Umbrella has a unique view of the internet, with over 65 million users a day and 80 billion DNS requests daily. All of that intelligence about internet infrastructure is collected in our intelligence tool, Investigate, which is available to customers through the Investigate API or the web console and has proven valuable for prioritizing incident response and speeding up investigations. Now let's see what we know about Locky using the technology behind Investigate. Our search is focused on the domain taddboxers.com. This domain was first seen by our system on September 28, and it was tagged as malware. How did we know? Cisco Umbrella acts as a recursive DNS service, so we see patterns of global internet activity: we saw traffic from the moment the domain was first launched on September 28, and on October 8 there was a large spike in queries for it, indicating it was part of an attacker's internet infrastructure. A spike in DNS queries for a domain does not by itself mean the domain is malicious; a legitimate domain that suddenly becomes popular spikes the same way. But the combination of the malware tag and the other classifiers that fired on this domain let our researchers confirm it was malicious and place it on the block list. So what else did we know about it?
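As an added example (not Cisco's or Umbrella's code), the following Python models the "newly seen plus spike, but a spike alone is not enough" reasoning above over a constructed daily query-count log. The domain names other than taddboxers.com, every count, the 7-day baseline, the 30-day "newly seen" window, the 20x spike threshold and the malware-tag lookup are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed per-day query counts per domain: (ISO day, domain, queries).
# Every number is invented to mirror the two shapes the slide describes:
# a new domain that spikes, and an established domain that spikes benignly.
SAMPLE_DAILY_COUNTS = [
    ("2016-09-28", "taddboxers.com", 40),        # first seen
    ("2016-09-29", "taddboxers.com", 52),
    ("2016-09-30", "taddboxers.com", 47),
    ("2016-10-01", "taddboxers.com", 60),
    ("2016-10-02", "taddboxers.com", 44),
    ("2016-10-03", "taddboxers.com", 58),
    ("2016-10-04", "taddboxers.com", 51),
    ("2016-10-05", "taddboxers.com", 49),
    ("2016-10-06", "taddboxers.com", 63),
    ("2016-10-07", "taddboxers.com", 55),
    ("2016-10-08", "taddboxers.com", 8800),      # the spike
    ("2016-01-15", "news-site.example", 120000), # established months earlier
    ("2016-10-01", "news-site.example", 150000),
    ("2016-10-02", "news-site.example", 148000),
    ("2016-10-03", "news-site.example", 152000),
    ("2016-10-04", "news-site.example", 149000),
    ("2016-10-05", "news-site.example", 151000),
    ("2016-10-06", "news-site.example", 147000),
    ("2016-10-07", "news-site.example", 150000),
    ("2016-10-08", "news-site.example", 3200000),  # breaking-news spike
]

# Constructed classifier output: which domains already carry a malware tag.
SAMPLE_TAGS = {"taddboxers.com": {"malware"}}


def build_history(rows):
    """domain -> {date: query count}"""
    hist = defaultdict(dict)
    for day, domain, n in rows:
        hist[domain][date.fromisoformat(day)] = n
    return hist


def first_seen(hist, domain):
    return min(hist[domain])


def spike_ratio(hist, domain, day, window=7):
    """Queries on `day` divided by the median of the previous `window` days.
    A domain with no prior history at all is treated as infinitely spiky."""
    day = date.fromisoformat(day)
    prior = [n for d, n in hist[domain].items() if 0 < (day - d).days <= window]
    if not prior:
        return float("inf")
    return hist[domain][day] / median(prior)


def classify(hist, domain, day, tags, spike_threshold=20, new_days=30):
    """'block' needs spike + newly seen + a corroborating tag; a spike alone
    is only 'review', because popular legitimate domains spike the same way."""
    d = date.fromisoformat(day)
    spiking = spike_ratio(hist, domain, day) >= spike_threshold
    newly_seen = (d - first_seen(hist, domain)).days <= new_days
    if spiking and newly_seen and "malware" in tags.get(domain, set()):
        return "block"
    if spiking:
        return "review"
    return "allow"


if __name__ == "__main__":
    hist = build_history(SAMPLE_DAILY_COUNTS)
    for dom in ("taddboxers.com", "news-site.example"):
        print(dom, first_seen(hist, dom),
              round(spike_ratio(hist, dom, "2016-10-08"), 1),
              classify(hist, dom, "2016-10-08", SAMPLE_TAGS))
```

With this data taddboxers.com is both newly seen and 160x its baseline and carries a malware tag, so it is blocked; news-site.example is 21x its baseline on the same day but has history going back months and no tag, so it only lands in the review queue.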
8
Blocking ransomware: Locky domain example
taddboxers.com (Detection Date: October 8, 2016) With WHOIS we can see domain ownership, including the email address used to register the domain, how many other domains are tied to that address, and even how many of those domains are malicious. Investigate is also integrated with Cisco AMP Threat Grid. Where Investigate provides intelligence about the relationships between domains, IPs and ASNs, Threat Grid provides intelligence about malware files, so security teams can quickly understand what a sample is doing or attempting to do, how large a threat it poses, and how to defend against it. In Investigate you can query by file hash (SHA256, SHA1 or MD5), domain, IP or ASN, and see which samples call out to a given domain, along with their threat score, behavioral indicators and other file-analysis data. Threat Grid license holders can pivot directly into Threat Grid with a click.
9
Blocking ransomware: Locky domain example
taddboxers.com (Detection Date: October 8, 2016) Investigate’s internet-wide visibility provides insight into the relationships and connections between domains, IPs, ASNs, and file hashes – enabling users to pivot between data points when mapping out an attacker’s internet infrastructure.
10
Blocking ransomware, Locky: real world example
Graph labels on the slide: "Email address registered to domain"; "These domains share the same infrastructure"; "Malware download URL"; "cg3studio.com"; "taddboxers.com (100.00)"; "These domains co-occur"; "Domains in red are automatically blocked by Umbrella"; "Hash of the malicious file downloaded from these domains".

So we know a lot, and all of our threat intelligence can be visualized in a 3D model called OpenGraphiti. OpenGraphiti brings together all the intelligence we have on the internet's infrastructure of domains, IPs, ASNs and malware file hashes. What makes this visualization so powerful is that we can see the connections, relationships and evolution between the components of the internet, and even drill down on a specific attack origin, letting you pivot through an attacker's infrastructure. Right now it is focused on taddboxers.com, showing the wider picture of the attacker's ransomware infrastructure. [CLICK] First, the red color marks the domains tagged as malicious and automatically blocked by Umbrella. We identified this one as a malware distribution point. How? We take the diverse data from our DNS service and apply statistical models to score and classify domains, which lets us uncover and predict malicious domains, find the relationships between them, and block users from reaching them. [CLICK] Next we see the hash of a malicious file (in yellow) downloaded from these domains. Starting from a single domain, we can identify the other domains serving the same malicious payload. [CLICK] We can be more precise still, because we can identify the URL used to spread the malware, and from a correlation perspective we can also identify the ingress point of the infection. [CLICK] Notice the red line linking these two domains: we have identified them as co-occurrences. Co-occurrence means that whenever someone makes a DNS request, we look at which other domains were queried right before and right after it.
That connection is very valuable when building out your view of an attacker's infrastructure. [CLICK] While cg3studio.com and taddboxers.com do not share internet infrastructure, we know they are part of the same campaign because 100% of the users who connect to cg3studio.com connect to taddboxers.com right after. Our research team looked into cg3studio.com further and found it had been injected with malicious JavaScript that redirects users to taddboxers.com, where the payload is downloaded. [CLICK] Using this intelligence we can pivot through the attacker's infrastructure and uncover and protect against other domains used in the same campaign, simply by analyzing DNS and identifying the shared components of the malicious infrastructure. Here we can see that these three domains share the same nameserver, are hosted on the same IP, and were registered with the same Gmail address. From a single domain we have the intelligence to find all of this, and all of these components are correlated by Investigate, with no need for separate threat intel feeds or manual correlation.
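As an added example (not Cisco's, Investigate's or OpenGraphiti's code), here is a small Python version of the two pivots described above: co-occurrence computed from a per-client recursive DNS query log, and shared nameserver, IP and registrant-email pivots over WHOIS-style records. The query log, the records, the 30-second co-occurrence window, the 90% co-occurrence threshold and every domain, address and nameserver other than taddboxers.com and cg3studio.com are constructed for illustration.

```python
from collections import defaultdict

# Assumed "right before and after" window; the value Cisco uses is not given on the slide.
WINDOW_SECONDS = 30

# Constructed recursive-DNS query log: (epoch seconds, client id, queried domain).
# Clients c1..c3 visit cg3studio.com and are redirected to taddboxers.com seconds
# later; c4 and c5 are unrelated browsing with one coincidental overlap.
SAMPLE_QUERIES = [
    (1000, "c1", "cg3studio.com"), (1003, "c1", "taddboxers.com"), (1100, "c1", "cdn.example"),
    (2000, "c2", "cg3studio.com"), (2004, "c2", "taddboxers.com"),
    (3000, "c3", "cg3studio.com"), (3002, "c3", "taddboxers.com"), (3500, "c3", "cdn.example"),
    (4000, "c4", "cdn.example"), (4100, "c4", "mail.example"),
    (5000, "c5", "cdn.example"), (5001, "c5", "taddboxers.com"),
]

# Constructed WHOIS-style records: nameservers, hosting IPs (RFC 5737 documentation
# ranges) and registrant email. Only the two domain names come from the slide.
SAMPLE_RECORDS = {
    "taddboxers.com":       {"ns": {"ns1.hoster.example"},     "ip": {"203.0.113.10"}, "email": "registrant42@webmail.example"},
    "payload-cdn2.example": {"ns": {"ns1.hoster.example"},     "ip": {"203.0.113.10"}, "email": "registrant42@webmail.example"},
    "nextdrop.example":     {"ns": {"ns1.hoster.example"},     "ip": {"203.0.113.11"}, "email": "registrant42@webmail.example"},
    "cg3studio.com":        {"ns": {"ns1.legit-host.example"}, "ip": {"198.51.100.7"}, "email": "owner@cg3studio.example"},
    "cdn.example":          {"ns": {"ns1.bigcdn.example"},     "ip": {"192.0.2.50"},   "email": "noc@bigcdn.example"},
}


def cooccurrence(queries, seed, window=WINDOW_SECONDS):
    """For every other domain X: the fraction of clients that queried X which
    also queried `seed` within +/- window seconds of one of their X queries."""
    by_client = defaultdict(list)
    for ts, client, domain in queries:
        by_client[client].append((ts, domain))
    queried = defaultdict(set)    # domain -> clients that queried it at all
    near_seed = defaultdict(set)  # domain -> clients that queried it near the seed
    for client, events in by_client.items():
        seed_times = [ts for ts, d in events if d == seed]
        for ts, d in events:
            if d == seed:
                continue
            queried[d].add(client)
            if any(abs(ts - st) <= window for st in seed_times):
                near_seed[d].add(client)
    return {d: len(near_seed[d]) / len(clients) for d, clients in queried.items()}


def shared_infrastructure(records, seed):
    """domain -> which of {'ns', 'ip', 'email'} it shares with the seed domain."""
    base = records[seed]
    out = {}
    for domain, rec in records.items():
        if domain == seed:
            continue
        shared = set()
        if rec["ns"] & base["ns"]:
            shared.add("ns")
        if rec["ip"] & base["ip"]:
            shared.add("ip")
        if rec["email"] == base["email"]:
            shared.add("email")
        out[domain] = shared
    return out


def candidate_blocklist(queries, records, seed, min_cooc=0.9):
    """Domains worth blocking alongside the seed, with the reason for each:
    strong co-occurrence, a shared registrant email, or shared nameserver + IP."""
    reasons = {}
    for domain, score in cooccurrence(queries, seed).items():
        if score >= min_cooc:
            reasons[domain] = f"co-occurs with {seed} ({score:.0%} of clients)"
    for domain, shared in shared_infrastructure(records, seed).items():
        if "email" in shared or {"ns", "ip"} <= shared:
            reasons[domain] = "shares " + ", ".join(sorted(shared)) + f" with {seed}"
    return reasons


if __name__ == "__main__":
    for domain, why in sorted(candidate_blocklist(SAMPLE_QUERIES, SAMPLE_RECORDS, "taddboxers.com").items()):
        print(domain, "->", why)
```

With this data cg3studio.com is pulled in purely by co-occurrence (every client that hits it hits taddboxers.com within seconds) even though it shares no hosting, while the two placeholder domains are pulled in purely by shared registrant and nameserver data; cdn.example, which a quarter of clients happened to query near the seed, stays off the list.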
11
Blocking ransomware Locky: Real world example
Slide labels: "Next malware distribution points"; "Expose the attacker's infrastructure (nameservers and IPs) to predict the next moves"; "Infection point"; "Current malware distribution point".

Knowing the infection point [CLICK], where the malware is being distributed [CLICK], the architecture of the attacker's infrastructure (nameservers, IPs) [CLICK], and the correlated domains that will most likely be the next malware origins, we can pivot through the attacker's infrastructure and proactively protect you before the next attack launches.
12
Combining Umbrella and AMP for endpoints
13
The path of ransomware
Diagram labels: encryption key infrastructure; compromised sites and malvertising; malicious infrastructure; exploit or phishing domains (Angler, Nuclear, RIG); ransomware payload; web direct; C2; file drop; web link; phishing spam attachment; "Blocked by Cisco Umbrella"; "Blocked by Cisco AMP for Endpoints".

Let's revisit the path of ransomware and see the points where Cisco Umbrella can protect you before, during and after an attack. First, Umbrella operates at the DNS layer. [CLICK] For the initial infiltration, you can block the DNS request before the browser connects to the malicious site hosting the exploit kit, whether the user clicked a link or was redirected from a compromised site, so the connection is blocked before the compromise occurs. [CLICK] You can also block the C2 callback between the exploit kit and the malicious infrastructure, the step where the kit profiles the victim and fetches the payload to serve to the endpoint. [CLICK] If that does not work, you can use an endpoint product that works at the file level, such as Cisco Advanced Malware Protection (AMP for Endpoints), to stop the file drop on the endpoint. [CLICK] That also covers the case where the payload is built into a phishing attachment and lands directly on the endpoint, with no C2 stage at all. [CLICK] And if all else fails and the ransomware payload runs on your endpoint, Umbrella can block the C2 call to the encryption key infrastructure. With these multiple points of enforcement, Umbrella can significantly mitigate the effects of ransomware and protect your network from being compromised.
15
Where does Umbrella fit?
Diagram labels: Malware, C2 callbacks, Phishing; Umbrella as the first line for network and endpoint; "It all starts with DNS": precedes file execution and IP connection, used by all devices, port agnostic. HQ: sandbox, NGFW, proxy, NetFlow, AV. Branch: router/UTM, AV. Roaming: endpoint AV.

Think about where you enforce security today. What do you use to protect your network? Your endpoints? You probably have a range of products deployed at headquarters, at branch offices, and on roaming laptops. There are many ways malware can get in, which is why multiple layers of security matter. Umbrella can be the first layer of defense, preventing devices from connecting to malicious or likely malicious sites in the first place, which significantly reduces the chance of malware reaching your network or endpoints. Umbrella uses DNS as one of the main mechanisms to get traffic to our cloud platform, and then uses it to enforce security as well. DNS is a foundational component of how the internet works and is used by every device on the network: long before a malware file is downloaded, and before an IP connection over any port or protocol is established, there is a DNS request. One caveat, consistent with the family table earlier: a DNS-layer control only sees traffic that resolves a name, so a payload that carries a hard-coded C2 IP or needs no C2 at all is not caught at this layer, which is why the endpoint and file-level layers remain necessary. Let's look now at the key features of Umbrella.