How to Block Threats Before, During, & After an Attack


1 How to Block Threats Before, During, & After an Attack
with Cisco Umbrella and AMP
Atheana Altayyar, Product Management

2 Your files are encrypted
So imagine this: right before an important board presentation, you open up your computer and see "Your files are encrypted." In a panic, you call up IT, pray that you backed up your important files, and possibly have a mini meltdown. The only way to get the decryption key is by paying 500 Bitcoins. You succumb and pay the Bitcoin. Little do you know that the attacker is still pivoting around your network infrastructure. What do you do? This story seems all too familiar with what's happening in real life. It's clear that ransomware is back in the spotlight.

3 The path of ransomware
Slide labels: Compromised sites and malvertising | Phishing spam | Web link | Web direct | Exploit or phishing domains (Angler, Nuclear, Rig) | Malicious infrastructure | C2 | File drop | Ransomware payload attachment | Encryption key infrastructure
Let's take a look at ransomware and its path of infection. There are two main ways you can encounter the initial point of ransomware: 1. you're on a compromised site hosting malvertising, and YOU CLICK; 2. spam arrives with a phishing link, and YOU CLICK. Both paths lead to a web request to the exploit kit. An exploit kit is designed by the malware author to test the endpoint: find out whether it's running AV, whether it's using Windows or Mac browsers, and pinpoint all the vulnerable pockets of the endpoint. Once all the information about the endpoint is gathered, the exploit kit reports its findings via a C2 channel to the malicious infrastructure. In this concerted effort, the attacker now knows the best virus to serve the endpoint. Alternatively, you may get an email with an attachment (a PDF) that has the virus built into the file, and it immediately starts downloading without a C2 call. Once the virus is on the endpoint, it has to beacon out to get the encryption key and run its process to encrypt the victim's files. A payload is designed to lock, restrict, and encrypt files until payment is made. When all is said and done and ransomware successfully gets onto your endpoint, your computer is now part of a ransomware attack.

4 Ransomware variants and their callback mechanisms
Table columns (rows were flattened by extraction): Name | Encryption C&C (DNS, IP, NO C&C, TOR) | Payment MSG (DNS, TOR)
Variants listed: Locky, SamSam, TeslaCrypt, CryptoWall, TorrentLocker, PadCrypt, CTB-Locker, FAKBEN, PayCrypt, KeyRanger
Let's take a look at known ransomware variants and their mechanisms for encryption. You see that they often call their encryption key infrastructure using DNS, but not always. Some variants like SamSam have a built-in encryption key that doesn't require a C2 callback, and other ransomware can use Tor-based onion routing or IP-only callbacks that avoid DNS completely in an attempt to remain anonymous. Note: Onion routing is a technique for anonymous communication over a computer network. Messages are encapsulated in layers of encryption (like an onion). The encrypted data is transmitted through a series of network nodes, each peeling away a single layer and uncovering the data's next destination. When the final layer is decrypted, the message arrives at its destination. The sender remains anonymous. Note: The payment message is essentially the "Click Here" to pay your ransom and decrypt your files. The message is essentially a web request, so it can use port 80, DNS, HTTP, or TOR (onion routing).

5 Anatomy of a cyber attack
Slide labels: Reconnaissance and infrastructure setup | Domain registration, IP, ASN | Intel | Monitor adaptation based on results | Patient zero hit | Target expansion | Wide-scale expansion | Defense signatures built
Attackers frequently ask, "What if I create this attack that no one knows about, using anonymous infrastructure? How will you find it?" [CLICK] Well, there's a common misconception that the attack lifecycle starts with patient zero, patient zero being the first machine infected with the malicious code. [CLICK] From there the attacker does a targeted expansion to a similar segment, then a wide-scale expansion to all. Weeks later, traditional security vendors catch up, reverse engineer the code, and create a signature they push out to customers in the form of an update. [CLICK] But looking at the timeline in more detail, there are all sorts of threat crumbs left behind as attackers create their infrastructure. Before an attack is launched, servers get spun up in the dark corners of the internet; domain registration and IP/ASN space are necessary; and so on. Additionally, attackers may test their infrastructure on a small targeted segment and fine-tune it based on results. All of this activity leaves behind fingerprints. At Cisco, we observe these fingerprints and have trained our algorithms to pick up on these subtle shifts, hints, and clues, allowing us to map out the good and bad of the internet.

6 Real world example: blocking Locky
We leverage this threat intelligence in all of our products: Umbrella (enforcement), Investigate (intelligence), and AMP. They work in tandem to block known and unknown threats before they ever reach your network. Let's walk through a real example of how we discovered the ransomware variant Locky.

7 Feeling Locky?
Slide bullets: Via email attachment in a phishing campaign | Encrypts and renames files with .locky extension | Approx. 90,000 victims per day [1] | Ransom ranges from 0.5 to 1.0 BTC (1 BTC ~ $970 US) | Linked to Dridex operators
Just a little background on Locky: it's usually delivered via an attachment in a phishing campaign; it operates by encrypting and renaming the infected device's important files with the .locky extension; it targets approximately 90K victims per day; and many victims have their hands tied and end up paying between 0.5 and 1 BTC, with 1 BTC equivalent to $970 USD!

8 Blocking ransomware: Locky domain example
taddboxers.com (Detection Date: October 8, 2017)
Like I mentioned before, Cisco Umbrella has a very unique view of the internet, with over 85M users a day and 100B DNS requests daily. All of that intelligence about the internet infrastructure is collected within our intelligence tool, Investigate. Investigate is available to our customers through the Investigate API or the web console, and it has proven to be a great tool for prioritizing incident response and speeding up investigation. Now let's see what we know about Locky using the technology behind Investigate. Right now our search is focused on the domain "taddboxers.com". This domain was first seen by our system on September 28 and was tagged as malware. How did we know that? Well, for one, we saw an immediate spike in traffic when the domain query first blipped on September 28, showing when the attacker was testing out their infrastructure. Cisco Umbrella acts as a recursive DNS service, so we're able to see patterns of global internet activity. You see here that on October 8 there was a large spike in activity, indicating this domain was part of an attacker's internet infrastructure. I do want to note that a spike in DNS queries for a given domain doesn't necessarily mean it's malicious; it could be a link in a legitimate email, etc. But given the culmination of the malware tag and all of the other classifiers known about this domain, our researchers confirmed it was malicious and placed it on the block list. So what else did we know about it?
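The "first seen, then spike" pattern the slide describes, as an added illustration that is not Cisco's or Investigate's code: constructed daily query counts for one domain, a first-seen lookup, a spike test against the median of the prior days, and the triage rule that a spike alone is only a lead until classifier tags agree. All counts, dates beyond those named on the slide, and the `tags` list are constructed.

```python
from statistics import median

# Constructed daily DNS query counts for one domain (date -> queries seen by the
# resolver). Values are made up to mirror the narrative: a small test blip on
# first sight, near-silence, then a large spike when the campaign launches.
DAILY_QUERIES = {
    "2017-09-28": 140,    # first query ever seen: attacker testing infrastructure
    "2017-09-29": 3,
    "2017-09-30": 2,
    "2017-10-01": 4,
    "2017-10-02": 3,
    "2017-10-03": 5,
    "2017-10-04": 2,
    "2017-10-05": 3,
    "2017-10-06": 4,
    "2017-10-07": 3,
    "2017-10-08": 12800,  # campaign launch
}

def first_seen(daily):
    """Date of the first day with any queries (the domain 'blipping' into view)."""
    for day in sorted(daily):
        if daily[day] > 0:
            return day
    return None

def query_spikes(daily, factor=10, min_history=3):
    """Days whose count is at least `factor` times the median of all prior days.
    The first `min_history` days are skipped so a brand-new domain's first blip
    is not compared against an empty baseline. Returns a list of (day, ratio)."""
    days = sorted(daily)
    spikes = []
    for i, day in enumerate(days):
        if i < min_history:
            continue
        baseline = median(daily[d] for d in days[:i])
        if baseline > 0 and daily[day] / baseline >= factor:
            spikes.append((day, round(daily[day] / baseline, 1)))
    return spikes

def triage(daily, tags):
    """A spike alone is a lead, not a verdict: escalate to blocking only when the
    domain also carries classifier tags (constructed list, e.g. ['malware'])."""
    return "block" if query_spikes(daily) and tags else "investigate"
```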

9 Blocking ransomware: Locky domain example
taddboxers.com (Detection Date: October 8, 2017)
With WHOIS we can see domain ownership, including the address used to register the given domain and how many domains are tied to that address. You can even uncover how many of those domains are malicious. Investigate is also integrated with Cisco AMP Threat Grid. Similar to how Investigate provides intelligence about the relationships between domains, IPs, and ASNs, Threat Grid provides intelligence about malware files so security teams can quickly understand what malware is doing or attempting to do, how large a threat it poses, and how to defend against it. In Investigate, you can query by file hash (SHA256, SHA1, or MD5), domain, IP, or ASN, and get more insight into which file hashes are calling out to a given domain, with associated samples, their threat score, behavioral indicators, and other file analysis data. Threat Grid license holders can even pivot directly into Threat Grid with the click of a button.

10 Blocking ransomware: Locky domain example
taddboxers.com (Detection Date: October 8, 2017)
Investigate's internet-wide visibility provides insight into the relationships and connections between domains, IPs, ASNs, and file hashes, enabling users to pivot between data points when mapping out an attacker's internet infrastructure.

11 Blocking ransomware Locky: Real world example
Slide labels: Email address registered to domain | These domains share the same infrastructure | Malware download URL | Cg3studio.com | tadboxxers.com (100.00) | These domains co-occur | Domains in red are automatically blocked by Umbrella | Hash of the malicious file downloaded from these domains
So, we know A LOT, and all of our threat intelligence can be visualized in a 3D model called OpenGraphiti. OpenGraphiti is a culmination of all the intelligence we have on the internet's infrastructure of domains, IPs, ASNs, and malware file hashes. What makes this visualization tool so powerful is that we're able to see the connections, relationships, and evolutions between the components of the internet, and even drill down on a specific attack origin, allowing YOU to pivot through an attacker's infrastructure. Right now it's focused on "taddboxxers.com", showing you the wider picture of the attacker's ransomware infrastructure. [CLICK] For one, the red color shows which domains were tagged as malicious and automatically blocked by Umbrella. We identified this as a malware distribution point. How? We leverage the diverse set of data we get from our DNS service and apply statistical models to that data to score and classify the domains, allowing us to uncover and predict malicious domains. So we're able to find relationships between domains and then block users from accessing them. [CLICK] Next, we see the hash of a malicious file (in yellow) downloaded from these domains. So, starting from a single domain, we can identify other domains that share the same malicious payload. [CLICK] And we can be more accurate because we can identify the URL that is used to spread this malware. From a correlation perspective, we can also identify what the ingress point of the infection was. [CLICK] Notice the red line linking these two domains: we've identified them as co-occurrences. What co-occurrence means is that whenever someone makes a DNS request, we look at what other domains are queried right before and after that.
That connection is very valuable when trying to build out your view of an attacker's infrastructure. [CLICK] While they don't share the same internet infrastructure, we know that these two domains are part of the same campaign because 100% of the users who connect to this domain also connect to taddboxxers.com right after. Our research team looked into this domain further and discovered that it had been injected with malicious JavaScript that redirects users to the domain where the malicious payload is downloaded. [CLICK] Using this intelligence, we can essentially pivot through an attacker's infrastructure and also uncover and protect against other domains used in the same campaign. This can be done easily by analyzing DNS and identifying the shared components of the malicious infrastructure. Here, we can see these three domains share the same nameserver and are hosted on the same IP, and they've been registered using the same Gmail address. So from a single domain, we have the intelligence to find all of this information. And what's great is that all of these components are correlated by Investigate: no need for different threat intel feeds or manual correlation.
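The co-occurrence score and the nameserver/IP/registrant pivot described above, as an added example that is not Cisco's, Investigate's or OpenGraphiti's code. It runs over a constructed resolver log and constructed registration records; `next-lure.example`, the nameserver names, IPs and email addresses are all placeholders, and the window size is an assumption.

```python
from collections import defaultdict

# Constructed resolver log (unix seconds, client id, domain): c1..c4 query
# cg3studio.com and are redirected to taddboxxers.com seconds later; c5 goes direct.
DNS_LOG = [
    (1000, "c1", "cg3studio.com"), (1003, "c1", "taddboxxers.com"),
    (1020, "c2", "cg3studio.com"), (1024, "c2", "taddboxxers.com"), (1025, "c2", "example.org"),
    (1300, "c3", "cg3studio.com"), (1302, "c3", "taddboxxers.com"),
    (1500, "c4", "cg3studio.com"), (1505, "c4", "taddboxxers.com"),
    (1900, "c5", "taddboxxers.com"), (2500, "c6", "example.org"),
]

def cooccurrence(log, seed, window=10):
    """Share of clients that queried `seed` and also queried each other domain
    within +/- `window` seconds of that query (the talk's co-occurrence score)."""
    by_client = defaultdict(list)
    for ts, client, domain in log:
        by_client[client].append((ts, domain))
    hits, seed_clients = defaultdict(set), set()
    for client, queries in by_client.items():
        for ts, domain in queries:
            if domain != seed:
                continue
            seed_clients.add(client)
            for other_ts, other in queries:
                if other != seed and abs(other_ts - ts) <= window:
                    hits[other].add(client)   # same client, nearby in time
    n = len(seed_clients)
    return {d: len(c) / n for d, c in hits.items()} if n else {}

# Constructed registration/hosting records: the nameserver, hosting IP and
# registrant email are the attributes the talk pivots on. Values are placeholders.
INFRA = {
    "taddboxxers.com":   {"ns": "ns1.host.example", "ip": "203.0.113.10", "email": "reg@example.com"},
    "cg3studio.com":     {"ns": "ns9.other.example", "ip": "198.51.100.7", "email": "other@example.com"},
    "next-lure.example": {"ns": "ns1.host.example", "ip": "203.0.113.10", "email": "reg@example.com"},
    "example.org":       {"ns": "ns2.legit.example", "ip": "192.0.2.5", "email": "admin@example.org"},
}

def shared_infrastructure(infra, seed):
    """Domains sharing nameserver, IP or registrant email with `seed`, with the
    shared attributes listed: candidates for the attacker's next distribution point."""
    seed_rec, related = infra[seed], {}
    for domain, rec in infra.items():
        shared = sorted(k for k in ("ns", "ip", "email") if domain != seed and rec[k] == seed_rec[k])
        if shared:
            related[domain] = shared
    return related
```

The co-occurrence score is only evidence of the same campaign; as the talk notes, it is the combination with the payload hash, the download URL and the shared registration data that justifies blocking.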

12 Blocking ransomware Locky: Real world example
Slide labels: Infection point | Current malware distribution point | Next malware distribution points | Expose the attacker's infrastructure (nameservers and IPs) to predict the next moves
Knowing the infection point [CLICK], where the malware is being distributed [CLICK], the architecture of the attacker's infrastructure (nameservers, IPs) [CLICK], and the correlated domains that will most likely be the next malware origins, we can pivot through an attacker's infrastructure and proactively protect YOU before an attack launches.

13 Combining Umbrella and AMP for endpoints

14 The path of ransomware
Slide labels: Compromised sites and malvertising | Phishing spam | Web link | Web direct | Exploit or phishing domains (Angler, Nuclear, Rig) | Malicious infrastructure | C2 | File drop | Ransomware payload attachment | Encryption key infrastructure
Overlay: Blocked by Cisco Umbrella | Blocked by Cisco AMP for Endpoints
(Speaker notes for this slide repeat those of slide 3.)

15 Where does Umbrella fit?
Slide labels: Malware | C2 callbacks | Phishing | Umbrella, first line, network and endpoint | It all starts with DNS | Precedes file execution and IP connection | Used by all devices | Port agnostic | HQ: Sandbox, NGFW, Proxy, Netflow, AV | BRANCH: Router/UTM, AV | ROAMING: AV | Endpoint
Think about where you enforce security today. Questions to pose: What do you use to protect your network? Your endpoints? You probably have a range of products deployed at your corporate headquarters and branch offices, or on roaming laptops. There are many ways that malware can get in, which is why it's important to have multiple layers of security. Umbrella + DNS: Umbrella can be the first layer of defense against threats by preventing devices from connecting to malicious or likely malicious sites in the first place, which significantly reduces the chance of malware getting to your network or endpoints. Umbrella uses DNS as one of the main mechanisms to get traffic to our cloud platform, and then uses it to enforce security too. DNS is a foundational component of how the internet works and is used by every device in the network. Well before a malware file is downloaded, or before an IP connection over any port or any protocol is even established, there's a DNS request. Let's look now at the key features of Umbrella.
